Method of providing an encrypted multipoint VPN service

US 20070115990A1
Filed: 11/22/2005
Published: 05/24/2007
Est. Priority Date: 11/22/2005
Status: Active Grant

First Claim

Patent Images

1. A method of providing an encrypted multipoint Virtual Private Network (VPN) service comprising:

receiving a first packet of a plurality of packets at an ingress Provider Edge (PE) router in a network including a hub and an egress PE router, the plurality of packets destined for a remote server in communication with said egress PE router;

performing a lookup at said ingress PE router for a destination prefix of said first packet, and determining that a next-hop for said first packet is reachable through a tunnel;

sending, by said ingress PE router, a resolution request to said hub to acquire a routable Internet Protocol (IP) address associated with said egress PE router;

encapsulating, encrypting and sending said packets to said hub until a resolution reply is received by said ingress PE router and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said packets carrying a bit set in said header indicating that said header includes a tunnel IP address of said egress PE router which should be used for forwarding said packets;

receiving a resolution reply from said hub at said ingress PE router;

updating a next-hop cache of said ingress PE router;

exchanging IPSec SAs with said egress PE router;

updating an FIB entry with said SAs; and

establishing a VPN between said egress PE router and said ingress PE router, and forwarding all subsequent packets of said plurality of packets destined for said egress PE router directly towards said egress PE router across said VPN established between said egress PE router and said ingress PE router.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and computer program product for providing an encrypted multipoint Virtual Private Network (VPN) service is presented. A first packet of a plurality of packets is received at an ingress provider edge (PE) the plurality of packets destined for a remote server in communication with said egress PE router. A lookup for a destination prefix of a first packet is preformed, and a determination made that a next-hop for the first packet is reachable through a mGRE tunnel. A resolution request is sent to a hub to acquire a routable IP address. The packets sent to the hub are encapsulated, and encrypting until a resolution reply is received and until security associations (SAs) have been exchanged. Then a VPN is established between the ingress and egress PEs and is used for all subsequent packets.

83 Citations

View as Search Results

20 Claims

1. A method of providing an encrypted multipoint Virtual Private Network (VPN) service comprising:
- receiving a first packet of a plurality of packets at an ingress Provider Edge (PE) router in a network including a hub and an egress PE router, the plurality of packets destined for a remote server in communication with said egress PE router;
  
  performing a lookup at said ingress PE router for a destination prefix of said first packet, and determining that a next-hop for said first packet is reachable through a tunnel;
  
  sending, by said ingress PE router, a resolution request to said hub to acquire a routable Internet Protocol (IP) address associated with said egress PE router;
  
  encapsulating, encrypting and sending said packets to said hub until a resolution reply is received by said ingress PE router and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said packets carrying a bit set in said header indicating that said header includes a tunnel IP address of said egress PE router which should be used for forwarding said packets;
  
  receiving a resolution reply from said hub at said ingress PE router;
  
  updating a next-hop cache of said ingress PE router;
  
  exchanging IPSec SAs with said egress PE router;
  
  updating an FIB entry with said SAs; and
  
  establishing a VPN between said egress PE router and said ingress PE router, and forwarding all subsequent packets of said plurality of packets destined for said egress PE router directly towards said egress PE router across said VPN established between said egress PE router and said ingress PE router.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein said encapsulating further comprises said hub removing a delivery IP header and tunnel header and utilizing said tunnel IP address to find a corresponding routable IP address in its cache.
  - 3. The method of claim 2 further comprising said hub encrypting and encapsulating a payload IP packet with a label and forwarding said packet to said egress PE router
  - 4. The method of claim 1 further comprising dynamically discovering any route reflectors clients in said network.
  - 5. The method of claim 4 wherein said dynamically discovering further comprises establishing sessions with said route reflectors clients to exchange routing information.
  - 6. The method of claim 1 further comprising performing one of the group consisting of tearing down said VPN when the plurality of packets have been forwarded to said egress PE router, and maintaining said VPN when the plurality of packets have been forwarded to said egress PE router.
  - 7. The method of claim 1 further comprising using at least one additional hub in communication with said ingress PE router and said egress PE router to provide at least one of fault tolerance and load balancing.

8. A computer readable medium having computer readable code thereon for providing an encrypted multipoint Virtual Private Network (VPN) service, the medium comprising:
- instructions for receiving a first packet of a plurality of packets at an ingress Provider Edge (PE) router in a network including a hub and an egress PE router, the plurality of packets destined for a remote server in communication with said egress PE router;
  
  instructions for performing a lookup at said ingress PE router for a destination prefix of said first packet, and determining that a next-hop for said first packet is reachable through a tunnel;
  
  instructions for sending, by said ingress PE router, a resolution request to said hub to acquire a routable Internet Protocol (IP) address associated with said egress PE router;
  
  instructions for encapsulating, encrypting and sending said packets to said hub until a resolution reply is received by said ingress PE router and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said packets carrying a bit set in said header that indicates said header includes a tunnel IP address of said egress PE router to be sued for forwarding said packets;
  
