Patents by Inventor Nicolas G. Droux

Nicolas G. Droux has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20100122346
    Abstract: A method for controlling a denial of service attack involves receiving a plurality of packets from a network, identifying an attacking host based on a severity level of the denial of service attack from the network, wherein the attacking host is identified by an identifying attack characteristic associated with one of the plurality of packets associated with the attacking host, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packets is forwarded, forwarding each of the plurality of packets associated with the identifying attack characteristic to one of the plurality of temporary data structures matching the severity level of the denial of service attack as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures matching the severity level by the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue.
    Type: Application
    Filed: November 3, 2009
    Publication date: May 13, 2010
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Sunay Tripathi, Nicolas G. Droux, Yuzo Watanabe
  • Patent number: 7716730
    Abstract: A method for offloading a secure protocol connection, involving establishing the secure protocol connection between a host system and a remote peer, offloading the secure protocol connection to a network interface card (NIC) to obtain an offloaded secure protocol connection, determining whether a packet is associated with the offloaded secure protocol connection, and if the packet is associated with the offloaded secure protocol connection, identifying the offloaded secure protocol connection, performing cryptographic operations on the packet using at least one secret key to obtain a processed packet, and returning a status of the processed packet to the host system.
    Type: Grant
    Filed: June 24, 2005
    Date of Patent: May 11, 2010
    Assignee: Oracle America, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Thirumalai Srinivasan
  • Patent number: 7715416
    Abstract: A method for processing packets. The method includes receiving a first packet, wherein the first packet is associated with a first protocol, classifying the first packet using a protocol associated with the first packet, sending the first packet to a first receive ring based on the classification, sending the first packet from the first receive ring to a first virtual network interface card (VNIC) based on an operating mode, sending the first packet from the first VNIC to a first protocol specific virtual network stack (VNS), wherein the first protocol specific VNS is configured to only process packets associated with the first protocol, and processing the first packet by the first protocol specific VNS to obtain a first processed packet.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: May 11, 2010
    Assignee: The Open Computing Trust 1
    Inventors: Thirumalai Srinivasan, Sunay Tripathi, Nicolas G. Droux
  • Patent number: 7697434
    Abstract: A method for controlling resource utilization of a container that includes associating the container with a virtual network stack, receiving a plurality of packets from a network, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packets is forwarded, forwarding each of the plurality of packets to one of the plurality of temporary data structures as determined by the classifier, requesting at least one packet for the one of the plurality of temporary data structures by the virtual network stack, wherein the virtual network stack is associated with the one of the plurality of temporary data structures, and forwarding the at least one packet to the virtual network stack.
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: April 13, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Nicolas G. Droux
  • Patent number: 7684423
    Abstract: A system including a network interface card (NIC) associated with a Media Access Control (MAC) address and a host operatively connected to the NIC. The NIC includes a default hardware receive ring (HRR), a plurality of non-default HRRs, and a hardware classifier. The hardware classifier is configured to analyze an inbound packet using a destination Internet Protocol (IP) address and to send the inbound packet to one of the plurality of non-default HRRs if the inbound packet is a unicast packet, and to send the packet to the default HRR if the inbound packet is an inbound multi-recipient packet. The host includes a plurality of virtual NICs (VNICs) and an inbound software classifier, that includes a plurality of software receive rings (SRRs) and is configured to obtain inbound packets from the default HRR, and to determine to which of the plurality of SRRs to send a copy of the packet.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: March 23, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Nicolas G. Droux, Kais Belgaied
  • Patent number: 7675920
    Abstract: A system that includes a network interface for receiving packets from a network, a classifier operatively connected to the network interface that analyzes each of the packets and determines to which temporary data structure to forward each of the packets, wherein the classifier analyzes each packet to determine with which of a plurality of protocols the packet is associated. Each temporary data structure within the system is configured to receive packets from the classifier, wherein each of the temporary data structures is associated with at least one virtual serialization queue and wherein each of the temporary data structures is configured to store packets associated with at least one of the plurality of protocols. The at least one virtual serialization queue is configured to queue packets from the one of the temporary data structures associated with the at least one virtual serialization queue.
