Systems and methods for application-specific access to virtual private networks

US 10,348,686 B2
Filed: 08/17/2015
Issued: 07/09/2019
Est. Priority Date: 06/06/2013
Status: Active Grant

First Claim

Patent Images

1. A method, performed at an electronic device that includes a processor, a memory, and a network interface, comprising:

generating, by an application executing on the device, a request for a network data flow to a virtual private network (VPN);

comparing identification information associated with the application against a set of rules stored on the memory, wherein the set of rules identifies conditions for the application to be authorized to access the VPN;

establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the VPN;

executing a VPN agent in user space, wherein the VPN agent includes a VPN plugin; and

diverting the network data flow to the VPN agent as opposed to entering a Transport Connection Protocol (TCP)/Internet Protocol (IP) stack, wherein the VPN plugin tunnels the network data flow over a VPN tunnel.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are systems and methods utilizing application-specific access to a virtual private network (“VPN”). A method may comprise receiving, from an application executing on a device, a request for a network data flow to a private network, comparing identification information associated with the application against a set of rules stored on a memory of the device, wherein the set of rules identifies conditions for the application to be authorized to access the private network, and establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the private network.

Citations

20 Claims

1. A method, performed at an electronic device that includes a processor, a memory, and a network interface, comprising:
- generating, by an application executing on the device, a request for a network data flow to a virtual private network (VPN);
  
  comparing identification information associated with the application against a set of rules stored on the memory, wherein the set of rules identifies conditions for the application to be authorized to access the VPN;
  
  establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the VPN;
  
  executing a VPN agent in user space, wherein the VPN agent includes a VPN plugin; and
  
  diverting the network data flow to the VPN agent as opposed to entering a Transport Connection Protocol (TCP)/Internet Protocol (IP) stack, wherein the VPN plugin tunnels the network data flow over a VPN tunnel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - communicating the network data flow between the VPN and the application over the VPN tunnel, wherein each packet in the network data flow traverses a network stack only a single time before being communicated to the VPN.
  - 3. The method of claim 1, further comprising:
    - receiving a destination host name from the application;
      
      providing the destination host name to the VPN plugin; and
      
      resolving the destination host name at the VPN plugin based on the set of rules.
  - 4. The method of claim 1, wherein the set of rules include account-based access procedures for authorizing the application to access the VPN, wherein the application tags the network data flow with a string, wherein the string identifies the account for which access to the VPN is being established.
  - 5. The method of claim 4, wherein the account is one of a mail account, a contact list and a calendar account.
  - 6. The method of claim 4, wherein the account based access procedures for authorizing the application to access the VPN include matching the string to at least one account identifier stored within the memory.
  - 7. The method of claim 6, further comprising determining whether the account is a master access account and when the account is the master access account the account based access procedures are automatically satisfied.
  - 8. The method of claim 1, further comprising:
    - opening a flow divert socket for application data to flow between the application to the VPN plugin.
  - 9. The method of claim 1, wherein the VPN agent further includes a packet filter that receives the network data flow and when the packet filter receives the network data flow the network data flow includes a payload of application data without any corresponding headers.
  - 10. The method of claim 1, further comprising:
    - generating the network data flow, wherein the network data flow comprises a data packet that includes an IP header, a TCP header, a transport layer security (TLS) header and a payload of application data and wherein the data packet excludes any other type of header.

11. A device, comprising:
- a memory storing a plurality of rules; and
  
  a processor coupled to the memory and configured to perform actions that include;
  
  receiving a request for a network data flow to a virtual private network (VPN) from an application executing on the device;
  
  comparing identification information associated with the application against a set of rules stored on the device, wherein the set of rules identifies conditions for the application to be authorized to access the VPN;
  
  establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the VPN;
  
  executing a VPN agent in user space, wherein the VPN agent includes a VPN plugin; and
  
  diverting the network data flow to the VPN agent as opposed to entering a Transport Connection Protocol (TCP)/Internet Protocol (IP) stack, wherein the VPN plugin tunnels the network data flow over a VPN tunnel.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The device of claim 11, wherein the processor is further configured to perform:
    - communicating the network data flow between the VPN and the application over the the VPN tunnel, wherein each packet in the network data flow traverses a network stack only a single time before being communicated to the VPN.
  - 13. The device of claim 11, wherein the processor is further configured to perform:
    - receiving a destination host name from the application;
      
      providing the destination host name to the VPN plugin; and
      
      resolving the destination host name at the VPN plugin based on the set of rules.
  - 14. The device of claim 11, wherein the set of rules include account-based access procedures for authorizing the application to access the VPN, wherein the application tags the network data flow with a string, wherein the string identifies the account for which access to the VPN is being established.
  - 15. The device of claim 14, wherein the account is one of a mail account, a contact list and a calendar account.
  - 16. The device of claim 11, wherein the processor is further configured to perform:
    - opening a flow divert socket for application data to flow between the application to the VPN plugin.

17. A non-transitory computer readable storage medium with an executable program stored thereon, wherein the program instructs a processor to perform actions that include:
- receiving, from an application executing on a device, a request for a network data flow to a virtual private network (VPN);
  
  comparing identification information associated with the application against a set of rules stored on the device, wherein the set of rules identifies conditions for the application to be authorized to access the VPN;
  
  establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the VPN;
  
  executing a VPN agent in user space, wherein the VPN agent includes a VPN plugin; and
  
  diverting the network data flow from to the VPN agent as opposed to entering a Transport Connection Protocol (TCP)/Internet Protocol (IP) stack, wherein the VPN plugin tunnels the network data flow over a VPN tunnel.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the actions further include:
    - communicating the network data flow between the VPN and the application over the VPN tunnel, wherein each packet in the network data flow traverses a network stack only a single time before being communicated to the VPN.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein the actions further include:
    - receiving a destination host name from the application;
      
      providing the destination host name to the VPN plugin; and
      
      resolving the destination host name at the VPN plugin based on the set of rules.
  - 20. The non-transitory computer readable storage medium of claim 17, wherein the processor further opens a flow divert socket for application data to flow between the application to the VPN plugin.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Wood, James P.
Primary Examiner(s)
Kabir, Jahangir

Application Number

US14/827,953
Publication Number

US 20150358293A1
Time in Patent Office

1,422 Days
Field of Search

726 1, 726 13, 726 14, 726 15
US Class Current
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/10   for controlling access to d...

H04L 63/164   at the network layer

Systems and methods for application-specific access to virtual private networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for application-specific access to virtual private networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links