CN112600826B - Virtualization security gateway system - Google Patents

Virtualization security gateway system

Info

Publication number
CN112600826B
CN112600826B (application CN202011434689.0A)
Authority
CN
China
Prior art keywords: rdma, virtualization, rule, security, host
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202011434689.0A
Other languages: Chinese (zh)
Other versions: CN112600826A (en)
Inventors: 李永康, 王洋, 须成忠, 张锦霞
Current assignee: Shenzhen Institute Of Beidou Applied Technology (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenzhen Institute of Advanced Technology of CAS
Priority date: 2020-12-10 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2020-12-10
Publication dates: 2021-04-02 (CN112600826A), 2022-02-22 (CN112600826B)
Application filed by Shenzhen Institute of Advanced Technology of CAS
Priority claimed by CN202011434689.0A (CN112600826B) and PCT/CN2020/139253 (WO2022120974A1)

Classifications

    • H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network security: managing network security; network security policies in general
    • H04L63/205 Network security policies involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/14 Network security: detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H04L67/5682 Policies or rules for updating, deleting or replacing the stored data

Abstract

The invention relates to a virtualization security gateway system comprising: virtualized RDMA (Remote Direct Memory Access), which uses hybrid virtualization combining software and hardware to virtualize RDMA on a single host; and a virtualization security gateway, designed for RDMA on top of the hybrid virtualization, which monitors RDMA connection establishment but not the individual data transfers, so that the low-latency characteristic of the system is preserved. Through the hybrid software/hardware virtualization, data transfers are carried over SR-IOV and keep the low-latency and high-throughput advantages of RDMA; on that basis the security gateway is incorporated into the virtualization scheme, and by monitoring only the connection process the high load that a security module would incur by matching security rules against every data stream is avoided, so that system security is improved while virtualization performance is maintained.

Description

Virtualization security gateway system
Technical Field
The invention belongs to the technical field of network monitoring, and particularly relates to a virtualization security gateway system.
Background
Remote Direct Memory Access (RDMA) offloads protocol-stack processing to the network card: after the network card parses a packet it accesses memory directly via DMA, avoiding multiple copies of the data. At the same time, because data processing is offloaded, the CPU is freed from network data transfer and CPU utilization improves. Through zero copy and kernel bypass, RDMA achieves low latency, high throughput and high performance in data transfer.
However, RDMA was designed for single-tenant environments and faces significant challenges in the multi-tenant, single-host setting of cloud computing. One problem is that the kernel bypass that lets RDMA reduce latency is precisely what makes data transfers hard to monitor. In a conventional TCP/IP network, data must pass through the kernel protocol stack, so a monitoring module can be placed on the host to inspect it. RDMA bypasses the kernel entirely: the kernel is unaware of the data transfer, and previously existing methods cannot monitor security events. User data therefore cannot be protected, which is a serious problem in a cloud environment.
In this context, virtualizing RDMA is the more desirable strategy. With virtualization support, data transfers can be monitored by placing a component in the virtual machine that captures the commands issued by the application; however, purely software-based virtualization inevitably causes a sharp drop in network performance and defeats the original purpose of using RDMA for low latency and high throughput. Hybrid virtualization combining software and hardware is therefore the better implementation choice. MasQ, proposed by Huawei, is an RDMA virtualization solution for private clouds that separates the control path from the data path. It makes full use of RDMA's buffering properties, virtualizes RDMA by manipulating the state of Queue Pairs (QPs), and implements disconnection as a security function by modifying QP state.
At present there is little research on RDMA virtualization; only a few companies such as Huawei and Microsoft have implementations. Some are implemented entirely in software, where all traffic must be forwarded by a relay on the host, with a large performance loss. Others separate the data path from the control path but still rely on TCP/IP functionality for part of the security control. On the security side, conventional security monitoring inspects every data stream, which also costs significant performance. In general, security gateways for virtualized RDMA in cloud computing environments have rarely been studied.
Disclosure of Invention
In view of this, an embodiment of the present invention provides a virtualization security gateway system, to solve the problems of the prior art that the performance loss of RDMA virtualization is too large, the dependence on TCP/IP-related security policy is too strong, the security monitoring flow at the network security boundary is too complex, and monitoring all data incurs a large overhead.
As a preferred technical solution of the present invention, the virtualization security gateway system is composed of three parts, as follows:
hybrid virtualization of RDMA;
hybrid virtualization combining software and hardware is used to virtualize RDMA on a single host. The scheme borrows the separation of data path and control path from software-defined networking, and implements virtualization by combining the Single-Root I/O Virtualization (SR-IOV) capability of the network card with software virtualization, on the premise that data transfer performance is preserved;
a virtualization security gateway;
on top of the RDMA hybrid virtualization, a security gateway for RDMA is designed that monitors RDMA connections but not the individual data transfers, preserving the low-latency characteristic of the system;
integration of RDMA operations with the security gateway;
after the RDMA hybrid virtualization and the virtualization security gateway are integrated, the operation flow when an application in a virtual machine issues an RDMA request is as follows:
S1: if the command is a data-transfer command, the driver sends the request directly to the VF allocated by SR-IOV according to the original scheduling flow to complete the transfer;
S2: if the command is connection-related, such as rdma_connect, the modified library function forwards it through a socket interface to the resident monitoring process on the host, where the task is analyzed;
S3: in the monitoring module, the forwarded data is parsed first; information such as the host number, virtual machine number and read/write type is extracted from it and then matched against the rule linked list of the security rule base stored on the physical host;
S4: if no security rule matches, the monitoring module sends the corresponding request to the network card and returns the result to the application in the virtual machine so that it can proceed with the subsequent data transfer; at the same time the monitoring module caches the information of the now-running connection so that it can continue to be monitored later;
S5: if a security rule matches, the connection is forbidden: the monitoring module directly prevents the connection from being established and returns a connection-creation failure to the application.
As a preferred technical solution of the present invention, the virtualization security gateway includes a monitoring module, a security rule base and a rule distribution module, wherein:
monitoring module: a resident process in user space that receives the control commands forwarded from the virtual machine, parses them and matches them against the rule base. The monitoring module caches existing connections to facilitate subsequent continuous monitoring;
security rule base: this component stores the security rules specified by the user; all rules are chained in a linked list, and the monitoring module determines whether a security exception exists by traversing the rule base;
rule distribution module: this module is unique in the system and can be placed on a trusted host; when a user needs to update the security rules, the rule update, add or delete operation is sent to every host through the rule distribution module.
To ensure reliable rule transmission, the rule distribution module uses the two-sided RDMA primitives SEND/RECV when sending rules to other hosts. At system startup, each host posts an RDMA RECV towards the host holding the rule distribution module in advance and then waits for the completion event to be triggered;
when a rule operation is needed, the rule distribution module sends the rule to each host with a SEND command, which consumes that host's posted RECV; the host then posts a new RECV, so that every host is always waiting to receive the next rule update, add or delete operation.
As a preferred technical solution of the present invention, in step S4 the monitoring module continuously monitors the established connections (every permitted connection is placed in the connection cache), and whenever a rule is added, updated or deleted, the monitoring module scans the existing connections and takes further action according to the matching result.
As a preferred technical solution of the present invention, in step S5, if some existing connections match the security rules, the monitoring module must immediately send a disconnect request to the network card and send disconnection information to the application, so that no subsequent data reads or writes can take place, and at the same time clear the cached information of that connection.
Compared with the prior art, the embodiment of the present invention has the following beneficial effects:
in the proposed combination of RDMA virtualization and security gateway, the hybrid software/hardware virtualization carries data transfers over SR-IOV and preserves RDMA's low-latency, high-throughput advantages; on that basis the security gateway is incorporated into the virtualization scheme, and by monitoring only the connection process the high load a security module would incur by matching security rules against every data stream is avoided, so that virtualization performance is maintained while system security is improved.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the RDMA virtualization model provided by an embodiment of the invention;
FIG. 2 is a schematic diagram of the architecture of the monitoring part provided by an embodiment of the invention;
FIG. 3 is a flowchart of an application initiating an RDMA operation according to an embodiment of the invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
A virtualization security gateway system, composed of three parts, as follows:
hybrid virtualization of RDMA;
hybrid virtualization combining software and hardware is used to virtualize RDMA on a single host; the scheme borrows the separation of data path and control path from software-defined networking and implements virtualization on the premise that data transfer performance is preserved;
specifically, referring to FIG. 1, which is the system architecture diagram of the hybrid virtualization implementation: RDMA-based transmission requires a programming interface library (the verbs API) to interact with the network card driver, and this library resides in each virtual machine. To handle different types of commands differently, some functions in the library are modified and recompiled, so that when those functions are called they forward the command issued by the application directly to the monitoring module on the host for further processing.
The data path refers to pure data transfer in RDMA, such as READ/WRITE/SEND/RECV; these operations account for most of the time in a complete RDMA connect-and-transfer cycle. It is therefore impractical to use software virtualization for them, as the performance penalty would be large. Since current commercial RDMA network cards all support SR-IOV, and SR-IOV delivers performance close to bare metal, in actual use a VF is allocated to each virtual machine that needs the RDMA network. Data-transfer commands then interact with the network card directly, without intervention from the virtual machine monitor (hypervisor) or the kernel protocol stack.
The control path refers to the commands in an RDMA transfer that relate to connections and memory operations, such as establishing a connection, disconnecting, and creating a queue pair (QP). The use of these commands, and the creation of the associated data structures, determines the network connection channels used by subsequent data transfers. It should also be noted that this part accounts for a relatively small share of the latency. Forwarding this part for monitoring therefore provides a certain degree of monitoring of the RDMA transfer on the one hand, and does not cause excessive overhead on the other. In the system design, the library functions that need to be modified are those related to this aspect. After modification, the virtual machine forwards the relevant commands to the monitoring module on the physical host through a socket communication mechanism.
A virtualization security gateway;
specifically, referring to FIG. 2, which is the architecture diagram of the security gateway:
on top of the RDMA hybrid virtualization, a security gateway for RDMA is designed that monitors RDMA connections but not the individual data transfers, preserving the low-latency characteristic of the system;
the virtualization security gateway comprises a monitoring module, a security rule base and a rule distribution module, wherein:
monitoring module: a resident process in user space that receives the control commands forwarded from the virtual machine, parses them and matches them against the rule base. The monitoring module caches existing connections to facilitate subsequent continuous monitoring;
security rule base: this component stores the security rules specified by the user; all rules are chained in a linked list, and the monitoring module determines whether a security exception exists by traversing the rule base;
rule distribution module: this module is unique in the system and can be placed on a trusted host; when a user needs to update the security rules, the rule update, add or delete operation is sent to every host through the rule distribution module.
To ensure reliable rule transmission, the rule distribution module uses the two-sided RDMA primitives SEND/RECV when sending rules to other hosts. At system startup, every host posts an RDMA RECV towards the host holding the rule distribution module in advance and then waits for the completion event to be triggered. When a rule operation is needed, the rule distribution module sends the rule to each host with a SEND command, which consumes that host's posted RECV; the host then posts a new RECV, so that every host is always waiting to receive the next rule update, add or delete operation.
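The SEND/RECV rule-distribution exchange described in the paragraph above (and in the corresponding paragraph of the summary), as an added example that is not the patent's own code. It is a toy model of a queue pair's receive side rather than libibverbs: a SEND can only land in a buffer that the receiver posted with a RECV beforehand, which is exactly why the patent has each host re-post a RECV after consuming one. The scenario compares a host that re-posts (the patent's behaviour) with one that posts a single RECV at startup and never re-arms. Class names, field names and the message format are assumptions.

```python
"""Rule distribution over two-sided RDMA SEND/RECV, modelled on the rule
distribution module in this patent. Added illustration, not the patent's code;
ReceiveSide/RuleHost/RuleDistributor are a toy queue-pair model, not libibverbs,
and every name below is an assumption."""
from __future__ import annotations
from collections import deque


class ReceiverNotReady(Exception):
    """A SEND arrived at a queue pair with no RECV work request posted
    (the receiver-not-ready condition on a real NIC): nothing is delivered."""


class ReceiveSide:
    """Receive queue plus completion queue of one queue pair (toy model)."""

    def __init__(self) -> None:
        self.posted_recvs: deque[int] = deque()              # RECV WRs, by buffer id
        self.completions: deque[tuple[int, dict]] = deque()  # (buffer id, message)

    def post_recv(self, buf_id: int) -> None:
        self.posted_recvs.append(buf_id)

    def deliver(self, msg: dict) -> None:
        """Called by the peer's SEND; consumes exactly one posted RECV."""
        if not self.posted_recvs:
            raise ReceiverNotReady("no RECV work request posted")
        buf_id = self.posted_recvs.popleft()
        self.completions.append((buf_id, dict(msg)))

    def poll_cq(self) -> tuple[int, dict] | None:
        return self.completions.popleft() if self.completions else None


class RuleHost:
    """A physical host holding a copy of the security rule base.
    repost=True is what the patent describes; repost=False shows what
    happens when the RECV is posted only once at startup."""

    def __init__(self, name: str, repost: bool = True) -> None:
        self.name = name
        self.repost = repost
        self.rules: dict[int, dict] = {}
        self.rq = ReceiveSide()
        self.rq.post_recv(0)       # posted in advance at system startup

    def process_completions(self) -> int:
        """Apply received rule operations and re-arm the receive queue."""
        handled = 0
        while (cqe := self.rq.poll_cq()) is not None:
            buf_id, msg = cqe
            if msg["op"] in ("add", "update"):
                self.rules[msg["rule_id"]] = msg["rule"]
            elif msg["op"] == "delete":
                self.rules.pop(msg["rule_id"], None)
            if self.repost:
                self.rq.post_recv(buf_id)   # re-arm so the next SEND can land
            handled += 1
        return handled


class RuleDistributor:
    """The single rule distribution module on the trusted host."""

    def __init__(self, hosts: list[RuleHost]) -> None:
        self.hosts = hosts

    def send(self, msg: dict) -> dict[str, bool]:
        """SEND one rule operation to every host; True where it was delivered."""
        outcome: dict[str, bool] = {}
        for host in self.hosts:
            try:
                host.rq.deliver(msg)
                host.process_completions()
                outcome[host.name] = True
            except ReceiverNotReady:
                outcome[host.name] = False   # lost update: this host's rule base is now stale
        return outcome


def run_scenario() -> tuple[dict[str, bool], dict[str, bool], dict[int, dict], dict[int, dict]]:
    """Constructed scenario: an add followed by a delete, sent to one host that
    re-posts its RECV and one that does not."""
    good = RuleHost("host-a", repost=True)
    naive = RuleHost("host-b", repost=False)
    dist = RuleDistributor([good, naive])
    first = dist.send({"op": "add", "rule_id": 1, "rule": {"vm": 7, "rw": "write"}})
    second = dist.send({"op": "delete", "rule_id": 1})
    return first, second, good.rules, naive.rules
```

run_scenario() returns the per-host delivery outcome of the two messages and each host's resulting rule base: the re-posting host ends with rule 1 deleted, while the naive host never receives the delete and keeps the stale deny rule. In practice a receiver pre-posts several RECVs rather than one, since two rule messages sent before the host has re-armed would otherwise hit the same condition.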
Combination of virtualized RDMA with the virtualization security gateway;
after the RDMA hybrid virtualization and the virtualization security gateway are integrated, the operation flow is as follows (see also FIG. 3), when an application in a virtual machine issues an RDMA request:
if the command is a data-transfer command, the driver sends the request directly to the VF allocated by SR-IOV according to the original scheduling flow to complete the transfer;
if the command is connection-related, such as rdma_connect, the modified library function forwards it through a socket interface to the resident monitoring process on the host, where the task is analyzed;
in the monitoring module, the forwarded data is parsed first; information such as the host number, virtual machine number and read/write type is extracted from it and then matched against the rule linked list of the security rule base stored on the physical host;
if no security rule matches, the monitoring module sends the corresponding request to the network card and returns the result to the application in the virtual machine so that it can proceed with the subsequent data transfer; at the same time the monitoring module caches the information of the now-running connection so that it can continue to be monitored later;
if a security rule matches, the connection is forbidden: the monitoring module directly prevents the connection from being established and returns a connection-creation failure to the application.
In addition, the monitoring module continuously monitors the established connections (every permitted connection is placed in the connection cache), and whenever a rule is added, updated or deleted, the monitoring module scans the existing connections and takes further action according to the matching result.
If some existing connections match the security rules, the monitoring module must immediately send a disconnect request to the network card and send disconnection information to the application, so that no subsequent data reads or writes can take place, and at the same time clear the cached information of that connection.
The invention designs an RDMA virtualization scheme and a security gateway system built on it, which lets the physical host monitor and access-control the network traffic of its virtual machines. The system is based on KVM/QEMU, uses RDMA for data transfer, and combines hybrid software/hardware virtualization with connection-based security monitoring. To preserve the advantages of RDMA and the performance of the system, the data path and the control path of virtual machine data transfer are separated, following the idea of software-defined networking. The data path uses SR-IOV to allocate a virtual function (VF) to the virtual machine, so that data transfer stays close to bare-metal performance. The control path mainly handles connection-related commands; here software assists the virtualization: a function library is modified at the virtual machine level, and the control commands are redirected to the monitoring module on the physical host. The monitoring module implemented on the physical host parses the commands sent by the virtual machine, discovers potential security problems by traversing the security rule base, and passes the command on to the RDMA network card only when security is assured.
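The connection-monitoring flow above (steps S1 to S5 in the summary and their restatement here), together with the rescan on rule change and the forced disconnect, as an added example in Python that is not part of the patent. It models the monitoring module as a class: data-path verbs are returned straight to the VF without inspection, rdma_connect requests are matched against the rule chain, permitted connections are cached, and a rule add or delete triggers a rescan that tears down now-forbidden connections. The verb names in DATA_OPS and CONTROL_OPS, the Rule and ConnectRequest fields, and the nic_requests list standing in for the network card are assumptions. Two points the patent implies but does not state outright are made explicit: a matching rule denies, so the rule base is a blocklist with default allow; and rules key only on host, VM and read/write type, so once a connection is permitted the READ/WRITE traffic on it is never seen by the gateway.

```python
"""Connection-level RDMA security gateway: a model of the monitoring module,
security rule base and connection cache described in this patent.
Added illustration, not the patent's own code; every identifier here
(Rule, ConnectRequest, Gateway, DATA_OPS, ...) is an assumption."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Verbs that stay on the data path: the VM driver sends them straight to its
# SR-IOV VF and the gateway never sees them (assumed op names for illustration).
DATA_OPS = {"ibv_post_send", "ibv_post_recv", "READ", "WRITE", "SEND", "RECV"}
# Control-path verbs the modified library forwards to the host over a socket.
CONTROL_OPS = {"rdma_connect", "rdma_disconnect", "ibv_create_qp"}


@dataclass(frozen=True)
class ConnectRequest:
    """Fields the monitoring module extracts from a forwarded rdma_connect."""
    host: int     # physical host number
    vm: int       # virtual machine number
    rw: str       # "read" or "write"
    peer: str     # remote endpoint (constructed label, not used for matching)


@dataclass(frozen=True)
class Rule:
    """One deny rule; None means wildcard. A match forbids the connection,
    so the rule base is a blocklist and the default is allow."""
    rule_id: int
    host: Optional[int] = None
    vm: Optional[int] = None
    rw: Optional[str] = None

    def matches(self, req: ConnectRequest) -> bool:
        return ((self.host is None or self.host == req.host)
                and (self.vm is None or self.vm == req.vm)
                and (self.rw is None or self.rw == req.rw))


class Gateway:
    """Resident user-space monitoring process on the physical host."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []                        # the patent's rule linked list
        self.connections: dict[int, ConnectRequest] = {}   # connection cache
        self.nic_requests: list[tuple[str, int]] = []      # stand-in for requests to the NIC
        self._next_conn_id = 1

    def first_match(self, req: ConnectRequest) -> Optional[Rule]:
        """Traverse the rule chain in order; the first matching rule decides."""
        for rule in self.rules:
            if rule.matches(req):
                return rule
        return None

    def handle_connect(self, req: ConnectRequest) -> tuple[bool, Optional[int]]:
        """Steps S3-S5: match, then either forward to the NIC and cache, or refuse."""
        if self.first_match(req) is not None:
            return False, None                  # S5: refuse; nothing reaches the NIC
        conn_id = self._next_conn_id
        self._next_conn_id += 1
        self.nic_requests.append(("connect", conn_id))   # S4: forward to the NIC
        self.connections[conn_id] = req                  # S4: cache for later rescans
        return True, conn_id

    def handle_disconnect(self, conn_id: int) -> bool:
        """Application-initiated teardown: forward to the NIC, drop the cache entry."""
        if conn_id not in self.connections:
            return False
        self.nic_requests.append(("disconnect", conn_id))
        del self.connections[conn_id]
        return True

    def update_rules(self, add: tuple[Rule, ...] = (), delete: tuple[int, ...] = ()) -> list[int]:
        """Apply an add/delete from the rule distribution module (an update is a
        delete plus an add of the same rule_id), then rescan the connection cache;
        connections that now match are torn down and their ids returned."""
        self.rules = [r for r in self.rules if r.rule_id not in delete] + list(add)
        torn_down = [cid for cid, req in self.connections.items()
                     if self.first_match(req) is not None]
        for cid in torn_down:
            self.nic_requests.append(("disconnect", cid))  # NIC drops the connection
            del self.connections[cid]                       # application is told it is gone
        return torn_down

    def dispatch(self, op: str, req: Optional[ConnectRequest] = None,
                 conn_id: Optional[int] = None):
        """Steps S1-S2: data-path verbs bypass the gateway; control verbs land here."""
        if op in DATA_OPS:
            return "VF"                          # S1: straight to the SR-IOV VF, unmonitored
        if op == "rdma_connect" and req is not None:
            return self.handle_connect(req)      # S2: forwarded over the socket
        if op == "rdma_disconnect" and conn_id is not None:
            return self.handle_disconnect(conn_id)
        return None                              # other control verbs: assumed pass-through
```

Because the gateway only sees the control path, a rule that is added after a connection was permitted is the only way an existing transfer can be stopped; that is what update_rules does by rescanning the cache and issuing a disconnect for each match.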
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (7)

1. A virtualization security gateway system, comprising:
virtualized RDMA:
RDMA is virtualized on a single host by hybrid virtualization combining software and hardware; the virtualization borrows the separation of data path and control path from software-defined networking and is implemented on the premise that data transfer performance is preserved, so as to obtain the virtualized RDMA;
a virtualization security gateway:
a security gateway for RDMA is designed, and RDMA connections are monitored;
integration of the virtualized RDMA with the virtualization security gateway:
the step of integrating the virtualized RDMA and the virtualization security gateway comprises, when an application in a virtual machine issues an RDMA request:
S1: if the RDMA request is a data-transfer command, the driver sends the request directly to the virtual function (VF) allocated by SR-IOV according to the original scheduling flow to complete the data transfer;
S2: if the RDMA request is a connection-related command, the modified library function forwards the RDMA request to the host through a socket interface, and the task is analyzed;
S3: the forwarded data is parsed, the host number, virtual machine number and read/write type are extracted from it, and they are matched against the rule linked list of the security rule base stored on the physical host;
wherein the virtualization security gateway comprises a monitoring module, a security rule base and a rule distribution module, wherein:
the monitoring module is a resident process in user space that receives the control commands forwarded from the virtual machine, parses them and matches them against the rule base, and caches existing connections to facilitate subsequent continuous monitoring;
the security rule base stores the security rules specified by a user, all rules being chained in a linked list, and the monitoring module determines whether a security exception exists by traversing the rule base;
the rule distribution module is placed on a trusted host in the system, and when a user needs to update the security rules, the rule update, add or delete operation is sent to each host through the rule distribution module.
2. The virtualization security gateway system of claim 1, wherein the step of integrating the virtualized RDMA and the virtualization security gateway further comprises:
S4: if no security rule matches, the monitoring module sends the corresponding request to the network card and returns the result to the application in the virtual machine so that it can complete the subsequent data transfer, and at the same time caches the information of the running connection so that it can continue to be monitored later;
S5: if a security rule matches, the connection is forbidden: the monitoring module directly prevents the connection from being established and returns a connection-creation failure to the application.
3. The virtualization security gateway system of claim 2, wherein the monitoring module parses the forwarded data, extracts the host number, virtual machine number and read/write type from it, and matches them against the rule linked list of the security rule base stored on the physical host.
4. The virtualization security gateway system of claim 3, wherein the rule distribution module uses the two-sided RDMA primitives SEND/RECV when sending rules to other hosts, and each host posts an RDMA RECV towards the host holding the rule distribution module in advance at system startup and then waits for the completion event to be triggered.
5. The virtualization security gateway system of claim 4, wherein, when a rule operation is needed, the rule distribution module sends the rule to each host with a SEND command, which consumes that host's posted RECV, and the host then posts a new RECV, thereby ensuring that every host is always waiting to receive a rule update, add or delete operation.
6. The virtualization security gateway system of claim 5, wherein in step S4 the monitoring module continuously monitors the established connections, and when a rule is added, updated or deleted, the monitoring module scans the existing connections and takes further action according to the matching result.
7. The virtualization security gateway system of claim 6, wherein in step S5, if some existing connections match the security rules, the monitoring module immediately sends a disconnect request to the network card and sends disconnection information to the application, so that no subsequent data reads or writes can take place, and at the same time clears the cached information of the connection.
Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN202011434689.0A (CN112600826B) | 2020-12-10 | 2020-12-10 | Virtualization security gateway system
PCT/CN2020/139253 (WO2022120974A1) | 2020-12-10 | 2020-12-25 | Virtualization security gateway system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202011434689.0A (CN112600826B) | 2020-12-10 | 2020-12-10 | Virtualization security gateway system

Publications (2)

Publication Number | Publication Date
CN112600826A | 2021-04-02
CN112600826B | 2022-02-22

Family

ID=75191664

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202011434689.0A (CN112600826B, Active) | Virtualization security gateway system | 2020-12-10 | 2020-12-10

Country Status (2)

Country | Link
CN | CN112600826B
WO | WO2022120974A1

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114301641B (en) * 2021-12-15 2024-03-19 Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences Virtual security gateway system suitable for RDMA network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106664290A (en) * 2015-05-26 2017-05-10 Huawei Technologies Co., Ltd. Data transmission method and device for photoelectric hybrid network
CN107450966A (en) * 2011-03-30 2017-12-08 Amazon Technologies, Inc. Framework and interface for packet processing based on an offload device
CN111400237A (en) * 2014-12-29 2020-07-10 Nicira, Inc. Method for providing multi-tenancy support for RDMA

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104866407A (en) * 2015-06-23 2015-08-26 Shandong Zhongfu Information Industry Co., Ltd. Monitoring system and method in virtual machine environment
US10558250B2 (en) * 2016-12-23 2020-02-11 Oracle International Corporation System and method for coordinated link up handling following switch reset in a high performance computing network
US10909066B2 (en) * 2018-04-03 2021-02-02 Microsoft Technology Licensing, Llc Virtual RDMA switching for containerized applications
CN111966446B (en) * 2020-07-06 2022-08-19 Fudan University RDMA virtualization method in container environment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107450966A (en) * 2011-03-30 2017-12-08 Amazon Technologies, Inc. Framework and interface for packet processing based on an offload device
CN111400237A (en) * 2014-12-29 2020-07-10 Nicira, Inc. Method for providing multi-tenancy support for RDMA
CN106664290A (en) * 2015-05-26 2017-05-10 Huawei Technologies Co., Ltd. Data transmission method and device for photoelectric hybrid network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research on RDMA Virtualization Technologies"; Dai Chao et al.; Computer Systems & Applications; 2020-09-30; full text, Figure 3 *

Also Published As

Publication number Publication date
WO2022120974A1 (en) 2022-06-16
CN112600826A (en) 2021-04-02

Similar Documents

Publication Publication Date Title
US8713180B2 (en) Zero-copy network and file offload for web and application servers
US9588807B2 (en) Live logical partition migration with stateful offload connections using context extraction and insertion
RU2436149C2 (en) Migrating virtual machine, having resource such as hardware
US7941812B2 (en) Input/output virtualization through offload techniques
US7840736B2 (en) Bus communication enumeration
US8495262B2 (en) Using a table to determine if user buffer is marked copy-on-write
US9678912B2 (en) Pass-through converged network adaptor (CNA) using existing ethernet switching device
US20070041383A1 (en) Third party node initiated remote direct memory access
US10678465B2 (en) Seamless migration of storage volumes between storage arrays
CN106557444B (en) Method and device for realizing SR-IOV network card and method and device for realizing dynamic migration
US11757796B2 (en) Zero-copy processing
US9390036B2 (en) Processing data packets from a receive queue in a remote direct memory access device
CN109983741B (en) Transferring packets between virtual machines via direct memory access devices
CN114039789B (en) Traffic protection method, electronic device and storage medium
TW202320062A (en) Cloud gaming system and method for operating cloud gaming system
US20060136697A1 (en) Method, system, and program for updating a cached data structure table
CN112600826B (en) Virtualization security gateway system
WO2022143717A1 (en) Method, apparatus, and system for migrating virtual machine
US9921867B2 (en) Negotiation between virtual machine and host to determine executor of packet flow control policy with reduced address space
US10228968B2 (en) Network interface device that alerts a monitoring processor if configuration of a virtual NID is changed
JP7117674B2 (en) Data transfer system and system host
US20180225162A1 (en) Flexible command line interface redirection
US11755765B2 (en) Optimized directory enumeration and data copy for client drive redirection in virtual desktops
KR20230106877A (en) Computing system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240130

Address after: 518000, Building A, Building 2, Shenzhen International Innovation Valley, Dashi Road, Xili Community, Xili Street, Nanshan District, Shenzhen City, Guangdong Province, China, 2203

Patentee after: SHENZHEN INSTITUTE OF BEIDOU APPLIED TECHNOLOGY

Country or region after: China

Address before: No. 1068 Xueyuan Avenue, Shenzhen University Town, Nanshan District, Shenzhen, Guangdong Province, 518055

Patentee before: SHENZHEN INSTITUTES OF ADVANCED TECHNOLOGY CHINESE ACADEMY OF SCIENCES

Country or region before: China