  instructions for receiving a resolution reply from said hub at said ingress PE router;
  
  instructions for updating a next-hop cache of said ingress PE router;
  
  instructions for exchanging IPSec SAs with said egress PE router;
  
  instructions for updating an FIB entry with said SAs; and
  
  instructions for establishing a VPN between said egress PE router and said ingress PE router, and forwarding all subsequent packets of said plurality of packets destined for said egress PE router directly towards said egress PE router across said VPN established between said egress PE router and said ingress PE router.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable medium of claim 8 wherein said instructions for encapsulating further comprises instructions for said hub for removing a delivery IP header and tunnel header and utilizing said tunnel IP address to find a corresponding routable IP address in its cache.
  - 10. The computer readable medium of claim 9 further comprising instructions for said hub encrypting and encapsulating a payload IP packet with a label and forwarding said packet to said egress PE router
  - 11. The computer readable medium of claim 8 further comprising instructions for dynamically discovering any route reflectors clients in said network.
  - 12. The computer readable medium of claim 11 further comprising instructions for establishing sessions with said route reflectors clients to exchange routing information.
  - 13. The computer readable medium of claim 8 further comprising instructions for performing one of the group consisting of tearing down said VPN when the plurality of packets have been forwarded to said egress PE router, and maintaining said VPN when the plurality of packets have been forwarded to said egress PE router.
  - 14. The computer readable medium of claim 8 further comprising instructions for using at least one additional hub in communication with said ingress PE router and said egress PE router to provide at least one of fault tolerance and load balancing.

15. An ingress Provider Edge (PE) router comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface; and
  
  wherein the memory is encoded with an application providing an encrypted multipoint Virtual Private Network (VPN) service that when performed on the processor, provides a process for processing information, the process causing the computer system to perform the operations of;
  
  receiving a first packet of a plurality of packets in a network including a hub and an egress Provider Edge (PE) router, the plurality of packets destined for a remote server in communication with said egress PE router;
  
  performing a lookup at said ingress PE router for a destination prefix of said first packet, and determining that a next-hop for said first packet is reachable through a tunnel;
  
  sending a resolution request to said hub to acquire a routable Internet Protocol (IP) address associated with said egress PE router;
  
  encapsulating, encrypting and sending said packets to said hub until a resolution reply is received and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said packets carrying a bit set in said header indicating that said header includes a tunnel IP address of said egress PE router which should be used for forwarding said packets;
  
  receiving a resolution reply from said hub;
  
  updating a next-hop cache;
  
  exchanging SAs with said egress PE router;
  
  updating an FIB entry with said SAs; and
  
  establishing a VPN with said ingress PE router, and forwarding all subsequent packets of said plurality of packets destined for said egress PE router directly towards said egress PE router across said VPN established between said egress PE router and said ingress PE router.
- View Dependent Claims (16, 17, 20)
- - 16. The ingress PE router of claim 15 wherein said ingress PE router performs one of the group consisting of tearing down said VPN when the plurality of packets have been forwarded to said egress PE router router, and maintaining said VPN when the plurality of packets have been forwarded to said egress PE router router.
  - 17. The ingress router of claim 15 wherein said ingress PE router dynamically discovers any route reflectors clients in said network, and establishes sessions with said route reflectors clients to exchange routing information.
  - 20. The hub of claim 16 further performing the operation of encrypting and encapsulating a payload IP packet with a label and forwarding said packet to said egress PE router.

18. A hub comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface; and
  
  wherein the memory is encoded with an application providing an encrypted multipoint Virtual Private Network (VPN) service that when performed on the processor, provides a process for processing information, the process causing the computer system to perform the operations of;
  
  receiving, from an ingress Provider Edge (PE) router, a resolution request to provide a routable Internet Protocol (IP) address associated with said egress PE router;
  
  receiving packets at said hub until a resolution reply is sent to said ingress PE router and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said packets carrying a bit set in said header indicating that said header includes a tunnel IP address of said egress PE router which should be used for forwarding said packets; and
  
  providing a resolution reply to said ingress PE router.
- View Dependent Claims (19)
- - 19. The hub of claim 18 further performing the operation of removing a delivery IP header and a tunnel header and utilizing said tunnel IP address to find a corresponding routable IP address in its cache.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Haseeb Niazi, Mohamed Khalid, Rajiv Asati, Vijay Bollapragada
Original Assignee
Haseeb Niazi, Mohamed Khalid, Rajiv Asati, Vijay Bollapragada
Inventors
Khalid, Mohamed, Asati, Rajiv, Niazi, Haseeb, Bollapragada, Vijay

Granted Patent

US 7,590,123 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/17   Shortcut routing, e.g. usin...

H04L 45/80   Ingress point selection by ...

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

Method of providing an encrypted multipoint VPN service

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method of providing an encrypted multipoint VPN service

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others