UTILITY PATENT APPLICATION TRANSMITTAL
(Large Entity)
(Only for new nonprovisional applications under 37 CFR 1.53(b))

Docket No.: YOR920050160US1
Total Pages in this Submission: 4

Fee Calculation and Transmittal

CLAIMS AS FILED              #Filed       #Allowed      #Extra      Rate        Fee
Total Claims                   28     -      20     =      8    x  $50.00    $400.00
Indep. Claims                   3     -       3     =      0    x  $200.00     $0.00
Multiple Dependent Claims (check if applicable) [ ]                              $0.00

Total # of Pages in Specification:  37
Total # of Drawing Sheets:          18
Total # of Sheets:                  55
Application Size Fee                                                             $0.00
Basic Fee                                                                      $300.00
Search Fee                                                                     $500.00
Examination Fee                                                                $200.00
OTHER FEE (specify purpose): -                                                   $0.00
TOTAL FILING FEE                                                             $1,400.00

[ ] A check in the amount of ________ to cover the filing fee is enclosed.
[X] The Director is hereby authorized to charge and credit Deposit Account No. 50-0510 as described below.
    [X] Charge the amount of $1,400.00 as filing fee.
    [X] Credit any overpayment.
    [X] Charge any additional filing fees required under 37 C.F.R. 1.16 and 1.17.
    [ ] Charge the issue fee set in 37 C.F.R. 1.18 at the mailing of the Notice of Allowance, pursuant to 37 C.F.R. 1.311(b).
[ ] Payment by credit card. Form PTO-2038 is attached.
    WARNING: Information on this form may become public. Credit card information should not be included on this form. Provide credit card information and authorization on PTO-2038.

Dated: January 3, 2007

Customer Number: 48150

cc:

[signed]
John Dresch, Esq. - Registration #46,672
Sean M. McGinn, Esq. - Registration #34,386

McGinn IP Law Group, PLLC
8321 Old Courthouse Road
Suite 200
Vienna, VA 22182-3817

Page 4 of 4

P01ULRG/REV10
`
`Microsoft Ex. 1002, p. 1
`Microsoft v. Daedalus Blue
`IPR2021-00832
`
`
`
Express Mail Label No.:

UTILITY PATENT APPLICATION TRANSMITTAL
(Large Entity)
(Only for new nonprovisional applications under 37 CFR 1.53(b))

Docket No.: YOR920050160US1
Total Pages in this Submission: 4

COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, VA 22313-1450

Transmitted herewith for filing under 35 U.S.C. 111(a) and 37 C.F.R. 1.53(b) is a new utility patent application for an invention entitled:

MOVEABLE ACCESS CONTROL LIST (ACL) MECHANISMS FOR HYPERVISORS AND VIRTUAL MACHINES AND VIRTUAL PORT FIREWALLS

and invented by:

John REDMANN
Debanjan SAHA
Sambit SAHU
Dinesh Chandra VERMA

Assignee: International Business Machines Corporation
Assignee Residence: Armonk, New York 10504

If a CONTINUATION APPLICATION, check appropriate box and supply the requisite information:
[ ] Continuation  [ ] Divisional  [ ] Continuation-in-part (CIP) of prior application No.:
    Which is a:
[ ] Continuation  [ ] Divisional  [ ] Continuation-in-part (CIP) of prior application No.:
    Which is a:
[ ] Continuation  [ ] Divisional  [ ] Continuation-in-part (CIP) of prior application No.:

Enclosed are:

Application Elements

1. [X] Filing fee as calculated and transmitted as described below
2. [X] Specification having 37 pages and including the following:
   a. [X] Descriptive Title of the Invention
   b. [ ] Cross References to Related Applications (if applicable)
   c. [ ] Statement Regarding Federally-sponsored Research/Development (if applicable)
   d. [ ] Reference to Sequence Listing, a Table, or a Computer Program Listing Appendix
   e. [X] Background of the Invention
   f. [X] Brief Summary of the Invention
   g. [X] Brief Description of the Drawings (if filed)
   h. [X] Detailed Description
   i. [X] Claim(s) as Classified Below
   j. [X] Abstract of the Disclosure

Page 1 of 4
`
`
`
`
UTILITY PATENT APPLICATION TRANSMITTAL
(Large Entity)
(Only for new nonprovisional applications under 37 CFR 1.53(b))

Docket No.: YOR920050160US1
Total Pages in this Submission: 4

Application Elements (Continued)

3. [X] Drawing(s) (when necessary as prescribed by 35 USC 113)
   a. [X] Formal     Number of Sheets: 18 (Figs. 1-19)
   b. [ ] Informal   Number of Sheets:

4. [X] Oath or Declaration
   a. [X] Newly executed (original or copy)   [ ] Unexecuted
   b. [ ] Copy from a prior application (37 CFR 1.63(d)) (for continuation/divisional application only)
   c. [X] With Power of Attorney   [ ] Without Power of Attorney
   d. [ ] DELETION OF INVENTOR(S)
      Signed statement attached deleting inventor(s) named in the prior application, see 37 C.F.R. 1.63(d)(2) and 1.33(b).

5. [ ] Incorporation By Reference (usable if Box 4b is checked)
   The entire disclosure of the prior application, from which a copy of the oath or declaration is supplied under Box 4b, is considered as being part of the disclosure of the accompanying application and is hereby incorporated by reference therein.

6. [ ] CD ROM or CD-R in duplicate, large table or Computer Program (Appendix)
7. [ ] Application Data Sheet (See 37 CFR 1.76)
8. [ ] Nucleotide and/or Amino Acid Sequence Submission (if applicable, all must be included)
   a. [ ] Computer Readable Form (CRF)
   b. [ ] Specification Sequence Listing on:
      i.  [ ] CD-ROM or CD-R (2 copies); or
      ii. [ ] Paper
   c. [ ] Statement(s) Verifying Identical Paper and Computer Readable Copy

Accompanying Application Parts

9.  [ ] Assignment Papers (cover sheet & document(s))
10. [ ] 37 CFR 3.73(b) Statement (when there is an assignee)
11. [ ] English Translation Document (if applicable)
12. [X] Information Disclosure Statement/PTO-1449
    [X] Copies of IDS Citations
13. [ ] Preliminary Amendment
14. [X] Return Receipt Postcard (MPEP 503) (Should be specifically itemized)
15. [ ] Certified Copy of Priority Document(s) (if foreign priority is claimed)
16. [ ] Certificate of Mailing
    [ ] First Class  [ ] Express Mail (Specify Label No.):

Page 2 of 4
`
`
`
`
UTILITY PATENT APPLICATION TRANSMITTAL
(Large Entity)
(Only for new nonprovisional applications under 37 CFR 1.53(b))

Docket No.: YOR920050160US1
Total Pages in this Submission: 4

Accompanying Application Parts (Continued)

17. [ ] Additional Enclosures (please identify below):

Request That Application Not Be Published Pursuant To 35 U.S.C. 122(b)(2)

18. [ ] Pursuant to 35 U.S.C. 122(b)(2), Applicant hereby requests that this patent application not be published pursuant to 35 U.S.C. 122(b)(1). Applicant hereby certifies that the invention disclosed in this application has not and will not be the subject of an application filed in another country, or under a multilateral international agreement, that requires publication of applications 18 months after filing of the application.

Warning

An applicant who makes a request not to publish, but who subsequently files in a foreign country or under a multilateral international agreement specified in 35 U.S.C. 122(b)(2)(B)(i), must notify the Director of such filing not later than 45 days after the date of the filing of such foreign or international application. A failure of the applicant to provide such notice within the prescribed period shall result in the application being regarded as abandoned, unless it is shown to the satisfaction of the Director that the delay in submitting the notice was unintentional.

19. [ ] Other:

Page 3 of 4
`
`
`
`
`
`
`
`MCGINN INTELLECTUAL PROPERTY LAW GROUP, PLLC
`A PROFESSIONAL LIMITED LIABILITY COMPANY
`PATENTS, TRADEMARKS, COPYRIGHTS, AND INTELLECTUAL PROPERTY LAW
`8321 OLD COURTHOUSE ROAD, SUITE 200
`VIENNA, VIRGINIA 22182-3817
`TELEPHONE (703) 761-4100
`FACSIMILE (703) 761-2375; (703) 761-2376
`
APPLICATION FOR UNITED STATES LETTERS PATENT

APPLICANTS:

John REDMANN
Debanjan SAHA
Sambit SAHU
Dinesh Chandra VERMA

FOR: MOVEABLE ACCESS CONTROL LIST (ACL) MECHANISMS FOR HYPERVISORS AND VIRTUAL MACHINES AND VIRTUAL PORT FIREWALLS

DOCKET NO.: YOR920050160US1
`
`
`
`1
`
`MOVEABLE ACCESS CONTROL LIST (ACL) MECHANISMS
`
`FOR HYPERVISORS AND VIRTUAL MACHINES
`
`AND VIRTUAL PORT FIREWALLS
`
`BACKGROUND OF THE INVENTION
`
`Field of the Invention
`
`[0001]
`
`The present invention generally relates to a method and system for providing control
`
`of network security of a virtual machine, and more particularly, to a method of virtual machine
`
`migration with filtered network connectivity which includes enforcing network security and
`
`routing at a hypervisor layer at which a virtual machine partition is executed and which is
`
`independent of guest operating systems.
`
`Description of the Related Art
`
`[0002]
`
`In a network-secured environment, host movement means movmg its network
`
`entangled state, which includes routing (e.g., VLAN (virtual local area network) tags, OSPF
`
`(open shortest-path first) host route entries, etc.) and security (e.g., firewall (FW) access control
`
`lists (ACLs), switch ACLs, router ACLs, VLAN tags, etc.) from one machine to another.
`
`[0003]
`
`That is, in order to perform maintenance on or provide a fail-over for a processor
`
`device or machine, it is desirable to move or migrate a virtual machine (VM) from one processor
`
`machine or device to another processor machine or device.
`
`[0004]
`
`For purposes of this disclosure, a virtual machine (VM) generally includes a virtual
`
`data processing system, in which multiple operating systems and programs can be run by the
`
`YOR920050160US1
`(YOR.580)
`
`Microsoft Ex. 1002, p. 10
`Microsoft v. Daedalus Blue
`IPR2021-00832
`
`
`
`2
`
`computer at the same time. Each user appears to have an independent computer with its own
`
`input and output devices.
`
`[0005]
`
`For purposes of this disclosure, logical partitioning (LPAR) generally means the
`
`capability to divide a single physical system into multiple logical or "virtual" systems, each
`
`sharing a portion of the server's hardware resources (such as processors, memory and
`
`input/output (1/0)). Each LPAR runs an independent copy of an operating system. They can
`
`even be different operating system versions or distributions.
`
`[0006]
`
`That is, LPAR generally allows customers to "slice-up" a machine into virtual
`
`partitions, and provides the flexibility to dynamically change the allocation of system resources
`
`for those environments, thereby providing the capability to create multiple virtual partitions
`
`within a processor. Spare capacity can be re-allocated to virtual partitions. Any of the virtual
`
`servers may run on any of the physical processors, meaning that the processor resources are fully
`
`shared, which makes it possible to run the physical server at very high utilization levels.
`
`[0007]
`
`For purposes of this disclosure, dynamic logical partitioning (DLPAR) generally
`
`mcreases flexibility, enabling selected system resources like processors, memory and 1/0
`
`components to be added and deleted from dedicated partitions while they are actively in use.
`
`The ability to reconfigure dynamic LPARs enables system administrators to dynamically
`
`redefine all available system resources to enable optimum capacity for each partition.
`
`[0008]
`
`For purposes of this disclosure, virtual local area network (VLAN or virtual LAN)
`
`generally allows clients to create virtual Ethernet connections to provide high-speed inter(cid:173)
`
`partition communication between logical partitions on a server without the need for network 1/0
`
`adapters and switches. Connectivity outside of the server can be achieved using the virtual 1/0
`
`YOR920050160US1
`(YOR.580)
`
`Microsoft Ex. 1002, p. 11
`Microsoft v. Daedalus Blue
`IPR2021-00832
`
`
`
`3
`
`server partition that acts as an internet protocol (IP) forwarder to the Local Area Network (LAN)
`
`through an Ethernet 1/0 adapter.
`
`[0009]
`
`For purposes of this disclosure, a hypervisor, sometimes referred to as a virtualization
`
`manager, includes a program that allows multiple operating systems, which can include different
`
`operating systems or multiple instances of the same operating system, to share a single hardware
`
`processor. A hypervisor preferably can be designed for a particular processor architecture.
`
`[0010]
`
`Each operating system appears to have the processor, memory, and other resources all
`
`to itself. However, the hypervisor actually controls the real processor and its resources,
`
`allocating what is needed to each operating system in turn.
`
`[0011]
`
`Because an operating system is often used to run a particular application or set of
`
`applications in a dedicated hardware server, the use of a hypervisor preferably can make it
`
`possible to run multiple operating systems (and their applications) in a single server, reducing
`
`overall hardware costs. Production and test systems also preferably can run at the same time in
`
`the same hardware.
`
`In addition, different operating systems preferably can share the same
`
`server.
`
`[0012]
`
`Thus, a hypervisor generally means a scheme which allows multiple operating
`
`systems to run, unmodified, on a host computer at the same time. Such software lets multiple
`
`operating systems run on the same computer, a feature that is particularly useful for
`
`consolidating servers in order to save money, and for extracting as much work as possible from a
`
`single system.
`
`[0013]
`
`As mentioned above, in order to perform maintenance on or provide a fail-over for a
`
`processor device or machine, it is desirable to move or migrate a virtual machine (VM) from one
`
`processor machine or device to another processor machine or device.
`
`YOR920050160US1
`(YOR.580)
`
`Microsoft Ex. 1002, p. 12
`Microsoft v. Daedalus Blue
`IPR2021-00832
`
`
`
`4
`
[0014] With reference to Figures 1-3, conventional approaches to migrating virtual machines from one device (e.g., hardware device) to another device (e.g., hardware device) will be described.

[0015] Figure 1 illustrates an exemplary system 100 which can include a plurality of virtual machines (VM) (101) controlled by switches (e.g., SWA1-SWB5) (102) connected by an Internet Service Provider (ISP) (103) and protected by firewalls FW1 and FW2 (104).

[0016] As mentioned above, in a network-secured environment, host movement means moving its network entangled state, which includes routing and security, from one machine to another.

[0017] In Figure 2, the network entangled state of virtual machine VM 205 (e.g., hypervisor 206; NIC1 207, VNIC 210, switch1 208, and firewall FW1 209) is copied to virtual machine VM' 215 (e.g., hypervisor 216; NIC2 217, VNIC (virtual network interface card) 210, switch2 218, and firewall FW2 219). In Figure 2, there is no ACL at switch2 (318), which means every virtual machine could be masqueraded. Also, at the firewall FW2 (219), there is no selection of which virtual machine can go where.

[0018] As illustrated in Figure 2, conventional systems (e.g., 200) generally do not include ACLs. Also, the firewall FW2 does not include a selection of which virtual machine can be accessed. Thus, the conventional systems provide very little security, and routing generally is provided by OSPF advertised host routes.

[0019] Figure 3 illustrates another conventional system in which routing is taken care of by OSPF advertised host routes. Figure 3 illustrates a conventional system in which restrictive ACLs are included in the switch2 and the firewall FW2 includes restrictions for access.
`
`[0020]
`
`In Figure 3, the network entangled state of virtual machine VM 305 (e.g., hypervisor
`
`306; NICl 307, VNIC 310, switchl 308, and firewall FWl 309) is copied to virtual machine
`
`VM' 315 (e.g., hypervisor 316; NIC2 317, VNIC 310, switch2 318, and firewall FW2 319). As
`
`illustrated in Figure 3, in the conventional systems, the restrictive ACLs are provided, for
`
`example, at switch2 (318). The firewall FW2 also includes restrictions.
`
`[0021]
`
`Thus, the conventional systems and methods require a complex update scheme to
`
`update the ACLs in the real switches and the filters in the firewalls to migrate a virtual machine
`
`from one machine to another machine.
`
`[0022]
`
`Generally, conventional virtual machine systems and methods provide very little
`
`network security.
`
`In the conventional systems and methods, routing generally is provided by
`
`open shortest-path first (OSPF) advertised host routes. Conventional systems and methods
`
`generally do not include access control lists (ACLs) and security generally is only as good as
`
`security at each individual machine.
`
`[0023]
`
`For example, one conventional system and method relates to virtualizing computer
`
`systems on the same host practical. Some conventional methods relate to arbitration of access to
`
`shared resources on the same host when multiple operating systems attempt to access the shared
`
`resource.
`
`In particular, one conventional method focuses on the ability to virtualize shared
`
`memory page tables, which to date had not been successfully addressed in direct execution
`
`virtual machines. The conventional method does not, however, address network virtualization,
`
`in which a virtual machine is to be network addressable, which is addressed herein below by the
`
`present invention. Instead, the conventional method merely relates to a virtual machine that is
`
`addressable but that does not migrate its network-entangled state.
`
`YOR920050160US1
`(YOR.580)
`
`Microsoft Ex. 1002, p. 14
`Microsoft v. Daedalus Blue
`IPR2021-00832
`
`
`
`6
`
`[0024]
`
`Another exemplary method and device relates to a mechanism for restoring, porting,
`
`replicating and check pointing computer systems using state extraction. This conventional
`
`method covers the ability to initiate migration of a virtual machine from one system to another.
`
`Particularly, the conventional method and device discusses the migration of peripheral state in
`
`which the peripheral is assumed to be a hardware resource that is emulated. However, such
`
`conventional methods and devices do not discuss the much more flexible and efficient possibility
`
`of capturing application state, such as the state of a firewall or routing that pertains to a particular
`
`movable partition, which is addressed herein below by the present invention.
`
`Instead, these
`
`conventional methods and devices merely focus on device control, which, as the ordinarily
`
`skilled artisan would know and understand, is not the same as ( or equivalent to) the
`
`establishment of logical rules that govern the interaction of a migrated virtual machine with the
`
`rest of the network infrastructure, as described herein below by the present invention. These
`
`conventional methods and devices also do not disclose or suggest, however, that a logical device
`
`needs to be bootstrapped and/or that device state in the network needs to be revoked upon
`
`migration of a virtual machine partition, as described herein below by the present invention
`
`[0025]
`
`Other conventional systems and methods relate to a logical partition manager. These
`
`methods discuss the possibility of feeding information that is created within a logical partition
`
`(guest, or virtual machine) back to a partition manager. These conventional methods discuss the
`
`operating system (OS) itself applying security controls and routing in a special partition. The
`
`crux of these conventional methods is so-called paravirtualization.
`
`[0026]
`
`In paravirtualization, the partition manager "trusts" the partition OS to cooperate with
`
`the other partitions. These conventional systems suffer from a serious security flaw that an
`
`undermined OS can disable access protection that prevents remote control software from
`
`YOR920050160US1
`(YOR.580)
`
`Microsoft Ex. 1002, p. 15
`Microsoft v. Daedalus Blue
`IPR2021-00832
`
`
`
`7
`
`manipulating an operating system instance running within a logical partition (guest or virtual
`
`machine). These conventional methods, therefore, cannot be used to implement access controls
`
`unless additional security inventions secure the shared state and control across partitions in
`
`reliable manner. These conventional methods do not discuss how the network access controls
`
`may have to be reset on copying a virtual machine from one computer to another, which is
`
`addressed herein below by the present invention. These conventional methods also do not
`
`discuss how network access control and routing is to be maintained.
`
`[0027]
`
`Other conventional systems and methods relate to virtual machine operating system
`
`local area networks (LANs), and describe a system for defining and creating virtual network
`
`adapters within a hypervisor for the use by guest virtual machines. These conventional systems
`
`and methods do not discuss access controls and routing problems pertaining to a virtual machine
`
`being copied across the network, which are addressed and solved herein below by the present
`
`invention.
`
`[0028]
`
`Other conventional systems and methods relate to preservation of a computer system
`
`processing state in a mass storage device. These conventional systems and methods describe
`
`how the state of a computer should be stored in a mass storage device. These conventional
`
`systems and methods do not describe how the storage should be extended to also capture state
`
`that is external to the processor's addressable memory, which is addressed herein below by the
`
`present invention.
`
SUMMARY OF THE INVENTION

[0029] In view of the foregoing and other exemplary problems, drawbacks, and disadvantages of the conventional methods and systems, an exemplary feature of the present invention is to provide a method and system for providing control of network security of a virtual machine, and more particularly, to a method of virtual machine migration with filtered network connectivity which includes enforcing network security and routing at a hypervisor layer at which a virtual machine partition is executed and which is independent of guest operating systems.
`
`[0030]
`
`As mentioned above, in order to perform maintenance on or provide a fail-over for a
`
`processor device or machine, it is desirable to move or migrate a virtual machine (VM) from one
`
`processor machine or device to another processor machine or device. However, conventional
`
`systems and methods require a complex scheme to update and install ACLs in the real switches
`
`of the machines and update and install firewalls. Also, the conventional systems and methods
`
`provide very little security.
`
`[0031]
`
`The exemplary method and system of the present invention can provide control of
`
`network security of a virtual machine by enforcing network security and routing at a hypervisor
`
`layer at which a virtual machine partition is executed and which is independent of guest
`
`operating systems.
`
`[0032]
`
`The exemplary aspects of the present application preferably can provide a hypervisor
`
`security architecture designed and developed to provide a secure foundation for server platforms,
`
`providing numerous beneficial functions, such as, strong isolation, mediated sharing and
`
`communication between virtual machines. These properties can all be strictly controlled by a
`
`flexible access control enforcement engine, which also can enforce mandatory policies.
`
`[0033]
`
`The exemplary features of the invention also can provide attestation and integrity
`
`guarantees for the hypervisor and its virtual machines.
`
`
`[0034]
`
`For example, the present invention exemplarily defines a computer implemented
`
`method of controlling network security of a virtual machine, including enforcing network
`
`security and routing at a hypervisor layer.
`
`[0035]
`
`Particularly, the present invention defines a computer implemented method of virtual
`
`machine migration with filtered network connectivity, including enforcing network security and
`
`routing at a hypervisor layer which is independent of guest operating systems.
`
`[0036]
`
`The exemplary method of the present invention can include, for example, copying
`
`network security and routing for the virtual machine to the hypervisor layer, migrating the virtual
`
`machine from a first hardware device to a second hardware device, updating routing controls for
`
`the virtual machine at the hypervisor level, updating traffic filters for the virtual machine at the
`
`hypervisor level, and advertising the migration of the virtual machine from the first hardware
`
`device to the second hardware device.
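The migration steps of [0036] (copy the VM's network security and routing state to the hypervisor layer, migrate, update routing controls and traffic filters at the hypervisor, advertise the move), as an added toy model in Python. It is not code from this application or from IBM; every name in it (Rule, Packet, VirtualPort, Hypervisor, Fabric, migrate_vm) and the addresses and ACL it uses are constructed for the illustration. It shows the virtual port filter moving with the VM, the source host being left with no state for that VM, and the host route pointing at the new hypervisor.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "*"
    src_net: str          # source network in CIDR form
    dport: Optional[int]  # destination port, None = any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

@dataclass
class VirtualPort:
    """Virtual port firewall: a first-match ACL the hypervisor enforces on the
    VM's VNIC, outside both the guest OS and the physical switch (constructed)."""
    vm_ip: str
    acl: List[Rule]

    def permits(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        for r in self.acl:
            if (r.proto in ("*", pkt.proto)
                    and src in ipaddress.ip_network(r.src_net)
                    and (r.dport is None or r.dport == pkt.dport)):
                return r.action == "allow"
        return False  # implicit default deny

@dataclass
class Hypervisor:
    name: str
    ports: Dict[str, VirtualPort] = field(default_factory=dict)  # VM name -> port

    def deliver(self, pkt: Packet) -> str:
        """A frame reaches this host: apply the owning VM's filter, if the VM is here."""
        for vm, port in self.ports.items():
            if port.vm_ip == pkt.dst:
                return f"{vm}:accept" if port.permits(pkt) else f"{vm}:drop"
        return "no-route"  # VM not hosted here: state never installed or revoked

class Fabric:
    """Stand-in for the advertised host routes: which hypervisor owns a VM IP."""

    def __init__(self) -> None:
        self.host_routes: Dict[str, Hypervisor] = {}

    def advertise(self, vm_ip: str, hv: Hypervisor) -> None:
        self.host_routes[vm_ip] = hv

    def send(self, pkt: Packet) -> str:
        hv = self.host_routes.get(pkt.dst)
        return "unreachable" if hv is None else hv.deliver(pkt)

def migrate_vm(vm: str, src: Hypervisor, dst: Hypervisor, fabric: Fabric) -> VirtualPort:
    """The steps of [0036]: the VM's filter and host route travel with the VM."""
    old = src.ports[vm]
    new = VirtualPort(old.vm_ip, list(old.acl))  # copy security/routing state
    dst.ports[vm] = new                          # install traffic filter at destination
    del src.ports[vm]                            # revoke the state at the source host
    fabric.advertise(old.vm_ip, dst)             # advertise the VM's new location
    return new

def run_demo() -> Dict[str, object]:
    """Constructed scenario: VM 'web' moves from hv1 to hv2 and keeps its ACL."""
    fabric, hv1, hv2 = Fabric(), Hypervisor("hv1"), Hypervisor("hv2")
    web_acl = [
        Rule("allow", "tcp", "0.0.0.0/0", 443),   # HTTPS from anywhere
        Rule("allow", "tcp", "10.1.0.0/16", 22),  # SSH only from the admin network
        Rule("deny", "*", "0.0.0.0/0", None),     # everything else
    ]
    hv1.ports["web"] = VirtualPort("10.1.2.3", web_acl)
    fabric.advertise("10.1.2.3", hv1)

    https = Packet("tcp", "198.51.100.7", "10.1.2.3", 443)
    ssh_admin = Packet("tcp", "10.1.0.9", "10.1.2.3", 22)
    ssh_outside = Packet("tcp", "198.51.100.7", "10.1.2.3", 22)
    flows = (https, ssh_admin, ssh_outside)

    before = [fabric.send(p) for p in flows]
    migrate_vm("web", hv1, hv2, fabric)
    after = [fabric.send(p) for p in flows]
    return {
        "before": before,                  # ['web:accept', 'web:accept', 'web:drop']
        "after": after,                    # identical: the policy moved with the VM
        "owner_after": fabric.host_routes["10.1.2.3"].name,  # 'hv2'
        "stale_host": hv1.deliver(https),  # 'no-route': nothing left at the source
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because the ACL is attached to the hypervisor-level virtual port rather than to switch2 or FW2 in the figures above, no physical-switch or firewall update is needed for the filtering to remain correct after the move.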
`
`[0037]
`
`On the other hand, an exemplary system for controlling network security of a virtual
`
`machine by enforcing network security and routing at a hypervisor layer, according to the
`
`present invention, includes a copying unit that copies network security and routing for the virtual
`
`machine to the hypervisor layer, a migrating unit that migrates the virtual machine from a first
`
`hardware device to a second hardware device, a first updating unit that updates routing controls
`
`for the virtual machine at the hypervisor level, a second updating unit that updates traffic filters
`
`for the virtual machine at the hypervisor level, and an advertising unit that advertises the
`
`migration of the virtual