Automated establishment of addressability of a network device for a target network enviroment

US 20030018889A1
Filed: 09/20/2001
Published: 01/23/2003
Est. Priority Date: 07/20/2001
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, by a boot time process of a network device in a factory default configuration, the presence of a storage device containing therein addressability data that allows the network device to communicate and be addressable within a network environment in which it will be functioning;

after detecting the presence of the storage device, receiving at the network device the addressability data by using a protocol associated with the storage device to transport the addressability data from the storage device to the network device; and

establishing addressability of the network device, by the boot time process, to enable it to communicate with and be addressed by other nodes in the network environment by configuring one or more address parameters of the network device based upon the addressability data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are provided for remote, automated, and secure network device provisioning over a pre-existing communications network. According to one embodiment, automated establishment of addressability of a network device is supported for a target network environment. A boot time process of a network device in a factory default configuration detects the presence of a storage device containing therein addressability data that allows the network device to communicate and be addressable within the target network environment. After detecting the presence of the storage device, the network device receives the addressability data from the storage device by using a communication protocol associated with the storage device. Finally, addressability of the network device is established to enable it to communicate with and be addressed by other nodes in the target network environment by configuring one or more address parameters of the network device based upon the addressability data.

Citations

60 Claims

1. A method comprising:
- detecting, by a boot time process of a network device in a factory default configuration, the presence of a storage device containing therein addressability data that allows the network device to communicate and be addressable within a network environment in which it will be functioning;
  
  after detecting the presence of the storage device, receiving at the network device the addressability data by using a protocol associated with the storage device to transport the addressability data from the storage device to the network device; and
  
  establishing addressability of the network device, by the boot time process, to enable it to communicate with and be addressed by other nodes in the network environment by configuring one or more address parameters of the network device based upon the addressability data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20)
- - 2. The method of claim 1, wherein the network device includes a designated provisioning port, and said detecting the presence of a storage device includes detecting the presence of the storage device coupled to the designated provisioning port.
  - 3. The method of claim 2, wherein the designated provisioning port comprises an asynchronous EIA232-compliant communications port.
  - 4. The method of claim 2, wherein the storage device comprises a hardware token that includes non-volatile, programmable memory.
  - 5. The method of claim 1, wherein the addressability data comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device;
      
      an IP address associated with a default gateway for the network device; and
      
      an IP address of a remote device configuration server.
  - 6. The method of claim 1, further comprising the boot time process:
    - encrypting a configuration request directly or indirectly using security data retrieved from the storage device; and
      
      transmitting the encrypted configuration request to the remote device configuration server.
  - 7. The method of claim 1, wherein the storage device also contains sufficient configuration data to bring the network device into a fully defined, functional state, and wherein the method further comprises receiving at the network device the configuration data by using the protocol to transport the configuration data from the storage device to the network device.
  - 8. The method of claim 1, further comprising prior to said detecting the presence of a storage device, the storage device or another storage device loading or controlling the loading of firmware into the network device, the firmware including instructions representing the boot time process.
  - 9. The method of claim 1, further comprising transmitting a configuration request to the remote device configuration server from the boot time process, the configuration request including security data retrieved from the storage device or being encrypted based upon the security data.
  - 10. The method of claim 9, wherein the network device comprises a virtual private network (VPN) device, and the method further comprises receiving, in response to the configuration request, configuration data from the remote device configuration server, the configuration data including at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 11. The method of claim 1, wherein the network device comprises a virtual private network (VPN) gateway.
  - 12. The method of claim 1, wherein the network device comprises a router.
  - 13. The method of claim 1, further comprising prior to said receiving the addressability data and in response to said detecting the presence of a storage device the network device entering into a provisioning mode to handle receipt of the addressability data and said establishing addressability of the network device.
  - 14. The method of claim 1, wherein the storage device comprises a wireless handheld device.
  - 15. The method of claim 1, wherein the storage device comprises a Universal Serial Bus (USB) hardware token.
  - 16. The method of claim 1, wherein the storage device comprises a smart card.
  - 17. The method of claim 1, wherein the storage device comprises a magnetically encoded card.
  - 19. The method of claim 18, wherein said step for establishing addressability of the network device involves the use of a hardware token coupled to an asynchronous EIA232-compliant communications port of the network device, the hardware token including a non-volatile, programmable memory having stored therein addressability data including a unique Internet Protocol (IP) address for the network device, an IP address associated with a default gateway for the network device, an IP subnet mask, and an IP address of the remote device configuration server.
  - 20. The method of claim 18, wherein said step for establishing addressability of the network device comprises a hardware token coupled to a port of the network device controlling the network device using a native console command set of the network device.

