Selective encryption of application session packets
7 Assignments
0 Petitions
Abstract
Apparatus and methods are provided for multiplexing and selectively encrypting application flows, such as VoIP services, over a pre-allocated bandwidth reservation protocol session. According to one embodiment, a pre-allocated reservation protocol session, such as an RSVP session, is shared by one or more individual application sessions. The reservation protocol session is pre-allocated over a path between a first network device associated with a first user community and a second network device associated with a second user community based upon an estimated usage of the path for individual application sessions between users of the first and second user communities. Subsequently, the one or more individual application sessions are dynamically aggregated by multiplexing application flows associated with the one or more individual application sessions onto the pre-allocated reservation protocol session at the first network device and demultiplexing at the second network device. Additionally, various levels of security may be selectively applied to the application sessions by performing encryption at the first network device and decryption at the second network device.
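The abstract, and claims 18 and 20 below, describe an edge device that admits sessions against a bandwidth pool reserved in advance, tags and multiplexes their packets onto one aggregated reservation session, and encrypts only the flows selected as secure. The Python model that follows is added here to make that behaviour concrete; it is not code from the patent or from any product built on it. Everything in it is constructed for illustration: the 11-byte tag layout (session id, flags, per-session counter), the 256 kbps pool, the 64 kbps per-call figure, the shared key, and the HMAC-SHA256 counter-mode keystream, which stands in for whatever cipher a deployment would use (the page names none). It also goes slightly beyond the page in two places, both on the receiving side: replayed packets are dropped, and cleartext is refused on a flow that was admitted as secure.

```python
import hashlib
import hmac
import struct

# Tag on every multiplexed packet (constructed layout): 16-bit session id, 8-bit flags, 64-bit counter.
HEADER_FMT = "!HBQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)
FLAG_ENCRYPTED = 0x01
MAC_LEN = 16


class Session:
    def __init__(self, bandwidth_kbps, secure):
        self.bandwidth_kbps = bandwidth_kbps
        self.secure = secure        # selective encryption: only flows marked secure are encrypted
        self.send_counter = 0
        self.highest_seen = -1      # highest verified counter received, used to reject replays


def _keystream(key, session_id, counter, length):
    """Toy counter-mode keystream from HMAC-SHA256: a constructed stand-in for a real cipher."""
    blocks = (hmac.new(key, struct.pack("!HQI", session_id, counter, i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _mac(key, data):
    return hmac.new(key, b"mac" + data, hashlib.sha256).digest()[:MAC_LEN]


class MediaAggregationManager:
    """Edge device model: resource manager, admission control, (de)multiplexor and (de)cryptor."""
    def __init__(self, pool_kbps, key):
        self.pool_kbps = pool_kbps  # size of the pre-allocated reservation (the bandwidth pool)
        self.used_kbps = 0
        self.key = key              # assumed pre-shared with the peer manager
        self.sessions = {}

    def available_kbps(self):
        return self.pool_kbps - self.used_kbps

    def admit(self, session_id, bandwidth_kbps, secure):
        """Admission control: admit the session only if the pool still has room; True if admitted."""
        if bandwidth_kbps > self.available_kbps():
            return False
        self.sessions[session_id] = Session(bandwidth_kbps, secure)
        self.used_kbps += bandwidth_kbps
        return True

    def release(self, session_id):
        """Session termination returns its share to the pool."""
        self.used_kbps -= self.sessions.pop(session_id).bandwidth_kbps

    def multiplex(self, session_id, payload):
        """Tag a local endpoint's media packet; encrypt-then-MAC it if the flow is secure."""
        s = self.sessions[session_id]
        counter, s.send_counter = s.send_counter, s.send_counter + 1
        if not s.secure:
            return struct.pack(HEADER_FMT, session_id, 0, counter) + payload
        header = struct.pack(HEADER_FMT, session_id, FLAG_ENCRYPTED, counter)
        ks = _keystream(self.key, session_id, counter, len(payload))
        ciphertext = bytes(a ^ b for a, b in zip(payload, ks))
        return header + ciphertext + _mac(self.key, header + ciphertext)

    def demultiplex(self, wire):
        """Strip the tag and decrypt; return (session_id, payload), or None when dropped."""
        if len(wire) < HEADER_LEN:
            return None
        header, body = wire[:HEADER_LEN], wire[HEADER_LEN:]
        session_id, flags, counter = struct.unpack(HEADER_FMT, header)
        s = self.sessions.get(session_id)
        if s is None:
            return None                    # not an admitted session: drop
        if not flags & FLAG_ENCRYPTED:
            return None if s.secure else (session_id, body)  # refuse cleartext on a secure flow
        ciphertext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, header + ciphertext)):
            return None                    # forged or corrupted: drop
        if counter <= s.highest_seen:
            return None                    # replayed: drop
        s.highest_seen = counter
        ks = _keystream(self.key, session_id, counter, len(ciphertext))
        return session_id, bytes(a ^ b for a, b in zip(ciphertext, ks))


def demo():
    """Two sites share a constructed 256 kbps pool: admit two flows, refuse a third, round-trip packets."""
    key = b"constructed-demo-key-not-for-real-use"
    site_a, site_b = MediaAggregationManager(256, key), MediaAggregationManager(256, key)
    for mgr in (site_a, site_b):           # the signaling proxy installs sessions at both edges
        mgr.admit(1, 64, secure=True)      # flow selected for encryption
        mgr.admit(2, 64, secure=False)     # ordinary flow, multiplexed in the clear
    third_admitted = site_a.admit(3, 200, secure=False)   # exceeds the remaining 128 kbps
    secure_wire = site_a.multiplex(1, b"RTP voice frame #1")
    clear_wire = site_a.multiplex(2, b"RTP voice frame #2")
    return {"free_kbps": site_a.available_kbps(), "third_admitted": third_admitted,
            "secure_hidden": b"voice" not in secure_wire, "clear_visible": b"voice" in clear_wire,
            "delivered": [site_b.demultiplex(secure_wire), site_b.demultiplex(clear_wire)]}
```

demo() returns a dictionary a reader can inspect: 128 kbps remain after two 64 kbps admissions, the 200 kbps request is refused, the secure packet is opaque on the wire while the cleartext one is not, and both arrive intact at the peer with their tags removed. The receive side verifies the MAC before using the counter, so a corrupted or forged packet is dropped without touching replay state, and the cleartext path is closed for any session the admission step marked secure.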
75 Citations
24 Claims
1. A method comprising:
providing a first media aggregation manager at an edge of a first local area network on which a first set of terminals of a first user community of an enterprise reside, the first set of terminals running a first set of local applications on behalf of which the first media aggregation manager is configured to act as a signaling and control proxy;
providing a second media aggregation manager at an edge of a second local area network on which a second set of terminals of a second user community of the enterprise reside, the second set of terminals running a second set of local applications on behalf of which the second media aggregation manager is configured to act as a signaling and control proxy;
reserving a predetermined portion of available bandwidth as a real-time bandwidth pool over a path through an enterprise network between the first media aggregation manager and the second media aggregation manager for real-time communication sessions between the first set of local applications and the second set of local applications;
sharing the real-time bandwidth pool among a plurality of real-time communication sessions by selectively admitting application sessions based upon currently available resources in the real-time bandwidth pool; and
securely communicating between the first user community and the second user community by selectively encrypting information associated with the plurality of real-time communication sessions.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A method comprising:
establishing an aggregated reservation protocol session over a path between a first edge device and a second edge device based upon an estimate of a number of individual application sessions needed for the path during a predetermined window of time; and
securely communicating and sharing the aggregated reservation protocol session among a plurality of individual application sessions by tagging packets associated with corresponding application flows and selectively encrypting application flows for transmission between the first edge device and the second edge device, the tagged packets being multiplexed onto the aggregated reservation protocol session by the first edge device or the second edge device and demultiplexed by the other, including removal of the tags from the media packets.

11. A method comprising:
establishing a Resource Reservation Protocol (RSVP) session between a first network device and a second network device that are part of an Internet Protocol (IP) network;
receiving, at the first network device from a first local terminal, a request to initiate a first real-time communication session with a first remote terminal associated with the second network device;
allocating a portion of pre-allocated resources associated with the RSVP session to the first real-time communication session between the first local terminal and the first remote terminal;
receiving, at the first network device from a second local terminal, a request to initiate a second real-time communication session with a second remote terminal associated with the second network device;
allocating a portion of the pre-allocated resources associated with the RSVP session to the second real-time communication session between the second local terminal and the second remote terminal; and
securely communicating over the RSVP session and sharing the RSVP session between the first real-time communication session and the second real-time communication session by encrypting and multiplexing voice packets associated with the first and second real-time communication sessions onto the RSVP session.
Dependent claims: 12, 13, 14, 15.

16. A method comprising:
establishing a Resource Reservation Protocol (RSVP) session between a first network device and a second network device that are part of an Internet Protocol (IP) network;
the first network device presenting itself as a recipient of a first call originated by a first local terminal associated with the first network device by providing its logical channel information to the first local terminal rather than providing logical channel information associated with the intended recipient of the first call;
the first network device presenting itself as a recipient of a second call originated by a second local terminal associated with the first network device by providing its logical channel information to the second local terminal rather than providing logical channel information associated with the intended recipient of the second call; and
the first network device selectively and securely transmitting voice packets from the first local terminal to an intended recipient of the first call and from the second local terminal to the intended recipient of the second call by encrypting and multiplexing the voice packets onto the RSVP session.
Dependent claims: 17.

18. A media aggregation manager comprising:
a resource manager to establish a reservation protocol session with one or more other media aggregation managers prior to establishment of any application sessions that share resources associated with the reservation protocol and to subsequently allocate and deallocate the resources in response to anticipated use of application session establishment requests and application session termination requests, respectively;
an admission control manager coupled to the resource manager, the admission control manager to provide admission control for application flows based upon availability of the resources as indicated by the resource manager;
a media multiplexor coupled to the admission control manager, the media multiplexor to tag media packets received from local application/endpoints that are associated with admitted application flows and to transmit the tagged media packets over the reservation protocol session;
a media demultiplexor to forward media packets received from remote application/endpoints to the local application/endpoints based upon tags appended by a media multiplexor of the one or more other media aggregation managers;
a media encryptor coupled to the media multiplexor to selectively encrypt media packets received from local application/endpoints that are associated with secure application flows; and
a media decryptor coupled to the media demultiplexor to decrypt encrypted media packets received from the remote application/endpoints.

19. A network device comprising:
a storage device having stored therein one or more routines for establishing and managing an aggregated reservation protocol session;
a processor coupled to the storage device for executing the one or more routines to pre-allocate the aggregated reservation protocol session and thereafter share the aggregated reservation session among a plurality of individual application sessions, wherein:
the aggregated reservation protocol session is pre-allocated based upon an estimate of the bandwidth requirements to accommodate the plurality of individual application sessions;
the plurality of individual application sessions are established between a plurality of local application/endpoints and a plurality of remote application/endpoints;
the aggregated reservation protocol session is securely shared by selectively encrypting and multiplexing outbound media packets originated by a local application/endpoint of the plurality of local application/endpoints onto the aggregated reservation protocol session, and decrypting and demultiplexing inbound media packets originated by a remote application/endpoint of the plurality of remote application/endpoints from the aggregated reservation protocol session.

20. A system for secure real-time communications comprising:
a first edge device coupled to a first plurality of terminals, the first edge device including a resource manager to reserve a predetermined portion of available bandwidth by establishing a reservation protocol session with one or more other media aggregation managers prior to establishment of any application sessions that share resources associated with the reservation protocol; an admission control manager to provide admission control for real-time communication application sessions based upon remaining resources associated with a real-time bandwidth pool; a tunneling control manager that specifies an encryption program and a tunneling protocol; and a media encryptor to selectively encrypt information associated with secure application flows based on said encryption program specified by said tunneling control manager; and
a second edge device coupled to a second plurality of terminals, the second edge device including a decryptor to decrypt information associated with secure application flows for use by the appropriate terminal of the second plurality of terminals.

21. A machine-readable medium having stored thereon data representing instructions which, when executed by a processor, cause the processor to:
provide a first media aggregation manager at an edge of a first local area network on which a first set of terminals of a first user community of an enterprise reside, the first set of terminals running a first set of local applications on behalf of which the first media aggregation manager is configured to act as a signaling and control proxy;
provide a second media aggregation manager at an edge of a second local area network on which a second set of terminals of a second user community of the enterprise reside, the second set of terminals running a second set of local applications on behalf of which the second media aggregation manager is configured to act as a signaling and control proxy;
reserve a predetermined portion of available bandwidth as a real-time bandwidth pool over a path through an enterprise network between the first media aggregation manager and the second media aggregation manager for real-time communication sessions between the first set of local applications and the second set of local applications;
share the real-time bandwidth pool among a plurality of real-time communication sessions by selectively admitting application sessions based upon currently available resources in the real-time bandwidth pool; and
securely communicate between the first user community and the second user community by selectively encrypting information associated with the plurality of real-time communication sessions.
Dependent claims: 22, 23, 24.