SYSTEMS, METHODS, AND DEVICES FOR SMART MAPPING AND VPN POLICY ENFORCEMENT

US 20170026417A1
Filed: 07/22/2016
Published: 01/26/2017
Est. Priority Date: 07/23/2015
Status: Active Grant

First Claim

Patent Images

1. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:

program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system;

receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier;

identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and

transmit the RLOC to the first tunneling router.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the embodiments are directed to systems, methods, and computer program products to program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system; receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier; identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and transmit the RLOC to the first tunneling router implementing an high level policy that has been dynamically resolved into a state of the mapping database.

122 Citations

28 Claims

1. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system;
  
  receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier;
  
  identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and
  
  transmit the RLOC to the first tunneling router.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The one or more computer readable storage media of claim 1, wherein the source identifier is located in a first portion of the EID tuple.
  - 3. The one or more computer readable storage media of claim 1, wherein the source identifier is located in a second portion of the EID tuple.
  - 4. The one or more computer readable storage media of claim 1, wherein the instructions are further operable when executed to rendering a forwarding policy based, at least in part, on the source identifier from the EID tuple.
  - 5. The one or more computer readable storage media of claim 4, wherein the instructions are further operable when executed to identifying the RLOC based on the identified forwarding policy.
  - 6. The one or more computer readable storage media of claim 4, wherein the instructions are further operable to resolving a policy associated with a source identifier into a forwarding state.

7. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system;
  
  receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol (LISP), the mapping request comprising an RLOC tuple that includes a source identifier and a destination identifier, the RLOC tuple an extension of an EID;
  
  identify an endpoint identifier for a destination based, at least in part, on the destination identifier of the EID tuple; and
  
  transmit the RLOC to the first tunneling router.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The one or more computer readable storage media of claim 7, wherein the source identifier is located in a first portion of the EID tuple.
  - 9. The one or more computer readable storage media of claim 7, wherein the source identifier is located in a second portion of the EID tuple.
  - 10. The one or more computer readable storage media of claim 7, wherein the instructions are further operable when executed to rendering a forwarding policy based, at least in part, on the source identifier from the EID tuple.
  - 11. The one or more computer readable storage media of claim 10, wherein the instructions are further operable when executed to identifying the RLOC based on the identified forwarding policy.
  - 12. The one or more computer readable storage media of claim 10, wherein the instructions are further operable to resolving a policy associated with a source identifier into a forwarding state.

13. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- program, via a northbound interface, a mapping between a device identifier and a location identifier directly into a mapping database at a mapping system;
  
  receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol (LISP);
  
  determine a mapping to a destination address based on the mapping request;
  
  determine that the mapping comprises a traffic engineering format;
  
  based on determining that the mapping comprises a traffic engineering format;
  
  compare an ingress tunneling router locator field in the mapping request with a locator address of the mapping;
  
  determine whether a match exists between the ingress tunneling router locator field and the locator address of the mapping; and
  
  if a match exists between the ingress tunneling router locator field and the locator address of the mapping, return, to the first tunneling router, a next hop locator as a single locator in a map reply message.
- View Dependent Claims (14)
- - 14. The one or more computer readable storage media of claim 13, wherein the instructions are further operable to determining whether a match exists between the ingress tunneling router locator field and the locator address of the mapping;
    - andif a match does not exist between the ingress tunneling router locator field and the locator address of the mapping, return, to the first tunneling router, a first hop locator as a single locator in the map reply message.

15. A method comprising:
- programing, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system;
  
  receiving, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol (LISP), the mapping request comprising an endpoint identifier (EID) tuple that includes a source identifier and a destination identifier;
  
  identifying a routing locator (RLOC) based, at least in part, on the destination identifier of the EID tuple; and
  
  transmitting the RLOC to the first tunneling router.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein the source identifier is located in a first portion of the EID tuple.
  - 17. The method of claim 15, wherein the source identifier is located in a second portion of the EID tuple.

18. A method comprising:
- programing, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system;
  
  receiving, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol (LISP), the mapping request comprising an router locator (RLOC) tuple that includes a source identifier and a destination identifier, the RLOC tuple an extension of an endpoint identifier (EID);
  
  identifying an endpoint identifier for a destination based, at least in part, on the destination identifier of the EID tuple; and
  
  transmitting the RLOC to the first tunneling router.

