ROUTING DEVICE HAVING INTEGRATED MPLS-AWARE FIREWALL

US 20130074177A1
Filed: 11/05/2012
Published: 03/21/2013
Est. Priority Date: 08/14/2008
Status: Active Grant

First Claim

Patent Images

1. A network router comprising:

a plurality of interfaces configured to send and receive packets for virtual private networks (VPNs) associated with one or more customer networks;

a firewall integrated within the network router, the firewall configured to apply stateful firewall services to the packets; and

a control unit that executes a routing protocol to maintain routing information specifying routes through a network, wherein the control unit executes at least one multi-protocol label switched (MPLS) protocol to establish a plurality of MPLS label switched paths (LSPs) through the service provider network to carry the packets for the customer VPNs;

wherein the control unit of the routing engine executes a network services protocol that programs the firewall with mapping information that specifies one or more MPLS labels for each of the MPLS LSPs and that maps the MPLS labels to the customer VPNs,wherein the firewall applies policies to the packets received from the service provider network having MPLS labels that match the MPLS labels specified within the mapping information programmed into the firewall by the network services protocol of the routing engine.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer'"'"'s traffic.

77 Citations

View as Search Results

25 Claims

1. A network router comprising:
- a plurality of interfaces configured to send and receive packets for virtual private networks (VPNs) associated with one or more customer networks;
  
  a firewall integrated within the network router, the firewall configured to apply stateful firewall services to the packets; and
  
  a control unit that executes a routing protocol to maintain routing information specifying routes through a network, wherein the control unit executes at least one multi-protocol label switched (MPLS) protocol to establish a plurality of MPLS label switched paths (LSPs) through the service provider network to carry the packets for the customer VPNs;
  
  wherein the control unit of the routing engine executes a network services protocol that programs the firewall with mapping information that specifies one or more MPLS labels for each of the MPLS LSPs and that maps the MPLS labels to the customer VPNs,wherein the firewall applies policies to the packets received from the service provider network having MPLS labels that match the MPLS labels specified within the mapping information programmed into the firewall by the network services protocol of the routing engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The network router of claim 1, further comprising a forwarding engine configured by the routing engine to select next hops for the packets in accordance with the routing information, the forwarding engine comprising a switch fabric to forward the packets to the interfaces based on the selected next hops,wherein the forwarding engine includes a flow control module that, upon receiving packets from the network, directs one or more of the packets to the firewall for application of the stateful firewall services;
    - and
  - 3. The network router of claim 1, further comprising a user interface by which a user specifies one or more zones for application of the stateful firewall services to the packets by the firewall, each of the zones defined by a list of one or more of the interfaces, wherein the user interface supports a syntax that allows the user to define the zones by specifying the customer VPNs within lists of interfaces associated with the zones, and wherein the user interface allows the user to specify one or more policies for the firewall with respect to the zones.
  - 4. The network router of claim 3, wherein the firewall stores configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces associated with one or more of the customer VPNs.
  - 5. The network router of claim 3, where the lists of interfaces are lists of logical interfaces, and wherein at least two or more or of the MPLS LSPs for the customer VPNs flow through a single physical interface of the router.
  - 6. The network router of claim 1, wherein the user interface is a text-based interface that supports a command syntax that allows the user to specify the zones.
  - 7. The network router of claim 1, wherein the user interface is a user interface output by the router to be presented remotely by a web browsers or management station.
  - 8. The network router of claim 1, wherein for the MPLS LSPs for which the network router operates as an egress label switched router, the mapping information between the routing engine and the firewall associates inner MPLS labels affixed to packets received from the LSPs by the interface cards with respective ones of the customer VPNs.
  - 9. The network router of claim 1,wherein for the MPLS LSPs for which the network router operates as an ingress label switched router, the mapping information communicated between the routing engine and the firewall associates pairs of MPLS labels and a forwarding next hop with respective ones of the customer VPNs,wherein the network router affixes the MPLS labels to the packets when outputting the packets to the network.
  - 10. The network router of claim 1,wherein the firewall determines an input zone and an output zone for each of the packets based on zones defined by the user,wherein the firewall applies one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet.
  - 11. The network router of claim 1,wherein, based on the routing information, the routing engine programs the forwarding engine with forwarding information that associates network destinations and MPLS labels with specific next hops and corresponding interface ports of interface cards of the router,wherein the routing engine programs the firewall with at least a portion of the forwarding information, andwherein, for each packet received from the forwarding engine, the firewall performs a route lookup for the packet using the portion of the forwarding information to determine an output zone for the packet.
  - 12. The network router of claim 1, wherein the stateful firewall services include multiple services including, intrusion deep packet inspection, virus scanning of application-layer data carried by the packets, layer seven security services.
  - 13. The network router of claim 1, wherein the network router comprises one of a provider edge router, a Broadband Remote Access Server (BRAS), a Broadband Network Gateway (BNG), Cable Modem Termination System (CMTS), a Multi-Service Edge router (MSE), a Gateway GPRS (General Packet Radio Services) Support Node (GGSN), a Packet Data Serving Node (PDSN), or a Public Data Network Gateway (PDN-GW), a data center device that provides routing and security functions for packets flowing in or out of a data center, a peering router that serves as a point of interconnection between network service providers, or an autonomous system border router (ASBR).
  - 14. The network router of claim 1,wherein the MPLS protocol executing within the routing engine receives the MPLS labels from one or more peer routers, andwherein the network services protocol generates the mapping information to maps the MPLS labels learned from the peer routers via the MPLS protocol to the customer VPNs specified by the user via the user interface.

