Virtualized network interface for remote direct memory access over converged ethernet

US 9,313,029 B2
Filed: 12/15/2013
Issued: 04/12/2016
Est. Priority Date: 12/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method for generating an opaque data comprising a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising:

encrypting at least a part of the stream identifier with a first secret random data to provide an encrypted stream identifier;

generating a digest by applying a cryptographic hash to the at least the part of the stream identifier; and

combining the encrypted stream identifier with the digest to generate the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with Infiniband specification.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system embodying the method for generating an opaque data comprising a stream identifier, comprising encrypting at least part of a stream identifier with a first secret random data to provide an encrypted stream identifier; generating a digest by applying a cryptographic hash to at least the at least the part of the stream identifier; and combining the encrypted stream identifier with the digest, is disclosed Additionally, a method and a system embodying the method for reconstructing a stream identifier from the opaque data indicating permission to access a region of a storage at an entity that generated the opaque data is disclosed.

14 Citations

23 Claims

1. A method for generating an opaque data comprising a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising:
- encrypting at least a part of the stream identifier with a first secret random data to provide an encrypted stream identifier;
  
  generating a digest by applying a cryptographic hash to the at least the part of the stream identifier; and
  
  combining the encrypted stream identifier with the digest to generate the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with Infiniband specification.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as claimed in claim 1, comprising:
    - encrypting the entire stream identifier with the first secret random data to provide the encrypted stream identifier; and
      
      generating the digest by applying the cryptographic hash to the entire stream identifier.
  - 3. The method as claimed in claim 1, wherein the generating a digest by applying a cryptographic hash to the at least the part of the stream identifier comprises:
    - generating the digest by applying the cryptographic hash to the at least the part of the stream identifier and a second secret random data.
  - 4. The method as claimed in claim 1, wherein the generating a digest by applying a cryptographic hash to the at least the part of the stream identifier comprises:
    - generating the digest by applying the cryptographic hash to the at least the part of the stream identifier, a second secret random data, and a third data.
  - 5. The method as claimed in claim 4, wherein the third data do not need to be secret.

6. An apparatus for generating an opaque data comprising a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising:
- an entity configuredto encrypt at least a part of the stream identifier with a first secret random data to provide an encrypted stream identifier,to generate a digest by applying a cryptographic hash to the at least the part of the stream identifier, andto combine the encrypted stream identifier with the digest to generate the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with specification implementing Infiniband specification.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The apparatus as claimed in claim 6, wherein the entity is configured to:
    - encrypt the entire stream identifier with the first secret random data to provide the encrypted stream identifier; and
      
      generate the digest by applying the cryptographic hash to the entire stream identifier.
  - 8. The apparatus as claimed in claim 6, wherein the entity is configured to:
    - generate the digest by applying the cryptographic hash to the at least the part of the stream identifier and a second secret random data.
  - 9. The apparatus as claimed in claim 6, wherein the entity is configured to:
    - generate the digest by applying the cryptographic hash to the at least the part of the stream identifier, a second secret random data, and a third data.
  - 10. The apparatus as claimed in claim 9, wherein the third data do not need to be secret.
  - 11. The apparatus as claimed in claim 6, wherein the entity comprises one of:
    - a hypervisor;
      
      a virtual machine; and
      
      a virtual network interface card.

12. A method for reconstructing a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising:
- receiving an opaque data at an entity that generated the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with Infiniband specification;
  
  separating the opaque data into an encrypted stream identifier and a first digest;
  
  decrypting the encrypted stream identifier with a first secret random data to provide a decrypted stream identifier; and
  
  verifying the decrypted stream identifier using the first digest.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method as claimed in claim 12, further comprising:
    - combining the decrypted stream identifier with a static part of the stream identifier when the decrypted stream identifier comprises a programmable part of the stream identifier.
  - 14. The method as claimed in claim 12, wherein the verifying the decrypted stream identifier comprises:
    - generating a second digest by applying a cryptographic hash to the decrypted stream identifier;
      
      declaring the decrypted stream identifier verified when the first digest and the second digest are identical.
  - 15. The method as claimed in claim 14, wherein the generating a second digest by applying a cryptographic hash to the decrypted stream identifier comprises:
    - generating the second digest by applying the cryptographic hash to the decrypted stream identifier and a second secret random data.
  - 16. The method as claimed in claim 14, wherein the generating a second digest by applying a cryptographic hash to the decrypted stream identifier comprises:
    - generating the digest by applying the cryptographic hash to the decrypted stream identifier, a second secret random data, and a third data.
  - 17. The method as claimed in claim 16, wherein the third data do not need to be secret.

18. An apparatus for reconstructing a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising:
- a virtual interface network card configuredto receive an opaque data at an entity that generated the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with Infiniband specification;
  
  to separate the opaque data into an encrypted stream identifier and a first digest;
  
  to decrypt the encrypted stream identifier with a first secret random data to provide a decrypted stream identifier; and
  
  to verify the decrypted stream identifier using the first digest.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The apparatus as claimed in claim 18, wherein the virtual interface network card is configured to:
    - combine the decrypted stream identifier with a static part of the stream identifier when the decrypted stream identifier comprises a programmable part of the stream identifier.
  - 20. The apparatus as claimed in claim 18, wherein the virtual interface network card is configured to:
    - generate a second digest by applying a cryptographic hash to the decrypted stream identifier;
      
      declare the decrypted stream identifier verified when the first digest and the second digest are identical.
  - 21. The apparatus as claimed in claim 20, wherein the virtual interface network card is configured to:
    - generate the second digest by applying the cryptographic hash to the decrypted stream identifier and a second secret random data.
  - 22. The apparatus as claimed in claim 20, wherein the virtual interface network card is configured to:
    - generate the second digest by applying the cryptographic hash to the decrypted stream identifier, a second secret random data, and a third data.
  - 23. The apparatus as claimed in claim 22, wherein the third data do not need to be secret.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Marvell Asia Pte Limited (Marvell Technology Group Limited)
Original Assignee
Cavium, LLC (Marvell Technology Group Limited)
Inventors
Snyder, Wilson Parkhurst II
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/106,841
Publication Number

US 20150172055A1
Time in Patent Office

849 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 9/3236 using cryptographic hash fu...

Virtualized network interface for remote direct memory access over converged ethernet

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Virtualized network interface for remote direct memory access over converged ethernet

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links