Intrusion detection and prevention processing within network interface circuitry

US 8,621,627 B1
Filed: 02/12/2010
Issued: 12/31/2013
Est. Priority Date: 02/12/2010
Status: Active Grant

First Claim

Patent Images

1. A network interface controller (NIC) configured to couple a host to a network, the NIC coupled to the host via a host bus, and the host configured to operate a plurality of virtual machines, the NIC configured to:

receive at least one data frame, the at least one data frame including at least a source network address and indication of at least one destination network address,determine if the received data frame is a frame on which additional processing should occur;

based on a result of the determining step, cause the frame to be provided to the host, via the host bus, for the host to perform the additional processing; and

receive, via the host bus, the frame on which additional processing has been performed and steer the frame to a destination based on the at least one destination address.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network interface controller (NIC) is configured to couple a host to a network. The NIC coupled to the host via a host bus, and the host is configured to operate a plurality of virtual machines. The NIC is configured to receive at least one data frame, the at least one data frame including at least a source network address and indication of at least one destination network address; determine if the received data frame is a frame on which additional processing should occur; based on a result of the determining step, cause the frame to be provided to the host, via the host bus, for the host to perform the additional processing; and receive, via the host bus, the frame on which additional processing has been performed and steer the frame to a destination based on the at least one destination address.

Citations

29 Claims

1. A network interface controller (NIC) configured to couple a host to a network, the NIC coupled to the host via a host bus, and the host configured to operate a plurality of virtual machines, the NIC configured to:
- receive at least one data frame, the at least one data frame including at least a source network address and indication of at least one destination network address,determine if the received data frame is a frame on which additional processing should occur;
  
  based on a result of the determining step, cause the frame to be provided to the host, via the host bus, for the host to perform the additional processing; and
  
  receive, via the host bus, the frame on which additional processing has been performed and steer the frame to a destination based on the at least one destination address.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The NIC of claim 1, wherein the NIC is further configured to:
    - for each received data frame that is a data frame received from one of the virtual machines operated by the host and which is indicated as belonging to a connection for which the NIC is configured to offload protocol processing, performing protocol processing with respect to the data frame according to a state of the connection maintained in the NIC.
  - 3. The NIC of claim 1, wherein the NIC is further configured to:
    - for each data frame on which additional processing has been performed and that is a data frame destined for one of the virtual machines operated by the host and which is indicated as belonging to a connection for which the NIC is configured to offload protocol processing, performing protocol processing with respect to the data frame and the connection according to a state of the connection maintained in the NIC.
  - 4. The NIC of claim 1, wherein:
    - the NIC being configured to receive at least one data frame includes the NIC being configured to receive at least one data frame from either a peer via the network or from the virtual machines operated on the host.
  - 5. The NIC of claim 1, wherein the NIC is configured to carry out filter processing such that a frame that would otherwise be caused to be provided to the host, via the host bus, for the host to perform the additional processing, is instead dropped.
  - 6. The NIC of claim 5, wherein the NIC is configured to carry out filter processing at least in part based on rules that are configurable by the additional processing being performed on the host.

7. A network interface controller (NIC) configured to couple a host to a network, the NIC coupled to the host via a host bus, and the host configured to operate a plurality of virtual machines, the NIC including a data frame processing pipeline configured to:
- receive at least one data frame, the at least one data frame including at least a source network address and indication of at least one destination network address,based on an indication in the data frame, determine if the received data frame is a frame on which additional processing should occur;
  
  based on a result of the determining step, cause the frame to be provided to the host, via the host bus, for the host to perform the additional processing; and
  
  receive, via the host bus, the frame on which additional processing has been performed and provide the frame to a destination based on the indication of the at least one destination address.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 8. The NIC of claim 7, wherein the data frame processing pipeline of the NIC is further configured to:
    - for each received data frame that is a data frame received from one of the virtual machines operated by the host and which is indicated as belonging to a connection for which the NIC is configured to offload protocol processing, performing protocol processing with respect to the data frame according to a state of the connection maintained in the NIC.
  - 9. The NIC of claim 7, wherein the data frame processing pipeline of the NIC is further configured to:
    - for each data frame on which additional processing has been performed and that is a data frame destined for one of the virtual machines operated by the host and which is indicated as belonging to a connection for which the NIC is configured to offload protocol processing, performing protocol processing with respect to the data frame and the connection according to a state of the connection maintained in the NIC.
  - 10. The NIC of claim 9, wherein:
    - the NIC is further configured to add, after the performing of the protocol processing, the indication in the data frame, on which the determining is based, to at least some of the data frames that originate from a virtual machine that is not indicated as a trusted virtual machine.
  - 11. The NIC of claim 7, wherein:
    - the source network address is an original source network address; and
      
