1. Field of the Invention
The disclosed technology relates to the field of computer devices and resources.
2. Related Art
Networked systems exchange information across a network by sending data packets that encapsulate the information being exchanged. These data packets generally include a unique destination address or identifier for the data packet's destination (destinations for multicast and broadcast packets). The uniqueness of the address/identifier is in accordance with the definitions of MAC-48, EUI-48™ and EUI-64™ as defined/used in networking standards known to one skilled in the art. Networked systems require that the address/identifier be unique so that the data packet can be directed to its intended destination. The data packet also contains a source address/identifier to identify which device/resource emitted the data packet onto the network. One skilled in the art will understand that there are additional details related to broadcast and multicast data packets.
Each address/identifier that complies with the previously referenced definitions comprises two primary fields. The first field is a 24-bit identifier often referred to as an “organizationally unique identifier” (OUI) which is uniquely assigned by the IEEE Registration Authority to a requesting organization (such as a networking device manufacturer). The requesting organization is responsible for maintaining uniqueness by providing unique values for the second field (which is the “extension identifier”). The address/identifier is a concatenation of these two fields. Often, an address/identifier is permanently (or semi-permanently) installed into a networking device or permanently (or semi-permanently) associated with a specific service and is hence termed a “universally administered MAC identifier” or a “burned-in address/identifier” (because the universally administered MAC identifier is commonly “burned-into” a read-only-memory installed in a network interface card (NIC) or other “network-interface-device”).
The MAC-48 and EUI-48 definitions are syntactically indistinguishable from one another and are assigned from the same numbering space. The EUI-64 definition uses an expanded numbering space that provides an expansion of the currently available address/identifiers. MAC-48, EUI-48™ and EUI-64™ are commonly referred to as the “Media Access Control (MAC) address”, the “MAC identifier”, the “hardware address”, the “Ethernet address”, etc.
For the rest of this disclosure, the term “MAC identifier” is used to mean any address/identifier that is used to identify a specific device or service on a network. One skilled in the art will understand that the terms “MAC address” and “MAC identifier” are equivalent, can be used interchangeably, and that for the rest of this document the use of one implies the use of the other.
The MAC identifier can be used by the “layer 2” networking protocols. On the Internet, the Address Resolution Protocol (ARP) converts an address in a layer 3 protocol (for example, an IP address) to a MAC identifier.
A “locally administered MAC identifier” is assigned to a device by a network administrator, and overrides the universally administered MAC identifier (the “burned-in” address). Locally administered MAC identifiers should not contain organizationally unique identifiers assigned by the IEEE (but see the subsequent discussion on “cloning”). Locally administered MAC identifiers are distinguished from universally administered MAC identifiers by a bit in the MAC identifier.
A typical host network-interface-device includes a burned-in MAC identifier. The burned-in MAC identifier is inserted into the “source” field of a data packet when the data packet is transmitted by the host network-interface-device. Furthermore, the host network-interface-device will examine all the data packets it receives and if the destination address/identifier in the data packet matches the burned-in MAC identifier, the host network-interface-device will accept the information within the data packet. Generally, the host network-interface-device will not accept data packets unless they are specifically addressed to the host network-interface-device, addressed as a multicast recognized by the host network-interface-device, or as a broadcast. However, the host network-interface-device can be conditioned to be in promiscuous mode so that all data packets seen by the host network-interface-device are provided to the next protocol level and the host network-interface-device provides no data packet filtering. Data packets sent by the host network-interface-device contain the host network-interface-device's active MAC identifier in the source field of the data packet.
For the rest of this disclosure, the term “burned-in MAC identifier” refers to the universally administered MAC identifier; the term “active MAC identifier” refers to the MAC identifier that is transmitted and/or recognized by a networking device or service; and the term “spoofed/cloned MAC identifier” refers to a universally administered MAC identifier that is not the universally administered MAC identifier assigned to the network interface card by the device's manufacturer, or a universally administered MAC identifier of another network-interface-device (and the like).
