INFRASTRUCTURE LEVEL LAN SECURITY

US 20160099968A1
Filed: 12/10/2015
Published: 04/07/2016
Est. Priority Date: 02/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing group key-based encryption, comprising:

receiving a selection of a Layer 2 (L2) domain on which a secure wire is to be enabled;

generating an encryption key for the secure wire;

receiving a selection of one or more virtual network interface cards (vNICs) to add to the secure wire; and

encrypting communications between the one or more vNICs using the encryption key generated for the secure wire.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.

Citations

20 Claims

1. A computer-implemented method of providing group key-based encryption, comprising:
- receiving a selection of a Layer 2 (L2) domain on which a secure wire is to be enabled;
  
  generating an encryption key for the secure wire;
  
  receiving a selection of one or more virtual network interface cards (vNICs) to add to the secure wire; and
  
  encrypting communications between the one or more vNICs using the encryption key generated for the secure wire.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein encrypting the communications includes:
    - intercepting, by one or more encryption modules, frames sent by the one or more vNICs as the frames are en route to physical network interface cards (pNICs); and
      
      encrypting, by one or more key management modules, the intercepted frames, wherein the one or more key management modules maintain mappings between secure wires and associated encryption keys and expose application programming interfaces (APIs) which the encryption modules invoke for encrypting frames.
  - 3. The method of claim 2,wherein the encryption key is generated by a management server;
    - andwherein the encryption key is securely transmitted from the management server to the one or more key management modules.
  - 4. The method of claim 2, wherein the one or more encryption modules are located at layers farthest from the one or more vNICs.
  - 5. The method of claim 2, further comprising:
    - intercepting the encrypted frames as the encrypted frames are en route to one or more target vNICs; and
      
      decrypting payload data of the encrypted frames using the encryption key.
  - 6. The method of claim 1, wherein only permitted cloud tenant administrators are able to add or remove vNICs from the secure wire.
  - 7. The method of claim 1, further comprising:
    - adding to each of the intercepted frames at least one of a value which identifies the encryption key, an encoded encryption initialization vector value, and a signed hash value used to authenticate the encrypted frames and ensure data integrity.
  - 8. The method of claim 1, wherein the intercepted frames are encrypted according to IEEE MAC Security Standard (MACSec) frame format.
  - 9. The method of claim 1, wherein the encrypting is performed based on one or more policies specifying which traffic out of the one or more vNICs to encrypt.
  - 10. The method of claim 1, wherein the secure wire is enabled on a virtual extensible LAN (VXLAN).

11. A non-transitory computer-readable storage medium embodying computer program instructions for providing group key-based encryption, the computer program instructions implementing operations comprising:
- receiving a selection of a Layer 2 (L2) domain on which a secure wire is to be enabled;
  
  generating an encryption key for the secure wire;
  
  receiving a selection of one or more virtual network interface cards (vNICs) to add to the secure wire; and
  
  encrypting communications between the one or more vNICs using the encryption key generated for the secure wire.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer-readable storage medium of claim 11, wherein encrypting the communications includes:
    - intercepting, by one or more encryption modules, frames sent by the one or more vNICs as the frames are en route to physical network interface cards (pNICs); and
      
      encrypting, by one or more key management modules, the intercepted frames, wherein the one or more key management modules maintain mappings between secure wires and associated encryption keys and expose application programming interfaces (APIs) which the encryption modules invoke for encrypting frames.
  - 13. The computer-readable storage medium of claim 12,wherein the encryption key is generated by a management server;
    - andwherein the encryption key is securely transmitted from the management server to the one or more key management modules.
  - 14. The computer-readable storage medium of claim 12, wherein the one or more encryption modules are located at layers farthest from the one or more vNICs.
  - 15. The computer-readable storage medium of claim 12, the operations further comprising:
    - intercepting the encrypted frames as the encrypted frames are en route to one or more target vNICs; and
      
      decrypting payload data of the encrypted frames using the encryption key.
  - 16. The computer-readable storage medium of claim 11, wherein only permitted cloud tenant administrators are able to add or remove vNICs from the secure wire.
  - 17. The computer-readable storage medium of claim 11, the operations further comprising:
    - adding to each of the intercepted frames at least one of a value which identifies the encryption key, an encoded encryption initialization vector value, and a signed hash value used to authenticate the encrypted frames and ensure data integrity.
  - 18. The computer-readable storage medium of claim 11, wherein the encrypting is performed based on a policy, the policy specifying which traffic out of the first vNIC to encrypt.
  - 19. The computer-readable storage medium of claim 11, wherein the secure wire is enabled on a virtual extensible LAN (VXLAN).

20. A system, comprising:
- a processor; and
  
  a memory, wherein the memory includes a program for providing group key-based encryption, the program being configured to perform operations comprising;
  
  receiving a selection of a Layer 2 (L2) domain on which a secure wire is to be enabled,generating an encryption key for the secure wire,receiving a selection of one or more virtual network interface cards (vNICs) to add to the secure wire, andencrypting communications between the one or more vNICs using the encryption key generated for the secure wire.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
CHOPRA, Amit, MASUREKAR, Uday

Granted Patent

US 10,771,505 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0457   wherein the sending and rec...

H04L 63/0485   Networking architectures fo...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/065   for group communications cr...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04L 63/162   at the data link layer

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0833   involving conference or gro...

H04L 9/0866   involving user or device id...

INFRASTRUCTURE LEVEL LAN SECURITY

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INFRASTRUCTURE LEVEL LAN SECURITY

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links