Domain isolation through virtual network machines

US 6,609,153 B1
Filed: 12/24/1998
Issued: 08/19/2003
Est. Priority Date: 12/24/1998
Status: Expired due to Term

First Claim

Patent Images

1. A computer implemented method comprising:

routing Internet Protocol (IP) packets within a first Internet Service Provider'"'"'s (ISP'"'"'s) domain from a single network device with a first database, the first database including addresses of the first ISP'"'"'s domain; and

routing IP packets within a second ISPs domain from the single network device with a second database, the second database being separate from the first database and including addresses of the second ISP'"'"'s domain.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method in which Internet Protocol (IP) packets are routed within a first Internet Service Provider'"'"'s (ISP'"'"'s) domain from a single network device with a first database. The first database includes addresses of the first ISP. IP packets are also routed within a second ISP'"'"'s domain from single network device with a second database. The second database, which is separate from the first database, includes addresses of the second ISP.

Citations

81 Claims

1. A computer implemented method comprising:
- routing Internet Protocol (IP) packets within a first Internet Service Provider'"'"'s (ISP'"'"'s) domain from a single network device with a first database, the first database including addresses of the first ISP'"'"'s domain; and
  
  routing IP packets within a second ISPs domain from the single network device with a second database, the second database being separate from the first database and including addresses of the second ISP'"'"'s domain.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer implemented method of claim 1, wherein the first database also includes control and policy information for the first ISP'"'"'s domain and the second database includes control and policy information for the second ISP'"'"'s domain.
  - 3. The computer implemented method of claim 1 further comprising connecting a subscriber to the first ISP'"'"'s domain with an authentication, authorization and accounting protocol.
  - 4. The computer implemented method of claim 1 further comprising:
5. The computer implemented method of claim 1 further comprising:
- providing the corporation administrative control of the third database, but not the first and second databases;
  
  providing the first ISP administrative control of the first database, but not the second and third databases; and
  
  providing the second ISP administrative control of the second database, but not the first and third databases.
6. The method of claim 1 further comprising routing the packets within the first ISP'"'"'s domain with a global database that includes globally known addresses if the packets cannot be routed within the first ISP'"'"'s domain with the first database.

7. A memory having a set of one or more programs stored thereon to cause a single network device to perform operations comprising:
- maintaining a first database separately from a second database in the single network device, the first database having addresses for a first Internet Service Provider'"'"'s (ISP'"'"'s) domain and the second database having addresses for a second ISP'"'"'s domain;
  
  routing Internet Protocol (IP) packets within the first ISP'"'"'s domain from the single network device with the first database; and
  
  routing IP packets within the second ISP'"'"'s domain from the single network device with the second database.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The memory of claim 7 further comprising providing access to a subscriber to the first ISP'"'"'s domain with an authentication, authorization, and accounting protocol.
  - 9. The computer implemented method of claim 7 further comprising:
10. The computer implemented method of claim 9 further comprising:
- providing the first ISP administrative control of the first database, but not the second or third databases;
  
  providing the second ISP administrative control of the second database, but not the first or third databases; and
  
  providing the corporation administrative control of the third database, but not the first or second databases.
11. The memory of claim 7 wherein the set of one or more programs cause the single network device to perform operations further comprising:
- maintaining a third database separately from the first and second databases, wherein the third database has addresses of a backbone; and
  
  routing IP packets within the first ISP'"'"'s domain with the third database if they cannot be routed with the first database.

12. A single network device comprising:
- an electronic memory having a first database of network addresses of a first network domain that is administered by a first Internet Service Provider (ISP);
  
  a second database of network addresses of a second network domain that is administered by a second ISP, the second database being isolated from the first database; and
  
  a set of one or more processors to execute a set of instructions that cause the single network device to route a first set of packets of the first network domain with the first database and to route a second set of packets of the second network domain with the second database.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The single network device of claim 12 wherein the packets are IP packets.
  - 14. The single network device of claim 12 wherein the packets are layer 2 packets.
  - 15. The single network device of claim 12 wherein the first set of packets are transmitted from a subscriber of the first ISP and the second set of packets are transmitted from a subscriber of the second ISP.
  - 16. The single network device of claim 12 further comprising:
17. The single network device of claim 12 further comprising:
- the electronic memory having a third database of addresses of a network provider that is administered by the network provider, the third database being isolated from the first and second databases; and
  
  the set of processors to execute the set of instructions that further cause the single network device to route the first set of packets with the third database if they cannot be routed with the first database.

