Method and arrangement for secure tunneling of data between virtual routers

US 6,438,612 B1
Filed: 09/11/1998
Issued: 08/20/2002
Est. Priority Date: 09/11/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for communicating data packets across a non secure network which does not support virtual networks between a transmitting virtual router implemented in transmitting computer device which is a node on one of a plurality of virtual networks sharing a network at a transmitting location, and a receiving virtual router implemented in a receiving computer device which is a node on one of a plurality of virtual networks sharing a network at a receiving location, the method comprising the steps ofa) establishing a secure tunnel for at least one of said plurality of virtual networks, each said secure tunnel so established for transmitting data packets for said one virtual network across said non secure network which does not support virtual networks, each said secure tunnel so established being set up by establishing a security association for the secure transmission of data packets between said transmitting computer device and said receiving computer device using any secure tunneling protocol for which a security association can be established, and agreeing upon and recording elements of said security association as a set of selectors in a memory or database in each of said transmitting and receiving computers, said selectors including at least one additional selector which directly or indirectly identifies said one virtual network which said secure tunnel serves and thereby also identifying a transmitting virtual router which supplies data packets to be transmitted via said secure tunnel and a receiving virtual router to which data packets are to be routed at said receiving computer device, (b) in the transmitting computer device, using the identification of the transmitting virtual router in the transmitting computer device from which a packet arrives to select the proper security association associated with a secure tunnel over said non secure tunnel which serves the virtual network of which said transmitting virtual router is a part, and using said selected security association for processing the data packet to encrypt at least a portion of said packet and add a header which includes information which identifies the security association to be used to process said packet at said receiving computer device, and transmitting said encrypted packet over said non secure network using the secure tunnel established by negotiation of said security association used to process said packet, (c) in the receiving computer device, selecting the security association for processing a data packet coming from the transmitting computer device on the basis of conventional security association selection processing using predetermined security association selector values contained within the data packet header, and using said security association to decrypt said packet, and (d) in the receiving computer device, reading said at least one additional selector added to said security association selected in step (c) which said at least one additional selector directly or indirectly identifies the receiving virtual router to which said packet is to be directed, and using said at least one additional selector to route said data packet to receiving virtual router so identified and which is part of a virtual network containing a computer or other device to which said packet is addressed.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data packets are communicated between a transmitting virtual router in a transmitting computer device and a receiving virtual router in a receiving computer device. A security association is established for the secure transmission of data packets between the transmitting computer device and the receiving computer device. The transmitting virtual router and the receiving virtual router are identified within said security association. In the transmitting computer device, the security association for processing a data packet coming from the transmitting virtual router is selected on the basis of the identification of the transmitting virtual router within the security association. In the receiving computer device, the security association for processing a data packet coming from the transmitting computer device is selected on the basis of values contained within the data packet. In the receiving computer device, the data packet processed within the security association is directed to the receiving virtual router on the basis of the identification of the receiving virtual router within the security association.

