Abstract: A system and method for massively multi-core computing are provided. A method for computer management includes determining if there is a need to allocate at least one first resource to a first plane. If there is a need to allocate at least one first resource, the at least one first resource is selected from a resource pool based on a set of rules and allocated to the first plane. If there is not a need to allocate at least one first resource, it is determined if there is a need to de-allocate at least one second resource from a second plane. If there is a need to de-allocate at least one second resource, the at least one second resource is de-allocated. The first plane includes a control plane and/or a data plane and the second plane includes the control plane and/or the data plane. The resources are unchanged if there is not a need to allocate at least one first resource and if there is not a need to de-allocate at least one second resource.

Abstract: A computer system that communicates cryptographic resource utilization information while processing data packets is described. During operation, the system receives a first data packet and generates a second data packet by performing a cryptographic transformation on the first data packet. Next, the system appends auxiliary information to the second data packet. This auxiliary information includes information associated with cryptographic resource utilization during the cryptographic transformation. Then, the system provides the second data packet including the auxiliary information.

Abstract: A method for obtaining a capability from a network interface card (NIC), involving sending a query to the NIC for the capability, obtaining the capability from the NIC in response to the query, sending the capability to a virtual NIC, and sending the capability from the virtual NIC to a virtual network stack associated with the virtual NIC, wherein the capability is used by the virtual network stack to process packets.

Abstract: A computer readable medium comprising software instructions for managing resources on a host, wherein the software instructions comprise functionality to: configure a classifier located on a NIC, to forward packets addressed to a first destination address to a first HRR mapped to a first VNIC, wherein packets addressed to the first destination address are associated with a first PFC lane; configure the classifier to forward packets addressed to a second destination address to a second HRR, wherein packets addressed to the second destination address are associated with a second PFC lane; and transmit, by the first VNIC, a pause frame associated with the first PFC lane to a switch operatively connected to the physical NIC, wherein the switch, in response to receiving the pause frame, stores packets associated with the first PFC lane in a buffer without transmitting the packets.

Abstract: A method for implementing a security protocol, involving receiving a packet from a network connection, obtaining an identifier for one of a plurality of security association database (SADB) partitions associated with the packet, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, applying a security association from the one of the plurality of SADB partitions to the packet, and sending the packet to the one of the plurality of packet destinations associated with the SADB partition, wherein the packet is processed at the one of the plurality of packet destinations.

Abstract: A method for processing a request for a cryptographic function that includes calling into a user-level encryption framework to process the request, wherein calling into the encryption framework comprises sending the request from a user-level application, and processing the request and returning a result to the user-level application, wherein processing the request includes selecting a user-level cryptographic provider from available user-level providers and processing the request using the user-level cryptographic provider selected from the available user-level providers, if the request comprises a metaslot provider request, and selecting the user-level cryptographic provider specified in the request and processing the request using the specified user-level cryptographic provider, if the request is not the metaslot provider request.

Abstract: A method for notifying a packet destination that includes receiving a packet by a network interface card (NIC), where the packet destination is a destination of the packet, classifying the packet, forwarding the packet to one of a plurality of receive rings on the NIC, determining whether the one of the plurality of receive rings comprises space to store the packet, dropping the packet if the receive ring does not comprise the space to store the packet, and sending a notification message to the packet destination, where the notification message indicates that the packet was dropped by the receive ring.

Abstract: A method for securing a commercial grid network involves receiving a lease request from a client to lease a computing resource selected from multiple computing resources in the commercial grid network, mapping a unique identifier of the client to a security label selected from multiple unmapped security labels to obtain a client-label mapping based on the lease request, mapping a unique identifier of the computing resource to the security label to obtain a resource-label mapping based on the lease request, storing the client-label mapping and the resource-label mapping in a security label repository to obtain stored security label mappings, and authenticating, by the commercial grid network, an access request from the client to the computing resource using the stored security label mappings.

Abstract: A method for notifying a packet destination that includes receiving a packet by a network interface card (NIC), where the packet destination is a destination of the packet, classifying the packet, forwarding the packet to one of a plurality of receive rings on the NIC, determining whether the one of the plurality of receive rings comprises space to store the packet, dropping the packet if the receive ring does not comprise the space to store the packet, and sending a notification message to the packet destination, where the notification message indicates that the packet was dropped by the receive ring.

Abstract: A system for processing encrypted SSL sessions includes a web application, a secure sockets layer socket, a TCP/IP stack network layer device. The secure sockets layer socket is coupled between the web application and the TCP/IP stack network layer device. The system also includes an Ethernet device. The TCP/IP stack network layer device is coupled to the Ethernet device. The system also includes a SSL kernel, a kernel SSL interface coupled between the kernel SSL module and the TCP/IP stack network layer device and a crypto subsystem coupled to the kernel SSL module. A method for processing encrypted SSL sessions is also described.

Abstract: A method for processing packets that includes receiving a first packet for a first virtual machine by a network interface card (NIC), classifying the first packet using a hardware classifier, where the hardware classifier is located on the NIC, sending the first packet to a first one of a plurality of receive rings based on the classification, sending the first packet from the first one of the plurality of receive rings to a first virtual network interface card (VNIC), sending the first packet from the first VNIC to a first interface, and sending the first packet from the first interface to the first virtual machine, where the first virtual machine is associated with the first interface, where the first VNIC and the first virtual machine are executing on a host.

