Packet validation in virtual network interface architecture
First Claim
1. A method for interfacing a computing device with a network interface device, comprising the steps of:
a first sending process of the computing device initiating establishment of a first transmit queue;
a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process, the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic;
the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network;
the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network; and
the network interface device transmitting the first data packet onto the network only if the first determination is positive.
11 Assignments
0 Petitions
Abstract
Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.
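The abstract describes three moving parts: a privileged (kernel) routine that programs per-queue authorizations into the NIC when a transmit queue is established, an untrusted user-level stack that enqueues packets directly, and a NIC-side check that compares each packet's characteristics (protocol number, addresses, ports) against the sending queue's authorization before transmitting. The following Python model is an added illustration of that flow, not code from the patent or from any NIC vendor. The names (`TransmitAuthorization`, `NicAuthDatabase`, `kernel_establish_queue`, `nic_transmit`) and the concrete policy (an unprivileged queue may send only TCP/UDP, only from its own bound source address, only from its allocated source-port range; a privileged queue is unrestricted) are assumptions chosen to make the mechanism concrete. The test packets are constructed inline with a minimal IPv4 header.

```python
"""Model of NIC-side per-transmit-queue authorization (added example, not the patent's code).

Assumed policy shape: the kernel programs an authorization per queue at establishment
time from the owner's privilege level; the NIC parses protocol/addresses/ports out of
each enqueued packet and drops anything the queue is not authorized to send.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17  # IANA protocol numbers


@dataclass(frozen=True)
class PacketCharacteristics:
    protocol: int
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    src_port: Optional[int]  # None for protocols without ports (e.g. ICMP)
    dst_port: Optional[int]


@dataclass
class TransmitAuthorization:
    """What one transmit queue may put on the wire (assumed fields)."""
    any_protocol: bool = False
    protocols: Set[int] = field(default_factory=set)
    any_src_ip: bool = False
    src_ips: Set[ipaddress.IPv4Address] = field(default_factory=set)
    any_src_port: bool = False
    src_port_range: Tuple[int, int] = (0, 0)  # inclusive

    def permits(self, c: PacketCharacteristics) -> Optional[str]:
        """None if permitted, otherwise a short denial reason."""
        if not self.any_protocol and c.protocol not in self.protocols:
            return "protocol not authorized"
        if not self.any_src_ip and c.src_ip not in self.src_ips:
            return "source address not owned by queue"
        if c.src_port is not None and not self.any_src_port:
            lo, hi = self.src_port_range
            if not lo <= c.src_port <= hi:
                return "source port outside allocated range"
        return None


class NicAuthDatabase:
    """NIC-resident table: queue id -> authorization, written only by the privileged path."""
    def __init__(self) -> None:
        self._table: Dict[int, TransmitAuthorization] = {}

    def program(self, queue_id: int, auth: TransmitAuthorization) -> None:
        self._table[queue_id] = auth

    def lookup(self, queue_id: int) -> Optional[TransmitAuthorization]:
        return self._table.get(queue_id)


def kernel_establish_queue(db, queue_id, privileged, bound_ip=None, port_range=(0, 0)):
    """Privileged-mode step: derive the queue's authorization from the owner's privilege level."""
    if privileged:
        auth = TransmitAuthorization(any_protocol=True, any_src_ip=True, any_src_port=True)
    else:
        auth = TransmitAuthorization(protocols={PROTO_TCP, PROTO_UDP},
                                     src_ips={ipaddress.IPv4Address(bound_ip)},
                                     src_port_range=port_range)
    db.program(queue_id, auth)


def parse_characteristics(frame: bytes) -> PacketCharacteristics:
    """Pull the checked fields out of an IPv4 packet; honours IHL, ignores option contents."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl, proto = (frame[0] & 0x0F) * 4, frame[9]
    src_ip, dst_ip = ipaddress.IPv4Address(frame[12:16]), ipaddress.IPv4Address(frame[16:20])
    src_port = dst_port = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= ihl + 4:
        src_port, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    return PacketCharacteristics(proto, src_ip, dst_ip, src_port, dst_port)


def nic_transmit(db: NicAuthDatabase, queue_id: int, frame: bytes) -> Tuple[bool, str]:
    """NIC-side determination: transmit only if the sending queue is authorized for this packet."""
    auth = db.lookup(queue_id)
    if auth is None:
        return False, "unknown queue"
    try:
        reason = auth.permits(parse_characteristics(frame))
    except ValueError as exc:
        return False, f"unparseable packet: {exc}"
    return reason is None, (reason or "transmitted")


def build_ipv4(proto, src_ip, dst_ip, src_port=None, dst_port=None) -> bytes:
    """Constructed test packet: 20-byte IPv4 header plus optional port pair (checksum left zero)."""
    ports = struct.pack("!HH", src_port, dst_port) if src_port is not None else b""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ports), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return header + ports


def demo() -> Dict[str, Tuple[bool, str]]:
    """Queue 1 belongs to an unprivileged process bound to 10.0.0.5:40000-40099; queue 2 is privileged."""
    db = NicAuthDatabase()
    kernel_establish_queue(db, 1, privileged=False, bound_ip="10.0.0.5", port_range=(40000, 40099))
    kernel_establish_queue(db, 2, privileged=True)
    return {
        "user_ok":    nic_transmit(db, 1, build_ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.9", 40010, 443)),
        "user_spoof": nic_transmit(db, 1, build_ipv4(PROTO_TCP, "10.0.0.7", "10.0.0.9", 40010, 443)),
        "user_port":  nic_transmit(db, 1, build_ipv4(PROTO_UDP, "10.0.0.5", "10.0.0.9", 53, 53)),
        "user_icmp":  nic_transmit(db, 1, build_ipv4(PROTO_ICMP, "10.0.0.5", "10.0.0.9")),
        "priv_icmp":  nic_transmit(db, 2, build_ipv4(PROTO_ICMP, "192.0.2.1", "10.0.0.9")),
        "no_queue":   nic_transmit(db, 3, build_ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.9", 40010, 443)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} {'TX' if ok else 'DROP':4s} {why}")
```

The point of the split is that the user-level stack never touches `NicAuthDatabase`: only `kernel_establish_queue` writes it, so a compromised or buggy user-mode stack can corrupt its own queue's packets but cannot forge another host's source address, emit raw protocols, or use ports it was not allocated. Destination address and port are parsed as well, since the abstract lists them as checkable characteristics; extending `permits` with destination rules follows the same pattern.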
46 Citations
18 Claims
Claim 1 (reproduced above) has dependent claims 2 through 12.

13. Network interface apparatus, for use with a plurality of transmit queues allocated among a plurality of different processes in a computer system, comprising a database indicating, for each given one of the transmit queues, whether data packets having a first characteristic are permitted to be transmitted onto the network from the given transmit queue.