DISTRIBUTED TUNNELING FOR VPN

US 20170034129A1
Filed: 04/27/2016
Published: 02/02/2017
Est. Priority Date: 07/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a computing device, a packet for a virtual private network (VPN) connection, said packet comprises an encrypted portion and an unencrypted portion;

identifying a destination address from the unencrypted portion of the packet;

identifying an overlay logical network based on the identified destination address;

encapsulating the packet for the overlay logical network, said encapsulated packet comprising said encrypted portion and said unencrypted portion; and

forwarding the encapsulated packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A novel method of providing virtual private access to a software defined data center (SDDC) is provided. The SDDC uses distributed VPN tunneling to allow external access to application services hosted in the SDDC. The SDDC includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources. The host machines that host the VMs running the applications that VPN clients are interested in connecting performs the VPN encryption and decryption. The VPN gateway does not perform any encryption and decryption operations. The packet structure is such that the VPN gateway can read the IP address of the VM without decrypting the packet.

Citations

20 Claims

1. A method comprising:
- receiving, at a computing device, a packet for a virtual private network (VPN) connection, said packet comprises an encrypted portion and an unencrypted portion;
  
  identifying a destination address from the unencrypted portion of the packet;
  
  identifying an overlay logical network based on the identified destination address;
  
  encapsulating the packet for the overlay logical network, said encapsulated packet comprising said encrypted portion and said unencrypted portion; and
  
  forwarding the encapsulated packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said computing device is an edge node of a data center that comprises a plurality of host machines operating virtual machines, wherein the destination address identifies an virtual machine operating in a particular host machine.
  - 3. The method of claim 2, wherein the particular host machine is an endpoint in the overlay logical network.
  - 4. The method of claim 3 further comprising identifying the endpoint based on the identified destination address.
  - 5. The method of claim 1, wherein the packet is received from a VPN client, wherein the computing device is a VPN gateway.
  - 6. The method of claim 5, wherein the VPN gateway negotiated with the VPN client for an encryption key that is used to encrypt the encrypted portion of the packet, wherein the encryption key is provided to the particular host machine for decrypting the packet.
  - 7. The method of claim 5, wherein the received packet comprises an outer header that identifies a public address of the VPN gateway.
  - 8. The method of claim 6 further comprising removing the outer header before encapsulating the packet.

9. A method comprising:
- receiving, at a computing device, a packet encapsulated according to an overlay logical network, wherein an encapsulated payload of the packet comprises an encrypted portion and an unencrypted portion;
  
  identifying a destination address from said unencrypted portion of the encapsulated payload;
  
  attaching an outer header for a virtual private network (VPN) connection to the packet, the outer header identifying a VPN client based on the identified destination address; and
  
  forwarding the packet with the attached outer header to the VPN client.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein said computing device is an edge node of a data center that comprises a plurality of host machines operating virtual machines.
  - 11. The method of claim 10, wherein the received encapsulated packet is tunneled to the computing device from a particular host machine, wherein the particular host machine and the computing device are tunnel endpoints of the overlay logical network.
  - 12. The method of claim 11, wherein the computing device is a VPN gateway that negotiated with the VPN client for an encryption key that is used to encrypt the encrypted portion of the packet, wherein the encryption key is provided to the particular host machine for encrypting the packet.
  - 13. The method of claim 9 further comprising removing encapsulation of the overlay logical network from the packet before attaching outer header.

14. A method comprising:
- receiving, at a host machine of a data center, a packet from a virtual machine hosted by the host machine;
  
  identifying a destination address from the packet;
  
  identifying a virtual private network (VPN) connection based on the identified destination address;
  
  encrypting the packet for the VPN connection, the encrypted packet comprising a encrypted portion and an unencrypted portion, wherein the unencrypted portion comprises the identified destination address; and
  
  encapsulating the packet according to an overlay logical network for tunneling the packet to an edge node of a data center that comprises the host machine.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the host machine is operating a virtualization software for hosting the virtual machine.
  - 16. The method of claim 15, wherein the virtualization software comprises a crypto engine for performing said encrypting.
  - 17. The method of claim 14, wherein the edge node is a VPN gateway that negotiated an encryption key for said VPN connection.
  - 18. The method of claim 14, wherein an IP header of the received packet comprises the destination address.
  - 19. The method of claim 18 further comprising copying the destination address to the unencrypted portion of the encrypted packet.
  - 20. The method of claim 18, wherein the encrypted portion of the encrypted packet comprises the IP header.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Chopra, Amit, Naik, Vinayak Shashikant, Sawant, Sandesh, Jain, Jayant, Sengupta, Anirban, Masurekar, Uday

Granted Patent

US 10,567,347 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/4633   Interconnection of networks...

H04L 45/74   Address processing for routing

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/1097   for distributed storage of ...

H04L 69/14   Multichannel or multilink p...

H04L 9/083   involving central third par...

DISTRIBUTED TUNNELING FOR VPN

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED TUNNELING FOR VPN

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links