Automated operation and security system for virtual private networks

US 6,751,729 B1
Filed: 07/22/1999
Issued: 06/15/2004
Est. Priority Date: 07/24/1998
Status: Expired due to Term

First Claim

Patent Images

1. A node device for providing secure communication over a data network to computers coupled through the node device and a plurality of other node devices, comprising:

at least one network communication interface for coupling the node device to the data network;

at least one local communication interface for coupling the node device to a local network of computers;

a tunneling communication service coupled to the at least one network communication interface and configured to establish at least one cryptographically secured communication tunnel with at least one other node device;

automated means for dynamically updating and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel;

a routing database for holding dynamically updated routing data;

a router that uses routing database information obtained from the dynamically updated routing data to identify the at least one cryptographically secured communication tunnel or the at least one local communication interface over which to forward a data packet that has been received from a cryptographic communication tunnel or from a local communication interface; and

at least one cryptographic module for encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A node device for providing secure communication services over a data network, such as the Internet or another public or private packet switched network, to multiple computers that are coupled through the node device and multiple other node devices. The node device includes a network communication interface for coupling the node device to the data network. The node device includes a data storage containing cryptographic information including information that is unique to the node device. The node device also includes a tunneling communication service coupled to the network interface configured to maintaining an encrypted communication tunnel with each of multiple other node devices using the cryptographic information. For example, the encrypted communication tunnels are implemented using the IPsec or PPTP protocols. The node device includes a routing database for holding routing data and a router coupled to the tunneling communication service and to the routing database. The router can pass communication from one communication tunnel to another. A centralized server can be used to control the node devices in a centralized manner, thereby reducing or eliminating on-site administration of node devices.

Citations

28 Claims

1. A node device for providing secure communication over a data network to computers coupled through the node device and a plurality of other node devices, comprising:
- at least one network communication interface for coupling the node device to the data network;
  
  at least one local communication interface for coupling the node device to a local network of computers;
  
  a tunneling communication service coupled to the at least one network communication interface and configured to establish at least one cryptographically secured communication tunnel with at least one other node device;
  
  automated means for dynamically updating and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel;
  
  a routing database for holding dynamically updated routing data;
  
  a router that uses routing database information obtained from the dynamically updated routing data to identify the at least one cryptographically secured communication tunnel or the at least one local communication interface over which to forward a data packet that has been received from a cryptographic communication tunnel or from a local communication interface; and
  
  at least one cryptographic module for encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The node device of claim 1, wherein the automated means employs a dynamic routing protocol that exchanges dynamic routing protocol packets through the at least one cryptographically secured communication tunnel and over the at least one local communication interface.
  - 3. The node device of claim 2, wherein the dynamic routing protocol is an interior routing protocol.
  - 4. The node device of claim 3, wherein the interior routing protocol is OSPFv2.
  - 5. The node device of claim 1, wherein cryptographic operations are applied to Internet Protocol (IP) packets.
  - 6. The node device of claim 5, wherein cryptographic operations and protocols comply with IETF IPSec standards.
  - 7. The node device of claim 1, wherein the cryptographic module is a software module.

8. A node device for providing secure communication over a data network to computers coupled through the node device and a plurality of other node devices, comprising:
- at least one network communication interface for coupling the node device to the data network;
  
  at least one local communication interface for coupling the node device to a local network of computers;
  
  a tunneling communication service coupled to the at least one network communication interface and configured to establish at least one cryptographically secured communication tunnel with at least one other node device;
  
  means for segregating the at least one cryptographically secured communication tunnel and the at least one local communication interface into at least two separate VPNs such that each cryptographically secured communication tunnel and each local communication interface is a member of one of the separate VPNs;
  
  automated means, on a VPN by VPN basis, for dynamically updating, and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel comprising each of the segregated VPNs;
  
  forwarding means for receiving a data packet over a local communication interface belonging to a VPN that uses routing topology information corresponding only to said VPN and obtained from the automated means to identify the at least one cryptographically secured communication tunnel over which to forward the data packet;
  
  forwarding means for receiving a data packet over a cryptographically secured communication tunnel belonging to a VPN that uses routing topology information corresponding only to said VPN and obtained from the automated means to identify the at least one local communication interface over which to forward the data packet; and
  
