Enabling a service provider to provide intranet services
A method and system allows a service provider to provide Intranet services remotely by assigning private virtual servers to customers. Each customer addresses transmissions to one or more private virtual servers using private addresses from the customer's private Intranet. The addresses of different private virtual servers do not have to be unique and may overlap. Customers exchange privately-addressed transmissions with the service provider using tunnels to traverse the local or regional network connecting the customer with the service provider. The service provider routes the transmissions to the relevant private virtual server belonging to the customer that sent the transmission. The service provider also routes privately-addressed transmissions back to individual customers using tunnels.
Latest Digital Asset Enterprises, L.L.C. Patents:
- Restricting communication of selected processes to a set of specific network addresses
- Dynamically modifying the resources of a virtual server
- Virtualizing super-user privileges for multiple virtual processes
- Dynamically modifying the resources of a virtual server
- Regulating file access rates according to file type
This patent application is a reissue application for U.S. Pat. No. 6,948,003, issued from U.S. patent application Ser. No. 09/526,980, filed on Mar. 15, 2000.
This application is related to U.S. patent Ser. No. 09/452,286, entitled “Providing Quality of Service Guarantees to Virtual Hosts”, by Pawan Goyal et al., filed Nov. 30, 1999, and commonly assigned with the present application. The subject matter of related application U.S. patent Ser. No. 09/452,286 is incorporated by reference herein in its entirety.
BACKGROUND1. Field of Invention
the present invention relates generally to providing private networking services, e.g., Intranet services, remotely, and more particularly, to allowing a service provider to locate and manage private network servers at the service provider's location, while connecting the servers to a customer's premises such that they appear to be local and private to the customer.
2. Background of the Invention
Networked computer resources are growing more popular as the benefits of sharing computing resources becomes evident. One of the fastest-growing segments of the Internet is the private network market. A private network is an interconnected group of computing resources accessible only by the network members. Security protocols are used to ensure that only authorized users have access to the network's resources, even where the network operates on the public network infrastructure and protocols. A private network, often belonging to a corporation, may be used to store web pages and other shared information. This information is maintained in a private space, generally screened off from external sources such as the Internet by a firewall which blocks unauthorized access. Such private networks are often referred to as intranets, local area networks (LAN) or wide area networks (WAN).
In a typical LAN implementation, a single location contains a group of individual user computers, as well as one or more dedicated host computers executing server programs to maintain the network's shared information. The private LAN is screened off from the Internet by a firewall, though users may access the Internet if needed. Network traffic intended for the network is allowed through the firewall only if authorized. The resources within the LAN all may communicate using private addresses. It is not necessary to use registered IP addresses for each resource because the system is screened off from the global Internet.
This model may be extended to multiple location sites. Computer networks that span relatively large geographical distances are typically referred to as WANs. In a private WAN, individual sites must be connected in a secure manner. A secure connection between WAN sites may be accomplished using a virtual private network. A virtual private network utilizes ordinary Internet protocols and may also use public communications mediums to connect; however, privacy is ensured through features such as tunneling (data encapsulation) or the use of leased lines. A leased line is a permanent connection between two points that is always active. Resources on a WAN may communicate using only private addresses because the network is screened off from the global Internet.
Private networks contain common elements. Each generally contains a dedicated local server to maintain the shared private network data, and a communications system for providing data communication services between machines on the private network. Communication takes place using a private address space. Because the address spaces for individual private networks need only be locally unique, the address spaces among several different private networks may overlap because the networks are isolated from each other. More specifically, in private intranets, two unrelated intranets at different companies may use the same local addresses for user computers. No conflict arises since the networks are not connected.
Data communications services and servers are not easy to configure, manage, and maintain. Thus, there is an incentive for the service providers that offer access to communications facilities to provide such private network services and servers as well, thereby relieving corporations from the burden of providing these services directly. Some examples of service providers are: Internet Service Providers (ISP), Application Service Providers, Network Service Providers, and Competitive Local Exchange Carriers (CLEC).
It is not economically feasible for a service provider to remotely manage servers located on a customer's premises, and support many different customers in this fashion. Rather a service provider would prefer to offer private network services to multiple customers while keeping all of the server host computers within a location of the service provider for ease of management. Accordingly, service providers typically dedicate a physical host computer as each individual customer's server, and maintain each host computer in the centralized facility. However, this means the service provider will have to own and maintain potentially large numbers of physical host computers, at least one for each customer's server or private network However, many customers will neither require nor be amenable to paying for the use of an entire host computer. Generally, only a fraction of the processing power, storage, and other resources of a host computer will be required to meet the needs of an individual customer.
Alternatively, a service provider may utilize one physical host computer to provide commercial host services to multiple customers. Using Transmission Control Protocol (TCP) and other transport protocols, a server application executing on a single physical host can be programmed to process requests made to multiple network addresses. Such functionality is known as virtual hosting.
In virtual hosting, each customer is assigned a network address (or domain name), and is provided with resources on a single, physical host computer, effectively sharing the host with other customers. A client computer requests data from a specific customer's host by targeting communication requests to the appropriate network address (or domain name). The virtual host server can service requests to multiple network addresses or domain names. Thus, the functionality of numerous hosts is provided by a single physical host computer, servicing requests made to a plurality of network addresses and domain names by multiple customers.
However, virtual hosting it is commonly performed today does not provide many of beneficial features of private networks. Service providers will have to be able to provide certain features of private networks before customers will be willing to outsource services related to the operation and maintenance of their private network. First, customers will want to ensure that their private data is inaccessible to other customers sharing the same host computers. For instance, if a service provider provides email outsourcing for both Company A and Company B on the same computer, Company A will want to ensure that the directories in which its email is stored are not accessible to Company B, and vice versa.
Additionally, customers will want to ensure that their services are not compromised due to problems originating with another customer. If a service provider uses a single host computer to provide server resources for both Company A and Company B, steps must be taken to ensure that overuse of the resources by Company A does not impact Company B's service. Additionally, faults, crashes, or similar problems caused by one customer must not compromise the service provided to another customer. Such performance degradation issues must be contained by the service provider to impact only the customer responsible for the problem, and not to impact any other customers.
Finally, companies A and B will want their servers to have IP addresses that belong to their own private address spaces. Using addresses from each company's own private address space offers more security because private IP addresses are not reachable over the public Internet. The use of private IP addresses guards against private servers becoming accessible from the public Internet by accidental misconfiguration of equipment. Also, public IP addresses are a limited resource; there is insufficient address space for private networks to consume addresses from the public address space. Furthermore, if a company connects a number of servers or corporate locations together they will wish to establish a virtual private network. To run the routing protocols required for communications within a virtual private network requires a coherent addressing scheme. Such a virtual private network is easier to manage from a private address space.
However, the use of private address schemes creates difficulties for the service provider. The service provider may now have several virtual servers assigned to the same IP address, because companies A and B may have overlapping address spaces, as is typical in private networks. This address overlap can cause the communication network to fail. Typically, one of the virtual servers would become unreachable due to this address overlap error.
