MULTI-DOMAIN DYNAMIC GROUP VIRTUAL PRIVATE NETWORKS

US 20080215880A1
Filed: 03/02/2007
Published: 09/04/2008
Est. Priority Date: 03/02/2007
Status: Active Grant

First Claim

Patent Images

1. A system that facilitates secure communication of data, comprising:

a security component associated with a network in a first domain that obtains a subset of keying material and a subset of crypto-policy information associated with a disparate network in a disparate domain and facilitates the encryption of the data in accordance with the subset of keying material and the subset of crypto-policy information; and

a routing component that is associated with the security component and transmits the encrypted data from the network in the first domain to the disparate network in the disparate domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and/or methods of secure communication of information between multi-domain virtual private networks (VPNs) are presented. A dynamic group VPN (DGVPN) can reside in one domain and a disparate DGVPN can reside in a disparate domain. An administrative security authority (ASA) can be employed in each domain. Each ASA can generate and exchange respective keying material and crypto-policy information to be used for inter-domain communications when routing data from a member in one DGVPN to a member(s) in the disparate DGVPN, such that an ASA in one domain can facilitate encryption of data in accordance with the policy of the other domain before the data is sent to the other domain. Each ASA can establish a key server to generate the keying material and crypto-policy information associated with its local DGVPN, and such material and information can be propagated to intra-domain members.

47 Citations

View as Search Results

20 Claims

1. A system that facilitates secure communication of data, comprising:
- a security component associated with a network in a first domain that obtains a subset of keying material and a subset of crypto-policy information associated with a disparate network in a disparate domain and facilitates the encryption of the data in accordance with the subset of keying material and the subset of crypto-policy information; and
  
  a routing component that is associated with the security component and transmits the encrypted data from the network in the first domain to the disparate network in the disparate domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the network is a dynamic group virtual private network.
  - 3. The system of claim 1, wherein the security component is a key server.
  - 4. The system of claim 1, further comprising a disparate routing component that is associated with the disparate network that receives the encrypted data, and a disparate security component associated with the disparate network decrypts the encrypted data according to the crypto-policy associated with the disparate network.
  - 5. The system of claim 4, wherein the decrypted data is presented to an entity associated with the disparate network.
  - 6. The system of claim 1, wherein the security component is authenticated prior to obtaining a subset of keying material and a subset of crypto-policy information, the security component is authenticated by a disparate security component associated with the disparate network.
  - 7. The system of claim 1, wherein the security component generates a subset of keying material and a subset of crypto-policy information associated with the network and transmits such material and information to a disparate security component associated with the disparate network.
  - 8. The system of claim 1, further comprising:
    - an interface component that can employ a virtual private network routing/forwarding instance global-interface outbound crypto-map mapping such that crypto-policy is applied to data packets outside the first domain.
  - 9. The system of claim 1, wherein the subset of crypto-policy information is associated with a crypto-policy that comprises a list of prefixes to which the crypto-policy is applied.
  - 10. The system of claim 1, wherein the subset of crypto-policy information is associated with a plurality of prefixes, each prefix of the plurality of prefixes is marked during as part of the routing protocol between a border router associated with the first domain and a disparate border router associated with the disparate domain.
  - 11. The system of claim 1, wherein the subset of crypto-policy information is associated with a crypto-policy, the crypto-policy is associated with prefixes that serve as multicast sources such that at least one receiver in the disparate domain obtains key material associated with and for inter-domain multicast trees.
  - 12. The system of claim 1, wherein the security component secures data in accordance with a crypto-policy associated with at least one of the network associated with the first domain or the disparate network associated with the disparate domain.

13. A method that facilitates communication of data, comprising:
- receiving keying material and crypto-policy information, associated with a first domain, from another domain, the keying material and the crypto-policy information are associated with the other domain;
  
  encrypting data packets in accordance with the crypto-policy information, the data packets are encrypted in the first domain; and
  
  transmitting the encrypted data packets from the first domain to the other domain.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, further comprising:
    - generating keying material and crypto-policy information; and
      
      propagating the keying material and crypto-policy information to a router component.
  - 15. The method of claim 14, further comprising:
    - decrypting the data packets after the data packets are received in the other domain, the data packets are decrypted in the other domain; and
      
      transferring the decrypted data packets to a device associated with the other domain.
  - 16. The method of claim 15, further comprising:
    - routing the data packets to prefixes in the other domain.
  - 17. The method of claim 13, further comprising:
    - contacting a disparate security component in the other domain;
      
      authenticating the security component;
      
      establishing a secure channel to facilitate the transfer of the keying material and the crypto-policy information;
      
      requesting the keying material and the crypto-policy information;
      
      generating the keying material and the crypto-policy information; and
      
      sending the keying material and the crypto-policy information to the security component via the secure channel.
  - 18. The method of claim 13, further comprising:
    - generating a list of prefixes to which a crypto-policy associated with the crypto-policy information; and
      
      sending the list of prefixes with the crypto-policy information.
  - 19. The method of claim 13, further comprising:
    - tagging a plurality of prefixes during router distribution.

20. A system, comprising:
- means for obtaining key information and cryptographic information from at least one of a key server associated with a first domain or a disparate key server associated with a different domain;
  
  means for encrypting data in accordance with the key information and the cryptographic information;
  
  means for routing the data from a member in the first domain to another member associated with at least one of the first domain or the different domain; and
  
  means for decrypting the data in accordance with the key information and the cryptographic information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Guichard, James Neil, Wainner, Warren Scott, Weis, Brian E.

Granted Patent

US 8,713,669 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/162
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/065   for group communications cr...

MULTI-DOMAIN DYNAMIC GROUP VIRTUAL PRIVATE NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-DOMAIN DYNAMIC GROUP VIRTUAL PRIVATE NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links