18. A method comprising:
- routing packets for a first set of subscribers with a fist virtual router, and routing packets for a second set of subscribers with a second virtual router, the first and second virtual routers being isolated from each other within a single network device, the first set of subscribers subscribing to a first Internet Service Provider (ISP) and the second set of subscribers subscribing to a second ISP;
  
  providing administrative control of the first virtual router, which includes a first network database, used by the first virtual router to route packets, of network device addresses within the first ISP'"'"'s domain and control and policy information for the first ISP'"'"'s domain, to the first ISP; and
  
  providing administrative control of the second virtual router, which includes a second network database, used by the second virtual router to route packets, of network device addresses within the second ISP'"'"'s domain and control and policy information for the second ISP'"'"'s domain, to the second ISP, wherein the first ISP does not have administrative control of the second network database and the second ISP does not have administrative control of the first network database.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method of claim 18 wherein the packets are layer 2 packets.
  - 20. The method of claim 18 wherein providing administrative control of the first virtual router comprises allowing the first ISP to modify the first network address database and the control and policy information governing the first ISP'"'"'s domain.
  - 21. The method of claim 18 further comprising:
22. The method of claim 18 further comprising:
- routing packets for a third set of subscribers with a third virtual router; and
  
  providing administrative control of the third virtual router, which includes a third network database of network device addresses within a corporation'"'"'s domain and control and policy information for the corporation'"'"'s domain, wherein the corporation has administrative control of the third virtual router but not the first and second virtual routers.
23. The method of claim 22 further comprising providing a network provider access to the first, second and third network databases and a global network database, said global network database being in said single network device.
24. The method of claim 18 wherein the packets are layer 3 packet.
25. The method of claim 18 further comprising:
- connecting the first and second set of subscribers to the single network device in accordance with an a authorization, authentication and accosting protocol.

26. An electronic memory encoded with a set of instructions, which when executed on a single network device, cause said single network device to perform operations comprising:
- creating a plurality of collections of processes and mechanisms for implementing router functionality, each of the plurality of collections of processes and mechanisms operating on a different network database including addresses and control and policy information;
  
  separately storing the network database of each of the plurality of collections of processes and mechanisms; and
  
  each of the plurality of collections of processes and mechanisms routing packets within a different administrative domain with its network database and in accordance with its control and policy information.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The electronic memory of claim 26 wherein the packets are layer 2 packets.
  - 28. The electronic memory of claim 26 wherein each of the plurality of collections of processes and mechanisms runs its own IP stack.
  - 29. The electronic memory of claim 26 wherein at least one of the different administrative domains is administered by an Internet Service Provider.
  - 30. The electronic memory of claim 26 wherein at least one of the different administrative domains is administered by a corporation.

31. A single network device comprising:
- plurality of virtual network machines that are individually isolated, each of the plurality of virtual network machines to route packets within a different administrative domain with a network address database for the different administrative domain, and control and policy information for the different administrative domain;
  
  a first port to transmit and receive said packets to and from subscribers; and
  
  a second port to transmit and receive said packets to and from the Internet.
- View Dependent Claims (32, 33, 34)
- - 32. The single network device of claim 31 wherein the plurality of virtual network machines are virtual IP routers.
  - 33. The single network device of claim 31 wherein the different administrative domains include an Internet Service Provider domain and a corporate domain.
  - 34. The single network device of claim 31 further comprising a third port to transmit and receive a second set of packets to and from a corporate network domain.

