Virtual private network and tunnel gateway with multiple overlapping, remote subnets

US 20030145104A1
Filed: 01/23/2002
Published: 07/31/2003
Est. Priority Date: 01/23/2002
Status: Active Grant

First Claim

Patent Images

1. A method for providing local gateway support for multiple overlapping remote networks, comprising the steps of:

loading a plurality of overlapping connections, each including an inbound packet having a source IP address;

for each said connection, binding said source IP address in a bind table with an internally routable and system-wide unique source IP address from an internal address pool; and

network address translating outbound packets, each said outbound packet having a destination IP address, to determine a virtual private network connection for receiving said outbound packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Local gateway support for multiple overlapping remote networks. The local gateway includes a pool of unique, internally routable system-wide addresses, an address bind table, a filter rules table, and a collection of security association databases. A plurality of overlapping connections are received at the local gateway from remote networks, each including an inbound packet having a source IP address. For each connection, the source IP address is bound with an address from the address pool in a bind table. Outbound packets are processed through the bind table to determine the destination IP address corresponding to a correct one of the plurality of overlapping connections.

78 Citations

View as Search Results

28 Claims

1. A method for providing local gateway support for multiple overlapping remote networks, comprising the steps of:
- loading a plurality of overlapping connections, each including an inbound packet having a source IP address;
  
  for each said connection, binding said source IP address in a bind table with an internally routable and system-wide unique source IP address from an internal address pool; and
  
  network address translating outbound packets, each said outbound packet having a destination IP address, to determine a virtual private network connection for receiving said outbound packet.
- View Dependent Claims (2)
- - 2. The method of claim 1, further comprising the steps of:
    - filtering said outbound packet to determine a first connection name;
      
      determining from said bind table a second connection name;
      
      responsive to said first and second connection names comparing equal, processing said outbound packet into a VPN tunnel using a security association database determined by said first connection name; and
      
      responsive to said first and second connection names comparing not equal, processing said outbound packet into a VPN tunnel using a security association database determined by said second connection name.

3. A local gateway system, comprising:
- an address pool for storing a plurality of internally routable and system wide, nonconflicting network addresses;
  
  an address bind table for binding a conflicting source address from an inbound packet from a remote network to a connection name and to a unique network address from said address pool;
  
  a filter rules table responsive to an outbound packet for determining a first connection indicia;
  
  said address bind table further responsive to said outbound packet for determining a second connection indicia; and
  
  said local gateway system being responsive to said first and second connection indicia comparing equal for processing said outbound packet to a communications tunnel using a first security association determined by said first connection indicia, and responsive to said first and second connection indicia comparing not equal for processing said outbound packet to a communications tunnel using a second security association determined by said second connection indicia.

4. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for providing local gateway support for multiple overlapping remote networks, said method steps comprising:
- loading a plurality of overlapping connections, each including an inbound packet having a source IP address;
  
  for each said connection, binding said source IP address in a bind table with an internally routable and system-wide unique source IP address from an internal address pool; and
  
  network address translating outbound packets, each said outbound packet having a destination IP address, to determine a virtual private network connection for receiving said outbound packet.
- View Dependent Claims (5)
- - 5. The program storage device of claim 4, said method steps further comprising:
    - filtering said outbound packet to determine a first connection name;
      
      determining from said bind table a second connection name;
      
      responsive to said first and second connection names comparing equal, processing said outbound packet into a VPN tunnel using a security association database determined by said first connection name; and
      
      responsive to said first and second connection names comparing not equal, processing said outbound packet into a VPN tunnel using a security association database determined by said second connection name.

6. A computer program product or computer program element for providing local gateway support for multiple overlapping remote networks, according to method steps comprising:
- loading a plurality of overlapping connections, each including an inbound packet having a source IP address;
  
  for each said connection, binding said source IP address in a bind table with an internally routable and system-wide unique source IP address from an internal address pool; and
  
  network address translating outbound packets, each said outbound packet having a destination IP address, to determine a virtual private network connection for receiving said outbound packet.

