Virtual private network with multiple tunnels associated with one group name

US 6,823,462 B1
Filed: 09/07/2000
Issued: 11/23/2004
Est. Priority Date: 09/07/2000
Status: Active Grant

First Claim

Patent Images

1. A method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name comprising the steps of:

configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;

configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;

establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy; and

associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, network system and computer program product for establishing a server node in a virtual private network with a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name. In one embodiment, a method comprises the step of configuring a group database in the server node. The group database in the server node comprises the group name and a list of members associated with the group name. The method further comprises configuring a rules database in the server node. The rules database associates the group name with a particular security policy. The method further comprises configuring a tunnel definition database in the server node. In the tunnel definition database, the remote ID is defined as the group name. In another embodiment of the present invention, the list of members associated with the group name comprises a non-contiguous list of ID types. In another embodiment of the present invention, the members associated with the group name are identified by any specified name.

117 Citations

66 Claims

1. A method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name comprising the steps of:
- configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
  
  configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
  
  establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy; and
  
  associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as recited in claim 1 further comprising the step of:
3. The method as recited in claim 1, wherein said list of members associated with said group name comprise an ID type and an ID of each member associated with said group name.
4. The method as recited in claim 3, wherein said ID type is an Internet Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list of IKE defined ID types.
5. The method as recited in claim 3, wherein said ID is a login ID.
6. The method as recited in claim 3, wherein said ID is a specified name.
7. The method as recited in claim 2, wherein configuring said tunnel definition database in said server node comprises establishing said server node and said client node as the two end points of said tunnel.
8. The method as recited in claim 7, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a GUI.
9. The method as recited in claim 7, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a command line interface.
10. The method as recited in claim 1, wherein said group database in said server node comprises said group name and an ID type of each member of said group name and an ID of each member of said group name.
11. The method as recited in claim 10, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a GUI.
12. The method as recited in claim 10, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a command line interface.
13. The method as recited in claim 10, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through configuration files.
14. The method as recited in claim 1, wherein said rules database in said server node comprises said group name, a group name ID type and a security policy pointer.
15. The method as recited in claim 14, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a GUI.
16. The method as recited in claim 14, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a command line interface.

17. A method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name comprising the steps of:
- configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
  
  configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
  
  establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy;
  
  associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group; and
  
  activating said tunnel, wherein activating said tunnel comprises the steps of;
  
  sending a security policy stored in a policy database of said client node by said client node to said server node;
  
  sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;
  
  sending a first nonce by said client node to said server node;
  
  sending a second nonce by said server node to said client node;
  
  sending a first ID by said client node to said server node; and
  
  sending a second ID by said server node to said client node.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method as recited in claim 17, wherein said first and second nonce are used to generate key material for said server and client node, respectively.
  - 19. The method as recited in claim 17, wherein said policy database in said client and server node are configured by entering said security policy through a GUI at said client and server node.
  - 20. The method as recited in claim 17, wherein said policy database in said client and server node are configured by entering said security policy through a command line interface at said client and server node.
  - 21. The method as recited in claim 17, wherein said first ID is an ID of said particular member of said group name.

22. A method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a soup name comprising the steps of:
- configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
  
  configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
  
  establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy;
  
  associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group; and
  
  activating said tunnel, wherein activating tunnel comprises the steps of;
  
  sending a security policy stored in a policy database of said client node by said client node to said server node;
  
  sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;
  
  sending a first nonce by said client node to said server node;
  
  sending a second nonce by said server node to said client node;
  
  sending a first ID by said client node to said server node; and
  
  sending a second ID by said server node to said client node.

23. A virtual private network system comprising:
- a plurality of tunnels associated with a group name, wherein each of said plurality of tunnels associated with said group name comprises a plurality of nodes, wherein each of said plurality of nodes comprises a communication adapter to interconnect with said virtual private network, wherein one of said plurality of nodes is a server node, wherein one of said plurality of nodes is a client node, wherein said server node comprises;
  
  a group database, wherein said group database comprises said group name and a list of members associated with said group name; and
  
