DYNAMIC, USER-CONFIGURABLE VIRTUAL PRIVATE NETWORK

US 20190081930A1
Filed: 01/08/2018
Published: 03/14/2019
Est. Priority Date: 09/13/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory processor-readable medium storing code to be executed by a processor, the code comprising code representing instructions to:

receive, from an origin, packets identifying a destination;

define a first virtual private network (VPN) that defines first data path from the origin to the destination at a first time, the first VPN including a first plurality of logical switches including a first egress switch;

send each packet identifying the destination that is received from the origin during a first time period to the destination via the first data path;

define a second VPN that defines a second data path from the origin to the destination at a second time, the second VPN including a second plurality of logical switches including a second egress switch, the second egress switch being different from the first egress switch; and

send each packet identifying the destination that is received from the origin during a second time period to the destination via the second data path without disrupting communications between the origin and the destination between the first time period and the second time period, the first time period and the second time period being mutually exclusive.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments described herein relate managing communications between an origin and a destination using end-user and/or administrator configurable virtual private network(s) (VPN(s)). A first VPN that defines a first data path between an origin and a destination can be defined at a first time. A second VPN that defines a second, different data path between the origin and the destination can defined at a second time. Each packet sent across the first VPN and each packet sent across the second VPN can follow the same data path for that VPN, such each packet can be sent across the first VPN or the second VPN in the order it was received, and the transition between the first VPN and the second VPN can be “seamless,” and communications between the origin and the destination are not disrupted between the first time period and the second time period.

Citations

32 Claims

1. A non-transitory processor-readable medium storing code to be executed by a processor, the code comprising code representing instructions to:
- receive, from an origin, packets identifying a destination;
  
  define a first virtual private network (VPN) that defines first data path from the origin to the destination at a first time, the first VPN including a first plurality of logical switches including a first egress switch;
  
  send each packet identifying the destination that is received from the origin during a first time period to the destination via the first data path;
  
  define a second VPN that defines a second data path from the origin to the destination at a second time, the second VPN including a second plurality of logical switches including a second egress switch, the second egress switch being different from the first egress switch; and
  
  send each packet identifying the destination that is received from the origin during a second time period to the destination via the second data path without disrupting communications between the origin and the destination between the first time period and the second time period, the first time period and the second time period being mutually exclusive.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory processor-readable medium of claim 1, wherein at least a subset of the first plurality of logical switches are implemented on a commercial cloud.
  - 3. The non-transitory processor-readable medium of claim 1, wherein a first subset of the first plurality of logical switches are implemented on a first commercial cloud and a second subset of the first plurality of logical switches are implemented on a second commercial cloud.
  - 4. The non-transitory processor-readable medium of claim 1, wherein the packets relate to streaming media, the first time period transitions to the second time period while the origin is streaming media to the destination, the streaming media not being interrupted during a transition from the first time period to the second time period.
  - 5. The non-transitory processor readable medium of claim 1, the code further comprising code representing instructions to:
    - encrypt each packet sent from the origin to the destination such that each packet remains encrypted until received by the destination.
  - 6. The non-transitory processor-readable medium of claim 1, the code further comprising code representing instructions to:
    - assign a private internal internet protocol (IP) address to each logical switch from the first plurality of logical switches; and
      
      apply a plurality of layers of encryption to the packets, each layer of encryption from the plurality of layers of encryption identifying a logical switch from the first plurality of logical switches by an internal IP address, the plurality of layers of encryption obscuring first data path and the contents of the packets from each logical switch from the plurality of logical switches and obscuring the destination from each logical switch from the plurality of logical switches other than the first egress switch.
  - 7. The non-transitory processor-readable medium of claim 1, the code further comprising code representing instructions to:
    - define a routing table for the first VPN, the routing table identifying each logical switch from the first plurality of logical switches by a private internal internet protocol (IP) address and a public IP address;
      
      propagate at least a portion of the routing table to each logical switch from the first plurality of logical switches; and
      
      address each packet sent from the origin to the destination using the private internal IP addresses.

8. An access server, comprising a processor and a memory, the access server configured to:
- receive a plurality of packets from an origin;
  
  define a route from the access server to an egress node, the route including a plurality of logical switches, the route traversing a commercial cloud, an administrator of the access server not being an administrator of physical hardware of the commercial cloud; and
  
  send each packet from the plurality of packets to the egress node via the route in an order received such that the plurality of packets arrive at the egress node sequentially.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 9. The access server of claim 8, further configured to:
    - receive, from a user associated with the origin, an indication of a desired route, each logical switch of the route defined based on the indication of the desired route.
  - 10. The access server of claim 8, further configured to:
    - receive, from the administrator of the access server, an indication of a desired route, the route defined based on the indication of the desired route.
  - 11. The access server of claim 8, further configured to:
    - receive a signal from the origin including a request for authentication, the route defined based on the request for authentication.
  - 12. The access server of claim 8, further configured to:
    - authenticate the origin, the route spanning a virtual private network (VPN) such that each logical switch of the route is accessible only by being authenticated by the access server.
  - 13. The access server of claim 8, wherein packets leaving the egress node are devoid of identifiers associated with the origin.
  - 14. The access server of claim 8, wherein packets leaving the egress node are devoid of identifiers associated with the origin and devoid of identifiers associated any logical switch from the plurality of logical switches other than the egress node.
  - 15. The access server of claim 8, wherein the access server is further configured to:
    - alter the egress node of the route without interrupting traffic flowing from the origin to a destination.
  - 16. The access server of claim 8, wherein the access server is further configured to instantiate at least a subset of the plurality of logical switches in the commercial cloud.
  - 17. The access server of claim 8, wherein the access server is further configured to:
    - authenticate the origin; and
      