428 Citations

16 Claims

1. A method for communicating data packets across a non secure network which does not support virtual networks between a transmitting virtual router implemented in transmitting computer device which is a node on one of a plurality of virtual networks sharing a network at a transmitting location, and a receiving virtual router implemented in a receiving computer device which is a node on one of a plurality of virtual networks sharing a network at a receiving location, the method comprising the steps ofa) establishing a secure tunnel for at least one of said plurality of virtual networks, each said secure tunnel so established for transmitting data packets for said one virtual network across said non secure network which does not support virtual networks, each said secure tunnel so established being set up by establishing a security association for the secure transmission of data packets between said transmitting computer device and said receiving computer device using any secure tunneling protocol for which a security association can be established, and agreeing upon and recording elements of said security association as a set of selectors in a memory or database in each of said transmitting and receiving computers, said selectors including at least one additional selector which directly or indirectly identifies said one virtual network which said secure tunnel serves and thereby also identifying a transmitting virtual router which supplies data packets to be transmitted via said secure tunnel and a receiving virtual router to which data packets are to be routed at said receiving computer device, (b) in the transmitting computer device, using the identification of the transmitting virtual router in the transmitting computer device from which a packet arrives to select the proper security association associated with a secure tunnel over said non secure tunnel which serves the virtual network of which said transmitting virtual router is a part, and using said selected security association for processing the data packet to encrypt at least a portion of said packet and add a header which includes information which identifies the security association to be used to process said packet at said receiving computer device, and transmitting said encrypted packet over said non secure network using the secure tunnel established by negotiation of said security association used to process said packet, (c) in the receiving computer device, selecting the security association for processing a data packet coming from the transmitting computer device on the basis of conventional security association selection processing using predetermined security association selector values contained within the data packet header, and using said security association to decrypt said packet, and (d) in the receiving computer device, reading said at least one additional selector added to said security association selected in step (c) which said at least one additional selector directly or indirectly identifies the receiving virtual router to which said packet is to be directed, and using said at least one additional selector to route said data packet to receiving virtual router so identified and which is part of a virtual network containing a computer or other device to which said packet is addressed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10)
- - 2. A method according to claim 1, further comprising between steps c) and d) the step of performing a certain transform on the data packet to be transmitted to achieve tunneling between the transmitting computer device and the receiving computer device.
  - 3. A method according to claim 2, wherein said transform is the IPSEC AH transform.
  - 4. A method according to claim 2, wherein said transform is the IPSEC ESP transform.
  - 5. A method according to claim 1, wherein step a) includes the step of using a virtual network identifier to indirectly identify the transmitting virtual router and the receiving virtual router within said security association by adding said virtual network identifier as a selector to said security association.
  - 6. A method according to claim 1, wherein step a) includes the step of adding to each said security association a transmitting virtual router identifier and a receiving virtual router identifier to directly identify transmitting virtual router and the receiving virtual router within the virtual network served by a tunnel set up by establishment of said security association.
  - 7. A method according to claim 1, wherein step a) comprises using the IKE protocol for establishing a security association between said transmitting computer device and said receiving computer device for each said tunnel to be created and creating at least one tunnel for each virtual network at the location of said transmitting computer to be coupled to another virtual network at the location of said receiving computer, and adding to each security association so established either a virtual network identifier selector identifying the virtual network which the tunnel established by said security association serves or adding to each security association selectors which give the transmitting virtual router identifier and the receiving virtual router identifier which are part of a virtual network which a tunnel established by said security association serves.
  - 8. A method according to claim 7, wherein the use of the IKE protocol comprises the step of exchanging the information identifying the transmitting virtual router and the receiving virtual router between the transmitting computer device and the receiving computer device as part of the IKE phase 2 identity payloads.
  - 10. A method according to claim 1, additionally comprising the step of inserting the information identifying the transmitting virtual router and the receiving virtual router into a data packet to be transmitted from the transmitting computer device to the receiving computer device so that its presence in the data packet is detectable in the receiving computer by analysing the contents of the data packet.