7. A local gateway system for processing inbound and outbound packets with respect to a local network and a plurality of remote nodes having potentially overlapping addresses, comprising:
- an address pool component;
  
  an address bind table component;
  
  a filter rules table component;
  
  a security association component;
  
  an entry in said address bind table component including a left hand side (LHS) address field, a right hand side (RHS) address field, and first connection name field;
  
  an entry in said filter rules table component including source IP address (sip), destination IP address (dip), source port, destination port, second connection name, and action field;
  
  said address pool component including a pool of sip addresses administratively reserved and uniquely routable within said local network;
  
  a security association in said security association component including third connection name and security association data;
  
  first logic responsive to an inbound packet for dynamically binding in said address bind table component the inbound packet sip with a local sip selected from said address pool component and first connection indicia;
  
  second logic responsive to an outbound packet for accessing said filter rules table component to determine filter derived connection indicia;
  
  third logic responsive to said outbound packet for accessing said address bind table component to determine corresponding bind table derived connection indicia; and
  
  fourth logic responsive to said filter derived connection indicia and said bind table derived connection indicia comparing equal for accessing said security association component to select security association data corresponding to said filter derived connection data for processing said outbound packet, and responsive to said filter derived connection indicia and said bind table derived connection indicia comparing not equal for accessing said security association component to select security association data corresponding to said bind table derived connection indicia for processing said outbound packet.
- View Dependent Claims (8)
- - 8. The local gateway system of claim 7, further comprising:
    - said action field selectively containing deny, permit, and IP Sec required indicia; and
      
      said second logic being responsive to said outbound packet corresponding to a filter having an action field containing said IP Sec required indicia for initiating execution of said third logic.

9. A method for operating a local gateway, comprising the steps of:
- receiving an inbound packet on a network connection from a remote node; and
  
  applying source-in network address translation to establish dynamic binding of the source IP address of said inbound packet with an internally routable and system wide unique source-in IP address and a connection name.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, further comprising the steps of:
    - receiving an outbound packet from an internal node;
      
      filtering said outbound packet to determine a first connection;
      
      selectively determining a second connection from a connection name bound to said unique source-in IP address corresponding to the destination-out IP address of said outbound packet; and
      
      selectively overriding said first connection by said second connection.
  - 11. The method of claim 10, further comprising the step of:
    - tunneling said outbound packet to said remote node responsive to security association data selectively corresponding to said first connection or said second connection.
  - 12. The method of claim 11, further comprising the step of:
    - overriding said first connection by said second connection responsive to said first connection and said second connection comparing not equal.

13. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for providing local gateway support for multiple overlapping remote networks, said method steps comprising:
- receiving an inbound packet on a network connection from a remote node; and
  
  applying source-in network address translation to establish dynamic binding of the source IP address of said inbound packet with an internally routable and system wide unique source-in IP address and a connection name.
- View Dependent Claims (14, 15, 16)
- - 14. The program storage device of claim 13, said method steps further comprising:
    - receiving an outbound packet from an internal node;
      
      filtering said outbound packet to determine a first connection;
      
      selectively determining a second connection from a connection name bound to said unique source-in IP address corresponding to the destination-out IP address of said outbound packet; and
      
      selectively overriding said first connection by said second connection.
  - 15. The program storage device of claim 14, said method steps further comprising:
    - tunneling said outbound packet to said remote node responsive to security association data selectively corresponding to said first connection or said second connection.
  - 16. The program storage device of claim 15, said method steps further comprising:
    - overriding said first connection by said second connection responsive to said first connection and said second connection comparing not equal.

17. A communication method, comprising the steps of:
- operating a remote gateway to initiate a connection with a local gateway;
  
  sending from a remote node at said remote gateway an inbound packet addressed by a destination address to a local node at said local gateway and a remote node source address identifying said remote node;
  
  operating said local gateway to decapsulate said inbound packet;
  
  operating said local gateway to determine that said inbound packet requires source-in network address translation and that no existing address bind exists for said inbound packet;
  
  operating said local gateway to choose a pool address and create a binding table entry binding said remote node source address to said pool address and a unique connection name;
  
  replacing said remote node source address with said pool address and forwarding said inbound packet to said local node;
  
  receiving at said local gateway an outbound packet having as its destination address said pool address;
  
  filtering said outbound packet to identify corresponding connection indicia;
  
  finding in said binding table an entry corresponding to said outbound packet, converting said destination address to said remote node source address, and returning said unique connection name;
  
  responsive to said unique connection name, selecting security association data; and
  
  responsive to said security association data, tunneling said outbound packet to said remote node.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, said remote node being one of a plurality of remote nodes having overlapping addresses.
  - 19. The method of claim 18, further comprising the steps of:
    - comparing said corresponding connection indicia and said unique connection name; and
      
      responsive to said corresponding connection indicia and said unique connection name comparing equal, selecting security association data corresponding to said corresponding connection indicia.