Thus in order to satisfy customers' needs, a service provider desiring to provide private network services must be able to guarantee four different kinds of isolation. Functional isolation separates the data and functionality of each customer. Fault isolation protects one customer from the faults created by another customer. Performance isolation allows each customer to receive a performance commitment independent of the behavior of other customers. Address isolation allows each customer to choose the virtual server IP address that it wants to be associated with, independent of other customers.
Virtual hosting currently cannot provide these beneficial features of ordinary private servers. This is due to the inability of a virtual host to allocate appropriate amounts of computer resources of the physical host computer to servicing client requests made to specific virtual hosts, and hence to specific customers. A private virtual server, by contrast, is able to provide the functional, fault, and performance isolation that an ordinary virtual server cannot. A method for creating such a private virtual server is disclosed in the related application identified above, U.S. patent Ser. No. 09/452,286, entitled “Providing Quality of Service Guarantees to Virtual Hosts.”
However, a method and system is still needed to allow customers to use their own private address spaces to communicate with a remotely-located private virtual server maintained by a service provider, where the private virtual server addresses may overlap.
SUMMARY OF THE INVENTIONThe present invention allows providers of virtual servers to properly differentiate and route transmissions using private addresses on a common host server. The term “private virtual server” as used herein is a virtual server that supports a private address space wherein the private address spaces of different private virtual servers may overlap.
Customers exchange privately-addressed transmissions with a service provider using tunnels to traverse the local or regional network connecting the customer with the service provider. The service provider receives the transmissions at a gateway into the service provider's data center. The service provider then routes the transmission to the private virtual server belonging to the customer that sent the transmission. The service provider also routes privately-addressed transmissions back to individual customers using tunnels. In this way, the service provider is able to implement a separate routing context on behalf of each individual customer.
The present invention allows for flexibility in designing a private virtual server that suits an individual customer's needs. For example, an individual customer may have multiple physical sites all utilizing the same private virtual server. Optionally, an individual customer may be assigned more than one private virtual server, for instance, if different divisions of an organization each wish to maintain their own private servers while making all the data available to the organization at large.
In one embodiment, the present invention comprises a multiplexing/demultiplexing mechanism capable of routing signals to and from one or more private virtual servers located on a physical host computer. Each private virtual server is associated with only one private network. The multiplexing/demultiplexing mechanism receives a privately addressed transmission and routes it to the private virtual server with which it is associated. The privately addressed transmission may then be processed within the private virtual server in the same manner as if the server was actually a physical server resident within a LAN. The multiplexing/demultiplexing mechanism also receives an outgoing transmission from a private virtual server and routes it back to the private network associated with it. Incoming and outgoing transmissions are addressed using a tunneling scheme. Tunneling allows privately-addressed transmissions to be transported over a network that uses global addresses and allows customers to address their private virtual server using a non-unique private address. As a result, all transmissions to and from a customer are sent only to the customer's respective private virtual server.
In another embodiment, the present invention includes more than one physical host computer. Each physical host computer contains one or more private virtual servers. Privately-addressed incoming transmissions are sent to the service provider's data center. The transmissions are placed on tunnels to traverse the local or regional network connecting the customer with the service provider. A tunnel switching mechanism is used to forward transmissions received at the service provider's data center to the proper physical host computer.
In another embodiment, the present invention is a method for locating and managing private network services in a data center location remote from private network users. The method comprises receiving a transmission addressed using a private address of a recipient, and routing the transmission to a private virtual server. The correct private virtual server is determined from the address of either the sender or the recipient of the transmission.
The foregoing merely summarizes aspects of the invention. The present invention is more completely described with respect to the following drawings and detailed description.
Reference will now be made in detail to several embodiments of the present invention, examples of which are illustrated in the accompanying drawings. Wherever practicable, the same reference numbers will be used throughout the drawings to refer to the same or like parts. The figures depict preferred embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.
As used herein, the terms “customer”, “user”, and “private network user” refer to individuals or groups of individuals accessing the same private virtual server. Typically, a private virtual server “user” is a group of individuals with a shared association. For example, “user” may collectively refer to the employees of a company, or to certain employees within a division of a company. One company (a “customer”) may have several different users, each corresponding to a different group within the company. Additionally, a “user” may also refer to a single individual.
In the present invention, customers send and receive data using a network. In one embodiment, the protocol used within each customer's network will be IP (Internet Protocol). The IP addressing format will also be assumed herein for purposes of illustration. However, it will be evident to one of skill in the art that a different network protocol could be used instead of IP within a customer's private network, for example, Open Systems Interconnection (OSI), Internetwork Packet Exchange (IPX), System Network Architecture (SNA), and Asynchronous Transfer Mode (ATM).
Data from customers 112 and 114 may optionally be aggregated 130 before being sent out over a local or regional network 140. Aggregation 130 is not required, but generally is done to concentrate data traffic for more efficient transmission over a network. For example, a customer site may aggregate the multiple data streams coming from various different users (clients) within the site before transmitting data onto a public network.
Aggregation 130 may also take place between customers and non-customers. This may occur when data transmission sites are located physically close together, to consolidate traffic flow onto the local or regional network 140. In another example, aggregation is also common in digital subscriber line (DSL) systems. A digital subscriber line access multiplexer (DSLAM) concentrates data traffic from multiple DSL loops onto the backbone network before connection to the rest of the local or regional network 140. Data directed to different destinations will be separated and individually routed within the local or regional network 140.
The local or regional network 140 connects a customer with a private virtual server system 100. The local or regional network 140 may be comprised of different types of interconnected networks. System 100 is capable of functioning with a wide variety of different local or regional networks 140, as will be evident to one of skill in the art.
Traffic from each individual customer 112 and 114 is aggregated 130 and transported across the local or regional network 140 until it reaches a service provider gateway 152. The service provider gateway 152 provides the connection into the service provider data center 150. The service provider gateway 152 direct traffic from each customer to the private virtual servers it owns and prevents traffic from reaching private virtual servers a customer does not own.
The service provider gateway 152 connects to a physical server machine 160. The physical server machine 160 may be any kind of computer adapted to support private virtual servers. It is to be understood that a service provider data center 150 will typically contain more than one physical server machine 160.
Located on the physical server machine 160 is a group of private virtual servers 162. In one embodiment, each private virtual server 162 is capable of implementing quality of service guarantees to individual customers. A service provider may implement different quality of service guarantees by allocating different percentages of the physical server machine 160 to servicing each of the private virtual servers 162. Thus the private virtual servers 162 may each consume a different percentage of the resources of physical server machine 160. This resource allocation may be dynamically changed by the service provider as required.
