SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QOS DENIAL OF SERVICE ATTACKS

US 20130283379A1
Filed: 06/24/2013
Published: 10/24/2013
Est. Priority Date: 03/20/2001
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one first boundary router configured to provide a Virtual Private Network (VPN) that supports quality of service levels, and interfaces an access network via a Customer Premise Equipment (CPE) edge router and a physical access link; and

at least one second boundary router coupled to a public network;

wherein the access network connects to the at least one first boundary router, and wherein the at least first boundary router and the at least one second boundary router are connected by a separate logical connection to prevent denial of service attacks on the physical access link originating from sources outside the VPN.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach provides a communication network that supports one or more network-based Virtual Private Networks (VPNs) to resist Denial of Service (DoS) attacks. A first boundary router is configured to provide a Virtual Private Network (VPN) that supports quality of service levels, and interfaces an access network via a Customer Premise Equipment (CPE) edge router and a physical access link. A second boundary router is coupled to a public network. The access network connects to the first boundary router, and wherein the first boundary router and the second boundary router are connected by a separate logical connection to prevent denial of service attacks on the physical access link originating from sources outside the VPN.

77 Citations

View as Search Results

18 Claims

1. A system comprising:
- at least one first boundary router configured to provide a Virtual Private Network (VPN) that supports quality of service levels, and interfaces an access network via a Customer Premise Equipment (CPE) edge router and a physical access link; and
  
  at least one second boundary router coupled to a public network;
  
  wherein the access network connects to the at least one first boundary router, and wherein the at least first boundary router and the at least one second boundary router are connected by a separate logical connection to prevent denial of service attacks on the physical access link originating from sources outside the VPN.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein intra-VPN traffic destined for the VPN and extra-VPN traffic destined for the public network are both routed through the at least one first boundary router.
  - 3. The system of claim 1, wherein the at least one first boundary router comprises:
    - a plurality of physical ports for connection to a plurality of network core routers.
  - 4. The system of claim 3, wherein the VPN comprises a plurality of logical ports coupled to respective access networks.
  - 5. The system of claim 4, wherein the plurality of logical ports are coupled to the respective access networks by a forwarding function for incoming packets.
  - 6. The system of claim 4, wherein the plurality of logical ports are coupled to the respective access networks by a scheduler for outgoing packets.
  - 7. The system of claim 5, wherein the forwarding function forwards packets between the logical ports and the physical ports.

8. A method comprising:
- interfacing a virtual private network (VPN) to a respective access network via a Customer Premise Equipment (CPE) edge router and a physical access link;
  
  connecting each of the access networks only to at least one first boundary router within the VPN; and
  
  connecting the at least one first boundary router to at least one second boundary router within a public network by a logical connection separate from the physical access link, such that denial of service attacks on the physical access link originating from sources outside the VPN can be prevented.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. The method of claim 8, further comprising:
    - routing both intra-VPN traffic destined for the VPN and extra-VPN traffic destined for the public network through the at least one first boundary router.
  - 10. The method of claim 8, further comprising:
    - connecting a plurality of physical ports in the at least one first boundary router to a plurality of network core routers.
  - 11. The method of claim 10, further comprising:
    - coupling a plurality of logical ports in the VPN to respective access networks.
  - 12. The method of claim 11, further comprising:
    - coupling the plurality of logical ports to the respective access networks by a forwarding function for incoming packets.
  - 13. The method of claim 11, further comprising:
    - coupling the plurality of logical ports to the respective access networks by a scheduler for outgoing packets.
  - 14. The method of claim 12, further comprising:
    - forwarding, by the forwarding function, packets between the logical ports and the physical ports.
  - 15. The method of claim 8, further comprising:
    - serving each network customer site at the at least one first boundary router by a pair of VPN-enabled logical ports.
  - 16. The method of claim 15, wherein one of the pair of VPN-enabled logical ports corresponds to intra-VPN traffic and the other of the pair of VPN-enabled logical ports corresponds to extra-VPN traffic.
  - 17. The method of claim 11, wherein each of the physical ports of the at least one first boundary router that faces a network core is logically partitioned into a plurality of sub-interfaces.
  - 18. The method of claim 17, further comprising:
    - implementing the sub-interfaces as logical tunnels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
McDysan, David E.

Granted Patent

US 9,009,812 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/1458 Denial of Service

SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QOS DENIAL OF SERVICE ATTACKS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QOS DENIAL OF SERVICE ATTACKS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links