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: March 9, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Eric T. Cheng
  • Patent number: 7672299
    Abstract: A method for virtualizing a network interface card includes creating a first plurality of virtual NICs, assigning each of a plurality of receive rings on the network interface card (NIC) to one of the first plurality of virtual NICs, and if the number of virtual NICs is greater than the number of receive rings on the NIC, creating a first software ring corresponding to one of the plurality of receive rings on the NIC, creating a first plurality of software receive rings associated with the first software ring, creating a second plurality of virtual NICs, and assigning each of the first plurality of software receive rings to one of the second plurality of virtual NICs, wherein the plurality of receive rings is less than a sum of the first plurality of virtual NICs and the second plurality of virtual NICs.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: March 2, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Kais Belgaied
  • Patent number: 7672239
    Abstract: Techniques, systems, and apparatus for offloading data connections from a kernel onto an associated TNIC are disclosed. Generally, embodiments of the invention are configured to send message packets of a connection to an endpoint at substantially the same time as an associated offload set-up process is performed. A method provides a data connection enabling data exchange between two TCP endpoints. After a determination is made that the connection is suitable for offloading, the kernel sends connection state information and a request that the connection be offloaded to a TNIC. Prior to completion of offload set up, an initial transmission of connection data is sent to an associated TCP endpoint. These principles can be implemented as software operating on a computer system, as a computer system module, as a computer program product and as a series of related devices and products.
    Type: Grant
    Filed: July 1, 2004
    Date of Patent: March 2, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Hsiao-Keng J. Chu, Nicolas G. Droux
  • Publication number: 20100040063
    Abstract: A method for processing packets. The method includes receiving a first packet, wherein the first packet is associated with a first protocol, classifying the first packet using a protocol associated with the first packet, sending the first packet to a first receive ring based on the classification, sending the first packet from the first receive ring to a first virtual network interface card (VNIC) based on an operating mode, sending the first packet from the first VNIC to a first protocol specific virtual network stack (VNS), wherein the first protocol specific VNS is configured to only process packets associated with the first protocol, and processing the first packet by the first protocol specific VNS to obtain a first processed packet.
    Type: Application
    Filed: October 19, 2009
    Publication date: February 18, 2010
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Thirumalai Srinivasan, Sunay Tripathi, Nicolas G. Droux
  • Patent number: 7643482
    Abstract: A system including a plurality of virtual network interface cards (VNICs); and a Vswitch table associated with a virtual switch, wherein each entry in the Vswitch table is associated with one of the plurality of VNICs, wherein each of the plurality of VNICs is located on the host, and wherein each of the plurality of VNICs is associated with the virtual switch. The first VNIC in the plurality of VNICs is configured to receive a packet associated with a hardware address (HA), determine, using the HA, whether one of the plurality of entries in the Vswitch table is associated with the HA, send the packet to a VNIC associated with HA if one of the plurality of entries in the Vswitch table is associated with the HA, wherein the VNIC is one of the plurality of VNICs.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: January 5, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Erik Nordmark
  • Publication number: 20090327392
    Abstract: A method for migrating a first virtual machine (VM), that includes transmitting, prior to migration, a first packet between the first VM on a first blade chassis and a second VM on a second blade chassis using a first virtual network interface card (VNIC) and a second VNIC. The method includes migrating the first VM and the first VNIC to the second blade, identifying a subnet of the first VM, identifying a subnet of the second VM, and creating a virtual router to execute on the second blade. The virtual router is associated with a third VNIC and a fourth VNIC. A first network address in the first VNIC's subnet is assigned to the third VNIC. A second network address in the second VNIC's subnet is assigned to the fourth VNIC. The method includes routing a second packet between the first VM and the second VM using the virtual router.
    Type: Application
    Filed: June 30, 2008
    Publication date: December 31, 2009
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Sunay Tripathi, Nicolas G. Droux
  • Patent number: 7640591
    Abstract: A method for controlling a denial of service attack involves receiving a plurality of packets from a network, identifying an attacking host based on a severity level of the denial of service attack from the network, wherein the attacking host is identified by an identifying attack characteristic associated with one of the plurality of packets associated with the attacking host, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packets is forwarded, forwarding each of the plurality of packets associated with the identifying attack characteristic to one of the plurality of temporary data structures matching the severity level of the denial of service attack as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures matching the severity level by the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue.