      the frame on which additional processing has been performed, received via the host bus, indicates the original source network address as a source network address.
  - 12. The NIC of claim 7, wherein:
    - the indication in the data frame on which the determining is based is an indication of an origin of the data frame.
  - 13. The NIC of claim 7, wherein:
    - the NIC is further configured to add the indication in the data frame, on which the determining is based, to at least some of the data frames that originate from a virtual machine that is not indicated as a trusted virtual machine.
  - 14. The NIC of claim 13 wherein:
    - for each received data frame that is a data frame received from one of the virtual machines operated by the host and which is indicated as belonging to a connection for which the NIC is configured to offload protocol processing, performing protocol processing with respect to the data frame according to a state of the connection maintained in the NIC.
  - 15. The NIC of claim 14, wherein:
    - the NIC is configured to add the indication in the data frame after the offload protocol processing is performed with respect to the data frame.
  - 16. The NIC of claim 13, wherein:
    - firmware in the NIC is configured to mark the data frame as a data frame for which the indication is to be added; and
      
      the NIC is further configured to, during protocol offload processing of the data frame, detect that the data frame has been marked and to add the indication to the protocol processed data frame.
  - 17. The NIC of claim 13, wherein:
    - the indication which the NIC is configured to add in the data frame is a control tag.
  - 18. The NIC of claim 17, wherein the control tag is an oVLAN tag.
  - 19. The NIC of claim 13, wherein:
    - the indication which the NIC is configured to add in the data frame is an Ethernet header that indicates a destination on the host to perform the intrusion detection processing.
  - 20. The NIC of claim 7, wherein:
    - the NIC being configured provide the frame to a destination based on the indication of the at least one destination address includes the NIC being configured to determine whether to provide the frame to multiple destinations based on the indication of the at least one destination address.
  - 21. The NIC of claim 20, wherein:
    - the NIC is further configured to, based on a result of the determination of whether to provide the frame to multiple destinations, replicate the frame and utilize the processing pipeline to provide the replicated frames to the multiple destinations.
  - 22. The NIC of claim 7, wherein the NIC is configured to carry out filter processing such that a frame that would otherwise be caused to be provided to the host, via the host bus, for the host to perform the additional processing, is instead dropped.
  - 23. The NIC of claim 22, wherein the NIC is configured to carry out filter processing at least in part based on rules that are configurable by the additional processing being performed on the host.

24. A network interface controller (NIC) configured to couple a host to a network, the NIC coupled to the host via a host bus, and the host configured to operate a plurality of virtual machines, the NIC configured to:
- receive at least one data frame, the at least one data frame including at least a source network address and indication of at least one destination network address,determine if the received data frame is a frame on which additional processing should occur;
  
  based on a result of the determining step, cause the frame to be provided for additional processing prior to providing the frame to a destination; and
  
  receive the frame on which additional processing has been performed and steer the frame to the destination based on the at least one destination address.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The NIC of claim 24, wherein the NIC is further configured to:
    - for each received data frame that is a data frame received from one of the virtual machines operated by the host and which is indicated as belonging to a connection for which the NIC is configured to offload protocol processing, performing protocol processing with respect to the data frame according to a state of the connection maintained in the NIC.
  - 26. The NIC of claim 24, wherein the NIC is further configured to:
    - for each data frame on which additional processing has been performed and that is a data frame destined for one of the virtual machines operated by the host and which is indicated as belonging to a connection for which the NIC is configured to offload protocol processing, performing protocol processing with respect to the data frame and the connection according to a state of the connection maintained in the NIC.
  - 27. The NIC of claim 24, wherein:
    - the NIC being configured to receive at least one data frame includes the NIC being configured to receive at least one data frame from either a peer via the network or from the virtual machines operated on the host.
  - 28. The NIC of claim 24, wherein the NIC is configured to carry out filter processing such that a frame that would otherwise be caused to be provided to the host, via the host bus, for the host to perform the additional processing, is instead dropped.
  - 29. The NIC of claim 24, wherein the NIC is configured to carry out filter processing at least in part based on rules that are configurable by the additional processing being performed on the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Chelsio Communications Incorporated
Original Assignee
Chelsio Communications Incorporated
Inventors
Eiriksson, Asgeir Thor, Noureddine, Wael, Sullerey, Anamaya
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Jamshidi, Ghodrat

Application Number

US12/704,884
Time in Patent Office

1,418 Days
Field of Search

709/250
US Class Current

726/23
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/1001   for accessing one among a p...

Intrusion detection and prevention processing within network interface circuitry

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection and prevention processing within network interface circuitry

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links