Patents by Inventor Kais Belgaied

Kais Belgaied has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20080267177
    Abstract: A method for processing a packet includes receiving the packet in a network interface card (NIC), obtaining a first classification for the packet, placing the packet in one of a first plurality of receive rings based on the first classification, obtaining a security association (SA) from one of a plurality of security association database (SADB) partitions, decrypting the packet using the SA, obtaining a security policy (SP) from one of a plurality of security policy database (SPD) partitions, determining an admittance of the packet based on the SP, obtaining a second classification for the packet based on the admittance, placing the packet in one of a second plurality of receive rings based on the second classification, and sending the packet to a host operatively connected to the NIC, wherein the packet is further processed by the host.
    Type: Application
    Filed: April 24, 2007
    Publication date: October 30, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Darrin P. Johnson, Kais Belgaied
  • Publication number: 20080271134
    Abstract: A network interface card (NIC) includes a security association database (SADB) comprising a plurality of security associations (SAs), a cryptographic offload engine configured to decrypt a packet using one of the plurality of SAs, a security policy database (SPD) comprising a plurality of security policies (SPs) and a plurality of filter policies, and a policy engine configured to determine an admittance of the packet using one of the plurality of SPs from the SPD and apply one of the plurality of filter policies to the packet.
    Type: Application
    Filed: April 25, 2007
    Publication date: October 30, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Darrin P. Johnson, Kais Belgaied, Darren J. Reed
  • Publication number: 20080256603
    Abstract: A method for securing a commercial grid network involves receiving a lease request from a client to lease a computing resource selected from multiple computing resources in the commercial grid network, mapping a unique identifier of the client to a security label selected from multiple unmapped security labels to obtain a client-label mapping based on the lease request, mapping a unique identifier of the computing resource to the security label to obtain a resource-label mapping based on the lease request, storing the client-label mapping and the resource-label mapping in a security label repository to obtain stored security label mappings, and authenticating, by the commercial grid network, an access request from the client to the computing resource using the stored security label mappings.
    Type: Application
    Filed: April 12, 2007
    Publication date: October 16, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Darrin P. Johnson
  • Publication number: 20080240142
    Abstract: A method for obtaining a capability from a network interface card (NIC), involving sending a query to the NIC for the capability, obtaining the capability from the NIC in response to the query, sending the capability to a virtual NIC, and sending the capability from the virtual NIC to a virtual network stack associated with the virtual NIC, wherein the capability is used by the virtual network stack to process packets.
    Type: Application
    Filed: March 30, 2007
    Publication date: October 2, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Darrin P. Johnson
  • Publication number: 20080240432
    Abstract: A method for implementing a security protocol, involving receiving a packet from a network connection, obtaining an identifier for one of a plurality of security association database (SADB) partitions associated with the packet, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, applying a security association from the one of the plurality of SADB partitions to the packet, and sending the packet to the one of the plurality of packet destinations associated with the SADB partition, wherein the packet is processed at the one of the plurality of packet destinations.
    Type: Application
    Filed: March 30, 2007
    Publication date: October 2, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Darrin P. Johnson
  • Publication number: 20080151779
    Abstract: A method for configuring a network on a host includes obtaining a first virtual network stack and a second virtual network stack on the host, configuring a first transport layer implementation on the first virtual network stack, configuring a second transport layer implementation on the second virtual network stack, receiving a packet by the host, sending a packet to the first virtual network stack, and processing the packet using the first transport layer implementation.
    Type: Application
    Filed: December 20, 2006
    Publication date: June 26, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Darrin P. Johnson, Erik Nordmark, Kais Belgaied
  • Publication number: 20080155069
    Abstract: Apparatus, methods and computer program products are disclosed for specifying a MAC identifier for a network-interface-device that includes multiple universally administered MAC identifiers and connects to a network through a port. The network-interface-device accepts data packets received through the port if the data packets contain a destination address that matches any active MAC identifier. The method includes reserving a first and second universally administered MAC identifiers from the available universally administered MAC identifiers. The first universally administered MAC identifier and the second universally administered MAC identifier are respectively associated with a first and second resource of the network-interface-device. The MAC identifier is assigned to one of the first or second resource and activated. Other aspects include apparatus logics and program products that perform the method.
