APPLICATION SERVICES BASED ON DYNAMIC SPLIT TUNNELING

US 20140344917A1
Filed: 05/16/2013
Published: 11/20/2014
Est. Priority Date: 05/16/2013
Status: Active Grant

First Claim

Patent Images

1. Logic encoded in a tangible, non-transitory computer readable medium for execution by a processor, and when executed operable to:

obtain data representative of a service fully qualified domain name (FQDN) associated with a first network associated with a first tunnel;

route traffic directed to the FQDN onto the first tunnel; and

route traffic not directed to the FQDN elsewhere.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example embodiment, a method of dynamically tunneling specific, or per application, services on demand without having to build complex split tunneling policies on Virtual Private Network (VPN) terminators. In particular embodiments, the method can allow for tunneling to multiple data centers on devices with limited, e.g., single, concentrator capabilities.

21 Citations

View as Search Results

21 Claims

1. Logic encoded in a tangible, non-transitory computer readable medium for execution by a processor, and when executed operable to:
- obtain data representative of a service fully qualified domain name (FQDN) associated with a first network associated with a first tunnel;
  
  route traffic directed to the FQDN onto the first tunnel; and
  
  route traffic not directed to the FQDN elsewhere.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The logic set forth in claim 1, further operable to:
    - allocate dummy service Internet Protocol (IP) addresses corresponding to the FQDNs associated with the first tunnel;
      
      obtain data representative of a service FQDN associated with a second network associated with a second tunnel; and
      
      allocate dummy service IP addresses corresponding to the FQDNs associated with the second tunnel.
  - 3. The logic set forth in claim 2, further operable to:
    - intercept a first Domain Name System (DNS) request for a sub-domain associated with a first FQDN associated with the first network;
      
      forward the first DNS request onto the first tunnel;
      
      receive a response to the first DNS request, the response comprising a first service IP address associated with the first network;
      
      map the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the FQDN associated with the first tunnel;
      
      replacing the first service IP address in the response to the first DNS request with the first dummy service IP address;
      
      forward the response to the first DNS request with the first dummy IP address;
      
      intercept a second Domain Name System (DNS) request for a sub-domain associated with a second FQDN associated with the second network;
      
      forward the second DNS request onto the second tunnel;
      
      receive a response to the second DNS request, the response comprising a second service IP address associated with the second network;
      
      map the second service IP address in the response to the second DNS request to a second dummy service IP address allocated to the FQDN associated with the second tunnel; and
      
      replacing the second service IP address in the response to the first DNS request with the second dummy service IP address; and
      
      forward the response to the second DNS request with the second dummy IP address.
  - 4. The logic set forth in claim 3, wherein the second DNS request comprises a destination address, the logic is further operable to:
    - obtain data representative of an address of a DNS server associated with the second network; and
      
      modify the destination address of the second DNS request, the destination address is changed to match the address of the DNS server associated with the second tunnel;
      
      store data representative of the second DNS request, the data representative of the second DNS comprises the destination address of the second DNS request;
      
      wherein the modified second DNS request forwarded on the second tunnel contains the address of the DNS server associated with the second network as the destination address.
  - 5. The logic set forth in claim 4, wherein the second DNS response comprises a source address, the logic is further operable to:
    - matching the response to the second DNS request to the stored data representative of the second DNS request;
      
      modify the source address of the response to the second DNS request, wherein the source address is modified to match the destination address of the second DNS request; and
      
      forward the modified response to the second DNS request.
  - 6. The logic set forth in claim 3, further operable to:
    - receive a first packet, the first packet having the first dummy IP address as a destination address;
      
      replace the first dummy IP address with the first service IP address in the response to the first DNS request;
      
      forward the first packet onto the first tunnel with the first service IP address in the response to the first DNS request as the destination address;
      
      receive a second packet, the second packet having the second dummy IP address as a destination address;
      
      replacing the second dummy IP address with the second service IP address in the response to the second DNS request;
      
      forward the second packet onto the second tunnel with the second service IP address in the response to the second DNS request as the destination address.
  - 7. The logic set forth in claim 3, further operable to:
    - receive a first packet from the first tunnel with a source address matching the first service IP address in the response to the first DNS request;
      
      replace the source address of the first packet with the first dummy IP address;
      
      forward the first packet with the first dummy IP address as the source address;
      
      receive a second packet from the second tunnel with a source address matching the second service IP address in the response to the second DNS request;
      
      replace the source address of the second packet with the second dummy IP address; and
      
      forward the second packet with the second dummy IP address as the source address.
  - 8. The logic set forth in claim 3, further operable to:
    - intercept a third Domain Name System (DNS) request for a sub-domain not associated with a FQDN associated with the first tunnel and not associated with an FQDN associated with the tunnel;
      
      forward the third DNS request onto the first tunnel;
      
      receive a response to the third DNS request, the response comprising a third service IP address;
      
      forward the response to the third DNS request with the third service IP address.
  - 9. The logic set forth in claim 1, further operable to:
    - establish the first tunnel with a security device associated with a first network;
      
      wherein the data representative of service FQDNs associated with the first tunnel is obtained upon establishment of the first tunnel.
  - 10. The logic set forth in claim 9, further operable toreceive VPN configuration data for a second network from the security device associated with the first network;
    - andestablish a second tunnel with the second network employing the VPN configuration data received from the security devicewherein the data representative of service FQDNs associated with the second tunnel are obtained from the second network.

