Method and apparatus for dynamically securing voice and other delay-sensitive network traffic
First Claim
1. An apparatus for dynamically securing delay-sensitive network traffic, comprising:
- means for receiving, at one or more of a hub router and a spoke router of a packet switched network, a request from a source device for secure network traffic between the source device having a private network address at a source node and a destination device having a private network address at a destination node;
- means for obtaining from a route server the private network address of the destination device at the destination node, based on signaling information associated with the request;
- means for obtaining, from at least one of a next hop server, a cache at the source node, a call setup signal and a nonstandard data field associated with a call setup confirm signal, a public network address of the destination node associated with the private network address;
- means for creating, in response to the request, a virtual circuit between the source node and the destination node based on the public network address of the destination node associated with the private network address;
- means for encrypting network traffic for transporting at least from the source node to the destination node over the virtual circuit;
- wherein the obtaining means, creating means and encrypting means are in one or more of the routers of the packet switched network;
- wherein the virtual circuit comprises a component of a full mesh virtual private network (VPN), wherein the encrypting means conform to the Internet Protocol Security (IPsec) protocol and wherein the delay-sensitive network traffic comprises Voice over Internet Protocol (VoIP), other voice, facsimile, multimedia, teleconferencing or videoconferencing related traffic;
- wherein:
  - the packet switched network comprises at least one hub router and a plurality of spoke routers that are each communicatively coupled with the at least one hub router with a tunnel configured with the VPN there between;
  - the tunnel between the at least one hub router and each of the spoke routers is in a continuously up condition; and
  - a source spoke router is configured to dynamically determine, using a next hop routing protocol (NHRP), a destination address for the target spoke router, in response to a request from one of the spoke routers, which functions as the source spoke router, to transmit a packet to a subnet behind another of the spoke routers, which functions as a target spoke router; the at least one hub router functions as an NHRP server and handles the request for the source spoke router; and
  - the source spoke router and the target spoke router are configured to:
    - dynamically configure a VPN tunnel between each other, which complies with the IPsec protocol, via a multi-point Generic Routing Encapsulation (mGRE) interface; and
    - transfer data directly between each other.
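As an added illustration (not part of the patent or any vendor's code), the following Python models the claimed resolution sequence: a route server lookup from signaling information, a cache at the source node, a public address carried in call setup signaling, and an NHRP request to the hub, after which the spoke records a direct spoke-to-spoke tunnel while the always-up hub tunnel remains the fallback. All addresses, extension numbers and class names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Hub:
    """Hub router acting as NHRP server: spokes register (private subnet -> public address)."""
    registrations: dict = field(default_factory=dict)

    def register(self, subnet: str, public: str) -> None:
        self.registrations[ip_network(subnet)] = public

    def resolve(self, private_dst: str) -> Optional[str]:
        """NHRP resolution: longest-prefix match of the private destination."""
        addr = ip_address(private_dst)
        hits = [n for n in self.registrations if addr in n]
        if not hits:
            return None
        return self.registrations[max(hits, key=lambda n: n.prefixlen)]

@dataclass
class Spoke:
    name: str
    hub: Hub
    route_server: dict                            # called number -> private address (constructed)
    cache: dict = field(default_factory=dict)     # private destination -> public address
    tunnels: set = field(default_factory=set)     # public peers with a dynamic IPsec/mGRE tunnel
    hub_queries: int = 0                          # how often the hub had to be asked

    def place_call(self, called_number: str, signaled_public: Optional[str] = None) -> dict:
        """Secure a call to called_number; returns which source supplied the public address."""
        private_dst = self.route_server[called_number]     # route server, from signaling info
        if private_dst in self.cache:                      # cache at the source node
            public, source = self.cache[private_dst], "cache"
        elif signaled_public:                              # call setup / confirm signal field
            public, source = signaled_public, "signaling"
        else:                                              # NHRP request handled by the hub
            self.hub_queries += 1
            public, source = self.hub.resolve(private_dst), "nhrp"
            if public is None:                             # unknown peer: stay on the hub tunnel
                return {"path": "via-hub", "dst": private_dst, "source": source}
        self.cache[private_dst] = public
        self.tunnels.add(public)                           # dynamic spoke-to-spoke IPsec over mGRE
        return {"path": "direct", "dst": private_dst, "public": public, "source": source}
```

Repeated calls to the same destination never return to the hub, which is the provisioning and delay saving the abstract describes.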
Abstract
A request is received for secure network traffic from a device having a private network address at a source node. The private network address of a requested destination device is obtained at a destination node from a route server based on signaling information associated with the request. The public network address of the destination node associated with the private network address is obtained. In response to the request, a virtual circuit is created between the source node and the destination node based on the public network address of the destination node. Network traffic is encrypted for transport at least from the source node to the destination node through the virtual circuit. Creating the virtual circuit dynamically in response to the request functions like a fully meshed network but requires less provisioning and maintenance. The process is readily scalable, as with a hub and spoke network but with less delay.
26 Claims
1. Independent claim, set out in full under First Claim above.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method for dynamically securing delay-sensitive network traffic, the method comprising the computer-implemented steps of:
- receiving, at one or more of a hub router and a spoke router of a packet switched network, a request from a source device for secure network traffic between the source device at a source node and a destination device at a destination node;
- obtaining from one or more of a next-hop server, a cache at the source node, a call setup signal or a nonstandard data field associated with a call setup confirm signal, a public network address for the destination node;
- creating, in response to the request, a virtual circuit between the source node and the destination node based on the public network address for the destination node; and
- encrypting network traffic for transporting at least from the source node to the destination node through the virtual circuit;
- wherein the obtaining, creating and encrypting are performed with the one or more routers of the packet switched network;
- wherein the virtual circuit comprises a component of a full mesh virtual private network (VPN), wherein the encrypting conforms to the Internet Protocol Security (IPsec) protocol and wherein the delay-sensitive network traffic comprises Voice over Internet Protocol (VoIP), other voice, facsimile, multimedia, teleconferencing or videoconferencing related traffic;
- wherein:
  - the packet switched network comprises at least one hub router and a plurality of spoke routers that are each communicatively coupled with the at least one hub router with a tunnel configured with the VPN there between;
  - the tunnel between the at least one hub router and each of the spoke routers is in a continuously up condition; and
  - upon a request from one of the spoke routers, which functions as a source spoke router, to transmit a packet to a subnet behind another of the spoke routers, which functions as a target spoke router, the source spoke router dynamically determines, using a next hop routing protocol (NHRP), a destination address for the target spoke router; the at least one hub router functions as an NHRP server and handles the request for the source spoke router; and
  - the source spoke router and the target spoke router:
    - dynamically configure a VPN tunnel between each other, which complies with the IPsec protocol, via a multi-point Generic Routing Encapsulation (mGRE) interface; and
    - transfer data directly between each other.

Dependent claims: 13, 14, 15.
16. An apparatus for dynamically securing delay-sensitive network traffic, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
- a processor;
- one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
  - receiving, at one or more of a hub router and a spoke router of a packet switched network, a request from a source device for secure network traffic between the source device having a private network address at a source node and a destination device having a private network address at a destination node;
  - obtaining from a route server the private network address of the destination device at the destination node, based on signaling information associated with the request;
  - obtaining, from at least one of a next hop server, a cache at the source node, a call setup signal and a nonstandard data field associated with a call setup confirm signal, a public network address of the destination node associated with the private network address;
  - creating, in response to the request, a virtual circuit between the source node and the destination node based on the public network address of the destination node associated with the private network address;
  - encrypting network traffic for transporting at least from the source node to the destination node over the virtual circuit;
- wherein the obtaining, creating and encrypting are performed with the one or more routers of the packet switched network;
- wherein the virtual circuit comprises a component of a full mesh virtual private network (VPN), wherein the encrypting conforms to the Internet Protocol Security (IPsec) protocol and wherein the delay-sensitive network traffic comprises Voice over Internet Protocol (VoIP), other voice, facsimile, multimedia, teleconferencing or videoconferencing related traffic;
- wherein:
  - the packet switched network comprises at least one hub router and a plurality of spoke routers that are each communicatively coupled with the at least one hub router with a tunnel configured with the VPN there between;
  - the tunnel between the at least one hub router and each of the spoke routers is in a continuously up condition; and
  - a source spoke router is configured to dynamically determine, using a next hop routing protocol (NHRP), a destination address for the target spoke router, upon a request from one of the spoke routers, which functions as the source spoke router, to transmit a packet to a subnet behind another of the spoke routers, which functions as a target spoke router; the at least one hub router functions as an NHRP server and handles the request for the source spoke router; and
  - the source spoke router and the target spoke router are configured to:
    - dynamically configure a VPN tunnel between each other, which complies with the IPsec protocol, via a multi-point Generic Routing Encapsulation (mGRE) interface; and
    - transfer data directly between each other.

Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26.