Global Virtual VPN

US 20090304003A1
Filed: 05/22/2009
Published: 12/10/2009
Est. Priority Date: 05/27/2008
Status: Abandoned Application

First Claim

Patent Images

1. In a virtual private network (VPN) on the public Internet, the process of connecting a first plurality of hubs together using private networks for routing data packets to network destinations wherein at least two hubs of the first plurality of hubs are located on different continents.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and article of manufacture for building next generation improved global virtual private networks over the Internet. The method comprises of building two layers on top of the public infrastructure (001): a network abstraction layer (NAL) (002) and a network virtualization layer (NVL) (003): the NVL (003) is built on top of the NAL (002). The NVL (003) consists in Group Domain of Interpretation (GDOI) domain deployments on virtualized hardware aggregators over a NAL (002). The latter consists in point-to-multipoint Generic Routing Encapsulation (GRE) networks over the Internet (001). Both the NVL (003) and NAL (002) can be deployed using advanced unattended provisioning methodology.

Citations

90 Claims

1. In a virtual private network (VPN) on the public Internet, the process of connecting a first plurality of hubs together using private networks for routing data packets to network destinations wherein at least two hubs of the first plurality of hubs are located on different continents.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 2. The process of claim 1 where the private networks include high speed, low latency circuits.
  - 3. The process of claim 1 wherein at least one hub of the first plurality of hubs is located in an area that has wire-speed Internet service.
  - 4. The process of claim 3 wherein said circuits use at least one WAN optimization technique.
  - 5. The process of claim 4 wherein the WAN optimization technique is selected from the group consisting of WAN optimization techniques consisting of TFO, DRE, adaptive persistent session-based compression, protocol acceleration, content pre-positioning, and meta-caching.
  - 6. The process of claim 4 wherein circuits comprise at least one active path between pairs of connected hubs.
  - 7. The process of claim 1 wherein at least one hub of said first plurality of hubs is connected by the Public Internet to a plurality of spokes and to a second plurality of hubs using virtualized connections, said virtualized connections being network paths carrying distinct network traffic over separate logical links,wherein IP routing defines the routing of said data packets using an IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are first endpoints, and spoke to spoke connectivity occurs only within the same continent by Internet routing,wherein said second plurality of hubs are second endpoints on the same continent, and hub to hub connectivity occurs by IP routing, andwherein LAN IP subnets define all IP network destinations reachable on the internal side of said first and second endpoints.
  - 8. The process of claim 7 wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint, andwherein at the registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint.
  - 9. The process of claim 7 wherein said second plurality of hubs include at least one hub of said first plurality of hubs.
  - 10. The process of claim 7 wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint.
  - 11. The process of claim 9 wherein said first method is the Next Hop Resolution Protocol (NHRP).
  - 12. The process of claim 9 wherein a second method is used to build a network abstraction layer on top of the NBMA network.
  - 13. The process of claim 11 wherein said second method is selected from the group of methods consisting of Generic Routing Encapsulation (GRE), Multipoint Generic Routing Encapsulation (mGRE), Dynamic Multipoint VPN (DMVPN), MultiProtocol Label Switching (MPLS) and Overlay Transport Virtualization (OTV).
  - 14. The process of claim 7 wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way.
  - 15. The process of claim 14 wherein the manner comprises exchanging routing information.
  - 16. The process of claim 15 wherein the manner comprises the at least one hub functioning as a server and the endpoints connected to the at least one hub functioning as clients, whereby at least some of said endpoints communicate with each other without such communication passing through the at least one hub.
  - 17. The process of claim 7 wherein the at least one hub and the endpoints connected to said at least one hub are connected together in a network abstraction layer, each said connected endpoint having IP routing information comprising IP routes to the public IP addresses of the other said connected endpoints.
  - 18. The process of claim 17 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 19. The process of claim 18 wherein the at least one remote agent is operated manually.
  - 20. The process of claims 18 wherein the at least one remote agent comprises an automation daemon.
  - 21. The process of claim 18 wherein the IP routes of said endpoints are stored in a database for use by the at least one remote agent for generating the changes in the endpoint routing table.
  - 22. The process of claim 18 wherein encryption techniques are used to ensure the protection of data exchanged between endpoints.
  - 23. The process of claim 22 wherein the protection is selected from the group of protections consisting of privacy, authentication, integrity, and non-repudiation of an endpoint.
  - 24. The process of claim 18 wherein a virtual tunnel using a set of encryption keys is used between each pair of endpoints.
  - 25. The process of claim 18 wherein a synchronizing protocol is used for distributing the same set of encryption keys to all said endpoints participating in said VPN.
  - 26. The process of claim 22 wherein said same set of encryption keys is used for resolving management issues among the participating endpoints.
  - 27. The process of claim 22 wherein said same set of encryption keys is used for preventing an endpoint from being overwhelmed by delays.
  - 28. The process of claim 26 wherein the synchronizing protocol is GDOI.
  - 29. The process of claim 17 wherein said connectivity is selected from the group of connectivities consisting of endpoint to endpoint connectivity, hub to endpoint connectivity, and endpoint to hub to endpoint connectivity.
  - 30. The process of claim 17 wherein multiple logical paths are created over at least one network path using virtualization techniques forming a network virtualization layer.
  - 31. The process of claim 30 wherein physical endpoints are capable of virtualization.
  - 32. The process of claim 31 wherein the virtualization technique is selected from the group of virtualization protocols consisting of MPLS, GRE, and 802.1q Tagging.
  - 33. The process of claim 18 wherein the at least one remote agent uses a protocol to securely transport and deliver configurations to endpoints.
  - 34. The process of claim 33 wherein the protocol is selected from the group of protocols consisting of, SSH, SNMP, SCP, SSL-based and TLS-based protocols.
  - 35. The process of claim 18 wherein the at least one remote agent uses a protocol to transport and deliver configurations to endpoints.
  - 36. The process of claim 35 wherein the protocol is selected from the group of protocols consisting of Telnet, TFTP, FTP and HTTP.