In one embodiment, the IP network address of each private virtual server 162 corresponds to a private address from the private address space of the respective customer assigned to the private virtual server. A private address is any locally-assigned address, which does not have to be unique within the global Internet. Conversely, a global address is a registered IP address that is unique within the public network system of communications. Generally, connecting a private network to a public network requires network address translation, which maps global addresses onto private addresses at the public/private network boundary. Private addresses are not routable in the public network, therefore transmissions cannot be sent to the private virtual servers 162 across the public network 120 using only their private addresses.
The network addresses for the private virtual servers are chosen to correspond to each customer's private address space. The private address spaces of customers 112 and 114 may overlap. Therefore, the network addresses for these customers' assigned virtual private servers may not be unique. It is possible for private virtual servers 162 to all be assigned the same network address.
Thus the use of private addresses for the private virtual servers creates two different problems: such private addresses cannot be used to transmit data directly across a public network, and there may be address overlap among the private virtual servers.
A solution to the problem of transporting privately-addressed transmissions is shown in
Customers 210 and 220 use tunnels to allow privately-addressed data transmissions to traverse the local or regional network 240. Customer 210 has a single tunnel 212 from customer 210's site to the service provider gateway 252. Similarly, customer 220 has a single tunnel 222 from customer 220's site to the service provider gateway 252. A tunnel is created by encapsulating a data transmission within a second type of addressing protocol. Transmissions, which use addresses that are unique only within a narrow scope, may thus be transported across a second network within a wider address scope. In this way, private IP addresses that are only unique within a private IP network are encapsulated for transport across the global public Internet. The origination of the tunnel, on the customer's side, must occur before traffic from multiple customers is aggregated. The numbers of customers and private virtual servers shown in
System 200 demonstrates how a customer can be communicatively coupled to a private virtual server system using privately-addressed transmissions. However, once privately-addressed transmissions are routed across a public network, the problem of potential address overlap among the destination private virtual servers still remains.
In another embodiment, the tunnels 312, 322, and 332 could be replaced with dedicated leased lines. A leased line is a permanent connection between two points set up by a telecommunications common carrier. A leased line is not part of the global public network, and therefore may carry privately-addressed traffic.
The physical server machine 360 contains three private virtual servers 362, as well as a multiplexing/demultiplexing mechanism 350. Incoming tunnels 312, 322, and 332 communicatively couple to the multiplexing/demultiplexing mechanism 350. The private virtual servers 362 may have overlapping IP addresses. A set of internal pointers 314 is used to direct traffic from the multiplexing/demultiplexing mechanism 350 to the correct private virtual server 362, thereby communicatively coupling the multiplexing/demultiplexing mechanism 350 to the private virtual servers 362.
The multiplexing/demultiplexing mechanism 350 performs the functions of separating incoming communication streams back into their original constituent streams, and merging multiple separate communication streams onto a single physical communications medium. In one embodiment, the multiplexing/demultiplexing mechanism 350 is implemented in the network interface card of the physical server machine 360. The multiplexing/demultiplexing mechanism 350 may be implemented in an application specific integrated circuit (ASIC) on the network interface card, or on the software driver.
Incoming tunneled transmissions are sent on a physical medium as packet flows. When the multiplexing/demultiplexing mechanism 350 demultiplexes an incoming set of packet flows, incoming packets are stored in a buffer and one of the fields in the packet header is used to select the incoming packet queue to which the buffer should be linked. An incoming packet queue is a list of pointers wherein each pointer points to a packet buffer. Thus packets arriving with different tunnel identifiers are linked to different incoming packet queues. There is one incoming packet queue per tunnel.
Outgoing transmissions sent by the various private virtual servers are also packet flows. Each private virtual server has its own outgoing packet queue. These packet queues are again implemented as lists of pointers to packet buffers. The scheduler in the network interface card selects which of the non-empty outgoing packet queues it should serve next. The scheduler takes the pointer from the head of the selected queue and transmits the packet from the buffer that is pointed to by the pointer.
The tunnel switching operations of the mutiplexing/demultiplexing mechanism 350 are shown in more detail in
The physical host computer 400 also includes a multiplexing/demultiplexing mechanism 410. Multiplexing/demultiplexing mechanism 410 has an internal pointer 430 directed at each IP stack 422. Multiplexing/demultiplexing mechanism 410 includes a lookup table 412 that includes a list of incoming tunnel identifiers and pointers to their associated IP stacks within the physical host computer 400. Lookup table 412 is created by software residing on the physical host computer 400, which associates each IP stack with a particular customer, and ensures that transmissions sent from a particular customer are only directed to that particular customer's private virtual server.
A data packet 452 enters the multiplexing/demultiplexing mechanism 410 using an incoming tunnel 450. The tunnel 450 is not an individual physical connection, but is a means of encapsulating the packet 452 to permit routing across a public network. Although only one incoming tunnel 450 is shown in
The tunnel identifying information of the incoming packet 452 identifies which customer sent the packet 452. Packet 452's incoming tunnel identifying information is stripped 446, and the tunnel identifying information is presented 444 to the lookup table 412. Lookup table 412 returns 442 an internal pointer 430 for the appropriate IP stack 422. Packet 452 is then routed 440 to the identified IP stack 422 using the internal pointer 430.
An alternative embodiment is to embed the internal pointer 430 in the control data structure that controls the operation of the tunnel. The control data structure is typically located on the network interface card. The network interface card is typically located on the physical server machine 400.
A packet 552 is originally sent from the IP stack 422 of one of the private virtual servers 420. The packet 552 is directed 530 to the multiplexing/demultiplexing mechanism 410. Upon arrival at the multiplexing/demultiplexing mechanism 410, the internal tunnel IP stack identifier is read 540, and this identifier is presented 542 to lookup table 512.
Lookup table 512 returns 544 the associated outgoing tunnel identifying information. The outgoing tunnel identifier is added 546 to packet 552. Packet 552 is then sent out using the appropriate outgoing tunnel 550. The outgoing tunnel 550 is associated with the customer assigned to the private virtual server 420, which originally sent the packet 552. Although only one outgoing tunnel is shown in
An alternative embodiment is for the IP stack 422 of each private virtual server 420 to encapsulate the packet 552 with the proper outgoing tunnel header and tunnel identifier, thereby creating the tunnel 550. In this embodiment, the lookup table 512 is not used. The multiplexer/demultiplexer mechanism 410 merges the encapsulated and identified packet streams together, and sends them out.
A service provider will typically own and manage multiple physical server machines. Additionally, customers may wish to purchase more than one private virtual server, for example, for separate divisions within the same company. A customer may also have multiple physical customer sites using the same private virtual server, wherein each customer site uses a different tunnel to communicate with the service provider. A tunnel switch supports these different configurations in a private virtual server system.
A tunnel switch comprises one or more physical interfaces, with each interface capable of carrying many multiplexed tunnels. A tunnel switch will typically be capable of supporting a number of different physical interface technologies and a number of different types of tunnels for each type of physical interface. A tunnel switch performs two separate services: switching tunnels, and switching packets within a tunnel.
