INFRASTRUCTURE LEVEL LAN SECURITY
Abstract
Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
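As an added illustration (not code from the patent or from any product it describes), the following Go program models the mechanism the abstract outlines: an encryption module looks up the secure wire a vNIC is connected to, seals the frame payload under that wire's group key while leaving the Ethernet header in the clear so the virtual switch and pNIC can still forward it, and a receiver can only open the frame with the same group key. The frame layout, AES-GCM as the cipher, the nonce-prefixed payload format and the vNIC and wire names are assumptions made for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Frame is a minimal L2 frame: 14-byte Ethernet header, then the payload.
type Frame struct{ Header, Payload []byte }
// SecureWire is an L2 domain whose member vNICs share one group key.
type SecureWire struct {
	Name string
	aead cipher.AEAD // AES-GCM keyed with the group key
}
// NewSecureWire derives the wire's AEAD from its group key (AES-128 here).
func NewSecureWire(name string, groupKey []byte) (*SecureWire, error) {
	block, err := aes.NewCipher(groupKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &SecureWire{name, aead}, err
}
// EncryptionModule sits between the vNICs and the pNIC and maps each vNIC to
// its secure wire; a vNIC with no entry is unsecured and its frames pass as-is.
type EncryptionModule struct{ wireOf map[string]*SecureWire }
// Intercept is the outbound hook: the payload is sealed under the wire's group
// key; the header stays cleartext (authenticated as associated data) so the
// virtual switch and pNIC still forward the frame as before.
func (m *EncryptionModule) Intercept(vnic string, f Frame) (Frame, error) {
	wire := m.wireOf[vnic]
	if wire == nil {
		return f, nil
	}
	nonce := make([]byte, wire.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	return Frame{f.Header, wire.aead.Seal(nonce, nonce, f.Payload, f.Header)}, nil
}
// Open is the receiving side: only a holder of the same group key recovers the
// payload (nonce || ciphertext || tag); any other key or header fails to verify.
func (w *SecureWire) Open(f Frame) ([]byte, error) {
	n := w.aead.NonceSize()
	if len(f.Payload) < n {
		return nil, errors.New("frame too short to carry a nonce")
	}
	return w.aead.Open(nil, f.Payload[:n], f.Payload[n:], f.Header)
}
```

A vNIC that has no secure-wire entry is the per-policy pass-through case the abstract mentions; a host that lacks the group key gets an authentication failure from Open rather than garbage, which is also a useful detection signal.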
21 Claims

1. A method for securing traffic in a multi-tenant virtualized infrastructure, comprising:
intercepting a Layer 2 (L2) frame sent via a first virtual network interface card (vNIC) en route to a first physical network interface card (pNIC);
determining a first secure wire to which the first vNIC is connected, wherein the first secure wire is enabled on a first L2 domain;
encrypting payload data of the L2 frame using a first encryption key associated with the first secure wire.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 16, 17, 18.

11. A non-transitory computer-readable storage medium embodying computer program instructions for reducing perceived read latency, the computer program instructions implementing operations for securing traffic in a multi-tenant virtualized infrastructure, the operations comprising:
intercepting, by an encryption module of a first virtual machine (VM) host, an L2 frame sent via a first virtual network interface card (vNIC) as the L2 frame is en route to a first physical network interface card (pNIC);
determining a first secure wire to which the first vNIC is connected, wherein the first secure wire is enabled on a first L2 domain;
modifying, by the encryption module, the L2 frame to generate an encrypted frame, wherein the modifying includes encrypting payload data of the L2 frame using a first encryption key shared by vNICs connected to the first secure wire; and
transmitting the encrypted frame over a network, wherein the transmitting is performed via the first pNIC.
Dependent claims: 12, 13, 14, 15, 19, 20.

21. A system, comprising:
a processor; and
a memory, wherein the memory includes a program for reducing perceived read latency, the program being configured to perform operations for securing traffic in a multi-tenant virtualized infrastructure, the operations comprising:
without making any changes to the existing VM or to the applications running inside the VM, intercepting a Layer 2 (L2) frame sent via a first virtual network interface card (vNIC) en route to a first physical network interface card (pNIC);
determining a first secure wire to which the first vNIC is connected, wherein the first secure wire is enabled on a first L2 domain;
encrypting payload data of the L2 frame using a first encryption key associated with the first secure wire.