37. A system comprising a virtual private network (VPN) on the public Internet, for connecting a first plurality of hubs together using private networks that include high speed, low latency circuits, for routing data packets to network destinations,wherein at least two hubs of the first plurality of hubs are located on different continents,wherein at least one hub of the first plurality of hubs is located in an area that has wire-speed Internet service, andwherein said circuits use at least one WAN optimization technique.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 79, 80, 81, 82, 83, 84, 85)
- - 38. The system of claim 37 wherein the WAN optimization technique is selected from the group of WAN optimization techniques consisting of TFO, DRE, adaptive persistent session-based compression, protocol acceleration, content pre-positioning, and meta-caching.
  - 39. The system of claim 37 wherein said circuits comprise at least one active path between pairs of connected hubs.
  - 40. The system of claim 37 wherein at least one hub of said first plurality of hubs is connected by the Public Internet to a plurality of spokes and to a second plurality of hubs,wherein IP routing defines the routing of said data packets using an IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are first endpoints, and spoke to spoke connectivity occurs only within the same continent by Internet routing,wherein said second plurality of hubs are second endpoints on the same continent, and hub to hub connectivity occurs by IP routing, andwherein LAN IP subnets define all IP network destinations reachable on the internal side of said first and second endpoints.
  - 41. The system of claim 40 wherein a tunnel interface defines at least one interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint, andwherein at system registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint.
  - 42. The system of claim 41 wherein said second plurality of hubs includes at least one hub of said first plurality of hubs.
  - 43. The system of claim 41 wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint.
  - 44. The system of claim 43 wherein said first method is the Next Hop Resolution Protocol (NHRP).
  - 45. The system of claim 43 wherein a second method is used to build a network abstraction layer on top of the NBMA network.
  - 46. The system of claim 45 wherein said second method is selected from the group of methods consisting of Generic Routing Encapsulation (GRE), Multipoint Generic Routing Encapsulation (mGRE), Dynamic Multipoint VPN (DMVPN), MultiProtocol Label Switching (MPLS) and Overlay Transport Virtualization (OTV).
  - 47. The system of claim 40 wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way.
  - 48. The system of claim 47 wherein the manner comprises exchanging routing information.
  - 49. The system of claim 47 wherein the manner comprises the at least one hub functioning as a server and the endpoints connected to the at least one hub functioning as clients, whereby at least some of said endpoints communicate with each other without such communication passing through the at least one hub.
  - 50. The system of claim 41 wherein the at least one hub and the endpoints connected to said at least one hub are connected together in a network abstraction layer, each said connected endpoint having IP routing information comprising IP routes to the public IP addresses of the other said connected endpoints.
  - 51. The system of claim 50 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 52. The system of claim 51 wherein the at least one remote agent is operated manually.
  - 53. The system of claims 51 wherein the at least one remote agent comprises an automation daemon.
  - 54. The system of claim 51 wherein the IP routes of said endpoints are stored in a database for use by the at least one remote agent for generating the changes in the endpoint routing table.
  - 55. The system of claim 51 wherein encryption techniques are used to ensure the protection of data exchanged between endpoints.
  - 56. The system of claim 55 wherein the protection is selected from the group of protections consisting of privacy, authentication, integrity, and non-repudiation of an endpoint.
  - 57. The system of claim 51 wherein a virtual tunnel using a set of encryption keys is used between each pair of endpoints.
  - 58. The system of claim 57 wherein a synchronizing protocol is used for distributing the same set of encryption keys to all said endpoints participating in said VPN.
  - 59. The system of claim 58 wherein said same set of encryption keys is used for resolving management issues among the participating endpoints.
  - 60. The system of claim 58 wherein said same set of encryption keys is used for preventing an endpoint from being overwhelmed by delays.
  - 61. The system of claim 58 wherein the synchronizing protocol is GDOI.
  - 62. The system of claim 50 wherein said connectivity is selected from the group of connectivities consisting of endpoint to endpoint connectivity, hub to endpoint connectivity, and endpoint to hub to endpoint connectivity.
  - 63. The system of claim 50 wherein multiple logical paths can be created over at least one physical path using virtualization techniques forming a network virtualization layer.
  - 64. The system of claim 63 wherein physical endpoints are capable of virtualization.
  - 65. The system of claim 64 wherein the virtualization technique is selected from the group of virtualization protocols consisting of MPLS, GRE, 802.1q Tagging.
  - 66. The system of claim 51 wherein the at least one remote agent uses a protocol to securely transport and deliver configurations to endpoints.
  - 67. The system of claim 66 wherein the protocol is selected from the group of protocols consisting of, SSH, SNMP, SCP, SSL-based and TLS-based protocols.
  - 68. The system of claim 51 wherein the at least one remote agent use a protocol to transport and deliver configurations to endpoints.
  - 69. The system of claim 68 wherein the protocol is selected from the group of protocols consisting of Telnet, TFTP, FTP, and HTTP.
  - 70. In the system of claim 37, at least of said hubs operating to route said data packets.
  - 71. In the system of claim 40, at least one of said hubs operating to route said data packets.
  - 72. In the system of claim 41 wherein at least one of said endpoints operating to route said data packets.
  - 73. In the system of claim 51, at least one remote agent operating to remotely configure the endpoint routing table of the IP routes from an endpoint to all other endpoints.
  - 79. The system of claim 37 wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint.
  - 80. The system of claim 79 wherein the first method is the Next Hop Resolution Protocol (NHRP).
  - 81. The system of claim 79 wherein a second method is used to build a network abstraction layer on top of the NBMA network.
  - 82. The system of claim 37 wherein the at least one hub and the endpoints connected to said at least one hub are connected together in a network abstraction layer, each said connected endpoint having IP routing information comprising IP routes to the public IP addresses of the other said connected endpoints.
  - 83. The system of claim 82 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 84. The system of claim 40 wherein the at least one hub and the endpoints connected to said at least one hub are connected together in a network abstraction layer, each said connected endpoint having IP routing information comprising IP routes to the public IP addresses of the other said connected endpoints.
  - 85. The system of claim 84 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.

74. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform the process of connecting a first plurality of hubs together using private networks for routing data packets to network destinations.
- View Dependent Claims (75, 76, 77, 78)
- - 75. The one or more processor readable storage devices of claim 74 wherein at least one hub of said first plurality of hubs is connected by the Public Internet to a plurality of spokes and to a second plurality of hubs,wherein IP routing defines the routing of said data packets using an IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are first endpoints, and spoke to spoke connectivity occurs only within the same continent by Internet routing, andwherein said second plurality of hubs are second endpoints on the same continent, and hub to hub connectivity occurs by IP routing.
  - 76. The one or more processor readable storage devices of claim 75 wherein LAN IP subnets define all IP network destinations reachable on the internal side of said first and second endpoints,wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint, andwherein at the registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint.
  - 77. The one or more processor readable storage devices of claim 75 wherein the at least one hub and the endpoints connected to said at least one hub are connected together in a network abstraction layer, each said connected endpoint having IP routing information comprising IP routes to the public IP addresses of the other said connected endpoints, and the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 78. The one or more processor readable storage devices of claim 76 wherein the at least one hub and the endpoints connected to said at least one hub are connected together in a network abstraction layer, each said connected endpoint having IP routing information comprising IP routes to the public IP addresses of the other said connected endpoints, and the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.

