Virtual private network management system

US 6,931,016 B1
Filed: 10/13/1999
Issued: 08/16/2005
Est. Priority Date: 10/13/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method of managing a virtual private network, the method comprising:

receiving a request for a given network device to join a given virtual private network having a set of network devices, the request being received from the given network device, the request having a given network device identifier that identifies the given network device;

retrieving, from a network device memory set, a set of network device identifiers that identify all network devices in the set of network devices;

forwarding a notify message to each network device in the set of network devices, the notify message including the given network device identifier;

forwarding a join message to the given network device, the join message including the set of network device identifiers;

establishing an encrypted communication tunnel between the given network device and at least one of the set of network devices; and

storing, in the network device memory set, the given network device identifier.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method of managing a virtual private network having a set of network devices maintains a network device memory set for storing a set of network device identifiers that identifies each of the set of network device. More particularly, a request to join the virtual private network is received from a given network device having a given network device identifier that identifies the given network device. The set of network device identifiers then is retrieved from the network device memory set to identify all network devices in the set of network devices. A notify message then is forwarded to each of the set of network devices, and a join message is forwarded to the given network device. The notify message includes the given network device identifier, while the join message includes the set of network device identifiers. The given network device identifier then is stored in the network device memory set.

Citations

54 Claims

1. A method of managing a virtual private network, the method comprising:
- receiving a request for a given network device to join a given virtual private network having a set of network devices, the request being received from the given network device, the request having a given network device identifier that identifies the given network device;
  
  retrieving, from a network device memory set, a set of network device identifiers that identify all network devices in the set of network devices;
  
  forwarding a notify message to each network device in the set of network devices, the notify message including the given network device identifier;
  
  forwarding a join message to the given network device, the join message including the set of network device identifiers;
  
  establishing an encrypted communication tunnel between the given network device and at least one of the set of network devices; and
  
  storing, in the network device memory set, the given network device identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as defined by claim 1 wherein establishing the encrypted communication tunnel further comprises, in response to receipt of the notify message, at least one of the set of network devices communicating with the given network device to establish the communication tunnel with the given network device.
  - 3. The method as defined by claim 1 wherein establishing the encrypted communication tunnel further comprises, in response to receipt of the join message, the given network device communicating with at least one of the network devices in the set of network devices to establish the communication tunnel with the at least one of the set of network devices.
  - 4. The method as defined by claim 1 wherein the request includes a network identifier identifying the given virtual private network.
  - 5. The method as defined by claim 1 wherein the total number of network devices in the set of network devices equals zero, the network device memory set being a database that is established for the given virtual private network in response to receipt of the request.
  - 6. The method as defined by claim 1 wherein the request is received from a packet based network.
  - 7. The method as defined by claim 1 further comprising:
    - authenticating the request to confirm the identify of the given network device.
  - 8. The method as defined by claim 1 wherein each network identifier is an Internet Protocol address.
  - 9. The method as defined by claim 1 further comprising:
    - receiving a remove message from a remove network device;
      
      retrieving all network device identifiers from the network device memory set; and
      
      forwarding a first message to all network devices identified by retrieved network device identifiers, each first message including a remove identifier identifying the remove network device.
  - 10. The method as defined by claim 9 wherein the response to receipt of the first message, at least one of the network devices in the set of network devices disconnects a communication tunnel between the at least one network device and the remove network device.
  - 11. The method as defined by claim 9 further comprising:
    - forwarding a second message to the remove network device, the second message including the retrieved network device identifiers.
  - 12. The method as defined by claim 1 wherein the join message and notify message include data identifying the given virtual private network.
  - 13. The method as defined by claim 1 further comprising:
    - generating the notify message and the join message.

14. An apparatus for managing a virtual private network, the apparatus comprising:
- an input that receives a request for a given network device to join a given virtual private network having a set of network devices, the request being received from the given network device, the request having a given network device identifier that identifies the given network device;
  
  data storage for storing a set of network device identifiers that identify all network devices in the set of network devices;
  
  a message generator that generates a notify message and a join message, the notify message including the given network device identifier, the join message including the set of network device identifiers;
  
  a request parser that parses the request to determine the given network device identifier for storage in the data storage;
  
  a tunnel establishment component that establishes an encrypted communication tunnel between the given network device and at least one of the set of network devices; and
  
