Externally controlled reachability in virtual private networks

US 20050021789A1
Filed: 01/30/2004
Published: 01/27/2005
Est. Priority Date: 07/03/2003
Status: Active Grant

First Claim

Patent Images

1. An comprising a network adapted to allow systems to connect to the network via edge routers of the network, and further adapted to assign at least some of said systems to specified VPNs, which network includes collection of one or more devices that operates to insure that systems A and B of said systems that are each assigned to one or more VPNs but which have no commonly assigned VPN cannot communicate with each other, the improvement comprising:

a controller that (1) detects an identified application, executed an element of said arrangement, which calls for communication between system A and system B, and (2) authorizes such communication when said identified application is included in a set of one or more allowed applications, by directing said collection to modify itself to enable said communication between system A and system B.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network that supports VPNs is enhanced to allow users in one VPN to communicate with users in another VPN in the course of executing a predefined application, such as VoIP. This capability is achieved dynamically by enabling a device that can communicate with the network elements that operate to normally prohibit inter-VPN communication to direct those network elements to enable such communication, at least for the purposes the purposes of specific applications.

20 Citations

View as Search Results

21 Claims

1. An comprising a network adapted to allow systems to connect to the network via edge routers of the network, and further adapted to assign at least some of said systems to specified VPNs, which network includes collection of one or more devices that operates to insure that systems A and B of said systems that are each assigned to one or more VPNs but which have no commonly assigned VPN cannot communicate with each other, the improvement comprising:
- a controller that (1) detects an identified application, executed an element of said arrangement, which calls for communication between system A and system B, and (2) authorizes such communication when said identified application is included in a set of one or more allowed applications, by directing said collection to modify itself to enable said communication between system A and system B.
- View Dependent Claims (2, 3, 5, 6, 7, 8, 9, 10)
- - 2. The arrangement of claim 1 where said element of said arrangement is system A.
  - 3. The arrangement of claim 1 where said element of said arrangement is system B.
  - 5. The arrangement of claim 1 where said collection comprises VPN routing and forwarding tables, one within each of said edge routers.
  - 6. The arrangement of claim 1 where said network is an MPLS network.
  - 7. The arrangement of claim 6 where said collection comprises VPN routing and forwarding tables, one within each of edge routers of said network, and said controller directs an edge router of said edge routers though which system A is connected to said network to modify its routing and forwarding table, and directs an edge router of said edge routers though which system B is connected to said network to modify its routing and forwarding table.
  - 8. The arrangement of claim 1 where said identified application is voice over IP and voice over IP is one of said allowed applications.
  - 9. The arrangement of claim 1 where said identified application is video over IP and video over IP is one of said allowed applications.
  - 10. The arrangement of claim 1 where said controller comprises a route server and a call control element.

4. The arrangement of clam 1 where said collection comprises said edge routers.

11. A method executed in an arrangement including a network that supports assigning systems to specified VPNs, which systems connect to edge routers of the network, which network includes collection, comprising one or more devices, that operates to insure that systems A and B of said systems that are each assigned to one or more VPNs but which have no commonly assigned VPN cannot communicate with each other, comprising the steps of:
- receiving a message from an application of a type for which inter-VPN communication is allowed, indicating a desire to establish communication between said systems A and B;
  
  directing said collection to install a modification having whose effect is to allow communication between said systems A and B; and
  
  directing said collection to remove said modification at a later time to reinstate prohibition against communication between said systems A and B.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 where said application is voice over Internet or video over Internet.
  - 13. The method of claim 12 where said directing said collection to remove said modification occurs substantially contemporaneously with termination of said voice over Internet or video over Internet communication.
  - 14. The method of claim 11 where said directing said collection to install a modification comprises the steps of:
    - installing a entry X in a table of an element that of said collection that is charged with blocking traffic so that that no traffic is carried from, system A from a system that is assigned to a VPN to which system A is not assigned, which entry nullifies said blocking relative to system B, and installing a entry Y in a table of an element that of said collection that is charged with blocking traffic so that that no traffic is carried from, system B from a system that is assigned to a VPN to which system B is not assigned, which entry nullifies said blocking relative to system A.
  - 15. The method of claim 14 where entry X includes a criterion that nullifies said blocking only relative to traffic pertaining to said application, and entry Y includes a criterion that nullifies said blocking only relative to traffic pertaining to said application.
  - 16. The method of claim 11 where said collection is said edge routers of the network.
  - 17. The method of claim 11 where said directing said collection to install a modification comprises a step of installing a entry in a VPN route and forward (VRF) table that is associated with edge router A of said edge routes through which said system A is coupled to said network, and installing an entry in a VRF table that is associated with edge router B of said edge routes through which said system B is coupled to said network.
  - 18. The method of claim 17 where said entry that is installed in said VRF associated with said edge router A comprises an indication that system B belongs to a VPN to which system A belongs, and said entry that is installed in said VRF associated with said edge router B comprises an indication that system A belongs to a VPN to which system B belongs.
  - 19. The method of claim 18 where said entry that is installed in said VRF associated with said edge router A further comprises a route indication for reaching system B, and said entry that is installed in said VRF associated with said edge router B further comprises a route indication for reaching system A.
  - 20. The method of claim 18 where said entry that is installed in said VRF associated with said edge router A further comprises a route criterion for limiting traffic that is destined to system B solely to traffic that pertains to said application.

21. A method executed in an arrangement including a network that supports assigning systems to specified VPNs, which systems connect to edge routers of the network, which network includes collection, comprising one or more devices, that operates to insure that systems A and B of said systems that are each assigned to one or more VPNs but which have no commonly assigned VPN cannot communicate with each other, comprising the steps of:
- receiving a message from a indicating a desire to establish communication between said systems A and B pursuant to an identified application;
  
  determining whether to authorize said communication;
  
  when said step of determining permits such communication, directing said collection to allow said communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ali Murat Iloglu, Han Q. Nguyen
Original Assignee
Ali Murat Iloglu, Han Q. Nguyen
Inventors
Iloglu, Ali Murat, Nguyen, Han Q.

Granted Patent

US 7,313,605 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/0272 Virtual private networks

Externally controlled reachability in virtual private networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Externally controlled reachability in virtual private networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links