86. In a virtual private network (VPN) on the public Internet, the process of connecting a first plurality of hubs together using private networks for routing data packets to network destinations,wherein at least two hubs of the first plurality of hubs are located on different continents,wherein at least one hub of said first plurality of hubs is connected by the Public Internet to a plurality of spokes and to a second plurality of hubs using virtualized connections, said virtualized connections being network paths carrying distinct network traffic over separate logical links,wherein IP routing defines the routing of said data packets using an IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are first endpoints, and spoke to spoke connectivity occurs only within the same continent by Internet routing,wherein said second plurality of hubs are second endpoints on the same continent, and hub to hub connectivity occurs by IP routing,wherein LAN IP subnets define all IP network destinations reachable on the internal side of said first and second endpoints,wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint,wherein at the registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint,wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint,wherein a second method is used to build a network abstraction layer on top of the NBMA network,wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way,wherein the at least one hub and the endpoints connected to said at least one hub are connected together in a network abstraction layer, each said connected endpoint having IP routing information comprising IP routes to the public IP addresses of the other said connected endpoints, andwherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.

87. A system comprising a virtual private network (VPN) on the public Internet, for connecting a first plurality of hubs together using private networks for routing data packets to network destinations,wherein at least two hubs of the first plurality of hubs are located on different continents,wherein at least one hub of said first plurality of hubs is connected by the Public Internet to a plurality of spokes and to a second plurality of hubs using virtualized connections, said virtualized connections being network paths carrying distinct network traffic over separate logical links,wherein IP routing defines the routing of said data packets using an IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are first endpoints, and spoke to spoke connectivity occurs only within the same continent by Internet routing,wherein said second plurality of hubs are second endpoints on the same continent, and hub to hub connectivity occurs by IP routing,wherein LAN IP subnets define all IP network destinations reachable on the internal side of said first and second endpoints,wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint,wherein at the registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint,wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint,wherein a second method is used to build a network abstraction layer on top of the NBMA network,wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way,wherein the at least one hub and the endpoints connected to said at least one hub are connected together in a network abstraction layer, each said connected endpoint having IP routing information comprising IP routes to the public IP addresses of the other said connected endpoints, andwherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
- View Dependent Claims (88, 89, 90)
- - 88. In the system of claim 87, at least of said hubs operating to route said data packets.
  - 89. In the system of claim 87 at least one of said endpoints operating to route said data packets.
  - 90. In the system of claim 87, at least one remote agent operating to remotely configure the endpoint routing table of the IP routes from an endpoint to all other endpoints.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Glue Networks, Inc.
Original Assignee
Glue Networks, Inc.
Inventors
Huynh Van, Olivier, Gray, Jeffrey G.

Application Number

US12/471,179
Publication Number

US 20090304003A1
Time in Patent Office

Days
Field of Search
US Class Current

370/395.310
CPC Class Codes

H04L 12/4633 Interconnection of networks...

H04L 12/4641 Virtual LANs, VLANs, e.g. v...

Global Virtual VPN

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

90 Claims

Specification

Solutions

Use Cases

Quick Links

Global Virtual VPN

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

90 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links