Abstract: A method for bandwidth control on a network interface card (NIC), the method that includes initiating a current time period, receiving a plurality of incoming packets for a receive ring, populating, by a NIC, the receive ring with the plurality of incoming packets according to a size of the receive ring during the current time period, wherein the size of the receive ring is based on an allocated bandwidth for the receive ring, and sending, by the NIC, the plurality of incoming packets to a host when a duration of the current time period elapses, wherein the duration is based on the allocated bandwidth for the receive ring.

Abstract: A method for indicating bandwidth for a virtual network interface card (NIC) includes receiving a bandwidth trigger for a bandwidth of a first virtual NIC operatively connected to a NIC, wherein the NIC is associated with a network bandwidth, obtaining a bandwidth allocation stored in the first virtual NIC in response to the bandwidth trigger, wherein the bandwidth allocation corresponds to the bandwidth of the first virtual NIC, and wherein the bandwidth allocation corresponds to a portion of the network bandwidth, and returning the bandwidth allocation to a component associated with the virtual NIC.

Abstract: A method is disclosed that includes assigning a portion of network hardware resources of a host to a virtual network interface card (VNIC), and configuring a virtual machine network stack (VMNS) in a virtual machine (VM) bound to the VNIC to use the portion of network hardware resources assigned to the VNIC. The method also includes performing a modification to the portion of network hardware resources, and automatically reconfiguring the VMNS to adapt to the modification.

Abstract: A computer system that forwards data packets is described. During operation, the system receives a data packet on a first interface and classifies the data packet to determine a corresponding destination. This classification is based on dynamically configured classification rules that include multiple attributes corresponding to multiple layers in an Open System Interconnect (OSI) Reference model. Then, the system provides the data packet on a second interface corresponding to the destination.

Abstract: One embodiment of the present invention provides a system that provides heterogeneous resources for client systems. During operation, the system maintains a stateful resource database that tracks heterogeneous resources in a given environment. The system receives requests from client systems, and in response to the requests searches for a heterogeneous resource in the stateful resource database that matches the request. If the system finds an available heterogeneous resource that matches the request, it proceeds to submit the request to the resource. Maintaining and using the stateful resource database facilitates efficiently sharing scarce heterogeneous resources across a number of client systems.

Abstract: A method for processing packets. The method includes receiving a first packet by a first socket on a host, determining by the first socket to process the first packet using a first virtual Transmission Control Protocol offload engine (VTOE), transmitting the first packet to the first VTOE, wherein transmitting the first packet to the first VTOE bypasses a first virtual network stack interposed between the first socket and first VTOE, transmitting the first packet to a HW TOE operatively connected to the host, processing the first packet, using the HW TOE, to obtain a first processed packet; and transmitting the first processed packet to a network operatively connected to the HW TOE, where the HW TOE is associated with the first VTOE and a second VTOE in the host.

Abstract: A method for receiving incoming packets associated with a virtual Local Area Network (VLAN) includes receiving an incoming packet, classifying the incoming packet based on a VLAN tag embedded in the incoming packet, wherein the VLAN tag corresponds to the VLAN, and passing the incoming packet to a virtual network interface card (NIC) based on the VLAN tag.

Abstract: A method and system for capturing and reporting debug information regarding data transport failures in a multi-level secure operating environment. A process available only to a trusted system administrator is activated causing probe activation. The data transport command is repeated. The process probes the locations where the data packets move across environment boundaries of the secure network. When the data stops being transported, the process captures the relevant information on the type of failure, its cause, the address where it occurred and the possible consequence. The captured information can then be displayed to an appropriately credentialed administrator through a password-protected command for debug. The probes are then deactivated.

Abstract: A method for testing a network topology. The method includes obtaining the network topology, where the network topology includes a number of nodes connected by at least one link. The method further includes instantiating a number of containers corresponding to the nodes, instantiating a number of virtual network stacks, and instantiating at least one virtual switch corresponding to the at least one link. The containers are subsequently connected to the virtual network stacks using the at least one virtual switch. At least one of the virtual network stacks is then configured to send and receive packets. Finally, the network topology is tested by sending a packet through at least one of the plurality of virtual network stacks and the at least one virtual switch, wherein a result of the testing is used to validate the network topology.

Abstract: A method for securing a commercial grid network over non-trusted routes involves receiving, by an administrative node in the commercial grid network, a lease request from a client to lease one of multiple resource nodes in the commercial grid network, wherein the client is separated from the resource node by a non-trusted route. The method further involves transmitting, by the administrative node, a network security key associated with the client to the resource node, storing, by the resource node, the network security key in a network security key repository specific to the resource node, establishing, by the resource node, a secure network tunnel over the non-trusted route using the network security key, transmitting a network packet securely between the client and the resource node over the secure network tunnel, and destroying, by the resource node, the secure network tunnel when a lease term associated with the client and the resource node expires.

Abstract: A system including a network interface card (NIC) associated with a Media Access Control (MAC) address and a host operatively connected to the NIC. The NIC includes a default hardware receive ring (HRR), a plurality of non-default HRRs, and a hardware classifier. The hardware classifier is configured to analyze an inbound packet using a destination Internet Protocol (IP) address and to send the inbound packet to one of the plurality of non-default HRRs if the inbound packet is a unicast packet, and to send the packet to the default HRR if the inbound packet is an inbound multi-recipient packet. The host includes a plurality of virtual NICs (VNICs) and an inbound software classifier, that includes a plurality of software receive rings (SRRs) and is configured to obtain inbound packets from the default HRR, and to determine to which of the plurality of SRRs to send a copy of the packet.

