Layer two encryption for data center interconnectivity

US 20100153701A1
Filed: 12/17/2008
Published: 06/17/2010
Est. Priority Date: 12/17/2008
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a receive logic to receive an unencrypted layer two (L2) switched frame, where the unencrypted L2 switched frame includes a payload and an L2 header;

an encryption logic to selectively encrypt the unencrypted L2 switched frame into an encrypted frame upon determining that the unencrypted L2 switched frame is to be sent through an L2 virtual private network (L2VPN) requiring encryption; and

a delivery logic;

to add a service tag and a tunnel header to the encrypted frame, where the service tag includes data to identify a decryption function to decrypt the encrypted frame, where the tunnel header includes routing information, and where at least one of the service tag and the tunnel header are configured based, at least in part, on the encrypting performed by the encryption logic; and

to provide the encrypted frame to the L2VPN, where the providing includes selectively sending the encrypted frame as one of, a point to point packet, and a multipoint packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and other embodiments associated with layer two (L2) encryption for data center interconnectivity are described. One example system includes a receive logic to receive an unencrypted L2 switched frame (UL2SF). The UL2SF may include a payload and an L2 header. The example system may also include an encryption logic to selectively encrypt the UL2SF into an encrypted frame if the UL2SF is to be sent through an L2 virtual private network (L2VPN) requiring encryption. The example system may also include a delivery logic that adds a header to the encrypted frame. The header may include data to identify a decryption function to decrypt the encrypted frame and routing information for the encrypted frame. The delivery logic may also provide the encrypted frame to the L2VPN, where the providing includes selectively sending the encrypted frame as one of, a point to point packet, and a multipoint packet.

183 Citations

23 Claims

1. An apparatus, comprising:
- a receive logic to receive an unencrypted layer two (L2) switched frame, where the unencrypted L2 switched frame includes a payload and an L2 header;
  
  an encryption logic to selectively encrypt the unencrypted L2 switched frame into an encrypted frame upon determining that the unencrypted L2 switched frame is to be sent through an L2 virtual private network (L2VPN) requiring encryption; and
  
  a delivery logic;
  
  to add a service tag and a tunnel header to the encrypted frame, where the service tag includes data to identify a decryption function to decrypt the encrypted frame, where the tunnel header includes routing information, and where at least one of the service tag and the tunnel header are configured based, at least in part, on the encrypting performed by the encryption logic; and
  
  to provide the encrypted frame to the L2VPN, where the providing includes selectively sending the encrypted frame as one of, a point to point packet, and a multipoint packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, where the unencrypted L2 switched frame is an Ethernet frame.
  - 3. The apparatus of claim 1, where unencrypted L2 switched frame is an L2VPN frame.
  - 4. The apparatus of claim 1, where the encryption logic analyzes a header on the unencrypted L2 switched frame to determine if the unencrypted L2 switched frame is to be sent through an L2VPN requiring encryption.
  - 5. The apparatus of claim 1, where the apparatus is a network switch.
  - 6. The apparatus of claim 1, where the apparatus is embodied on a wide area network (WAN) card.
  - 7. The apparatus of claim 1, where the apparatus is embodied on a network switch.
  - 8. The apparatus of claim 1, where the service tag includes a virtual private network identification code.
  - 9. The apparatus of claim 1, where the format of the tunnel header complies with an Internet protocol.
  - 10. The apparatus of claim 1, where the format of the tunnel header complies with a generic routing encapsulation protocol.
  - 11. The apparatus of claim 1, where the tunnel header includes a quality of service (QoS) parameter that indicates a priority of the Internet service required by the encrypted L2 switched frame.
  - 12. The apparatus of claim 1, where the service tag includes a QoS parameter that indicates a priority of the Internet service required by the encrypted L2 switched frame.
  - 13. The apparatus of claim 1, where the tunnel header includes a protocol type, a sequence number, a key, a checksum, and an offset.

14. A logic encoded in one or more tangible media for execution and when executed operable to perform a method, the method comprising:
- receiving a layer two switched frame (L2SF) into a network switch;
  
  selectively encrypting and encapsulating the L2SF to create an encrypted and encapsulated L2SF (EEL2SF), where the L2SF is selected for encrypting based, at least in part, on whether the L2SF is to be sent through a layer two virtual private network (L2VPN), where encrypting includes encrypting a payload and a layer two (L2) header, and where adding a header tag to the encrypted L2SF creates an EEL2SF;
  
  providing the EEL2SF to the L2VPN; and
  
  selectively processing the L2SF to create a de-capsulated L2SF, where the L2SF is selected for de-capsulation based, at least in part, on information stored in a header tag of the L2SF, where de-capsulating the L2SF includes one or more of, removing the header tag from the L2SF, decrypting the L2SF into an unencrypted L2SF, and providing the de-capsulated L2SF to an L2 network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The logic of claim 14, where decrypting the L2SF is based, at least in part, on information stored in the header tag of the L2SF.
  - 16. The logic of claim 14, where the encrypted L2SF is provided to the L2VPN as a multipoint packet.
  - 17. The logic of claim 16, where providing the multicast packet to the L2VPN includes providing the multicast packet without replicating the multicast packet.
  - 18. The logic of claim 14, where encrypting the L2SF and adding the header tag to the encrypted L2SF facilitates communicating the encrypted L2SF on an L2 network as a multipoint packet.
  - 19. The logic of claim 14, where adding the header tag to the encrypted L2SF includes one or more of, adding a header tag that complies with a generic routing encapsulation (GRE) protocol, and adding information associated with routing, encryption, protocol type, and error checking.
  - 20. The logic of claim 14, where encrypting the L2SF and adding the header tag to the encrypted L2SF are performed by a programmable intelligent services accelerator (PISA).
  - 21. The logic of claim 14, where decrypting the L2SF is performed by a decryption logic identified by information in the header of the L2SF.
  - 22. The logic of claim 14, where selecting for encrypting based on whether the L2SF is to be sent through an L2VPN is determined by analyzing the L2 header for a destination of the L2SF to determine whether the L2SF travels outside of a network that is controlled by the owner of the network.

23. A system, comprising:
- means for receiving a layer two switched frame (L2SF) that includes a payload and a layer two header, where the L2SF may be one of, an encrypted and encapsulated L2SF (EEL2SF), and an unencrypted L2SF (UL2SF);
  
  means for selectively encrypting and encapsulating an UL2SF into an EEL2SF, where the UL2SF is selected for encrypting based, at least in part, on whether the UL2SF is to be sent through a layer two virtual private network (L2VPN), including means for adding a service tag and a tunnel header to the UL2SF, where the service tag includes data to identify a decryption function to decrypt the EEL2SF, and where the tunnel header includes routing information; and
  
  means for selectively processing an EEL2SF to create a de-capsulated L2SF (DL2SF), where the EEL2SF is selected for de-capsulation based, at least in part, on information stored in the service tag of the EEL2SF, where de-capsulating the EEL2SF includes one or more of, removing the service tag and the tunnel header from the EEL2SF, decrypting the EEL2SF into an UL2SF, and providing the DL2SF to a layer two network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Jabr, Khalil, Shenoy, Sudhakar, Manohar, Madhusudanan, Hebbani, Sandeep, Kandaswamy, Sridar

Granted Patent

US 8,271,775 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4666   Operational details on the ...

H04L 63/0428   wherein the data content is...

H04L 63/162   at the data link layer

Layer two encryption for data center interconnectivity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

183 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Layer two encryption for data center interconnectivity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

183 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links