Regional Virtual VPN

US 20090304004A1
Filed: 05/22/2009
Published: 12/10/2009
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. In a virtual private network (VPN) on the public Internet, the process of providing at least one hub connected by the Public Internet to a plurality of spokes and to a plurality of other hubs, for routing data packets to network destinations,wherein IP routing defines data packet routing to the network destinations using IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are endpoints, each endpoint having an Internet IP address, and spoke to spoke connectivity occurs only within the same continent by Internet routing,wherein said plurality of hubs are endpoints, each endpoint having an Internet IP address, and hub to hub connectivity occurs only within the same continent, by IP routing,wherein LAN IP subnets define all IP network destinations on the internal side of an endpoint.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and article of manufacture for building next generation improved regional virtual private networks over the Internet. The method comprises of building two layers on top of the public infrastructure (001): a network abstraction layer (NAL) (002) and a network virtualization layer (NVL) (003): the NVL (003) is built on top of the NAL (002). The NVL (003) consists in Group Domain of Interpretation (GDOI) domain deployments on virtualized hardware aggregators over a NAL (002). The latter consists in point-to-multipoint Generic Routing Encapsulation (GRE) networks over the Internet (001). Both the NVL (003) and NAL (002) can be deployed using advanced unattended provisioning methodology.

Citations

82 Claims

1. In a virtual private network (VPN) on the public Internet, the process of providing at least one hub connected by the Public Internet to a plurality of spokes and to a plurality of other hubs, for routing data packets to network destinations,wherein IP routing defines data packet routing to the network destinations using IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are endpoints, each endpoint having an Internet IP address, and spoke to spoke connectivity occurs only within the same continent by Internet routing,wherein said plurality of hubs are endpoints, each endpoint having an Internet IP address, and hub to hub connectivity occurs only within the same continent, by IP routing,wherein LAN IP subnets define all IP network destinations on the internal side of an endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The process of claim 1 wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint, andwherein at the registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint.
  - 3. The process of claim 2 wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint.
  - 4. The process of claim 3 wherein said first method is the Next Hop Resolution Protocol (NHRP).
  - 5. The process of claim 3 wherein a second method is used to build a network abstraction layer on top of the NBMA network.
  - 6. The process of claim 5 wherein said second method is selected from the group of methods consisting of Generic Routing Encapsulation (GRE), Multipoint Generic Routing Encapsulation (mGRE), Dynamic Multipoint VPN (DMVPN), MultiProtocol Label Switching (MPLS) and Overlay Transport Virtualization (OTV).
  - 7. The process of claim 3 wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way.
  - 8. The process of claim 7 wherein the manner comprises exchanging routing information.
  - 9. The process of claim 7 wherein the manner comprises the at least one hub functioning as a server and the endpoints functioning as clients, whereby at least some of said endpoints communicate with each other without such communication passing through the at least one hub.
  - 10. The process of claim 3 wherein the at least one hub and said endpoints that are connected to said at least one hub are connected together in a network abstraction layer, each endpoint having IP routing information comprising IP routes to the public IP addresses of the other endpoints.
  - 11. The process of claim 10 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 12. The process of claim 11 wherein the at least one remote agent is operated manually.
  - 13. The process of claims 11 wherein the at least one remote agent comprises an automation daemon.
  - 14. The process of claim 11 wherein the IP routes of said endpoints are stored in a database for use by the remote agents for generating the changes in the endpoint routing table.
  - 15. The process of claim 14 wherein encryption techniques are used to ensure the protection of data exchanged between endpoints.
  - 16. The process of claim 15 wherein the protection is selected from the group of protections consisting of privacy, authentication, integrity, and non-repudiation of an endpoint.
  - 17. The process of claim 15 wherein a virtual tunnel using a set of encryption keys is used between each pair of endpoints.
  - 18. The process of claim 17 wherein a synchronizing protocol is used for distributing the same set of encryption keys to all endpoints participating in said VPN.
  - 19. The process of claim 17 wherein said same set of encryption keys is used for resolving management issues among the participating endpoints.
  - 20. The process of claim 17 wherein said same set of encryption keys is used for preventing an endpoint from being overwhelmed by delays.
  - 21. The process of claim 18 wherein the synchronizing protocol is GODI.
  - 22. The process of claim 10 wherein said connectivity is selected from the group of connectivities consisting of endpoint to endpoint connectivity, hub to endpoint connectivity, and endpoint to hub to endpoint connectivity.
  - 23. The process of claim 10 wherein multiple logical paths can be created over at least one physical path using virtualization techniques forming a network virtualization layer.
  - 24. The process of claim 23 wherein physical endpoints are capable of virtualization.
  - 25. The process of claim 24 wherein the virtualization technique is selected from the group of virtualization protocols consisting of MPLS, GRE, and 802.1q Tagging.
  - 26. The process of claim 11 wherein remote agents use a protocol to securely transport and deliver configurations to endpoints.
  - 27. The process of claim 26 wherein the protocol is selected from the group of protocols consisting of, SSH, SNMP, SCP, SSL-based and TLS-based protocols.
  - 28. The process of claim 11 wherein remote agents use a protocol to transport and deliver configurations to endpoints.
  - 29. The process of claim 28 wherein the protocol is selected from the group of protocols consisting of Telnet, TFTP, FTP and HTTP.

