Secure receive packet processing for network function virtualization applications

US 10,437,523 B2
Filed: 02/25/2016
Issued: 10/08/2019
Est. Priority Date: 02/25/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a memory;

one or more processors in communication with the memory; and

an operating system (OS) including a kernel and executing on the one or more processors configured to;

map a receive ring into a first memory of an application, wherein the mapping includes a permission that prevents modification of a plurality of descriptors,map the first memory into a second memory of the kernel, wherein the kernel controls multiple processes, handles interrupts and has privileges to change the mapping of the application, and based on the permission, the application has less privileges than the kernel and is unable to change the mapping,receive a request to rearm the plurality of descriptors, andinitialize the first descriptor of the plurality of descriptors; and

the one or more processors configured to execute a packet processing thread and a rearming thread, which are configured to;

read, by the packet processing thread, a receive ring, whereinthe receive ring includes packets, andthe packets have packet information,retrieve, by the packet processing thread, the packet information within the receive ring,process, by the packet processing thread, the packets,notify, by the packet processing thread, the rearming thread that a batch size limit of a predefined quantity is reached, andresponsive to reaching the predefined quantity, request, by the rearming thread, the OS to rearm the plurality of descriptors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A transmit packet processing system includes a memory, one or more processors in communication with the memory, and an operating system. The one or more processors execute a packet processing thread and a rearming thread. The OS maps a receive ring into a first memory of an application and maps the first memory into kernel memory. The packet processing thread reads a receive ring. The packet processing thread retrieves the packet information within the receive ring. The packet processing thread processes the packets. The packet processing thread notifies the rearming thread that a batch size limit is reached and the rearming thread requests the OS to rearm the plurality of descriptors. The OS receives the request and initializes the first descriptor of the plurality of descriptors.

Citations

20 Claims

1. A system comprising:
- a memory;
  
  one or more processors in communication with the memory; and
  
  an operating system (OS) including a kernel and executing on the one or more processors configured to;
  
  map a receive ring into a first memory of an application, wherein the mapping includes a permission that prevents modification of a plurality of descriptors,map the first memory into a second memory of the kernel, wherein the kernel controls multiple processes, handles interrupts and has privileges to change the mapping of the application, and based on the permission, the application has less privileges than the kernel and is unable to change the mapping,receive a request to rearm the plurality of descriptors, andinitialize the first descriptor of the plurality of descriptors; and
  
  the one or more processors configured to execute a packet processing thread and a rearming thread, which are configured to;
  
  read, by the packet processing thread, a receive ring, whereinthe receive ring includes packets, andthe packets have packet information,retrieve, by the packet processing thread, the packet information within the receive ring,process, by the packet processing thread, the packets,notify, by the packet processing thread, the rearming thread that a batch size limit of a predefined quantity is reached, andresponsive to reaching the predefined quantity, request, by the rearming thread, the OS to rearm the plurality of descriptors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the rearming thread is further configured to execute a system call to the OS.
  - 3. The system of claim 1, wherein the one or more processors are configured to detect, by the packet processing thread, that the first descriptor of the plurality of descriptors has been used.
  - 4. The system of claim 1, further comprising a Network Interface Controller (NIC), wherein the NIC is configured to:
    - retrieve the plurality of descriptors; and
      
      write information into the memory according to the plurality of descriptors.
  - 5. The system of claim 1, wherein the OS is further configured to validate an address associated with a first descriptor of the plurality of descriptors.
  - 6. The system of claim 5, wherein the OS is further configured to access the address associated with the first descriptor and detect that the address does not produce a page fault.
  - 7. The system of claim 1, wherein at least one memory page holds the receive ring, the at least one memory page has a first portion of memory and a second portion of memory, and the receive ring occupies the first portion of memory of the at least one memory page.
  - 8. The system of claim 7, wherein the OS is configured to erase the second portion of memory.
  - 9. The system of claim 1, wherein the receive ring is mapped into a first memory of an application using a page table, and the OS is further configured to perform a page walk on the page table to confirm that a virtual address relates to a correct physical address.
  - 10. The system of claim 1, wherein the batch size limit is half of the number of packets that can fit into the receive ring.

11. A method comprising:
- mapping, by an operating system (OS), a receive ring into a first memory of an application, wherein the mapping includes a permission that prevents modification of a plurality of descriptors;
  
  mapping, by the OS, the first memory into a second memory of a kernel, wherein the OS includes the kernel, the kernel controls multiple processes, handles interrupts and has privileges to change the mapping of the application, and based on the permission, the application has less privileges than the kernel and is unable to change the mapping;
  
  responsive to reaching a batch size limit of a predefined quantity, receiving, by the OS, a request to rearm the plurality of descriptors by a rearming thread, whereinthe rearming thread is notified that the batch size limit of the predefined quantity is reached by a packet processing thread, andthe packet processing thread reads and retrieves packet information; and
  
  initializing, by the OS, the first descriptor of the plurality of descriptors.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, further comprising:
    - validating, by the OS, an address associated with a first descriptor of the plurality of descriptors; and
      
      translating, by the OS, the address to a second address, wherein the first descriptor of the plurality of descriptors is initialized with the second address.
  - 13. The method of claim 12, wherein validating the address includes accessing the address and detecting that the address does not produce a page fault.
  - 14. The method of claim 11, further comprising:
    - retrieving, by an NIC, the plurality of descriptors; and
      
      writing, by the NIC, information into the plurality of descriptors.
  - 15. The method of claim 11, wherein validating the address includes performing a page walk on a page table to confirm that a virtual address relates to a correct physical address.
  - 16. The method of claim 11, wherein at least one memory page holds the receive ring, the at least one memory page has a first portion of memory and a second portion of memory, and the receive ring occupies the first portion of memory of the at least one memory page.

17. A method comprising:
- reading, by a packet processing thread, a receive ring, whereinthe receive ring is mapped into a first memory of an application, the mapping includes a permission that prevents modification of a plurality of descriptors,the receive ring includes packets, andthe packets have packet information;
  
  retrieving, by the packet processing thread, the packet information within the receive ring;
  
  processing, by the packet processing thread, the packets, wherein the packets are sent through a kernel, the kernel controls multiple processes, handles interrupts and has privileges to change the mapping of the application, and based on the permission, the application has less privileges than the kernel and is unable to change the mapping;
  
  notifying, by the packet processing thread, a rearming thread that a batch size limit of a predefined quantity is reached; and
  
  responsive to reaching the predefined quantity, requesting, by the rearming thread, an OS to rearm the plurality of descriptors.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein reading the receive ring includes checking, by the packet processing thread, if a new packet is available.
  - 19. The method of claim 17, wherein processing the packets includes at least one of forwarding a packet to a network device, encrypting the packet, decrypting the packet, transcoding the packet, transrating the packet, and transizing the packet.
  - 20. The method of claim 17, further comprising detecting, by the packet processing thread, that a descriptor of the plurality of descriptors has been used.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Original Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Inventors
Tsirkin, Michael
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/053,543
Publication Number

US 20170249457A1
Time in Patent Office

1,321 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6227   where protection concerns t...

G06F 3/0673   Single storage device

Secure receive packet processing for network function virtualization applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure receive packet processing for network function virtualization applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links