Methods and apparatus for tunnel stitching in a network

US 20070248091A1
Filed: 04/24/2006
Published: 10/25/2007
Est. Priority Date: 04/24/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving a key exchange request message originating from a source node in a first type of network, the key exchange request message including a request to create a secured connection using encryption keys;

in response to receiving the key exchange request message, utilizing a unique identifier in the key exchange request message to identify a virtual private network associated with the second type of network; and

in lieu of responding to the key exchange request message and providing encryption key information to the source node, utilizing a corresponding forwarding table associated with the virtual private network identified by the unique identifier for purposes forwarding the key exchange request message to a destination in the second type of network to establish the secured connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An edge router (disposed between a packet-switched network and a label-switching network) is configured to receive an IKE message originating from a client on the Internet (e.g., packet-switched network) attempting to set up a tunnel. Upon receipt of the IKE message, the edge router utilizes a unique identifier in the IKE message to identify a virtual private network in the label-switching network. In lieu of terminating an IPSec tunnel at the edge router and performing a respective key exchange with the client, the edge router identifies a corresponding forwarding table associated with the virtual private network (identified by the unique identifier in the IKE message) and, based on the corresponding forwarding table, forwards the IKE message to a destination reachable via the label-switching network. The destination (e.g., a key server in a corresponding VPN) communicates with the client through the edge router to set up the tunnel.

93 Citations

View as Search Results

25 Claims

1. A method comprising:
- receiving a key exchange request message originating from a source node in a first type of network, the key exchange request message including a request to create a secured connection using encryption keys;
  
  in response to receiving the key exchange request message, utilizing a unique identifier in the key exchange request message to identify a virtual private network associated with the second type of network; and
  
  in lieu of responding to the key exchange request message and providing encryption key information to the source node, utilizing a corresponding forwarding table associated with the virtual private network identified by the unique identifier for purposes forwarding the key exchange request message to a destination in the second type of network to establish the secured connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as in claim 1 further comprising:
    - maintaining a mapping association amongst the unique identifier, the destination, and the corresponding forwarding table associated with the virtual private network to enable forwarding of the key exchange request message to the destination in the virtual private network.
  - 3. A method as in claim 1, wherein receiving the key exchange request message from the source node includes receiving an IKE (Internet Key Exchange) message from the source node that resides in a packet-switching type of network, the IKE message being used to initiate an exchange of encryption key information for purposes of creating the secured connection.
  - 4. A method as in claim 3, wherein forwarding the key exchange request message to the destination includes continuing forwarding of the IKE message to the destination over a label-switching type of network based on information in the corresponding forwarding table.
  - 5. A method as in claim 4, wherein forwarding the key exchange request message to the destination occurs in lieu of terminating the secured connection at an intermediate node between the source node and the destination, the method further comprising:
    - utilizing a same overlapping address on both the destination node as well as the intermediate node.
  - 6. A method as in claim 1, wherein forwarding the key exchange request message to the destination occurs in lieu of terminating the secured connection at an intermediate node between the source node and the destination.
  - 7. A method as in claim 1 further comprising:
    - advertising routing information to the virtual private network for purposes of notifying the destination of a return routing path through the second type of network from the destination to the source node.
  - 8. A method as in claim 1, wherein receiving the key exchange request message includes receiving the key exchange request message from the source node that transmitted the key exchange request message over a packet-switched type of network to an edge router associated with the second type of network;
    - and wherein utilizing the unique identifier in the request key exchange request message to identify the virtual private network associated with the second type of network includes utilizing the unique identifier in the key exchange request message at the edge router to identify a key exchange server in a label-switching network environment in which to forward the key exchange request message from the edge router to the destination.
  - 9. A method as in claim 1, wherein forwarding the key exchange request message to the destination node in the second type of network alleviates an intermediate node other than the destination in the virtual private network from having to engage in a key exchange with the source node for purposes of establishing the secured connection.
  - 10. A method as in claim 1, wherein forwarding the key exchange request message to the destination in the second type of network includes forwarding the key exchange request message to a key server in the second type of network.
  - 11. A method as in claim 1 further comprising:
    - upon receipt of the key exchange request message from the source node, installing a route path to the source node in the corresponding forwarding table to enable forwarding of return communications from the destination to the source node; and
      
      advertising the route path to the virtual private network identified by the unique identifier.
  - 12. A method as in claim 1 further comprising:
    - initiating a stitching function with respect to the corresponding forwarding table to map the key exchange request message from the source node to the virtual private network, utilization of the stitching function preventing dissemination of specific address or other information associated with the destination to entities in the first type of network.

13. A method comprising:
- receiving a key exchange request message from a source node in a first type of network, the key exchange request message being transmitted by the source node to initiate communications with an edge router between the first type of network and a second type of network for purposes of creating a secured connection using encryption keys; and
  
  in lieu of terminating the secured connection at the edge router, utilizing a forwarding table maintained by the edge router to forward the key exchange request message to a destination node in the second type of network for purposes of enabling a key exchange between the source node and the destination node through the edge router.