18. A method comprising the steps of:
- a step for establishing addressability of a network device that takes the network device from a factory default state to an initial operating state in which the network device can communicate and is addressable within a predetermined network environment; and
  
  a step, responsive to completion of the step for establishing addressability, for provisioning the network device that takes the network device from the initial operating state to a fully defined, functional state in which the network device is configured and ready to process network traffic in the predetermined network environment by acquiring remaining configuration data by way of one or more data transfers over a network from a remote device configuration server.

21. A method comprising:
- detecting, by a boot time process of a first virtual private network (VPN) device in a factory default configuration, the presence of a hardware token coupled to a designated provisioning port of the first VPN network device, the hardware token including a non-volatile, programmable memory having stored therein addressability data that allows the first VPN device to communicate and be addressable within a predetermined network environment;
  
  after detecting the presence of the storage device, receiving at the first VPN device the addressability data by using a protocol associated with the hardware token to read the addressability data from the non-volatile, programmable memory of the hardware token;
  
  establishing addressability of the first VPN device, by the boot time process, to enable it to communicate with other network devices in the predetermined network environment by setting one or more address parameters of the first VPN device based upon the addressability data;
  
  transmitting a configuration request to a remote device configuration server from the boot time process, the configuration request including security data read from the hardware token or encrypted based upon the security data;
  
  receiving, in response to the configuration request, tunnel configuration data from the remote device configuration server, the tunnel configuration data including an Internet Protocol (IP) address of a second VPN device associated with the predetermined network environment; and
  
  causing a tunnel to be established between the first VPN device and the second VPN device through a transit network based upon the tunnel configuration data.
- View Dependent Claims (22, 23, 24, 26, 27, 28, 30, 31, 32, 33, 35, 36, 37, 39, 40, 41, 42, 43, 44, 46, 47, 48, 49, 50, 51)
- - 22. The method of claim 21, wherein the transit network comprises a private internetwork.
  - 23. The method of claim 21, wherein the transit network comprises a public internetwork.
  - 24. The method of claim 23, wherein the transit network comprises the Internet.
  - 26. The network device provisioning system of claim 25, further comprising:
    - a remote device configuration server to manage access to a plurality of sets of configuration data including a first set of configuration data for the first network device;
      
      wherein the addressability data for the first network device includes an Internet Protocol (IP) address for the remote device configuration server;
      
      wherein the non-volatile, programmable memory of the hardware token additionally has stored therein a unique identifier corresponding to the first set of configuration data, and wherein the first network device is capable of automatically initiating a configuration phase in response to completion of the addressability phase, during the configuration phase, the first network device transmits a configuration request that includes the unique identifier to the remote device configuration server and the remote device configuration server responds to the configuration request by supplying the first set of configuration data to the first network device.
  - 27. The network device provisioning system of claim 26, wherein the first network device comprises a first virtual private network (VPN) device, and wherein the first set of configuration data includes an IP address of a second VPN device with which the first network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 28. The network device provisioning system of claim 26, wherein the first network device comprises a router, and wherein the first set of configuration data includes access control list (ACL) information.
  - 30. The network device of claim 29, wherein the provisioning interface comprises an asynchronous EIA232-compliant communications port.
  - 31. The network device of claim 29, wherein the firmware further transmits a configuration request to a remote device configuration server, the configuration request including security data retrieved from the storage device or being encrypted based upon the security data.
  - 32. The network device of claim 31, wherein the network device comprises a virtual private network (VPN) device, and the firmware further receives, in response to the configuration request, configuration data from the remote device configuration server, the configuration data including at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 33. The network device of claim 31, wherein the network device comprises a router, and the firmware further receives, in response to the configuration request, configuration data from the remote device configuration server, the configuration data including access control list (ACL) information.
  - 35. The machine-readable medium of claim 34, wherein the addressability data comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device;
      
