Virtualization technology is important in the server field. Specifically, virtualization software such as VMware (registered trademark) and Xen (registered trademark) makes it possible to operate one physical machine as a plurality of virtual machines (VM: Virtual Machine) (refer, for example, to Non-Patent Literature 1). This enables efficient server operation.
FIG. 1 is a block diagram showing a typical virtual machine environment. In FIG. 1, a plurality of virtual machines are constructed on one physical machine. Each virtual machine has a communication unit, such as a protocol stack, for communicating with other virtual machines and the physical machine. The communication unit performs communication through a virtual network interface.
Typically, the plurality of virtual machines are managed by management software such as a hypervisor. The management software is included in the virtualization software and operates on the physical machine like the virtual machines. The management software has a virtual switch. The virtual switch, which is a software-based packet switch, relays communications between the virtual machines and communications between a virtual machine and the physical machine.
There is also a known technology that encrypts communication according to a cryptography protocol such as SSL (Secure Sockets Layer) in order to increase communication security (refer to Patent Literature 1). FIG. 2 shows a case where each virtual machine performs cryptography processing. As shown in FIG. 2, the cryptography processing function is implemented in each virtual machine individually. It should be noted that, in the present description, "cryptography processing" includes both encryption processing and decryption processing.
FIG. 3 shows a case where the management software has a filtering function. The filtering function determines whether or not a packet includes specific data and, if it does, performs predetermined processing on the packet. For example, the filtering function drops a packet if a specific character string is included in the data section of the packet.
Let us consider a case where each virtual machine in FIG. 3 performs encrypted communication. In this case, the communication content (packet data) is encrypted, and the management software may not be able to execute the filtering processing. The reason is that the management software does not have a decryption function. Therefore, as matters now stand, it is necessary, as shown in FIG. 4, to first execute decryption processing in a decryption processing virtual machine and then execute the filtering processing in the management software. Such processing increases the overhead of the filtering processing, which is not desirable. Such a problem can arise in a spam mail filtering system, for example. A similar problem can also arise, for example, in a case where the management software has a regular expression search function.
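The filtering problem described above can be reproduced in a few lines. The following is an added example, not part of the original description: it runs the same string filter over plaintext, over encrypted packets (the FIG. 3 case) and over packets decrypted first (the FIG. 4 case). The toy XOR keystream cipher stands in for SSL, and all names, keys and sample packets are constructed assumptions.

```python
import hashlib

BLOCKED = b"cheap-pills"  # constructed filter string

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in for SSL record
    encryption (assumption); symmetric, so it also decrypts. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def filter_packet(data: bytes) -> str:
    """Filtering function: drop if the string is in the data section."""
    return "drop" if BLOCKED in data else "forward"

def switch_filter_only(packets):
    """Management software without a decryption function (FIG. 3 case)."""
    return [filter_packet(ct) for _nonce, ct in packets]

def switch_decrypt_then_filter(packets, key):
    """Decrypt first, then filter (FIG. 4 case). Returns the verdicts and the
    number of extra decryption passes, i.e. the added per-packet overhead."""
    verdicts, decrypts = [], 0
    for nonce, ct in packets:
        plaintext = toy_cipher(key, nonce, ct)
        decrypts += 1
        verdicts.append(filter_packet(plaintext))
    return verdicts, decrypts

# Constructed sample traffic between two virtual machines.
KEY = b"constructed-session-key"
PLAINTEXTS = [b"Subject: meeting at 10", b"Subject: cheap-pills today only"]
PACKETS = [(bytes([n]), toy_cipher(KEY, bytes([n]), p))
           for n, p in enumerate(PLAINTEXTS)]

if __name__ == "__main__":
    print("plaintext :", [filter_packet(p) for p in PLAINTEXTS])
    print("encrypted :", switch_filter_only(PACKETS))
    print("decrypted :", switch_decrypt_then_filter(PACKETS, KEY))
```

The filter only produces the correct verdict once every packet has gone through an additional decryption pass, which is the overhead the paragraph above refers to.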
Also, in recent years, a cryptography processing accelerator that performs the cryptography processing at high speed may be installed in the physical machine, as shown in FIG. 5. The cryptography processing accelerator may be incorporated into hardware such as an expansion card or may be implemented as a software program. Here, let us consider a case where the virtual machine performs the cryptography processing by utilizing the cryptography processing accelerator of the physical machine. In this case, the virtual machine typically uses an interface different from the virtual network interface in order to utilize the cryptography processing accelerator. Therefore, a mechanism that performs scheduling between virtual machines and exclusive access control is required.