Enabling platform network stack control in a virtualization platform
Abstract
In some embodiments, the invention involves protecting network communications in a virtualized platform. An embodiment of the present invention is a system and method relating to protecting network communication flow using packet encoding/certification and the network stack. One embodiment uses a specialized engine or driver in the network stack to encode packets before they are sent to the physical network controller. The network controller may use a specialized driver to decode the packets, or may have a hardware implementation of a decoder. If the decoded packet is certified, the packet is transmitted. Otherwise, the packet is dropped. An embodiment of the present invention utilizes a virtualization architecture to implement the network communication paths. Other embodiments are described and claimed.
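As an added illustration (not code from the patent or its assignee), the following Python model walks a few constructed packets through the flow the abstract describes: an encoder in the management partition certifies each packet, and the decoder at the NIC transmits only packets that verify and drops the rest. The patent names no encoding scheme, so an HMAC-SHA256 trailer under a shared key is assumed here; the class names and the key are hypothetical.

```python
import hashlib
import hmac

# Assumption: the patent names no encoding scheme. This model certifies each
# packet with an HMAC-SHA256 trailer under a key shared by the encoder in the
# management partition and the decoder at the NIC.
TAG_LEN = 32


class ManagementPartitionEncoder:
    """Encoder in the management partition: certifies packets the VMM captured."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def encode(self, packet: bytes) -> bytes:
        return packet + hmac.new(self._key, packet, hashlib.sha256).digest()


class NicDecoder:
    """Decoder at the physical NIC: verifies the trailer, drops anything else."""
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.sent: list[bytes] = []   # packets that reached the wire
        self.dropped = 0              # unverified packets discarded

    def receive(self, frame: bytes) -> bool:
        """Transmit only a packet whose trailer verifies; return True if sent."""
        if len(frame) <= TAG_LEN:     # no room for payload plus trailer
            self.dropped += 1
            return False
        packet, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, packet, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1
            return False
        self.sent.append(packet)
        return True


def run_scenario() -> tuple[int, int]:
    """Constructed traffic: one certified, one bypassing the encoder, one tampered."""
    key = b"constructed-shared-key-for-this-example"   # constructed, not from the patent
    encoder, nic = ManagementPartitionEncoder(key), NicDecoder(key)
    packet = b"constructed IP packet from a guest virtual machine"
    nic.receive(encoder.encode(packet))     # went through the management partition
    nic.receive(packet)                      # skipped the encoder: no valid trailer
    tampered = bytearray(encoder.encode(packet))
    tampered[0] ^= 0x01                      # altered after encoding
    nic.receive(bytes(tampered))
    return len(nic.sent), nic.dropped        # (1, 2)
```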
34 Claims (independent claims 1, 11 and 23 shown in full; dependent claims listed by number)

1. A system, comprising:
a virtualization platform capable of running a virtual machine monitor and a plurality of virtual machines, the virtual machine monitor to capture packets of information to be sent over a network by a process running in a virtual machine on the platform;
an encoder residing in a virtual machine to encode packets of information, the packets of information to be sent to a network interface card (NIC) via a network stack, wherein the encoder is communicatively coupled to a virtual network stack in the virtual machine running on the virtualization platform; and
a decoder to decode and verify the encoded packets of information, the decoder communicatively coupled to the NIC, wherein the NIC sends only verified decoded information packets and drops unverified information packets.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A method for sending packets in a virtualization platform, comprising:
sending a packet of information by an application running on the platform, the packet of information to be sent over a network, wherein the packet is sent to a first virtual network interface;
capturing the packet of information by a management partition running in a first virtual machine on the platform;
encoding a packet of information by an encoder residing in the management partition, the encoder communicatively coupled to a virtual network stack; and
sending the encoded packet of information to a physical network interface, the physical network interface being capable of decoding and authenticating the encoded packet, the physical network interface being capable of sending authenticated packets and dropping unauthenticated packets.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 27, 28.

23. A machine accessible medium having instructions for sending packets in a virtualization platform, the instructions when accessed cause the machine to:
send a packet of information by an application running on the platform, the packet of information to be sent over a network, wherein the packet is sent to a first virtual network interface;
capture the packet of information by a management partition running in a first virtual machine on the platform;
encode a packet of information by an encoder residing in the management partition, the encoder communicatively coupled to a virtual network stack; and
send the encoded packet of information to a physical network interface, the physical network interface being capable of decoding and authenticating the encoded packet, the physical network interface being capable of sending authenticated packets and dropping unauthenticated packets.
Dependent claims: 24, 25, 26, 29, 30, 31, 32, 33, 34.
Specification