Abstract: One embodiment of the present invention provides a system that provides heterogeneous resources for client systems. During operation, the system maintains a stateful resource database that tracks heterogeneous resources in a given environment. The system receives requests from client systems, and in response to the requests searches for a heterogeneous resource in the stateful resource database that matches the request. If the system finds an available heterogeneous resource that matches the request, it proceeds to submit the request to the resource. Maintaining and using the stateful resource database facilitates efficiently sharing scarce heterogeneous resources across a number of client systems.

Abstract: A method for securing a commercial grid network over non-trusted routes involves receiving, by an administrative node in the commercial grid network, a lease request from a client to lease one of multiple resource nodes in the commercial grid network, wherein the client is separated from the resource node by a non-trusted route. The method further involves transmitting, by the administrative node, a network security key associated with the client to the resource node, storing, by the resource node, the network security key in a network security key repository specific to the resource node, establishing, by the resource node, a secure network tunnel over the non-trusted route using the network security key, transmitting a network packet securely between the client and the resource node over the secure network tunnel, and destroying, by the resource node, the secure network tunnel when a lease term associated with the client and the resource node expires.

Abstract: One embodiment of the present invention provides a system that buffers data inside of a byte-stream protocol at a transport layer on a client, which is receiving the data from an external source. The system operates by receiving a configuration parameter at the transport layer from an application executing on the client, wherein the configuration parameter specifies a condition upon which data buffered at the transport layer is to be sent to the application. The system then buffers data destined for the application at the transport layer on the client, and sends the buffered data to the application when the condition specified by the configuration parameter is met. Buffering data at the transport layer on the client facilitates more efficient processing of system calls.

Abstract: A method for processing a packet includes receiving the packet in a network interface card (NIC), obtaining a first classification for the packet, placing the packet in one of a first plurality of receive rings based on the first classification, obtaining a security association (SA) from one of a plurality of security association database (SADB) partitions, decrypting the packet using the SA, obtaining a security policy (SP) from one of a plurality of security policy database (SPD) partitions, determining an admittance of the packet based on the SP, obtaining a second classification for the packet based on the admittance, placing the packet in one of a second plurality of receive rings based on the second classification, and sending the packet to a host operatively connected to the NIC, wherein the packet is further processed by the host.

Abstract: A network interface card (NIC) includes a security association database (SADB) comprising a plurality of security associations (SAs), a cryptographic offload engine configured to decrypt a packet using one of the plurality of SAs, a security policy database (SPD) comprising a plurality of security policies (SPs) and a plurality of filter policies, and a policy engine configured to determine an admittance of the packet using one of the plurality of SPs from the SPD and apply one of the plurality of filter policies to the packet.

Abstract: A method for securing a commercial grid network involves receiving a lease request from a client to lease a computing resource selected from multiple computing resources in the commercial grid network, mapping a unique identifier of the client to a security label selected from multiple unmapped security labels to obtain a client-label mapping based on the lease request, mapping a unique identifier of the computing resource to the security label to obtain a resource-label mapping based on the lease request, storing the client-label mapping and the resource-label mapping in a security label repository to obtain stored security label mappings, and authenticating, by the commercial grid network, an access request from the client to the computing resource using the stored security label mappings.

Abstract: A method for implementing a security protocol, involving receiving a packet from a network connection, obtaining an identifier for one of a plurality of security association database (SADB) partitions associated with the packet, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, applying a security association from the one of the plurality of SADB partitions to the packet, and sending the packet to the one of the plurality of packet destinations associated with the SADB partition, wherein the packet is processed at the one of the plurality of packet destinations.

Abstract: A method for obtaining a capability from a network interface card (NIC), involving sending a query to the NIC for the capability, obtaining the capability from the NIC in response to the query, sending the capability to a virtual NIC, and sending the capability from the virtual NIC to a virtual network stack associated with the virtual NIC, wherein the capability is used by the virtual network stack to process packets.

Abstract: One embodiment of the present invention provides a system that specifies a MAC identifier for a network-interface-device in a computing device. In this system, the network-interface-device is configured to connect to a network though a port. During operation, the network-interface-device receives data packets through this port, and accepts a data packet if the data packet contains a destination that matches the MAC identifier for the network-interface-device, which can be a universally-administered MAC identifier. The system is also configured to determine whether the network-interface-device supports one or more additional MAC identifiers. If so, the system adds and activates an additional MAC identifier. By activating the newly-added MAC identifier in the computing device, the system allows the network-interface-device to logically separate data packets based on MAC identifiers.

