Virtual network pairs

US 8,533,343 B1
Filed: 05/31/2012
Issued: 09/10/2013
Est. Priority Date: 01/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method implemented by data processing apparatus, the method comprising:

receiving a plurality of outgoing packets from one or more source virtual machines executing on the data processing apparatus, each source virtual machine being a hardware virtualization of the data processing apparatus and each packet being destined for a destination virtual machine;

establishing a plurality of virtual network pairs, one for each unique pair of source and destination virtual machines, wherein establishing the plurality of virtual network pairs comprises receiving, from an external data processing apparatus and in exchange for a secret key that is not known by the one or more destination virtual machines, a distinct token and network address for each of the one or more destination virtual machines, wherein each token is a single piece of information that represents a distinct secret key and the network address of the destination virtual machine, and wherein the established virtual network pairs are unidirectional;

encapsulating each outgoing packet in a message with the token for the destination virtual machine of the message; and

sending each message to the respective destination virtual machine for the message by sending the message to the respective network address for the destination virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for implementing virtual network pairs between virtual machines and other devices. In one aspect, a method includes receiving a plurality of outgoing packets from one or more source virtual machines executing on the data processing apparatus, each source virtual machine being a hardware virtualization of the data processing apparatus and each packet destined for a destination virtual machine; establishing a plurality of virtual network pairs, one for each unique pair of source and destination virtual machines, wherein establishing the plurality of virtual network pairs comprises obtaining, from an external data processing apparatus, a different network address for each destination virtual machine; encapsulating each outgoing packet in a message; and sending each message to the destination virtual machine for the respective packet by sending the message to the respective network destination address.

75 Citations

View as Search Results

20 Claims

1. A method implemented by data processing apparatus, the method comprising:
- receiving a plurality of outgoing packets from one or more source virtual machines executing on the data processing apparatus, each source virtual machine being a hardware virtualization of the data processing apparatus and each packet being destined for a destination virtual machine;
  
  establishing a plurality of virtual network pairs, one for each unique pair of source and destination virtual machines, wherein establishing the plurality of virtual network pairs comprises receiving, from an external data processing apparatus and in exchange for a secret key that is not known by the one or more destination virtual machines, a distinct token and network address for each of the one or more destination virtual machines, wherein each token is a single piece of information that represents a distinct secret key and the network address of the destination virtual machine, and wherein the established virtual network pairs are unidirectional;
  
  encapsulating each outgoing packet in a message with the token for the destination virtual machine of the message; and
  
  sending each message to the respective destination virtual machine for the message by sending the message to the respective network address for the destination virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein receiving, establishing and encapsulating are performed in a user space of an operating system.
  - 3. The method of claim 1 wherein at least one unique pair of source and destination virtual machines execute on a same data processing apparatus.
  - 4. The method of claim 1 wherein at least one unique pair of source and destination virtual machines execute on different data processing apparatus.
  - 5. The method of claim 1 wherein a token encapsulated with a message received from a particular source virtual machine is used by a particular destination virtual machine to authenticate the message.
  - 6. The method of claim 1 wherein the network address comprises an Internet Protocol address of a host machine on which the destination virtual machine executes and a User Datagram Protocol port for the destination virtual machine.
  - 7. The method of claim 1, further comprising:
    - determining that a validity period for a particular destination virtual machine'"'"'s network address has elapsed.
  - 8. The method of claim 7, further comprising obtaining, from the external data processing apparatus, a new network address for the destination virtual machine.

9. A system comprising:
- data processing apparatus and one or more storage devices having instructions stored thereon that, when executed by the data processing apparatus, cause the data processing apparatus to perform operations comprising;
  
  receiving a plurality of outgoing packets from one or more source virtual machines executing on the data processing apparatus, each source virtual machine being a hardware virtualization of the data processing apparatus and each packet being destined for a destination virtual machine;
  
  establishing a plurality of virtual network pairs, one for each unique pair of source and destination virtual machines, wherein establishing the plurality of virtual network pairs comprises receiving, from an external data processing apparatus and in exchange for a secret key that is not known by the one or more destination virtual machines, a distinct token and network address for each of the one or more destination virtual machines, wherein each token is a single piece of information that represents a distinct secret key and the network address of the destination virtual machine, and wherein the established virtual network pairs are unidirectional;
  
  encapsulating each outgoing packet in a message with the token for the destination virtual machine of the message; and
  
  sending each message to the respective destination virtual machine for the message by sending the message to the respective network address for the destination virtual machine.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein receiving, establishing and encapsulating are performed in a user space of an operating system.
  - 11. The system of claim 9 wherein at least one unique pair of source and destination virtual machines execute on a same data processing apparatus.
  - 12. The system of claim 9 wherein at least one unique pair of source and destination virtual machines execute on different data processing apparatus.
  - 13. The system of claim 9 wherein a token encapsulated with a message received from a particular source virtual machine is used by a particular destination virtual machine to authenticate the message.
  - 14. The system of claim 9 wherein the network address comprises an Internet Protocol address of a host machine on which the destination virtual machine executes and a User Datagram Protocol port for the destination virtual machine.
  - 15. The system of claim 9 wherein the operations further comprise:
    - determining that a validity period for a particular destination virtual machine'"'"'s network address has elapsed.
  - 16. The system of claim 15 wherein the operations further comprise:
    - obtaining, from the external data processing apparatus, a new network address for the destination virtual machine.

17. A non-transitory storage medium having instructions stored thereon that, when executed by data processing apparatus, cause the data processing apparatus to perform operations comprising:
- receiving a plurality of outgoing packets from one or more source virtual machines executing on the data processing apparatus, each source virtual machine being a hardware virtualization of the data processing apparatus and each packet being destined for a destination virtual machine;
  
  establishing a plurality of virtual network pairs, one for each unique pair of source and destination virtual machines, wherein establishing the plurality of virtual network pairs comprises receiving, from an external data processing apparatus and in exchange for a secret key that is not known by the one or more destination virtual machines, a distinct token and network address for each of the one or more destination virtual machines, wherein each token is a single piece of information that represents a distinct secret key and the network address of the destination virtual machine, and wherein the established virtual network pairs are unidirectional;
  
  encapsulating each outgoing packet in a message with the token for the destination virtual machine of the message; and
  
  sending each message to the respective destination virtual machine for the message by sending the message to the respective network address for the destination virtual machine.
- View Dependent Claims (18, 19, 20)
- - 18. The storage medium of claim 17, wherein receiving, establishing and encapsulating are performed in a user space of an operating system.
  - 19. The storage medium of claim 17 wherein a token encapsulated with a message received from a particular source virtual machine is used by a particular destination virtual machine to authenticate the message.
  - 20. The storage medium of claim 17 wherein the network address comprises an Internet Protocol address of a host machine on which the destination virtual machine executes and a User Datagram Protocol port for the destination virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Beda, Joseph S. III, Petrescu-Prahova, Cristian, Kern, Christoph, Anderson, Evan K.
Primary Examiner(s)
BAYARD, DJENANE M

Application Number

US13/485,846
Time in Patent Office

467 Days
Field of Search

709/227, 709/228, 709/229
US Class Current

709/227
CPC Class Codes

G06F 9/546   Message passing systems or ...

H04L 63/0876   based on the identity of th...

H04L 63/126   the source of the received ...

Virtual network pairs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual network pairs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links