Packet validation in virtual network interface architecture
Abstract
Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.
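The following Python model is an added illustration of the mechanism the abstract and claims describe; it is not code from the patent or its assignee. It separates the three roles: a privileged (kernel) routine that establishes a transmit queue and programs per-queue authorizations into the NIC based on the requester's privilege level, a user-level process that enqueues packets without any further kernel involvement, and the NIC that checks each packet's characteristics (protocol number, source/destination address and ports) against the queue's authorizations and transmits only on a match. The class and function names (`Nic`, `TransmitQueue`, `kernel_establish_queue`), the constructed privilege policy and the sample packets are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# IP protocol numbers used in the constructed scenario.
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    """Header fields the NIC inspects (the characteristics the abstract lists)."""
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Authorization:
    """One rule the privileged-mode process programs into the NIC for a transmit queue.
    A packet matches when every constrained field falls inside the rule; None means 'any'."""
    protos: Optional[frozenset] = None
    src_net: Optional[str] = None       # e.g. "10.0.0.5/32"
    dst_net: Optional[str] = None
    src_ports: Optional[range] = None
    dst_ports: Optional[range] = None

    def permits(self, p: Packet) -> bool:
        return (
            (self.protos is None or p.proto in self.protos)
            and (self.src_net is None or ip_address(p.src_ip) in ip_network(self.src_net))
            and (self.dst_net is None or ip_address(p.dst_ip) in ip_network(self.dst_net))
            and (self.src_ports is None or p.src_port in self.src_ports)
            and (self.dst_ports is None or p.dst_port in self.dst_ports)
        )


class Nic:
    """Network interface device: holds per-queue authorizations and enforces them on transmit."""

    def __init__(self) -> None:
        self._auths: Dict[int, Tuple[Authorization, ...]] = {}
        self._next_queue = 0
        self.wire: List[Packet] = []                  # packets that actually went onto the network
        self.dropped: List[Tuple[int, Packet]] = []   # (queue id, packet) refused by the check

    def program_queue(self, auths: Tuple[Authorization, ...]) -> int:
        """Privileged-only control path: allocate a queue id and attach its authorizations."""
        qid = self._next_queue
        self._next_queue += 1
        self._auths[qid] = auths
        return qid

    def transmit(self, qid: int, p: Packet) -> bool:
        """Data path with no kernel involvement: send only if an authorization for this queue matches."""
        if any(a.permits(p) for a in self._auths.get(qid, ())):
            self.wire.append(p)
            return True
        self.dropped.append((qid, p))
        return False


class TransmitQueue:
    """Virtual-address-space resource owned by a user-level process; enqueueing bypasses the kernel."""

    def __init__(self, nic: Nic, qid: int) -> None:
        self._nic, self.qid = nic, qid

    def enqueue(self, p: Packet) -> bool:
        return self._nic.transmit(self.qid, p)


def kernel_establish_queue(nic: Nic, host_ip: str, privileged: bool) -> TransmitQueue:
    """Privileged-mode process: derive authorizations from the requester's privilege level,
    program them into the NIC, and hand back a queue usable without further syscalls.
    The policy below is a constructed illustration, not a policy taken from the patent."""
    if privileged:
        auths = (Authorization(src_net=f"{host_ip}/32"),)   # any protocol/port, own address only
    else:
        auths = (
            Authorization(protos=frozenset({TCP, UDP}), src_net=f"{host_ip}/32",
                          src_ports=range(1024, 65536), dst_ports=range(1024, 65536)),
        )
    return TransmitQueue(nic, nic.program_queue(auths))


def demo() -> Tuple[int, int]:
    """Constructed scenario: an unprivileged and a privileged process share one NIC.
    Returns (packets transmitted, packets dropped)."""
    nic = Nic()
    user_q = kernel_establish_queue(nic, "10.0.0.5", privileged=False)
    root_q = kernel_establish_queue(nic, "10.0.0.5", privileged=True)

    user_q.enqueue(Packet(TCP, "10.0.0.5", "10.0.0.9", 40000, 8080))  # permitted
    user_q.enqueue(Packet(TCP, "10.0.0.7", "10.0.0.9", 40000, 8080))  # forged source address: dropped
    user_q.enqueue(Packet(UDP, "10.0.0.5", "10.0.0.9", 40001, 53))    # privileged destination port: dropped
    user_q.enqueue(Packet(1, "10.0.0.5", "10.0.0.9", 0, 0))           # protocol not authorized: dropped
    root_q.enqueue(Packet(UDP, "10.0.0.5", "10.0.0.9", 40001, 53))    # privileged queue: permitted
    return len(nic.wire), len(nic.dropped)


if __name__ == "__main__":
    print(demo())  # (2, 3)
```

The point of the split is that `Nic.program_queue` is reachable only through the privileged routine, while `TransmitQueue.enqueue` calls nothing privileged; whatever an untrusted user-level protocol stack places in its queue, the NIC's check bounds what can reach the wire.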
20 Claims
1. A method comprising:
establishing, by a privileged mode process, a first virtual address space resource for a first user-level process to bypass subsequent kernel routines;
programming, by the privileged mode process, first authorizations into a network interface device indicating one or more first particular characteristics of data packets the first user-level process is authorized to transmit via the network interface device onto a network;
subsequently enqueueing a first data packet in the first virtual address space resource by the first user-level process, without involving the privileged mode process by bypassing kernel routines; and
subsequently determining, by the network interface device and without involving the privileged mode process, whether said first data packet has any of the one or more first particular characteristics indicated in the first authorizations, and only if so, transmitting, by the network interface device and without involving the privileged mode process, said first data packet onto the network.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system comprising:
a data processing system comprising a first user-level process and a privileged mode process; and
a network interface device;
wherein:
the privileged mode process is arranged to:
establish a first virtual address space resource for the first user-level process; and
program first authorizations into the network interface device indicating one or more first particular characteristics of data packets the first user-level process is authorized to transmit via the network interface device onto a network;
the first user-level process is arranged to subsequently enqueue a first data packet in the first virtual address space resource, without involving the privileged mode process; and
the network interface device is arranged to, without involving the privileged mode process, subsequently determine whether said first data packet has any of the one or more first particular characteristics indicated in the first authorizations, and only if so transmit said first data packet onto the network without involving the privileged mode process.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A method for interfacing a computing device with a network interface device, for use with a network, comprising:
a sending process of the computing device requesting establishment of a virtual memory resource for data packet transmission;
a privileged mode process, in response to the sending process requesting establishment of the virtual memory resource, establishing the virtual memory resource in a virtual address space of the sending process;
programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network;
the sending process adding a data packet to the virtual memory resource, without involvement of any privileged mode routines, the data packet having at least one particular characteristic;
the network interface device receiving at least part of the data packet from the virtual memory resource for transmission onto the network;
the network interface device making a determination of whether the sending process has authority to transmit said data packet onto the network, in dependence upon at least one of said at least one characteristics; and
the network interface device transmitting the data packet onto the network only if the determination is positive.
Dependent claims: 16
17. A system comprising:
a computing device comprising a privileged mode process and a sending process;
a network interface device; and
a network;
wherein:
the sending process is arranged to request establishment of a virtual memory resource for data packet transmission;
the privileged mode process is arranged to, in response to the sending process requesting establishment of the virtual memory resource, establish the virtual memory resource in a virtual address space of the sending process; and program first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network;
the sending process is arranged to add a data packet to the virtual memory resource, without involvement of any privileged mode routines, the data packet having at least one particular characteristic; and
the network interface device is arranged to:
receive at least part of the data packet from the virtual memory resource for transmission onto the network;
make a determination of whether the sending process has authority to transmit said data packet onto the network, in dependence upon at least one of said at least one characteristics; and
transmit the data packet onto the network only if the determination is positive.
Dependent claims: 18
19. A method for interfacing a computing device with a network interface device, for use with a network, comprising:
a first sending process of the computing device initiating establishment of a first transmit queue;
a privileged mode process, in response to the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process; and
programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network;
the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic;
the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network;
the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device; and
the network interface device transmitting the first data packet onto the network only if the first determination is positive.
20. A system comprising:
a computing device; and
a network interface device in communication with the computing device via a physical bus,
wherein the computing device is configured such that:
in response to a first sending process of the computing device initiating establishment of a first transmit queue, a privileged mode process of the computing device establishes the first transmit queue in a virtual address space of the first sending process; and programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network;
in response to the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto a network, the first data packet having a first characteristic, the network interface device receives at least part of the first data packet without involvement of any privileged mode routines of the computing device; and
wherein the network interface device is configured to make a first determination as to whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device, and to transmit the first data packet onto the network only if the first determination is positive.