Title: Secure packet management for bare metal access
Abstract: Secure networking processes, such as packet encapsulation and decapsulation, can be executed upstream of a user or guest operating system provisioned on a host machine, where the user has substantially full access to that machine. The processing can be performed on a device such as a network interface card (NIC), which can have a separate network port for communicating with mapping systems or other devices across a cloud or secure network. A virtual image of the NIC can be provided to the user such that the user can still utilize at least some of the NIC functionality. In some embodiments, the NIC can work with a standalone processor or control host in order to offload much of the processing to the control host. The NIC can further handle headers and payload separately where possible, in order to improve the efficiency of processing the various packets.
Publication number: US8959611(B1) Publication date: 2015.02.17
Application number: US200912556432 Filing date: 2009.09.09
Applicant: Amazon Technologies, Inc. Inventors: Vincent Pradeep; Marr Michael David
Classification: H04L29/06 Main classification: H04L29/06
Agency: Novak Druce Connolly Bove + Quigg LLP Agent: Novak Druce Connolly Bove + Quigg LLP
Principal claim: 1. A computer-implemented method for processing data packets in an electronic environment, comprising: provisioning, by at least one computer system, a guest operating system (OS) on a host machine and granting the guest OS native access to a central processing unit (CPU) of the host machine; preventing the guest OS from having native access to a portion of a physical network interface of the host machine utilized for encapsulation; receiving a packet to the physical network interface on the host machine, the physical network interface capable of transmitting packets of data between a secure environment and a user environment, wherein if the packet is received from the user environment, the physical network interface is configured to: determine a mapping of a first address of the packet in the user environment to a second address of the packet in the secure environment, the mapping obtained from a mapping service residing outside of the host machine using a port in the physical network interface that is inaccessible by the CPU as it runs the guest OS; encapsulate the packet to include header information that references the second address; and forward the packet to the second address; and wherein if the packet is received from the secure environment, the physical network interface is configured to: determine a mapping of the second address of the packet in the secure environment to the first address of the packet in the user environment, the mapping obtained from the mapping service using the port inaccessible to the CPU as it runs the guest OS; encapsulate the packet to include header information that references the first address; and forward the packet to the first address.
Address: Reno NV US
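As an added illustration of the data path described in the abstract and the principal claim (example code written for this record, not Amazon's implementation): the guest OS is handed only a virtual NIC with send/receive, while the physical NIC resolves user-environment addresses through a mapping-service control port the guest cannot reach, wraps outbound packets in an outer header carrying the secure-environment addresses, and on the inbound side maps the secure address back and drops any packet whose outer header disagrees with the inner destination. The class names, the sample addresses and the mismatch check are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str                         # source address, in the sender's address space
    dst: str                         # destination address, in the sender's address space
    payload: bytes = b""
    inner: "Packet | None" = None    # encapsulated packet when this is an outer header

class MappingService:
    """Resides outside the host; reachable only via the NIC's private control port."""
    def __init__(self, user_to_secure: dict):
        self._u2s = dict(user_to_secure)
        self._s2u = {s: u for u, s in user_to_secure.items()}
    def to_secure(self, user_addr: str) -> str:
        return self._u2s[user_addr]
    def to_user(self, secure_addr: str) -> str:
        return self._s2u[secure_addr]

class PhysicalNIC:
    """Sits upstream of the guest and owns the control port the guest CPU cannot reach."""
    def __init__(self, mapping: MappingService):
        self._control_port = mapping
    def from_user(self, pkt: Packet) -> Packet:
        """Guest -> secure environment: map both endpoints, wrap in an outer header."""
        outer_src = self._control_port.to_secure(pkt.src)
        outer_dst = self._control_port.to_secure(pkt.dst)
        return Packet(outer_src, outer_dst, inner=pkt)   # forwarded to outer_dst
    def from_secure(self, pkt: Packet) -> "Packet | None":
        """Secure environment -> guest: map back, deliver inner packet, drop on mismatch."""
        if pkt.inner is None:
            return None                                   # not an encapsulated packet
        user_dst = self._control_port.to_user(pkt.dst)
        if pkt.inner.dst != user_dst:
            return None                                   # outer/inner header disagree
        return Packet(pkt.inner.src, user_dst, pkt.inner.payload)

class VirtualNIC:
    """The NIC image presented to the guest: send/receive only, no control port."""
    def __init__(self, nic: PhysicalNIC):
        self._send, self._recv = nic.from_user, nic.from_secure
    def send(self, pkt: Packet) -> Packet:
        return self._send(pkt)
    def receive(self, pkt: Packet) -> "Packet | None":
        return self._recv(pkt)

def demo():  # constructed sample: two guest addresses and their secure-network counterparts
    mapping = MappingService({"10.0.0.1": "192.168.50.1", "10.0.0.2": "192.168.50.2"})
    vnic = VirtualNIC(PhysicalNIC(mapping))
    outer = vnic.send(Packet("10.0.0.1", "10.0.0.2", b"hello"))
    return outer, vnic.receive(outer)
```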