Abstract: A method for virtualizing a network interface card includes creating a first plurality of virtual NICs, assigning each of a plurality of receive rings on the network interface card (NIC) to one of the first plurality of virtual NICs, and if the number of virtual NICs is greater than the number of receive rings on the NIC, creating a first software ring corresponding to one of the plurality of receive rings on the NIC, creating a first plurality of software receive rings associated with the first software ring, creating a second plurality of virtual NICs, and assigning each of the first plurality of software receive rings to one of the second plurality of virtual NICs, wherein the plurality of receive rings is less than a sum of the first plurality of virtual NICs and the second plurality of virtual NICs.

Abstract: A method for processing packets. The method includes receiving a first packet by a first socket on a host, determining by the first socket to process the first packet using a first virtual Transmission Control Protocol offload engine (VTOE), transmitting the first packet to the first VTOE, wherein transmitting the first packet to the first VTOE bypasses a first virtual network stack interposed between the first socket and first VTOE, transmitting the first packet to a HW TOE operatively connected to the host, processing the first packet, using the HW TOE, to obtain a first processed packet; and transmitting the first processed packet to a network operatively connected to the HW TOE, where the HW TOE is associated with the first VTOE and a second VTOE in the host.

Abstract: A method for processing packets. The method includes receiving a first packet by a network interface card (NIC) from a network, determining, using a first classification level, a first receive ring group (RRG) for the first packet, determining, using a second level classification, a first receive ring (RR) in the first RRG for the first packet, sending the first packet to the first RR, and sending the first packet from the first RR to a host operatively connected to the network interface card, wherein the first packet is received by a first virtual network interface card (VNIC) associated with the first RRG, where the first RRG is located in the NIC.

Abstract: A system includes a first and a second network component, and a bridge. The bridge, which resides a Media Access Control (MAC) layer of a host, includes a bridge component, a first virtual network interface card (VNIC) and a second VNIC, wherein the first VNIC is associated with the first network component and the second VNIC is associated with the second network component. Further, the bridge component is configured to send packets received from the first network component to the second network component and to send packets received from the second network component to the first network component.

Abstract: A method for dynamically changing a virtual network interface card (VNIC) binding. If the use of a hardware receive ring (HRR) is below the first threshold and the use of the software receive ring (SRR) is above the second threshold, then: binding the first VNIC to the SRR and the second VNIC to the HRR, removing the binding from the first VNIC to the HRR, removing the binding from the second VNIC to the SRR, and reprogramming a hardware classifier to send packets associated with the r VNIC to a second HRR and to send packets associated with the second VNIC to the HRR, reprogramming a software classifier to send packets associated with the first VNIC to the SRR, wherein the software classifier is associated with a soft ring (SR) and the SR is configured to obtain packets from the second HRR.

Abstract: A method for bandwidth control on a network interface card (NIC), the method that includes initiating a current time period, receiving a plurality of incoming packets for a receive ring, populating, by a NIC, the receive ring with the plurality of incoming packets according to a size of the receive ring during the current time period, wherein the size of the receive ring is based on an allocated bandwidth for the receive ring, and sending, by the NIC, the plurality of incoming packets to a host when a duration of the current time period elapses, wherein the duration is based on the allocated bandwidth for the receive ring.

Abstract: In general, the invention relates to a method for processing packets. The method includes receiving a first packet by a network interface card (NIC) connected to a host, classifying the first packet using a classifier, sending the first packet to a receive ring based on a classification of the first packet by the classifier, and sending the first packet from the receive ring to a first virtual network interface card (VNIC) located on the host. The method further includes determining, using a first policy associated with the first VNIC, whether to process the first packet using offload hardware. When the first packet is to be processed using the offload hardware, the method includes sending the first packet to the offload hardware, receiving a first processed packet from the offload hardware by the first VNIC and sending the first processed packet from the first VNIC to a first packet destination.

Abstract: One embodiment of the present invention provides a system that provides heterogeneous resources for client systems. During operation, the system maintains a stateful resource database that tracks heterogeneous resources in a given environment. The system receives requests from client systems, and in response to the requests searches for a heterogeneous resource in the stateful resource database that matches the request. If the system finds an available heterogeneous resource that matches the request, it proceeds to submit the request to the resource. Maintaining and using the stateful resource database facilitates efficiently sharing scarce heterogeneous resources across a number of client systems.

Abstract: A method for securing a commercial grid network over non-trusted routes involves receiving, by an administrative node in the commercial grid network, a lease request from a client to lease one of multiple resource nodes in the commercial grid network, wherein the client is separated from the resource node by a non-trusted route. The method further involves transmitting, by the administrative node, a network security key associated with the client to the resource node, storing, by the resource node, the network security key in a network security key repository specific to the resource node, establishing, by the resource node, a secure network tunnel over the non-trusted route using the network security key, transmitting a network packet securely between the client and the resource node over the secure network tunnel, and destroying, by the resource node, the secure network tunnel when a lease term associated with the client and the resource node expires.