Secure packet management for bare metal access

US 8,959,611 B1
Filed: 09/09/2009
Issued: 02/17/2015
Est. Priority Date: 09/09/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing data packets in an electronic environment, comprising:

provisioning, by at least one computer system, a guest operating system (OS) on a host machine and granting the guest OS native access to a central processing unit (CPU) of the host machine;

preventing the guest OS from having native access to a portion of a physical network interface of the host machine utilized for encapsulation;

receiving a packet to the physical network interface on the host machine, the physical network interface capable of transmitting packets of data between a secure environment and a user environment,wherein if the packet is received from the user environment, the physical network interface is configured to;

determine a mapping of a first address of the packet in the user environment to a second address of the packet in the secure environment, the mapping obtained from a mapping service residing outside of the host machine using a port in the physical network interface that is inaccessible by the CPU as it runs the guest OS;

encapsulate the packet to include header information that references the second address; and

forward the packet to the second address; and

wherein if the packet is received from the secure environment, the physical network interface is configured to;

determine a mapping of the second address of the packet in the secure environment to the first address of the packet in the user environment, the mapping obtained from the mapping service using the port inaccessible to the CPU as it runs the guest OS;

encapsulate the packet to include header information that references the first address; and

forward the packet to the first address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure networking processes, such as packet encapsulation and decapsulation, can be executed upstream of a user or guest operating system provisioned on a host machine, where the user has substantially full access to that machine. The processing can be performed on a device such as a network interface card (NIC), which can have a separate network port for communicating with mapping systems or other devices across a cloud or secure network. A virtual image of the NIC can be provided to the user such that the user can still utilize at least some of the NIC functionality. In some embodiments, the NIC can work with a standalone processor or control host in order to offload much of the processing to the control host. The NIC can further handle headers and payload separately where possible, in order to improve the efficiency of processing the various packets.

Citations

26 Claims

1. A computer-implemented method for processing data packets in an electronic environment, comprising:
- provisioning, by at least one computer system, a guest operating system (OS) on a host machine and granting the guest OS native access to a central processing unit (CPU) of the host machine;
  
  preventing the guest OS from having native access to a portion of a physical network interface of the host machine utilized for encapsulation;
  
  receiving a packet to the physical network interface on the host machine, the physical network interface capable of transmitting packets of data between a secure environment and a user environment,wherein if the packet is received from the user environment, the physical network interface is configured to;
  
  determine a mapping of a first address of the packet in the user environment to a second address of the packet in the secure environment, the mapping obtained from a mapping service residing outside of the host machine using a port in the physical network interface that is inaccessible by the CPU as it runs the guest OS;
  
  encapsulate the packet to include header information that references the second address; and
  
  forward the packet to the second address; and
  
  wherein if the packet is received from the secure environment, the physical network interface is configured to;
  
  determine a mapping of the second address of the packet in the secure environment to the first address of the packet in the user environment, the mapping obtained from the mapping service using the port inaccessible to the CPU as it runs the guest OS;
  
  encapsulate the packet to include header information that references the first address; and
  
  forward the packet to the first address.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, further comprising:
    - if no mapping of the first and second addresses can be determined, rejecting the packet whereby the packet is not delivered to an intended location.
  - 3. The computer-implemented method of claim 1, wherein when the packet is received from the secure environment, the mapping information for the first address in the user environment is contained within the packet.

4. A computer-implemented method for processing data packets in an electronic environment, comprising:
- provisioning, by at least one computer system, a guest operating system (OS) on a host machine and granting the guest OS native access to a central processing unit (CPU) of the host machine, the host machine operating between a user environment having a user address space and a provider environment having a provider address space;
  
  for a packet to be transmitted via the host machine,encapsulating the packet to include header information using a hardware device that is partially secured from access by the CPU granted to the guest OS, the guest OS prevented from having native access to a portion of the hardware device utilized for encapsulation; and
  
  transmitting the packet using the encapsulated header information,wherein to encapsulate the packet to include the header information, the hardware device uses a mapping between a first address in the user address space and a second address in the provider address space obtained from a mapping service to encapsulate the packet to include the header information to enable the packet to be delivered to an intended destination in the user environment or the provider environment.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The computer-implemented method of claim 4, wherein the hardware device is one of a network interface card (NIC), network switch, edge device, or network router.
  - 6. The computer-implemented method of claim 4, wherein the user address space is a virtual address space or physical address space and the provider address space is a virtual address space or physical address space.
  - 7. The computer-implemented method of claim 4, further comprising:
    - when no mapping can be determined, rejecting the packet whereby the packet is not delivered to the intended destination.
  - 8. The computer-implemented method of claim 4, wherein updating the header information includes performing encapsulation or decapsulation on the packet.
  - 9. The computer-implemented method of claim 4, wherein the mapping service maintains mappings between the user address space and the provider address space.
  - 10. The computer-implemented method of claim 9, wherein the hardware device is operable to contact the mapping service using a channel that is not exposed to the guest OS.
  - 11. The computer-implemented method of claim 4, wherein when the packet is received from the provider environment, the mapping information for the first address in the user environment is contained within the packet.
  - 12. The computer-implemented method of claim 4, wherein the hardware device is further capable of processing the packet to perform auditing, traffic analysis, or stateful firewalling.