35. A single network device comprising:
- communication hardware;
  
  a set of one or more processors coupled with the communication hardware; and
  
  an electronic memory coupled with the communication hardware and the set of processors, the electronic memory encoded with a set of instructions to cause the set of processors to, host a first virtual router that includes a first network database of network device addresses within a first Internet Service Provider'"'"'s (ISP'"'"'s) domain and control and policy information for the first ISP'"'"'s domain, and host a second virtual router, isolated from the first virtual router, that includes a second network database of network device addresses within a second ISP'"'"'s domain and control and policy information for the second ISP'"'"'s domain, route packets for a first set of subscribers with the communication hardware and the first virtual router, wherein the first set of subscribers subscribe to the first ISP, route packets for a second set of subscribers with the communication hardware and the second virtual router, wherein the second set of subscribers subscribe to the second ISP, provide the first ISP administrative control of the first virtual router but not the second virtual router, and provide the second ISP administrative control of the second virtual router, but not the first virtual router.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The single network device of claim 35 further comprising the electronic memory to host a global network database.
  - 37. The single network device of claim 35 further comprising:
38. The single network device of claim 35, wherein the set of instructions further cause the set of processors to switch packets for a third set of subscribers with the communication hardware and the first virtual router.
39. The single network device of claim 35 wherein the packets are layer 3 packets.

40. A network comprising:
- a set of one or more networks;
  
  a set of one or more end stations communicating, for a first set of one or more subscribers of a first Internet Service Provider (ISP) and for a second set of one or more subscribers of a second ISP, packets;
  
  a single network access device coupled between the set of networks and the set of end stations, the single network access device having, communication hardware;
  
  an electronic memory coupled with the communication hardware, the electronic memory having stored therein, a first network database, controllable for administration by the first ISP but not the second ISP, including network device addresses and control and policy information for the first ISP, a second network database, controllable for administration by the second ISP but not the first ISP, including network device addresses and control and policy information for the second ISP, wherein the fast network database and the second network database are isolated from each other; and
  
  a set of one or more processors, coupled with the communication hardware and the electronic memory, routing said packets being communicated for the first set of subscribers with the communication hardware and a first virtual router that includes the first network database, and routing said packets being communicated for the second set of subscribers with the communication hardware and a second virtual router that includes the second network database.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The network of claim 40 further comprising the electronic memory having stored therein a global network database.
  - 42. The network of claim 40 fiber comprising:
43. The network of claim 40 further comprising the set of processors switching packets for a third set of one or more subscribers with the communication hardware and the first virtual router.
44. The network of claim 40 wherein the packets are layer 3 packets.

45. An electronic memory encoded with a set of instructions, which when executed on a single network device, cause said single network device to perform operations comprising:
- routing packets for a first set of subscribers with a first virtual router, and routing packets for a second set of subscribers with a second virtual router, the first and second virtual routers being isolated from each other within the single network device, the first set of subscribers subscribing to a first Internet Service Provider (ISP) and the second set of subscribers subscribing to a second ISP;
  
  providing administrative control of the first virtual router, which includes a first network database of network device addresses within the first ISP'"'"'s domain and control and policy information for the first ISP'"'"'s domain, to the first ISP; and
  
  providing administrative control of the second virtual router, which includes a second network database of network device addresses within the second ISP'"'"'s domain and control and policy information for the second ISP'"'"'s domain, to the second ISP, wherein the first ISP does not have administrative control of the second network database and the second ISP does not have administrative control of the first network database.
- View Dependent Claims (46, 47, 48)
- - 46. The electronic memory of claim 45, wherein the operations further comprise:
47. The electronic memory of claim 45 wherein the operations further comprise:
- routing packets for a third set of subscribers with a third virtual router, the third virtual router being isolated from the first and second virtual router within the single network device; and
  
  providing a corporation administrative control of the third virtual router, which includes a third network database of network device addresses of the corporation and control and policy information for the corporation, wherein the corporation has administrative control of the third virtual router but not the first and second virtual routers.
48. The electronic memory of claim 45, wherein the operations further comprise:
- switching packets for a third set of one or more subscribers with the first virtual router.

