Co-operative secure packet management

US 8,640,220 B1
Filed: 09/09/2009
Issued: 01/28/2014
Est. Priority Date: 09/09/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method for processing data packets in an electronic environment, comprising:

under control of one or more computer systems configured with executable instructions,receiving a packet to a physical network interface on a host machine executing a guest operating system, the guest operating system having native access to a first physical processing unit of the host machine, the host machine including a second physical processing unit inaccessible by the guest operating system, the host machine further including an input/output (I/O) hub configured to;

restrict the first physical processing unit from modifying header information of the packet in the physical network interface and enabling the first physical processing unit to access a payload portion of the packet in the physical network interface; and

enable the second physical processing unit to modify the header information of the packet in the physical network interface,the physical network interface capable of transmitting packets of data between a secure environment and a user environment;

extracting the header information for the packet using the physical network interface and causing the header information to be forwarded to the second physical processing unit;

if the packet is received from the user environment,determining a mapping of a first address of the packet in the user environment to a second address of the packet in the secure environment using the second physical processing unit;

updating header information to the packet to specify the second address; and

forwarding the packet to the second address using the physical network interface; and

if the packet is received from the secure environment,determining a mapping of the second address of the packet in the secure environment to the first address of the packet in the user environment using the second physical processing unit;

updating header information to the packet to specify the first address; and

forwarding the packet to the first address using the physical network interface,wherein the physical network interface is able to offload at least a portion of processing for the packet to the second physical processing unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure networking processes, such as packet encapsulation and decapsulation, can be executed upstream of a user or guest operating system provisioned on a host machine, where the user has substantially full access to that machine. The processing can be performed on a device such as a network interface card (NIC), which can have a separate network port for communicating with mapping systems or other devices across a cloud or secure network. A virtual image of the NIC can be provided to the user such that the user can still utilize at least some of the NIC functionality. In some embodiments, the NIC can work with a standalone processor or control host in order to offload much of the processing to the control host. The NIC can further handle headers and payload separately where possible, in order to improve the efficiency of processing the various packets.

115 Citations

View as Search Results

26 Claims

1. A computer-implemented method for processing data packets in an electronic environment, comprising:
- under control of one or more computer systems configured with executable instructions,receiving a packet to a physical network interface on a host machine executing a guest operating system, the guest operating system having native access to a first physical processing unit of the host machine, the host machine including a second physical processing unit inaccessible by the guest operating system, the host machine further including an input/output (I/O) hub configured to;
  
  restrict the first physical processing unit from modifying header information of the packet in the physical network interface and enabling the first physical processing unit to access a payload portion of the packet in the physical network interface; and
  
  enable the second physical processing unit to modify the header information of the packet in the physical network interface,the physical network interface capable of transmitting packets of data between a secure environment and a user environment;
  
  extracting the header information for the packet using the physical network interface and causing the header information to be forwarded to the second physical processing unit;
  
  if the packet is received from the user environment,determining a mapping of a first address of the packet in the user environment to a second address of the packet in the secure environment using the second physical processing unit;
  
  updating header information to the packet to specify the second address; and
  
  forwarding the packet to the second address using the physical network interface; and
  
  if the packet is received from the secure environment,determining a mapping of the second address of the packet in the secure environment to the first address of the packet in the user environment using the second physical processing unit;
  
  updating header information to the packet to specify the first address; and
  
  forwarding the packet to the first address using the physical network interface,wherein the physical network interface is able to offload at least a portion of processing for the packet to the second physical processing unit.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, further comprising:
    - if no mapping of the first and second addresses can be determined, rejecting the packet whereby the packet is not delivered to an intended location.
  - 3. The computer-implemented method of claim 1, further comprising:
    - exposing a virtual image of the physical network interface to the user, wherein the user is able to view and access functions of the physical network interface exposed by the virtual image.

