Packet validation in virtual network interface architecture

US 9,912,665 B2
Filed: 02/12/2013
Issued: 03/06/2018
Est. Priority Date: 04/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing, by a privileged mode process, a first virtual address space resource for a first user-level process to bypass subsequent kernel routines;

programming, by the privileged mode process, first authorizations into a network interface device indicating one or more first particular characteristics of data packets the first user-level process is authorized to transmit via the network interface device onto a network;

subsequently enqueueing a first data packet in the first virtual address space resource by the first user-level process, without involving the privileged mode process by bypassing kernel routines; and

subsequently determining, by the network interface device and without involving the privileged mode process, whether said first data packet has any of the one or more first particular characteristics indicated in the first authorizations, and only if so, transmitting, by the network interface device and without involving the privileged mode process, said first data packet onto the network.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.

196 Citations

20 Claims

1. A method comprising:
- establishing, by a privileged mode process, a first virtual address space resource for a first user-level process to bypass subsequent kernel routines;
  
  programming, by the privileged mode process, first authorizations into a network interface device indicating one or more first particular characteristics of data packets the first user-level process is authorized to transmit via the network interface device onto a network;
  
  subsequently enqueueing a first data packet in the first virtual address space resource by the first user-level process, without involving the privileged mode process by bypassing kernel routines; and
  
  subsequently determining, by the network interface device and without involving the privileged mode process, whether said first data packet has any of the one or more first particular characteristics indicated in the first authorizations, and only if so, transmitting, by the network interface device and without involving the privileged mode process, said first data packet onto the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, wherein one of the one or more particular first characteristics comprises at least one characteristic selected from:
    - a particular network transport protocol,a particular source IP port number,a particular destination IP port number,a particular source IP address, anda particular destination IP address; and
      
      wherein determining comprises determining, by the network interface device, whether the first user-level process is authorized to transmit data packetsusing the particular network transport protocol,having the particular source IP port number,having the particular destination IP port number,having the particular source IP address, orhaving the particular destination IP address, respectively.
  - 3. A method according to claim 1, further comprising retrieving, by the network interface device and without involving the privileged mode process, at least part of the first data packet from the first virtual address space resource.
  - 4. A method according to claim 3, further comprising aborting, by the network interface device and without involving the privileged mode process, retrieval of the first data packet if the first data packet is determined not to have any of the one or more first particular characteristics indicated in the first authorizations.
  - 5. A method according to claim 1, further comprising notifying, by the first user-level process, the network interface device of the availability of the first data packet in the first virtual address space resource, without invoking any privileged mode routines.
  - 6. A method according to claim 1, wherein programming comprises programming, by the privileged mode process, authorization rights for the first virtual address space resource into a database accessible to the network interface device, in response to the establishment of the first virtual address space resource,and wherein determining comprises examining, by the network interface device, the authorization rights for the virtual address space resource in the database.
  - 7. A method according to claim 1, further comprising:
    - establishing, by the privileged mode process, a second virtual address space resource for a second user-level process;
      
      programming, by the privileged mode process, second authorizations into the network interface device indicating one or more second particular characteristics of data packets the second user-level process is authorized to transmit via the network interface device onto the network;
      
      subsequently enqueueing a second data packet in the second virtual address space resource by the second user-level process, without involving the privileged mode process; and
      
      subsequently determining, by the network interface device and without involving the privileged mode process, whether said second data packet has any of the one or more second particular characteristics indicated in the second authorizations, and only if so transmitting, by the network interface device and without involving the privileged mode process, said second data packet onto the network.

8. A system comprising:
- a data processing system comprising a first user-level level process and a privileged mode process; and
  
  a network interface device;
  
  wherein;
  
  the privileged mode process is arranged to;
  
  establish a first virtual address space resource for the first user-level process; and
  
  program first authorizations into the network interface device indicating one or more first particular characteristics of data packets the first user-level process is authorized to transmit via the network interface device onto a network;
  
  the first user-level process is arranged to subsequently enqueue a first data packet in the first virtual address space resource, without involving the privileged mode process; and
  
  the network interface device is arranged to, without involving the privileged mode process, subsequently determine whether said first data packet has any of the one or more first particular characteristics indicated in the first authorizations, and only if so transmit said first data packet onto the network without involving the privileged mode process.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A system according to claim 8, wherein one of the one or more particular first characteristics comprises a characteristic selected from:
    - a particular network transport protocol,a particular source IP port number,a particular destination IP port number,a particular source IP address, anda particular destination IP address; and
      
      wherein the network interface device is further arranged to determine whether the first user-level process is authorized to transmit data packetsusing the particular network transport protocol,having the particular source IP port number,having the particular destination IP port number,having the particular source IP address, orhaving the particular destination IP address, respectively.
  - 10. A system according to claim 8, wherein the network interface device is further arranged to retrieve at least part of the first data packet from the first virtual address space resource.
  - 11. A system according to claim 10, wherein the network interface device is further arranged to abort retrieval of the first data packet if the first data packet is determined not to have any of the one or more first particular characteristics indicated in the first authorizations.
  - 12. A system according to claim 8, wherein the first user-level process is further arranged to notify the network interface device of the availability of the first data packet in the first virtual address space resource, without invoking any privileged mode routines.
  - 13. A system according to claim 8, wherein the privileged mode process is further arranged to, once it has established the first virtual address space resource, program authorization rights for the first virtual address space resource into a database accessible to the network interface device,and wherein the network interface device is further arranged to examine the authorization rights for the virtual address space resource in the database.
  - 14. A system according to claim 8, wherein:
    - the data processing system further comprises a second user-level level process;
      
