Virtual network protocol

US 9,135,037 B1
Filed: 01/13/2012
Issued: 09/15/2015
Est. Priority Date: 01/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a data processing apparatus, the method comprising:

in a user process space of a host operating system, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following;

receiving, at a first communication process of the host operating system, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM, wherein the destination VM is one of the one or more distinct virtual machines hosted by the host operating system;

obtaining, from a VM registry, a source secret key for the source VM, the source secret key not being known by the destination VM;

requesting a first token from the VM registry, the request including the source secret key and data identifying the destination VM;

obtaining the first token, from the VM registry, the first token being used to establish a unidirectional virtual network pair between the source VM and the destination VM, wherein the first token is derived at least partly from both a destination secret key for the destination VM and a network address of the destination VM, where the destination secret key is not known by the source VM;

encapsulating, at the first communication process of the host operating system, the outgoing packet in a second packet along with the first token and a token expiration time;

receiving, at a second communication process of the host operating system, the second packet directed to the destination VM;

verifying the first token wherein verifying the first token comprises;

generating, in the user process space, a verification token based on at least the destination secret key for the destination VM and the network address of the destination VM; and

verifying the token in response to determining that the first token matches the verification token; and

de-encapsulating the second packet and providing the outgoing packet to the destination VM responsive to the verifying.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving an outgoing packet from a source virtual machine; obtaining a secret key for the source virtual machine, the secret key not being known by a destination virtual machine; obtaining a unique token derived at least partly from the secret key and a network address of the destination virtual machine; encapsulating the outgoing packet in a second packet along with the token and a token expiration time; and sending the second packet to the destination virtual machine.

294 Citations

27 Claims

1. A method implemented by a data processing apparatus, the method comprising:
- in a user process space of a host operating system, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following;
  
  receiving, at a first communication process of the host operating system, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM, wherein the destination VM is one of the one or more distinct virtual machines hosted by the host operating system;
  
  obtaining, from a VM registry, a source secret key for the source VM, the source secret key not being known by the destination VM;
  
  requesting a first token from the VM registry, the request including the source secret key and data identifying the destination VM;
  
  obtaining the first token, from the VM registry, the first token being used to establish a unidirectional virtual network pair between the source VM and the destination VM, wherein the first token is derived at least partly from both a destination secret key for the destination VM and a network address of the destination VM, where the destination secret key is not known by the source VM;
  
  encapsulating, at the first communication process of the host operating system, the outgoing packet in a second packet along with the first token and a token expiration time;
  
  receiving, at a second communication process of the host operating system, the second packet directed to the destination VM;
  
  verifying the first token wherein verifying the first token comprises;
  
  generating, in the user process space, a verification token based on at least the destination secret key for the destination VM and the network address of the destination VM; and
  
  verifying the token in response to determining that the first token matches the verification token; and
  
  de-encapsulating the second packet and providing the outgoing packet to the destination VM responsive to the verifying.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the second packet includes a second token that the destination VM can use to send a packet to the source VM.
  - 3. The method of claim 1 wherein the token is a hash-based message authentication code.
  - 4. The method of claim 1 wherein a respective guest operating system executes on each of the virtual machines.
  - 5. The method of claim 1 wherein the destination VM is on a same physical machine as the source VM.
  - 6. The method of claim 1 wherein the outgoing packet is a layer three packet.
  - 7. The method of claim 1 wherein the second packet is a layer four packet.
  - 8. The method of claim 1 wherein the user process space has reduced privileges as compared to a process space wherein a kernel of the host operating system executes.
  - 9. The method of claim 1 wherein obtaining the secret key for the source VM comprises obtaining the secret key from a process which maintains a mapping between virtual machines, as identified by their respective network addresses, and the physical machine they are hosted on.