In a switching tunnels service, all packets arriving on one incoming tunnel are forwarded to an outgoing tunnel. This may be implemented without looking into the headers of the packets themselves. The tunnel switch notes which tunnel and physical interface the packet arrived on. Given the identifier of the incoming tunnel and the incoming physical interface, the tunnel switch uses a lookup table to specify the outgoing tunnel and physical interface.
In a switching packets service, incoming tunnels are terminated at the tunnel switch. The packets within each tunnel are extracted and switched individually based upon the incoming physical interface, the incoming tunnel, and information from the header of the packet. A private virtual server system supporting multiple physical servers, multiple private virtual servers per customer, and multiple customer sites per private virtual server will support such a switching packets service in addition to supporting a switching tunnels service.
Each customer site is connected to the system 600 via an external tunnel that traverses the local or regional network 620 and communicatively couples to a tunnel switch 632. Customer site 612 uses external tunnel 622, customer site 614 uses external tunnel 624, and customer site 616 uses external tunnel 626. A tunnel switch 632 operates as the gateway to physical servers 640 and 650, and supports tunnels on multiple physical interfaces. Tunnel switch 632 is communicatively coupled to physical server 640 via a set of tunnels 634. Tunnel switch 632 is communicatively coupled to physical server 650 via a set of tunnels 636. Physical server 640 contains a multiplexing/demultiplexing mechanism 642, which is linked via a set of internal pointers 662 to a set of private virtual servers 660. Physical server 650 contains a multiplexing/demultiplexing mechanism 652, which is linked via a set of internal pointers 682 to a set of private virtual servers 680.
Tunnel switch 700 also includes a set of outgoing physical interfaces 732 carrying a set of outgoing tunnels 730 to a set of physical host computers 720. Physical interface 732A carries tunnels 730A and 730B to physical host computer 720A. Physical interface 732B carries tunnel 730C to physical host computer 720B. Physical interface 732C carries tunnels 730D and 730E to physical host computer 720C. The tunnel switch 700 includes a customer lookup table 800 and a set of customer forwarding tables 900. The features of the customer lookup table and customer forwarding tables will be discussed in more detail before fully explaining the functions of the tunnel switch 700.
The customer lookup table 800 associates external tunnel and physical interface identifiers with a particular customer. Each customer listed in the customer lookup table 800 has an associated customer forwarding table. For example, customer 1's information is contained in customer forwarding table 910, and customer 2's information is contained in customer forwarding table 920. When a customer communicates with a private virtual server, each data transmission will arrive on a particular physical interface using a particular tunnel.
Customer lookup table 800 contains four fields: incoming physical interface, incoming tunnel identifier, service, and customer identifier. Each incoming physical interface and incoming tunnel identifier entry will reference a unique customer identifier. This customer identifier provides an index to the correct customer forwarding table associated with this physical interface/tunnel identifier pair. For example, a transmission arriving on physical interface 712 and incoming tunnel 710B would be indexed to customer 1's customer forwarding table (table 910 from
Each customer forwarding table 910, 920 and 930 contains three fields: destination IP address, outgoing tunnel identifier, and outgoing physical interface. Based upon the destination IP address of a particular transmission, the proper outgoing tunnel and outgoing physical interface is determined. Using customer lookup table 910 as an example, transmissions with a destination IP address of the “main server” for customer I would be placed on outgoing tunnel 730A on physical interface 732A. In the opposite direction, transmissions with a destination IP address of “site 1” for customer 1 would be placed on outgoing tunnel 710E on physical interface 712.
The information in the customer forwarding tables 900 is segregated by customer because the private address spaces of different customers may overlap, and therefore the destination IP addresses on each individual customer forwarding table are not unique within the set of all customer forwarding tables. For example, “main server” of customer 1 and “server” of customer 2 may have the same IP address.
The service field in the customer lookup table 800 identifies whether only a tunnel switching service (TS) is required, or a packet switching service (PS) is required. If only a tunnel switching service is required, the associated customer forwarding table will contain only a single entry specifying the proper outgoing tunnel and outgoing physical interface. For example, customer lookup table 800 indexes transmissions arriving on physical interface 712 and incoming tunnel 710C to customer 2, and identifies these transmissions as requiring only a tunnel switching service Customer lookup table 920 associated with customer 2 directs all traffic to outgoing tunnel 730D on physical interface 732C.
The customer lookup table 800 and customer forwarding tables 900 allow the tunnel switch 700 to support a variety of different private network configurations. For example, customer lookup table 800 shows that customer 1 uses two different incoming tunnels: 710A and 710B. Customer forwarding table 910 shows that customer I also has two different destination IP addresses corresponding to two different private virtual servers: “main server” and “backup server.” Additionally, customer 1 has two different destination IP addresses corresponding to two different customer sites: “site 1” and “site 2.” However, customer forwarding table 920 shows that customer 2 has only one private virtual server (“server”). The example private network configurations referred to herein are merely illustrative. It will be understood by one of skill in the art that many different configurations are possible.
Referring back to
The customer lookup table 800 uses the physical interface and tunnel identifier to return 748 the correct customer forwarding table (910) for use with the packet 718. A group of customer forwarding tables 900 contains a customer forwarding table 910 that is associated with the customer that uses physical interface 712 and tunnel 710B. Packet 718's destination IP address, for example, “main server” is presented 750 to customer forwarding table 910.
From the information contained in customer forwarding table 910, the correct outgoing physical interface and tunnel identifier for packet 718 is identified 754. Referring to
Customers utilizing a private virtual server system may also be accessing the global Internet. In this case, both the private virtual server communications traffic and the Internet communications traffic are sent out on a public network. A method for separating the two traffic streams is required.
In one embodiment, shown in
Within the tunnel switch 1060, traffic addressed to the Internet is segregated out from traffic directed to the customer's private virtual server(s). The Internet traffic is sent out to the Internet 1030 via a public communications channel 1064. Internet responses back to the customer are returned in the same way that they were sent. The tunnel switch 1060 sends private virtual server traffic out on an internal tunnel 1062 to the physical server machine 1070 that holds the customer's private virtual server.
A variety of tunneling protocols may be used to create the tunnels used in the present invention. It is preferable to use a layer 2 tunneling protocol for security purposes. Layer 2 tunnels provide solid circuits that make it difficult to “spoof” a fake source address. Packets using a layer 3 tunneling protocol may be created with a fake IP address, allowing a packet to appear to come from a customer when in fact it was sent by an unauthorized third party. Tunnels using a layer 3 tunneling protocol require encryption so that an intruder cannot decode the information. Encryption is also required to protect against accidentally routing the traffic to an incorrect destination, because the encryption will prevent mis-directed traffic from being decoded. Preference for tunnel type depends upon the service provider's network architecture.
