Managing NIC-encrypted flows for migrating guests or tasks
First Claim
1. A method of migrating a guest of a virtual machine from a host computing device to a target computing device, the method comprising:
at the host computing device:
preparing, using one or more processors, to send information to a target computing device, the information including at least a flow key and a first data packet of a plurality of data packets of the guest;
generating, using the one or more processors, a receive token by encrypting the flow key using a receive master key;
encrypting the first data packet using the flow key;
generating a send token by encrypting the receive master key, flow key, and first data packet using a send master key, wherein the send token encapsulates the receive master key, the flow key, and the first data packet;
sending the send token to a network adapter; and
decrypting, on the network adapter, the send token to identify the receive master key, flow key, and the first data packet;
encrypting, on the network adapter, the first data packet using the flow key, and sending, by the network adapter, the encrypted first data packet and the receive token to the target computing device;
at the target computing device:
receiving the encrypted first data packet and the receive token;
decrypting the receive token using the receive master key;
identifying the flow key in response to decrypting the receive token; and
decrypting the first data packet using the identified flow key; and
completing migration of the guest to the target computing device by repeating the preceding steps for remaining data packets of the plurality of data packets of the guest.
2 Assignments
0 Petitions
Abstract
A system and method for live migration of a guest on a virtual machine of a host server to a target server is described. The host server uses a flow key to encrypt and decrypt communications with the target server. Encrypting this flow key with a receive master key yields a receive token. The receive token is passed to the Network Interface Controller of the host server, which encrypts the data packet and forwards the encrypted packet together with the receive token to the target server. Multiple sender schemes may be employed on the host server, and various updates may take place on the target server to reflect the new location of the guest after it has moved from the host server to the target server.
51 Citations
13 Claims
1. A method of migrating a guest of a virtual machine from a host computing device to a target computing device, the method comprising: (claim text as set out under First Claim above.)
Dependent claims: 2, 3, 4, 5, 13

6. A system for migrating a guest of a virtual machine from a host computing device to a target computing device, the system comprising:
the host computing device, the host computing device comprising:
a network adapter;
at least one memory storing encryption keys; and
one or more processors in communication with the memory, the one or more processors configured to:
prepare information for sending to the target computing device, the information including at least a flow key and a first data packet of a plurality of data packets of the guest;
generate a receive token by encrypting the flow key using a receive master key;
encrypt the first data packet using the flow key;
generate a send token by encrypting the receive master key, the flow key, and the first data packet using a send master key, wherein the send token encapsulates the receive master key, the flow key, and the first data packet;
send the send token to the network adapter; and
decrypt, on the network adapter, the send token to identify the receive master key, flow key, and the first data packet;
encrypt, on the network adapter, the first data packet using the flow key, and send the encrypted first data packet and the receive token to the target computing device; and
repeat the preceding steps for remaining data packets of the plurality of data packets to complete migration of the guest to the target computing device.
Dependent claims: 7, 8, 9, 10, 11, 12
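As an added example (not the patent's own code), the token flow of claims 1 and 6 carried through in Python: host CPU, network adapter and target are separate functions, a toy encrypt-then-MAC AEAD built only from the standard library stands in for the cipher the claims leave unspecified, and the 32-byte key length, 16-byte nonce, and the "receive master key || flow key || packet" layout inside the send token are assumptions made here.

```python
import hashlib, hmac, os, struct

KEY_LEN = 32  # assumption: send master, receive master and flow keys are all 32 bytes

def _subkey(key, label):
    # Separate encryption and MAC subkeys so one master key safely serves both roles.
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream_xor(enc_key, nonce, data):
    # XOR data with an HMAC-SHA256 counter-mode keystream (same call encrypts and decrypts).
    ks = b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    # Toy AEAD constructed for this example (not from the patent): encrypt-then-MAC.
    nonce = os.urandom(16)
    ct = _stream_xor(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Check the tag first: a forged token or a wrong master key is rejected before decryption.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _stream_xor(_subkey(key, b"enc"), nonce, ct)

def host_cpu_prepare(send_master_key, receive_master_key, flow_key, packet):
    # Host CPU: receive token = Enc(RMK, flow key); send token wraps RMK || flow key || packet under SMK.
    receive_token = seal(receive_master_key, flow_key)
    send_token = seal(send_master_key, receive_master_key + flow_key + packet)
    return send_token, receive_token

def nic_send(send_master_key, send_token, receive_token):
    # Network adapter: unwrap the send token, encrypt the packet under the flow key, emit both items.
    inner = unseal(send_master_key, send_token)
    flow_key, packet = inner[KEY_LEN:2 * KEY_LEN], inner[2 * KEY_LEN:]
    return seal(flow_key, packet), receive_token

def target_receive(receive_master_key, encrypted_packet, receive_token):
    # Target: recover the flow key from the receive token, then decrypt the packet with it.
    flow_key = unseal(receive_master_key, receive_token)
    return unseal(flow_key, encrypted_packet)

def migrate(packets, send_master_key, receive_master_key, flow_key):
    # Repeat host -> NIC -> target for every packet of the guest; returns what the target recovers.
    received = []
    for packet in packets:
        send_token, receive_token = host_cpu_prepare(send_master_key, receive_master_key, flow_key, packet)
        received.append(target_receive(receive_master_key, *nic_send(send_master_key, send_token, receive_token)))
    return received
```

Note that the receive master key never leaves the sealed send token on the wire: only the encrypted packet and the receive token cross to the target, so a target holding the wrong receive master key, or a packet altered in transit, fails authentication rather than yielding garbage.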