49. A method in a single network device comprising:
- creating a plurality of collections of processes and mechanisms for implementing router functionality, each of the plurality of collections of processes and mechanisms operating on a different network database including addresses and control and policy information;
  
  separately storing the network database of each of the plurality of collections of processes and mechanisms; and
  
  each of the plurality of collections of processes and mechanisms routing packets within a different administrative domain with its network database and in accordance with its control and policy information.
- View Dependent Claims (50, 51, 52, 53, 54)
- - 50. The computer implemented method of claim 49 wherein at least one of the plurality of collections of processes and mechanisms switching packets within its administrative domain with its network database.
  - 51. The computer implemented method of claim 49 wherein each of the plurality of collections of processes and mechanisms runs its own IP stack.
  - 52. The computer implemented method of claim 49 wherein at least one of the different administrative domains is administered by an Internet Service Provider.
  - 53. The computer implemented method of claim 49 wherein at least one of the different administrative domains is administered by a corporation.
  - 54. The computer implemented method of claim 49 wherein the different network database of each of the plurality of collections of processes and mechanisms includes addressing information, control information, and policy information.

55. A single network device comprising:
- a set of one or more processors; and
  
  an electronic memory coupled with the set of processors, the electronic memory having a set of instructions to cause the set of processors to, create a plurality of collections of processes and mechanisms, each of the plurality of collections of processes and mechanisms to operate on a different network database including control and policy information, and to route packets within a different administrative domain with its network database and in accordance with its control and policy information, and separately store the different network database of each of the plurality of collections of processes and mechanisms.
- View Dependent Claims (56, 57, 58, 59, 60)
- - 56. The single network device of claim 55 further comprising at least one of the collections of processes and mechanisms to switch packets with its network database and in accordance with its control and policy information.
  - 57. The single network device of claim 55 wherein the set of instructions further cause the set of processors to independently run an Internet Protocol stock for each of the plurality of collections of processes and mechanisms.
  - 58. The single network device of claim 55 wherein at least one of the different administrative domains is administered by an Internet Service Provider.
  - 59. The single network device of claim 55 wherein at least one of the different administrative domains is administered by a corporation.
  - 60. The single network device of claim 55 wherein the different network database of each of the plurality of collections of processes and mechanisms is to include addressing information, control information, and policy information.

61. A network comprising:
- a set of one or more networks;
  
  a set of one or more end stations communicating packets with the set of networks; and
  
  a single network device coupled between the set of networks and the set of end stations, the single network device having a plurality of collections of processes and mechanisms, each of the plurality of collections of processes and mechanisms, operating on a different network database including addresses and control and policy information, wherein the network database operated on by each of the collection of processes and mechanisms is stored separately, and routing packets within a different administrative domain with its network database and in accordance with its control and policy information.
- View Dependent Claims (62, 63, 64, 65)
- - 62. The network of claim 61 further comprising at least one of the plurality of collections of processes and mechanisms switching packets with its network database and in accordance with its control and policy information.
  - 63. The network of claim 61 each of the plurality or collections of processes and mechanisms independently running an IP stack.
  - 64. The network of claim 61 wherein at least one of the different administrative domains is administered by an Internet Service Provider.
  - 65. The network of claim 61 wherein at least one of the different administrative domains is administered by a corporation.

66. A network comprising:
- a set or one or more networks;
  
  a set of one or more end stations communicating packets with the set of networks, and a single network device coupled between the set of networks and the set of end stations, the single network device having, a first virtual network machine transmitting certain of said packets for a first subscriber in accordance with a first network database of a first administrative domain, the first database having addressing and policy information of the first administrative domain, and a second virtual network machine, which is isolated from the first virtual network machine, transmitting certain packets for a second subscriber in accordance with a second network database, the second network database having addressing and policy information for a second administrative domain.
- View Dependent Claims (67, 68, 69, 70, 71)
- - 67. The network of claim 66 wherein the first administrative domain is administered by a corporation.
  - 68. The network of claim 66 wherein the first administrative domain is administered by an Internet Service Provider.
  - 69. The network of claim 66 wherein the first administrative domain provides a first service and the second administrative domain provides it second service.
  - 70. The network of claim 66 wherein the addressing information in the first database includes layer 2 addressing information.
  - 71. The network of claim 66 wherein the addressing information in the first database include layer 3 addressing information.