Typical examples of tunnel protocols include Asynchronous Transfer Mode virtual circuits (ATM VCs), frame relay virtual circuits (FR VCs), the Point-to-Point Protocol (PPP) across the Layer 2 Tunneling Protocol (L2TP), and IP security protocol (IPsec). ATM or frame relay virtual circuits may be delivered to a customer using Digital Subscriber Line (DSL) access. However, it will be evident to one of skill in the art that other tunneling protocols may be used to implement the tunnels of the present invention.
The customer site 1110 contains a group of computers 1112A, 1112B, and 1112C. The computers 1112 are representative of the customer's on-site private network. Such a private network could be comprised of more or fewer individual computers, as well as other types of equipment such as storage devices.
Components within a customer's on-site private network communicate using a private IP addressing scheme. A packet 1114 is a privately-addressed transmission sent using the local IP protocol of the customer site 1110. Packet 1114 is sent from customer 1110 to customer 1110's private virtual server. Packet 1114 has a destination address corresponding to a private virtual server of service provider 1150.
The on-site private network of devices 1112 is connected to a customer premise equipment box (CPE) 1120. Packet 114 is routed to CPE 1120. The CPE connects the customer site 1110 to a tunnel 1132, established between the customer site 1110 and the service provider site 1150. The tunnel functions as a bi-directional data pipe, and is typically established when a customer subscribes to a service provider providing a tunneling service. A fixed ATM tunnel is referred to as a permanent virtual circuit. The CPE divides the data of packet 1114 into cells (or packets) of a fixed size designated by the ATM protocol, and encapsulates them with a Virtual Channel Identifier (VCI) used to direct the cells through the data pipe. An ATM cell 1118 is created from the division and encapsulation of packet 1114.
Tunnel 1132 terminates at a tunnel switch 1160 of the service provider 1150. Tunnel switch 1160 is connected via a set of bi-directional ATM tunnels 1172 to a set of physical servers 1170. In another embodiment, two sets of unidirectional tunnels are used to provide a two-way connection between customer site 1110 and service provider 1150.
A set of incoming external tunnels 1132 terminates at the tunnel switch 1160. Tunnel 1132B carries the incoming ATM cell 1118. Referring back to
In
Customer forwarding table 1232B returns 1218 the identity of the outgoing tunnel required to reach the correct private virtual server destination (1250A) for ATM cell 1118. ATM cell 1118 is then placed 1220 on an internal tunnel 1172 to reach the private virtual server 1250A. Internal tunnel 1172 terminates at a multiplexing/demultiplexing mechanism 1290 of the physical host computer 1170, which contains private virtual server 1250A.
The VCI of ATM cell 1118 is stripped 1252, and the VCI is presented 1254 to lookup table 1260. The rest of the ATM cell 1118, including the original source/destination addresses and payload, is held until the original IP packet 1114 sent by a customer 1112 can be reassembled. The ATM protocol uses relatively small cells compared to other transmission protocols. Therefore multiple ATM cells may be required to reassemble the original pre-ATM-encapsulation packet 1114.
Once the original IP packet 1114 has been reassembled 1262, the location of the IP stack of the destination private virtual server 1250A is retrieved 1256 from lookup table 1260. Packet 1114 is routed 1280 to the IP stack of private virtual server 1250A.
Although the invention has been described in considerable detail with reference to certain embodiments, other embodiments are possible. As will be understood by those of skill in the art, the invention may be embodied in other specific forms without departing from the essential characteristics thereof For example, different protocols may be used to create tunnels. Accordingly, the present invention is intended to embrace all such alternatives, modifications and variations as fall within the spirit and scope of the appended claims and equivalents.
Claims
1. In a system comprising a host computer containing a plurality of virtual servers which support a private network address space wherein the private network address spaces of two or more of the virtual servers overlap, a method for providing private network services using private addresses in a location remote from private network users, the method comprising:
- storing a customer lookup table, the customer lookup table storing associations between physical interfaces and tunnel identifiers identifying tunnels for private networks and a plurality of customer forwarding tables;
- storing a plurality of customer forwarding tables, the customer forwarding tables associating network addresses with physical interfaces and tunnel identifiers;
- receiving, over a tunnel, a transmission on a physical interface, the transmission containing a tunnel identifier;
- determining the correct customer forwarding table from the customer lookup table using the physical interface and the tunnel identifier;
- determining via the customer forwarding table a physical interface and tunnel identifier associated with a network address of the transmission; and
- sending the transmission to the network address on the determined physical interface using the determined tunnel identifier.
2. A computer-readable medium containing a computer program product for providing private network services using private addresses in a location remote from private network users, wherein a host computer contain a plurality of virtual servers which support a private network address space and wherein the private network address spaces of two or more of the virtual servers overlap, the computer program product, when executed by a computing system, implements a process comprising:
- program instructions for storing a customer lookup table, the customer lookup table storing associations between physical interfaces and tunnel identifiers identifying tunnels for private networks and a plurality of customer forwarding tables;
- program instructions for storing a plurality of customer forwarding tables, the customer forwarding tables associating network addresses with physical interfaces and tunnel identifiers;
- program instructions for receiving, over a tunnel, a transmission on a physical interface, the transmission containing a tunnel identifier;
- program instructions for determining the correct customer forwarding table from the customer lookup table using the physical interface and the tunnel identifier;
- program instructions for determining via the customer forwarding table a physical interface and tunnel identifier associated with a network address of the transmission; and
- program instructions for sending the transmission to the network address on the determined physical interface using the determined tunnel identifier.
3. In a system comprising a host computer containing multiple virtual servers that each support a private network address space wherein the private network address spaces of two or more of the virtual servers overlap, a method for providing private network services using private addresses in a location remote from private network users, the method comprising:
- storing customer lookup information and customer forwarding information, the customer lookup information specifying associations between physical interfaces and tunnel identifiers identifying tunnels for private networks and multiple customer forwarding tables, the customer forwarding information associating network addresses with physical interfaces and tunnel identifiers;
- receiving, over a tunnel, a transmission on a physical interface having an interface identifier, the transmission identifying a tunnel identifier;
- determining the correct customer forwarding information from the customer lookup information using the physical interface identifier and the tunnel identifier;
- using the customer forwarding information to identify a physical interface and tunnel identifier associated with a network address of the transmission; and
- sending the transmission to the network address on the identified physical interface using the identified tunnel identifier.
4. The method of claim 3, further comprising receiving the transmission via the tunnel from a private network.
5. The method of claim 3, further comprising routing the transmission over a layer 2 tunnel.
6. The method of claim 3, wherein routing the transmission to a virtual server comprises:
- terminating an incoming tunnel containing a transmission; and
- multiplexing the transmission to a virtual server.
7. The method of claim 6, further comprising:
- identifying the tunnel identifier contained in the transmission; and
- selecting a virtual server based upon the identified tunnel identifier.
8. The method of claim 6, wherein routing the transmission to a virtual server comprises:
- terminating an incoming tunnel containing the transmission;
- switching the transmission to a tunnel connected to a physical host computer containing a private network's virtual server;
- terminating the tunnel at the physical host computer; and
- multiplexing the transmission to the virtual server.
