Packet validation in virtual network interface architecture

US 20060248234A1
Filed: 04/27/2005
Published: 11/02/2006
Est. Priority Date: 04/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method for interfacing a computing device with a network interface device, comprising the steps of:

a first sending process of the computing device initiating establishment of a first transmit queue;

a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process, the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic;

the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network;

the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network; and

the network interface device transmitting the first data packet onto the network only if the first determination is positive.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.

46 Citations

View as Search Results

18 Claims

1. A method for interfacing a computing device with a network interface device, comprising the steps of:
- a first sending process of the computing device initiating establishment of a first transmit queue;
  
  a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process, the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic;
  
  the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network;
  
  the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network; and
  
  the network interface device transmitting the first data packet onto the network only if the first determination is positive.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1, wherein the first characteristic comprises a particular network transport protocol, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets using the particular network transport protocol.
  - 3. A method according to claim 1, wherein the first characteristic comprises a particular source IP port number, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular source IP port number.
  - 4. A method according to claim 1, wherein the first characteristic comprises a particular destination IP port number, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular source IP port number.
  - 5. A method according to claim 1, wherein the first characteristic comprises a particular source IP address, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular source IP port number.
  - 6. A method according to claim 1, wherein the first characteristic comprises a particular destination IP address, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular source IP port number.
  - 7. A method according to claim 1, wherein the step of the network interface device receiving at least part of the first data packet comprises the step of the network interface device retrieving at least part of the first data packet from the first transmit queue.
  - 8. A method according to claim 1, further comprising the step of the first sending process notifying the network interface device, without invoking any privileged mode routines, of the availability of the first data packet in the first transmit queue.
  - 9. A method according to claim 1, wherein the first sending process is a user level process, further comprising the step of a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, programming authorization rights for the first transmit queue into the network interface device, and wherein the step of the network interface device making a first determination comprises the step of the network interface device examining the authorization rights for the first transmit queue.
  - 10. A method according to claim 1, further comprising the steps of:
    - a second sending process initiating establishment of a second transmit queue;
      
      a privileged mode process, in response to the step of the second sending process initiating establishment of a second transmit queue, establishing the second transmit queue in a virtual address space of the second sending process;
      
      the second sending process enqueueing a second data packet onto the second transmit queue for transmission onto the network, the second data packet having a second characteristic;
      
      the network interface device receiving at least part of the second data packet from the second transmit queue;
      
      the network interface device making a second determination of whether the second sending process has authority to transmit data packets having the second characteristic onto the network; and
      
      the network interface device transmitting the second data packet onto the network only if the second determination is positive.
  - 11. A method according to claim 10, wherein the second sending process is a user level process, further comprising the step of a privileged mode process, in response to the step of the second sending process initiating establishment of a second transmit queue, programming authorization rights for the second transmit queue into the network interface device, and wherein the step of the network interface device making a second determination comprises the step of the network interface device examining the authorization rights for the second transmit queue.
  - 12. A method according to claim 1, wherein the step of the network interface device receiving at least part of the first data packet comprises the step of the network interface device retrieving at least part of the first data packet from the first transmit queue, further comprising the step of aborting retrieval of the first data packet if the first determination is negative.

13. Network interface apparatus, for use with a plurality of transmit queues allocated among a plurality of different processes in a computer system, comprising a database indicating, for each given one of the transmit queues, whether data packets having a first characteristic are permitted to be transmitted onto the network from the given transmit queue.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. Apparatus according to claim 13, wherein the database further indicates, for each given one of the transmit queues, whether data packets having a second characteristic are permitted to be transmitted onto the network from the given transmit queue.
  - 15. Apparatus according to claim 13, wherein the first characteristic includes a network transport protocol.
  - 16. Apparatus according to claim 13, wherein the first characteristic includes a source IP port number.
  - 17. Apparatus according to claim 13, wherein the first characteristic includes a destination IP port number.
  - 18. Apparatus according to claim 13, wherein the first characteristic includes a member of the group consisting of a source IP address and a destination IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xilinx, Inc. (Advanced Micro Devices, Inc.)
Original Assignee
Level 5 Networks, Inc. (Advanced Micro Devices, Inc.)
Inventors
Riddoch, David, Pope, Steve, Roberts, Derek, Yu, Ching

Granted Patent

US 7,634,584 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/250
CPC Class Codes

H04L 47/50   Queue scheduling

H04L 49/90   Buffering arrangements

H04L 49/901   using storage descriptor, e...

H04L 49/9031   Wraparound memory, e.g. ove...

H04L 49/9063   Intermediate storage in dif...

H04L 63/10   for controlling access to d...

Packet validation in virtual network interface architecture

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Packet validation in virtual network interface architecture

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links