Ethernet encryption over resilient virtual private LAN services

US 20080192739A1
Filed: 02/14/2007
Published: 08/14/2008
Est. Priority Date: 02/14/2007
Status: Active Grant

First Claim

Patent Images

1. A method for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising the steps of:

providing a customer edge (CE) router function, located within the enterprise network, operable for providing the data packet;

a Policy Enforcement Point (PEP) function, operable for;

applying an Ethernet encryption protocol to the data packet; and

applying a security association policy to the data packet;

a provider edge router function, located within the service provider network, operable for;

applying an MPLS protocol to the data packet to provide a Virtual Private LAN Network (VPLS) service to the enterprise; and

forwarding the data packet according to the MAC learning and aging functions provided by the VPLS service.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encryption of Ethernet/IEEE 802.3 packet data units (PDUs) at the edge of the enterprise network, in such a way as to support resilient Virtual Private LAN Services (VPLS) network designs. The Ethernet traffic is securely tunneled within encrypted Ethernet tunnels from the edge to the edge of the enterprise network. The encrypted Ethernet traffic is also tunneled within Multi-Protocol Layer Switching (MPLS) tunnels from the edge to the edge of the service provider network. The enterprise network thus manages its own Ethernet site-to-site Virtual Private Network (VPN). The service provider thus independently manages its own MPLS network. The result provides a VPLS or Layer 2 MPLS VPN to the enterprise; the enterprise Ethernet encrypted network can thus be considered as an overlay to the MPLS service provider network.

Citations

20 Claims

1. A method for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising the steps of:
- providing a customer edge (CE) router function, located within the enterprise network, operable for providing the data packet;
  
  a Policy Enforcement Point (PEP) function, operable for;
  
  applying an Ethernet encryption protocol to the data packet; and
  
  applying a security association policy to the data packet;
  
  a provider edge router function, located within the service provider network, operable for;
  
  applying an MPLS protocol to the data packet to provide a Virtual Private LAN Network (VPLS) service to the enterprise; and
  
  forwarding the data packet according to the MAC learning and aging functions provided by the VPLS service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, additionally comprising the steps of:
    - the PEPs operable for receiving the security association from a network overlay that is responsible for distributing the security policy and the encryption key to the PEPs.
  - 3. The method of claim 2 wherein the network overlay additionally comprises:
    - a security policy layer; and
      
      an encryption key layer.
  - 4. The method of claim 3 wherein the security policy layer is provided by a Management and Policy (MAP) server and the encryption key layer is provided by a Key Authority Point (KAP) server.
  - 5. The method of claim 4 wherein one outbound encryption key is provided for each PEP site that becomes the inbound encryption key for the other PEP sites.
  - 6. The method of claim 4 further comprising the following steps operable by the KAP:
    - generating one key; and
      
      distributing the same key both for inbound traffic and outbound traffic for each associated PEP.
  - 7. The method of claim 1, further comprising the steps of:
    - maintaining the original MAC address header in the data packet in the clear; and
      
      encrypting only the Ethernet payload of the data packet;
  - 8. The method of claim 1, further comprising the steps of:
    - providing resiliency, by connecting two or more CEs to two or more PEs.
  - 9. The method of claim 8 wherein two PEs are controlled by different service providers.
  - 10. The method of claim 8 wherein the method provides for full mesh connectivity between n sites, where n is greater than 2, enterprise sites is provided by only 2 security associations.

11. An apparatus for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising:
- a customer edge (CE) router function, located within the enterprise network, for;
  
  providing the data packet;
  
  a Policy Enforcement Point (PEP) function, for;
  
  applying an Ethernet encryption protocol to the data packet; and
  
  applying a security association policy to the data packet;
  
  a provider edge router function, located within the service provider network, for;
  
  applying an MPLS protocol to the data packet to provide a Virtual Private LAN Network (VPLS) service to the enterprise; and
  
  forwarding the data packet according to the MAC learning and aging functions provided by the VPLS service.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, further comprising:
    - receiving the security association from a network overlay that is responsible for distributing the security policy and the encryption key to the PEPs.
  - 13. The apparatus of claim 12 wherein the network overlay further comprises:
    - a security policy layer; and
      
      an encryption key layer.
  - 14. The apparatus of claim 13 wherein the security policy layer is provided by a Management and Policy (MAP) server and the encryption key layer is provided by a Key Authority Point (KAP) server.
  - 15. The apparatus of claim 14 wherein one outbound encryption key is provided for each PEP site that becomes the inbound encryption key for the other PEP sites.
  - 16. The apparatus of claim 14 further comprising, by the KAP:
    - generating one key; and
      
      distributing the same key both for inbound traffic and outbound traffic for each associated PEP.
  - 17. The apparatus of claim 11, further comprising:
    - Maintaining the original MAC address header in the data packet in the clear; and
      
      encrypting only the Ethernet payload of the data packet;
  - 18. The apparatus of claim 11, further comprising two or more CEs operable in communication with two or more PEs for providing resiliency.
  - 19. The apparatus of claim 18 wherein two PEs are controlled by different service providers.
  - 20. The apparatus of claim 18 wherein the network includes full mesh connectivity between n sites, where n is greater than 2, enterprise sites is provided by only 2 security associations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Carrasco, Serge-Paul

Granted Patent

US 7,864,762 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/50   using label swapping, e.g. ...

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

Ethernet encryption over resilient virtual private LAN services

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Ethernet encryption over resilient virtual private LAN services

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links