Virtual network protocol

US 9,740,516 B1
Filed: 09/10/2015
Issued: 08/22/2017
Est. Priority Date: 01/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in a user process space of a host operating system operating on a given host machine, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following steps;

receiving, in one or more processes running in the user process space, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM;

obtaining, in the one or more processes running in the user process space, a source secret key for the source VM, the source secret key not being known by the destination VM;

determining, in the one or more processes running in the user process space, a destination key based on a network address of the destination VM, where the destination secret key is not known by the source VM;

obtaining, in the one or more processes running the user process space, a token derived at least partly from the source secret key and the destination secret key;

encapsulating, in the one or more processes running the user process space, the outgoing packet in a second packet along with the token; and

transmitting, through one or more processes running in a kernel process space of the host operating system, the second packet to the destination VM.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for implementing virtual network pairs between virtual machines and other devices.

Citations

18 Claims

1. A method comprising:
- in a user process space of a host operating system operating on a given host machine, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following steps;
  
  receiving, in one or more processes running in the user process space, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM;
  
  obtaining, in the one or more processes running in the user process space, a source secret key for the source VM, the source secret key not being known by the destination VM;
  
  determining, in the one or more processes running in the user process space, a destination key based on a network address of the destination VM, where the destination secret key is not known by the source VM;
  
  obtaining, in the one or more processes running the user process space, a token derived at least partly from the source secret key and the destination secret key;
  
  encapsulating, in the one or more processes running the user process space, the outgoing packet in a second packet along with the token; and
  
  transmitting, through one or more processes running in a kernel process space of the host operating system, the second packet to the destination VM.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the user process space has reduced privileges as compared to the kernel process space of the host operating system.
  - 3. The method of claim 1, wherein the outgoing packet is a layer three packet.
  - 4. The method of claim 1, wherein the second packet is a layer four packet.
  - 5. The method of claim 1, the one or more steps further comprising:
    - including, in the second packet, a second token that the destination VM can use to send a packet to the source VM.
  - 6. The method of claim 1, wherein obtaining the source secret key for the source VM comprises:
    - obtaining the secret key from a process which maintains a mapping between virtual machines, as identified by their respective network addresses, and the physical machine they are hosted on.

7. A storage medium encoded with instructions which, when executed by data processing apparatus, cause the data processing apparatus to perform operations comprising:
- in a user process space of a host operating system operating on a given host machine, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following steps;
  
  receiving, in one or more processes running the user process space, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM;
  
  obtaining, in the one or more processes running the user process space, a source secret key for the source VM, the source secret key not being known by the destination VM;
  
  determining, in the one or more processes running the user process space, a destination key based on a network address of the destination VM, where the destination secret key is not known by the source VM;
  
  obtaining, in the one or more processes running the user process space, a token derived at least partly from the source secret key and the destination secret key;
  
  encapsulating, in the one or more processes running the user process space, the outgoing packet in a second packet along with the token; and
  
  transmitting, through one or more processes running in a kernel process space of the host operating system, the second packet to the destination VM.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The storage medium of claim 7, wherein the user process space has reduced privileges as compared to the kernel process space of the host operating system.
  - 9. The storage medium of claim 7, wherein the outgoing packet is a layer three packet.
  - 10. The storage medium of claim 7, wherein the second packet is a layer four packet.
  - 11. The storage medium of claim 7, the one or more steps further comprising:
    - including, in the second packet, a second token that the destination VM can use to send a packet to the source VM.
  - 12. The storage medium of claim 7, wherein obtaining the source secret key for the source VM comprises:
    - obtaining the secret key from a process which maintains a mapping between virtual machines, as identified by their respective network addresses, and the physical machine they are hosted on.

13. A system comprising:
- a storage medium encoded with instructions;
  
  data processing apparatus operable to execute the instructions to perform operations comprising;
  
  in a user process space of a host operating system operating on a given host machine, wherein the host operating system hosts one or more distinct virtual machines each being a hardware virtualization, performing the following steps;
  
  receiving, in the one or more processes running the user process space, an outgoing packet from a source virtual machine (VM) of the one or more distinct virtual machines, the outgoing packet destined for a destination VM;
  
  obtaining, in the one or more processes running the user process space, a source secret key for the source VM, the source secret key not being known by the destination VM;
  
  determining, in the one or more processes running the user process space, a destination key based on a network address of the destination VM, where the destination secret key is not known by the source VM;
  
  obtaining, in the one or more processes running the user process space, a token derived at least partly from the source secret key and the destination secret key;
  
  encapsulating, in the one or more processes running the user process space, the outgoing packet in a second packet along with the token; and
  
  transmitting, through one or more processes running in a kernel process space of the host operating system, the second packet to the destination VM.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the user process space has reduced privileges as compared to the kernel process space of the host operating system.
  - 15. The system of claim 13, wherein the outgoing packet is a layer three packet.
  - 16. The system of claim 13, wherein the second packet is a layer four packet.
  - 17. The system of claim 13, the one or more steps further comprising:
    - including, in the second packet, a second token that the destination VM can use to send a packet to the source VM.
  - 18. The system of claim 13, wherein obtaining the source secret key for the source VM comprises:
    - obtaining the secret key from a process which maintains a mapping between virtual machines, as identified by their respective network addresses, and the physical machine they are hosted on.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Petrescu-Prahova, Cristian, Kern, Christoph, Anderson, Evan K., Beda, III, Joseph S.
Primary Examiner(s)
Tang, Kenneth

Application Number

US14/850,483
Time in Patent Office

712 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/4633   Interconnection of networks...

Virtual network protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual network protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links