Network interface decryption and classification technique

US 7,607,168 B1
Filed: 04/22/2005
Issued: 10/20/2009
Est. Priority Date: 04/22/2005
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a physical network interface card, operatively connected to a network, comprising a plurality of receive rings, and configured to;

receive at least one packet from the network,determine whether the at least one packet is encrypted, andupon determining that the at least one packet is encrypted,decrypt the at least one packet to obtain at least one decrypted packet,classify the at least one decrypted packet to obtain at least one classified packet, anddirect the at least one classified data packet to at least one of the plurality of receive rings; and

a host system, operatively connected to the physical network interface card, comprising a plurality of virtual serialization queues and a plurality of virtual network interface cards operatively connected to the plurality of virtual serialization queues,wherein each of the plurality of virtual network interface cards is associated with a distinct internet protocol (IP) address,wherein each of the plurality of virtual network interface cards is associated with at least one of the plurality of receive rings, andwherein each of the plurality of virtual serialization queues is arranged to receive data packets from at least one of the plurality of receive rings.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encrypted data packets are received by a network interface card. The network interface card, upon determining that the received data packets are encrypted, directs the encrypted data packets to decryption hardware in the network interface card. The decryption hardware decrypts the encrypted data packets and forwards the decrypted data packets to a hardware classifier that classifies the decrypted data packets and directs the classified decrypted data packets to the appropriate receive resource(s) of the network interface card.

Citations

15 Claims

1. A system, comprising:
- a physical network interface card, operatively connected to a network, comprising a plurality of receive rings, and configured to;
  
  receive at least one packet from the network,determine whether the at least one packet is encrypted, andupon determining that the at least one packet is encrypted,decrypt the at least one packet to obtain at least one decrypted packet,classify the at least one decrypted packet to obtain at least one classified packet, anddirect the at least one classified data packet to at least one of the plurality of receive rings; and
  
  a host system, operatively connected to the physical network interface card, comprising a plurality of virtual serialization queues and a plurality of virtual network interface cards operatively connected to the plurality of virtual serialization queues,wherein each of the plurality of virtual network interface cards is associated with a distinct internet protocol (IP) address,wherein each of the plurality of virtual network interface cards is associated with at least one of the plurality of receive rings, andwherein each of the plurality of virtual serialization queues is arranged to receive data packets from at least one of the plurality of receive rings.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the physical network interface card further comprises a classifier implemented in hardware, wherein the classifier is configured to classify the at least one decrypted packet to obtain the at least one classified packet.
  - 3. The system of claim 2, wherein the physical network interface card further comprises hardware decryptor logic operatively connected to the classifier and configured to decrypt the at least one packet to obtain at least one decrypted packet.
  - 4. The system of claim 3, further comprising:
    - a key database, wherein the hardware decryptor logic is configured to decrypt the at least one data packet based on information stored in the key database.
  - 5. The system of claim 4, wherein the key database is included in the physical network interface card.
  - 6. The system of claim 2, wherein the classifier is further configured to direct the at least one classified data packet to the at least one of the plurality of receive rings.
  - 7. The system of claim 1, wherein each of the plurality of virtual serialization queues is associated with at least one selected from a group consisting of a service, a user, and a container of the host system.
  - 8. The system of claim 1, the physical network interface card further comprising:
    - at least one send ring configured to direct data packets received from the host system to the network.

9. A method of processing network traffic, comprising:
- receiving a data packet from a network;
  
  determining whether the received data packet is encrypted; and
  
  upon determining that the received data packet is encrypted,decrypting the received data packet in hardware of a physical network interface card,classifying the decrypted data packet,directing the decrypted data packet to one of a plurality of receive rings of the physical network interface card based on the classifying,directing the decrypted data packet in the one of a plurality of receive rings to one of a plurality of virtual network interface cards included in a host system, anddirecting the decrypted data packet in the one of the plurality of virtual network interface cards to one of a plurality of virtual serialization queues included in the host system,wherein each of the plurality of virtual network interface cards is associated with a distinct internet protocol (IP) address,wherein each of the plurality of virtual network interface cards is associated with at least one of the plurality of receive rings, andwherein each of the plurality of virtual network interface cards is associated with a respective one of the virtual serialization queues.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, further comprising:
    - upon determining that the received data packet is encrypted,directing the decrypted data packet in the one of the plurality of virtual serialization queues to at least one of a plurality of packet destinations in the host system.
  - 11. The method of claim 9, wherein decrypting the received data packet in hardware of the physical network interface card is based on information stored in a key database.
  - 12. The method of claim 9, wherein each of the plurality of virtual serialization queues is associated with at least one selected from a group consisting of a service, a user, and a container of the host system.
  - 13. The method of claim 9, further comprising:
    - sending data packets from the host system to the network.

14. A computer readable storage medium having software instructions embodied therein, the software instructions adapted to be executed to implement a method of processing network traffic, the method comprising:
- receiving a data packet from a network;
  
  determining whether the received data packet is encrypted; and
  
  upon determining that the received data packet is encrypted,decrypting the received data packet in hardware of a physical network interface card,classifying the decrypted data packet,directing the decrypted data packet to one of a plurality of receive rings of the physical network interface card based on the classifying,directing the decrypted data packet in the one of a plurality of receive rings to one of a plurality of virtual network interface cards included in a host system, anddirecting the decrypted data packet in the one of the plurality of virtual network interface cards to one of a plurality of virtual serialization queues included in the host system,wherein each of the plurality of virtual network interface cards is associated with a distinct internet protocol (IP) address,wherein each of the plurality of virtual network interface cards is associated with at least one of the plurality of receive rings, andwherein each of the plurality of virtual network interface cards is associated with a respective one of the virtual serialization queues.
- View Dependent Claims (15)
- - 15. The computer readable storage medium of claim 14, the method further comprising:
    - upon determining that the received data packet is encrypted,directing the decrypted data packet in the one of the plurality of virtual serialization queues to at least one of a plurality of packet destinations in the host system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Droux, Nicolas G., Tripathi, Sunay, Chu, Hsiao-Keng Jerry
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US11/112,436
Time in Patent Office

1,642 Days
Field of Search

726/13
US Class Current

726/13
CPC Class Codes

H04L 47/2441   relying on flow classificat...

H04L 49/90   Buffering arrangements

H04L 49/9063   Intermediate storage in dif...

H04L 63/0428   wherein the data content is...

Network interface decryption and classification technique

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Network interface decryption and classification technique

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links