9. A method for communicating data packets between one of a plurality of transmitting virtual routers in a transmitting computer device, each transmitting virtual router being part of a different virtual network sharing a physical network at the location of said transmitting computer device and one of a plurality of receiving virtual routers in a receiving computer device, each receiving virtual router being part of a different virtual network sharing a physical network at the location of said receiving computer device, said communicating of data packets taking place across a non secure data path which does not support virtual networks, the method comprising the steps ofa) establishing a security association for the secure transmission of data packets between the transmitting computer device and the receiving computer device for at least said virtual network to which said transmitting virtual router and said receiving virtual router belong, each said security association establishing a secure data path across said non secure data path which does not support virtual networks for one said virtual network, said secure data path carrying only packet traffic belonging to said virtual network to which said secure data path is dedicated, b) for each said security association so established, adding selector data thereto identifying a transmitting virtual router and a receiving virtual router which are part of the virtual network to be served by said secure data path established by said security association, c) in said transmitting computer device, using the identification of the transmitting virtual router within the transmitting computer device from which a packet arrives for transmission in the selection of the security association for processing said data packet, and transmitting said data packet across said secure data path established by said security association and dedicated to carrying packet traffic for the virtual network of which said transmitting virtual router is a part, d) in said receiving computer device, selecting the appropriate security association with which to process each data packet coming from said transmitting computer device on the basis of values contained within a header of said data packet, and e) in said receiving computer device, determining to which virtual network each data packet received belongs and to which virtual router to send said packet using a selector stored during step b) above in the security association selected in step d) above, and directing each said data packet processed using said security association selected in step d) above to a receiving virtual router selected on the basis of a selector within said security association;
- and further comprising the steps ofinserting said selector information identifying the transmitting virtual router and the receiving virtual router for each said security association into a data packet to be transmitted from the transmitting computer device to the receiving computer device, and indicating within said security association to which said selector information applies the presence of said information in the data packet.

11. A method for transmitting data packets from a transmitting virtual router which forms part of one of a plurality of virtual networks which shares a physical network coupled to a transmitting device to a particular one of a plurality of virtual networks which share a physical network at a receiving location, said transmitting virtual router being implemented in said transmitting computer device, said transmission occurring across a non secure network which does not support virtual networks to a receiving computer device, the method comprising the steps of:
- a) establishing a secure tunnel data path across said non secure network for at least the one of said plurality of virtual networks to which said transmitting virtual router belongs, said non secure network being one which does not support virtual networks, said establishment of said secure tunnel data path implemented by establishing for at least said virtual network to which said transmitting virtual router belongs a security association that defines said secure tunnel data path across said non secure network, said secure tunnel data path being established for the secure transmission of data packets of said virtual network to which said transmitting virtual router belongs between said transmitting computer device and said receiving computer device across said non secure network, b) for at least the virtual network to which said transmitting virtual router belong and for which a security association was established, identifying said transmitting virtual router which forms part of said virtual network corresponding to said security association by storing data within said security association which identifies said transmitting virtual router, and c) in said transmitting computer device, using the identification of the transmitting virtual router within the transmitting computer device from which a packet arrives for transmission across said non secure network in the selection of the corresponding security association which establishes said secure tunnel data path which is dedicated to carrying traffic for the virtual network of which said transmitting virtual router is a part and using said security association for processing said data packet coming from said transmitting virtual router.

12. A method for receiving data packets transmitted by a transmitting virtual router which is part of one of a plurality of virtual networks which share a physical network at the location of and coupled to a transmitting computer device, said packets transmitted over a non secure data path which does not support virtual networks through a secure tunnel dedicated to transmitting only packets from the virtual network of which said transmitting virtual router is a part to a receiving virtual router which is part of one of a plurality of virtual networks sharing a physical network at the location of and coupled to a receiving computer device, said receiving virtual router being one of a plurality of virtual routers implemented by said receiving computer device, each of said virtual routers implemented by said receiving computer device being part of a different one of said plurality of virtual networks sharing a physical network at the location of and coupled to said receiving computer device in execution in said receiving computer device, the method comprising the steps ofa) establishing at least one said secure tunnel through said non secure data path which does not support virtual networks for at least the one of said plurality of logical networks to which said transmitting and receiving virtual routers belong by establishing a security association for each said secure tunnel, said security association defining the characteristics of said tunnel for the secure transmission of data packets between said transmitting computer device and said receiving computer device, each said secure tunnel so established dedicated to carrying data packets for only one of said virtual networks, b) including data identifying said transmitting virtual router and said receiving virtual router within said security association that defines the characteristics of said secure tunnel through which are transmitted said packets belonging to said virtual network of which said transmitting virtual router and said receiving virtual router are a part, c) in said receiving computer device, selecting said security association which defines the characteristics of said secure tunnel through which said packets are transmitted by reading information from each said packet, and using said selected security association for processing each data packet coming through said tunnel, and d) in said receiving computer device, directing each data packet processed according to said security association selected in step c) to said receiving virtual router on the basis of the identification of said receiving virtual router within the security association used to process each said data packet.

