US9270594B2 - Apparatus and method for applying network policy at virtual interfaces - Google Patents
Classifications
- H04L47/10—Flow control; Congestion control (H04L47/00—Traffic control in data switching networks)
- H04L47/20—Traffic policing
- H04L63/102—Entity profiles (H04L63/10—Network security protocols for controlling access to devices or network resources)
Definitions
- the present disclosure relates generally to network communication.
- Example embodiments relate to enforcement of network policy upon communications from virtual interfaces.
- Network policy enforcement is commonly used to control network access by nodes on a network. For example, policy enforcement may be used to control a node's ability to access other nodes, to define a node's scope of privileges, to prevent denial of service attacks and to enforce firewall policies. An appropriate policy may be selected based on the identification or lack thereof of a node or a user.
- FIG. 1 illustrates a block diagram of an example embodiment of a network system.
- FIG. 2 illustrates a block diagram of a further example embodiment of a network system.
- FIG. 3 illustrates a block diagram of a yet further example embodiment of a network system.
- FIG. 4 is a flow diagram of a method, in accordance with an example embodiment, for enabling the application of network policy enforcement.
- FIG. 5 is a flow diagram of a further method, in accordance with an example embodiment, for enabling the application of network policy enforcement.
- FIG. 6a illustrates example fields within a frame.
- FIGS. 6b and 6c illustrate block diagrams of network systems in accordance with example embodiments.
- FIG. 7 illustrates a block diagram of a further network system, in accordance with an example embodiment.
- FIGS. 8a, 8b and 8c are block diagrams illustrating example communication networks in which embodiments are applied.
- FIG. 9 shows a diagrammatic representation of a machine in the example form of a computer system within which a set of instructions for causing the machine to perform any one or more of the methodologies discussed herein may be executed.
- an operating system located on a node accesses a network through a software operating system interface paired in a one-to-one fashion with a physical network interface.
- one way to enforce network policy is to identify the node by the physical input/output (I/O) interface connecting it to the network.
- one physical port corresponds to one operating system so the communications can be regulated.
- a single physical device may appear to other hardware and software as multiple logical devices (e.g., multiple virtual devices).
- a virtual machine may include an operating system that interfaces via multiple “virtual interfaces” to a network.
- Virtual interfaces allow applications, services and operating systems to separately access the network through the virtual interfaces using a common physical I/O interface to the network.
- network policy may be enforced with hardware or software. The enforcement may occur within each network node or external to each node but within the network.
- Example embodiments may be deployed in a network device (e.g., a server) and a switch that are communicatively coupled with one another in a network system.
- the network device includes an operating system interface, a virtualization adapter, and an input output port.
- the virtualization adapter may receive a frame from the operating system interface and tag the frame to indicate that the frame is associated with the operating system interface. The frame may then be transmitted with another frame associated with a different operating system interface, via the input output port.
- the switch may receive the frame and enforce a network policy upon the frame, based on the tag.
- policy configurations relating to functionality at a network node may be set or configured in the network (e.g., at a single point in the network).
- Example embodiments disclosed herein include receiving data from an operating system or multiple operating systems located on a network device (e.g. various operating systems located on a single computer's virtual machines).
- The term "frame" is used by way of example herein and is intended to include a data packet of fixed or variable length that has been encoded by a data link layer communications protocol for digital transmission over a node-to-node link.
- Each frame may include a header and a payload, together with frame synchronization (or optionally bit synchronization). Examples of frames include, but are not restricted to, Ethernet frames and Fibre Channel frames.
- a virtualization adapter receives one or more frames from the operating system interface and tags the one or more frames with an indicator that indicates an association with its source operating system interface (e.g., a virtual interface).
- the one or more frames may then be configured to be transmitted over an I/O port (e.g., a physical input/output port) concurrently with other frames associated with various other operating system interfaces (e.g., interfaces to various operating systems instantiated in virtual machines), to a network switch.
- the source of the one or more frames may be identified so that network policy may be applied at a point within the network and not, for example, at the destination node itself.
- The one or more frames are created by one or more operating system interfaces (e.g., virtual interfaces) that interface with an operating system located on the network device.
- a policy enforcement module located within the switch may receive the one or more frames.
- The policy enforcement module may first identify a source I/O port associated with the one or more frames and then examine indicators (e.g., frame tags) located within the one or more frames (e.g., within a frame header) to identify the source operating system interface (e.g., a virtual interface) that generated them. Based on the identified source I/O port and the identified source operating system interface, the policy enforcement module may enforce a network policy upon the one or more frames.
- FIG. 1 illustrates a block diagram of a network system 100 in accordance with an example embodiment.
- the system 100 is shown to include an information processing device 101 with an I/O port 103 which may be used to communicatively couple the information processing device 101 to transmission medium 105 .
- the information processing device 102 includes I/O ports 104 and 112 which may be used to couple the information processing device 102 to the transmission medium 105 .
- the network device 120 is coupled to the information processing device 102 via the I/O port 112 and/or other commercially available connection means.
- The information processing devices 101 and 102 are communicatively coupled together, and coupled with the network device 120, when each is simultaneously coupled to the transmission medium 105.
- the information processing devices 101 , 102 may be any electronic device that processes information according to a list of instructions.
- the information processing device 101 is a computer that includes a central processing unit (CPU) to manipulate information; the information processing devices 101 , 102 may be a network device (e.g. a switch that operates on Ethernet layer 2 frames).
- the information processing devices 101 , 102 may communicate with other devices (e.g., the network device 120 ) coupled to the transmission medium 105 using multiple communication protocols.
- the information processing devices 101 , 102 may communicate over the transmission medium 105 using 10 gigabit Ethernet, internet SCSI (iSCSI), Fibre Channel, or any other protocols that can be communicated over Ethernet.
- The information processing devices 101 and 102 are network devices and are referred to as network devices 101, 102 below.
- the transmission medium 105 may be any medium suitable for carrying information between the network devices 101 , 102 .
- transmission medium 105 is a twisted pair cable to carry Ethernet communications.
- Other example embodiments may include combinations of transmission mediums that have various physical forms and collectively form an overall physical transmission medium (e.g. a combination of optical fiber, wireless, and twisted pairs coupled by routers, switches and/or other network devices, etc.).
- the I/O ports 103 , 104 may be interfaces (e.g., network adaptors) between a device (e.g. network devices 101 , 102 ) and the transmission medium 105 that enable the device to receive and/or transmit information to and/or from the transmission medium 105 .
- I/O ports 103 , 104 are physical I/O ports that physically couple with the transmission medium 105 (e.g. via RJ-45 connector and cable) through a port (e.g. a port configured to receive an RJ-45 connector).
- I/O ports 103 , 104 are configured to accommodate the use of multiple protocols communicated over transmission medium 105 .
- FIG. 2 illustrates a block diagram of a further example embodiment of a network system 200 in which network policy may be applied to communications originating at operating system interfaces.
- FIG. 2 includes a network device 201 coupled with a network device 202 via I/O ports 203 , 204 and a transmission medium 205 .
- the I/O ports 203 and 204 may resemble the I/O ports 103 , 104 described with respect to FIG. 1 .
- the network device 220 is coupled to the network device 202 using I/O port 212 and/or any other commercially available connection means/arrangement. In an example embodiment, the characteristics of the network device 220 are substantially similar to the network devices 101 or 102 .
- the network device 201 includes a physical I/O port 203 , a virtualization module 207 , operating system interfaces 209 a - n , one or more operating systems 211 , and applications and/or services 213 a - n.
- a virtualization module 207 is communicatively coupled between the I/O port 203 and the operating system interfaces 209 a - c .
- the virtualization module 207 receives information from, and sends information to, the operating system interfaces 209 a - n . Further, the virtualization module 207 receives information from and sends information to the I/O port 203 .
- the virtualization module 207 receives separate frames from the operating system interfaces 209 a - n ; thus, the virtualization module 207 may receive n frames.
- the virtualization module 207 appends (e.g., tags) each of the n frames with an indicator to indicate the identity of the operating system interface (e.g. 209 a , 209 b or 209 n ) from which each separate frame originated.
- the virtualization module 207 then queues the appended frames for transmission over the transmission medium 205 (e.g., a single physical link) via the I/O port 203 . Without the indicator, the identity of the source of the frames would be lost once they are transmitted over the single physical link.
- indicators appended to each frame that identify the source from which the frame originated may preserve the identity of the source. Accordingly, network policy management pertaining to that source may be managed at the remote network device 202 .
- the virtualization module 207 in an example embodiment appends an indicator to each frame (or sequence of frames) so that, once transmitted, the indicator may indicate the operating system interface (e.g. 209 a , 209 b or 209 n ) from which the frames originated. It is to be understood that software and/or hardware other than the virtualization module 207 may append an I/O indicator in other example embodiments.
- Network devices (e.g., 202 and/or 220) that receive the appended frames (e.g., n sets of information) can determine the originating I/O port and use the indicator(s) to determine the identity of the operating system interface 209 a - n from which the frames were received.
- the virtualization module 207 may be logic implemented in hardware, software or a combination of hardware and software.
- the virtualization module 207 is a software layer (e.g. a software layer to virtualize hardware) in a hierarchical architecture that interfaces a computer's hardware with the computer's software.
- the virtualization module may be provided in hardware in a network adaptor or network interface card (NIC). Accordingly, the network interface card may define a virtual NIC that allows the source of the communications (e.g., frames) to be retained after virtualization of the frames.
- the operating system interfaces 209 a - n are communicatively coupled with the virtualization module 207 and the operating system(s) 211 .
- the operating system interfaces 209 a - n facilitate communication between the operating system 211 and the transmission medium 205 .
- the operating system 211 may require information located within a network device 220 that is coupled with the transmission medium 205 .
- the operating system 211 may request the information from an operating system interface 209 a - n that will, in turn, send the request to the network device 220 via the virtualization module 207 , the I/O port 203 , the transmission medium 205 , the I/O port 204 , the network device 202 and the I/O port 212 .
- Each operating system interface 209 a - n may send information to, and receive frames from, the virtualization module 207 using a communication protocol that is different from the communication arrangement that it uses to communicate with the operating system 211 .
- the operating system interfaces 209 a - n may translate between a protocol language understood by the operating system 211 and a protocol language understood by the virtualization module 207 .
- the operating system interfaces 209 a and 209 n may use an internet protocol (IP) and the operating system interface 209 b may use fibre channel (FC) protocol to communicate with the virtualization module 207 ; neither of the above named protocols may be used to communicate with the operating system 211 .
- the operating system interfaces 209 a - n may be logic implemented in software, hardware or a combination of the two.
- the operating system interfaces are software instructions processed by one or more processors associated with network device 201 .
- the operating system 211 may be software that manages hardware and software resources on network device 201 . Operating system 211 may form a platform upon which applications and/or services 213 a - n can run. In carrying out its functionality, the operating system 211 may send information to, and receive information from, the transmission medium 205 as described above. For example, on each one of a plurality of hardware devices (e.g., server machines), a plurality of different operating systems (e.g., Linux, Windows, etc.) may be deployed. Each operating system deployment may define a virtual server.
- the applications and/or services 213 a - n may be a software construction that is enabled by processor hardware (not shown) and the operating system 211 , inter alia, to perform specific tasks defined by a user.
- the application software may be a spreadsheet application, word processing application, web server, transaction processing software, database, or any other application software, etc.
- Applications and/or services 213 a - n may be the software that combines to form an operating system (e.g. operating system 211 ).
- the applications and/or services 213 a - n may include software for controlling and allocating memory, prioritizing system requests, controlling I/O devices, facilitating networking, managing file systems, and other resources, etc.
- the network device 201 may host one or more operating systems 211 and operating system interfaces 209 a - n . Each of the operating system interfaces 209 a - n may be interfaced with the one or more operating systems 211 .
- the virtualization module 207 may receive a frame from one or more of the operating system interfaces 209 a - n and append an indicator to the frame.
- the indicators may indicate to an information processing system (e.g. network device 202 ) an association between the frame and the one or more operating system interfaces (e.g., an indication of the operating system interfaces 209 a - n from which the frame originated).
- the network device 201 may also include I/O port 203 .
- The virtualization module may configure the frame (e.g., together with other frames associated with the operating system interfaces 209 a - n) to be transmitted to another network device (e.g. 202) via the transmission medium 205.
- the network system 200 in FIG. 2 is also shown to include the network device 202 (e.g. a network switch) having an I/O port 204 , a virtualization module 206 , and a policy enforcement module 208 .
- the policy enforcement module 208 is remote from the virtualization module 207 and the transmission medium 205 (physical connection).
- the I/O port 204 may resemble the I/O ports 103 , 104 in FIG. 1 .
- the I/O port 204 receives information from the transmission medium 205 and forwards the information to the virtualization module 206 .
- the virtualization module 206 receives the appended frames and examines an indicator (e.g., of each frame) to identify the I/O port (e.g. I/O port 203 ) from which the frames were received (e.g., by reading a source address from a layer 2 header). It is to be understood that software and/or hardware other than the virtualization module 206 may examine the frames for an I/O indicator. In an example embodiment, the virtualization module 206 retrieves (e.g. parses) an indicator from each of the frames to identify the operating system interface (e.g. 209 a , 209 b or 209 n ) from which the particular frame originated.
- the virtualization module 206 transmits each of the frames to the policy enforcement module 208 .
- the virtualization module may transmit the identities of the originating I/O port and operating system interfaces (e.g. 203 and 209 a - n ) sending each particular frame.
- the policy enforcement module 208 may be logic (implemented in hardware and/or software) to enforce defined network policy upon network nodes coupled to transmission medium 205 .
- the network policy may be enforced to control a node's (or a plurality of nodes') ability to access other nodes, to define a node's scope of privileges, to prevent denial of service (DoS) attacks, to enforce firewall policies, and so on.
- An appropriate network policy may be selected based on the identification, or lack thereof, of a frame associated with a node or a user. Policy enforcement may include any mechanism to uphold a defined standard. It should be noted that the policies described above are included only for example and not as an exhaustive definition of network policy enforcement or to limit the disclosed patentable technology herein.
- the policy enforcement module 208 allows or denies transmission of the frame to other nodes (e.g., nodes or network devices coupled with the transmission medium 205 ) in accordance with the policy defined for the network, based at least in part on the identity of the I/O port and the operating system interface that originated the frame.
- an I/O port (e.g. 204 ) of a network device may receive a frame from another network device (e.g. 201 ).
- the policy is enforced further based on an identified source I/O port (e.g., the I/O port 203 ).
- the policy enforcement module 208 accesses a storage module 210 (e.g., utilizing a lookup table) to reference the policy to be applied to a frame originating at a particular operating system interface. A frame that violates policy may, for example, be dropped.
- The storage module 210 is located within the policy enforcement module 208; however, the storage module 210 may reside in different locations in other embodiments.
- the policy enforcement module 208 may determine that all, or some portion of, frames are permitted to reach (can be forwarded to) a desired destination network device coupled with the transmission medium 205 .
- frames that originated at the operating system interface 209 b may have a desired destination network device that is one of the operating system interfaces 209 a - n .
- the destination operating system interface may be on the same network device 201 .
- The policy enforcement module 208 may then transmit the frames to the virtualization module 206, where each of the frames is appended with at least one indicator to specify the appropriate destination I/O port and operating system interface.
- the appropriate destination is I/O port 203 and operating system interface 209 a.
- I/O port 204 transmits the frames with their associated indicators to I/O port 203 across the transmission medium 205 .
- the virtualization module 207 may retrieve (e.g., parse) an indicator from each frame to identify one or more operating system interfaces 209 a - n that are to receive the particular frame. Continuing with the example of the frame from operating system interface 209 b , as described above, the virtualization module 207 may forward particular frames to the operating system interface 209 a . The information within the frames may then be translated by the operating system interface 209 a and forwarded to the operating system 211 .
- FIG. 3 illustrates a block diagram of a network system 300 in accordance with a further example embodiment.
- the system 300 includes a network device 301 coupled to the network devices 302 , 320 via I/O ports 303 , 304 , 312 and a transmission medium 305 (physical connection).
- the network device 301 includes the physical I/O port 303 , a virtualization module 307 , operating system interfaces 309 a - n , operating systems 311 a - m and applications and/or services 313 a - n .
- the operating systems 311 a - 311 m exist on virtual machines that are instantiated on the network device 301 .
- Although the network device 301 includes additional components, each of the above-described components may be similar to the corresponding components described with respect to FIG. 2.
- the applications and/or services 313 a - n , the operating systems 311 a - m and the operating system interfaces 309 a - n may be substantially similar to the applications and/or services 213 a - n , the operating system 211 and the operating system interfaces 209 a - n of FIG. 2 .
- Each operating system 311 a - m may support multiple applications and/or services 313 a - n. Additionally, each operating system 311 a - m may communicate through multiple operating system interfaces 309 a - n. In an example embodiment, the number of applications and/or services 313 a - n is different for different operating systems 311 a - m, and the number of operating system interfaces need not be uniform across the operating systems 311 a - m or the applications and/or services 313 a - n.
- the operating system 311 a may signal or command the operating system interface 309 a to communicate a frame over transmission medium 305 using iSCSI protocol.
- the operating system 311 a may signal the operating system interface 309 b to communicate over transmission medium 305 using FC protocol.
- the operating systems 311 b - m may also signal or command the operating system interfaces 309 d - n to communicate with the transmission medium 305 with various similar and/or dissimilar communication protocols that are supported by the operating system 311 a - m making the request.
- the operating system interfaces 309 a - n may receive the request and forward it to the virtualization module 307 .
- the virtualization module 307 may receive frames from the operating system interfaces 309 a - n as described above by way of example with respect to operating system interfaces 209 a - n in FIG. 2 . However, in this embodiment, the operating system interfaces 309 a - n may communicate with the virtualization module 307 on behalf of the different operating systems 311 a - m . In an example embodiment, the virtualization module 307 may append (or include in any manner) an indicator to each frame to indicate the identity of the operating system interface from which each frame originated.
- the virtualization module 307 may arrange the appended frames into a queue from which they are transmitted to the I/O port 303 and then to transmission medium 305 .
- the virtualization module 307 may additionally append an indicator to the frames to indicate the I/O port (e.g., the I/O port 303 ) from which the frames originated. It is to be understood that software and/or hardware other than the virtualization module 307 may append (or include) an I/O port indicator in other example embodiments.
- the network device 302 , the virtualization module 306 and the I/O port 304 may be substantially similar to their counterparts in FIG. 2 .
- the virtualization module 306 receives frames appended with appropriate indicators and examines each indicator to identify the I/O port (e.g., I/O port 303 ) from which the frame was received (e.g., by reading a source address from a layer 2 header). It is to be understood that, in other example embodiments, software and/or hardware other than the virtualization module 306 may examine the frame for an I/O indicator.
- the virtualization module 306 retrieves (e.g. parses) an indicator from each of the frames to identify the operating system interface (e.g. 309 a - n ) from which the frame originated.
- the virtualization module 306 may transmit each of the frames to a policy enforcement module 308 .
- the virtualization module 306 may transmit the identities of the originating I/O port and operating system interfaces (e.g., 303 and 309 a - n ).
- the policy enforcement module 308 allows or inhibits communication of the frame to other nodes in accordance with, or based on, the policy defined for the network.
- the policy may be stored within storage module 310 .
- the policy may be based, at least in part, on the identity of the I/O port and the operating system interface from which the frame originated.
- FIG. 4 is a flow diagram of a method 400 , in accordance with an example embodiment, for enabling the application of network policy enforcement to operating system interfaces.
- In the method 400, processing logic receives frames from one or more operating systems via operating system interfaces.
- An operating system located on a computer sends information to the processing logic through the computer's operating system interfaces (e.g. protocol engines located on the computer).
- The process may begin at block 401 with the processing logic receiving a first frame from a first operating system interface. Thereafter, as shown at block 402, the processing logic appends an indicator to each frame to associate the frame with its source operating system interface.
- the method 400 may then configure the frame and other frames that are associated with various operating system interfaces to be transmitted over a common I/O port.
- FIG. 5 is a flow diagram of a method 500 , in accordance with an example embodiment, for enabling the application of policy enforcement to operating system interfaces.
- The method 500 is performed by components of the information processing devices 102, 202 and 302 (e.g., network devices) shown in FIGS. 1, 2, and 3.
- the method 500 begins with processing logic receiving a frame (see block 501 ) (e.g., from an operating system(s) through operating system interfaces and an I/O port) that includes at least one operating system interface indicator (e.g., a tag) that identifies an operating system interface from which the frame was sent. Thereafter, as shown at block 502 , the operating system indicator is examined to identify a network policy associated with the operating system interface. As shown in block 503 the method may conclude with the appropriate network policy being enforced on the frame.
- Network administrators applying a new network policy to a network need not install hardware and software on each terminating network node; rather, a smaller number of intermediate network nodes are enabled to enforce policy upon operating system interfaces (e.g. virtual interfaces).
- network administrators may update fewer nodes (e.g., only the intermediate nodes and not the network adaptors themselves) to apply a new policy across a network.
- the example embodiments may be implemented in software, hardware or a combination thereof.
- The methods described herein may be implemented by a computer program product or software, which may include a machine- or computer-readable medium having stored thereon instructions that may be used to program a computer (or other electronic devices).
- the functionality/methods described herein may be performed by specific hardware components (e.g., integrated circuits) that contain hardwired logic for performing the functionality, or by any combination of programmed computer components and custom hardware components.
- FIG. 6 a illustrates example fields within a frame.
- the fields shown in FIG. 6 a may be used to identify I/O ports, operating system interfaces (e.g., virtual interfaces) and provide additional information (examples discussed below) to enable policy enforcement upon operating system interfaces.
- a frame may be a set of information of fixed or variable length that is encoded by a communications protocol for digital transmission over a node-to-node link.
- A frame may be encoded with a data link layer (Layer 2) protocol.
- Example embodiments described herein are not limited to the use of a frame to identify the origin of information; rather, frames are used by way of example and not limitation.
- FIGS. 6b and 6c are block diagrams illustrating example embodiments of network systems.
- frames may be communicated between an adapter and a switch.
- the example embodiments of frame fields shown in FIG. 6 a may be used to transfer information that can be used to practice example embodiments disclosed herein.
- Information within the frame fields may enable network policy enforcement upon virtual interfaces performed by a policy enforcement switch located within the network itself. Further, information within the example frame fields can be used to enable frame delivery from a policy enforcement switch, to virtual interfaces.
- a field “d” may be used to indicate frame direction.
- in FIG. 6 b the frame is shown with d set to “0”, indicating that the frame is being transmitted from an adapter (e.g. a network terminal) to a switch (e.g. one including a policy enforcement module as hereinbefore described).
- d is set to “1” to indicate that the frame is being transmitted from a policy enforcement module to an adapter (see FIG. 6 c ).
- a further identifier field “p” is provided.
- FIG. 6 c illustrates an example embodiment of frames being delivered to virtual interfaces at specific dst_vif locations. In this example embodiment, frames are delivered to dst_vif locations 1 , 4 , 7 and 10 (as indicated by arrows descending from the adapter).
- FIG. 7 is a block diagram of a network system 700 , in accordance with an example embodiment.
- the system 700 is shown to include operating systems 705 a - f which may be any operating system (e.g. Linux, Microsoft Windows XP, UNIX or any other available operating system that communicates with a network, etc.).
- Operating system interfaces 707 a - i and 708 a - i may be software or hardware (or a combination thereof) that implement layers of a protocol stack (e.g. logic to transform operating system commands to network protocols).
- the system 700 is also shown to include network adapters 701 , 702 that virtualize and tag frames sent from the operating systems 705 a - c and to operating systems 705 d - f through operating system interfaces 707 a - i , 708 a - i.
- virtualization includes transmitting frames from different virtual interfaces (e.g., operating system interfaces) so that the frames can be transmitted through a single Ethernet cable 706 to a virtual interface switch 704 .
- Virtualization of frames may also include parsing the frames so that the frames can be distributed to a particular destination based on a defined policy.
- tagging frames includes appending an indicator to a frame to indicate the frame's source or destination operating system interface (e.g. 707 a - i , 708 a - i ) and I/O port (not shown).
- the adapters 701 , 702 each send and receive frames (frames from/to each of 707 a - i , 708 a - i ) over a single twisted pair Ethernet cable 706 .
- the virtual interface multiplexer 703 sends and receives frames over a single twisted pair Ethernet cable connected with adapters 701 , 702 .
- the virtual interface multiplexer 703 may be a multiplexer configured to receive and forward frames, inter alia, from the virtualization interfaces (e.g. 707 a - i , 708 a - i ) that have been virtualized by adapters 701 , 702 for transfer over a single cable (e.g. 706 ).
- the virtual interface multiplexer 703 may be configured to receive and forward frames, inter alia, from virtual interface switch 704 .
- the virtual interface multiplexer 703 may include logic designed to perform the above disclosed functions.
- the virtual interface multiplexer 703 may be realized through hardware or software configuration or a configuration that includes both hardware and software.
- a virtual interface switch 704 is a network device that enforces network policy upon frames originating at virtual interface adapters.
- the virtual interface switch 704 receives frames from all 18 operating system interfaces 707 a - i and 708 a - i . Because each frame is tagged with one or more identification indicators, the virtual interface switch 704 can apply network policy to each of the operating system interfaces 707 a - i , 708 a - i . Those frames that violate policy are dropped (e.g. denied access to a destination node). Those frames that do not violate policy may be forwarded to a desired destination. Those frames whose desired destination is one or more of operating system interfaces 707 a - i , 708 a - i are tagged for that destination and virtualized to enable transmission over a single Ethernet cable to the virtual interface multiplexer 703 .
- frames are received by the virtual adapters 701 , 702 .
- Each of the adapters 701 , 702 may then read each frame's tags to determine which of the virtual interfaces 707 a - i , 708 a - i is the frame's destination.
- Example embodiments described above may enable network policy to be efficiently and economically enforced on networks including nodes that communicate from virtual interfaces through single physical wires. By enforcing policy on intermediate devices within the network instead of on every termination node, the time and cost associated with implementing network policy can be reduced.
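The following is an added illustration of the frame-tagging and policy-enforcement flow described for FIG. 6 and FIG. 7; it is example code written for this page, not code from the patent or its assignee. It assumes a tag layout the patent does not fix (a 1-byte direction flag d followed by 16-bit src_vif and dst_vif fields), represents policy as an explicit default-deny set of permitted (src_vif, dst_vif) pairs, and uses a static destination-MAC-to-VIF forwarding table at the switch; the frames and VIF numbers are constructed. The adapter tags egress frames with src_vif and d=0, the switch either drops a frame or retags it with dst_vif and d=1, and the receiving adapter distributes by dst_vif.

```python
"""Frame tagging and per-virtual-interface policy enforcement (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed tag layout (the patent names d, src_vif and dst_vif but fixes no
# widths): 1-byte direction flag, 16-bit src_vif, 16-bit dst_vif.
TAG_FMT = "!BHH"
TAG_LEN = struct.calcsize(TAG_FMT)      # 5 bytes
VIF_UNSET = 0xFFFF                      # placeholder until the switch fills dst_vif
MAC_LEN = 6


@dataclass(frozen=True)
class Tag:
    d: int        # 0 = adapter -> switch (egress), 1 = switch -> adapter (ingress)
    src_vif: int  # originating operating system interface
    dst_vif: int  # destination operating system interface


def encode_tag(tag: Tag) -> bytes:
    if tag.d not in (0, 1):
        raise ValueError("d must be 0 or 1")
    return struct.pack(TAG_FMT, tag.d, tag.src_vif, tag.dst_vif)


def decode_tag(frame: bytes) -> Tuple[Tag, bytes]:
    """Split a tagged frame into its tag and the untagged Ethernet frame."""
    if len(frame) < TAG_LEN + MAC_LEN:
        raise ValueError("frame too short to carry a tag and a destination address")
    d, src_vif, dst_vif = struct.unpack(TAG_FMT, frame[:TAG_LEN])
    return Tag(d, src_vif, dst_vif), frame[TAG_LEN:]


def adapter_tag_egress(src_vif: int, eth_frame: bytes) -> bytes:
    """Adapter side: virtualize an egress frame by tagging it with its source VIF and d=0."""
    return encode_tag(Tag(0, src_vif, VIF_UNSET)) + eth_frame


@dataclass(frozen=True)
class Policy:
    """Default deny: a frame is forwarded only if (src_vif, dst_vif) is explicitly allowed."""
    allowed: FrozenSet[Tuple[int, int]]

    def allows(self, src_vif: int, dst_vif: int) -> bool:
        return (src_vif, dst_vif) in self.allowed


def switch_enforce(frame: bytes, fwd_table: Dict[bytes, int], policy: Policy) -> Optional[bytes]:
    """Virtual interface switch: police the source VIF, then drop or retag for delivery.

    Returns the frame retagged with d=1 and dst_vif, or None when the frame is dropped.
    """
    tag, eth_frame = decode_tag(frame)
    if tag.d != 0:
        return None                       # only adapter->switch frames are policed here
    dst_vif = fwd_table.get(eth_frame[:MAC_LEN])
    if dst_vif is None:
        return None                       # unknown destination: no delivery path
    if not policy.allows(tag.src_vif, dst_vif):
        return None                       # policy violation: denied access to destination
    return encode_tag(Tag(1, tag.src_vif, dst_vif)) + eth_frame


def adapter_deliver_ingress(frame: bytes, local_vifs: FrozenSet[int]) -> Optional[Tuple[int, bytes]]:
    """Adapter side: read dst_vif from a d=1 frame and hand the payload to that local VIF."""
    tag, eth_frame = decode_tag(frame)
    if tag.d != 1 or tag.dst_vif not in local_vifs:
        return None
    return tag.dst_vif, eth_frame


def run_scenario() -> Dict[int, int]:
    """Constructed scenario: VIF 1 may reach VIF 4, VIF 2 may not, VIF 3 targets an unknown host.

    Returns {src_vif: dst_vif} for the frames that were actually delivered.
    """
    mac = {4: b"\x02\x00\x00\x00\x00\x04", 7: b"\x02\x00\x00\x00\x00\x07"}
    fwd_table = {m: vif for vif, m in mac.items()}          # dst MAC -> dst_vif
    policy = Policy(frozenset({(1, 4), (1, 7), (2, 7)}))    # permitted (src_vif, dst_vif)
    local_vifs = frozenset(range(1, 10))                     # VIFs behind the receiving adapter

    egress = [
        adapter_tag_egress(1, mac[4] + b"\x02\x00\x00\x00\x00\x01" + b"hello"),   # allowed
        adapter_tag_egress(2, mac[4] + b"\x02\x00\x00\x00\x00\x02" + b"probe"),   # denied
        adapter_tag_egress(3, b"\x02\x00\x00\x00\x00\x63" + b"\x02" * 6 + b"x"),  # unknown dst
    ]
    delivered: Dict[int, int] = {}
    for f in egress:
        out = switch_enforce(f, fwd_table, policy)
        if out is None:
            continue                      # dropped by the switch
        hit = adapter_deliver_ingress(out, local_vifs)
        if hit is not None:
            delivered[decode_tag(out)[0].src_vif] = hit[0]
    return delivered
```

Because every frame carries its originating VIF, the switch needs no knowledge of the terminating nodes themselves; changing which interfaces may talk to which is a change to the `Policy` set on the intermediate device only, which is the operational point the passage above makes.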
- FIGS. 8 a , 8 b and 8 c are block diagrams illustrating example communication networks in which embodiments may be applied.
- as shown in FIG. 8 , what is taught through the embodiments described above may be implemented with existing virtualization software.
- the direct DMA “hypervisor” interfaces are leveraged through inserting “src_vif” on egress frames and distributing ingress frames based on “dst_vif.”
- Embodiments in FIG. 8 may support local and remote virtual interface switches. Local switches may be supported with “softswitch” and remote switches with “hardswitch.”
- FIG. 9 shows a diagrammatic representation of a machine in the example form of a computer system 900 within which a set of instructions for causing the machine to perform any one or more of the methodologies discussed herein may be executed.
- the machine operates as a standalone device or may be connected (e.g., networked) to other machines.
- the machine may operate in the capacity of a server or a client machine in a server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.
- the machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
- the example computer system 900 includes a processor 902 (e.g., a central processing unit (CPU), a graphics processing unit (GPU) or both), a main memory 904 and a static memory 906 , which communicate with each other via a bus 908 .
- the computer system 900 may further include a video display unit 910 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)).
- the computer system 900 also includes an alphanumeric input device 912 (e.g., a keyboard), a user interface (UI) navigation device 914 (e.g., a mouse), a disk drive unit 916 , a signal generation device 918 (e.g., a speaker) and a network interface device 920 .
- the disk drive unit 916 includes a machine-readable medium 922 on which is stored one or more sets of instructions and data structures (e.g., software 924 ) embodying or utilized by any one or more of the methodologies or functions described herein.
- the software 924 may also reside, completely or at least partially, within the main memory 904 and/or within the processor 902 during execution thereof by the computer system 900 , the main memory 904 and the processor 902 also constituting machine-readable media.
- the software 924 may further be transmitted or received over a network 926 via the network interface device 920 utilizing any one of a number of well-known transfer protocols (e.g., FTP).
- while the machine-readable medium 922 is shown in an example embodiment to be a single medium, the term “machine-readable medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions.
- the term “machine-readable medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present invention, or that is capable of storing, encoding or carrying data structures utilized by or associated with such a set of instructions.
- the term “machine-readable medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical and magnetic media, and carrier wave signals.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/927,317 US9270594B2 (en) | 2007-06-01 | 2007-10-29 | Apparatus and method for applying network policy at virtual interfaces |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US94151007P | 2007-06-01 | 2007-06-01 | |
US11/927,317 US9270594B2 (en) | 2007-06-01 | 2007-10-29 | Apparatus and method for applying network policy at virtual interfaces |
Publications (2)
Publication Number | Publication Date |
---|---|
US20080301759A1 US20080301759A1 (en) | 2008-12-04 |
US9270594B2 true US9270594B2 (en) | 2016-02-23 |
Family
ID=40089819
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/927,317 Active 2032-12-10 US9270594B2 (en) | 2007-06-01 | 2007-10-29 | Apparatus and method for applying network policy at virtual interfaces |
Country Status (1)
Country | Link |
---|---|
US (1) | US9270594B2 (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8667482B2 (en) * | 2007-08-10 | 2014-03-04 | Microsoft Corporation | Automated application modeling for application virtualization |
US8646090B1 (en) * | 2007-10-03 | 2014-02-04 | Juniper Networks, Inc. | Heuristic IPSec anti-replay check |
US8036106B1 (en) | 2007-10-31 | 2011-10-11 | World Wide Packets, Inc. | Distributed control packet transmission |
US8144574B1 (en) * | 2007-10-31 | 2012-03-27 | World Wide Packets, Inc. | Distributed control packet processing |
US8254381B2 (en) * | 2008-01-28 | 2012-08-28 | Microsoft Corporation | Message processing engine with a virtual network interface |
KR101377462B1 (en) * | 2010-08-24 | 2014-03-25 | 한국전자통신연구원 | Automated Control Method And Apparatus of DDos Attack Prevention Policy Using the status of CPU and Memory |
US8959569B2 (en) * | 2011-03-18 | 2015-02-17 | Juniper Networks, Inc. | Security enforcement in virtualized systems |
US9185056B2 (en) | 2011-09-20 | 2015-11-10 | Big Switch Networks, Inc. | System and methods for controlling network traffic through virtual switches |
US9503397B2 (en) | 2013-01-15 | 2016-11-22 | International Business Machines Corporation | Applying a client policy to a group of channels |
US10599856B2 (en) | 2017-06-07 | 2020-03-24 | International Business Machines Corporation | Network security for data storage systems |
US11057432B2 (en) * | 2018-04-10 | 2021-07-06 | Nutanix, Inc. | Creation of security policies using a visual approach |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7366784B2 (en) * | 2001-11-27 | 2008-04-29 | Hitachi, Ltd. | System and method for providing and using a VLAN-aware storage device |
US20080240113A1 (en) * | 2007-03-26 | 2008-10-02 | Carmi Arad | System and method of modifying data packet tags |
US7451203B2 (en) * | 2003-12-22 | 2008-11-11 | Hewlett-Packard Development Company, L.P. | Method and system for communicating between a management station and at least two networks having duplicate internet protocol addresses |
US20090083445A1 (en) * | 2007-09-24 | 2009-03-26 | Ganga Ilango S | Method and system for virtual port communications |
Also Published As
Publication number | Publication date |
---|---|
US20080301759A1 (en) | 2008-12-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: NUOVA SYSTEMS, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RIVERS, JAMES PAUL;KODEBOYINA, CHAITANYA;GADDE, RAVI KUMAR;REEL/FRAME:020731/0483. Effective date: 20080328 |
| AS | Assignment | Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NUOVA SYSTEMS, INC.;REEL/FRAME:027165/0432. Effective date: 20090317 |
| AS | Assignment | Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NUOVA SYSTEMS, INC.;REEL/FRAME:027171/0181. Effective date: 20090317 |
| AS | Assignment | Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA. Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE RECORDING OF APP. NO. 11/972,317, PREVIOUSLY RECORDED ON REEL 027165 FRAME 0432. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:NUOVA SYSTEMS, INC.;REEL/FRAME:027328/0179. Effective date: 20090317 |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 4 |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 8 |