3377624 | April 1968 | Nelson et al. |
4177510 | December 4, 1979 | Appell et al. |
5189667 | February 23, 1993 | Esaki et al. |
5212793 | May 18, 1993 | Donica et al. |
5226160 | July 6, 1993 | Waldron et al. |
5249290 | September 28, 1993 | Heizer |
5263147 | November 16, 1993 | Francisco et al. |
5325530 | June 28, 1994 | Mohrmann |
5437032 | July 25, 1995 | Wolf et al. |
5528753 | June 18, 1996 | Fortin |
5572680 | November 5, 1996 | Ikeda et al. |
5584023 | December 10, 1996 | Hsu |
5603020 | February 11, 1997 | Hashimoto et al. |
5623492 | April 22, 1997 | Teraslinna |
5636371 | June 3, 1997 | Yu |
5640595 | June 17, 1997 | Baugher et al. |
5692047 | November 25, 1997 | McManis |
5706097 | January 6, 1998 | Schelling et al. |
5706453 | January 6, 1998 | Cheng et al. |
5708774 | January 13, 1998 | Boden |
5719854 | February 17, 1998 | Choudhury et al. |
5727203 | March 10, 1998 | Hapner et al. |
5748614 | May 5, 1998 | Wallmeier |
5752003 | May 12, 1998 | Hart |
5761477 | June 2, 1998 | Wahbe et al. |
5764889 | June 9, 1998 | Ault et al. |
5781550 | July 14, 1998 | Templin et al. |
5799173 | August 25, 1998 | Gossler et al. |
5809527 | September 15, 1998 | Cooper et al. |
5828893 | October 27, 1998 | Wied et al. |
5838686 | November 17, 1998 | Ozkan |
5838916 | November 17, 1998 | Domenikos et al. |
5842002 | November 24, 1998 | Schnurer et al. |
5845129 | December 1, 1998 | Wendorf et al. |
5850399 | December 15, 1998 | Ganmukhi et al. |
5860004 | January 12, 1999 | Fowlow et al. |
5864683 | January 26, 1999 | Boebert et al. |
5889956 | March 30, 1999 | Hauser et al. |
5889996 | March 30, 1999 | Adams |
5892968 | April 6, 1999 | Iwasaki et al. |
5905730 | May 18, 1999 | Yang et al. |
5905859 | May 18, 1999 | Holloway et al. |
5913024 | June 15, 1999 | Green et al. |
5915085 | June 22, 1999 | Koved |
5915095 | June 22, 1999 | Miskowiec |
5918018 | June 29, 1999 | Gooderum et al. |
5920699 | July 6, 1999 | Bare |
5933603 | August 3, 1999 | Vahalia et al. |
5937159 | August 10, 1999 | Meyers et al. |
5956481 | September 21, 1999 | Walsh et al. |
5978373 | November 2, 1999 | Hoff et al. |
5982748 | November 9, 1999 | Yin et al. |
5987524 | November 16, 1999 | Yoshida et al. |
5991812 | November 23, 1999 | Srinivasan |
5999963 | December 7, 1999 | Bruno et al. |
6016318 | January 18, 2000 | Tomoike et al. |
6018527 | January 25, 2000 | Yin et al. |
6023721 | February 8, 2000 | Cummings |
6038608 | March 14, 2000 | Katsumata et al. |
6038609 | March 14, 2000 | Geulen et al. |
6047325 | April 4, 2000 | Jain et al. |
6055617 | April 25, 2000 | Kingsbury |
6061349 | May 9, 2000 | Coile et al. |
6065118 | May 16, 2000 | Bull et al. |
6075791 | June 13, 2000 | Chiussi et al. |
6075938 | June 13, 2000 | Bugnion et al. |
6078929 | June 20, 2000 | Rao et al. |
6078957 | June 20, 2000 | Adelman et al. |
6086623 | July 11, 2000 | Broome et al. |
6092178 | July 18, 2000 | Jindal et al. |
6094674 | July 25, 2000 | Hattori et al. |
6101543 | August 8, 2000 | Alden et al. |
6108701 | August 22, 2000 | Davies et al. |
6108759 | August 22, 2000 | Orcutt et al. |
6122673 | September 19, 2000 | Basak et al. |
6154776 | November 28, 2000 | Martin et al. |
6154778 | November 28, 2000 | Koistinen et al. |
6161139 | December 12, 2000 | Win et al. |
6167520 | December 26, 2000 | Touboul et al. |
6172981 | January 9, 2001 | Cox et al. |
6189046 | February 13, 2001 | Moore et al. |
6192389 | February 20, 2001 | Ault et al. |
6192512 | February 20, 2001 | Chess |
6230203 | May 8, 2001 | Koperda et al. |
6240463 | May 29, 2001 | Benmohamed et al. |
6247057 | June 12, 2001 | Barrera, III |
6259699 | July 10, 2001 | Opalka et al. |
6266678 | July 24, 2001 | McDevitt et al. |
6269404 | July 31, 2001 | Hart et al. |
6279039 | August 21, 2001 | Bhat et al. |
6279040 | August 21, 2001 | Ma et al. |
6282581 | August 28, 2001 | Moore et al. |
6282703 | August 28, 2001 | Meth et al. |
6286047 | September 4, 2001 | Ramanathan et al. |
6298479 | October 2, 2001 | Chessin et al. |
6314558 | November 6, 2001 | Angel et al. |
6327622 | December 4, 2001 | Jindal et al. |
6336138 | January 1, 2002 | Caswell et al. |
6351775 | February 26, 2002 | Yu |
6353616 | March 5, 2002 | Elwalid et al. |
6363053 | March 26, 2002 | Schuster et al. |
6370583 | April 9, 2002 | Fishler et al. |
6381228 | April 30, 2002 | Prieto, Jr. et al. |
6385638 | May 7, 2002 | Baker-Harvey |
6389448 | May 14, 2002 | Primak et al. |
6393484 | May 21, 2002 | Massarani |
6425003 | July 23, 2002 | Herzog et al. |
6430622 | August 6, 2002 | Aiken, Jr. et al. |
6434631 | August 13, 2002 | Bruno et al. |
6434742 | August 13, 2002 | Koepele, Jr. |
6438134 | August 20, 2002 | Chow et al. |
6442164 | August 27, 2002 | Wu |
6457008 | September 24, 2002 | Rhee et al. |
6463459 | October 8, 2002 | Orr et al. |
6470398 | October 22, 2002 | Zargham et al. |
6487578 | November 26, 2002 | Ranganathan |
6487663 | November 26, 2002 | Jaisimha et al. |
6490670 | December 3, 2002 | Collins et al. |
6499137 | December 24, 2002 | Hunt |
6529950 | March 4, 2003 | Lumelsky et al. |
6529985 | March 4, 2003 | Deianov |
6542167 | April 1, 2003 | Darlet et al. |
6553413 | April 22, 2003 | Leighton et al. |
6560613 | May 6, 2003 | Gylfason |
6578055 | June 10, 2003 | Hutchison et al. |
6578068 | June 10, 2003 | Bowman-Amuah |
6580721 | June 17, 2003 | Beshai et al. |
6625650 | September 23, 2003 | Stelliga |
6647422 | November 11, 2003 | Wesinger, Jr. et al. |
6658571 | December 2, 2003 | O'Brien et al. |
6680922 | January 20, 2004 | Jorgensen |
6691312 | February 10, 2004 | Sen et al. |
6711607 | March 23, 2004 | Goyal |
6725456 | April 20, 2004 | Bruno et al. |
6754716 | June 22, 2004 | Sharma |
6760775 | July 6, 2004 | Anerousis et al. |
6779016 | August 17, 2004 | Aziz et al. |
6820117 | November 16, 2004 | Johnson |
6976258 | December 13, 2005 | Goyal |
6976286 | December 20, 2005 | Goyal |
6982984 | January 3, 2006 | Asayesh et al. |
7061899 | June 13, 2006 | Walker et al. |
7111163 | September 19, 2006 | Haney |
7225259 | May 29, 2007 | Ho et al. |
7318152 | January 8, 2008 | Haney |
7441043 | October 21, 2008 | Henry et al. |
7653074 | January 26, 2010 | Asayesh et al. |
7672288 | March 2, 2010 | Iartym |
20030061338 | March 27, 2003 | Stelliga |
64-002145 | January 1989 | JP |
64002145 | January 1989 | JP |
WO 99/39261 | August 1999 | WO |
WO-9939261 | August 1999 | WO |
- Plummer, D. C., An Ethernet Address Resolution Protocol - or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware, Nov. 1982, http://www.msg.net/kadow/answers/extras/rfc/rfc826.txt [retrieved from the Internet Jan. 17, 2000].
