Method and apparatus for processing communications in a virtual private network

US 6,701,437 B1
Filed: 11/09/1998
Issued: 03/02/2004
Est. Priority Date: 04/17/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of operating a virtual private network unit to facilitate secure communications between virtual private network members over a public network, comprising:

coupling the virtual private network unit to a first local network via a first data channel;

coupling the virtual private network unit to a first public network via the first data channel;

maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the first local network;

receiving a first data packet over the first data channel from a first member of the virtual private network in the first local network, wherein the first data packet is addressed to a second member of the virtual private network with a first address from the set of addresses;

replacing the first address with a remote address corresponding to the second member;

transforming the first data packet in accordance with pre-determined rules for transforming data packets sent between members of the virtual private network; and

forwarding the transformed first data packet over the first data channel to the public network for delivery to the remote address.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a computer system for processing communications in a virtual private network. The computer system operates in a selective mode, in which only communications transiting the virtual private network are processed according to specified virtual private network parameters, such as encryption, compression and authentication algorithms. Virtual private network communications passing between a public network and a private network are thus received and processed according to the algorithms, while other communications bypass the computer system. Multiple private networks may be served by a single computer system.

344 Citations

33 Claims

1. A method of operating a virtual private network unit to facilitate secure communications between virtual private network members over a public network, comprising:
- coupling the virtual private network unit to a first local network via a first data channel;
  
  coupling the virtual private network unit to a first public network via the first data channel;
  
  maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the first local network;
  
  receiving a first data packet over the first data channel from a first member of the virtual private network in the first local network, wherein the first data packet is addressed to a second member of the virtual private network with a first address from the set of addresses;
  
  replacing the first address with a remote address corresponding to the second member;
  
  transforming the first data packet in accordance with pre-determined rules for transforming data packets sent between members of the virtual private network; and
  
  forwarding the transformed first data packet over the first data channel to the public network for delivery to the remote address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
3. The method of claim 2, wherein processing the secure data packet comprises:
- disassembling the secure data packet; and
  
  recovering a second data packet.
4. The method of claim 3, wherein processing the secure data packet further comprises decrypting the second data packet.
5. The method of claim 2, wherein processing the secure data packet comprises translating the secure data packet from a tunnel mode.
6. The method of claim 1, wherein transforming the first data packet comprises encapsulating the first data packet within a secure data packet.
7. The method of claim 6, wherein transforming the first data packet further comprises encrypting the first data packet.
8. The method of claim 6, wherein encapsulating the first data packet comprises:
- coupling a source address to the first data packet, the source address corresponding to the virtual private network unit; and
  
  coupling a destination address to the first data packet, the destination address corresponding to a second virtual private network unit.
9. The method of claim 1, wherein transforming the first data packet comprises translating the first data packet into a tunnel mode.
10. The method of claim 1, further comprising:
- coupling the virtual private network unit to a second local network via a second data channel;
  
  receiving a second data packet from a third member of the virtual private network in the second local network over the second data channel, wherein the second data packet is addressed to a fourth member of the virtual private network;
  
  transforming the second data packet in accordance with said pre-determined rules for transforming data packets sent between members of the virtual private network; and
  
  transmitting the transformed second data packet toward the fourth member of the virtual private network;
  
  wherein the first and second data channels comprise separate and distinct signal conductors.
11. The method of claim 10, wherein transmitting the transformed second data packet comprises forwarding the transformed second data packet to the public network over the first data channel.
12. The method of claim 10, further comprising coupling the virtual private network unit to a second public network via the second data channel, wherein transmitting the transformed second data packet comprises forwarding the transformed second data packet to the second public network via the second data channel.
13. The method of claim 12, wherein the first public network comprises the second public network.
14. The method of claim 1, further comprising:
- operating the virtual private network unit in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network.

15. An apparatus for facilitating secure communications between members of a virtual private network, comprising:
- a first communication port coupled to a first local network and a public network;
  
  a first storage area containing a first series of instructions for transforming a communication packet received from the public network;
  
  a processor for processing a received communication packet according to said first series of executable instructions; and
  
  a set of local addresses not assigned to virtual private network members coupled to said first local network;
  
  wherein a first communication packet directed from a remote member of the virtual private network to a first member of the virtual private network in said first local network is received at the apparatus with a remote source address corresponding to the remote member; and
  
  wherein the remote source address is replaced with a local address from the set of local addresses before the first communication packet is forwarded to said first local network.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The apparatus of claim 15, further comprising:
17. The apparatus of claim 16, wherein said processor is configured in accordance with said second series of instructions to modify an address portion of said second communication packet and to encrypt a data portion of said second communication packet.
18. The apparatus of claim 16, wherein said processor is configured in accordance with said second series of instructions to translate said second communication packet into a tunnel mode.
19. The apparatus of claim 15, wherein said processor is configured in accordance with said first series of instructions to modify an address portion of said first communication packet and to decrypt a data portion of said first communication packet.
20. The apparatus of claim 15, wherein said processor is configured in accordance with said first series of instructions to translate said first communication packet from a tunnel mode.
21. The apparatus of claim 15, further comprising:
- a second communication port coupled to a second local network;
  
  wherein a second communication packet received through said second communication port from said second local network is processed in accordance with a second series of instructions.
22. The apparatus of claim 21, wherein said second communication port is further coupled to a second public network.
23. The apparatus of claim 22, wherein said second communication packet is forwarded through said second communication port to said second public network.
24. The apparatus of claim 23, wherein said first public network comprises said second public network.
25. The apparatus of claim 15, wherein the apparatus is operable in a selective mode in which the apparatus only receives communications from members of the virtual private network.