4. A computer-implemented method for processing data packets in an electronic environment, comprising:
- under control of one or more computer systems configured with executable instructions,providing a guest operating system on a host machine with native access to at least a first physical processing unit of the host machine, the host machine including a second physical processing unit inaccessible by the guest operating system, the first physical processing unit restricted from modifying header information of a packet received by a hardware device of the host machine, the first physical processing unit enabled to access a payload portion of the packet received by the hardware device, the second physical processing unit enabled to modify the header information of the packet received by the hardware device, the host machine operating between a user environment having a user address space and a provider environment having a provider address space;
  
  for a packet to be transmitted via the host machine,causing the packet to be received to the hardware device;
  
  causing the hardware device to pass header information for the packet to the second physical processing unit of the host machine;
  
  determining mapping information for the packet using the second physical processing unit;
  
  updating the header information using the mapping information; and
  
  transmitting the packet from the hardware device using the updated header in formation,wherein the hardware device is able to offload at least a portion of processing for the packet to the second physical processing unit.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 5. The computer-implemented method of claim 4, wherein the hardware device is one of a network interface card (NIC), network switch, edge device, or network router.
  - 6. The computer-implemented method of claim 4, wherein the host machine includes a plurality of processors, and the processors other than the second physical processing unit form a symmetric multiprocessing unit.
  - 7. The computer-implemented method of claim 4, wherein passing header information for the packet to the second physical processing unit includes storing the header information to a queue accessible by the second physical processing unit.
  - 8. The computer-implemented method of claim 4, further comprising:
    - storing a payload portion of the packet while the second physical processing unit is processing the header information.
  - 9. The computer-implemented method of claim 4, wherein the user address space is a virtual address space and the provider address space is a physical address space corresponding to addresses of hardware used to process the packet.
  - 10. The computer-implemented method of claim 4, further comprising:
    - when no mapping can be determined, rejecting the packet whereby the packet is not delivered to an intended destination.
  - 11. The computer-implemented method of claim 4, wherein updating the header information includes performing encapsulation or decapsulation on the packet using the second physical processing unit.
  - 12. The computer-implemented method of claim 4, wherein determining the mapping between the first address in the user address space and the second address in the provider address comprises contacting a mapping service maintaining mappings between the user address space and the provider address space.
  - 13. The computer-implemented method of claim 4, wherein when the packet is received from the provider environment, the mapping information for the first address in the user environment is contained within the packet.
  - 14. The computer-implemented method of claim 4, wherein the second physical processing unit is further capable of processing the packet to perform a security function selected from auditing, traffic analysis, and stateful firewalling.

15. A computer-implemented method for processing data packets in an electronic environment, comprising:
- under control of one or more computer systems configured with executable instructions,providing a guest operating system on a host machine with native access to at least a first physical processing unit of the host machine, the host machine including a second physical processing unit inaccessible by the guest operating system, the first physical processing unit restricted from modifying header information of a packet received by a physical network interface of the host machine, the first physical processing unit enabled to access to a payload portion of the packet received by the hardware device, the second physical processing unit enabled to modify the header information of the packet received by the physical network interface, the host machine operating between a user environment having a user address space and a provider environment having a provider address space;
  
  for an Ethernet frame received to the physical network interface of the host machine;
  
  causing the physical network interface to determine header information for any underlying packet of the received Ethernet frame and pass the header information for the packet to the second physical processing unit of the host machine;
  
  determining mapping information for the packet using the second physical processing unit;
  
  updating the header information using the mapping information; and
  
  processing the packet using the updated header information,wherein the hardware device is able to offload at least a portion of processing for the packet to the second physical processing unit.

