Virtual network protocol
First Claim
1. A method implemented by a data processing apparatus, the method comprising:
in a user process space of a host operating system, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following:
receiving, at a first communication process of the host operating system, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM, wherein the destination VM is one of the one or more distinct virtual machines hosted by the host operating system;
obtaining, from a VM registry, a source secret key for the source VM, the source secret key not being known by the destination VM;
requesting a first token from the VM registry, the request including the source secret key and data identifying the destination VM;
obtaining the first token, from the VM registry, the first token being used to establish a unidirectional virtual network pair between the source VM and the destination VM, wherein the first token is derived at least partly from both a destination secret key for the destination VM and a network address of the destination VM, where the destination secret key is not known by the source VM;
encapsulating, at the first communication process of the host operating system, the outgoing packet in a second packet along with the first token and a token expiration time;
receiving, at a second communication process of the host operating system, the second packet directed to the destination VM;
verifying the first token, wherein verifying the first token comprises:
generating, in the user process space, a verification token based on at least the destination secret key for the destination VM and the network address of the destination VM; and
verifying the token in response to determining that the first token matches the verification token; and
de-encapsulating the second packet and providing the outgoing packet to the destination VM responsive to the verifying.
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving an outgoing packet from a source virtual machine; obtaining a secret key for the source virtual machine, the secret key not being known by a destination virtual machine; obtaining a unique token derived at least partly from the secret key and a network address of the destination virtual machine; encapsulating the outgoing packet in a second packet along with the token and a token expiration time; and sending the second packet to the destination virtual machine.
Claims (27 claims, 294 citations)
1. Independent claim 1 is set out in full under "First Claim" above. (Dependent claims 2 to 9 are not reproduced here.)
10. A non-transitory storage medium encoded with instructions which, when executed by data processing apparatus, cause the data processing apparatus to perform operations comprising:
in a user process space of a host operating system, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following:
receiving, at a first communication process of the host operating system, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM, wherein the destination VM is one of the one or more distinct virtual machines hosted by the host operating system;
obtaining, from a VM registry, a source secret key for the source VM, the source secret key not being known by the destination VM;
requesting a first token from the VM registry, the request including the source secret key and data identifying the destination VM;
obtaining the first token, from the VM registry, the first token being used to establish a unidirectional virtual network pair between the source VM and the destination VM, wherein the first token is derived at least partly from both a destination secret key for the destination VM and a network address of the destination VM, where the destination secret key is not known by the source VM;
encapsulating, at the first communication process of the host operating system, the outgoing packet in a second packet along with the first token and a token expiration time;
receiving, at a second communication process of the host operating system, the second packet directed to the destination VM;
verifying the first token, wherein verifying the first token comprises:
generating, in the user process space, a verification token based on at least the destination secret key for the destination VM and the network address of the destination VM; and
verifying the token in response to determining that the first token matches the verification token; and
de-encapsulating the second packet and providing the outgoing packet to the destination VM responsive to the verifying.
(Dependent claims 11 to 18 are not reproduced here.)
19. A system comprising:
a storage medium encoded with instructions; and
data processing apparatus operable to execute the instructions to perform operations comprising:
in a user process space of a host operating system, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following:
receiving, at a first communication process of the host operating system, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM, wherein the destination VM is one of the one or more distinct virtual machines hosted by the host operating system;
obtaining, from a VM registry, a source secret key for the source VM, the source secret key not being known by the destination VM;
requesting a first token from the VM registry, the request including the source secret key and data identifying the destination VM;
obtaining the first token, from the VM registry, the first token being used to establish a unidirectional virtual network pair between the source VM and the destination VM, wherein the first token is derived at least partly from both a destination secret key for the destination VM and a network address of the destination VM, where the destination secret key is not known by the source VM;
encapsulating, at the first communication process of the host operating system, the outgoing packet in a second packet along with the first token and a token expiration time;
receiving, at a second communication process of the host operating system, the second packet directed to the destination VM;
verifying the first token, wherein verifying the first token comprises:
generating, in the user process space, a verification token based on at least the destination secret key for the destination VM and the network address of the destination VM; and
verifying the token in response to determining that the first token matches the verification token; and
de-encapsulating the second packet and providing the outgoing packet to the destination VM responsive to the verifying.
(Dependent claims 20 to 27 are not reproduced here.)
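The claims above describe one token flow: the sending host process proves its identity to a VM registry with the source VM's secret, receives a token derived from the destination VM's secret and network address, encapsulates the packet with that token and an expiry, and the receiving host process regenerates the token from the destination's own secret and compares. The following Python model is an added illustration written for this page; it is not code from the patent or its assignee. It assumes HMAC-SHA256 as the derivation function, assumes the source VM identity and the expiry time are also bound into the token (the claims only require "at least" the destination secret and address), and uses constructed VM names, addresses and keys.

```python
import hashlib
import hmac

# Constructed sample VM registry (names, addresses and keys are made up for this
# example): VM name -> secret key held by the registry and that VM's host
# communication process, plus the VM's network address.
VM_REGISTRY = {
    "vm-a": {"secret": b"secret-key-for-vm-a", "addr": "10.0.0.11"},
    "vm-b": {"secret": b"secret-key-for-vm-b", "addr": "10.0.0.12"},
    "vm-c": {"secret": b"secret-key-for-vm-c", "addr": "10.0.0.13"},
}

TOKEN_TTL = 60  # seconds a token stays valid (assumed value)


def derive_token(dest_secret: bytes, dest_addr: str, source_vm: str, expires: int) -> str:
    """Token = HMAC-SHA256 keyed with the destination's secret over the
    destination address, the source VM identity and the expiry time.
    Binding the source and expiry as well as the address is an assumption of
    this example; the claims require at least the destination secret and address."""
    msg = f"{dest_addr}|{source_vm}|{expires}".encode()
    return hmac.new(dest_secret, msg, hashlib.sha256).hexdigest()


def registry_issue_token(source_vm: str, source_secret: bytes, dest_vm: str, now: int):
    """VM registry: issue a token for source_vm -> dest_vm only if the requester
    presents source_vm's secret. Returns (token, expires) or None on refusal."""
    src = VM_REGISTRY.get(source_vm)
    dst = VM_REGISTRY.get(dest_vm)
    if src is None or dst is None or not hmac.compare_digest(src["secret"], source_secret):
        return None
    expires = now + TOKEN_TTL
    return derive_token(dst["secret"], dst["addr"], source_vm, expires), expires


def encapsulate(source_vm: str, dest_vm: str, payload: bytes, now: int):
    """First communication process: fetch the source secret, obtain a token from
    the registry, and wrap the outgoing packet with the token and its expiry."""
    source_secret = VM_REGISTRY[source_vm]["secret"]
    issued = registry_issue_token(source_vm, source_secret, dest_vm, now)
    if issued is None:
        return None
    token, expires = issued
    return {"src": source_vm, "dst": dest_vm, "token": token,
            "expires": expires, "payload": payload}


def verify_and_deencapsulate(packet: dict, serving_vm: str, now: int):
    """Second communication process serving `serving_vm`: regenerate the
    verification token from the destination's own secret and address (never
    from anything in the packet), compare in constant time, enforce the expiry,
    and only then release the inner packet."""
    dst = VM_REGISTRY[serving_vm]
    if now >= packet["expires"]:
        return None  # expired token
    expected = derive_token(dst["secret"], dst["addr"], packet["src"], packet["expires"])
    if not hmac.compare_digest(expected, packet["token"]):
        return None  # forged, tampered, or bound to a different destination
    return packet["payload"]


if __name__ == "__main__":
    now = 1_000
    pkt = encapsulate("vm-a", "vm-b", b"hello vm-b", now)
    print("delivered:", verify_and_deencapsulate(pkt, "vm-b", now + 5))
    print("expired:", verify_and_deencapsulate(pkt, "vm-b", now + TOKEN_TTL + 1))
    print("wrong destination:", verify_and_deencapsulate(pkt, "vm-c", now + 5))
```

Because the token is keyed with the destination's secret, a token captured on the vm-a to vm-b path is useless when presented to vm-c's receiving process, and it does not authorize traffic in the reverse direction (vm-b to vm-a would need a token under vm-a's secret), which is what makes the virtual network pair unidirectional. The receiving process derives the expected token from its own registry entry rather than from the `dst` field of the packet, so a sender cannot choose which key it is checked against.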