14. A data communication device supporting data flows between a first type of network and a second type of network, the data communication device being configured to:
- i) receive a key exchange request message originating from a source node in the first type of network, ii) utilize a unique identifier in the key exchange request message to identify a virtual private network associated with the second type of network; and
  
  iii) identify a corresponding forwarding table associated with the virtual private network identified by the unique identifier, and iv) in lieu of responding to the key exchange request message and providing encryption key information, forward the key exchange request message to a destination in the second type of network to create a secured connection between the source node in the first type of network and the destination in the second type of network using encryption keys.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. A data communication device as in claim 14, wherein the first type of network is a packet-switched network and the second type of network is at least one of a label-switching network and a packet-switched network.
  - 16. A data communication device as in claim 15, wherein the key exchange request message is an IKE (Internet Key Exchange) message including an IKE identifier associated with a corresponding IKE aggressive mode, the IKE message originated by the source node, the IKE message being used to initiate an exchange of encryption key information for purposes of creating the secured connection.
  - 17. A data communication device as in claim 16, which is configured to forward the key exchange request message to the destination in lieu of terminating the secured connection at the data communication device.
  - 18. A data communication device as in claim 14 configured to forward the key exchange request message to a key server in the second type of network in lieu of initiating a process to exchange key information between the data communication device and the source node.
  - 19. A data communication device as in claim 14 configured to install a route path to the source node in the corresponding forwarding table to enable forwarding of return communications from the destination to the source node.
  - 20. A data communication device as in claim 19 configured to advertise the route path to network nodes associated with the virtual private network.

21. A computer program product including a computer-readable medium having instructions stored thereon for processing data information, such that the instructions, when carried out by a processing device, enable the processing device to perform the steps of:
- receiving a key exchange request message originating from a source node in a first type of network, the key exchange request message including a request to create a secured connection between the source node in the first type of network and a destination in a second type of network;
  
  in response to receiving the key exchange request message, utilizing a unique identifier in the request key exchange request message to identify a virtual private network associated with the second type of network; and
  
  in lieu of responding to the key exchange request message and providing encryption key information to the source node, utilizing a corresponding forwarding table associated with the virtual private network identified by the unique identifier for purposes forwarding the key exchange request message to the destination in the second type of network.
- View Dependent Claims (22, 23)
- - 22. A computer program product as in claim 21, wherein receiving the key exchange request message from the source node includes receiving an IKE (Internet Key Exchange) message from the source node that resides in a packet-switching type of network, the IKE message being used to initiate an exchange of encryption key information for purposes of creating the secured connection;
    - and wherein forwarding the key exchange request message to the destination includes initiating forwarding of the IKE message to the destination over a label-switching type of network based on information in the corresponding forwarding table in lieu of terminating the secured connection at an intermediate node between the source node and the destination.
  - 23. A computer program product as in claim 21, wherein receiving the key exchange request message includes receiving the key exchange request message from the source node that transmitted the key exchange request message over a packet-switched type of network to an edge router associated with the second type of network;
    - and wherein utilizing the unique identifier in the request key exchange request message to identify the virtual private network associated with the second type of network includes utilizing the unique identifier in the key exchange request message at the edge router to identify a key exchange server in a label-switching network environment in which to forward the key exchange request message from the edge router to the destination.

24. A computer system comprising:
- a processor;
  
  a memory unit that stores instructions associated with an application executed by the processor; and
  
  an interconnect coupling the processor and the memory unit, enabling the computer system to execute the application and perform operations of;
  
  receiving a key exchange request message originating from a source node in a first type of network, the key exchange request message including a request to create a secured connection between the source node in the first type of network and a destination in a second type of network;
  
  in response to receiving the key exchange request message, utilizing a unique identifier in the key exchange request message to identify a virtual private network associated with the second type of network; and
  
  in lieu of responding to the key exchange request message and providing encryption key information to the source node, utilizing a corresponding forwarding table associated with the virtual private network identified by the unique identifier for purposes forwarding the key exchange request message to the destination in the second type of network.

25. A computer readable medium having computer readable code thereon, the computer-readable medium comprising:
- instructions for transmitting a key exchange request message originating from a source node in a first type of network to a data communication device, the data communication device configured to;
  
  receive the key exchange request message originating from the source node;
  
  in response to receiving the key exchange request message, utilize a unique identifier in the key exchange request message to identify a virtual private network associated with a virtual private network in a second type of network; and
  
  in lieu of responding to the key exchange request message and providing encryption key information to the source node, utilize a corresponding forwarding table associated with the virtual private network identified by the unique identifier for purposes forwarding the key exchange request message to a destination node of the virtual private network and support establishment of a secured connection between the source node and the destination node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Khalid, Mohamed, Cherukuri, Sunil, Asati, Rajiv, Bollapragada, Vijay

Application Number

US11/409,586
Publication Number

US 20070248091A1
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/061   for key exchange, e.g. in p...

Methods and apparatus for tunnel stitching in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

93 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus for tunnel stitching in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others