There are situations where it is useful for the active MAC identifier to be other than the burned-in MAC identifier (a universally administered MAC identifier). Some devices allow the burned-in MAC identifier to be changed. However, it is more common to “clone” the MAC identifier by providing the device with a capability of accepting and using a universally administered MAC identifier other than the universally administered MAC identifier provided by the device's manufacturer. There are numerous reasons why the ability to specify the MAC identifier is useful. These reasons include providing support for Layer 2 authentication in a firewall system (where the firewall monitors specific locally administered MAC identifiers that are periodically changed). Changing the MAC identifier is also useful when modifying a network if, for example, an internet service provider registers the universally administered MAC identifier of the device that directly connects to the ISP. Thus, if a user changes the ISP connection device, the user either must re-register the universally administered MAC identifier of the changed connection device with the ISP or clone the universally administered MAC identifier of the prior device in the changed connection device.
Turning now to difficulties related to MAC identifiers when used within some virtualized computing environments. One example of a virtualized computing environment includes a host computer system that executes an operating system (that can be a commonly-used operating system such as Solaris®, LINUX® or Microsoft Windows XP®) and/or a specialized virtualization operating system such as a hypervisor or other “virtual machine monitor”. The host operating system or hypervisor manages the host computer's resources. The hypervisor can also mimic the hardware of a second computer system (using any one or combination of techniques known to one skilled in the art) such that installing the operating system on a virtual machine appears to be identical to installing on an actual physical computer.
A “virtual machine monitor” generally is an application program that executes subject to the host operating system and mimics the hardware of a second computer system whereas a hypervisor generally is an operating system that directly provides virtualization support for virtual computers. Both approaches provide a virtualized computing environment and this document uses the terms interchangeably.
The virtualized computing environment enables a host computer system to emulate other systems. For example, a computer manufactured by SUN Microsystems that is executing the Solaris® operating system and a hypervisor application can simultaneously execute programs in the host environment and at the same time mimic a processor (such as one manufactured by Intel Corporation) that is executing applications that use a windowing operating system (such as one provided by Microsoft Corporation) in a guest environment; and at the same time can also mimic a processor manufactured by Sun Microsystems that executes an unstable research operating system that is prone to crash the emulated system; all without disruption to the other virtualized computing environments executing in the real host computer. Thus, critical errors in one virtualized computing environment that crash the virtual computer will not impact the other virtualized computing environments.
The virtual computers have one or more virtual network-interface-devices. A single host network-interface-device can be carved into multiple virtual network-interface-devices each needing its own MAC identifier. The virtual network-interface-devices behave just like any other real (non-virtual) NIC for the rest of the system. NIC vendors are beginning to provide host network-interface-devices that have multiple universally administered MAC identifiers and/or multiple address slots for storing additional MAC identifiers.
One difficulty when using a host network-interface-device in a host computer environment where that host network-interface-device is used to support guest environments is that the traditional host network-interface-device only has one MAC identifier. Thus, without more, each guest environment as well as the host environment uses the same MAC identifier, which requires significant out-of-protocol processing to determine the actual destination for the data packet.
One way this problem is addressed is by configuring the virtual network-interface-device with a locally administered MAC identifier which is then used for emitting data packets through the network-interface-device, and placing the host network-interface-device into promiscuous mode (which allows all incoming data packets to be accepted by the host) and distributing the received data packets to the appropriate virtual NIC in accordance with the MAC identifier in the destination field of the data packet.
There are a number of difficulties that arise when the host network-interface-device is operated in promiscuous mode. These include, but are not limited to, performance impacts on the host computer because each data packet on the network must be examined by a higher protocol layer as the NIC does not filter any data packet; and security impacts because each data packet is copied into computer memory and thus jeopardizes network security (for example a malicious user or administrator could capture passwords etc.).
Hence, what is needed is a method and an apparatus for allowing virtual network-interface-devices to use additional MAC identifiers without the problems of the above-described techniques.