  an output that forwards one copy of the notify message to each network device in the set of network devices, the output also forwarding the join message to the given network device.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The apparatus as defined by claim 14 wherein in response to receipt of the notify message, at least one of the set of network devices communicates with the given network device to establish the communication tunnel with the given network device.
  - 16. The apparatus as defined by claim 14 wherein the response to receipt of the join message, the given network device communicates with at least one of the network devices in the set of network devices to establish the communication tunnel with the at least one of the set of network devices.
  - 17. The apparatus as defined by claim 14 wherein the request includes a network identifier identifying the given virtual private network.
  - 18. The apparatus as defined by claim 14 wherein the total number of network devices in the set of network devices equals zero, the data storage including a database that is generated for the given virtual private network in response to receipt of the request.
  - 19. The apparatus as defined by claim 14 wherein the request is received from a packet based network.
  - 20. The apparatus as defined by claim 14 further comprising:
    - an authentication module operatively coupled with the input, the authentication module authenticating the request to confirm the identity of the given network device.
  - 21. The apparatus as defined by claim 14 wherein each network identifier is an Internet Protocol address.
  - 22. The apparatus as defined by claim 14 wherein the input receives a remove message from a remove network device, the remove network device being one of the set of network devices, the apparatus further comprising:
    - retrieval logic that retrieves all network device identifiers from the network device memory set; and
      
      a removal message generator operatively coupled with the retrieval logic, the removal message generator generating a first message having a remove identifier identifying the remove network device, the output forwarding the first message to all network devices identified by retrieved network device identifiers.
  - 23. The apparatus as defined by claim 22 wherein in response to receipt of the first message, at least one of the network devices in the set of network devices disconnects a communication tunnel between the at least one network device and the remove network device.
  - 24. The method as defined by claim 22 wherein the remove message generator generates a second remove message that is forwarded to the remove network device, the second remove message including the retrieved network device identifiers.
  - 25. The method as defined by claim 14 wherein the join message and notify message include data identifying the given virtual private network.

26. A computer program product for use on a computer system for managing a virtual private network, the computer program product comprising a computer usable medium having computer readable program code thereon, a computer readable program code including:
- program code for receiving a request for a given network device to join a given virtual private network having a set of network devices, the request being received from the given network device, the request having a given network device identifier that identifies the given network device;
  
  program code for retrieving, from a network device memory set, a set of network device identifiers that identify all network devices in the set of network devices;
  
  program code for retrieving, from a network device memory set, a set of network device identifiers that identify all network devices in the set of network devices;
  
  program code for forwarding a notify message to each network device in the set of network devices, the notify message including the given network device identifier;
  
  program code for forwarding a join message to the given network device, the join message including the set of network device identifiers;
  
  program code for establishing an encrypted communication tunnel between the given network device and at least one of the set of network devices; and
  
  program code for storing, in the network device memory set, the given network device identifier.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 27. The computer program product as defined by claim 26 wherein in response to receipt of the notify message, at least one of the set of network devices communicates with the given network device to establish the communication tunnel with the given network device.
  - 28. The computer program product as defined by claim 26 wherein in response to receipt of the join message, the given network device communicates with at least one of the network devices in the set of network devices to establish the communication tunnel with the at least one of the set of network devices.
  - 29. The computer program product as defined by claim 26 wherein the request includes a network identifier identifying the given virtual private network.
  - 30. The computer program product as defined by claim 26 wherein the total number of network devices in the set of network devices equals zero, the network device memory set being a database that is established for the given virtual private network in response to receipt of the request.
  - 31. The computer program product as defined by claim 26 wherein the request is received from a packet based network.
  - 32. The computer program product as defined by claim 26 further comprising:
    - program code for authenticating the request to confirm the identity of the given network device.
  - 33. The computer program product as defined by claim 26 wherein each network identifier is an Internet Protocol address.
  - 34. The computer program product as defined by claim 26 further comprising:
    - program code for receiving a remove message from a remove network device;
      
      program code for retrieving all network device identifiers from the network device memory set;
      
      program code for generating a first message having a remove identifier identifying a remove network device; and
      
      program code for forwarding the first message to all network devices identified by retrieved network device identifiers.
  - 35. The computer program product as defined in claim 34 wherein in response to receipt of the first message, at least one of the network devices in the set of network devices disconnects a communication tunnel between at least one network device and remove network device.
  - 36. The computer program produce as defined by claim 34 further comprising:
    - program code for generating a second message having the retrieved network device identifiers; and
      
      program code for forwarding the second message to the remove network device.
  - 37. The computer program as defined by claim 26 wherein the join message and notify message include data identifying the given virtual private network.
  - 38. The computer program product as defined by claim 26 further comprising:
    - program code for generating the notify message; and
      
      program code for generating the join message.