- Huang, X. W. et al., “The Entrapid Protocol Development Environment,” Proceedings of IEEE Infocom'99, Mar. 1999, 9 pages.
- Duffield, N. G. et al., “A Flexible Model for Resource Management in Virtual Private Networks,” Computer Communication Review Conference, Computer Communication, ACM SIGCOMM'99 Conference, Cambridge, MA, Aug. 30, 1999-Sep. 3, 1999, pp. 95-108.
- Campbell, A. T. and S. Keshav, “Quality of Service in Distributed Systems,” Computer Communications 21, 1998, pp. 291-293.
- Bach, M.J., “The Design of the Unix® Operating System,” New Delhi, Prentice-Hall of India, 1989, pp. v-x, 19-37.
- McDougall, R. et al., “Resource Management,”, Upper Saddle River, NJ, Prentice Hall, 1999, pp. iii-xix, 135-191.
- Rijsinghani, A., RFC 1624, May 1994, http://www.faqs.org/rfcs/rfc1624.html, [retrieved from the internet Feb. 2, 2000].
- Mallory, T. and Kullberg, A., RFC 1141, Jan. 1990, http://www.faqs.org/rfcs/rfc1141.html, [retrieved online Feb. 2, 2000].
- Egevang, K. and P. Francis, “RFC 1631,” May 1994, http://www.faqs.org/rfcs/rfc1631.html, [retrieved online Feb. 2, 2000].
- Goyal, P. et al., “Start-time Fair Queuing: A Scheduling Algorithm for Integrated Services Packet Switching Networks,” Proceedings of ACM SIGCOMM'96, San Francisco, CA, Aug. 1996, 14 pages.
- Janosi, T., “Notes on ‘A Hierarchical CPU Scheduler for Multimedia Operating Systems’ by Pawan Goyal, Xingang Guo and Harrick Vin,” http://cs.cornell.edu/Info/Courses/Spring-97/CS614/goy.html, [retrieved online May 8, 2000].
- Goyal, P., “Packet Scheudling Algorithms for Integrated Services Networks,” PhD Dissertation, Unviersity of Texas, Austin, TX, Aug. 1997.
- Boehm, B., “Managing Software Productivity and Reuse,” IEEE Computer, vol. 32, No. 9, Sep. 1999, 3 pages.
- Corbato, F. J. et al., “An Experimental Timesharing System,” Proceedings of the American Federation of Information Processing Societies Spring Joint Computer Conference, San Francisco, CA, May 1-3, 1962, pp. 335-344.
- Deutsch, P. and C.A. Grant, “A Flexible Measurement Tool for Software Systems,” Information Processing 71 [Proc. of the IFIP Congress], 1971, pp. 320-326.
- Edjlali, G. et al., “History-based Access Control for Mobile Code,” Fifth ACM Conference on Computer and Communication Security, Nov. 3-5, 1998, 19 pages.
- Erlingsson, U. and Schneider, F. B., “SASI Enforcement of Security Policies: A Retrospective,” Proc. New Security Paradigms Workshop, Apr. 2, 1999, pp. 1-17.
- Erlingsson, U. and Schnieder, F. B., “IRM Enforcement of Java Stack Inspection,” [online], Feb. 19, 2000, [retrieved on Apr. 2, 2002]. Retrieved from the Internet: http://cs-tr.cs.cornell.edu/Dienst/UI2.0/Show—Page/ncstrl.cornell/TR2000-1786.
- Evans, D. and Twyman, A., “Flexible Policy-Directed Code Safety,” Proc. of 1999 IEEE Symposium on Security and Privacy, Oakland, CA, May 9-12, 1999, pp. 1-14.
- Fraser, T. et al., “Hardening COTS Software with Generic Software Wrappers,” Proc. of 1999 IEEE Symposium on Security and Privacy, 1999, 15 pages.
- Goldberg, I. et al., “A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker),” Proc. of the Sixth USENIX UNIX Security Symposium, San Jose, CA, Jul. 1996, 14 pages.
- Goldberg, R. P., “Survey of Virtual Machine Research,” IEEE Computer, Jun. 1974, pp. 34-45.
- Pandey, R. and Hashii, B., “Providing Fine-Grained Access Control for Mobile Programs Through Binary Editing,” Technical Report TR98 08, University of California, Davis, CA, 1998, pp. 1-22.
- Ritchie, D. M., “The Evolution of the Unix Time-Sharing System,” AT&T Bell Laboratories Technical Journal 63, No. 6, Part 2, Oct. 1984, (originally presented 1979), 11 pages.
- Saltzer, J., H. and Schroeder, M. D., “The Protection of Information in Computer Systems,” [online], 1973, [retrieved on Apr. 2, 2002]. Retrieved from the Internet: http://www.cs.virginia.edu˜evans/cs551/saltzer/.
- Wahbe, R. et al., “Efficient Software-Based Fault Isolation,” Proc. of the Symposium on Operating System Principles, 1993, 14 pages.