26. A method of operating a virtual private network unit in a virtual private network to selectively process communications across a public network between members of the virtual private network, comprising:
- operating the virtual private network unit in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network;
  
  receiving a virtual private network communication at the virtual private network unit, wherein the communication comprises a source address corresponding to a remote client and a destination address corresponding to a member of the virtual private network connected to a local network;
  
  maintaining a set of local addresses not assigned to virtual private network members connected to the local network;
  
  processing the communication to replace the source address with a local address from the set of local addresses; and
  
  forwarding the communication to the local network for delivery to the virtual private network member;
  
  wherein the virtual private network unit is coupled to the public network and the local network through a single communication port.
- View Dependent Claims (27)
- - 27. The method of claim 26, further comprising:

28. A method of operating a virtual private network unit within a virtual private network to facilitate the exchange of secure communications across a public network, comprising:
- coupling the virtual private network unit to a first local network via a first data channel;
  
  coupling the virtual private network unit to the public network via the first data channel;
  
  maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the local network;
  
  receiving a first communication over the first data channel, the first communication being directed between a local member of the virtual private network within the first local network and a remote member of the virtual private network;
  
  if the first communication is directed from the remote member to the local member, in the communication, replacing a remote address corresponding to the remote member with a first address from the set of addresses;
  
  if the first communication is directed from the local member to the remote member, in the communication, replacing a first address from the set of addresses with a remote address corresponding to the remote member; and
  
  forwarding the communication over the first data channel.
- View Dependent Claims (29)
- - 29. The method of claim 28, further comprising:

30. A communication system for facilitating secure communications over a public network between members of a virtual private network, comprising:
- a local network comprising a first member of the virtual private network;
  
  a virtual private network unit operating in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network;
  
  a pool of addresses in the local network that are not assigned to members of the virtual private network residing in the local network;
  
  a first communication link coupling the local network and the public network; and
  
  a second communication link coupling the virtual private network unit to the first communication link;
  
  wherein a communication directed between the first member of the virtual private network and a second member of the virtual private network is received by the virtual private network unit over the second communication link with a first address from the pool of addresses, modified in accordance with a pre-determined series of rules, and forwarded by the virtual private network unit over the second communication link; and
  
  wherein the virtual private network unit replaces the first address from the pool of addresses with a remote address corresponding to the second member.

31. A computer readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of operating a virtual private network unit in a virtual private network to selectively process communications across a public network between members of the virtual private network, the method comprising:
- operating the virtual private network unit in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network;
  
  receiving a virtual private network communication at the virtual private network unit, wherein the communication comprises a source address corresponding to a remote client and a destination address corresponding to a member of the virtual private network connected to a local network;
  
  maintaining a set of local addresses not assigned to virtual private network members connected to the local network;
  
  processing the communication to replace the source address with a local address from the set of local addresses; and
  
  forwarding the communication to the local network for delivery to the virtual private network member;
  
  wherein the virtual private network unit is coupled to the public network and the local network through a single communication port.

32. A computer readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of operating a virtual private network unit to facilitate secure communications between virtual private network members over a public network, the method comprising:
- coupling the virtual private network unit to a first local network via a first data channel;
  
  coupling the virtual private network unit to a first public network via the first data channel;
  
  maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the first local network;
  
  receiving a first data packet over the first data channel from a first member of the virtual private network in the first local network, wherein the first data packet is addressed to a second member of the virtual private network with a first address from the set of addresses;
  
  replacing the first address with a remote address corresponding to the second member;
  
  forwarding the first data packet over the first data channel to the public network.

33. A computer readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of operating a virtual private network unit within a virtual private network to facilitate the exchange of secure communications across a public network, the method comprising:
- coupling the virtual private network unit to a first local network via a first data channel;
  
  coupling the virtual private network unit to the public network via the first data channel;
  
  maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the local network;
  
  receiving a first communication over the first data channel, the first communication being directed between a local member of the virtual private network within the first local network and a remote member of the virtual private network;
  
  if the first communication is directed from the remote member to the local member, in the communication, replacing a remote address corresponding to the remote member with a first address from the set of addresses;
  
  if the first communication is directed from the local member to the remote member, in the communication, replacing a first address from the set of addresses with a remote address corresponding to the remote member; and
  
  forwarding the communication over the first data channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
VPNet Technologies, Inc. (Avaya Incorporated)
Inventors
Arrow, Leslie J., Hoke, Mark R.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US09/188,867
Time in Patent Office

1,940 Days
Field of Search

713/201, 713/200, 713/162, 713/153, 713/154, 370/351, 709/220, 709/227, 709/228, 709/230, 709/232, 709/238, 709/245, 709/249
US Class Current

726/15
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 61/2514   between local and global IP...

H04L 61/2557   Translation policies or rules

H04L 63/0272   Virtual private networks

Method and apparatus for processing communications in a virtual private network

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

344 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for processing communications in a virtual private network

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

344 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links