15. A method comprising:
- executing, with a routing engine of a router, at least one multi-protocol label switched (MPLS) protocol to establish MPLS label switched paths (LSPs) through the service provider network to carry packets for one or more customer virtual private networks (VPNs) for one or more customer networks;
  
  communicating mapping information from the routing engine to a firewall integrated within the router, wherein the mapping information associates one or more MPLS labels for the MPLS LSPs with the customer VPNs; and
  
  applying stateful firewall services to the packets with the firewall of the network router based on the zones specified by the user and the mapping information received from the routing engine,wherein applying stateful firewall services comprises applying the policies to the packets received from the service provider network having MPLS labels that match the MPLS labels specified within the mapping information and to packets received from the customer networks that are destined to be forwarded by the router as MPLS packets.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, further comprising presenting, with the router, a user interface by which a user specifies one or more zones for application of the stateful firewall services by the firewall,wherein the user interface supports a syntax that allows the user to define the zones by specifying the customer VPNs as interfaces associated with the zones, andwherein the user interface allows the user to specify one or more policies for the firewall with respect to the zones.
  - 17. The method of claim 16, further comprising storing within the router configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more of the customer VPNs.
  - 18. The method of claim 16,wherein the user interface allows the user to specify one or more policies for the firewall,wherein the firewall applies the policies to the packets received from the service provider network having MPLS labels that match the MPLS labels specified within the mapping information communicated to the firewall by the routing engine, andwherein the firewall applies the policies to packets received from the customer networks and that are destined to be forwarded by the routing device as MPLS packets.
  - 19. The method of claim 16, further comprising:
    - storing, within the router, configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more customer VPNs;
      
      determining, for each of the received packets, whether the received packet is an MPLS packet;
      
      when the received packet is an MPLS packet, accessing the mapping information to map an inner MPLS label of received packet to one of the identifiers for customer VPNs to determine an input zone for the received packet;
      
      determining an output zone for the packet; and
      
      applying one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet.
  - 20. The method of claim 16, further comprisingstoring, within the router, configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more of the customer VPNs;
    - determining, for each of the received packets, an input zone for the received packet;
      
      performing a route lookup with the firewall to determine whether the received packet is to be output on an MPLS LSP by the forwarding engine;
      
      when the received packet is to be output on the VPN tunnel;
      
      (1) determining from the route lookup a next hop for the packet and an MPLS label that the forwarding engine will affix to the packet when forwarding the packet; and
      
      (2) accessing the mapping information to map the next hop and the MPLS label to be affixed to the packet to one of the customer VPNs to determine an output zone for the received packet when the packet is subsequently forwarded by the forwarding engine; and
      
      applying one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet.
  - 21. The method of claim 15, further comprising directing, with a flow control module of a forwarding engine of the router, one or more of the received packets to the firewall for application of stateful firewall services;
  - 22. The method of claim 15, further comprising:
    - after applying stateful firewall services, forwarding at least some of the packets from the firewall to the forwarding engine;
      
      selecting, for the packets from the firewall, next hops within the network with the forwarding engine; and
      
      forwarding the packets to the interfaces in accordance with the selected next hops.
  - 23. The method of claim 15, wherein at least two or more or of the MPLS LSPs for the customer VPNs flow through a single physical interface of the router.
  - 24. The method of claim 15, wherein for the MPLS LSPs for which the network router operates as an egress label switched router, the mapping information associates inner MPLS labels affixed to packets received from the LSPs by the interface cards with respective ones of the customer VPNs.
  - 25. The method of claim 15, wherein for MPLS LSPs for which the network router operates as an ingress label switched router, the mapping information associates pairs of a MPLS labels and a forwarding next hop with respective identifiers for the customer VPNs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Varadhan, Kannan, Gomes, Joao Campelo F.N.

Granted Patent

US 8,955,100 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/50   using label swapping, e.g. ...

H04L 45/60   Router architectures

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

ROUTING DEVICE HAVING INTEGRATED MPLS-AWARE FIREWALL

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

ROUTING DEVICE HAVING INTEGRATED MPLS-AWARE FIREWALL

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others