INFRASTRUCTURE LEVEL LAN SECURITY

US 20140226820A1
Filed: 02/12/2013
Published: 08/14/2014
Est. Priority Date: 02/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method for securing traffic in a multi-tenant virtualized infrastructure, comprising:

intercepting a Layer 2 (L2) frame sent via a first virtual network interface card (vNIC) in route to a first physical network interface card (pNIC);

determining a first secure wire to which the first vNIC is connected, wherein the first secure wire is enabled on a first L2 domain;

encrypting payload data of the L2 frame using a first encryption key associated with the first secure wire.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.

100 Citations

View as Search Results

21 Claims

1. A method for securing traffic in a multi-tenant virtualized infrastructure, comprising:
- intercepting a Layer 2 (L2) frame sent via a first virtual network interface card (vNIC) in route to a first physical network interface card (pNIC);
  
  determining a first secure wire to which the first vNIC is connected, wherein the first secure wire is enabled on a first L2 domain;
  
  encrypting payload data of the L2 frame using a first encryption key associated with the first secure wire.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 16, 17, 18)
- - 2. The method of claim 1, wherein the intercepting and determining are performed by an encryption module of a virtual machine (VM) host on which one or more virtual machines (VMs) run, wherein the encryption module is at a farthest layer from the first vNIC, and wherein the encrypting is performed by a key management module of the VM host, the key management module exposing an application programming interface (API) which the encryption module invokes for the encrypting.
  - 3. The method of claim 2, wherein the intercepting, determining, and encrypting do not require configuration changes to operating systems of the VMs.
  - 4. The method of claim 2, wherein the VMs and applications and processes running in the VMs are unaware of the existence of the secure wire.
  - 5. The method of claim 2, further comprising, fetching, by the key management module, the first encryption key, wherein the first encryption key is securely transmitted from a management server.
  - 6. The method of claim 1, further comprising:
    - receiving, via a second pNIC, the transmitted encrypted frame;
      
      intercepting the encrypted frame as the encrypted frame is in transit to a second vNIC from the second pNIC;
      
      decrypting payload data of the encrypted frame using the first encryption key.
  - 7. The method of claim 6, wherein the frame is encrypted according to IEEE MAC Security Standard (MACSec) frame format.
  - 8. The method of claim 6, further comprising, adding to the L2 frame a value which indicates an EtherType, a value which identifies the first encryption key, an encoded encryption initialization vector value, or a signed hash value used to authenticate the encrypted frame and ensure data integrity of the encrypted frame.
  - 9. The method of claim 1, wherein the encrypting is performed based on a policy, the policy specifying which traffic out of the first vNIC to encrypt.
  - 10. The method of claim 1, wherein the secure wire is enabled on a virtual extensible LAN (VXLAN).
  - 16. The computer-readable storage medium of claim 10, the operations further comprising:
    - receiving, via a second pNIC, the transmitted encrypted frame;
      
      intercepting the encrypted frame as the encrypted frame is in transit to a second vNIC from the second pNIC;
      
      decrypting payload data of the encrypted frame using the first encryption key.
  - 17. The computer-readable storage medium of claim 16, wherein the frame is encrypted according to IEEE MAC Security Standard (MACSec) frame format.
  - 18. The computer-readable storage medium of claim 16, the operations further comprising, adding to the L2 frame a value which indicates an EtherType, a value which identifies the first encryption key, an encoded encryption initialization vector value, or a signed hash value used to authenticate the encrypted frame and ensure data integrity of the encrypted frame.

11. A non-transitory computer-readable storage medium embodying computer program instructions for reducing perceived read latency, the computer program instructions implementing operations for securing traffic in a multi-tenant virtualized infrastructure, the operations comprising:
- intercepting, by an encryption module of a first virtual machine (VM) host, an L2 frame sent via a first virtual network interface card (vNIC) as the L2 frame is en route to a first physical network interface card (pNIC);
  
  determining a first secure wire to which the first vNIC is connected, wherein the first secure wire is enabled on a first L2 domain;
  
  modifying, by the encryption module, the L2 frame to generate an encrypted frame, wherein the modifying includes encrypting payload data of the L2 frame using a first encryption key shared by vNICs connected to the first secure wire; and
  
  transmitting the encrypted frame over a network, wherein the transmitting is performed via the first pNIC.
- View Dependent Claims (12, 13, 14, 15, 19, 20)
- - 12. The computer-readable storage medium of claim 11, wherein the intercepting and determining are performed by an encryption module of a virtual machine (VM) host on which one or more virtual machines (VMs) run, wherein the encryption module is at a farthest layer from the first vNIC, and wherein the encrypting is performed by a key management module of the VM host, the key management module exposing an application programming interface (API) which the encryption module invokes for the encrypting.
  - 13. The computer-readable storage medium of claim 12, wherein the intercepting, determining, and encrypting do not require configuration changes to operating systems of the VMs.
  - 14. The computer-readable storage medium of claim 12, wherein the VMs and applications and processes running in the VMs are unaware of the existence of the secure wire.
  - 15. The computer-readable storage medium of claim 12, the operations further comprising, fetching, by a key management module of the VM host, the first encryption key, wherein the first encryption key is securely transmitted from a management server.
  - 19. The computer-readable storage medium of claim 11, wherein the encrypting is performed based on a policy, the policy specifying which traffic out of the first vNIC to encrypt.
  - 20. The computer-readable storage medium of claim 11, wherein the secure wire is enabled on a virtual extensible LAN (VXLAN).

21. A system, comprising:
- a processor; and
  
  a memory, wherein the memory includes a program for reducing perceived read latency, the program being configured to perform operations for securing traffic in a multi-tenant virtualized infrastructure comprising;
  
  Without making any changes to existing VM and applications running inside VM, intercepting a Layer 2 (L2) frame sent via a first virtual network interface card (vNIC) in route to a first physical network interface card (pNIC);
  
  determining a first secure wire to which the first vNIC is connected, wherein the first secure wire is enabled on a first L2 domain;
  
  encrypting payload data of the L2 frame using a first encryption key associated with the first secure wire.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
CHOPRA, Amit, MASUREKAR, Uday

Granted Patent

US 9,930,066 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0457   wherein the sending and rec...

H04L 63/0485   Networking architectures fo...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/065   for group communications cr...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04L 63/162   at the data link layer

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0833   involving conference or gro...

H04L 9/0866   involving user or device id...

INFRASTRUCTURE LEVEL LAN SECURITY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

INFRASTRUCTURE LEVEL LAN SECURITY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links