- Keshav, S., “An Engineering Approach to Computer Networking: ATM Networks, the Internet, and the Telephone Network,” Reading, MA, Addison-Wesley, 1997, pp. vii-xi, 85-115, 209-355, 395-444.
- Stevens, R. W., “UNIX Network Programming vol. 1 Networking APIs: Sockets and XTI,” Upper Saddle River, NJ, Prentice Hall, 1998, pp. v-xiv, 29-53, 85-110, 727-760.
- Tanenbaum, A. S. and Woodhull, A. S., “Operating Systems: Design and Implementation,” Upper Saddle River, NJ, Prentice Hall, 1997, pp. vii-xiv, 1-46, 401-454.
- Rubini, A., “LINUX Device Drivers,” Sebastopol, CA, O'Reilly & Associates, Inc., 1998, pp. v-x, 13-40.
- Goyal, P., et al., “A Hierarchical CPU Scheduler for Multimedia Operating Systems,” Proceedings of the Second Symposium on Operating Systems Design and Implementations (OSDI'96), Seattle, WA, Oct. 1996, 15 pages.
- Laurie, B. and Laurie, P., “Apache the Definitive Guide,” Sebastopol, CA, O'Reilly & Associates, Inc., Feb. 1999, pp. v-viii, 43-74.
- Aho, A. V. and Ullman J. D., “Principles of Complier Design,” Reading, MA, 1977, pp. vii-x, 359-362, 519-522.
- Jonsson, J., “Exploring the Importance of Preprocessing Operations in Real-Time Multiprocessor Scheduling,” Proc. of the IEEE Real-Time Systems Symposium—Work-in-Progress session, San Francisco, CA, Dec. 4, 1997, pp. 31-34.
- Rusling, D. A., “Processes,” http://www.cebaf.gov/ saw/linux/tlk-html/node44.html> [retrieved online Dec. 7, 1999].
- Rusling, D. A., “Linux Processes,” http://www.cebatgov/˜saw/linux/tlk-html/node45.html, [retrieved online Dec. 7, 1999].
- Rusling, D. A., “Identifiers,” http://www.ce-baf.gov/˜saw/linux/tlk-html/node46.html, [retrieved online Dec. 7, 1999].
- Rusling, D. A., “Scheduling,” http://www.ce-baf.gov/˜saw/linux/tlk-html/node47.html, [retrieved online Dec. 7, 1999].
- Rusling, D. A., “Scheduling in Multiprocessor Systems,” http://www.cebaf.gov/˜saw/linux/tlk-html/node48.html, [retrieved online Dec. 7, 1999].
- Rusling, D. A., “Files,” http://www.cebaf.gov/˜saw/linux/tlk-html/node49.html, [retrieved online Dec. 7, 1999].
- Goyal, Pawan et al., “Generalized Guaranteed Rate Scheduling Algorithms: A Framework,” IEEE/ACM Transactions on Networking, vol. 5, No. 4, Aug. 1997, pp. 561-571.
- “Symbol Table,” © 1997, 1998, [Retrieved online Apr. 4, 2003] http://216-239-33-100/search?q=cache:eASXK8qC—-AC:www.caldera.com/developers/gabi/1998-04-29/ch4.s..., pp. 1-5.
- Mitra, Debasis et al., “Hierarchical Virtual Partitioning: Algorithms for Virtual Private Networking,” Bell Labs Technical Journal, Spring, 1997, http://cm.bell-labs.com/cm/ms/who/mitra/paper/globe.ps.
- U.S. Appl. No. 09/503,975, Goyal.
- Plummer, D. C.,An Ethernet Address Resolution Protocol—or—Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware, Nov. 1982, [online], [retrieved on Jan. 17, 2000]. Retrieved from the Internet: <URL:http://www.msg.net/kadow/answers/extras/rfc/rfc826.txt>.
- Rijsinghani, A., RFC 1624, May 1994, [online], [retrieved Feb. 2, 2000]. retrieved from the internet: <URL: http://www.faqs.org/rfcs/rfc1624.html>.
- Mallory, T and Kullberg, A., RFC 1141, Jan. 1990 [online], [retrieved Feb. 2, 2000]. retrieved from the Internet: <URL: http://www.faqs.org/rfcs/rfc1141.html>.
- Egevang, K. and Francis P., RFC 1631, May 1994 [online], [retrieved Feb. 2, 2000]. retrieved from the Internet: <URL: http://www.faqs.org/rfcs/rfc1631.html>.
- Jánosi, T., “Notes on ‘A Hierarchical CPU Scheduler for Multimedia Operating Systems’ by Pawan Goyal, Xingang Guo and Harrick Vin,” [online], [retrieved on May 8, 2000]. Retrieved from the internet: <URL: http://cs.cornell.edu/Info/Courses/Spring-97/CS614/goy.html>.
- Pending U.S. Appl. No. 09/452,286, filed Nov. 30, 1999, entitled “Providing Quality of Service Guarantees to Virtual Hosts”.
- Pending U.S. Appl. No. 09/499,098, filed Feb. 4, 2000, entitled “Selective Interception of System Calls”.
- Pending U.S. Appl. No. 09/498,450, filed Feb. 4, 2000, entitled “Dynamic Scheduling of Task Streams in a Multiple-Resource System to Ensure Task Stream Quality of Service”.
- Pending U.S. Appl. No. 09/500,212, filed Feb. 8, 2000, entitled “Disambiguating File Descriptors”.
- Pending U.S. Appl. No. 09/502,155, filed Feb. 11, 2000, entitled “Restricting Communication Between Network Devices on a Common Network”.
- Pending U.S. Appl. No. 09/503,975, filed Feb. 14, 2000, entitled “Restricting Communication of Selected Processes to a Set of Specific Network Addresses”.
- Rusling, D. A., Processes, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw/linux/tlk-html/node44.html>.
- Rusling, D. A., Linux Processes, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw/linux/tlk-html/node45.html>.
- Rusling, D. A., Identifiers, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw/linux/tlk-html/node46.html>.
- Rusling, D. A., Scheduling, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw/linux/tlk-html/node47.html>.
- Rusling, D. A., Scheduling in Multiprocessor Systems, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw/linux/tlk-html/node48.html>.
- Rusling, D. A., Files, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw/linux/tlk-html/node49.html>.
- Symbol Table, [online] copyright 1997, 1998, [Retrieved on Apr. 4, 2003] Retrieved from the internet <URL: http://216-239-33-100/search?q=cache:eASXK8qC—-AC:www.caldera.com/developers/gabi/1998-04-29/ch4.s..., pp. 1-5.
Type: Grant
Filed: Sep 19, 2007
Date of Patent: Dec 27, 2011
Assignee: Digital Asset Enterprises, L.L.C. (Wilmington, DE)
Inventors: Peter Newman (Mountain View, CA), Pawan Goyal (Mountain View, CA)
Primary Examiner: David Eng
Attorney: Perkins Coie LLP
Application Number: 11/858,091
International Classification: G06F 15/173 (20060101);