72. A single network device comprising:
- a first set of one or more ports to receive IP packets from a first and second set of one or more subscribers;
  
  a second set of one or more ports to transmit IP packets over a first network domain;
  
  a machine-readable medium having stored therein a set of instructions to cause the single network device to, instantiate a first and second virtual router, which are virtually-independent but share a set of physical resources within the single network device, the first virtual router to route within a second network domain, which is layered upon the first network domain, WP packets from the first set of subscribers using a first network database that includes IP addresses, control and policy information defined for the second network domain, and the second virtual router to route within a third network domain, which is layered upon the first network domain and shares the first network domain'"'"'s physical resources with the second network domain, IP packets from the second set of subscribers using a second network database that includes IP addresses and control and policy information defined for the third network domain, maintain separation between the first and second network databases so as to avoid management of inter-domain policies, wherein avoidance of inter-domain policies eases administrative tasks, provide for independent administration of the first and second network databases, wherein independent administration maintains administrative integrity of the first and second network databases.
- View Dependent Claims (73, 74, 75, 76)
- - 73. The single network device of claim 72 wherein the first set of subscribers are subscribers of a corporate network and the second set of subscribers are subscribers of an Internet service provider.
  - 74. The single network device of claim 72 wherein the first network domain is a layer 3 network domain and the second and third network domains are layer 3 network domains.
  - 75. The single network device of claim 72 further comprising the set of instructions to cause the single network device to tunnel IP packets of the first set of subscribers between separate physical locations of a virtual private network with the first virtual router.
  - 76. The single network device of claim 72 further comprising the set of instructions to cause the single network device to process the first and second set of subscribers in accordance with an authorization, authentication and accounting protocol.

77. A single network device comprising:
- a first set of one or more ports to receive IP packets from subscribers;
  
  a second set of one or more ports to transmit IP packets over a first network domain;
  
  a machine-readable medium having stored therein a set of instructions to cause the single network device to, instantiate different virtual routers for different network domains, which are layered upon the first network domain, using separate unshared inter-domain policy free, independently administrable network databases, wherein each of the separate unshared inter-domain policy free, independently administrable network databases includes IP addresses, control and policy information defined for its one of the different network domains, and route IP packets of different ones of the subscribers using those of the virtual routers for the different ones of the network domains to which those subscribers currently belong.
- View Dependent Claims (78, 79, 80, 81)
- - 78. The single network device of claim 77 wherein the subscribers includes subscribers of a corporate network and subscribers of different Internet service providers.
  - 79. The single network device of claim 77 wherein the first network domain is a layer 3 network domain and the different network domains layered upon the first network domain are layer 3 network domains.
  - 80. The single network device of claim 77 further comprising the set of instructions to cause the single network device to tunnel IP packets of certain of the subscribers between separate physical locations of a virtual private network with the one of the different virtual routers to which the certain of the subscribers belong.
  - 81. The single network device of claim 77 further comprising the set of instructions to cause the single network device to process the subscribers in accordance with an authorization, authentication and accounting protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Original Assignee
Redback Networks Inc. (Telefonaktiebolaget LM Ericsson)
Inventors
Salkewicz, William
Primary Examiner(s)
Powell, Mark R.
Assistant Examiner(s)
VU, THONG H

Application Number

US09/220,413
Time in Patent Office

1,699 Days
Field of Search

709/221, 709/224, 709/238, 709/249, 709/236, 709/223, 713/201, 370/379, 370/121, 370/389, 370/399, 370/395, 370/352, 370/160, 370/54, 370/701, 370/85, 370/401, 370/400, 370/237, 370/258, 370/238, 711/3, 716/8
US Class Current

709/223
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/00   Arrangements for maintenanc...

Domain isolation through virtual network machines

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

81 Claims

Specification

Solutions

Use Cases

Quick Links

Domain isolation through virtual network machines

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

81 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links