13. An apparatus for securely transmitting data packets from a transmitting virtual router to a receiving virtual router over a non secure data path, comprising:
- a transmitting computer device;
  
  a receiving computer device;
  
  a plurality of virtual routers implemented in said transmitting and receiving computer devices, said plurality of virtual routers including a transmitting virtual router and a receiving virtual router on the same virtual network, each of said plurality of virtual routers each being part of at least one of a plurality of virtual networks which include the virtual network which includes said transmitting virtual router and said receiving virtual router, means for establishing a security association establishing the characteristics of a secure tunnel for the secure transmission of data packets between said transmitting computer device and said receiving computer device via a non secure data path, means for directly or indirectly identifying said transmitting virtual router and said receiving virtual router to be used in transmitting said data packets between said transmitting computer device and said receiving computer device via said secure tunnel by adding data to said security association which identifies said transmitting and receiving virtual routers or at least said virtual network of which they are a part such that said secure tunnel carries only data packets belonging to said virtual network of which said transmitting and receiving virtual routers are a part, and means for using said data in said security association which identifies said transmitting and receiving virtual routers or at least said virtual network of which they are a part to route packets into said secure tunnel which serves to couple said transmitting virtual router to said receiving virtual router and for selecting a security association based upon the identity of the secure tunnel through which data packets arrived at said receiving computer device and using data in said selected security association to route packets received at said receiving computer device via the secure tunnel defined by said selected security association to said receiving virtual router coupled to the virtual network served by said secure tunnel.

14. An apparatus for selecting the proper secure tunnel across a non secure network to use in transmitting data packets from a transmitting virtual router forming part of a virtual network which is one of a plurality of virtual networks at a transmitting location to a receiving virtual router which forms part of a virtual network at a receiving location which is intended to carry data traffic at said receiving location which comes from or is to be sent to said virtual network at said transmitting location of which said transmitting virtual router is a part, comprising:
- a transmitting computer device coupled to a physical network at a transmitting location, said network being shared by a plurality of virtual networks, each carrying different traffic, said transmitting computer device for coupling to a non secure network which does not support virtual networks, said non secure network also being coupled to a receiving computer device which implements at a receiving location a plurality of receiving virtual routers each of which is part of a different virtual network at said receiving location, each virtual network at said receiving location for carrying data from or sending data to a corresponding one of said virtual networks at said transmitting location;
  
  a plurality of transmitting virtual routers implemented in said transmitting computer device, each of said plurality of transmitting virtual routers coupled to one of said plurality of virtual networks at said transmitting location which share said physical network coupled to said transmitting computer device, means for establishing a security association establishing the characteristics of a secure tunnel across said non secure network for the secure transmission of data packets from one of said virtual networks at said transmitting location to a corresponding one of said virtual networks at said receiving location, said secure tunnel coupling a transmitting virtual router at said transmitting location to a receiving virtual router at said receiving location, and for adding additional data to said security association that directly or indirectly identifies said transmitting virtual router and/or said virtual network to which said transmitting virtual router is coupled, and means for controlling said transmitting computer device to use the identity of the transmitting virtual router from which data is received for transmission to a destination device on a virtual network at said receiving location to route packets into the proper secure tunnel which couples said transmitting virtual router to a receiving virtual router which is coupled to said virtual network at said receiving location which is coupled to said destination device.

