IP encryption over resilient BGP/MPLS IP VPN
Abstract
Encryption of Internet Protocol (IP) traffic using IP Security (IPSec) at the edge of the enterprise network, in a way that supports resilient BGP/MPLS IP VPN network designs. The IP traffic is carried in IPSec tunnels from edge to edge of the enterprise network, and that IPSec traffic is in turn carried in MPLS tunnels from edge to edge of the service provider network. The enterprise therefore manages its own IPSec site-to-site VPN, while the service provider independently manages its own MPLS network. The result is an IP VPN (Layer 3 MPLS VPN) delivered to the enterprise, with the enterprise IPSec network acting as an overlay on the MPLS service provider network.
20 Claims
1. A method for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising:
a customer edge (CE) router function, located within the enterprise network, for:
providing the data packet;
a Policy Enforcement Point (PEP) function, for:
applying an IPSec protocol to the data packet; and
applying a security association policy to the data packet;
a provider edge router function, located within the service provider network, for:
applying an MPLS protocol to the data packet; and
forwarding the data packet according to the enterprise network Virtual Private Network (VPN) routing and forwarding (VRF).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14, 17, 18, 20.
11. An apparatus for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising:
a customer edge (CE) router within the enterprise network for providing the data packet;
a Policy Enforcement Point (PEP) function arranged to:
apply an IPSec protocol to the data packet;
apply a security association policy to the data packet;
and within the service provider network, a provider edge (PE) router arranged to:
apply an MPLS protocol to the data packet;
forward the data packet according to enterprise network Virtual Private Network (VPN) routing and forwarding (VRF) tables.
Dependent claims: 13, 15, 16.
19. The apparatus of claim 17, wherein two PEs are controlled by different service providers.