      instantiate a logical switch that serves as the egress node after authenticating the origin.
  - 18. The access server of claim 8, the access server is further configured to:
    - apply a plurality of layers of encryption to each packet from the plurality of packets, each layer of encryption from the plurality of layers of encryption produced by encrypting each packet from the plurality of packets with a different encryption key that is uniquely associated with a logical switch along the route.
  - 19. The access server of claim 8, the access server is further configured to:
    - apply a plurality of layers of encryption to each packet from the plurality of packets, each layer of encryption from the plurality of layers of encryption produced by encrypting each packet from the plurality of packets with a different encryption key that is uniquely associated with a logical switch along the route that does not broadcast its encryption key.
  - 20. The access server of claim 8, wherein the access server is further configured to:
    - define a plurality of decryption keys;
      
      send a decryption key from the plurality of decryption keys to a logical switch from the plurality of logical switches; and
      
      apply a plurality of layers of encryption to each packet from the plurality of packets using a plurality of encryption keys associated with the plurality of decryption keys.

21-24. -24. (canceled)

25. A non-transitory processor-readable medium storing code to be executed by a processor of an access server, the code comprising code representing instructions to:
- receive a plurality of packets from an origin;
  
  define a route from the access server to an egress node, the route including a plurality of logical switches, the route traversing a commercial cloud, an administrator of the access server not being an administrator of physical hardware of the commercial cloud; and
  
  send each packet from the plurality of packets to the egress node via the route in an order received such that the plurality of packets arrive at the egress node sequentially.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 32)
- - 26. The non-transitory processor-readable medium of claim 25, wherein:
    - the plurality of packets is a first plurality of packets received from an origin during a first time period;
      
      the first plurality of packets identify a destination;
      
      the route is a first route that is defined at a first time and includes a first plurality of logical switches;
      
      the egress node is a first egress node; and
      
      the first plurality of packets are sent to the first egress node via the first route, the code further comprising code to representing instructions to;
      
      receive a second plurality of packets from the origin during a second time period, the second plurality of packets identifying the destination;
      
      define a second route from the origin to a second egress node at a second time, the second route including a second plurality of logical switches, the second egress node being different from the first egress node; and
      
      send each packet from the second plurality of packets via the second route without disrupting communications between the origin and the destination between the first time period and the second time period, the first time period and the second time period being mutually exclusive.
  - 27. The non-transitory processor-readable medium of claim 26, wherein at least a subset of the first plurality of logical switches are implemented on the commercial cloud.
  - 28. The non-transitory processor-readable medium of claim 26, wherein:
    - the commercial cloud is a first commercial cloud; and
      
      a first subset of the first plurality of logical switches are implemented on the first commercial cloud and a second subset of the first plurality of logical switches are implemented on a second commercial cloud.
  - 29. The non-transitory processor-readable medium of claim 26, wherein the first plurality of packets and the second plurality of packets relate to streaming media, the first time period transitions to the second time period while the origin is streaming media to the destination, the streaming media not being interrupted during a transition from the first time period to the second time period.
  - 30. The non-transitory processor readable medium of claim 26, the code further comprising code representing instructions to:
    - encrypt each packet from the first plurality of packets such that each packet from the first plurality of packets remains encrypted until received by the destination.
  - 31. The non-transitory processor-readable medium of claim 26, the code further comprising code representing instructions to:
    - assign a private internal internet protocol (IP) address to each logical switch from the first plurality of logical switches before sending the each packet from the first plurality of packets to the egress node; and
      
      apply a plurality of layers of encryption to each packet from the first plurality of packets, each layer of encryption from the plurality of layers of encryption identifying a logical switch from the first plurality of logical switches by an internal IP address, the plurality of layers of encryption obscuring the first route and the contents of packets from the first plurality of packets from each logical switch from the first plurality of logical switches and obscuring the destination from each logical switch from the first plurality of logical switches other than the first egress node.
  - 32. The non-transitory processor-readable medium of claim 26, wherein:
    - defining the first route includes defining a first virtual private network (VPN) across at least a first commercial cloud; and
      
      defining the second route includes defining a second VPN across at least a second commercial cloud.
  - 32-1. The non-transitory processor-readable medium of claim 32, the code further comprising code representing instructions to:
    - define a routing table for the first VPN, the routing table identifying each logical switch from the first plurality of logical switches by a private internal internet protocol (IP) address and a public IP address;
      
      propagate at least a portion of the routing table to each logical switch from the first plurality of logical switches; and
      
      address each packet sent from the origin to the destination using the private internal IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Conceal, Inc.
Original Assignee
NetAbstraction, Inc.
Inventors
HUNT, IV, Ira A.

Granted Patent

US 10,516,650 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/22   Alternate routing

H04L 45/54   Organization of routing tables

H04L 49/70   Virtual switches

H04L 63/0272   Virtual private networks

H04L 63/0414   during transmission, i.e. p...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

DYNAMIC, USER-CONFIGURABLE VIRTUAL PRIVATE NETWORK

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC, USER-CONFIGURABLE VIRTUAL PRIVATE NETWORK

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links