19. A method comprising:
- programing, via a northbound interface, a mapping between a device identify and a routing location identification directly into a mapping database at a mapping system;
  
  receiving, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol (LISP);
  
  determining a mapping to a destination address based on the mapping request;
  
  determining that the mapping comprises a traffic engineering format;
  
  based on determining that the mapping comprises a traffic engineering format;
  
  comparing an ingress tunneling router locator field in the mapping request with a locator address of the mapping;
  
  determining whether a match exists between the ingress tunneling router locator field and the locator address of the mapping; and
  
  if a match exists between the ingress tunneling router locator field and the locator address of the mapping, return, to the first tunneling router, a next hop locator as a single locator in a map reply message.
- View Dependent Claims (20)
- - 20. The method claim 19, wherein the instructions are further operable to determining whether a match exists between the ingress tunneling router locator field and the locator address of the mapping;
    - andif a match does not exist between the ingress tunneling router locator field and the locator address of the mapping, return, to the first tunneling router, a first hop locator as a single locator in the map reply message.

21. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- receive a policy associated with a virtual private network (VPN) via a service orchestrator;
  
  identify one or more mapping states for the policy;
  
  associate the one or more forwarding states with one or more source and destination identifiers; and
  
  provide the one or more forwarding states and one or more source and destination identifiers to a mapping server.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The one or more computer readable storage media of claim 21, wherein the instructions are further operable when executed to:
    - identify a traffic engineering policy for the VPN;
      
      identifying a forwarding state for the traffic engineering policy; and
      
      providing the forwarding state for the traffic engineering policy to the mapping server.
  - 23. The one or more computer readable storage media of claim 21, wherein the instructions are further operable when executed to:
    - identify a service insertion policy for the VPN;
      
      identifying a forwarding state for the service insertion policy; and
      
      providing the forwarding state for the service insertion policy to the mapping server.
  - 24. The one or more computer readable storage media of claim 21, wherein the instructions are further operable when executed to:
    - identify an encryption policy for the VPN;
      
      identifying a forwarding state for the encryption policy; and
      
      providing the forwarding state for the encryption policy to a key management server.
  - 25. The one or more computer readable storage media of claim 21, wherein the instructions are further operable when executed to:
    - identify a group policy for the VPN;
      
      identifying one or more routers for with the group policy, the one or more routers forming a forwarding state for the VPN; and
      
      providing the forwarding state for the group policy to the mapping server.
  - 26. The one or more computer readable storage media of claim 21, wherein the instructions are further operable when executed to:
    - identify a first policy and a second policy for the VPN;
      
      resolving the first policy by identifying a first forwarding state for the first policy;
      
      resolving the second policy by identifying a second forwarding state for the second policy;
      
      compounding the first forwarding state with the second forwarding state; and
      
      providing the first and second forwarding states to the mapping server.
  - 27. The one or more computer readable storage media of claim 21, wherein the instructions are further operable when executed to:
    - identify a first policy and a second policy for the VPN;
      
      resolving the first policy by identifying a first forwarding state for the first policy;
      
      resolving the second policy by identifying a second forwarding state for the second policy;
      
      determine a conflict in forwarding states between the first forwarding state and the second forwarding state;
      
      determine, based on one or more policy resolution priorities associated with the VPN, a third forwarding state, the third forwarding state reflecting at least one policy for the VPN; and
      
      providing the third forwarding states to the mapping server.
  - 28. The one or more computer readable storage media of claim 21, wherein a forwarding state comprising an identification of one or more endpoint identifiers that satisfy the policy or an encryption policy for one or more endpoint identifiers or a combination of the two.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Coras, Florin T., Evans, John William, Ermagan, Vina, Maino, Fabio R., Miclea, Marius Horia, Quinn, Paul, Lewis, Darrel Jay, Weis, Brian E.

Granted Patent

US 10,637,889 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 2012/5621   Virtual private network [VP...

H04L 45/54   Organization of routing tables

H04L 45/64   using an overlay routing layer

H04L 45/74   Address processing for routing

H04L 61/251   between different IP versions

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 69/03   Protocol definition or spec...

SYSTEMS, METHODS, AND DEVICES FOR SMART MAPPING AND VPN POLICY ENFORCEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

122 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS, METHODS, AND DEVICES FOR SMART MAPPING AND VPN POLICY ENFORCEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links