      an IP address associated with a default gateway for the network device; and
      
      an IP address of a remote device configuration server.
  - 36. The machine-readable medium of claim 34, wherein the instructions further include instructions which, if executed by the processor, cause the processor to transmit a configuration request to the remote device configuration server, the configuration request including security data based upon information retrieved from the storage device.
  - 37. The machine-readable medium of claim 34, wherein the network device comprises a virtual private network (VPN) device, and wherein the instructions further include instructions which, if executed by the processor, cause the processor to receive, in response to the configuration request, configuration data from the remote device configuration server, the configuration data including at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 39. The method of claim 38, wherein the network device is capable of automatically initiating a configuration phase in response to the completion of the addressability phase, during which the network device transmits a configuration request to a remote configuration server responsible for managing access to a remote configuration database, the method further comprising:
    - uploading configuration data for the network device into the remote configuration database and associating the configuration data with a unique set of security data; and
      
      programming the non-volatile memory of the hardware token with the unique set of security data to be provided to the network device for inclusion with the configuration request.
  - 40. The method of claim 38, wherein the addressability data comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device;
      
      an IP address associated with a default gateway for the network device; and
      
      an IP address of a remote device configuration server.
  - 41. The method of claim 39, wherein the network device comprises a virtual private network (VPN) device, and the configuration data comprises at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 42. The method of claim 41, wherein in response to receiving the configuration data, the network device causes a tunnel to be established with the peer VPN device through a transit network.
  - 43. The method of claim 38, wherein the network device comprises a router.
  - 44. The method of claim 38, wherein the designated provisioning port comprises an asynchronous EIA232-compliant communications port.
  - 46. The method of claim 45, wherein the non-volatile, programmable memory of the hardware token additionally has stored therein a unique identifier associated with a set of configuration data for the network device and stored in a remote configuration database, and wherein the network device is capable of automatically initiating a configuration phase in response to completion of the addressability phase, during which the network device causes the set of configuration data to be delivered to the network device by transmitting a configuration request including the unique identifier to a remote configuration server that is responsible for managing access to the remote configuration database.
  - 47. The method of claim 45, wherein the addressability data comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device;
      
      an IP address associated with a default gateway for the network device; and
      
      an IP address of a remote device configuration server.
  - 48. The method of claim 46, wherein the network device comprises a virtual private network (VPN) device, and the set of configuration data comprises at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 49. The method of claim 48, wherein in response to receiving the configuration data, the network device causes a tunnel to be established with the peer VPN device through a transit network.
  - 50. The method of claim 45, wherein the network device comprises a router.
  - 51. The method of claim 45, wherein the designated provisioning port comprises an asynchronous EIA232-compliant communications port.

25. A network device provisioning system comprising:
- a first network device to be placed in an initial operating configuration in which the first network device can communicate and be addressable within a predetermined network environment;
  
  a hardware token to interface with a designated provisioning port of the first network device, the hardware token including a non-volatile, programmable memory having stored therein addressability data for the first network device; and
  
  wherein the first network device is capable of automatically initiating an addressability phase in response to detecting the presence of the hardware token on the designated provisioning port, during the addressability phase, the first network device receives the addressability data from the hardware token and transitions from a current configuration to the initial operating configuration.

29. A network device comprising:
- a provisioning interface to receive addressability data from a storage device, the addressability data allowing the network device to communicate and be addressable within a target network environment;
  
  one or more flash memory modules having stored therein firmware to;
  
  check for the presence of the storage device during boot time processing, cause the addressability data to be received from the storage device using a protocol associated with the storage device if the storage device is present, and establish addressability of the network device by configuring one or more address parameters of the network device based upon the addressability data; and
  
  a processor coupled to the one or more flash memory modules to execute the firmware in response to reset or power up.

