Acceleration of packet flow classification in a virtualized system

US 8,010,990 B2
Filed: 10/26/2006
Issued: 08/30/2011
Est. Priority Date: 10/26/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a memory to store a plurality of database lookups and a plurality of policy databases, each database lookup associated with only one policy database and each policy database and database lookup pair associated with only one virtual machine, the policy database to store a processing policy associated with a received packet; and

a packet classifier to direct the received packet to the policy database and database lookup pair associated with one of a plurality of virtual machines to identify the processing policy to handle the received packet,wherein the virtual machine identified to handle the received packet is dependent on a network interface through which the packet is received.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system having a plurality of virtual machines is provided. Each virtual machine in the computer system has an associated policy (rules) database and database (policy table) for storing rules and a database lookup associated with the policy database. One policy database/database lookup pair per virtual machine allows each virtual machine to have a different set of packet processing rules and security policies for handling the same key. In addition, the policy database associated with one virtual machine may be updated and the database lookup associated with the policy database re-generated independently without requiring any update of the policy database lookups associated with any of the other policy databases in the computer system.

206 Citations

18 Claims

1. An apparatus comprising:
- a memory to store a plurality of database lookups and a plurality of policy databases, each database lookup associated with only one policy database and each policy database and database lookup pair associated with only one virtual machine, the policy database to store a processing policy associated with a received packet; and
  
  a packet classifier to direct the received packet to the policy database and database lookup pair associated with one of a plurality of virtual machines to identify the processing policy to handle the received packet,wherein the virtual machine identified to handle the received packet is dependent on a network interface through which the packet is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the policy database is a Security Policy Database (SPD), the policy database and database lookup pair to allow each virtual machine to have a different processing policy for handling a same key extracted from the received packet, the processing policy including a set of packet processing rules and security policies.
  - 3. The apparatus of claim 2, wherein the received packet is an Internet Protocol Security (IPsec) packet.
  - 4. The apparatus of claim 2, wherein the database lookup uses a Recursive Flow Classification (RFC) algorithm to provide an index to the SPD based on the key extracted from the received packet.
  - 5. The apparatus of claim 4, wherein the key includes a tuple of a set of fields from headers included in the packet.
  - 6. The apparatus of claim 5, wherein the set of fields include a Transport Control Protocol (TCP) source port field, a TCP destination port field, an Internet Protocol (IP) source address field and an IP destination address field.
  - 7. The apparatus of claim 1, wherein each of the plurality of virtual machines includes an operating system that operates independently from the operating systems in the other virtual machines.
  - 8. The apparatus of claim 1, wherein the memory to store a plurality of virtual machine cache tables, each virtual machine cache table associated with one virtual machine, the virtual machine cache table to store rules retrieved from the policy table.

9. An method comprising:
- providing a plurality of database lookups and a plurality of policy databases, each database lookup associated with only one policy database and each policy database and database lookup pair associated with only one virtual machine, the policy database to store a processing policy associated with a received packet; and
  
  directing the received packet to the policy database and database lookup pair associated with one of a plurality of virtual machines to identify the processing policy to handle the received packet,wherein the virtual machine identified to handle the received packet is dependent on a network interface through which the packet is received.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the policy database is a Security Policy Database (SPD), the policy database and database lookup pair to allow each virtual machine to have a different processing policy for handling a same key extracted from the received packet, the processing policy including a set of packet processing rules and security policies.
  - 11. The method of claim 10, wherein the received packet is an Internet Protocol Security (IPsec) packet.
  - 12. The method of claim 10, wherein the database lookup uses a Recursive Flow Classification (RFC) algorithm to provide an index to the SPD based on a key extracted from the received packet.
  - 13. The method of claim 12, wherein the key includes a tuple of a set of fields from headers included in the packet.
  - 14. The method of claim 13, wherein the set of fields include a Transport Control Protocol (TCP) source port field, a TCP destination port field, an Internet Protocol (IP) source address field and an IP destination address field.
  - 15. The method of claim 9, wherein each of the plurality of virtual machines includes an operating system that operates independently from the operating systems in the other virtual machines.
  - 16. The method of claim 9, wherein the memory to store a plurality of virtual machine cache tables, each virtual machine cache table associated with one virtual machine, the virtual machine cache table to store rules retrieved from the policy table.

17. An article including a machine-accessible medium having associated information, wherein the information, when accessed, results in a machine performing:
- providing a plurality of database lookups and a plurality of policy databases, each database lookup associated with only one policy database and each policy database and database lookup pair associated with only one virtual machine, the policy database to store a processing policy associated with a received packet; and
  
  directing the received packet to the policy database and database lookup pair associated with one of a plurality of virtual machines to identify the processing policy to handle the received packet,wherein the virtual machine identified to handle the received packet is dependent on a network interface through which the packet is received.

18. An system comprising:
- a switch;
  
  a memory to store a plurality of database lookups and a plurality of policy databases, each database lookup associated with only one policy database and each policy database and database lookup pair associated with only one virtual machine, the policy database to store a processing policy associated with a received packet; and
  
  a packet classifier to direct the received packet to the policy database and database lookup pair associated with one of a plurality of virtual machines to identify the processing policy to handle the received packet,wherein the virtual machine identified to handle the received packet is dependent on a network interface through which the packet is received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Doyle, Stephen, Ferguson, Conor
Primary Examiner(s)
Hoffman; Brandon S

Application Number

US11/588,469
Publication Number

US 20080148341A1
Time in Patent Office

1,769 Days
Field of Search

713151-153, 713/162, 713/189, 370/235, 370/238, 370/351, 370/389, 370/392, 370/401, 370/412, 370/466, 726/1, 726/13
US Class Current

726/1
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/2441   relying on flow classificat...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Acceleration of packet flow classification in a virtualized system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Acceleration of packet flow classification in a virtualized system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links