Automated establishment of addressability of a network device for a target network environment

US 7,313,819 B2
Filed: 09/20/2001
Issued: 12/25/2007
Est. Priority Date: 07/20/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

detecting, by a boot time process of a network device in a factory default configuration, the presence of a removable external storage device on a local internal communications bus connector containing therein addressability data that allows the network device to communicate and be addressable within a network environment in which it will be functioning, the addressability data including an IP address of a remote device configuration server;

after detecting the presence of the storage device, receiving at the network device the addressability data by using a protocol associated with the storage device to transport the addressability data from the storage device to the network device;

establishing addressability of the network device, by the boot time process, to enable it to communicate with and be addressed by other nodes in the network environment by configuring one or more address parameters of the network device based upon the addressability data; and

receiving configuration data from the remote device configuration server, the configuration data including an IP address of a peer VPN device with which the network device may establish a tunnel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are provided for remote, automated, and secure network device provisioning over a pre-existing communications network. According to one embodiment, automated establishment of addressability of a network device is supported for a target network environment. A boot time process of a network device in a factory default configuration detects the presence of a storage device containing therein addressability data that allows the network device to communicate and be addressable within the target network environment. After detecting the presence of the storage device, the network device receives the addressability data from the storage device by using a communication protocol associated with the storage device. Finally, addressability of the network device is established to enable it to communicate with and be addressed by other nodes in the target network environment by configuring one or more address parameters of the network device based upon the addressability data.

48 Citations

View as Search Results

60 Claims

1. A method comprising:
- detecting, by a boot time process of a network device in a factory default configuration, the presence of a removable external storage device on a local internal communications bus connector containing therein addressability data that allows the network device to communicate and be addressable within a network environment in which it will be functioning, the addressability data including an IP address of a remote device configuration server;
  
  after detecting the presence of the storage device, receiving at the network device the addressability data by using a protocol associated with the storage device to transport the addressability data from the storage device to the network device;
  
  establishing addressability of the network device, by the boot time process, to enable it to communicate with and be addressed by other nodes in the network environment by configuring one or more address parameters of the network device based upon the addressability data; and
  
  receiving configuration data from the remote device configuration server, the configuration data including an IP address of a peer VPN device with which the network device may establish a tunnel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the network device includes a designated provisioning port, and said detecting the presence of a storage device includes detecting the presence of the storage device coupled to the designated provisioning port.
  - 3. The method of claim 2, wherein the designated provisioning port comprises an asynchronous EIA232-compliant communications port.
  - 4. The method of claim 2, wherein the storage device comprises a hardware token that includes non-volatile, programmable memory.
  - 5. The method of claim 1, wherein the addressability data comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device;
      
      an IP address associated with a default gateway for the network device; and
      
      an IP address of a remote device configuration server.
  - 6. The method of claim 1, further comprising the boot time process:
    - encrypting a configuration request using security data retrieved from the storage device; and
      
      transmitting the encrypted configuration request to the remote device configuration server.
  - 7. The method of claim 1, wherein the storage device also contains sufficient configuration data to bring the network device into a fully defined, functional state, and wherein the method further comprises receiving at the network device the configuration data by using the protocol to transport the configuration data from the storage device to the network device.
  - 8. The method of claim 1, further comprising prior to said detecting the presence of a storage device, the storage device or another storage device loading or controlling the loading of firmware into the network device, the firmware including instructions representing the boot time process.
  - 9. The method of claim 1, further comprising transmitting a configuration request to the remote device configuration server from the boot time process, the configuration request including security data retrieved from the storage device or being encrypted based upon the security data.
  - 10. The method of claim 9, wherein the network device comprises a virtual private network (VPN) device, and the method further comprises receiving, in response to the configuration request, configuration data from the remote device configuration server, the configuration data including at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 11. The method of claim 1, wherein the network device comprises a virtual private network (VPN) gateway.
  - 12. The method of claim 1, wherein the network device comprises a router.
  - 13. The method of claim 1, further comprising prior to said receiving the addressability data and in response to said detecting the presence of a storage device the network device entering into a provisioning mode to handle receipt of the addressability data and said establishing addressability of the network device.
  - 14. The method of claim 1, wherein the storage device comprises a wireless handheld device.
  - 15. The method of claim 1, wherein the storage device comprises a Universal Serial Bus (USB) hardware token.
  - 16. The method of claim 1, wherein the storage device comprises a smart card.
  - 17. The method of claim 1, wherein the storage device comprises a magnetically encoded card.

