Dynamic Network Tunnel Endpoint Selection

US 20090031415A1
Filed: 07/26/2007
Published: 01/29/2009
Est. Priority Date: 07/26/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of selecting a network tunnel endpoint, comprising:

dynamically selecting, from among a plurality of selectable tunnel endpoints, a particular one of the selectable tunnel endpoints for tunneling into an enterprise network, wherein the particular one has a lowest cost according to cost metric information associated with reaching a destination in the enterprise network from each of the selectable tunnel endpoints; and

establishing the network tunnel using the particular one of the selectable tunnel endpoints.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Dynamically selecting an endpoint for a tunnel into an enterprise computing infrastructure. A client dynamically selects a gateway (which may alternatively be referred to as a boundary device or server) as a tunnel endpoint for connecting over a public network (or, more generally, an untrusted network) into an enterprise computing infrastructure. The selection is made, in preferred embodiments, according to least-cost routing metrics pertaining to paths through the enterprise network from the selected gateway to a destination host. The least-cost routing metrics may be computed using factors such as the proximity of selectable tunnel endpoints to the destination host; stability or redundancy of network resources for this gateway; monetary costs of transmitting data over a path between the selectable tunnel endpoints and destination host; congestion on that path; hop count for that path; and/or latency or transmit time for data on that path.

79 Citations

View as Search Results

18 Claims

1. A computer-implemented method of selecting a network tunnel endpoint, comprising:
- dynamically selecting, from among a plurality of selectable tunnel endpoints, a particular one of the selectable tunnel endpoints for tunneling into an enterprise network, wherein the particular one has a lowest cost according to cost metric information associated with reaching a destination in the enterprise network from each of the selectable tunnel endpoints; and
  
  establishing the network tunnel using the particular one of the selectable tunnel endpoints.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein the network tunnel is a virtual private network (“
    - VPN”
      
      ) tunnel.
  - 3. The method according to claim 1, wherein the dynamically selecting is performed by a client that then initiates the establishing of the network tunnel.
  - 4. The method according to claim 3, wherein the cost metric information is specified in a data structure accessible to the client.
  - 5. The method according to claim 1, wherein the cost metric information comprises at least one of:
    - proximity of the selectable tunnel endpoints to the destination;
      
      stability or redundancy of network resources associated with the selectable tunnel endpoints;
      
      monetary costs of transmitting data over a path between the selectable tunnel endpoints and the destination;
      
      congestion on the path;
      
      hop count for the path; and
      
      transmit time for data on the path.
  - 6. The method according to claim 1, wherein each of the selectable tunnel endpoints is identified using a destination filter, the destination filter for each of the selectable tunnel endpoints comprising at least one of:
    - an identification of the destination;
      
      a source port number associated with an application that will use the tunnel;
      
      a destination port number associated with the application; and
      
      a destination subnet.
  - 7. The method according to claim 6, wherein the dynamically selecting further comprises comparing an identification of the destination to the destination filter for selected ones of the selectable tunnel endpoints until determining that the destination filter for the particular one of the selectable tunnel endpoints applies to the identified destination.
  - 8. The method according to claim 1, further comprising:
    - performing the dynamically selecting for each of a plurality of destinations in the enterprise network, thereby selecting at least two different ones of the selectable tunnel endpoints for tunneling into the enterprise network from a client outside the enterprise network; and
      
      performing the establishing, by the client, for each of the at least two different ones of the selectable tunnel endpoints, thereby enabling the client to communicate with each of the plurality of destinations using distinct network tunnels from the client to each of the at least two different ones.
  - 9. The method according to claim 1, wherein the dynamically selecting is performed for a client in an untrusted network environment and occurs responsive to a notification sent to the client from an initial tunnel endpoint in the enterprise network, wherein the notification directs the client to select a different tunnel endpoint for reaching the destination.
  - 10. The method according to claim 6, wherein the dynamically selecting further comprises:
    - dynamically issuing a probe for cost metric information for reaching the destination when a comparison of an identification of the destination to the destination filter for the selectable tunnel endpoints determines that no destination filter matches the identified destination; and
      
      performing the dynamically selecting using results received responsive to the dynamically-issued probe.
  - 11. The method according to claim 1, wherein:
    - the dynamically selecting and the establishing are performed by a client in an untrusted network environment; and
      
      the cost metric information is distributed to the client upon detecting that the client is preparing to establish the network tunnel.
  - 12. The method according to claim 1, wherein the network tunnel traverses an untrusted network.
  - 13. The method according to claim 1, wherein the network tunnel traverses one of:
    - a private mobile radio network;
      
      a private enterprise network; and
      
      an i2 network.
  - 14. The method according to claim 1, wherein the cost metric information associated with reaching the destination from at least one of the selectable tunnel endpoints is periodically revised.
  - 15. The method according to claim 1, wherein:
    - the dynamically selecting is performed for a client outside the enterprise network;
      
      the network tunnel is established between the client and the particular one of the selectable tunnel endpoints;
      
      the particular one of the selectable tunnel endpoints establishes a connection through the enterprise network to the destination; and
      
      communications between the client and the destination use the established network tunnel and the established connection.
  - 16. The method according to claim 1, wherein:
    - the dynamically selecting is performed for a client outside the enterprise network;
      
      the network tunnel is established between the client and the particular one of the selectable tunnel endpoints;
      
      the destination is co-located with the particular one of the selectable tunnel endpoints; and
      
      communications between the client and the destination use the established network tunnel.

17. A system for establishing a network tunnel across an untrusted network environment, comprising:
- a plurality of selectable tunnel endpoints;
  
  a client operably connected to the untrusted network environment;
  
  a destination operably connected to an enterprise network;
  
  cost metric information associated with reaching the destination from each of the selectable tunnel endpoints;
  
  a selector for dynamically selecting a particular one of the selectable tunnel endpoints for tunneling into the enterprise network, wherein the particular one has a lowest cost according to the cost metric information associated with reaching the destination; and
  
  an establisher for establishing the network tunnel from the client to the particular one of the selectable tunnel endpoints.

18. A computer program product for establishing a network tunnel, the computer program product comprising at least one computer-usable storage media storing computer-usable program code, wherein the computer-usable program code, when executed on a computer, causes the computer to:
- dynamically select, from among a plurality of selectable tunnel endpoints, a particular one of the selectable tunnel endpoints for tunneling into an enterprise network, wherein the particular one has a lowest cost according to cost metric information associated with reaching a destination in the enterprise network from each of the selectable tunnel endpoints; and
  
  establish the network tunnel using the particular one of the selectable tunnel endpoints.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Heninger, Ivan M., Marano, Clifford D., Kari, John D., Urgo, David M., Aldridge, M. Lynn, Dill, Peter C.

Granted Patent

US 7,992,201 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0272 Virtual private networks

Dynamic Network Tunnel Endpoint Selection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic Network Tunnel Endpoint Selection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links