      the privileged mode process is further arranged to;
      
      establish a second virtual address space resource for the second user-level process; and
      
      program second authorizations into the network interface device indicating one or more second particular characteristics of data packets the second user-level process is authorized to transmit via the network interface device onto the network;
      
      the second user-level process is arranged to subsequently enqueue a second data packet in the second virtual address space resource, without involving the privileged mode process; and
      
      the network interface device is further arranged to, without involving the privileged mode process, subsequently determine whether said second data packet has any of the one or more second particular characteristics indicated in the second authorizations, and only if so transmit said second data packet onto the network without involving the privileged mode process.

15. A method for interfacing a computing device with a network interface device, for use with a network, comprising:
- a sending process of the computing device requesting establishment of a virtual memory resource for data packet transmission;
  
  a privileged mode process, in response to the sending process requesting establishment of the virtual memory resource, establishing the virtual memory resource in a virtual address space of the sending process;
  
  programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network;
  
  the sending process adding a data packet to the virtual memory resource, without involvement of any privileged mode routines, the data packet having at least one particular characteristic;
  
  the network interface device receiving at least part of the data packet from the virtual memory resource for transmission onto the network;
  
  the network interface device making a determination of whether the sending process has authority to transmit said data packet onto the network, in dependence upon at least one of said at least one characteristics; and
  
  the network interface device transmitting the data packet onto the network only if the determination is positive.
- View Dependent Claims (16)
- - 16. A method according to claim 15:
    - wherein programming, by the privileged mode process, first authorizations into the network interface device, comprises programming, by the privileged mode process, authorization rights for the virtual memory resource into a database accessible to the network interface device, in response to the establishment of the virtual memory resource,and wherein the network interface device makes said determination by examining the authorization rights for the virtual memory resource in the database.

17. A system comprising:
- a computing device comprising a privileged mode process and a sending process;
  
  a network interface device; and
  
  a network;
  
  wherein;
  
  the sending process is arranged to request establishment of a virtual memory resource for data packet transmission;
  
  the privileged mode process is arranged to, in response to the sending process requesting establishment of the virtual memory resource,establish the virtual memory resource in a virtual address space of the sending process; and
  
  program first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network;
  
  the sending process is arranged to add a data packet to the virtual memory resource, without involvement of any privileged mode routines, the data packet having at least one particular characteristic; and
  
  the network interface device is arranged to;
  
  receive at least part of the data packet from the virtual memory resource for transmission onto the network;
  
  make a determination of whether the sending process has authority to transmit said data packet onto the network, in dependence upon at least one of said at least one characteristics; and
  
  transmit the data packet onto the network only if the determination is positive.
- View Dependent Claims (18)
- - 18. A system according to claim 17, wherein:
    - programming first authorizations into the network interface device by the privileged mode process further comprises programming, by the privileged mode process, authorization rights for the virtual memory resource into a database accessible to the network interface device, in response to the establishment of the virtual memory resource,and wherein the network interface device is arranged to make said determination by examining the authorization rights for the virtual memory resource in the database.

19. A method for interfacing a computing device with a network interface device, for use with a network, comprising:
- a first sending process of the computing device initiating establishment of a first transmit queue;
  
  a privileged mode process, in response to the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process; and
  
  programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network;
  
  the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic;
  
  the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network;
  
  the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device; and
  
  the network interface device transmitting the first data packet onto the network only if the first determination is positive.

20. A system comprising:
- a computing device; and
  
  a network interface device in communication with the computing device via a physical bus,wherein the computing device is configured such that;
  
  in response to a first sending process of the computing device initiating establishment of a first transmit queue, a privileged mode process of the computing device establishes the first transmit queue in a virtual address space of the first sending process; and
  
  programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network;
  
  in response to the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto a network, the first data packet having a first characteristic, the network interface device receives at least part of the first data packet without involvement of any privileged mode routines of the computing device; and
  
  wherein the network interface device is configured to make a first determination as to whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device, and to transmit the first data packet onto the network only if the first determination is positive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xilinx, Inc. (Advanced Micro Devices, Inc.)
Original Assignee
SolarFlare Communications Incorporated (Advanced Micro Devices, Inc.)
Inventors
Pope, Steve L., Riddoch, David J., Yu, Ching, Roberts, Derek
Primary Examiner(s)
BIAGINI, CHRISTOPHER D

Application Number

US13/765,579
Publication Number

US 20140059221A1
Time in Patent Office

1,848 Days
Field of Search
US Class Current
CPC Class Codes

H04L 47/50   Queue scheduling

H04L 49/90   Buffering arrangements

H04L 49/901   using storage descriptor, e...

H04L 49/9031   Wraparound memory, e.g. ove...

H04L 49/9063   Intermediate storage in dif...

H04L 63/10   for controlling access to d...

Packet validation in virtual network interface architecture

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

196 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Packet validation in virtual network interface architecture

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

196 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links