15. An apparatus for securely receiving data packets from a transmitting virtual router on a virtual network at a transmitting location and transmitted over a non secure data path that does not support virtual networks via a secure tunnel and routing said packets to a receiving virtual router on a virtual network at a receiving location that corresponds to said virtual network from which said data packets originated, comprising:
- a receiving computer device for coupling to said non secure network which does not support virtual networks and coupled to a physical network;
  
  a plurality of virtual routers implemented in said receiving computer device, each of said plurality of virtual routers coupled to a different one or a plurality of virtual networks at the location of said receiving computer device, each of said virtual networks at the location of said receiving computer device sharing said physical network to which said receiving computer device is coupled, at least one of said virtual networks at the location of said receiving computer device being coupled to a receiving virtual router and hereafter called the receiving virtual network, said receiving virtual network corresponding to and for carrying data of a virtual network hereafter called a transmitting virtual network which is one of a plurality of virtual networks at the location of a transmitting computer device, said data being transmitted from said transmitting virtual network by a transmitting virtual router coupled thereto, means for negotiating a security association establishing the characteristics of secure tunnel for the secure transmission of data packets from said transmitting virtual router to said receiving virtual router via said non secure network, said security association resulting in a set of selectors to be used for said secure transmission, means for adding to said security association one or more additional selectors to directly or indirectly identify the virtual network and/or said receiving virtual router to which said data passing through said secure tunnel is to be routed by said receiving computer device, and means for determining through which secure tunnel data arriving at said receiving computer device passed and looking up the security association that defines said secure tunnel and using said one or more additional selectors added to said security association to route packets to said receiving virtual router so that they can be routed onto said receiving virtual network.

16. An article of manufacture comprising:
- a computer usable medium having computer readable code segments embodied thereon for implementing routing across a non secure network which does not support virtual networks, the computer readable program code segments comprising;
  
  a first computer readable program code segment for controlling a transmitting computer device at a transmitting location to implement a first plurality of virtual routers including at least one transmitting virtual router which is part of a transmitting virtual network which is one of a plurality of virtual networks at said transmitting location, each said virtual network including at least one of said first plurality of virtual routers;
  
  a second computer readable program code segment for controlling a receiving computer device to implement a plurality of virtual routers including a receiving virtual router which is part of a receiving virtual network which is one of a plurality of virtual networks at said receiving location;
  
  a third computer readable program code segment for controlling said transmitting and receiving computer devices to negotiate one or more security associations, each said security association defining a secure tunnel data path to link a virtual network at said transmitting location to a virtual network at said receiving location through a non secure network which does not support virtual networks, at least one said security association being negotiated to implement a secure tunnel data path to couple said receiving virtual network to said transmitting virtual network, said third computer readable program code segment for adding additional selector data to each said security association so negotiated that directly or indirectly identifies the virtual networks and/or virtual routers which are linked by each said secure tunnel data path;
  
  a fourth computer readable program code segment for controlling said transmitting computer device to receive data packets from said transmitting virtual router for transmission across said non secure data network and to use the identification of said transmitting virtual router to determine the security association to use in processing said data packet, and for transmitting said data packet via a secure tunnel data path which was established by said security association; and
  
  a fifth computer readable program code segment for controlling said receiving computer device to receive data packets transmitted across said non secure data path via one or more of said secure tunnel data paths and to route each said data packets to the appropriate receiving virtual router by selecting a security association for each said data packets on the basis of the secure tunnel data path through which said data packet travelled and to use said additional selector data which was added to the selected security association to identify the appropriate receiving virtual router to which to route the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Inside Secure SA
Original Assignee
SSH Communications Security Ltd. (SSH Communications Security Oyj)
Inventors
Ylonen, Tatu, Kivinen, Tero
Primary Examiner(s)
Rinehart, Mark H.
Assistant Examiner(s)
Vaughn, Jr., William C

Application Number

US09/151,744
Publication Number

US 20020062344A1
Time in Patent Office

1,439 Days
Field of Search

709/204, 709/223, 709/200, 709/224, 709/249, 709/238, 709/229, 709/225, 709/232, 713/200, 713/201, 713/160, 713/162, 713/161, 713/150, 713/153, 370/392, 370/397, 380/23, 707/9, 707/10
US Class Current

709/249
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

Method and arrangement for secure tunneling of data between virtual routers

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

428 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and arrangement for secure tunneling of data between virtual routers

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

428 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links