  a rules database, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single copy of a security policy for each of the plurality of tunnels associated with said group name.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 24. The virtual private network system as recited in claim 23, wherein said server node further comprises:
    - a tunnel definition database, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name.
  - 25. The virtual private network system as recited in claim 24, wherein a particular tunnel of said plurality of tunnels associated with said group name is activated, wherein said particular tunnel is associated with a particular member of said group name.
  - 26. The virtual private network system as recited in claim 23, wherein said list of members associated with said group name comprise an ID type and an ID of each member associated with said group name.
  - 27. The virtual private network system as recited in claim 26, wherein said ID type is an Internet Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list of IKE defined ID types.
  - 28. The virtual private network system as recited in claim 26, wherein said ID is a login ID.
  - 29. The virtual private network system as recited in claim 26, wherein said ID is a specified name.
  - 30. The virtual private network system as recited in claim 24, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a GUI.
  - 31. The virtual private network system as recited in claim 24, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a command line interface.
  - 32. The virtual private network system as recited in claim 23, wherein said group database in said server node comprises said group name and an ID type of each member of said group name and an ID of each member of said group name.
  - 33. The virtual private network system as recited in claim 32, wherein said group database in said server node is configured by a user entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a GUI.
  - 34. The virtual private network system as recited in claim 32, wherein said group database in said server node is configured by a user entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a command line interface.
  - 35. The virtual private network system as recited in claim 32, wherein said group database in said server node is configured by a user entering said group name, said ID type of each member of said group name and said ID of each member of said group name through configuration files.
  - 36. The virtual private network system as recited in claim 23, wherein said rules database in said server node comprises said group name, a group name ID type and a security policy pointer.
  - 37. The virtual private network system as recited in claim 36, wherein said rules database is configured by a user entering said group name, said group name ID type and said security policy pointer through a GUI.
  - 38. The virtual private network system as recited in claim 37, wherein said rules database is configured by a user entering said group name, said group name ID type and said security policy pointer through a command line interface.

39. A virtual private network system comprising:
- a plurality of tunnels associated with a group name, wherein each of said plurality of tunnels associated with said group name comprises a plurality of nodes, wherein each of said plurality of nodes comprises a communication adapter to interconnect with said virtual private network, wherein one of said plurality of nodes is a server node, wherein one of said plurality of nodes is a client node, wherein said server node comprises;
  
  a group database, wherein said group database comprises said group name and a list of members associated with said group name; and
  
  a rules database, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single copy of a security policy for each of the plurality of tunnels associated with said group name;
  
  wherein the server node further comprises;
  
  a tunnel definition database, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name;
  
  wherein a particular tunnel of said plurality of tunnels associated with said group name is activated, wherein said particular tunnel is associated with a particular member of said group name;
  
  wherein activating said particular tunnel comprises the steps of;
  
  sending a security policy stored in a policy database of said client node by said client node to said server node;
  
  sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;
  
  sending a first nonce by said client node to said server node;
  
  sending a second nonce by said server node to said client node;
  
  sending a first ID by said client node to said server node; and
  
  sending a second ID by said server node to said client node.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The virtual private network system as recited in claim 39, wherein said first and second nonce are used to generate key material for said server and client node, respectively.
  - 41. The virtual private network system as recited in claim 39, wherein said policy database in said client and server node are configured by entering said security policy through a GUI at said client and server node.
  - 42. The virtual private network system as recited in claim 39, wherein said policy database in said client and server node are configured by entering said security policy through a command line interface at said client and server node.
  - 43. The virtual private network system as recited in claim 39, wherein said first ID is an ID of said particular member of said group name.

44. A virtual private network system comprising:
- a plurality of tunnels associated with a group name, wherein each of said plurality of tunnels associated with said group name comprises a plurality of nodes, wherein each of said plurality of nodes comprises a communication adapter to interconnect with said virtual private network, wherein one of said plurality of nodes is a server node, wherein one of said plurality of nodes is a client node, wherein said server node comprises;
  
  a group database, wherein said group database comprises said group name and a list of members associated with said group name; and
  
  a rules database, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single copy of a security policy for each of the plurality of tunnels associated with said group name;
  
  wherein the server node further comprises;
  
  a tunnel definition database, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name;
  
  wherein a particular tunnel of said plurality of tunnels associated with said group name is activated, wherein said particular tunnel is associated with a particular member of said group name;
  
  wherein activating said particular tunnel comprises the steps of sending a security policy stored in a policy database of said client node by said client node to said server node;
  
  sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;
  
  sending a first nonce by said client node to said server node;
  
  sending a second nonce by said server node to said client node;
  
  sending a first ID by said client node to said server node; and
  
  sending a second ID by said server node to said client node.