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: December 29, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Nicolas G. Droux, Yuzo Watanabe
  • Patent number: 7634608
    Abstract: A system includes a first and a second network component, and a bridge. The bridge, which resides in a Media Access Control (MAC) layer of a host, includes a bridge component, a first virtual network interface card (VNIC) and a second VNIC, wherein the first VNIC is associated with the first network component and the second VNIC is associated with the second network component. Further, the bridge component is configured to send packets received from the first network component to the second network component and to send packets received from the second network component to the first network component.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: December 15, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Kais Belgaied, Erik Nordmark
  • Patent number: 7631182
    Abstract: A method for offloading a secure protocol handshake. The method includes establishing a connection between a host system and a remote peer, and determining whether the secure protocol handshake is offloaded to a network interface card (NIC). When the secure protocol handshake is offloaded to the NIC, an offload request is sent to offload the secure protocol handshake, where the offload request includes a value of at least one cryptographic key. The method further includes performing cryptographic operations associated with the secure protocol handshake using the value of at least one cryptographic key to obtain at least one secret key, and returning a status of the secure protocol handshake to the host system.
    Type: Grant
    Filed: June 24, 2005
    Date of Patent: December 8, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Hsiao-Keng Jerry Chu
  • Patent number: 7630368
    Abstract: A method for routing packets includes receiving an outbound packet issued by a first virtual machine, wherein the first virtual machine is located on a host, determining a packet destination associated with the outbound packet, querying a routing table for a routing entry corresponding to the packet destination, wherein the routing table comprises a first routing entry referencing an external host and a second routing entry referencing a second virtual machine, wherein the second virtual machine is located on the host, if the routing entry corresponding to the packet destination is the first routing entry, passing the packet to the external host, and if the routing entry corresponding to the packet destination is the second routing entry, passing the packet to the second virtual machine.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: December 8, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Erik Nordmark, Nicolas G. Droux
  • Patent number: 7627899
    Abstract: A method for isolating legitimate network traffic during a denial of service attack involves receiving a plurality of packets from a network, detecting an attack from the network on a first virtual network stack, wherein the attack on the first virtual network stack comprises at least one from the group consisting of the denial of service attack and an extreme network load, if the attack is detected, forwarding a plurality of packets associated with a subsequent connection to a temporary data structure associated with a second virtual network stack, wherein the second virtual network stack is a lowest priority queue configured at connection setup time, determining whether the subsequent connection is legitimate, and forwarding at least one of the plurality of packets associated with the subsequent connection to a temporary data structure associated with the first virtual network stack if the subsequent connection is legitimate, wherein a higher priority mapping is assigned by a classifier to the subsequent co
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: December 1, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Nicolas G. Droux
  • Patent number: 7623538
    Abstract: Incoming/outgoing data packets to/from a network are processed by associated receive/send rings of a network interface. A plurality of counters, disposed in hardware, are each associated with particular receive/send rings. Each of the plurality of counters maintains a count of a number of data packets processed by an associated receive/send ring.
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: November 24, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Nicolas G. Droux, Hsiao-Keng Jerry Chu
  • Patent number: 7616653
    Abstract: In general, in one aspect, the invention relates to a network interface card (NIC) aggregation framework, including a plurality of providers each configured to publish at least one port, a MAC client configured to send a packet to the at least one port, and a media access control (MAC) service module configured to map the at least one port to one of the plurality of providers, wherein the MAC service module comprises a client interface configured to interface with the MAC client and a provider interface configured to interface with each of the plurality of providers.
    Type: Grant
    Filed: September 2, 2004
    Date of Patent: November 10, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Paul Durrant
  • Patent number: 7613132
    Abstract: A method of controlling bandwidth including receiving and classifying a packet, sending the packet to a hardware receive ring based on a classification of the packet, and sending, in accordance with an operating mode, the packet to a software receive ring, sending the packet from the software receive ring to a virtual network interface card, where the virtual network interface card is associated with a virtual machine, where the operating mode is adjusted to control the bandwidth consumed by the virtual machine.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: November 3, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Tim P. Marsland, Nicolas G. Droux
  • Patent number: 7613198
    Abstract: A method for dynamically changing a virtual network interface card (VNIC) binding. If the use of a hardware receive ring (HRR) is below the first threshold and the use of the software receive ring (SRR) is above the second threshold, then: binding the first VNIC to the SRR and the second VNIC to the HRR, removing the binding from the first VNIC to the HRR, removing the binding from the second VNIC to the SRR, and reprogramming a hardware classifier to send packets associated with the first VNIC to a second HRR and to send packets associated with the second VNIC to the HRR, reprogramming a software classifier to send packets associated with the first VNIC to the SRR, wherein the software classifier is associated with a soft ring (SR) and the SR is configured to obtain packets from the second HRR.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: November 3, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Kais Belgaied, Sunay Tripathi, Nicolas G. Droux