System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks

US 20030115480A1
Filed: 12/17/2001
Published: 06/19/2003
Est. Priority Date: 12/17/2001
Status: Abandoned Application

First Claim

Patent Images

1. A network system that resists denial of service attacks on an access link to a destination host belonging to a virtual private network (VPN), said network system comprising:

one or more egress boundary routers having connections to an access network including the access link, wherein said one or more egress boundary routers transmit intra-VPN traffic from sources within the VPN and extra-VPN traffic from sources outside the VPN within separate access network logical connections for intra-VPN and extra-VPN traffic; and

a plurality of ingress boundary routers coupled to the one or more egress boundary routers for communication utilizing a network-based VPN protocol that logically partitions intra-VPN and extra-VPN traffic, such that denial of service attacks on said access link originating from sources outside the VPN can be prevented.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network architecture in accordance with the present invention includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer'"'"'s VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer'"'"'s VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer'"'"'s access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with inter-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails special configuration of network elements and protocols, including partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing and the configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge routers. By configuring the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.

119 Citations

View as Search Results

20 Claims

1. A network system that resists denial of service attacks on an access link to a destination host belonging to a virtual private network (VPN), said network system comprising:
- one or more egress boundary routers having connections to an access network including the access link, wherein said one or more egress boundary routers transmit intra-VPN traffic from sources within the VPN and extra-VPN traffic from sources outside the VPN within separate access network logical connections for intra-VPN and extra-VPN traffic; and
  
  a plurality of ingress boundary routers coupled to the one or more egress boundary routers for communication utilizing a network-based VPN protocol that logically partitions intra-VPN and extra-VPN traffic, such that denial of service attacks on said access link originating from sources outside the VPN can be prevented.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The network system of claim 1, and further comprising a Differentiated Services network coupling at least one of the plurality of ingress boundary routers and at least one of the one or more egress boundary routers.
  - 3. The network system of claim 1, and further comprising a plurality of customer premises equipment (CPE) edge routers each coupled to a respective one of said plurality of ingress boundary routers.
  - 4. The network system of claim 1, and further comprising the access network.
  - 5. The network system of claim 4, and further comprising a customer premises equipment (CPE) edge router to the access link.
  - 6. The network system of claim 5, said CPE edge router having a physical port coupled to said access link, said physical port implementing a first logical port for intra-VPN traffic and a second logical port for extra-VPN traffic.
  - 7. The network system of claim 1, wherein at least one of said plurality of ingress boundary routers implements a plurality of tunnels that logically partition intra-VPN and extra-VPN traffic.
  - 8. The network system of claim 1, wherein said one or more egress boundary routers provide a plurality of different qualities of services to said intra-VPN traffic.

9. A network system, comprising:
- an access network having an access link to a destination host belonging to a virtual private network (VPN), wherein said access network supports a first logical connection for intra-VPN traffic from sources within the VPN and a second logical connection for extra-VPN traffic from sources outside the VPN;
  
  one or more egress boundary routers having connections to the access network, wherein said one or more egress boundary routers transmit intra-VPN traffic toward the destination host via the first logical connection and transmit extra-VPN traffic toward the destination host via the second logical connection; and
  
  a plurality of ingress boundary routers coupled to the one or more egress boundary routers for communication utilizing a network-based VPN protocol that logically partitions intra-VPN and extra-VPN traffic, such that denial of service attacks on said access link originating from sources outside the VPN can be prevented.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The network system of claim 9, and further comprising a Differentiated Services network coupling at least one of the plurality of ingress boundary routers and at least one of the one or more egress boundary routers.
  - 11. The network system of claim 9, and further comprising a plurality of customer premises equipment (CPE) edge routers each coupled to a respective one of said plurality of ingress boundary routers.
  - 12. The network system of claim 9, and further comprising a customer premises equipment (CPE) edge router to the access link.
  - 13. The network system of claim 12, said CPE edge router having a physical port coupled to said access link, said physical port implementing a first logical port for intra-VPN traffic and a second logical port for extra-VPN traffic.
  - 14. The network system of claim 9, wherein at least one of said plurality of ingress boundary routers implements a plurality of tunnels that logically partition intra-VPN and extra-VPN traffic.
  - 15. The network system of claim 9, wherein said one or more egress boundary routers provide a plurality of different qualities of services to said intra-VPN traffic.

16. A method of protecting an access link to a destination host belonging to a virtual private network (VPN) against denial of service attacks, said method comprising:
- in an access network including the access link, providing a first logical connection for intra-VPN traffic from sources within the VPN and a second logical connection for extra-VPN traffic from sources outside the VPN;
  
  communicating, from a plurality of ingress boundary routers to one or more egress boundary routers, intra-VPN and extra-VPN traffic destined for said destination host, wherein said intra-VPN traffic and said extra-VPN traffic are transmitted utilizing a network-based VPN protocol that logically partitions intra-VPN and extra-VPN traffic;
  
  transmitting intra-VPN traffic from said one or more egress boundary routers toward the destination host via the first logical connection, and transmitting extra-VPN traffic from said one or more egress boundary routers toward the destination host via the second logical connection, such that denial of service attacks on said access link originating from sources outside the VPN can be prevented.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein said communicating comprises communicating utilizing a Differentiated Services protocol.
  - 18. The method of claim 16, wherein a customer premises equipment (CPE) edge router is coupled between said access network and said destination host, said method further comprising:
    - at a physical port of the CPE edge router coupled to the access link, providing first and second logical ports; and
      
      receiving intra-VPN traffic at the first logical port, and receiving extra-VPN traffic at the second logical port.
  - 19. The method of claim 16, and further comprising logically partitioning intra-VPN and extra-VPN traffic by at least one of said plurality of ingress boundary routers utilizing a plurality of tunnels.
  - 20. The method of claim 16, and further comprising said one or more egress boundary routers providing a plurality of different qualities of services to said intra-VPN traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
WorldCom, Inc. (Verizon Communications Inc.)
Inventors
McDysan, David E.

Application Number

US10/023,043
Publication Number

US 20030115480A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/1458 Denial of Service

System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links