30. A system comprising a virtual private network (VPN) on the public Internet, for providing at least one hub connected by the Public Internet to a plurality of spokes and to a plurality of other hubs, for routing data packets to network destinations,wherein IP routing defines data packet routing to the network destinations using IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are endpoints, each endpoint having an Internet IP address and a target IP address, and spoke to spoke connectivity occurs only within the same continent by Internet routing, andwherein said plurality of hubs are endpoints, each endpoint having an Internet IP address and a target IP address, and hub to hub connectivity occurs only within the same continent, by IP routing.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 31. The system of claim 30:
    - wherein LAN IP subnets define all IP network destinations on the internal side of an endpoint,wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint, andwherein at the registration system the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint.
  - 32. The system of claim 31 wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint.
  - 33. The system of claim 32 wherein said first method is the Next Hop Resolution Protocol (NHRP).
  - 34. The system of claim 32 wherein a second method is used to build a network abstraction layer on top of the NBMA network.
  - 35. The system of claim 34 wherein said second method is selected from the group of methods consisting of Generic Routing Encapsulation (GRE), Multipoint Generic Routing Encapsulation (mGRE), Dynamic Multipoint VPN (DMVPN), MultiProtocol Label Switching (MPLS) and Overlay Transport Virtualization (OTV).
  - 36. The system of claim 32 wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way.
  - 37. The system of claim 36 wherein the manner comprises exchanging routing information.
  - 38. The system of claim 36 wherein the manner comprises the at least one hub functioning as a server and the endpoints functioning as clients, whereby at least some of said endpoints communicate with each other without such communication passing through the at least one hub.
  - 39. The system of claim 32 wherein the at least one hub and said endpoints that are connected to said at least one hub are connected together in a network abstraction layer, each endpoint having IP routing information comprising IP routes to the public IP addresses of the other endpoints.
  - 40. The system of claim 39 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 41. The system of claim 40 wherein the at least one remote agent is operated manually.
  - 42. The system of claims 40 wherein the at least one remote agent comprises an automation daemon.
  - 43. The system of claim 40 wherein the IP routes of said endpoints are stored in a database for use by the remote agents for generating the changes in the endpoint routing table.
  - 44. The system of claim 43 wherein encryption techniques are used to ensure the protection of data exchanged between endpoints.
  - 45. The system of claim 44 wherein the protection is selected from the group of protections consisting of privacy, authentication, integrity, and non-repudiation of an endpoint.
  - 46. The system of claim 44 wherein a virtual tunnel using a set of encryption keys is used between each pair of endpoints.
  - 47. The system of claim 45 wherein a synchronizing protocol is used for distributing the same set of encryption keys to all endpoints participating in said VPN.
  - 48. The system of claim 46 wherein said same set of encryption keys is used for resolving management issues among the participating endpoints.
  - 49. The system of claim 46 wherein said same set of encryption keys is used for preventing an endpoint from being overwhelmed by delays.
  - 50. The system of claim 47 wherein the synchronizing protocol is GODI.
  - 51. The system of claim 39 wherein said connectivity is selected from the group of connectivities consisting of endpoint to endpoint connectivity, hub to endpoint connectivity, and endpoint to hub to endpoint connectivity.
  - 52. The system of claim 39 wherein multiple logical paths can be created over at least one physical path using virtualization techniques forming a network virtualization layer.
  - 53. The system of claim 52 wherein physical endpoints are capable of virtualization.
  - 54. The system of claim 53 wherein the virtualization technique is selected from the group of virtualization protocols consisting of MPLS, GRE, and 802.1q Tagging.
  - 55. The system of claim 40 wherein the at least one remote agent uses a protocol to securely transport and deliver configurations to endpoints.
  - 56. The system of claim 50 wherein the protocol is selected from the group of protocols consisting of, SSH, SNMP, SCP, SSL-based and TLS-based protocols.
  - 57. The system of claim 40 wherein remote agents use a protocol to transport and deliver configurations to endpoints.
  - 58. The system of claim 57 wherein the protocol is selected from the group of protocols consisting of Telnet, TFTP, FTP and HTTP.
  - 59. The system of claim 30 wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint.
  - 60. The system of claim 59 wherein the first method is the Next Hop Resolution Protocol (NHRP).
  - 61. The system of claim 59 wherein a second method is used to build a network abstraction layer on top of the NBMA network.
  - 62. In the system of claim 30 an endpoint routing data packets to another endpoint.
  - 63. In the system of claim 31 an endpoint routing data packets to another endpoint.
  - 64. In the system of claim 30, wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint,an endpoint routing data packets to another endpoint.
  - 65. In the system of claim 31, wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint,an endpoint routing data packets to another endpoint.

66. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform the process of providing at least one hub connected by the Public Internet to a plurality of spokes and to a plurality of other hubs, for routing data packets to network destinations,wherein IP routing defines data packet routing to the network destinations using IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are endpoints, each endpoint having an Internet IP address, and spoke to spoke connectivity occurs only within the same continent by Internet routing, andwherein said plurality of hubs are endpoints, each endpoint having an Internet IP address, and hub to hub connectivity occurs only within the same continent, by IP routing, and wherein LAN IP subnets define all IP network destinations on the internal side of an endpoint.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77)
- - 67. The one or more processor readable storage devices of claim 66 wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint, andwherein at the registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint.
  - 68. The one or more processor readable storage devices of claim 66 wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint.
  - 69. The one more processor readable storage devices of claim 68 wherein a second method is used to build a network abstraction layer on top of the NBMA network.
  - 70. The one or more processor readable storage devices of claim 67 wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint.
  - 71. The one more processor readable storage devices of claim 70 wherein a second method is used to build a network abstraction layer on top of the NBMA network.
  - 72. The one or more processor readable storage devices of claim 66 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 73. The one or more processor readable storage devices of claim 67 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 74. The one or more processor readable storage devices of claim 68 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 75. The one or more processor readable storage devices of claim 69 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 76. The one or more processor readable storage devices of claim 70 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
  - 77. The one or more processor readable storage devices of claim 71 wherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.

78. In a virtual private network (VPN) on the public Internet, the process of providing at least one hub connected by the Public Internet to a plurality of spokes and to a plurality of other hubs, for routing data packets to network destinations,wherein IP routing defines data packet routing to the network destinations using IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are endpoints, each endpoint having an Internet IP address, and spoke to spoke connectivity occurs only within the same continent by Internet routing,wherein said plurality of hubs are endpoints, each endpoint having an Internet IP address, and hub to hub connectivity occurs only within the same continent, by IP routing,wherein LAN IP subnets define all IP network destinations on the internal side of an endpoint,wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint,wherein at the registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint,wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint,wherein a second method is used to build a network abstraction layer on top of the NBMA network,wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way,wherein the at least one hub and said endpoints that are connected to said at least one hub are connected together in a network abstraction layer, each endpoint having IP routing information comprising IP routes to the public IP addresses of the other endpoints, andwherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.

79. A system comprising a virtual private network (VPN) on the public Internet, for providing at least one hub connected by the Public Internet to a plurality of spokes and to a plurality of other hubs, for routing data packets to network destinations,wherein IP routing defines data packet routing to the network destinations using IP protocol, said IP routing being stored in a routing table,wherein said plurality of spokes are endpoints, each endpoint having an Internet IP address, and spoke to spoke connectivity occurs only within the same continent by Internet routing,wherein said plurality of hubs are endpoints, each endpoint having an Internet IP address, and hub to hub connectivity occurs only within the same continent, by IP routing,wherein LAN IP subnets define all IP network destinations on the internal side of an endpoint,wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with at least one other endpoint,wherein tunnel IP addresses define all the IP addresses of the tunnel interfaces of an endpoint,wherein the translation of the tunnel IP addresses and all LAN IP subnets of the endpoint Internet IP address occurs for each endpoint,wherein at the registration process the IP addressing scheme of each endpoint is recorded, said IP addressing scheme including the public IP addresses and the tunnel IP addresses of each endpoint and all LAN IP subnets of each endpoint,wherein a first method is used that allows an endpoint connected to a non-broadcast multi-access (NBMA) network to discover the internetworking layer addresses and subnetwork addresses of the NBMA next hop towards a destination endpoint,wherein a second method is used to build a network abstraction layer on top of the NBMA network,wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way,wherein the at least one hub and said endpoints that are connected to said at least one hub are connected together in a network abstraction layer, each endpoint having IP routing information comprising IP routes to the public IP addresses of the other endpoints, andwherein the endpoint routing table of the IP routes from an endpoint to all other endpoints is remotely configured using at least one remote agent.
- View Dependent Claims (80, 81, 82)
- - 80. In the system of claim 79, at least of said hubs operating to route said data packets.
  - 81. In the system of claim 79 at least one of said endpoints operating to route said data packets.
  - 82. In the system of claim 79, at least one remote agent operating to remotely configure the endpoint routing table of the IP routes from an endpoint to all other endpoints.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gluware IP LLC
Original Assignee
Glue Networks, Inc.
Inventors
Huynh Van, Olivier, Gray, Jeffrey G.

Granted Patent

US 8,837,491 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/395.310
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/56   Packet switching systems

H04L 45/00   Routing or path finding of ...

H04L 45/17   Shortcut routing, e.g. usin...

H04L 45/64   using an overlay routing layer

H04L 9/30   Public key, i.e. encryption...

Regional Virtual VPN

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

82 Claims

Specification

Solutions

Use Cases

Quick Links

Regional Virtual VPN

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

82 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links