End-to-end security for virtual private service chains

US9979704B2 · US · B2

Patent metadata
Publication number: US-9979704-B2
Application number: US-201414573564-A
Country: US
Kind code: B2
Filing date: Dec 17, 2014
Priority date: Dec 17, 2014
Publication date: May 22, 2018
Grant date: May 22, 2018

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A first virtual machine is established in a virtual private service chain to provide a first network service to virtual private service chain traffic. A second virtual machine is also established in the virtual private service chain to provide a second network service to the virtual private service chain traffic. The virtual private service chain traffic is encrypted for transmission within the virtual private service chain from the first virtual machine to the second virtual machine, wherein the encryption uses a key shared by the first and second virtual machines.

First claim

Opening claim text (preview).

What is claimed is:

  1. A method comprising: establishing a first virtual machine in a virtual private service chain associated with a tenant to provide a first network service to virtual private service chain traffic, wherein the virtual private service chain is established within a service platform provided by a service provider hosting a plurality of virtual private service chains for a plurality of tenants; establishing a second virtual machine in the virtual private service chain to provide a second network service to the virtual private service chain traffic; receiving an encryption key from a key server arranged outside the service platform and maintained by the tenant; encrypting the virtual private service chain traffic at the first virtual machine for transmission within the virtual private service chain from the first virtual machine to the second virtual machine using the encryption key, and transmitting the traffic from the first virtual machine to the second virtual machine within the service platform.

  2. The method of claim 1, wherein the traffic is decrypted at the second virtual machine for application of the second network service.

  3. The method of claim 2, wherein the traffic is encrypted at a first virtual network interface card of the first virtual machine internal to the virtual private service chain, and the traffic is decrypted at a second virtual interface card of the second virtual machine internal to the virtual private service chain.

  4. The method of claim 1, wherein the key server is a group controller key server.

  5. The method of claim 1, wherein the encryption key is different from a key used to encrypt external traffic prior to the external traffic entering the virtual private service chain.

  6. The method of claim 1, wherein the encryption is performed according to a Group Domain of Interpretation (GDOI) protocol.

  7. The method of claim 1, further comprising: decrypting the virtual private service chain traffic at the second virtual machine; and applying the second network service to the virtual private service chain traffic.

  8. The method of claim 1, wherein establishing the second virtual machine comprises establishing the second virtual machine on a same physical network node on which the first virtual machine is established.

  9. The method of claim 1, wherein establishing the second virtual machine comprises establishing the second virtual machine on a same virtual switch on which the first virtual machine is established.

  10. The method of claim 1, wherein establishing the second virtual machine comprises establishing the second virtual machine on a physical network node that is different from a physical network node on which the first virtual machine is established.

  11. A method comprising: retrieving an encryption key from a shared key server, wherein the retrieval of the encryption key is performed by a first virtual machine within a virtual private service chain associated with a tenant and is established within a service platform provided by a service provider hosting a plurality of virtual private service chains for a plurality of tenants, and wherein the shared key server is arranged outside the service platform and maintained by the tenant; receiving, at the first virtual machine from a second virtual machine within the virtual private service chain, traffic encrypted with the encryption key; decrypting the traffic using the encryption key; applying network services to the decrypted traffic; re-encrypting the decrypted traffic using the encryption key; and transmitting the traffic through the virtual private service chain.

  12. The method of claim 11, wherein the traffic is decrypted at an interface of the first virtual machine internal to the virtual private service chain.

  13. The method of claim 11, wherein the key server provides the encryption key to the first virtual machine and second virtual machine.

  14. The method of claim 11, wherein: the key server is a group controller key server.

  15. The method of claim 11, wherein the encryption key is different from a key used to encrypt the virtual private service chain traffic prior to the virtual private service chain traffic entering the virtual private service chain.

  16. The method of claim 11, wherein retrieving the encryption key comprises retrieving the encryption key according to a Group Domain of Interpretation (GDOI) protocol.

  17. The method of claim 11, wherein the first virtual machine and the second virtual machine are established on a same physical network node.

  18. An apparatus comprising: a network interface unit to enable communication over a network; and a processor coupled to the network interface unit, that: establishes a first virtual machine within a virtual private service chain associated with a tenant to provide a first network service to virtual private service chain traffic, wherein the virtual private service chain is established within a service platform provided by a service provider hosting a plurality of virtual private service chains for a plurality of tenants; retrieves via the first virtual machine an encryption key from a shared key server arranged outside the service platform and maintained by the tenant; receives, from a second virtual machine within the virtual private service chain, traffic encrypted with the encryption key; decrypts via the first virtual machine the traffic using the encryption key; applies network services to the decrypted traffic via the first virtual machine; re-encrypts the decrypted traffic using the encryption key via the first virtual machine; and causes the traffic to be sent through the virtual private service chain.

  19. The apparatus of claim 18, wherein the processor decrypts the traffic at an interface of the first virtual machine internal to the virtual private service chain.

  20. The apparatus of claim 18, wherein the key server provides the encryption key to the first virtual machine and second virtual machine.

  21. The apparatus of claim 18, wherein the processor retrieves the encryption key from a group controller key server.

  22. The apparatus of claim 18, wherein the processor retrieves the encryption key that is different from a key used to encrypt external traffic prior to the external traffic entering the virtual private service chain.

  23. The apparatus of claim 18, wherein the processor retrieves the encryption key according to a Group Domain of Interpretation (GDOI) protocol.

  24. The apparatus of claim 18, wherein the first virtual machine and the second virtual machine are established on a same physical network node.

Assignees

Inventors

Classifications

  • by securing the transmission between two devices or processes · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • Isolation or security of virtual machine instances · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • Network integration; Enabling network access in virtual machine instances · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9979704B2 cover?
A first virtual machine is established in a virtual private service chain to provide a first network service to virtual private service chain traffic. A second virtual machine is also established in the virtual private service chain to provide a second network service to the virtual private service chain traffic. The virtual private service chain traffic is encrypted for transmission within the vi…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0428. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 22, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).