Abstract: A network interface card (NIC) includes a security association database (SADB) comprising a plurality of security associations (SAs), a cryptographic offload engine configured to decrypt a packet using one of the plurality of SAs, a security policy database (SPD) comprising a plurality of security policies (SPs) and a plurality of filter policies, and a policy engine configured to determine an admittance of the packet using one of the plurality of SPs from the SPD and apply one of the plurality of filter policies to the packet.

Abstract: A method for processing packets, where the method includes programming a hardware classifier in a network interface card (NIC) to send packets associated with a first packet destination to a non-standby hardware receive ring (HRR), programming a software ring to obtain packets from the non-standby HRR, programming the software ring to send packets for the first destination to a first software receive ring (SRR), wherein the first packet destination is associated with the first SRR, obtaining identifying information about a packet associated with a denial of service (DoS) attack, programming the hardware classifier, using the identifying information, to send the packet associated with the DoS attack to a standby HRR, and for each packet received by the hardware classifier determining to which of the standby HRR and the non-standby HRR to send the packet using the programming of the hardware classifier.

Abstract: In general, the invention relates to a creating a network model on a host. The invention includes: gathering first component properties associated with a first physical network device on a target network; creating a first container using first component properties; determining that a second physical network device is operatively connected to the first physical network device via a physical network link; gathering second component properties associated with the physical network link; creating a first VNIC associated with the first container; determining that at least one virtual network device is executing on the second physical network device; gathering third component properties associated with the at least one virtual network device; creating a second container, wherein the second container is configured using the third component properties; and creating a second VNIC associated with the second container.

Abstract: A system and method for providing network connectivity to a host, involving creating a virtual switch on the host, specifying at least one data link attribute of the virtual switch, creating a plurality of virtual network interface cards (VNICs) on the host, associating each of the plurality of VNICs with the virtual switch, and assigning the at least one data link attribute of the virtual switch to each of the plurality of VNICs, where the virtual switch is connected to a physical network interface card (NIC) associated with the host, where each of the plurality of VNICs is associated with a different one of a plurality of execution environments, where the plurality of execution environments is located on the host, and where the plurality of VNICs is located on the host.

Abstract: A method for changing network configuration parameters that includes generating a request to change a network configuration parameter by a user, determining whether the user is allowed to change the network configuration parameter using a network configuration database, if the user is allowed to change the network configuration parameter, updating the network configuration database to reflect the change in the network configuration parameter, updating a container associated with the network configuration parameter to reflect the change in the configuration parameter, and if the user is not allowed to change the network configuration parameter, dropping the request.

Abstract: A method for processing a packet that includes receiving the packet where the packet comprises a header, and traversing a flow table comprising a plurality of flow table entries (FTEs) for each FTE encountered during the traversal, obtaining a packet matching function associated with the FTE, applying the packet matching function associated with the FTE to the header to determine whether the packet matches the FTE, if the packet matches the FTE, send the packet to one selected from the group consisting of one of a plurality of receive rings (RRs) and a first sub-flow table, where the first sub-flow table is associated with the FTE, stopping the traversal of the flow table, and if the packet does not match the FTE continue the traversal of the flow table.

Abstract: A computer readable medium comprising software instructions for managing resources on a host, wherein the software instructions comprise functionality to: configure a classifier located on a NIC, to forward packets addressed to a first destination address to a first HRR mapped to a first VNIC, wherein packets addressed to the first destination address are associated with a first PFC lane; configure the classifier to forward packets addressed to a second destination address to a second HRR, wherein packets addressed to the second destination address are associated with a second PFC lane; and transmit, by the first VNIC, a pause frame associated with the first PFC lane to a switch operatively connected to the physical NIC, wherein the switch, in response to receiving the pause frame, stores packets associated with the first PFC lane in a buffer without transmitting the packets.

Abstract: Apparatus, methods and computer program products are disclosed for specifying a MAC identifier for a network-interface-device that includes multiple universally administered MAC identifiers and connects to a network through a port. The network-interface-device accepts data packets received through the port if the data packets contain a destination address that matches any active MAC identifier. The method includes reserving a first and second universally administered MAC identifiers from the available universally administered MAC identifiers. The first universally administered MAC identifier and the second universally administered MAC identifier are respectively associated with a first and second resource of the network-interface-device. The MAC identifier is assigned to one of the first or second resource and activated. Other aspects include apparatus logics and program products that perform the method.

Abstract: A method for migrating a virtual machine executing on a host. The method involves monitoring, by a monitoring agent connected to a device driver, hosts in a network, wherein the device driver is connected to a network interface card, determining a virtual machine to be migrated based on a virtual machine policy, sending, by the host, a request to migrate to at least one of a plurality of target hosts in the network, receiving an acceptance to the request to migrate from at least one of the plurality of target hosts, determining, by the monitoring agent, a chosen target host to receive the virtual machine based on a migration policy, wherein the chosen target host is one of the at least one target hosts that sent the acceptance, sending a confirmation and historical information to the chosen target host, and migrating the virtual machine to the chosen target host.