OFFLOAD DEVICE-BASED STATELESS PACKET PROCESSING

US 20120250686A1
Filed: 03/30/2011
Published: 10/04/2012
Est. Priority Date: 03/30/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing data packets in an electronic environment, comprising:

under control of one or more computer systems configured with executable instructions,receiving a user data packet to a virtual function associated with a virtual network for a user;

performing a lookup in a rule table for at least one rule for processing the user data packet;

performing software-based processing of the user data packet in a trusted domain in response to determining a trap rule from the rule table;

performing no further processing of the user data packet in response to determining a drop rule from the rule table; and

performing at least a portion of the processing of the user data packet using an offload device in response to determining a forward rule from the rule table, the processing including at least adding an outer header to the user data packet and sending the user data packet out onto a physical network, the outer header including at least one opaque field and including protocol-specific information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

High-speed processing of packets to, and from, a virtualization environment can be provided while utilizing hardware-based segmentation offload and other such functionality. A hardware vendor such as a network interface card (NIC) manufacturer can enable the hardware to support open and proprietary stateless tunneling in conjunction with a protocol such as single root I/O virtualization (SR-IOV) in order to implement a virtualized overlay network. The hardware can utilize various rules, for example, that can be used by the NIC to perform certain actions, such as to encapsulate egress packets and decapsulate packets.

Citations

29 Claims

1. A computer-implemented method for processing data packets in an electronic environment, comprising:
- under control of one or more computer systems configured with executable instructions,receiving a user data packet to a virtual function associated with a virtual network for a user;
  
  performing a lookup in a rule table for at least one rule for processing the user data packet;
  
  performing software-based processing of the user data packet in a trusted domain in response to determining a trap rule from the rule table;
  
  performing no further processing of the user data packet in response to determining a drop rule from the rule table; and
  
  performing at least a portion of the processing of the user data packet using an offload device in response to determining a forward rule from the rule table, the processing including at least adding an outer header to the user data packet and sending the user data packet out onto a physical network, the outer header including at least one opaque field and including protocol-specific information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, further comprising:
    - performing at least one generic check on the user data packet before performing the lookup.
  - 3. The computer-implemented method of claim 2, wherein the at least one generic check includes at least one of level two (L2) or level three (L3) anti-spoofing, or trapping for at least one type of packet.
  - 4. The computer-implemented method of claim 1, wherein the lookup is performed by the offload device.
  - 5. The computer-implemented method of claim 4, wherein the offload device provides a virtualized overlay network based on a single root I/O virtualization (SR-IOV) protocol.
  - 6. The computer-implemented method of claim 1, further comprising:
    - performing at least one metric update on the user data packet before performing the lookup.
  - 7. The computer-implemented method of claim 1, wherein the processing using an offload device further includes at least one of throttling the user data packet, or performing a quality of service action.
  - 8. The computer-implemented method of claim 1, wherein sending the user data packet out onto a physical network is performed as part of a segmentation offload process.
  - 9. The computer-implemented method of claim 1, wherein the processing using an offload device further includes updating header fields of the user data packet, the header fields including at least one of an inner and an outer packet length, and inner and an outer checksum, a source and a destination address, and a time-to-live (TTL) value.
  - 10. The computer-implemented method of claim 1, wherein the processing using an offload device includes performing packet source checking on each egress packet based at least in part upon a source virtual machine.
  - 11. The computer-implemented method of claim 1, wherein the software-based processing includes processing by Dom-0 control software.
  - 12. The computer-implemented method of claim 1, wherein the processing utilizes a generic format such that any appropriate protocol is able to be supported through changing parameters of a lookup key.
  - 13. The computer-implemented method of claim 12, wherein the appropriate protocol is able to be mapped to a stateless tunneling protocol.