  at least one cryptographic module for encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The node device of claim 8, wherein the automated means employs a dynamic routing protocol that separately exchanges dynamic routing protocol packets through the at least one cryptographically secured communication tunnels and over the at least one local communication interface comprising each segregated VPN.
  - 10. The node device of claim 9, wherein the routing topology information obtained from dynamic routing protocol packets received over a cryptographically secured communication tunnel or a local communication interface belonging to one of the VPNs is only propagated over other cryptographically secured communication tunnels and other local communication interfaces belonging to the same VPN.
  - 11. The node device of claim 10, wherein data packets received over a cryptographically secured communication tunnel or local communication interface belonging to a particular VPN are forwarded over cryptographically secured communication tunnels or local communication interfaces belonging to the same VPN and not forwarded over the cryptographically secured communication tunnels or local communication interfaces belonging to a different VPN.
  - 12. The node device of claim 9, wherein the dynamic routing protocol is an interior routing protocol.
  - 13. The node device of claim 12, wherein the interior routing protocol is OSPFv2.
  - 14. The node device of claim 13, wherein the cryptographic operations are applied to Internet Protocol (IP) packets.
  - 15. The node device of claim 14, wherein the cryptographic operations and protocols comply with IETF IPSec standards.
  - 16. The node device of claim 8, wherein the cryptographic module is a software module.

17. A method for providing secure communication over a data network to computers coupled through a node device and a plurality of other node devices, comprising:
- coupling the node device to the data network via at least one network communication interface;
  
  coupling the node device to a local network of computers via at least one local communication interface;
  
  establishing at least one cryptographically secured communication tunnel between the node device and at least one other node device;
  
  dynamically updating and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel;
  
  maintaining dynamically updated routing data;
  
  using routing database information obtained from the dynamically updated routing data to identify the at least one cryptographically secured communication tunnel or the at least one local communication interface over which to forward a data packet that has been received from a cryptographic communication tunnel or from a local communication interface; and
  
  encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein dynamically updating and adapting to changes in the routing topology includes using a dynamic routing protocol that exchanges dynamic routing protocol packets through the at least one cryptographically secured communication tunnel and over the at least one local communication interface.
  - 19. The method of claim 18, wherein the dynamic routing protocol is an interior routing protocol.
  - 20. The method of claim 17, wherein cryptographic operations are applied to Internet Protocol (IP) packets.

21. A method for providing secure communication over a data network to computers coupled through a node device and a plurality of other node devices, comprising:
- coupling the node device to the data network via at least one network communication interface;
  
  coupling the node device to a local network of computers via at least one local communication interface;
  
  establishing at least one cryptographically secured communication tunnel with at least one other node device;
  
  segregating the at least one cryptographically secured communication tunnel and the at least one local communication interface into at least two separate VPNs such that each cryptographically secured communication tunnel and each local communication interface is a member of one of the separate VPNs;
  
  dynamic updating and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel comprising each of the segregated VPNs, on a segregated VPN by VPN basis;
  
  receiving a data packet over a local communication interface belonging to a VPN that uses routing topology information corresponding only to said VPN and identifying the at least one cryptographically secured communication tunnel over which to forward the data packet;
  
  receiving a data packet over a cryptographically secured communication tunnel belonging to a VPN that uses routing topology information corresponding only to said VPN and identifying the at least one local communication interface over which to forward the data packet; and
  
  encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method of claim 21, wherein dynamically updating and adapting to changes in the routing topology includes using a dynamic routing protocol that separately exchanges dynamic routing protocol packets through the at least one cryptographically secured communication tunnel and over the at least one local communication interface comprising each segregated VPN.
  - 23. The method of claim 22, wherein the routing topology information obtained from dynamic routing protocol packets received over a cryptographically secured communication tunnel or a local communication interface belonging to one of the VPNs is only propagated over other cryptographically secured communication tunnels and other local communication interfaces belonging to the same VPN.
  - 24. The method of claim 23, wherein data packets received over a cryptographically secured communication tunnel or local communication interface belonging to a particular VPN are forwarded over cryptographically secured communication tunnels or local communication interfaces belonging to the same VPN and not forwarded over the cryptographically secured communication tunnels or local communication interfaces belonging to a different VPN.
  - 25. The method of claim 21, wherein the dynamic routing protocol is an interior routing protocol.
  - 26. The method of claim 25, wherein the interior routing protocol is OSPFv2.
  - 27. The method of claim 26, wherein cryptographic operations are applied to Internet Protocol (IP) packets.
  - 28. The method of claim 27, wherein the cryptographic operations and protocols comply with IETF IPSec standards.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assured Digital, Inc., RPX Corporation
Original Assignee
Spatial Adventures, Inc
Inventors
Giniger, Michael L., Hilton, Warren S.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Seal, James

Application Number

US09/359,570
Time in Patent Office

1,790 Days
Field of Search

713/153, 713/163, 713/201
US Class Current

713/153
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/0823 using certificates cryptogr...

Automated operation and security system for virtual private networks

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Automated operation and security system for virtual private networks

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links