Distributed VPN Service

US 20170033924A1
Filed: 07/31/2015
Published: 02/02/2017
Est. Priority Date: 07/31/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a plurality of host machines for providing computing and network resource, wherein the host machines are computing devices interconnected by an internal network;

a set of edge nodes for providing access of said plurality of host machines from devices external to said internal network,wherein at least one of said set of edge nodes is responsible for negotiating a key for encrypting a set of outgoing packets from a particular host machine in the plurality of host machines to an external device outside of said internal network,wherein the negotiated encryption key is provided to said particular host machine in order for said particular host machine to encrypts said set of outgoing packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For a network that includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources, a novel method that distributes encryption keys to the hosts to encrypt/decrypt the complete payload originating/terminating at those hosts is described. These encryption keys are created or obtained by the VPN gateway based on network security negotiations with the external networks/devices. These negotiated keys are then distributed to the hosts via control plane of the network. In some embodiments, this creates a complete distributed mesh framework for processing crypto payloads.

Citations

21 Claims

1. A system comprising:
- a plurality of host machines for providing computing and network resource, wherein the host machines are computing devices interconnected by an internal network;
  
  a set of edge nodes for providing access of said plurality of host machines from devices external to said internal network,wherein at least one of said set of edge nodes is responsible for negotiating a key for encrypting a set of outgoing packets from a particular host machine in the plurality of host machines to an external device outside of said internal network,wherein the negotiated encryption key is provided to said particular host machine in order for said particular host machine to encrypts said set of outgoing packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the set of edge nodes comprises a plurality of edge nodes for forwarding outgoing packets to the external device.
  - 3. The system of claim 1, wherein the internal network is provided by a first datacenter, wherein the external device is a host machine in a remote network that is provided by a second datacenter.
  - 4. The system of claim 1, wherein the negotiated key is further for decrypting a set of incoming packets from said external device to said particular host machine.
  - 5. The system of claim 4, wherein the set of incoming packet and the set of outgoing packets belong to a particular L4 connection.
  - 6. The system of claim 4, wherein the set of incoming packet and the set of outgoing packets belong to a same L2 segment.
  - 7. The system of claim 1, wherein the at least one edge node negotiates a plurality of encryption keys for a plurality of different sets of incoming packets.
  - 8. The system of claim 7, wherein the an edge node receives an incoming encrypted packet decrypts a portion of the packet by identifying a negotiated key for decrypting the incoming encrypted packet based on information stored in a header of the packet.
  - 9. The system of claim 7, wherein the system further comprises a controller for distributing the plurality of keys to two or more of the host machines, wherein each of the two or more host machines uses at least one of the distributed keys to encrypt a set of outgoing packets and a set of incoming packets.
  - 10. The system of claim 9, wherein the plurality of host machines implements a plurality of distributed logical forwarding elements and the controller is further for controlling distributed logical forwarding elements.

11. A computing device serving as one of a plurality of host machines in a datacenter, the computing device comprising:
- a set of processing units; and
  
  a machine readable medium storing a program for execution by at least one of the processing units, the program sets of instructions for;
  
  receiving an encryption key from an edge node of a datacenter, wherein the edge node negotiated the key for encrypting a set of outgoing packets from the computing device to an external device outside of the datacenter; and
  
  using the received key to encrypt the set of outgoing packets.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computing device of claim 11, wherein the datacenter is a first datacenter, wherein the external device is a host machine in a remote network that is provided by a second datacenter.
  - 13. The computing device of claim 11, wherein the negotiated key is further for decrypting a set of incoming packets from said external device to said computing device.
  - 14. The computing device of claim 13, wherein the set of incoming packet and the set of outgoing packets belong to a particular L4 connection.
  - 15. The computing device of claim 13, wherein the set of incoming packet and the set of outgoing packets belong to a same L2 segment.
  - 16. The computing device of claim 11, wherein the edge node negotiates a plurality of encryption keys for a plurality of different sets of outgoing packets.
  - 17. The computing device of claim 16, further comprising operating a plurality of virtual machines (VMs) that transmits the plurality of different sets of outgoing packets, wherein the program further comprises selecting an encryption key for encrypting each set of outgoing packets.

18. A method comprising:
- negotiating, at an edge node of a datacenter that comprises a plurality of host machines, a key for encrypting a set of outgoing packets from a particular host machine to an external device outside of the datacenter; and
  
  providing the negotiated key to the particular host machine for encrypting the set of outgoing packets.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18, wherein the negotiated key provided to the particular host machine is further for the particular host machine to decrypt a set of incoming packets from the external device.
  - 20. The method of claim 18 further comprises negotiating a plurality of encryption keys for a plurality of different sets of incoming packets.
  - 21. The method of claim 20 further comprises:
    - receiving an incoming encrypted packet and decrypting a portion of the packet by identifying a negotiated key for decrypting the incoming encrypted packet based on information stored in a header of the packet;
      
      using the decrypted portion of the incoming packet to identify a destination host machine; and
      
      forward the incoming packet to the identified host machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Jain, Jayant, Sengupta, Anirban, Masurekar, Uday

Granted Patent

US 10,044,502 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 9/45558   Hypervisor-specific managem...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0803   Configuration setting

H04L 63/0218   Distributed architectures, ...

H04L 63/0272   Virtual private networks

H04L 63/06   for supporting key manageme...

H04L 9/0819   Key transport or distributi...

Distributed VPN Service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed VPN Service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links