39. A method of managing a virtual private network having a set of member network devices, each member network device being identified by a device identifier, the method comprising:
- maintaining a storage device having the device identifier of each member of the set of network devices, the storage device being updated as network devices are added to and removed from the virtual private network;
  
  receiving a request for a given network device to join the virtual private network, the request being received from the given network device, the request having a given network device identifier that identifies the given network device and data identifying the virtual private network;
  
  generating a notify message having the given network device identifier;
  
  generating a join message having the device identifiers in the storage device;
  
  forwarding the notify message to each of the set of network device;
  
  establishing an encrypted communication tunnel between the given network device and at least one of the set of network devices; and
  
  forwarding the join message to the given network device.
- View Dependent Claims (40, 41, 42, 43, 44, 45)
- - 40. The method as defined in claim 39 wherein in response to receipt of the notify message, at least one of the set of network devices communicates with the given network device to establish the communication tunnel with the given network device.
  - 41. The method as defined by claim 39 wherein in response to receipt of the join message, the given network device communicates with at least one of the member network devices to establish the communication tunnel with the at least one member network device.
  - 42. The method as defined by claim 39 further comprising:
    - authenticating the request to confirm the identity of the given network device.
  - 43. The method as defined by claim 39 further comprising:
    - receiving a remove message from a remove network device;
      
      retrieving all device identifiers from the storage device; and
      
      forwarding a first message to all network devices identified by retrieved device identifiers, each first message including a remove identifier identifying the remove network device.
  - 44. The method as defined by claim 43 wherein in response to receipt of the first message, at least one of the member network devices disconnects a communication tunnel between the at least one member network device and the remove network device.
  - 45. The method as defined by claim 43 further comprising:
    - forwarding a second message to the remove network device, the second message including the retrieved device identifiers.

46. A computer program product for use on a computer system for managing a virtual private network having a set of member network devices, each member network device being identified by a device identifier, the computer program product comprising a computer usable medium having computer readable program code thereon, the computer readable program code including:
- program code for maintaining a storage device having the device identifier of each member of the set of network devices, the storage device being updated as network devices are added to and removed from the virtual private network;
  
  program code for receiving a request for a given network device to join the virtual private network, the request being received from the given network device, the request having a given network device identifier that identifies the given network device and data identifying the virtual private network;
  
  program code for forwarding the notify message to each of the set of network devices;
  
  program code for establishing an encrypted communication tunnel between the given network device and at least one of the set of network devices; and
  
  program code for forwarding the join message to the given network device.
- View Dependent Claims (47, 48, 49, 50, 51, 52)
- - 47. The computer program product as defined by claim 46 wherein in response to receipt of the notify message, at least one of the set of network devices communicates with the given network device to establish the communication tunnel with the given network device.
  - 48. The computer program product as defined by claim 46 wherein in response to receipt of the join message, the given network device communicates with at least one of the member network devices to establish the communication tunnel with the at least one member network device.
  - 49. The computer program as defined by claim 46 further comprising:
    - program code for authenticating the request to confirm the identity of the given network device.
  - 50. The computer program product as defined by claim 46 further comprising:
    - program code for receiving a remove message from a remove network device;
      
      program code for retrieving all device identifiers from the storage device; and
      
      program code for forwarding a first message to all network devices identified by retrieved device identifiers, each first message including a remove identifier identifying the remove network device.
  - 51. The computer program product as defined by claim 50 wherein in response to receipt of the first message, at least one of the member network devices disconnects a communication tunnel between the at least one member network device and the remove network device.
  - 52. The computer program product as defined by claim 50 further comprising:
    - program code for forwarding a second message to the remove network device, the second message including the retrieved device identifiers.

53. A method of managing a virtual private network, the method comprising:
- a given network device transmitting a request for the given network device to join the virtual private network having a set of network devices, the request having a given network device identifier that identifies the given network device;
  
  retrieving, from a network device memory set, a set of network device identifiers that identify all network devices in the set of network devices;
  
  forwarding a notify message to each network device in the set of network devices, the notify message including the given network device identifier;
  
  forwarding a join message to the given network device, the join message including the set of network device identifiers;
  
  establishing an encrypted communication tunnel between the given network device and at least one of the set of network devices; and
  
  storing, in the network device memory set, the given network device identifier.
- View Dependent Claims (54)
- - 54. The method as defined by claim 53 further comprising:
    - receiving the notify message;
      
      retrieving the given network device identifier from the received notify message; and
      
      establishing the communication tunnel to the given network device after the given network device identifier is retrieved.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Madsen, Tove, Wiget, Marcel, Andersson, Loa
Primary Examiner(s)
Pham, Chi
Assistant Examiner(s)
George, Keith M.

Application Number

US09/417,864
Time in Patent Office

2,134 Days
Field of Search

370/352, 370/260, 370/261, 370/262, 370/401, 709/203, 709/204, 709/205, 709/227
US Class Current

370/401
CPC Class Codes

H04L 12/4679   Arrangements for the regist...

H04L 41/28   Restricting access to netwo...

H04L 41/40   using virtualisation of net...

H04L 63/0272   Virtual private networks

Virtual private network management system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual private network management system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links