Packet authentication and encryption in virtual networks
Abstract
Systems and methods provide logic for distributing cryptographic keys in a physical network comprising a plurality of physical nodes. In one implementation, a computer-implemented method is provided for distributing cryptographic keys in a physical network. The method includes receiving information mapping a virtual network address of a virtual node to a physical network address of a physical node. The virtual node may be associated with a virtual network hosted by the physical node, and the received mapping information identifies a virtual network address of the node and the physical network address of the node. The mapping service transmits a current version of a cryptographic key and an identifier of the current version to the physical node.
20 Claims
1. A computer-implemented method comprising:
   receiving, by a host computing system configured to host one or more virtual computing nodes of a virtual network and from a mapping server for the virtual network that maintains mapping information associating virtual network addresses of the virtual network with physical network addresses, a cryptographic key;
   receiving, by the configured host computing system, a communication from a first of the virtual computing nodes that is intended for a destination virtual computing node in the virtual network other than the first virtual computing node;
   generating, by the configured host computing system based at least in part on the communication and on the cryptographic key received from the mapping server, a hash value for the communication; and
   forwarding, by the configured host computing system and based at least in part on the mapping information maintained by the mapping server, the communication and the generated hash value to the destination virtual computing node.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A non-transitory computer-readable medium having stored contents that configure a computing device to perform a method, the method comprising:
   receiving, by a host computing system configured to host one or more virtual computing nodes of a first virtual network, a communication indicating a first of the virtual computing nodes hosted by the configured host computing system as a destination and further indicating a remote computing node of the first virtual network as a source, wherein receiving the communication includes receiving a hash value associated with the received communication;
   selecting, by the configured host computing system and based at least in part on the indicated source remote computing node and on information received from a mapping server for the first virtual network, one of multiple local cryptographic keys;
   generating, by the configured host computing system and based at least in part on the selected local cryptographic key, a local hash value for the received communication; and
   authenticating, by the configured host computing system, the communication only if the generated local hash value matches the received hash value associated with the communication.
   Dependent claims: 11, 12, 13, 14, 15, 16

17. A system, comprising:
   one or more processors of a mapping server; and
   one or more memories of the mapping server including instructions that, upon execution by at least one of the one or more processors, cause the mapping server to manage one or more virtual networks and to:
   receive information associating a physical network address with a virtual network address for a node of a first of the one or more virtual networks;
   based at least in part on the received information, update mapping information maintained by the mapping server for the first virtual network;
   provide, to one or more physical host machines that each hosts one or more nodes of the first virtual network, at least some of the updated mapping information; and
   transmit, to the one or more physical host machines, a cryptographic key associated with the first virtual network for use in authentication of communications within the first virtual network.
   Dependent claims: 18, 19, 20
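The abstract and independent claims 1, 10 and 17 describe one scheme from three vantage points: a mapping server that keeps the virtual-to-physical address mapping and hands out a versioned per-virtual-network key; a sending host that computes a keyed hash over an outgoing communication and forwards it, with the hash, to the physical address found in the mapping; and a receiving host that picks one of several locally held keys, recomputes the hash and accepts the communication only on a match. The following Python model is an added illustration and is not code from the patent or its assignee. It assumes HMAC-SHA256 as the "hash value", assumes the key is selected by the version identifier carried in the packet (the abstract's identifier of the current version) together with a mapping check on the claimed source, and constructs all addresses and payloads inline as sample values; the `MappingServer` and `Host` classes are hypothetical names.

```python
"""Model of versioned key distribution and per-packet authentication in a
virtual network (added example; not the patent's own implementation)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def mac_input(vnet: str, src: str, dst: str, version: int, payload: bytes) -> bytes:
    # Assumption: the hash covers the header fields as well as the payload so a
    # tag computed for one source, destination or key version is not valid for another.
    return b"|".join([vnet.encode(), src.encode(), dst.encode(), str(version).encode(), payload])


@dataclass
class MappingServer:
    """Keeps the virtual->physical mapping and a versioned key per virtual network (claim 17)."""
    mappings: dict = field(default_factory=dict)  # vnet -> {virtual addr: physical addr}
    keys: dict = field(default_factory=dict)      # vnet -> {version: 32-byte key}
    current: dict = field(default_factory=dict)   # vnet -> current key version

    def register(self, vnet: str, vaddr: str, paddr: str) -> None:
        self.mappings.setdefault(vnet, {})[vaddr] = paddr
        if vnet not in self.keys:
            self.rotate_key(vnet)

    def rotate_key(self, vnet: str) -> int:
        version = self.current.get(vnet, 0) + 1
        self.keys.setdefault(vnet, {})[version] = secrets.token_bytes(32)
        self.current[vnet] = version
        return version

    def sync(self, vnet: str):
        """What a host pulls: the mapping, every still-valid key and the current version."""
        return dict(self.mappings.get(vnet, {})), dict(self.keys.get(vnet, {})), self.current[vnet]


class Host:
    """A physical host that runs virtual nodes and authenticates their traffic (claims 1 and 10)."""

    def __init__(self, paddr: str, server: MappingServer):
        self.paddr = paddr
        self.server = server
        self.nodes = set()   # (vnet, vaddr) pairs hosted here
        self.mapping = {}    # vnet -> {vaddr: paddr}
        self.keys = {}       # vnet -> {version: key}; several versions may be held at once
        self.current = {}    # vnet -> version used for sending

    def host_node(self, vnet: str, vaddr: str) -> None:
        self.nodes.add((vnet, vaddr))
        self.server.register(vnet, vaddr, self.paddr)
        self.refresh(vnet)

    def refresh(self, vnet: str) -> None:
        self.mapping[vnet], self.keys[vnet], self.current[vnet] = self.server.sync(vnet)

    def send(self, vnet: str, src: str, dst: str, payload: bytes) -> dict:
        """Sender side: hash the communication with the current key and resolve the physical destination."""
        if (vnet, src) not in self.nodes:
            raise ValueError("source node is not hosted on this host")
        if dst not in self.mapping.get(vnet, {}):
            self.refresh(vnet)  # mapping may be stale; pull the server's updated view
        version = self.current[vnet]
        tag = hmac.new(self.keys[vnet][version],
                       mac_input(vnet, src, dst, version, payload), hashlib.sha256).digest()
        return {"vnet": vnet, "src": src, "dst": dst, "payload": payload,
                "key_version": version, "tag": tag, "physical_dst": self.mapping[vnet][dst]}

    def receive(self, packet: dict) -> bool:
        """Receiver side: select a local key, recompute the hash and accept only on a match."""
        vnet = packet["vnet"]
        if (vnet, packet["dst"]) not in self.nodes:
            return False  # not addressed to a node hosted here
        if packet["src"] not in self.mapping.get(vnet, {}):
            return False  # claimed source is not a known member of this virtual network
        key = self.keys.get(vnet, {}).get(packet["key_version"])
        if key is None:
            return False  # key version never distributed to this host
        expected = hmac.new(key, mac_input(vnet, packet["src"], packet["dst"],
                                           packet["key_version"], packet["payload"]),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, packet["tag"])


if __name__ == "__main__":
    server = MappingServer()
    host_a, host_b = Host("10.0.0.1", server), Host("10.0.0.2", server)  # constructed sample addresses
    host_a.host_node("vnet1", "192.168.1.10")
    host_b.host_node("vnet1", "192.168.1.20")
    pkt = host_a.send("vnet1", "192.168.1.10", "192.168.1.20", b"hello")
    print("authenticated:", host_b.receive(pkt))
    print("tampered payload:", host_b.receive(dict(pkt, payload=b"hellO")))
```

Holding several key versions on the receiving host is what lets the server rotate the key without dropping packets that were hashed under the previous version during the rollover; a packet whose version a host has never received from the mapping server is rejected rather than guessed at.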
Specification