Managing NIC-encrypted flows for migrating guests or tasks

US 10,693,850 B2
Filed: 05/11/2015
Issued: 06/23/2020
Est. Priority Date: 05/12/2014
Status: Active Grant

First Claim

Patent Images

1. A method of migrating a guest of a virtual machine from a host computing device to a target computing device, the method comprising:

at the host computing device;

preparing, using one or more processors, to send information to a target computing device, the information including at least a flow key and a first data packet of a plurality of data packets of the guest;

generating, using the one or more processors, a receive token by encrypting the flow key using a receive master key;

encrypting the first data packet using the flow key;

generating a send token by encrypting the receive master key, flow key, and first data packet using a send master key, wherein the send token encapsulates the receive master key, the flow key, and the first data packet;

sending the send token to a network adapter; and

decrypting, on the network adapter, the send token to identify the receive master key, flow key, and the first data packet;

encrypting, on the network adapter, the first data packet using the flow key, andsending, by the network adapter, the encrypted first data packet and the receive token to the target computing device;

at the target computing device;

receiving the encrypted first data packet and the receive token;

decrypting the receive token using the receive master key;

identifying the flow key in response to decrypting the receive token; and

decrypting the first data packet using the identified flow key; and

completing migration of the guest to the target computing device by repeating the preceding steps for remaining data packets of the plurality of data packets of the guest.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example of a system and method implementing a live migration of a guest on a virtual machine of a host server to a target server is provided. For example, a host server may utilize a flow key to encrypt and decrypt communications with a target server. This flow key may be encrypted using a receive master key, which may result in a receive token. The receive token may be sent to the Network Interface Controller of the host server, which will then encrypt the data packet and forward the information to the target server. Multiple sender schemes may be employed on the host server, and various updates may take place on the target server as a result of the new location of the migrating guest from the host server to the target server.

51 Citations

13 Claims

1. A method of migrating a guest of a virtual machine from a host computing device to a target computing device, the method comprising:
- at the host computing device;
  
  preparing, using one or more processors, to send information to a target computing device, the information including at least a flow key and a first data packet of a plurality of data packets of the guest;
  
  generating, using the one or more processors, a receive token by encrypting the flow key using a receive master key;
  
  encrypting the first data packet using the flow key;
  
  generating a send token by encrypting the receive master key, flow key, and first data packet using a send master key, wherein the send token encapsulates the receive master key, the flow key, and the first data packet;
  
  sending the send token to a network adapter; and
  
  decrypting, on the network adapter, the send token to identify the receive master key, flow key, and the first data packet;
  
  encrypting, on the network adapter, the first data packet using the flow key, andsending, by the network adapter, the encrypted first data packet and the receive token to the target computing device;
  
  at the target computing device;
  
  receiving the encrypted first data packet and the receive token;
  
  decrypting the receive token using the receive master key;
  
  identifying the flow key in response to decrypting the receive token; and
  
  decrypting the first data packet using the identified flow key; and
  
  completing migration of the guest to the target computing device by repeating the preceding steps for remaining data packets of the plurality of data packets of the guest.
- View Dependent Claims (2, 3, 4, 5, 13)
- - 2. The method of claim 1, further comprising:
    - sending the information to the network adapter;
      
      storing, on the network adapter, the information and the receive token as a tuple, the tuple corresponding to a flow ID; and
      
      sending the receive token, flow key, first data packet, and encapsulation information as a tuple to the target computing device.
  - 3. The method of claim 1, further comprising:
    - retrieving a send token from a first table;
      
      copying the retrieved send token in a second table; and
      
      sending the copied send token to the network adapter.
  - 4. The method of claim 3, wherein the first and second tables include a reliability number, the reliability number corresponding to the send token, and the method further comprising:
    - updating the send token associated with the first table; and
      
      incrementing the reliability number associated with the send token of the first table in response to the update.
  - 5. The method of claim 4, further comprising:
    - checking the reliability number corresponding to the send token in the first table before copying the send token in a second table;
      
      storing the reliability number in the second table;
      
      verifying, after copying the send token, the reliability number corresponding to the send token is the same in the first and second tables; and
      
      when the reliability number is not the same, retrieving the send token again.
  - 13. The method of claim 1, wherein the target computer device calculates the flow key, the flow key being one key of a bi-directional flow key pair for sending data to and receiving data from an external computer after migration.

6. A system for migrating a guest of a virtual machine from a host computing device to a target computing device, the system comprising:
- the host computing device, the host computing device comprising;
  
  a network adapter;
  
  at least one memory storing encryption keys; and
  
  one or more processors in communication with the memory, the one or more processors configured to;
  
  prepare information for sending to the target computing device the information including at least a flow key and a first data packet of a plurality of data packets of the guest;
  
  generate a receive token by encrypting the flow key using a receive master key;
  
  encrypt the first data packet using the flow key;
  
  generate a send token by encrypting the receive master key, the flow key, and the first data packet using a send master key, wherein the send token encapsulates the receive master key, the flow key, and the first data packet;
  
  send the send token to the network adapter; and
  
  decrypt, on the network adapter, the send token to identify the receive master key, flow key, and the first data packet;
  
  encrypt, on the network adapter, the first data packet using the flow key, andsend the encrypted first data packet and the receive token to the target computing device; and
  
  repeat the preceding steps for remaining data packets of the plurality of data packets to complete migration of the guest to the target computing device.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The system of claim 6, wherein the one or more processors are further configured to:
    - send the information to the network adapter;
      
      store, on the network adapter, the information and the receive token as a tuple, the tuple corresponding to a flow ID; and
      
      send the receive token, flow key, first data packet, and encapsulation information as a tuple to the target computing device.
  - 8. The system of claim 6, wherein the one or more processors are further configured to:
    - at least one memory storing encryptionsend thegenerate a send token by encrypting the receive master key, flow key, and first data packet using a send master key, wherein the send token encapsulates the receive master key, flow key, and first data packet;
      
      send the send token to the network adapter; and
      
      decrypt, on the network adapter, the receive master key, flow key, and data packet.
  - 9. The system of claim 8, wherein the one or more processors are further configured to:
    - retrieve a send token from a first table;
      
      copy the retrieved send token in a second table; and
      
      send the copied send token to the network adapter.
  - 10. The system of claim of claim 9, wherein the first and second tables include a reliability number, the reliability number corresponding to the send token, and the one or more processors are further configured to:
    - update the send token associated with the first table; and
      
      increment the reliability number associated with the send token of the first table in response to the update.
  - 11. The system of claim 10, wherein the one or more processors are further configured to:
    - check the reliability number corresponding to the send token in the first table before copying the send token in a second table;
      
      store the reliability number in the second table;
      
      verify, after copying the send token, the reliability number corresponding to the send token is the same in the first and second tables; and
      
      when the reliability number is not the same, retrieve the send token again.
  - 12. The system of claim 11, wherein the one or more processors are further configured to send the copied send token to the network adapter when the reliability number is the same.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google LLC (Alphabet Inc.)
Inventors
Serebrin, Benjamin Charles
Primary Examiner(s)
Tran, Tongoc

Application Number

US14/708,685
Publication Number

US 20150326542A1
Time in Patent Office

1,870 Days
Field of Search

713160
US Class Current
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/045   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

Managing NIC-encrypted flows for migrating guests or tasks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Managing NIC-encrypted flows for migrating guests or tasks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others