18. A method comprising the steps of:
- a step for establishing addressability of a network device that takes the network device during a boot time process from a factory default state to an initial operating state in which the network device can communicate and is addressable within a predetermined network environment using an external removable static storage device on a local internal communications bus connector containing addressability data that includes an IP address of a remote device configuration server; and
  
  a step, responsive to completion of the step for establishing addressability during the boot time process, for provisioning the network device that takes the network device from the initial operating state to a fully defined, functional state in which the network device is configured and ready to process network traffic in the predetermined network environment by acquiring remaining configuration data by way of one or more data transfers over a network from the remote device configuration server by receiving configuration data from the remote device configuration server, the configuration data including an IP address of a peer VPN device with which the network device may establish a tunnel.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein said step for establishing addressability of the network device using an external storage device involves using a hardware token coupled to an asynchronous EIA232-compliant communications port of the network device, the hardware token including a non-volatile, programmable memory having stored therein addressability data including a unique Internet Protocol (IP) address for the network device, an IP address associated with a default gateway for the network device, an IP subnet mask, and an IP address of the remote device configuration server.
  - 20. The method of claim 18, wherein said step for establishing addressability of the network device using an external storage device comprises using a hardware token coupled to a port of the network device controlling the network device using a native console command set of the network device.

21. A method comprising:
- detecting, by a boot time process of a first virtual private network (VPN) device in a factory default configuration, the presence of a removable external hardware token coupled to a designated provisioning port on a local internal communications bus of the first VPN network device, the hardware token including a non-volatile, programmable memory having stored therein addressability data that allows the first VPN device to communicate and be addressable within a predetermined network environment;
  
  after detecting the presence of the hardware token, receiving at the first VPN device the addressability data by using a protocol associated with the hardware token to read the addressability data from the non-volatile, programmable memory of the hardware token;
  
  establishing addressability of the first VPN device, by the boot time process, to enable it to communicate with other network devices in the predetermined network environment by setting one or more address parameters of the first VPN device based upon the addressability data;
  
  transmitting a configuration request to a remote device configuration server from the boot time process, the configuration request including security data read from the hardware token or encrypted based upon the security data;
  
  receiving, in response to the configuration request, tunnel configuration data from the remote device configuration server, the tunnel configuration data including an Internet Protocol (IP) address of a second VPN device associated with the predetermined network environment; and
  
  causing a tunnel to be established between the first VPN device and the second VPN device through a transit network based upon the tunnel configuration data.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, wherein the transit network comprises a private internetwork.
  - 23. The method of claim 21, wherein the transit network comprises a public internetwork.
  - 24. The method of claim 23, wherein the transit network comprises the Internet.

25. A network device provisioning system comprising:
- a first network device to be placed in an initial operating configuration in which the first network device can communicate and be addressable within a predetermined network environment;
  
  a removable external hardware token to interface with a designated provisioning port on a local internal communications bus of the first network device, the hardware token including a non-volatile, programmable memory having stored therein addressability data for the first network device, the addressability data including an IP address of a remote device configuration server;
  
  wherein the first network device is to automatically initiate an addressability phase during a boot time process in response to detecting the presence of the hardware token on the designated provisioning port, during the addressability phase, the addressability phase including receiving the addressability data from the hardware token and transitioning from a current configuration to the initial operating configuration during the boot time process, andwherein the first network device is further to automatically initiate a configuration phase, the configuration phase including receiving configuration data from the remote device configuration server, the configuration data including an IP address of a peer VPN device with which the network device may establish a tunnel.
- View Dependent Claims (26, 27, 28)
- - 26. The network device provisioning system of claim 25, further comprising:
    - a remote device configuration server to manage access to a plurality of sets of configuration data including a first set of configuration data for the first network device;
      
      wherein the non-volatile, programmable memory of the hardware token additionally has stored therein a unique identifier corresponding to the first set of configuration data, andwherein the first network device is to automatically initiate the configuration phase in response to completion of the addressability phase, during the configuration phase, the first network device transmits a configuration request that includes the unique identifier to the remote device configuration server and the remote device configuration server responds to the configuration request by supplying the first set of configuration data to the first network device.
  - 27. The network device provisioning system of claim 26, wherein the first network device comprises a first virtual private network (VPN) device, and wherein the first set of configuration data includes an IP address of a second VPN device with which the first network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 28. The network device provisioning system of claim 26, wherein the first network device comprises a router, and wherein the first set of configuration data includes access control list (ACL) information.