    Type: Application
    Filed: December 21, 2006
    Publication date: June 26, 2008
    Inventors: Rajagopal Kunhappan, Kais Belgaied, Eric T. Cheng
  • Publication number: 20080123536
    Abstract: A method for testing a network topology. The method includes obtaining the network topology, where the network topology includes a number of nodes connected by at least one link. The method further includes instantiating a number of containers corresponding to the nodes, instantiating a number of virtual network stacks, and instantiating at least one virtual switch corresponding to the at least one link. The containers are subsequently connected to the virtual network stacks using the at least one virtual switch. At least one of the virtual network stacks is then configured to send and receive packets. Finally, the network topology is tested by sending a packet through at least one of the plurality of virtual network stacks and the at least one virtual switch, wherein a result of the testing is used to validate the network topology.
    Type: Application
    Filed: November 28, 2006
    Publication date: May 29, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Darrin P. Johnson, Erik Nordmark, Kais Belgaied
  • Patent number: 7373504
    Abstract: A method for performing a cryptographic function including calling into an encryption framework to perform the cryptographic function, wherein calling into the encryption framework comprises sending a request to perform the cryptographic function from a kernel consumer, and processing the request and returning the result to the kernel consumer, wherein processing the request comprises determining whether the request is synchronous or asynchronous, and determining which cryptographic provider to use to perform the cryptographic function.
    Type: Grant
    Filed: March 18, 2004
    Date of Patent: May 13, 2008
    Assignee: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Mark C. Powers, Bhargava K. Yenduri, Nicolas G. Droux, Paul J. Sangster, Darren J. Moffat, Gary W. Winiger
  • Publication number: 20080098215
    Abstract: A computer system that communicates cryptographic resource utilization information while processing data packets is described. During operation, the system receives a first data packet and generates a second data packet by performing a cryptographic transformation on the first data packet. Next, the system appends auxiliary information to the second data packet. This auxiliary information includes information associated with cryptographic resource utilization during the cryptographic transformation. Then, the system provides the second data packet including the auxiliary information.
    Type: Application
    Filed: October 20, 2006
    Publication date: April 24, 2008
    Inventors: Kais Belgaied, Mark C. Powers, Bhargava K. Yenduri, Darrin P. Johnson
  • Publication number: 20080084866
    Abstract: A computer system that forwards data packets is described. During operation, the system receives a data packet on a first interface and classifies the data packet to determine a corresponding destination. This classification is based on dynamically configured classification rules that include multiple attributes corresponding to multiple layers in an Open System Interconnect (OSI) Reference model. Then, the system provides the data packet on a second interface corresponding to the destination.
    Type: Application
    Filed: October 10, 2006
    Publication date: April 10, 2008
    Inventors: Darrin P. Johnson, Kais Belgaied
  • Publication number: 20080043756
    Abstract: A method for changing network configuration parameters that includes generating a request to change a network configuration parameter, where the request is generated by a virtual machine, sending the request to a virtual network interface card (VNIC) associated with the virtual machine, sending the request to a VNIC configuration database associated with the VNIC, determining whether the virtual machine is allowed to change the network configuration parameter, if the virtual machine is allowed to change the network configuration parameter, updating the VNIC configuration database and VNIC to reflect the change in the network configuration parameter, and notifying the virtual machine that the change in network configuration parameter is allowed, and if the virtual machine is not allowed to change the network configuration parameter, dropping the request.
    Type: Application
    Filed: July 20, 2006
    Publication date: February 21, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Kais Belgaied, Erik Nordmark, Sunay Tripathi
  • Publication number: 20080043765
    Abstract: A method is disclosed that includes assigning a portion of network hardware resources of a host to a virtual network interface card (VNIC), and configuring a virtual machine network stack (VMNS) in a virtual machine (VM) bound to the VNIC to use the portion of network hardware resources assigned to the VNIC. The method also includes performing a modification to the portion of network hardware resources, and automatically reconfiguring the VMNS to adapt to the modification.
    Type: Application
    Filed: July 20, 2006
    Publication date: February 21, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Nicolas G. Droux, Sunay Tripathi
  • Publication number: 20080019360
    Abstract: A method for processing a packet that includes receiving the packet where the packet comprises a header, and traversing a flow table comprising a plurality of flow table entries (FTEs) for each FTE encountered during the traversal, obtaining a packet matching function associated with the FTE, applying the packet matching function associated with the FTE to the header to determine whether the packet matches the FTE, if the packet matches the FTE, send the packet to one selected from the group consisting of one of a plurality of receive rings (RRs) and a first sub-flow table, where the first sub-flow table is associated with the FTE, stopping the traversal of the flow table, and if the packet does not match the FTE continue the traversal of the flow table.
