System and method for using virtual local area network tags with a virtual private network

US 7,062,566 B2
Filed: 10/24/2002
Issued: 06/13/2006
Est. Priority Date: 10/24/2002
Status: Expired due to Term

First Claim

Patent Images

1. A network access system comprising:

a home agent in communication with a user device via a user session;

an initiating security gateway in communication with the home agent; and

a terminating security gateway in communication with the initiating security gateway via a tunnel,wherein a virtual local area network tag associated with the user session maps to a selector operable in a security policy database associated with an Internet Protocol Security protocol, and wherein the selector maps to a security policy stored within the security policy database.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An exemplary system and method for using a network access system, such as a virtual private network (VPN), are provided. A user device may have a user session with a home agent. Additionally, an initiating security gateway may be in communication with the home agent, and a terminating security gateway may be in communication with the initiating security gateway via a tunnel (e.g., Internet Protocol in Internet Protocol (IP-in-IP) or Internet Protocol security (IPsec) tunnel). Further, a virtual local area network (VLAN) tag associated with the user session may map to a selector operable in a security policy database. The selector may be used to find a security policy defining an IPsec procedure, and the security policy may be applied to the tunnel. Also, the initiating security gateway may also include a Quality of Service (QoS) module that determines QoS markings for a packet traveling along the tunnel.

174 Citations

32 Claims

1. A network access system comprising:
- a home agent in communication with a user device via a user session;
  
  an initiating security gateway in communication with the home agent; and
  
  a terminating security gateway in communication with the initiating security gateway via a tunnel,wherein a virtual local area network tag associated with the user session maps to a selector operable in a security policy database associated with an Internet Protocol Security protocol, and wherein the selector maps to a security policy stored within the security policy database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The network access system of claim 1 further comprising an access server that authenticates the user device and provides the virtual local area network tag to the home agent.
  - 3. The network access system of claim 1, wherein the security policy defines an Internet Protocol security procedure.
  - 4. The network access system of claim 3, wherein the selector maps to the Internet Protocol security procedure, and the Internet Protocol security procedure is applied to the tunnel.
  - 5. The network access system of claim 1, wherein the initiating security gateway further comprises a Quality of Service module that determines a Quality of Service marking for a packet that is sent along the tunnel.
  - 6. The network access system of claim 1, wherein at least a portion of the network access system is a virtual private network.
  - 7. The network access system of claim 1, wherein the user session passes between the user device and the home agent via a foreign agent.
  - 8. The network access system of claim 1, wherein the terminating security gateway is part of a local area network.
  - 9. The network access system of claim 1, wherein the selector includes at least one of an address and domain name associated with the network access system.
  - 10. The network access system of claim 1, wherein the tunnel comprises at least one of an Internet Protocol security tunnel and an Internet Protocol in Internet Protocol tunnel.

11. A method for transmitting a packet via an initiating security gateway, the method comprising the steps of:
- receiving a packet including a virtual local area network tag associated with a user session;
  
  mapping the virtual local area network tag to a selector;
  
  mapping the selector to a security policy stored within a security policy database associated with an Internet Protocol Security protocol;
  
  performing an Internet Protocol security procedure based on the security policy; and
  
  transmitting the packet to a terminating security gateway across a tunnel.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11 further comprising marking the packet with a Quality of Service marking.
  - 13. The method of claim 11, wherein performing an Internet Protocol security procedure comprises adding at least one of an authentication header and encapsulated security payload to the packet.
  - 14. The method of claim 11, wherein performing an Internet Protocol security procedure comprises creating an Internet Protocol security tunnel.
  - 15. The method of claim 11, wherein the selector is an address of the terminating security gateway.
  - 16. The method of claim 15 further comprising creating an Internet Protocol in Internet Protocol tunnel utilizing the address of the terminating security gateway as a destination address.
  - 17. The method of claim 11, wherein the selector is a domain name associated with the terminating security gateway.
  - 18. The method of claim 11 further comprising performing a reverse Internet Protocol security procedure at the terminating gateway to obtain data stored within the packet.
  - 19. The method of claim 11 further comprising a computer readable medium having stored therein instructions for causing a processor to execute the steps of the method of claim 11.

20. A network system comprising:
- a home agent in communication with a user device via a user session;
  
  an access server that authenticates the user device and provides a virtual local area network tag for the user session to the home agent;
  
  an initiating security gateway that receives a packet including the virtual local area network tag from the home agent, wherein the initiating security gateway includes a selector table mapping the virtual local area network tag to a selector;
  
  a security policy database that is associated with a Internet Protocol Security protocol, wherein the security policy database maps the selector to at least one security policy defining an Internet Protocol security procedure, wherein the Internet Protocol security procedure is applied to the packet; and
  
  a receiving network including a terminating security gateway that receives the packet from the initiating security gateway via a tunnel.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The network system of claim 20, wherein the initiating security gateway further comprises a Quality of Service module that determines a Quality of Service marking for the packet.
  - 22. The network system of claim 20, wherein the initiating security gateway further comprises an Internet Protocol security module for creating at least one of an authentication header and encapsulating security payload for the packet.
  - 23. The network system of claim 20, wherein the access server stores a user profile for the user device that maps the virtual local area network tag to a network domain.
  - 24. The network system of claim 20, wherein the user device receives the virtual local area network tag from the access server and stores the information in a mobility binding record.
  - 25. The network system of claim 20, wherein the initiating security gateway receives and recognizes Ethernet frames that have virtual local area network tags.
  - 26. The network system of claim 20, wherein the tunnel comprises at least one of an Internet Protocol in Internet Protocol tunnel and an Internet Protocol security tunnel.
  - 27. The network system of claim 20, wherein at least a portion of the network system is a virtual private network.

28. An initiating security gateway comprising:
- a selector module including a filtering mechanism for identifying a virtual local area network tag associated with a user session within a packet and a selector table for mapping the virtual local area network tag to a selector;
  
  a security policy database associated with an Internet Protocol Security protocol for mapping the selector to an Internet Protocol security policy; and
  
  an Internet Protocol Security module for applying the Internet Protocol security policy to the packet while sending the packet to a terminating security gateway.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The initiating security gateway of claim 28 further comprising a Quality of Service module that includes a Quality of Service table, wherein at least one of the virtual local area network tag and the selector maps to a Quality of Service marking within the Quality of Service table.
  - 30. The initiating security gateway of claim 29, wherein the Quality of Service module marks the packet with the Quality of Service marking before sending the packet to the terminating security gateway.
  - 31. The initiating security gateway of claim 28, wherein the Internet Protocol security module creates an Internet Protocol security tunnel for sending the packet to the terminating security gateway.
  - 32. The initiating security gateway of claim 28, wherein the Internet Protocol security module adds at least one of an authentication header and an encapsulated security payload to the packet before sending the packet to the terminating security gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Warrier, Chandra, Amara, Satish, Kung, Ching
Primary Examiner(s)
Follansbee, John
Assistant Examiner(s)
LEE, PHILIP C

Application Number

US10/279,364
Publication Number

US 20040083295A1
Time in Patent Office

1,328 Days
Field of Search

709/229, 709/236, 707/9, 707/10, 713/201, 713/202, 370/395.21
US Class Current

709/229
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4645   Details on frame tagging ro...

H04L 2463/102   applying security measure f...

H04L 63/0272   Virtual private networks

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04W 28/24   Negotiating SLA [Service Le...

H04W 8/04   Registration at HLR or HSS ...

H04W 80/04   Network layer protocols, e....

System and method for using virtual local area network tags with a virtual private network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using virtual local area network tags with a virtual private network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links