29. A network device comprising:
- a provisioning interface to receive addressability data from a removable external storage device on a local internal communications bus, the addressability data allowing the network device to communicate and be addressable within a target network environment, the addressability data including an IP address of a remote device configuration server;
  
  one or more flash memory modules having stored therein firmware to;
  
  check for the presence of the storage device during boot time processing,cause the addressability data to be received from the storage device using a protocol associated with the storage device if the storage device is present,establish addressability of the network device by configuring one or more address parameters of the network device based upon the addressability data;
  
  receive configuration data from the remote device configuration server, the configuration data including an IP address of a peer VPN device with which the network device may establish a tunnel; and
  
  a processor coupled to the one or more flash memory modules to execute the firmware in response to reset or power up.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The network device of claim 29, wherein the provisioning interface comprises an asynchronous EIA232-compliant communications port.
  - 31. The network device of claim 29, wherein the firmware further transmits a configuration request to the a remote device configuration server, the configuration request including security data retrieved from the storage device or being encrypted based upon the security data.
  - 32. The network device of claim 31, wherein the network device comprises a virtual private network (VPN) device, and the firmware further receives, in response to the configuration request, configuration data from the remote device configuration server, the configuration data including at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 33. The network device of claim 31, wherein the network device comprises a router, and the firmware further receives, in response to the configuration request, configuration data from the remote device configuration server, the configuration data including access control list (ACL) information.

34. A machine-readable medium having stored thereon data representing instructions that, if executed by a processor of a network device, cause the processor to:
- detect, during a boot time process, the presence of a removable external static storage device on a local internal communications bus connector, the storage device containing therein addressability data that allows the network device to communicate and be addressable within a network environment in which it will be functioning, the addressability data including an IP address of a remote device configuration server;
  
  receive the addressability data by using a protocol associated with the Storage device to transport the addressability data from the storage device to the network device;
  
  establish addressability of the network device during the boot time process to enable it to communicate with and be addressed by other nodes in the network environment by configuring one or more address parameters of the network device based upon the addressability data; and
  
  receive configuration data from the remote device configuration server, the configuration data including an IP address of a peer VPN device with which the network device may establish a tunnel.
- View Dependent Claims (35, 36, 37)
- - 35. The machine-readable medium of claim 34, wherein the addressability data further comprises:
    - a unique Internet Protocol (IP) address fur the network device;
      
      a local IP subnet mask for the network device; and
      
      an IP address associated with a default gateway for the network device.
  - 36. The machine-readable medium of claim 34, wherein the instructions further include instructions which, if executed by the processor, cause the processor to transmit a configuration request to the remote device configuration server, the configuration request including security data based upon information retrieved from the storage device.
  - 37. The machine-readable medium of claim 34, wherein the network device comprises a virtual private network (VPN) device, and wherein the instructions further include instructions which, if executed by the processor, cause the processor to receive, in response to the configuration request, configuration data from the remote device configuration server, the configuration data including at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.

38. A method of deploying a network device comprising:
- providing a network device;
  
  providing a removable external hardware token to interface with a designated provisioning port on a local internal communication bus of the network device;
  
  programming a non-volatile memory of the hardware token with addressability data for the network device, which is capable of automatically initiating an addressability phase during a boot time process in response to detecting the presence of the hardware token on the designated provisioning port, the addressability phase causing the network device to receive the addressability data from the hardware token and transition from a current configuration to an initial operating configuration in which the network device can communicate and be addressable within a predetermined network environment;
  
  programming the non-volatile memory of the hardware token with an IP address of a remote device configuration server for a configuration phase, the configuration phase causing the network device to receive configuration data from the remote configuration server, the configuration data including an IP address of a peer VPN device with which the network device may establish a tunnel; and
  
  separately shipping the network device and the programmed storage device to a network site at which the network device will be installed within the predetermined network environment.
- View Dependent Claims (39, 40, 41, 42, 43, 44)
- - 39. The method of claim 38, wherein the network device is capable of automatically initiating the a configuration phase in response to the completion of the addressability phase, during which the network device transmits a configuration request to a remote configuration server responsible for managing access to a remote configuration database, the method further comprising:
    - uploading configuration data for the network device into the remote configuration database and associating the configuration data with a unique set of security dataprogramming the non-volatile memory of the hardware token with the unique set of security data to be provided to the network device for inclusion withthe configuration request.
  - 40. The method of claim 38, wherein the addressability data comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device;
      
      an IP address associated with a default gateway for the network device; and
      
      an IP address of a remote device configuration server.
  - 41. The method of claim 39, wherein the network device comprises a virtual private network (VPN) device, and the configuration data comprises at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 42. The method of claim 41, wherein in response to receiving the configuration data, the network device causes a tunnel to be established with the peer VPN device through a transit network.
  - 43. The method of claim 38, wherein the network device comprises a router.
  - 44. The method of claim 38, wherein the designated provisioning port comprises an asynchronous EIA232-compliant communications port.