11. An apparatus, comprising:
- an interface;
  
  a virtual private network (VPN) client coupled with the interface;
  
  the VPN client selectively routes Domain Name System (DNS) request for sub-domains associated with a first network through a tunnel associated with the first network via the interface;
  
  the VPN client selectively routes DNS request for sub-domains associated with a second network through a tunnel associated with the second network via the interface;
  
  the VPN client replaces the destination address for DNS requests for sub-domains associated with the second network to match an address of a DNS server associated with the second network; and
  
  the VPN client stores data representative of DNS requests for sub-domains associated with the second network;
  
  the VPN client forwards the DNS requests for sub-domains associated with the second network with the address of the DNS server associated with the second network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The apparatus set forth in claim 11, the VPN client matches DNS responses received from the second network with stored DNS request employing the stored data representative of DNS requests;
    - the VPN client replaces the source address of the DNS responses with the destination addresses of the DNS requests; and
      
      the VPN client forwards the DNS responses with the destination addresses of the DNS requests.
  - 13. The apparatus set forth in claim 11, the VPN client associates service Internet Protocol (IP) addresses for sub-domains associated with the first and second networks to dummy service IP addresses;
    - andthe VPN client replaces the service IP addresses in DNS responses for sub-domains associated with the first and second networks with dummy service IP addresses in and provides the DNS responses with the dummy service IP addresses.
  - 14. The apparatus set forth in claim 13, the VPN client is responsive to receiving a packet having a dummy service IP address associated with the first network as the destination address to replace the dummy service IP address with an appropriate service IP address;
    - andforward the packet with the appropriate IP address to the first network through the first tunnel via the interface.
  - 15. The apparatus set forth in claim 13, the VPN client is responsive to receiving a packet having a source address via the first tunnel from the first network to replace the source address with the appropriate dummy service IP address;
    - andthe VPN client forwards the packet with the appropriate dummy service IP address.
  - 16. The apparatus set forth in claim 13, the VPN client is responsive to receiving a packet having a dummy service IP address associated with the second network as the destination address to replace the dummy service IP address with an appropriate service IP address;
    - andforward the packet with the appropriate IP address to the second network through the second tunnel.
  - 17. The apparatus set forth in claim 13, the VPN client is responsive to receiving a packet having a source address via the second tunnel from the second network to replace the source address with the appropriate dummy service IP address;
    - andthe VPN client forwards the packet with the appropriate dummy service IP address.
  - 18. The apparatus set forth in claim 13, wherein the dummy service IP addresses allocated for service IP addresses associated with the first network and service IP associated with the second network are contiguous.

19. A computer implemented method, comprising:
- selectively routing Domain Name System (DNS) request for sub-domains associated with a first network through a tunnel associated with the first network;
  
  selectively routing DNS request for sub-domains associated with a second network through a tunnel associated with the second network;
  
  associating service Internet Protocol (IP) addresses for sub-domains associated with the first and second networks to dummy service IP addresses;
  
  replacing the service IP addresses in DNS responses for sub-domains associated with the first and second networks with dummy service IP addresses; and
  
  forwarding the DNS responses with the dummy service IP addresses.
- View Dependent Claims (20, 21)
- - 20. The computer implemented method set forth in claim 19, further comprising:
    - replacing the destination address for DNS requests for sub-domains associated with the second network to match an address of a DNS server associated with the second network; and
      
      storing data representative of DNS requests for sub-domains associated with the second network;
      
      forwarding the DNS requests for sub-domains associated with the second network with the address of the DNS server associated with the second network;
      
      .matching DNS responses received from the second network with stored DNS request employing the stored data representative of DNS requests;
      
      replacing the source address of the DNS responses with the destination addresses of the DNS requests; and
      
      forwarding the DNS responses with the destination addresses of the DNS requests.
  - 21. The method set forth in claim 19, further comprising:
    - replacing a destination address of packets having a dummy service IP addresses associated with the first network as the destination address with the appropriate service IP address for the first network;
      
      forwarding the packets with the appropriate service IP address as the destination address for the first network to the first network via the first tunnel;
      
      replacing a destination address of packets having a dummy service IP addresses associated with the second network as the destination address with the appropriate service IP address for the first network;
      
      forwarding the packets with the appropriate service IP address for the second network as the destination address to the second network via the second tunnel;
      
      replacing a source address of packets received from the first network with a dummy service IP addresses associated with the first network;
      
      forwarding the packets with the dummy IP address associated with the first network as the source address;
      
      replacing a source address of packets received from the second network with a dummy service IP addresses associated with the second network;
      
      forwarding the packets with the dummy IP address associated with the second network as the source address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
PARLA, Vincent E., Santau, Vlad, Champagne, Timothy Steven Jr., Munz, Kerry Hannigan

Granted Patent

US 9,137,211 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0272   Virtual private networks

APPLICATION SERVICES BASED ON DYNAMIC SPLIT TUNNELING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION SERVICES BASED ON DYNAMIC SPLIT TUNNELING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links