13. A computer-implemented method for processing data packets in an electronic environment, comprising:
- provisioning, by at least one computer system, a guest operating system (OS) on a host machine and granting the guest OS native access to a central processing unit (CPU) of a host machine, the host machine operating between a user environment having a user address space and a provider environment having a provider address space;
  
  for an Ethernet frame received to a physical network interface of the host machine, removing framing of the Ethernet frame and encapsulating the underlying packet to include header information using a hardware device that is at least partially secured from access by the CPU granted to the guest OS, the guest OS prevented from having native access to a portion of the hardware device utilized for encapsulation; and
  
  transmitting the encapsulated packet using the updated header information,wherein to encapsulate the packet to include the header information, the hardware device uses a mapping between a first address in the user address space and a second address in the provider address space obtained from a mapping service to encapsulate the packet to include the header information to enable the packet to be delivered to an intended destination in the user environment or the provider environment.

14. A system for processing data packets in an electronic environment, comprising:
- a processor; and
  
  a memory device including instructions that, when executed by the processor, cause the processor to;
  
  provision a guest operating system (OS) on a host machine and granting the guest OS native access to a central processing unit (CPU) of a host machine, the host machine operating between a user environment having a user address space and a provider environment having a provider address space;
  
  for a packet to be transmitted via the host machine, cause encapsulation of the packet to include header information to be updated using a hardware device that is at least partially secured from access by the CPU granted to the guest OS, the guest OS prevented from having native access to a portion of the hardware device utilized for encapsulation; and
  
  cause the encapsulated packet to be transmitted using the updated header information,wherein to encapsulate the packet to include the header information, the hardware device uses a mapping between a first address in the user address space and a second address in the provider address space obtained from a mapping service to encapsulate the packet to include the header information to enable the packet to be delivered to an intended destination in the user environment or the provider environment.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the hardware device is one of a network interface card (NIC), network switch, edge device, or network router.
  - 16. The system of claim 14, wherein the user address space is a virtual address space and the provider address space is a physical address space corresponding to addresses of hardware used to process the packet.
  - 17. The system of claim 14, wherein the instructions when executed by the processor further cause the processor to:
    - when no mapping can be determined, reject the packet whereby the packet is not delivered to an intended destination.
  - 18. The system of claim 14, wherein updating the header information includes performing encapsulation or decapsulation on the packet.
  - 19. The system of claim 14, wherein the mapping service maintains mappings between the user address space and the provider address space.
  - 20. The system of claim 14, wherein when the packet is received from the provider environment, the mapping information for the first address in the user environment is contained within the packet.

21. A non-transitory computer readable storage medium storing instructions for processing data packets in an electronic environment, the instructions when executed by a processor causing the processor to:
- provision, using at least one computer system, a guest operating system (OS) on a host machine and granting the guest OS access to a central processing unit (CPU) of a host machine, the host machine operating between a user environment having a user address space and a provider environment having a provider address space;
  
  for a packet to be transmitted via the host machine, cause encapsulation of the packet to include header information using a hardware device that is at least partially secured from access by the CPU granted to the user guest OS, the guest OS prevented from having native access to a portion of the hardware device utilized for encapsulation; and
  
  cause the packet to be transmitted using the encapsulated packet including the header information,wherein to encapsulate the packet to include the header information, the hardware device uses a mapping between a first address in the user address space and a second address in the provider address space obtained from a mapping service to update the packet to include the header information to enable the packet to be delivered to an intended destination in the user environment or the provider environment.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The non-transitory computer readable storage medium of claim 21, wherein the hardware device is one of a network interface card (NIC), network switch, edge device, or network router.
  - 23. The non-transitory computer readable storage medium of claim 21, wherein the instructions when executed by the processor further cause the processor to:
    - when no mapping can be determined, reject the packet whereby the packet is not delivered to an intended destination.
  - 24. The non-transitory computer readable storage medium of claim 21, wherein updating the header information includes performing encapsulation or decapsulation on the packet.
  - 25. The non-transitory computer readable storage medium of claim 21, wherein the mapping service maintains mappings between the user address space and the provider address space.
  - 26. The non-transitory computer readable storage medium of claim 21, wherein when the packet is received from the provider environment, the mapping information for the first address in the user environment is contained within the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Vincent, Pradeep, Marr, Michael David
Primary Examiner(s)
LE, CHAU D

Application Number

US12/556,432
Time in Patent Office

1,987 Days
Field of Search

726/2, 726/13
US Class Current

726/13
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 45/74   Address processing for routing

H04L 61/103   across network layers, e.g....

H04L 61/25   of the same type

H04L 63/107   wherein the security polici...

H04L 67/10   in which an application is ...

Secure packet management for bare metal access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Secure packet management for bare metal access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links