14. A computer-implemented method for processing data packets in an electronic environment, comprising:
- under control of one or more computer systems configured with executable instructions,receiving a user data packet to a physical function associated with an offload device;
  
  building a lookup key for the user data packet using the offload device;
  
  performing a lookup in a rule table for at least one rule for processing the user data packet using the lookup key;
  
  performing software-based processing of the user data packet in a trusted domain in response to determining a trap rule from the rule table;
  
  performing no further processing of the user data packet in response to determining a drop rule from the rule table; and
  
  performing at least a portion of the processing of the user data packet using the offload device in response to determining a forward rule from the rule table, the processing including at least stripping an inner and outer header, performing any packet modification, and forwarding the user data packet to an internal virtual function, the internal virtual function operable to deliver the user data packet to a guest virtual machine.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The computer-implemented method of claim 14, wherein the processing using the offload device includes removing at least one outer encapsulation header from the user data packet.
  - 16. The computer-implemented method of claim 14, wherein the internal virtual function is identified by the forward rule.
  - 17. The computer-implemented method of claim 14, wherein the processing using the offload device is operable to identify the user data packet as being encapsulated using a format of a predefined protocol at a predefined offset.
  - 18. The computer-implemented method of claim 14, further comprising:
    - processing the user data packet using software-based processing when the user data packet is not encapsulated.
  - 19. The computer-implemented method of claim 14, wherein the offload device is a network interface card (NIC).
  - 20. The computer-implemented method of claim 14, further comprising:
    - determining a virtual machine corresponding to the user data packet using a fixed-length field in the opaque bits at a pre-determined offset in the user data packet.
  - 21. The computer-implemented method of claim 14, wherein each physical function has a set of ingress rules, each rule consisting at least partially of a set of opaque bits capable of being matched with the opaque bits of encapsulated ingress packets.
  - 22. The computer-implemented method of claim 14, wherein other traffic is passed through without processing in response to determining a pass rule from the rule table.
  - 23. The computer-implemented method of claim 14, wherein customer encapsulated traffic and control traffic is trapped independent of determining a pass rule from the rule table.

24. A system for processing data packets in an electronic environment, comprising:
- a processor; and
  
  a memory device including instructions that, when executed by the processor, cause the processor to;
  
  receive a user data packet to a virtual function associated with a virtual network for a user;
  
  perform a lookup in a rule table for at least one rule for processing the user data packet;
  
  perform software-based processing of the user data packet in a trusted domain in response to determining a trap rule from the rule table;
  
  perform no further processing of the user data packet in response to determining a drop rule from the rule table; and
  
  perform at least a portion of the processing of the user data packet using an offload device in response to determining a forward rule from the rule table, the processing including at least adding an outer header to the user data packet and sending the user data packet out onto a physical network, the outer header including at least one opaque field and including protocol-specific information.
- View Dependent Claims (25, 26)
- - 25. The system of claim 24, further comprising:
    - at least one offload device operable to perform the lookup.
  - 26. The system of claim 24, wherein the offload device provides a virtualized overlay network based on a single root I/O virtualization (SR-IOV) protocol.

27. A system for processing data packets in an electronic environment, comprising:
- a processor; and
  
  a memory device including instructions that, when executed by the processor, cause the processor to;
  
  receive a user data packet to a physical function associated with an offload device;
  
  build a lookup key for the user data packet using the offload device;
  
  perform a lookup in a rule table for at least one rule for processing the user data packet using the lookup key;
  
  perform software-based processing of the user data packet in a trusted domain in response to determining a trap rule from the rule table;
  
  perform no further processing of the user data packet in response to determining a drop rule from the rule table; and
  
  perform at least a portion of the processing of the user data packet using the offload device in response to determining a forward rule from the rule table, the processing including at least stripping an inner and outer header, performing any packet modification, and forwarding the user data packet to an internal virtual function, the internal virtual function operable to deliver the user data packet to a guest virtual machine.
- View Dependent Claims (28, 29)
- - 28. The system of claim 27, wherein the processing using an offload device includes removing at least one outer encapsulation header from the user data packet.
  - 29. The system of claim 27, wherein the offload device is a network interface card (NIC).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Vincent, Pradeep, Klein, Matthew D., McKelvie, Samuel J.

Granted Patent

US 8,462,780 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4666   Operational details on the ...

H04L 45/64   using an overlay routing layer

H04L 47/12   Avoiding congestion; Recove...

H04L 47/13   in a LAN segment, e.g. ring...

H04L 63/0218   Distributed architectures, ...

H04L 63/1466   Active attacks involving in...

OFFLOAD DEVICE-BASED STATELESS PACKET PROCESSING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

OFFLOAD DEVICE-BASED STATELESS PACKET PROCESSING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links