16. A system for processing data packets in an electronic environment, comprising:
- a processor; and
  
  a memory device including instructions that, when executed by the processor, cause the processor to;
  
  provide a guest operating system with native access to at least a first physical processing unit of a host machine, the host machine including a second physical processing unit inaccessible by the guest operating system, the first physical processing unit restricted from modifying header information of a packet received by a hardware device of the host machine, the first physical processing unit enabled to access a payload portion of the packet received by the hardware device, the second physical processing unit enabled to modify the header information of the packet received by the hardware device, the host machine operating between a user environment having a user address space and a provider environment having a provider address space;
  
  for a packet to be transmitted via the host machine,cause the packet to be received to the hardware device that is at least partially secured from access by the guest operating system;
  
  cause the hardware device to pass header information for the packet to the second physical processing unit of the host machine;
  
  cause mapping information for the packet to be determined using the second physical processing unit;
  
  cause the header information to be updated using the mapping information; and
  
  cause the packet to be transmitted from the hardware device using the updated header information,wherein the hardware device is able to offload at least a portion of processing for the packet to the second physical processing unit.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, wherein the hard ware device is one of a network interface card (NIC), network switch, edge device, or network router.
  - 18. The system of claim 16, wherein the instructions when executed by the processor further cause the processor to:
    - when no mapping can be determined, cause the packet to be rejected whereby the packet is not delivered to an intended destination.
  - 19. The system of claim 16, wherein updating the header information includes performing encapsulation or decapsulation on the packet.
  - 20. The system of claim 16, wherein determining the mapping between the first address in the user address space and the second address in the provider address comprises contacting a mapping service maintaining mappings between the user address space and the provider address space.
  - 21. The system of claim 16, wherein when the packet is received from the provider environment, the mapping information for the first address in the user environment is contained within the packet.

22. A non-transitory computer readable storage medium storing instructions for processing data packets in an electronic environment, the instructions when executed by a processor causing the processor to:
- provide a guest operating system with native access to at least a first physical processing unit of a host machine, the host machine including a second physical processing unit inaccessible by the guest operating system, the first physical processing unit restricted from modifying header information of a packet received by a hardware device of the host machine, the first physical processing unit enabled to access a payload portion of the packet received by the hardware device, the second physical processing unit enabled to modify the header information of the packet received by the hardware device, the host machine operating between a user environment having a user address space and a provider environment having a provider address space;
  
  for a packet to be transmitted via the host machine,cause the packet to be received to the hardware device that is at least partially secured from access by the guest operating system;
  
  cause the hardware device to pass header information for the packet to a second physical processing unit of the host machine;
  
  cause mapping information for the packet to be determined using the second physical processing unit;
  
  cause the header information to be updated using the mapping information; and
  
  cause the packet to be transmitted from the hardware device using the updated header information,wherein the hardware device is able to offload at least a portion of processing for the packet to the second physical processing unit.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The non-transitory computer readable storage medium of claim 22, wherein the hardware device is one of a network interface card (NIC), network switch, edge device, or network router.
  - 24. The non-transitory computer readable storage medium of claim 22, wherein the instructions when executed by the processor further cause the processor to:
    - when no mapping can be determined, cause the packet to be rejected whereby the packet is not delivered to an intended destination.
  - 25. The non-transitory computer readable storage medium of claim 22, wherein updating the header information includes performing encapsulation or decapsulation on the packet.
  - 26. The non-transitory computer readable storage medium of claim 22, wherein when the packet is received from the provider environment, the mapping information for the first address in the user environment is contained within the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Vincent, Pradeep, Marr, Michael David
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ELMORE, JOHN E

Application Number

US12/556,421
Time in Patent Office

1,602 Days
Field of Search

726 2- 4, 726 11- 13, 726 26- 29
US Class Current

726/13
CPC Class Codes

G06F 17/00   Digital computing or data p...

G06F 2209/509   Offload

G06F 9/5027   the resource being a machin...

H04L 63/0272   Virtual private networks

H04L 69/12   Protocol engines

H04L 69/22   Parsing or analysis of headers

H04L 69/321   Interlayer communication pr...

Co-operative secure packet management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

115 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Co-operative secure packet management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links