System and method to negotiate private network addresses for initiating tunneling associations through private and/or public networks
Abstract
A method for initiating a tunneling association in a data network. The method includes negotiating private addresses, such as private Internet Protocol addresses, for the ends of the tunneling association. The negotiation is performed on a public network, such as the Internet, through a trusted-third-party without revealing the private addresses. The method provides for hiding the identity of the originating and terminating ends of the tunneling association from the other users of the public network. Hiding the identities may prevent interception of media flow between the ends of the tunneling association or eavesdropping on Voice-over-Internet-Protocol calls. The method increases the security of communication on the data network without imposing a computational burden on the devices in the data network.
41 Claims
1. In a data network having a plurality of private networks and public networks, and a plurality of network devices, a method for initiating a tunneling association between an originating end of the tunneling association and a terminating end of the tunneling association, the method comprising the following steps:
receiving a request to initiate the tunneling association on a first network device, wherein the first network device is associated with the originating end of the tunneling association, and wherein the request includes a unique identifier for the terminating end of the tunneling association;
informing a trusted-third-party network device of the request on a public network;
associating a public network address for a second network device with the unique identifier for the terminating end of the tunneling association on the trusted-third-party network device, wherein the second network device is associated with the terminating end of the tunneling association; and
negotiating a first private network address on the first network device and a second private network address on the second network device through the public network, wherein the first private network address is assigned to the originating end of the tunneling association and the second private network address is assigned to the terminating end of the tunneling association.
negotiating the first private network address on the first network device and the second private network address on the second network device through the trusted-third-party network device.
4. The method of claim 1 wherein the negotiating step further comprises:
selecting the first private network address from a first pool of private addresses on the first network device;
communicating the first private network address from the first network device to the second network device through the public network;
selecting the second private network address from a second pool of private addresses on the second network device, wherein the second private network address is a different address than the first private network address; and
communicating the second private network address from the second network device to the first network device through the public network.
5. The method of claim 1 wherein the negotiating step further comprises:
selecting a plurality of private network addresses from a pool of private addresses on the first network device;
communicating the plurality of private network addresses from the first network device to the second network device through the public network;
selecting the first private network address and the second private network address from the plurality of private addresses on the second network device, wherein the second private network address is a different address than the first private network address; and
communicating the first private network address and the second private network address from the second network device to the first network device through the public network.
6. The method of claim 1 wherein the unique identifier for the terminating end of the tunneling association is any of a dial-up number, an electronic mail address, or a domain name.
7. The method of claim 1 wherein the associating step includes associating the public network address with a lower layer of a protocol stack for the second network device.
8. The method of claim 7 wherein the lower layer of the protocol stack for the second network device is an Internet Protocol layer.
9. The method of claim 1 wherein the first private network address and the second private network address are respectively associated with a higher layer of a protocol stack for the first network device and a higher layer of a protocol stack for the second network device.
10. The method of claim 9 wherein the higher layers of the protocol stacks are application layers.
11. The method of claim 9 wherein the first private network address and the second private network address are private Internet Protocol addresses.
12. The method of claim 1 wherein the receiving step includes receiving the request to initiate the tunneling association in a higher layer of a protocol stack for the first network device.
13. The method of claim 12 wherein the higher layer of the protocol stack for the first network device is an application layer.
14. The method of claim 1 wherein the originating end of the tunneling association and the terminating end of the tunneling association is any of a multimedia device or a telephony device.
15. The method of claim 1 wherein the first network device and the second network device is any of an edge router, a cable modem for a data-over-cable system, or a cable modem termination system for a data-over-cable system.
16. In a data network having a plurality of private networks and public networks, and a plurality of network devices, a method for establishing an end of a tunneling association through a first network device, the method comprising the following steps:
receiving a first message on the first network device from an originating end of a tunneling association, wherein the first message includes a first indicator that the first message is associated with a higher layer of a protocol stack for the first network device and a unique identifier for a terminating end of the tunneling association;
assigning a first private network address to the originating end of the tunneling association, wherein the first private network address is associated with the higher layer of the protocol stack for the first network device;
transmitting a second message to a trusted-third-party network device on a public network associated with a lower layer of the protocol stack for the first network device, wherein the second message includes a second indicator that the second message is associated with a higher layer of a protocol stack for the trusted-third-party network device and the unique identifier for the terminating end of the tunneling association;
receiving a third message on the first network device from the public network, wherein the third message includes a third indicator that the third message is associated with the higher layer of the protocol stack for the first network device, a second private network address for the terminating end of the tunneling association, and a public network address for a second network device associated with the terminating end of the tunneling association; and
associating the first private network address with the second private network address in the higher layer of the protocol stack for the first network device.
constructing a payload for the second message in the higher layer of the protocol stack for the first network device; and
directing the lower layer of the protocol stack for the first network device to encapsulate and transmit the second message.
19. The method of claim 16 wherein the lower layer of the protocol stack for the first network device is an Internet Protocol layer and the higher layer of the protocol stack for the first network device is an application layer.
20. The method of claim 16 wherein the originating end of the tunneling association is any of a multimedia device or a telephony device, and the first network device is any of an edge router, a cable modem for a data-over-cable system, or a cable modem termination system for a data-over-cable system.
21. In a data network having a plurality of private networks and public networks, and a plurality of network devices, a method for establishing an end of a tunneling association through a first network device, the method comprising the following steps:
receiving a first message on the first network device from a public network associated with a lower layer of a protocol stack for the first network device, wherein the first message includes a first indicator that the first message is associated with a higher layer of the protocol stack for the first network device, a first private network address for an originating end of the tunneling association, and a public network address for a second network device associated with the originating end of the tunneling association;
assigning a second private network address to a terminating end of the tunneling association, wherein the second private network address is associated with the higher layer of the protocol stack for the first network device and the second private network address is a different address than the first private network address;
transmitting a second message on the public network, wherein the second message includes a second indicator that the second message is associated with a higher layer of a protocol stack for the second network device and the second private network address; and
associating the first private network address with the second private network address in the higher layer of the protocol stack for the first network device.
constructing a payload for the second message in the higher layer of the protocol stack for the first network device; and
directing the lower layer of the protocol stack for the first network device to encapsulate and transmit the second message.
24. The method of claim 21 wherein the lower layer of the protocol stack for the first network device is an Internet Protocol layer and the higher layer of the protocol stack for the first network device is an application layer.
25. The method of claim 21 wherein the terminating end of the tunneling association is any of a multimedia device or a telephony device, and the first network device is any of an edge router, a cable modem for a data-over-cable system, or a cable modem termination system for a data-over-cable system.
26. In a data network having a plurality of private networks and public networks, and a plurality of network devices, a method for mediating a tunneling association through a trusted-third-party network device, the method comprising the following steps:
receiving a first message on the trusted-third-party network device from a first network device on a public network associated with a lower layer of a protocol stack for the trusted-third-party network device, wherein the first network device is associated with an originating end of the tunneling association, and wherein the first message includes a first indicator that the first message is associated with a higher layer of the protocol stack for the trusted-third-party network device, a first private network address for the originating end of the tunneling association, a unique identifier for a terminating end of the tunneling association, and a first public network address for the first network device;
associating a second public network address for a second network device with the unique identifier for the terminating end of the tunneling association on the trusted-third-party network device, wherein the second network device is associated with the terminating end of the tunneling association;
transmitting a second message from the trusted-third-party network device to the second network device on the public network, wherein the second message includes a second indicator that the second message is associated with a higher layer of a protocol stack for the second network device, the first private network address, and the first public network address;
receiving a third message on the trusted-third-party network device from the second network device on the public network, wherein the third message includes a third indicator that the third message is associated with a higher layer of a protocol stack for the trusted-third-party network device and a second private network address for the terminating end of the tunneling association;
associating the first private network address with the second private network address in the higher layer of the protocol stack for the trusted-third-party network device; and
transmitting a fourth message from the trusted-third-party network device to the first network device on the public network, wherein the fourth message includes a fourth indicator that the fourth message is associated with a higher layer of a protocol stack for the first network device, the second private network address, and the second public network address.
constructing a payload for the second message in the higher layer of the protocol stack for the trusted-third-party network device; and
directing the lower layer of the protocol stack for the trusted-third-party network device to encapsulate and transmit the second message.
29. The method of claim 26 wherein the step of transmitting the fourth message further comprises:
constructing a payload for the fourth message in the higher layer of the protocol stack for the trusted-third-party network device; and
directing the lower layer of the protocol stack for the trusted-third-party network device to encapsulate and transmit the fourth message.
30. The method of claim 26 wherein the lower layer of the protocol stack for the trusted-third-party network device is an Internet Protocol layer and the higher layer of the protocol stack for the trusted-third-party network device is an application layer.
31. The method of claim 26 wherein the unique identifier for the terminating end of the tunneling association is any of a dial-up number, an electronic mail address, or a domain name.
32. The method of claim 26 wherein the trusted-third-party network device is an address supplier.
33. In a data network having a plurality of private networks and public networks, and a plurality of network devices, a method for mediating a tunneling association through a trusted-third-party network device, the method comprising the following steps:
receiving a first message on the trusted-third-party network device from a first network device on a public network associated with a lower layer of a protocol stack for the trusted-third-party network device, wherein the first network device is associated with an originating end of the tunneling association, and wherein the first message includes a first indicator that the first message is associated with a higher layer of the protocol stack for the trusted-third-party network device, a unique identifier for a terminating end of the tunneling association, and a first public network address for the first network device;
associating a second public network address for a second network device with the unique identifier for the terminating end of the tunneling association on the trusted-third-party network device, wherein the second network device is associated with the terminating end of the tunneling association; and
transmitting a second message from the trusted-third-party network device to the first network device on the public network, wherein the second message includes a second indicator that the second message is associated with a higher layer of a protocol stack for the first network device, and the second public network address.
constructing a payload for the second message in the higher layer of the protocol stack for the trusted-third-party network device; and
directing the lower layer of the protocol stack for the trusted-third-party network device to encapsulate and transmit the second message.
36. The method of claim 33 wherein the lower layer of the protocol stack for the trusted-third-party network device is an Internet Protocol layer and the higher layer of the protocol stack for the trusted-third-party network device is an application layer.
37. The method of claim 33 wherein the unique identifier for the terminating end of the tunneling association is any of a dial-up number, an electronic mail address, or a domain name.
38. The method of claim 33 wherein the trusted-third-party network device is an address supplier.
39. In a data network having a plurality of private networks and public networks, and a plurality of network devices, a method for initiating a Voice-over-Internet-Protocol association between an originating telephony device and a terminating telephony device, the method comprising the following steps:
receiving a request to initiate the Voice-over-Internet-Protocol association on a first network device, wherein the first network device is associated with the originating telephony device, and wherein the request includes a unique identifier for the terminating telephony device;
informing a trusted-third-party network device of the request on a public network;
associating a public Internet Protocol address for a second network device with the unique identifier for the terminating telephony device on the trusted-third-party network device, wherein the second network device is associated with the terminating telephony device; and
negotiating a first private Internet Protocol address on the first network device and a second private Internet Protocol address on the second network device through the public network, wherein the first private Internet Protocol address is assigned to the originating telephony device and the second private Internet Protocol address is assigned to the terminating telephony device.
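The four-message exchange of claim 26, combined with the two address-selection variants of claims 4 and 5 and the distinct-address requirement of claim 21, as an added simulation; it is not part of the patent and not code from any product that practices it. It is written in Python, and every class, field name, identifier and address below is an assumption: the directory keys stand for the identifier kinds claim 6 lists (a dial-up number and a SIP-style e-mail address), and the public and private addresses are constructed documentation ranges. The point a practitioner should take from claim 26 is visible in the code: the trusted third party receives the first private address in message 1 and the second in message 3, so while the abstract hides the private addresses from other users of the public network, the address supplier itself holds the full private-to-private mapping and is a trust anchor for the tunnel, not just a directory.

```python
"""Trusted-third-party negotiation of private tunnel addresses (claims 1, 4, 5 and 26).
Constructed example: names, message fields, directory and addresses are all assumptions."""
from dataclasses import dataclass, field
import ipaddress

APP = "application"   # the "indicator" marking a payload for the higher layer


@dataclass
class Message:
    indicator: str    # which layer of the receiving stack handles the payload
    payload: dict


@dataclass
class EdgeDevice:
    """Edge router or cable modem at one end of the tunnel (claim 15)."""
    name: str
    public_ip: str
    private_pool: list                              # claims 4 and 5
    bindings: dict = field(default_factory=dict)    # local private -> peer private

    def free_addresses(self, exclude=()):
        return [a for a in self.private_pool
                if a not in exclude and a not in self.bindings]

    def bind(self, local, peer):
        """Associate the two private addresses (last step of claims 16 and 21)."""
        if local == peer:
            raise ValueError("the two tunnel ends must not share a private address")
        for a in (local, peer):
            if not ipaddress.ip_address(a).is_private:
                raise ValueError(f"{a} is not a private address")
        self.bindings[local] = peer


class AddressSupplier:
    """The trusted third party (an "address supplier", claim 32): maps a unique
    identifier (dial-up number, e-mail address, domain name; claim 6) to a public IP."""
    def __init__(self, directory, devices):
        self.directory = directory    # unique identifier -> public IP
        self.devices = devices        # public IP -> EdgeDevice, standing in for the network
        self.associations = []        # (private1, private2) pairs it has mediated

    def resolve(self, unique_id):
        if unique_id not in self.directory:
            raise LookupError(f"no device registered for {unique_id!r}")
        return self.directory[unique_id]


def terminating_side(second, msg2):
    """Terminating device handles message 2 (claim 21) and answers with message 3."""
    assert msg2.indicator == APP
    offered = msg2.payload["private_candidates"]
    if len(offered) == 1:
        # claim 4: originator chose from its pool; pick a different one from ours
        private1 = offered[0]
        free = second.free_addresses(exclude=offered)
        if not free:
            raise RuntimeError(f"{second.name}: private address pool exhausted")
        private2 = free[0]
    else:
        # claim 5: originator offered several; this side chooses both addresses
        private1, private2 = offered[0], offered[1]
    second.bind(private2, private1)
    return Message(APP, {"private1": private1, "private2": private2})


def initiate_tunnel(first, ttp, target_id, offer=1):
    """Originating device plus mediator (claims 16 and 26). offer = number of
    candidate addresses put forward: 1 follows claim 4, more follow claim 5.
    Returns the negotiated (private1, private2) pair."""
    candidates = first.free_addresses()[:offer]
    if len(candidates) < offer:
        raise RuntimeError(f"{first.name}: private address pool exhausted")
    # message 1: originator -> TTP over the public network
    msg1 = Message(APP, {"private_candidates": candidates,
                         "target": target_id, "public1": first.public_ip})
    # TTP associates the identifier with the terminating device's public address
    public2 = ttp.resolve(msg1.payload["target"])
    second = ttp.devices[public2]
    # message 2: TTP -> terminating device (the TTP has now seen private1)
    msg2 = Message(APP, {"private_candidates": msg1.payload["private_candidates"],
                         "public1": msg1.payload["public1"]})
    msg3 = terminating_side(second, msg2)
    private1, private2 = msg3.payload["private1"], msg3.payload["private2"]
    ttp.associations.append((private1, private2))   # the TTP learns both ends
    # message 4: TTP -> originating device carries private2 and public2
    msg4 = Message(APP, {"private2": private2, "public2": public2})
    first.bind(private1, msg4.payload["private2"])
    return private1, private2


def demo():
    """Constructed topology: two edge devices whose private pools overlap on 10.0.0.2."""
    home = EdgeDevice("home-cm", "198.51.100.10", ["10.0.0.2", "10.0.0.3", "10.0.0.4"])
    office = EdgeDevice("office-er", "203.0.113.5", ["10.0.0.2", "192.168.1.20"])
    ttp = AddressSupplier({"sip:bob@example.net": "203.0.113.5",
                           "+1-555-0100": "198.51.100.10"},
                          {d.public_ip: d for d in (home, office)})
    return home, office, ttp
```

With `home, office, ttp = demo()`, `initiate_tunnel(home, ttp, "sip:bob@example.net")` follows claim 4: both pools contain 10.0.0.2, so the terminating device must answer with 192.168.1.20 and `bind` rejects any attempt to pair an address with itself. Passing `offer=2` follows claim 5 instead, with the terminating device choosing both addresses from the originator's offer. An unknown identifier fails at `resolve` before any private address leaves the originator, and an exhausted pool on either side raises rather than silently reusing an address.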