20. A method for operating a local gateway for controlling communication between a local node and a remote node, comprising the steps of:
- receiving an inbound packet on a network connection from a remote node, said inbound packet characterized by a first source address identifying said remote node and a first destination address identifying said local node; and
  
  applying source-in network address translation to establish dynamic binding of said first source address with an internally routable and system wide unique second source address and a first connection name.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, further comprising the steps of:
    - establishing said dynamic binding by creating a binding entry in an address bind table with a bind entry left hand side set equal to said second source address selected from a local address pool, a bind entry right hand side set equal to said first source address, and said first connection name.
  - 22. The method of claim 21, further comprising the steps of:
    - receiving from said local node an outgoing packet intended for said remote node and having identifying indicia including a second destination address;
      
      filtering said outgoing packet to find a filter rule having a second connection name associated with said identifying indicia;
      
      responsive to said second connection name, identifying a filter derived security association;
      
      responsive to said filter rule requiring source-in network address translation, searching said address bind table for a matching binding entry having a bind entry left hand side corresponding to said second destination address, and setting said second destination address equal to said bind entry right hand side;
      
      responsive to said first connection name selected from said matching binding entry, identifying a binding table derived security association; and
      
      selectively responsive to said filter derived security association or said binding table derived security association, processing said outbound packet into a tunnel for communication to said remote node.
  - 23. The method of claim 22, further comprising the steps of:
    - responsive to said first connection name selected from said matching binding entry and said second connection name comparing not equal, selecting said binding table derived security association for processing said outbound packet.

24. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for providing local gateway support for multiple overlapping remote networks, said method steps comprising:
- operating a remote gateway to initiate a connection with a local gateway;
  
  sending from a remote node at said remote gateway an inbound packet addressed by a destination address to said local node at said local gateway and a remote node source address identifying said remote node;
  
  operating said local gateway to decapsulate said inbound packet;
  
  operating said local gateway to determine that said inbound packet requires source-in network address translation and that no existing address bind exists for said inbound packet;
  
  operating said local gateway to choose a pool address and create a binding table entry binding said remote node source address to said pool address and a unique connection name;
  
  replacing said remote node source address with said pool address and forwarding said inbound packet to said local node;
  
  receiving at said local gateway an outbound packet having as its destination address said pool address;
  
  filtering said outbound packet to identify corresponding connection indicia;
  
  finding in said binding table an entry corresponding to said outbound packet, converting said destination address to said remote node source address, and returning said unique connection name;
  
  responsive to said unique connection name, selecting security association data; and
  
  responsive to said security association data, tunneling said outbound packet to said remote node.

25. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for providing local gateway support for multiple overlapping remote networks, said method steps comprising:
- receiving an inbound packet on a network connection from a remote node, said inbound packet characterized by a first source address identifying said remote node and a first destination address identifying said local node; and
  
  applying source-in network address translation to establish dynamic binding of said first source address with an internally routable and system wide unique second source address and a first connection name.
- View Dependent Claims (26, 27, 28)
- - 26. The program storage device of claim 25, said method steps further comprising:
    - establishing said dynamic binding by creating a binding entry in an address bind table with a bind entry left hand side set equal to said second source address selected from a local address pool, a bind entry right hand side set equal to said first source address, and said first connection name.
  - 27. The program storage device of claim 26, said method steps further comprising:
    - receiving from said local node an outgoing packet intended for said remote node and having identifying indicia including a second destination address;
      
      filtering said outgoing packet to find a filter rule having a second connection name associated with said identifying indicia;
      
      responsive to said second connection name, identifying a filter derived security association;
      
      responsive to said filter rule requiring source-in network address translation, searching said address bind table for a matching binding entry having a bind entry left hand side corresponding to said second destination address, and setting said second destination address equal to said bind entry right hand side;
      
      responsive to said first connection name selected from said matching binding entry, identifying a binding table derived security association; and
      
      selectively responsive to said filter derived security association or said binding table derived security association, processing said outbound packet into a tunnel for communication to said remote node.
  - 28. The program storage device of claim 27, said method steps further comprising:
    - responsive to said first connection name selected from said matching binding entry and said second connection name comparing not equal, selecting said binding table derived security association for processing said outbound packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Boden, Edward B., Palermo, Donald A.

Granted Patent

US 7,099,319 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/238
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 61/00   Network arrangements, proto...

H04L 61/2535   Multiple local networks, e....

H04L 61/2567   for reachability, e.g. inqu...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

Virtual private network and tunnel gateway with multiple overlapping, remote subnets

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Virtual private network and tunnel gateway with multiple overlapping, remote subnets

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others