NETWORK SWITCHING WITH CO-RESIDENT DATA-PLANE AND NETWORK INTERFACE CONTROLLERS

20230040655 · 2023-02-09

    Abstract

    A system with co-resident data-plane and network interface controllers embodying a method for network switching of a data packet incoming from a network at a packet input processor portion of a network interface resource comprising the packet input processor, a packet output processor, and a network interface controller, implemented as a module or a single chip, to a target entity via either the network interface controller or the packet input processor is disclosed.

    Claims

    1. A method for network switching with co-resident data-plane processors and network interface controller, comprising: receiving a packet from a network at a medium access controller; selecting by the medium access controller a data-plane packet input processor or the network interface controller of a network interface resource comprising: the data-plane packet input processor, a data-plane packet output processor, and the network interface controller; and providing the packet received from the network to the network interface controller or the data-plane packet input processor in accordance with the selecting.

    2. The method as claimed in claim 1, wherein the network interface resource is implemented as a single chip or a hybrid circuit.

    3. The method as claimed in claim 1, wherein the network interface resource is implemented as a module, comprising at least one or more chips or a hybrid circuit.

    4. The method as claimed in claim 1, wherein the selecting by the medium access controller of the data-plane packet input processor or the network interface controller of the network interface resource comprises: determining a content of the packet by the medium access controller; and providing the packet to the data-plane packet input processor or to the network interface controller of the network interface resource in accordance with the determined content of the packet.

    5. The method as claimed in claim 1, wherein the selecting by the medium access controller of the data-plane packet input processor or the network interface controller of the network interface resource comprises: determining a state of a register; and providing the packet to the data-plane packet input processor or to the network interface controller of the network interface resource in accordance with the determined state of the register.

    6. The method as claimed in claim 1, wherein the selecting by the medium access controller of the data-plane packet input processor or the network interface controller of the network interface resource comprises: determining a state of a register; determining a content of the packet; and providing the packet to the data-plane packet input processor or to the network interface controller of the network interface resource in accordance with the determined state of the register and the content of the packet.

    7. The method as claimed in claim 1, wherein upon providing the packet to the data-plane packet input processor, the method further comprises: processing the packet by the data-plane packet input processor to determine a target entity; providing the packet to a storage; and notifying a packet handling entity that a packet for the target entity is available.

    8. The method as claimed in claim 7, further comprising: requesting the packet by the target entity; and processing the packet by the packet handling entity in accordance with a packet management policy.

    9. The method as claimed in claim 8, wherein processing the packet by the packet handling entity in accordance with the packet management policy comprises: discarding the packet.

    10. The method as claimed in claim 8, wherein processing the packet by the handling entity in accordance with the packet management policy comprises: providing the packet to a different destination entity than the target entity.

    11. The method as claimed in claim 8, wherein processing the packet by the packet handling entity in accordance with the packet management policy comprises: providing the packet to the target entity upon determining that the target entity instantiated a data plane.

    12. The method as claimed in claim 8, wherein processing the packet by the packet handling entity in accordance with the packet management policy comprises: providing the packet to the target entity via the data-plane packet output processor, a loopback entity and the network interface controller upon determining that the target entity did not instantiate or is not capable of instantiating a data-plane.

    13. The method as claimed in claim 8, wherein processing the packet by the packet handling entity in accordance with the packet management policy comprises: switching the packet route on layer 2 and layer 3.

    14. A network interface apparatus, comprising: a network interface resource comprising a data-plane packet input processor, a data-plane packet output processor, and a network interface controller; and at least one medium access controller, communicatively coupled to network facing inbound and outgoing interfaces of the network interface controller, a network facing outgoing interface of the packet output processor, a network facing inbound interface of the packet input processor, and at least one loopback entity; wherein the medium access controller is configured to: select the data-plane packet input processor or the network interface controller; and provide a packet received from a network to the network interface controller or to the data-plane packet input processor in accordance with the selection.

    15. The apparatus as claimed in claim 14, wherein the network interface resource is implemented as a single chip or a hybrid circuit.

    16. The apparatus as claimed in claim 14, wherein the network interface resource is implemented as a module, comprising at least one or more chips or a hybrid circuit.

    17. The network interface apparatus as claimed in claim 14, wherein the medium access controller selects the data-plane packet input processor or the network interface controller by being configured to: determine a content of the packet; and provide the packet to the data-plane packet input processor or to the network interface controller of a network interface resource in accordance with the determined content of the packet.

    18. The network interface apparatus as claimed in claim 14, wherein the medium access controller selects the data-plane packet input processor or the network interface controller by being configured to: determine a state of a register; and provide the packet to the data-plane packet input processor or to the network interface controller of a network interface resource in accordance with the determined state of the register.

    19. The network interface apparatus as claimed in claim 14, wherein the medium access controller selects the data-plane packet input processor or the network interface controller by being configured to: determine a state of a register; determine a content of the packet; and provide the packet to the data-plane packet input processor or to the network interface controller of the network interface resource in accordance with the determined state of the register and the content of the packet.

    20. The network interface apparatus as claimed in claim 15, wherein upon receiving the packet, the data-plane packet input processor is configured to: process the packet to determine a target entity; provide the packet to a storage; and notify a packet handling entity that a packet for the target entity is available.

    21. The method as claimed in claim 20, wherein the target entity is configured to request the packet; and the packet handling entity is configured to process the packet in accordance with a packet management policy.

    22. The method as claimed in claim 21, wherein the packet handling entity configured to process the packet in accordance with a packet management policy determines to discard the packet.

    23. The method as claimed in claim 21, wherein the packet handling entity configured to process the packet in accordance with a packet management policy determines to provide the packet to a different destination entity than the target entity.

    24. The method as claimed in claim 21, wherein the packet handling entity configured to process the packet in accordance with a packet management policy determines to provide the packet to the target entity that instantiated a data plane.

    25. The method as claimed in claim 21, wherein the packet handling entity configured to process the packet in accordance with a packet management policy determines to provide the packet, via the data-plane packet output processor, a loopback entity and the network interface controller, to the target entity that did not instantiate or is not capable of instantiating a data-plane.

    26. The network interface apparatus as claimed in claim 21, wherein the packet handling entity configured to process the packet in accordance with a packet management policy determines to switch the packet route on layer 2 and layer 3.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0019] The foregoing aspects described herein will become more readily apparent by reference to the following description when taken in conjunction with the accompanying drawings wherein:

    [0020] FIG. 1 depicts a conceptual structure of a virtualization system in accordance with known aspects;

    [0021] FIG. 2 depicts a conceptual structure of a network interface resource in accordance with an aspect of this disclosure;

    [0022] FIG. 3a depicts a first part of a flow chart enabling the process for switching between a NIC and a packet input processor (PKI)/packet output processor (PKO) for an incoming packet in accordance with an aspect of this disclosure;

    [0023] FIG. 3b depicts a second part of the flow chart enabling the process for switching between a NIC and a packet input processor (PKI)/packet output processor (PKO) for an incoming packet in accordance with an aspect of this disclosure;

    [0024] FIG. 4a depicts a first part of a flow chart enabling the process for switching between the NIC and the PKI/PKO for an outgoing packet in accordance with an aspect of this disclosure;

    [0025] FIG. 4b depicts a second part of the flow chart enabling the process for switching between the NIC and the PKI/PKO for an outgoing packet in accordance with an aspect of this disclosure.

    [0026] The description of like structural elements among the figures is not repeated; like elements have reference numerals differing by an integer multiple of 100, i.e., reference numeral 102 in FIG. 1 becomes reference numeral 202 in FIG. 2, unless differences and/or alternative aspects are explicitly noted. An expression “_X” in a reference indicates an instance of an element, while an expression “(X)” indicates a sub-block in a drawing where helpful for better understanding. Any unreferenced single and/or double-arrow line indicates a possible information flow between the depicted entities.

    DETAILED DESCRIPTION

    [0027] Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by a person having ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and this disclosure.

    [0028] As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprise,” “comprises,” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. The term “and/or” includes any and all combinations of one or more of the associated listed items.

    [0029] The term “communicatively coupled” is intended to specify a communication path permitting information exchange either directly among the communicatively coupled entities, or via an intervening entity.

    [0030] Various disclosed aspects may be illustrated with reference to one or more exemplary configurations. As used herein, the term “exemplary” means “serving as an example, instance, or illustration,” and should not necessarily be construed as preferred or advantageous over other configurations disclosed herein.

    [0031] Various aspects of the present invention will be described herein with reference to drawings that are schematic illustrations of conceptual configurations of the present invention, unless explicitly noted. The various aspects of this disclosure are provided to enable a person having ordinary skill in the art to practice the present invention. Modifications to the various aspects presented throughout this disclosure will be readily apparent to a person having ordinary skill in the art, and the concepts disclosed herein may be extended to other applications.

    [0032] FIG. 2 depicts a conceptual structure of a network interface resource 206 in accordance with an aspect of this disclosure. The structure 206 provides at least a NIC 218, a packet input processor (PKI) 220, and a packet output processor (PKO) 222. In one aspect, the structure is implemented on a single chip, designed to minimize power consumption, chip area, input/output pin-out and other chip characteristics. Thus, such a structure does not simply place two individual chips on a single piece of silicon material but comprises a monolithic chip. A chip comprises a semiconductor material onto which a set of electronic circuits is fabricated.

    [0033] In another aspect, the structure 206 is implemented as a hybrid circuit, comprising at least two separate monolithic chips, which are interconnected together with optional supporting components, bonded to a common substrate, and encapsulated. By means of an example, each of the components, i.e., the NIC 218, the packet input processor (PKI) 220, and the packet output processor (PKO) 222, comprises a monolithic chip. Alternatively, a combination of two components, e.g., the packet input processor (PKI) 220 and the packet output processor (PKO) 222, comprises one monolithic chip, and the third component, e.g., the NIC 218, comprises a different monolithic chip. The optional supporting components comprise, e.g., capacitors, resistors, and other components known to a person of ordinary skill in the art.

    [0034] In yet another aspect, the structure 206 is implemented as a module. Such a module comprises the monolithic chip or the hybrid circuit mounted on a printed circuit board, optionally together with additional supporting components providing additional functionality, e.g., input/output interfaces, interconnections, and other functionality known to a person of ordinary skill in the art. Such supporting components can be implemented as chips/integrated circuits and/or discrete components.

    [0035] An advantage of the hybrid circuit or the module is that an improved functionality of one of the components improves the functionality of the hybrid circuit or the module without a need to make changes to the other components of the hybrid circuit or module, e.g., the interfaces to the other entities disclosed in FIG. 2.

    [0036] A data packet from a communications network (not shown) arrives via one of the physical connectors/ports 224 and is provided to a communicatively coupled medium access controller (MAC) 226, a hardware or a hardware and software entity that implements a media access control data communication protocol. In one aspect, the MAC 226 is also provided on either the module or the single chip. The MAC 226 emulates a full-duplex logical communication channel in a multi-point network and provides the data packet to either the NIC 218 or the PKI 220. Although only two physical connectors/ports 224 and MACs 226 are shown, other numbers of ports and MACs are contemplated.

    [0037] In one aspect, the MAC 226 selects the NIC 218 or the PKI 220 based on a value in a register (not shown), thus statically assigning the MAC 226 to either the NIC 218 or the PKI 220. In computer architecture, a processor register is a small amount of storage available as part of a CPU or other digital processor. Such registers are (typically) addressed by mechanisms other than main memory and can be accessed more quickly. Such a static assignment may be used to associate a connector/port, e.g., 224(1), with the NIC 218, e.g., because the connector/port 224(1) is already preceded by a router/switch using a network processor that carries out packet management efficiently.

    [0038] In another aspect, the MAC 226 selects the NIC 218 or the PKI 220 in accordance with a content of the data packet, e.g., a source address, a destination address, or any other content known to a person of ordinary skill in the art.

    [0039] In yet another aspect, the MAC 226 selects the NIC 218 or the PKI 220 in accordance with a combination of the foregoing aspects.

    [0040] Consider first that the MAC 226 selects the NIC 218. The data packet is provided via a network facing inbound interface to a parser 218(1), which parses the data packet in accordance with an implementation of any of the family of computer networking technologies, e.g., Ethernet, the Internet Protocol (IP), the TCP, and other computer networking technologies known to a person of ordinary skill in the art, to determine the type of protocol used, and to apply some packet management, e.g., Quality of Service (QoS), to the data packets. The NIC 218 ascertains that the packet is valid by performing verification, e.g., a Cyclic Redundancy Check (CRC). The NIC 218 then requests a memory manager 228 to allocate a portion of a storage 204/205 to receive the data packet and another portion of the storage 204/205 to receive additional information. The additional information may comprise a complete packet descriptor, or a list of commands which form a packet descriptor. The packet descriptor information may comprise, e.g., information on the addresses in the storage 204/205 at which the different parts of the data packet, e.g., a header and a payload, are located, and other information known to a person of ordinary skill in the art. The allocated portion of the storage may comprise, e.g., a buffer, i.e., a region of a physical storage used to temporarily store data while it is being moved from one place to another. The double reference 204/205 is meant to indicate that the storage may be distributed between the chip comprising the network interface resource 206, identified by reference 205, and an off-chip storage, identified by reference 204, residing on the system served by the network interface resource 206.

    [0041] Once the storage 204/205 has been allocated, the NIC 218 writes the data packet and the additional information to the allocated portion of the storage 204/205. In one aspect, the NIC 218 may use e.g., Direct Memory Access (DMA) engine 218(2), which allows the storage 204/205 to be accessed independently of a central processing unit. In accordance with an implementation trading throughput against latency, the NIC 218 sends an interrupt to a kernel. Thus, in one aspect, when latency is critical, the NIC 218 may send the interrupt after processing each packet; in another aspect, the NIC 218 may accumulate several packets into the storage 204/205 before sending the interrupt.

    [0042] The kernel executes an interrupt handler routine, performs packet processing related to packet management, e.g., switching/routing, packet/frame discrimination, Quality of Service (QoS) enforcement, access control, encryption, Transmission Control Protocol (TCP) offload processing, and other packet management known to a person skilled in the art, and determines and delivers the data packet to the destination entity 230. The destination entity 230 may comprise a component of the kernel, the operating system, or any other entity of the system served by the network interface resource 206. At the destination entity 230 the delivered packet is placed in a queue (not shown) for processing. Methods for queue management by the destination entity 230, e.g., tail drop, backpressure, random early discard, and Quality of Service, are well known to a person of ordinary skill in the art. A queue is an organization of data into a structure in which entities, i.e., the data comprising a packet, are kept and are retrievable in a definite order.

    [0043] When the entity 230 needs to send data out over the communication network, in one aspect the entity 230 requests the memory manager 228 to allocate a portion of the storage 204/205 to receive a complete packet descriptor, or a list of commands which form a packet descriptor, and notifies the transmit DMA engine 218(3). In another aspect, the entity 230 requests the kernel to process the data for a transmission. In response, the kernel requests the memory manager 228 to allocate a portion of the storage 204/205 to receive a complete packet descriptor, or a list of commands which form a packet descriptor, and notifies the transmit DMA engine 218(3). In yet another aspect, the entity 230 requests the kernel to process the data for a transmission. In response, the kernel itself allocates a portion of the storage 204/205 to receive a complete packet descriptor, or a list of commands which form a packet descriptor, and notifies the transmit DMA engine 218(3). The DMA engine 218(3) reads the packet descriptors and provides the data packet via a network facing outgoing interface to the MAC 226. Alternatively, the DMA engine 218(3) executes the list of commands, assembles a packet from the data, and provides the data packet to the MAC 226. The MAC 226 then transmits the data packet to the communication network via the physical connector/port 224(1).

    [0044] Consider now that the MAC 226 selects the PKI 220. The data packet is provided via a network facing interface to a parser 220(1), which parses the data packet in accordance with an implementation of any of the family of computer networking technologies, e.g., Ethernet, the Internet Protocol (IP), the TCP, and other computer networking technologies known to a person of ordinary skill in the art. In accordance with parameters obtained from fields of the parsed data packet, the PKI 220 determines a software or hardware entity, e.g., the entity 232, to receive and process the data packet. The parameters may comprise, e.g., the port at which the incoming packet was received, a destination MAC address, a destination IP address, and other fields known to a person skilled in the art. The entity 232 may comprise, e.g., an operating system, an application executed by the operating system, such an application including a virtual machine, a hard disk, or any other entity known to a person of ordinary skill in the art.

    [0045] The PKI 220 then requests the memory manager 228 to allocate a portion of the storage 204/205 to receive the data packet. Such a portion of the storage may comprise, e.g., a buffer. Once the PKI 220 writes the data packet via an inside facing interface to the allocated portion of the storage 204/205, the PKI 220 provides an event notification to a packet handling software entity 234 that a data packet for the entity 232 is available. Such a notification may comprise providing information to the packet handling software entity 234 via a scheduler (not shown). Once the software entity 232 is ready to obtain work involving the data packet, the software entity 232 requests work from the scheduler. The term work means any operation to be carried out by the software entity 232. The scheduler retrieves the work, in the form of the instructions to be processed and an address of the data packet(s) on which the work is to be carried out, and provides the work to the entity 232. The entity 232 then requests the data packet from the storage 204/205, and the data packet is processed by the packet handling software entity 234, which processes the packet in accordance with a packet management policy and provides the packet to the entity 232 if the policy allows such delivery.

    [0046] In one aspect, the packet handling software entity 234 may implement functionality related to packet management, e.g., layer 2 (L2) switching, layer 3 (L3) switching, traffic policing, access control, traffic shaping, deep packet inspection, and other packet management known to a person of ordinary skill in the art.

    [0047] As appreciated by a person of ordinary skill in the art, L2 switching uses the MAC address from the host's network interface resource to decide where to forward a frame. L3 switching uses a routable protocol address from the frame. Such a routable protocol may comprise, e.g., IP, Internetwork Packet Exchange (IPX), AppleTalk, and others known to a person of ordinary skill in the art. In traditional systems, the switching functionality is implemented in hardware, i.e., in an Application Specific Integrated Circuit (ASIC). Such an ASIC is not necessary in an aspect of the invention. Since the packet handling software entity 234 is implemented on already existing hardware, i.e., a coprocessor, of the network interface resource 206, the functionality related to packet management may be implemented as additional software on that hardware. Thus, there may be no hardware cost, in terms of, e.g., additional chip area or power consumption, for this packet management function. A coprocessor is a computer processing unit used to supplement the functions of the central processing unit. Supplemental functions performed by the coprocessor may be floating point arithmetic, graphics, signal processing, string processing, encryption, or I/O interfacing with peripheral devices. The coprocessor carries out these functions under the close control of a supervisory processing unit.

    [0048] When the entity 232 needs to send data out over the communication network, the entity 232 requests the memory manager 228 to allocate a portion of the storage 204/205 to receive a complete packet descriptor, or a list of commands which form a packet descriptor, and notifies the PKO's 222 transmit DMA engine 222(2). The DMA engine 222(2) reads the packet descriptors via the PKO's 222 inside facing interface and provides the data packet to the MAC 226. Alternatively, the DMA engine 222(2) executes the list of commands, assembles a packet from the data, and provides the data packet via the PKO's 222 network facing interface to the MAC 226. The MAC 226 then transmits the data packet to the communication network via the physical connectors/ports 224.

    [0049] The conceptual structure 206 providing at least a NIC and a PKI/PKO on a single chip enables use of the chip in applications requiring use of both the NIC and the PKI/PKO. By means of an example, consider the virtualized system 100 disclosed in FIG. 1. The operating system 108 may need to use the NIC portion of the network resource 106, while the virtual machine 112(1), which instantiates a data-plane, may need to use the PKI/PKO portion of the network resource 106. Additionally, the chip allows providing packet management, including switching of a packet to the operating system 108 and/or other entities communicating via a kernel, even if the packet arrives at the PKI/PKO portion of the network resource 106. Such functionality may allow a packet intended for a plurality of destinations, e.g., a broadcast packet or a multicast packet, to reach all destinations. In addition, even if an entity, e.g., a virtual machine 112(2), is capable of instantiating a data-plane, the entity may still prefer to receive packets via the NIC portion of the network resource 106 because, due to the difference between interrupt driven software, i.e., an operating system, and event driven software, i.e., a data-plane, the application executing on the virtual machine 112(2) may make better use of the kernel's capabilities. Thus, the packet may be directed to the PKI/PKO portion of the network resource 106, use some of the efficient packet management functionality of the network processor, and then be routed via the NIC portion of the network resource 106 to use the kernel's capabilities.

    [0050] Referring back to the conceptual structure 206, to enable communication between the NIC 218 and the PKI 220 and the PKO 222, respectively, hardware loopback entities 236, 238 are provided.

    [0051] FIG. 3 depicts a flow chart enabling the process for switching between the NIC and the PKI/PKO for an incoming packet. To further clarify the relationship between the flow chart of FIG. 3 and certain elements of the conceptual structure of the virtualization system 100, disclosed in greater detail in FIG. 1 and the associated text, and the network resource 206, disclosed in FIG. 2 and the associated text, references to the structural elements are given in parentheses.

    [0052] In step 302, a hypervisor (110) initiates entities that configure a specific operation of the virtual system (100), e.g., the hypervisor (110), the virtual machine(s) (112), i.e., structures (114), and the network resources (106), i.e., register (114). The process continues in step 304.

    [0053] In step 304, a data packet from a communications network arrives via one of physical connectors/ports (224_n) and is provided to a MAC (226). The process continues in step 306.

    [0054] In step 306, the MAC (226) determines whether the packet should be provided to a NIC (218) or to the PKI (220). The determination is carried out in accordance with a specific implementation.

    [0055] Thus, in one aspect, the MAC (226) selects the NIC (218) or the PKI (220) in accordance with a content of the data packet, e.g., a source address, a destination address, or any other content known to a person of ordinary skill in the art.

    [0056] In another aspect, the MAC (226) determines a value of the variable in the register (114). When the variable has a first value, the MAC (226) selects the NIC (218); when the variable has a second value, the MAC (226) selects the PKI (220).

    [0057] In yet another aspect, the variable in the register (114) is a multi-state variable. When the variable has a first value, the MAC (226) selects the NIC (218); when the variable has a second value, the MAC (226) selects the PKI (220); and when the variable has a third value, the decision is carried out in accordance with the content of the data packet.

    [0058] A person skilled in the art will appreciate that other implementations of the decision process are within the scope of the invention.

    [0059] The process continues in step 308 when the MAC (226) determined that the packet is to be delivered to the NIC (218), and the process continues in step 314 when the MAC (226) determined that the packet is to be delivered to the PKI (220).

    [0060] In step 308, the packet is delivered to the NIC (218). The process continues in step 310.

    [0061] In step 310, the NIC (218) processes the packet as disclosed infra and sends an interrupt to a kernel. The process continues in step 312.

    [0062] In step 312, the kernel processes the packet as disclosed infra, and delivers the data packet to a queue of the destination entity (230) for processing as disclosed infra.

    [0063] In step 314, the packet is delivered to the PKI (220). The process continues in step 316.

    [0064] In step 316, the PKI (220) processes the packet to determine a target software or hardware entity (232) to receive and process the data packet as disclosed infra. The process continues in step 318.

    [0065] In step 318, the data packet is written to the allocated portion of the memory (204/205), and the packet handling software entity (234) is notified that a data packet for the entity (232) is available as disclosed infra. The process continues in step 320.

    [0066] In step 320, the target software or hardware entity (232) that has obtained work involving the data packet requests the data packet(s) from the packet handling software entity (234) as disclosed infra. The process continues in step 322.

    [0067] In step 322, the packet handling software entity (234) processes the packet in accordance with a packet management policy. The packet management policy for the packet is determined in accordance with criteria that may be based on the fields in the packet, the rate of traffic, and other criteria known to a person of ordinary skill in the art. By means of an example, the fields in the packet, e.g., the source or the destination MAC or IP address, may be used for access control; the data portion, and possibly the header of the packet, may be used for deep packet inspection for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may be passed, be discarded, or be re-routed to a different destination. By means of another example, the rate of the traffic may be used for traffic policing and/or traffic shaping. The process continues in step 324 when the packet handling software entity (234) determines that the packet needs to be discarded or be re-routed to a different destination; otherwise, the process continues in step 326.

    [0068] In step 324, the packet is dropped or re-routed to another entity, e.g., an intrusion detection entity.

    [0069] In step 326, if the PKI (220) determined that the target entity to receive the packet is an entity that instantiated a data-plane, the processing continues in step 328. Otherwise, the packet is provided to the PKO (222), and the processing continues in step 330.

    [0070] In step 328, the packet is delivered to the target entity.

    [0071] In step 330, the packet is processed by the PKO (222) as disclosed infra. The process continues in step 332.

    [0072] In step 332, the PKO (222) provides the packet to the NIC (218) via a loopback entity (236), since the destination entity (232) to receive and process the data packet is incapable of, or does not instantiate, a data-plane. The processing continues in step 334.

    [0073] In step 334, the NIC (218) processes the data packet as disclosed infra and sends an interrupt to a kernel. The process continues in step 336.

    [0074] In step 336, the kernel processes the packet as disclosed infra and delivers the data packet to a queue of the destination entity (232) for processing as disclosed infra. The process ends.

    [0075] FIG. 4 depicts a flow chart enabling the process for switching between the NIC and PKI/PKO for an outgoing packet. To further clarify the relationship between the flow chart of FIG. 4 and certain elements of the conceptual structure of a virtualization system 100 disclosed in greater detail in FIG. 1 and associated text, and the network resource 206 as disclosed in FIG. 2 and associated text, references to the structural elements are in parentheses.

    [0076] In block 402, a hypervisor (110) initiates entities that configure a specific operation of the virtual system (100), e.g., the hypervisor (110), the virtual machine(s) (112), i.e., structures (114), and the network resources (106), i.e., register (114). The process continues in block 404.

    [0077] In block 404, an entity of the virtual system (100), e.g., an entity (230) running as a guest on virtual machine (112(1)), needs to send data out over the communication network. In one aspect, the entity (230) requests the memory manager (228) to allocate a portion of the storage (204/205) to receive a complete packet descriptor, or a list of commands which form a packet descriptor, and notifies the NIC (218), e.g., the transmit DMA engine (218(3)). The process continues in block 408. In another aspect, the entity (230) requests the kernel to process the data for a transmission. The process continues in block 406.

    [0078] In block 406, the kernel requests the memory manager (228) to allocate a portion of the storage (204/205) to receive a complete packet descriptor, or a list of commands which form a packet descriptor, and notifies the NIC (218), e.g., the transmit DMA engine (218(3)). The process continues in block 408.

    [0079] In block 408, the DMA engine 218(3) reads the packet descriptors or, alternatively, executes the list of commands and assembles a packet from the data, and provides the data packet via the loopback entity (238) to the PKI (220). The process continues in block 410.

    [0080] In block 410, the PKI (220) processes the packet to determine a target software or hardware entity to receive and process the data packet as disclosed infra. When the PKI (220) determines that the target software or hardware entity is within the virtual system (100), e.g., an entity (232) running as a guest on virtual machine (112(2)), the process continues in block 412; otherwise the process continues in block 422.

    [0081] In block 412, the data packet is written to the allocated portion of the memory (204/205), and the packet handling software entity (234) is notified that a data packet for the entity (232) is available as disclosed infra. The process continues in step 414.

    [0082] In step 414, the target software or hardware entity (232) that has obtained work involving the data packet requests the data packet(s) from the packet handling software entity (234) as disclosed infra. The process continues in step 416.

    [0083] In step 416, the packet handling software entity (234) processes the packet in accordance with a packet management policy. The packet management policy for the packet is determined in accordance with different criteria. Such criteria may be based on the fields in the packet, the rate of traffic, and other criteria known to a person of ordinary skill in the art. By means of an example, the fields in the packet, e.g., the source or the destination MAC or IP address, may be used for access control; the data portion, and possibly the header of the packet, may be used for deep packet inspection for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may be passed, be discarded, or be re-routed to a different destination. By means of another example, the rate of the traffic may be used for traffic policing and/or traffic shaping. The process continues in step 418 when the packet handling software entity (234) determines that the packet needs to be discarded or be re-routed to a different destination; otherwise, the process continues in step 420.

    [0084] In step 418, the packet is dropped or re-routed to another entity, e.g., an intrusion detection entity.

    [0085] In step 420, the packet is delivered to the queues of the target entity (232).

    [0086] In step 422, the packet is delivered to the packet handling software entity (234). The process continues in block 424.

    [0087] In step 424, the packet handling software entity (234) processes the packet in accordance with a packet management policy. The packet management policy for the packet is determined in accordance with criteria that may be based on the fields in the packet, the rate of traffic, and other criteria known to a person of ordinary skill in the art. By means of an example, the fields in the packet, e.g., the source or the destination MAC or IP address, may be used for access control; the data portion, and possibly the header of the packet, may be used for deep packet inspection for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may be passed, be discarded, or be re-routed to a different destination. By means of another example, the rate of the traffic may be used for traffic policing and/or traffic shaping. The process continues in step 418 when the packet handling software entity (234) determines that the packet needs to be discarded or be re-routed to a different destination; otherwise, the process continues in step 426.

    [0088] In step 426, the packet is delivered to the PKO (222). The process continues in step 428.

    [0089] In step 428, the packet is processed by the PKO (222) as disclosed infra. The process continues in step 430.

    [0090] In step 430, the PKO (222) provides the packet to the output port (224) via the MAC (226), since the destination entity to receive and process the data packet is outside the virtual system (100). The process ends.
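    The following model, added here as an illustration and not part of the disclosure, shows the two decision points the flow charts rely on: the MAC (226) selecting the NIC (218) or the PKI (220) from the register (114) variable and the packet content ([0055]-[0057], step 306), and the packet management policy that the packet handling software entity (234) applies at steps 322, 416 and 424. The names Mode, Packet, Policy, the destination-MAC content rule and the packet-count rate limit are assumptions chosen for the example; the disclosure names the criteria but does not fix them.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):           # value of the variable in register (114), [0056]-[0057]
    NIC = 1                 # first value: MAC (226) always selects the NIC (218)
    PKI = 2                 # second value: MAC (226) always selects the PKI (220)
    BY_CONTENT = 3          # third value: decide from the content of the packet

class Verdict(Enum):        # outcome of the packet management policy
    PASS = "pass"
    DISCARD = "discard"
    REROUTE = "reroute"     # e.g. hand over to an intrusion detection entity

@dataclass
class Packet:               # constructed packet model; only fields the rules inspect
    dst_mac: str
    src_ip: str
    payload: bytes = b""

def mac_select(mode, pkt, dataplane_macs):
    """MAC (226) picks the path (step 306). Under BY_CONTENT the assumed content
    rule is: frames whose destination MAC is owned by a data-plane entity go to
    the PKI (220); every other frame goes to the NIC (218)."""
    if mode is Mode.NIC:
        return "NIC"
    if mode is Mode.PKI:
        return "PKI"
    return "PKI" if pkt.dst_mac in dataplane_macs else "NIC"

@dataclass
class Policy:               # packet handling software entity (234), steps 322/416/424
    blocked_src_ips: set = field(default_factory=set)  # access control on IP fields
    dpi_signatures: tuple = ()                          # deep packet inspection
    rate_limit: int = 10                                # packets allowed per window
    seen: int = 0                                       # packets seen this window

    def new_window(self):                               # called once per policing window
        self.seen = 0

    def decide(self, pkt):
        if pkt.src_ip in self.blocked_src_ips:
            return Verdict.DISCARD                      # access control
        if any(sig in pkt.payload for sig in self.dpi_signatures):
            return Verdict.REROUTE                      # suspicious content
        self.seen += 1
        if self.seen > self.rate_limit:
            return Verdict.DISCARD                      # traffic policing
        return Verdict.PASS
```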

    [0091] The various aspects of this disclosure are provided to enable a person having ordinary skill in the art to practice the present invention. Various modifications to these aspects will be readily apparent to persons of ordinary skill in the art, and the concepts disclosed therein may be applied to other aspects without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

    [0092] Therefore, by means of an example, a person having ordinary skill in the art will understand that the flow chart is not exhaustive because certain steps may be added or be unnecessary and/or may be carried out in parallel based on a particular implementation.

    [0093] All structural and functional equivalents to the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the various aspects described throughout this disclosure that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the claims. Such illustrative logical blocks, modules, circuits, and algorithm steps may be implemented as electronic hardware, computer software, or combinations of both.

    [0094] Those of skill in the art would understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.

    [0095] Moreover, nothing disclosed herein is intended to be dedicated to the public regardless of whether such disclosure is explicitly recited in the claims. No claim element is to be construed under the provisions of 35 U.S.C. § 112, sixth paragraph, unless the element is expressly recited using the phrase “means for” or, in the case of a method claim, the element is recited using the phrase “step for.”