10. A non-transitory storage medium encoded with instructions which, when executed by data processing apparatus, cause the data processing apparatus to perform operations comprising:
- in a user process space of a host operating system, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following;
  
  receiving, at a first communication process of the host operating system, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM, wherein the destination VM is one of the one or more distinct virtual machines hosted by the host operating system;
  
  obtaining, from a VM registry, a source secret key for the source VM, the source secret key not being known by the destination VM;
  
  requesting a first token from the VM registry, the request including the source secret key and data identifying the destination VM;
  
  obtaining the first token, from the VM registry, the first token being used to establish a unidirectional virtual network pair between the source VM and the destination VM, wherein the first token is derived at least partly from both a destination secret key for the destination VM and a network address of the destination VM, where the destination secret key is not known by the source VM;
  
  encapsulating, at the first communication process of the host operating system, the outgoing packet in a second packet along with the first token and a token expiration time;
  
  receiving, at a second communication process of the host operating system, the second packet directed to the destination VM;
  
  verifying the first token wherein verifying the first token comprises;
  
  generating, in the user process space, a verification token based on at least the destination secret key for the destination VM and the network address of the destination VM; and
  
  verifying the token in response to determining that the first token matches the verification token; and
  
  de-encapsulating the second packet and providing the outgoing packet to the destination VM responsive to the verifying.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The storage medium of claim 10 wherein the second packet includes a token that the destination VM can use to send a packet to the source VM.
  - 12. The storage medium of claim 10 wherein the token is a hash-based message authentication code.
  - 13. The storage medium of claim 10 wherein a respective guest operating system executes on each of the virtual machines.
  - 14. The storage medium of claim 10 wherein the destination VM is on a same physical machine as the source VM.
  - 15. The storage medium of claim 10 wherein the outgoing packet is a layer three packet.
  - 16. The storage medium of claim 10 wherein the second packet is a layer four packet.
  - 17. The storage medium of claim 10 wherein the user process space has reduced privileges as compared to a process space wherein a kernel of the host operating system executes.
  - 18. The storage medium of claim 10 wherein obtaining the secret key for the source VM comprises obtaining the secret key from a process which maintains a mapping between virtual machines, as identified by their respective network addresses, and the physical machine they are hosted on.

19. A system comprising:
- a storage medium encoded with instructions;
  
  data processing apparatus operable to execute the instructions to perform operations comprising;
  
  in a user process space of a host operating system, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following;
  
  receiving, at a first communication process of the host operating system, an outgoing packet from a source virtual machine (VM) of the one or more distinct the virtual machines, the outgoing packet destined for a destination VM, wherein the destination VM is one of the one or more distinct virtual machines hosted by the host operating system;
  
  obtaining, from a VM registry, a source secret key for the source VM, the source secret key not being known by the destination VM;
  
  requesting a first token from the VM registry, the request including the source secret key and data identifying the destination VM;
  
  obtaining the first token, from the VM registry, the first token being used to establish a unidirectional virtual network pair between the source VM and the destination VM, wherein the first token is derived at least partly from both a destination secret key for the destination VM and a network address of the destination VM, where the destination secret key is not known by the source VM;
  
  encapsulating, at the first communication process of the host operating system, the outgoing packet in a second packet along with the first token and a token expiration time;
  
  receiving, at a second communication process of the host operating system, the second packet directed to the destination VM;
  
  verifying the first token wherein verifying the first token comprises;
  
  generating, in the user process space, a verification token based on at least the destination secret key for the destination VM and the network address of the destination VM; and
  
  verifying the token in response to determining that the first token matches the verification token; and
  
  de-encapsulating the second packet and providing the outgoing packet to the destination VM responsive to the verifying.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system of claim 19 wherein the second packet includes a token that the destination VM can use to send a packet to the source VM.
  - 21. The system of claim 19 wherein the token is a hash-based message authentication code.
  - 22. The system of claim 19 wherein a respective guest operating system executes on each of the virtual machines.
  - 23. The system of claim 19 wherein the destination VM is on a same physical machine as the source VM.
  - 24. The system of claim 19 wherein the outgoing packet is a layer three packet.
  - 25. The system of claim 19 wherein the second packet is a layer four packet.
  - 26. The system of claim 19 wherein the user process space has reduced privileges as compared to a process space wherein a kernel of the host operating system executes.
  - 27. The system of claim 19 wherein obtaining the secret key for the source VM comprises obtaining the secret key from a process which maintains a mapping between virtual machines, as identified by their respective network addresses, and the physical machine they are hosted on.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Petrescu-Prahova, Cristian, Anderson, Evan K., Beda, Joseph S. III, Kern, Christoph
Primary Examiner(s)
Tang, Kenneth

Application Number

US13/350,470
Time in Patent Office

1,341 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/4633   Interconnection of networks...

Virtual network protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

294 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Virtual network protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

294 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others