Method and apparatus for learning endpoint addresses of IPSec VPN tunnels

US 20080080509A1
Filed: 09/29/2006
Published: 04/03/2008
Est. Priority Date: 09/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method of communicating an endpoint address of an Internet Protocol Security (IPSec) Virtual Private Network (VPN) tunnel, the method comprising the steps of:

formatting a Multiprotocol Border Gateway Protocol (MPBGP) route advertisement to include a route distinguisher;

ip-prefix, an endpoint address of an IPSec VPN tunnel, and a route target; and

transmitting the MPBGP route advertisement.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Customer Edge (CE) network elements can automatically learn IPSec tunnel endpoints for other CEs connected to sites in a Virtual Private Network (VPN) so that manual configuration of IPSec tunnel endpoints is not required and so that a centralized database of IPSec tunnel endpoints is not required to be separately maintained. According to an embodiment of the invention, a BGP export route policy is set on all CEs, so that when they announce their VPN routes in the standard format, the application of this export route policy changes the announcement to replace the BGP peering point address that would ordinarily be advertised with the IPSec tunnel endpoint address. When any given site receives a VPN route update formatted in this manner, it processes the VPN route update and learns from the update the IPSec tunnel endpoint as well as the associated VPN routes.

179 Citations

15 Claims

1. A method of communicating an endpoint address of an Internet Protocol Security (IPSec) Virtual Private Network (VPN) tunnel, the method comprising the steps of:
- formatting a Multiprotocol Border Gateway Protocol (MPBGP) route advertisement to include a route distinguisher;
  
  ip-prefix, an endpoint address of an IPSec VPN tunnel, and a route target; and
  
  transmitting the MPBGP route advertisement.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the route distinguisher:
    - ip-prefix identifies the route, wherein the route target identifies a VPN with which the route is associated.
  - 3. The method of claim 1, further comprising the step of receiving route information comprising the route distinguisher:
    - ip-prefix, a peering point address, and the route target, and wherein the step of formatting comprises replacing the peering point address with the endpoint address of the IPSec VPN tunnel.
  - 4. The method of claim 3, wherein the peering point address and the endpoint address of the IPSec VPN tunnel are different addresses on a CE network element.
  - 5. The method of claim 4, wherein the method further comprises causing the CE network element to segregate routes by implementing VRFs according to IETF RFC 2547.

6. A Multiprotocol Border Gateway Protocol (MPBGP) route advertisement, comprising:
- a route distinguisher;
  
  IP-prefix;
  
  an Internet Protocol Security (IPSec) Virtual Private Network (VPN) tunnel endpoint address; and
  
  a route target.
- View Dependent Claims (7, 8, 9)
- - 7. The MPBGP route advertisement of claim 6, wherein the route target identifies a VPN associated with the route advertisement, and wherein the route distinguisher identifies a unique address within the enterprise for the case of overlapping ip addresses among VPNs.
  - 8. The MPBGP route advertisement of claim 7, wherein the format of the route advertisement is <
    - RD;
      
      prefix, VPN-nh, RT>
      
      , in which RD;
      
      prefix is the route distinguisher and ip prefix, VPN-nh is the IPSec VPN tunnel endpoint address, and RT is the route target.
  - 9. The MPBGP route advertisement of claim 7, wherein the IPSec VPN tunnel endpoint address is a public address of a Customer Edge network element configured to implement the VPN tunnel on behalf of at least one VPN site.

10. A network, comprising:
- a Group Controller Key Server (GCKS),a plurality of Customer Edge (CE) network elements, each of the CE network elements having an established secure control channel between a routing peering endpoint address on the CE and the GCKS, each of the CE network elements also having at least one established secure data channel having a secure data channel endpoint address other than the routing peering endpoint address;
  
  wherein each of the CE network elements includes a routing table containing routing information correlating routes with the secure data channel endpoint addresses of the other CE network elements; and
  
  wherein each of the CE network elements is configured to transmit route advertisements containing both route information and the secure data channel endpoint address of that CE network element.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The network of claim 10, wherein the route advertisements are Multiprotocol Border Gateway Protocol (MPBGP) route advertisements that include a route distinguisher:
    - IP-prefix, an endpoint address of an IPSec VPN tunnel, and a route target.
  - 12. The network of claim 10, wherein the CE network elements are all associated with an enterprise.
  - 13. The network of claim 10, wherein the secure data channels are formed using IPSec.
  - 14. The network of claim 10, wherein the secure data channels use a common key obtained from the GCKS.
  - 15. The network of claim 10, wherein a BGP route export policy is set on each of the CE network elements to change a MPBGP peering point address in route advertisements to be transmitted to the endpoint address of the IPSec VPN tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Chao, John, Khanna, Bakul, Jesuraj, Ramasamy, Lee, Robert

Granted Patent

US 7,907,595 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/00   Routing or path finding of ...

H04L 45/02   Topology update or discovery

H04L 45/033   by updating distance vector...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/50   using label swapping, e.g. ...

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

Method and apparatus for learning endpoint addresses of IPSec VPN tunnels

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

179 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for learning endpoint addresses of IPSec VPN tunnels

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links