34. A machine-readable medium having stored thereon data representing instructions that, if executed by a processor of a network device, cause the processor to:
- detect the presence of a storage device containing therein addressability data that allows the network device to communicate and be addressable within a network environment in which it will be functioning;
  
  receive the addressability data by using a protocol associated with the storage device to transport the addressability data from the storage device to the network device; and
  
  establish addressability of the network device to enable it to communicate with and be addressed by other nodes in the network environment by configuring one or more address parameters of the network device based upon the addressability data.

38. A method of deploying a network device comprising:
- providing a network device;
  
  providing a hardware token to interface with a designated provisioning port of the network device;
  
  programming a non-volatile memory of the hardware token with addressability data for the network device, which is capable of automatically initiating an addressability phase in response to detecting the presence of the hardware token on the designated provisioning port, the addressability phase causing the network device to receive the addressability data from the hardware token and transition from a current configuration to an initial operating configuration in which the network device can communicate and be addressable within a predetermined network environment; and
  
  separately shipping the network device and the programmed storage device to a network site at which the network device will be installed within the predetermined network environment.

45. A method of installing a network device comprising:
- receiving delivery of a network device that is capable of automatically initiating an addressability phase in response to detecting the presence of a hardware token on a designated provisioning port of the network device;
  
  receiving delivery of a hardware token, the hardware token to interface with the designated provisioning port of the network device, the hardware token including a non-volatile, programmable memory having stored therein addressability data to place the network device in an initial operating state in which the network device can communicate and be addressable within a predetermined network environment;
  
  communicatively coupling the network device with the predetermined network environment; and
  
  initiating the addressability phase by coupling the hardware token to the designated provisioning port of the network device and causing the network device to boot, the addressability phase causing the network device to receive the addressability data from the hardware token and transition from a current configuration to the initial operating configuration.

52. A method of delivering a network device comprising:
- shipping a fully operational network device in a factory default configuration to a customer network site at which the network device will be installed within a predetermined network environment, the network device capable of automatically initiating an addressability phase in response to detecting the presence of an external, user-serviceable smart hardware storage device on a designated provisioning port of the network device; and
  
  if the customer has requested an automated provisioning feature, then programming an external, user-serviceable smart hardware storage device with addressability data for the network device, the smart hardware storage device to interface with the designated provisioning port of the network device and cause the addressability phase to be initiated, the addressability phase causing the addressability data to be transferred from the smart hardware storage device to the network device and enabling the network device to transition from the factory default configuration to an initial operating configuration in which the network device can communicate and be addressable within the predetermined network environment, and shipping the programmed smart hardware storage device to the customer network site.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60)
- - 53. The method of claim 52, wherein the network device is capable of automatically initiating a configuration phase in response to the completion of the addressability phase, during which the network device transmits a configuration request to a remote configuration server responsible for managing access to a remote configuration database, the method further comprising:
    - uploading configuration data for the network device into the remote configuration database and associating the configuration data with a unique set of security data; and
      
      programming the smart hardware storage device with the unique set of security data to be provided to the network device for inclusion with the configuration request.
  - 54. The method of claim 52, wherein the addressability data comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device;
      
      an IP address associated with a default gateway for the network device; and
      
      an IP address of a remote device configuration server.
  - 55. The method of claim 53, wherein the network device comprises a virtual private network (VPN) device, and the configuration data comprises at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 56. The method of claim 55, wherein in response to receiving the configuration data, the network device causes a tunnel to be established with the peer VPN device through a transit network.
  - 57. The method of claim 52, wherein the network device comprises a router.
  - 58. The method of claim 52, wherein the designated provisioning port comprises an asynchronous EIA232-compliant communications port.
  - 59. The method of claim 52, wherein the network device and the programmed smart hardware storage device are shipped separately to the customer network site.
  - 60. The method of claim 52, wherein the programmed smart hardware storage device interfaces with the designated provisioning port of the network device via one or more intermediate devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Pang, Dayman, Robison, Victor C., Burnett, Keith L.

Granted Patent

US 7,313,819 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 41/0809   Plug-and-play configuration

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Automated establishment of addressability of a network device for a target network enviroment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Automated establishment of addressability of a network device for a target network enviroment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links