45. A method of installing a network device comprising:
- receiving delivery of a network device that is capable of automatically initiating an addressability phase during a boot time process in response to detecting the presence of a removable external hardware token on a designated provisioning port of a local internal communications bus of the network device and capable of automatically initiating a configuration phase in response to completion of the addressability phase;
  
  receiving delivery of the hardware token, the hardware token to interface with the designated provisioning port of the network device, the hardware token including a non-volatile, programmable memory having stored therein addressability data to place the network device in an initial operating State in which the network device can communicate and be addressable within a predetermined network environment, the addressability data including an IP address of a remote device configuration server;
  
  communicatively coupling the network device with the predetermined network environment;
  
  initiating the add ressability phase by coupling the hardware token to the designated provisioning port of the network device and causing the network device to boot, the addressability phase causing the network device to receive the addressability data from the hardware token and transition from a current configuration to the initial operating configuration during the boot time process; and
  
  initiating the configuration phase by receiving configuration data from the remote device configuration server, the configuration data including an IP address of a peer VPN device with which the network device may establish a tunnel.
- View Dependent Claims (46, 47, 48, 49, 50, 51)
- - 46. The method of claim 45, wherein the non-volatile, programmable memory of the hardware token additionally has stored therein a unique identifier associated with a set of configuration data for the network device and stored in a remote configuration database, and wherein during the configuration phase, the network device causes the set of configuration data to be delivered to the network device by transmitting a configuration request including the unique identifier to a remote configuration server that is responsible for managing access to the remote configuration database.
  - 47. The method of claim 45, wherein the addressability data further comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device; and
      
      an IP address associated witha default gateway for the network device.
  - 48. The method of claim 46, wherein the network device comprises a virtual private network (VPN) device, and the set of configuration data comprises at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 49. The method of claim 48, wherein in response to receiving the configuration data, the network device causes a tunnel to be established with the peer VPN device through a transit network.
  - 50. The method of claim 45, wherein the network device comprises a router.
  - 51. The method of claim 45, wherein the designated provisioning port comprises an asynchronous EIA232-compliant communications port.

52. A method of delivering a network device comprising:
- shipping a fully operational network device in a factory default configuration to a customer network site at which the network device will be installed within a predetermined network environment, the network device capable of automaticallyinitiating an addressability phase in response to detecting the presence of a removable external smart hardware storage device on a designated provisioning port of a local internal communications bus of the network device, and capable of initiating a configuration phase in response to completion of the addressability phase; and
  
  if the customer has requested an automated provisioning feature, thenprogramming a removable external smart hardware storage device with addressability data for the network device, the smart hardware storage device to interface with the designated provisioning port of the network device and cause the addressability phase to be initiated during a boot time process, the addressability phase causing the addressability data to be transferred from the smart hardware storage device to the network device and enablingthe network device to transition from the factory default configuration to an initial operating configuration during a boot time process in which the network device can communicate and be addressable within the predetermined network environment, the addressability data including an IP address of a remote device Configuration server from which the network device may receive configuration including an IP address of a peer VPN device with which the network device may establish a tunnel, andshipping the programmed smart hardware storage device to the customer network site.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60)
- - 53. The method of claim 52, wherein during the configuration phase the network device transmits a configuration request to a remote configuration server responsible for managing access to a remote configuration database, the method further comprising:
    - uploading configuration data for the network device into the remote configuration database and associating the configuration data with a unique set of security data; and
      
      programming the smart hardware storage device with the unique set of security data to be provided to the network device for inclusion with the configuration request.
  - 54. The method of claim 52, wherein the addressability data comprises:
    - a unique Internet Protocol (IP) address for the network device;
      
      a local IP subnet mask for the network device; and
      
      an IP address associated with a default gateway for the network device.
  - 55. The method of claim 53, wherein the network device comprises a virtual private network (VPN) device, and the configuration data comprises at least one IP address of a peer VPN device with which the network device will establish a tunnel, and port and protocol numbers for traffic types to be allowed through the tunnel.
  - 56. The method of claim 55, wherein in response to receiving the configuration data, the network device causes a tunnel to be established with the peer VPN device trough a transit network.
  - 57. The method of claim 52, wherein the network device comprises a router.
  - 58. The method of claim 52, wherein the designated provisioning port comprises an asynchronous EIA232-compliant communications port.
  - 59. The method of claim 52, wherein the network device and the programmed smart hardware storage device are shipped separately to the customer network site.
  - 60. The method of claim 52, wherein the programmed smart hardware storage device interfaces with the designated provisioning port of the network device via one or more intermediate devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Robison, Victor C., Pang, Dayman, Burnett, Keith L.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US09/957,879
Publication Number

US 20030018889A1
Time in Patent Office

2,287 Days
Field of Search

713 1- 2, 713/100, 710 8- 10, 726/15
US Class Current

726/15
CPC Class Codes

H04L 41/0809   Plug-and-play configuration

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Automated establishment of addressability of a network device for a target network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Automated establishment of addressability of a network device for a target network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links