Abstract: A method for configuring a network on a host includes obtaining a first virtual network stack and a second virtual network stack on the host, configuring a first transport layer implementation on the first virtual network stack, configuring a second transport layer implementation on the second virtual network stack, receiving a packet by the host, sending a packet to the first virtual network stack, and processing the packet using the first transport layer implementation.

Abstract: A method for routing a packet. The method includes receiving the packet from a first network into a network interface card (NIC), where the NIC is operatively connected to a host and the host includes a first virtual network stack and a second virtual network stack. The method further includes sending the packet to a first virtual network stack, where the first virtual network stack includes a first filter, a first network layer, and a first transport layer. In addition, the first filter, the first network layer, and the first transport layer are isolated from the second virtual network stack. If the packet is permitted through the first filter in the first virtual network stack, then the packet is sent to a first virtual NIC.

Abstract: A method for timestamping data packets from a network involves receiving a first data packet from the network, obtaining, from a clock, a timestamp indicating an arrival time of the first data packet, where a network interface controller (NIC) includes the clock, providing the timestamp and the first data packet to a client operatively connected to the NIC, computing a network property using the timestamp, selecting a network protocol based on the network property, and transmitting a second data packet via the NIC using the network protocol.

Abstract: In general, the invention relates to a method for managing a network connection. The method includes receiving a request for the network connection from a host, where the network connection is associated with an overlay network. The method further includes sending, in response to the request, a first available bandwidth per flow to the host, and receiving packets from the host. The packets received from the host are associated with the network connection and the initial packet transmission rate of the packets over the network connection is based on the first available bandwidth per flow. Further, the first available bandwidth per flow is obtained by probing a first router in the overlay network to obtain a first available bandwidth associated with the first router.

Abstract: In general, the invention relates to a method for sending a packet from an application to a destination. The method includes opening a network connection between the application and the destination, tuning at least one layer in a network stack, based on application information associated with the application, to obtain a tuned network stack, wherein the network stack is associated with the network connection, receiving the packet from the application, processing the packet using the tuned network stack to obtain a processed packet, and sending the processed packet to the destination, wherein the processed packet is received by the destination.

Abstract: A method for optimizing a network stack includes inputting network information into a transport protocol algorithm selector, inputting a first transport protocol algorithm into the transport protocol algorithm selector, analyzing a result of the transport protocol algorithm selector, selecting the first transport protocol algorithm based on the result, receiving a first packet in the network stack, and processing the first packet using the first transport protocol algorithm.

Abstract: In general, the invention relates to a method for classifying an application. The method includes receiving, at a kernel, a plurality of packets from the application, wherein the application is executing outside of the kernel, obtaining a first measurement from the plurality of packets associated with a first parameter using a first internal estimator in the kernel, applying a first statistical technique to the first measurement to generate a first estimate of the first parameter, and obtaining a classification of the application based on the first estimate. Further, the classification of the application is used to optimize a network connection associated with the application.

Abstract: A method for managing a network connection includes establishing the network connection between an application and a packet destination, wherein the network connection comprises a plurality of paths, receiving a plurality of packets from the application on the network connection, wherein the plurality of packets is associated with the network connection, and wherein the plurality of packets comprises data from the application, obtaining a distribution of the plurality of packets among the plurality of paths by a master transport protocol module, wherein each of the plurality of paths is associated with one of a plurality of transport protocol modules, and transmitting, based on the distribution, the plurality of packets over the plurality of paths using the plurality of transport protocol modules, wherein each of the plurality of transport protocol modules implements one of a plurality of congestion control algorithms, wherein the plurality of packets are received at the packet destination.

Abstract: A method for using offloaded transport layer protocols involves signaling a network interface controller (NIC) with a signal to use one of multiple transport layer protocols embedded in the NIC, and transmitting a data packet via the NIC using the transport layer protocol.

Abstract: A method for testing a network topology. The method includes obtaining the network topology, where the network topology includes a number of nodes connected by at least one link. The method further includes instantiating a number of containers corresponding to the nodes, instantiating a number of virtual network stacks, and instantiating at least one virtual switch corresponding to the at least one link. The containers are subsequently connected to the virtual network stacks using the at least one virtual switch. At least one of the virtual network stacks is then configured to send and receive packets. Finally, the network topology is tested by sending a packet through at least one of the plurality of virtual network stacks and the at least one virtual switch, wherein a result of the testing is used to validate the network topology.

Abstract: One embodiment of the present invention provides a system that facilitates buffering data at a kernel in a computer system, wherein the data is buffered based on the structure of a message contained in the data. The system operates by receiving data at a computer system from an external source. Next, the system buffers the data at a kernel on the computer system. As the system buffers the data, the system also determines if the buffered data constitutes a complete message as defined by a communication protocol. If so, the system forwards the buffered data to an application on the computer system.