Method and apparatus for securing and segregating host to host messaging on PCIe fabric

US 8,880,771 B2
Filed: 10/25/2012
Issued: 11/04/2014
Est. Priority Date: 10/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method of operating a switch fabric having a point-to-point network protocol, the method comprising:

receiving an input from a switch fabric administrator defining subnets;

generating a virtual fabric ID (VFID) for at least one defined subnet;

tagging packets of outgoing messages from at least one host with the virtual fabric ID; and

determining if an incoming message to at least one host has a tag matching the virtual fabric ID;

wherein receive processing for incoming messages is supported if the tag of the incoming message matches an approved virtual fabric ID and the message is dropped within the switch if the tag does not match the approved virtual fabric ID.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A PCIe fabric includes at least one PCIe switch. The fabric may be used to connect multiple hosts. The PCIe switch implements security and segregation measures for host-to-host message communication. A management entity defines a Virtual PCIe Fabric ID (VPFID). The VPFID is used to enforce security and segregation. The fabric ID may be extended to be used in switch fabrics with other point-to-point protocols.

Citations

23 Claims

1. A method of operating a switch fabric having a point-to-point network protocol, the method comprising:
- receiving an input from a switch fabric administrator defining subnets;
  
  generating a virtual fabric ID (VFID) for at least one defined subnet;
  
  tagging packets of outgoing messages from at least one host with the virtual fabric ID; and
  
  determining if an incoming message to at least one host has a tag matching the virtual fabric ID;
  
  wherein receive processing for incoming messages is supported if the tag of the incoming message matches an approved virtual fabric ID and the message is dropped within the switch if the tag does not match the approved virtual fabric ID.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the point-to-point protocol is PCI Express.
  - 3. The method of claim 1, wherein said tagging is performed via vendor defined messaging.
  - 4. The method of claim 1, wherein an error code is returned to a sender if the virtual fabric ID does not match.
  - 5. The method of claim 1, wherein said determining includes checking every host-to-host packet coming out of a port and dropping the packet unless it has been tagged with a valid virtual fabric ID.
  - 6. The method of claim 5, where said determining includes checking packets at each receiving port for a valid virtual fabric ID and dropping packets having invalid virtual fabric IDs.
  - 7. The method of claim 1, wherein the switch fabric includes virtual Direct Memory Access (DMA) engine functions for each port, wherein said receiving comprises:
    - receiving from a fabric administrator one or more settings defining a relationship between VFIDs and DMA functions.
  - 8. The method of claim 7, wherein the settings include:
    - a single VFID/DMA function;
      
      a multiple VFID mode on a per DMA function basis; and
      
      a default setting having a single VFID and all DMA functions are set to this setting.
  - 9. The method of claim 1, further comprising translating an Ethernet Virtual Local Area Network (VLAN) to a corresponding VFID to permit Ethernet VLAN to be run over the fabric switch.
  - 10. The method of claim 1, further comprising generating at least one error message based at least in part on the tag not matching an approved VFID.
  - 11. The method of claim 10, wherein the at least one error message comprises a security violation notification.

12. A method of operating a switch fabric having a point-to-point network protocol, the method comprising:
- generating a table defining a virtual fabric ID (VFID) for at least one defined subnet;
  
  tagging packets of outgoing messages from at least one host with the virtual fabric ID; and
  
  determining if an incoming message to at least one host has a tag matching the virtual fabric ID;
  
  wherein receive processing for incoming messages is supported if the tag matches the virtual fabric ID and the message is dropped within the switch if the tag does not match the virtual fabric ID.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the point-to-point protocol is PCI Express.
  - 14. The method of claim 12, wherein said tagging is performed via vendor defined messaging.
  - 15. The method of claim 12, wherein an error code is returned to a sender if the virtual fabric ID does not match.
  - 16. The method of claim 12, wherein said determining includes checking every host-to-host packet coming out of a port and dropped the packet unless it has been tagged with a valid virtual fabric ID.
  - 17. The method of claim 16, where said determining includes checking at each receiving port for a valid virtual fabric ID and dropping packets having invalid tags.
  - 18. The method of claim 12, wherein the switch fabric includes virtual Direct Memory Access (DMA) engine functions for each port, wherein said receiving comprises:
    - receiving from a fabric administrator one or more settings, including setting a relationship between VFIDs and DMA functions.
  - 19. The method of claim 18, wherein the settings include:
    - a single VFID/DMA function;
      
      a multiple VFID mode on a per DMA function basis; and
      
      a default setting having a single VFID and all DMA functions are set to this setting.
  - 20. The method of claim 12, further comprising translating an Ethernet Virtual Local Area Network (VLAN) to a corresponding VFID to permit Ethernet VLAN to be run over the fabric switch.
  - 21. The method of claim 12, further comprising generating at least one error message based at least in part on the tag not matching an approved VFID.
  - 22. The method of claim 12, wherein the at least one error message comprises a security violation notification.

23. A PCI express switch in connection with a management system, wherein a memory in the management system stores a table of virtual fabric IDs to enforce security and segregation of host-to-host message flows for hosts coupled to the PCI express switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
PLX Technology Incorporated (Broadcom, Inc.)
Inventors
Subramaniyan, Nagarajan, Regula, Jack, Dodson, Jeffrey Michael
Primary Examiner(s)
AUVE, GLENN ALLEN

Application Number

US13/660,791
Publication Number

US 20140122765A1
Time in Patent Office

740 Days
Field of Search

710/316, 370/357, 370/360, 370/412, 370/474
US Class Current

710/316
CPC Class Codes

G06F 13/4022   using switching circuits, e...

G06F 21/85   interconnection devices, e....

G06F 2213/0026   PCI express

G06F 2213/4004   Universal serial bus hub wi...

G06F 2221/2129   Authenticate client device ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

Method and apparatus for securing and segregating host to host messaging on PCIe fabric

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing and segregating host to host messaging on PCIe fabric

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links