    Type: Application
    Filed: July 20, 2006
    Publication date: January 24, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Nicolas G. Droux, Sunay Tripathi
  • Publication number: 20080019274
    Abstract: A method for notifying a packet destination that includes receiving a packet by a network interface card (NIC), where the packet destination is a destination of the packet, classifying the packet, forwarding the packet to one of a plurality of receive rings on the NIC, determining whether the one of the plurality of receive rings comprises space to store the packet, dropping the packet if the receive ring does not comprise the space to store the packet, and sending a notification message to the packet destination, where the notification message indicates that the packet was dropped by the receive ring.
    Type: Application
    Filed: July 20, 2006
    Publication date: January 24, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Kais Belgaied, Sunay Tripathi
  • Publication number: 20080021985
    Abstract: A method for changing network configuration parameters that includes generating a request to change a network configuration parameter by a user, determining whether the user is allowed to change the network configuration parameter using a network configuration database, if the user is allowed to change the network configuration parameter, updating the network configuration database to reflect the change in the network configuration parameter, updating a container associated with the network configuration parameter to reflect the change in the configuration parameter, and if the user is not allowed to change the network configuration parameter, dropping the request.
    Type: Application
    Filed: July 20, 2006
    Publication date: January 24, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Erik Nordmark, Nicolas G. Droux, Sunay Tripathi, Darrin P. Johnson
  • Publication number: 20080019365
    Abstract: A method for processing packets that includes receiving a first packet for a first virtual machine by a network interface card (NIC), classifying the first packet using a hardware classifier, where the hardware classifier is located on the NIC, sending the first packet to a first one of a plurality of receive rings based on the classification, sending the first packet from the first one of the plurality of receive rings to a first virtual network interface card (VNIC), sending the first packet from the first VNIC to a first interface, and sending the first packet from the first interface to the first virtual machine, where the first virtual machine is associated with the first interface, where the first VNIC and the first virtual machine are executing on a host.
    Type: Application
    Filed: July 20, 2006
    Publication date: January 24, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Tim P. Marsland, Nicolas G. Droux, Kais Belgaied
  • Publication number: 20080002701
    Abstract: A method for virtualizing a network interface card includes creating a first plurality of virtual NICs, assigning each of a plurality of receive rings on the network interface card (NIC) to one of the first plurality of virtual NICs, and if the number of virtual NICs is greater than the number of receive rings on the NIC, creating a first software ring corresponding to one of the plurality of receive rings on the NIC, creating a first plurality of software receive rings associated with the first software ring, creating a second plurality of virtual NICs, and assigning each of the first plurality of software receive rings to one of the second plurality of virtual NICs, wherein the plurality of receive rings is less than a sum of the first plurality of virtual NICs and the second plurality of virtual NICs.
    Type: Application
    Filed: June 30, 2006
    Publication date: January 3, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Kais Belgaied
  • Publication number: 20080005360
    Abstract: A method for processing packets, where the method includes programming a hardware classifier in a network interface card (NIC) to send packets associated with a first packet destination to a non-standby hardware receive ring (HRR), programming a software ring to obtain packets from the non-standby HRR, programming the software ring to send packets for the first destination to a first software receive ring (SRR), wherein the first packet destination is associated with the first SRR, obtaining identifying information about a packet associated with a denial of service (DoS) attack, programming the hardware classifier, using the identifying information, to send the packet associated with the DoS attack to a standby HRR, and for each packet received by the hardware classifier determining to which of the standby HRR and the non-standby HRR to send the packet using the programming of the hardware classifier.
    Type: Application
    Filed: June 30, 2006
    Publication date: January 3, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Sunay Tripathi, Nicolas G. Droux
  • Publication number: 20080002703
    Abstract: A system including a network interface card (NIC) associated with a Media Access Control (MAC) address and a host operatively connected to the NIC. The NIC includes a default hardware receive ring (HRR), a plurality of non-default HRRs, and a hardware classifier. The hardware classifier is configured to analyze an inbound packet using a destination Internet Protocol (IP) address and to send the inbound packet to one of the plurality of non-default HRRs if the inbound packet is a unicast packet, and to send the packet to the default HRR if the inbound packet is an inbound multi-recipient packet. The host includes a plurality of virtual NICs (VNICs) and an inbound software classifier that includes a plurality of software receive rings (SRRs) and is configured to obtain inbound packets from the default HRR, and to determine to which of the plurality of SRRs to send a copy of the packet.
    Type: Application
    Filed: June 30, 2006
    Publication date: January 3, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Nicolas G. Droux, Kais Belgaied