45. A computer program product having a computer readable medium having computer program logic recorded thereon for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name, comprising:
- programming operable for configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
  
  programming operable for configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
  
  programming operable for establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy; and
  
  programming operable for associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 46. The computer program product as recited in claim 45 further comprises:
47. The computer program product as recited in claim 45, wherein said list of members associated with said group name comprise an ID type and an ID of each member associated with said group name.
48. The computer program product as recited in claim 47, wherein said ID type is an Internet Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list of IKE defined ID types.
49. The computer program product as recited in claim 47, wherein said ID is a login ID.
50. The computer program product as recited in claim 47, wherein said ID is a specified name.
51. The computer program product as recited in claim 46, wherein configuring said tunnel definition database in said server node comprises:
- programming operable for establishing said server node and said client node as the two end points of said tunnel.
52. The computer program product as recited in claim 51, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a GUI.
53. The computer program product as recited in claim 51, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a command line interface.
54. The computer program product as recited in claim 45, wherein said group database in said server node comprises said group name and an ID type of each member of said group name and an ID of each member of said group name.
55. The computer program product as recited in claim 54, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a GUI.
56. The computer program product as recited in claim 54, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a command line interface.
57. The computer program product as recited in claim 54, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through configuration files.
58. The computer program product as recited in claim 45, wherein said rules database in said server node comprises said group name, a group name ID type and a security policy pointer.
59. The computer program product as recited in claim 58, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a GUI.
60. The computer program product as recited in claim 58, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a command line interface.

61. A computer program product having a computer readable medium having computer program logic recorded thereon for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name, comprising:
- programming operable for configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
  
  programming operable for configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
  
  programming operable for establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy;
  
  programming operable for associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group; and
  
  programming operable for activating said tunnel, wherein said programming operable for activating said tunnel comprises;
  
  programming operable for sending a security policy stored in a policy database of said client node by said client node to said server node;
  
  programming operable for sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;
  
  programming operable for sending a first nonce by said client node to said server node;
  
  programming operable for sending a second nonce by said server node to said client node;
  
  programming operable for sending a first ID by said client node to said server node; and
  
  programming operable for sending a second ID by said server node to said client node.
- View Dependent Claims (62, 63, 64, 65)
- - 62. The computer program product as recited in claim 61, wherein said first and second nonce are used to generate key material for said server and client node, respectively.
  - 63. The computer program product as recited in claim 61, wherein said policy database in said client and server node are configured by entering said security policy through a GUI at said client and server node.
  - 64. The computer program product as recited in claim 61, wherein said policy database in said client and server node are configured by entering said security policy through a command line interface at said client and server node.
  - 65. The computer program product as recited in claim 61, wherein said first ID is an ID of said particular member of said group name.

66. A computer program product having a computer readable medium having computer program logic recorded thereon for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name, comprising:
- programming operable for configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
  
  programming operable for configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
  
  programming operable for establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy;
  
  programming operable for associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group; and
  
  programming operable for activating said tunnel, wherein said programming operable for activating said tunnel comprises;
  
  programming operable for sending a security policy stored in a policy database of said client node by said client node to said server node;
  
  programming operable for sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;
  
  programming operable for sending a first nonce by said client node to said server node;
  
  programming operable for sending a second nonce by said server node to said client node;
  
  programming operable for sending a first ID by said client node to said server node; and
  
  programming operable for sending a second ID by said server node to said client node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Cheng, Pau-Chen, Genty, Denise Marie, Wilson, Jacqueline Hegedus, DʼSa, Ajit Clarence, Feng, Jian Hua
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Baum, Ronald

Application Number

US09/657,122
Time in Patent Office

1,538 Days
Field of Search

713/201, 709/200-229
US Class Current

726/15
CPC Class Codes

H04L 12/4641 Virtual LANs, VLANs, e.g. v...

H04L 63/0272 Virtual private networks

Virtual private network with multiple tunnels associated with one group name

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

117 Citations

66 Claims

Specification

Use Cases

Quick Links

Others

Virtual private network with multiple tunnels associated with one group name

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

66 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others