Method and apparatus for dynamically securing voice and other delay-sensitive network traffic

US 7,366,894 B1
Filed: 11/27/2002
Issued: 04/29/2008
Est. Priority Date: 06/25/2002
Status: Active Grant

First Claim

Patent Images

1. An apparatus for dynamically securing delay-sensitive network traffic, comprising:

means for receiving, at one or more of a hub router and a spoke router of a packet switched network, a request from a source device for secure network traffic between the source device having a private network address at a source node and a destination device having a private network address at a destination node;

means for obtaining from a route server the private network address of the destination device at the destination node, based on signaling information associated with the request;

means for obtaining, from at least one of a next hop server, a cache at the source node, a call setup signal and a nonstandard data field associated with a call setup confirm signal, a public network address of the destination node associated with the private network address;

means for creating, in response to the request, a virtual circuit between the source node and the destination node based on the public network address of the destination node associated with the private network address;

means for encrypting network traffic for transporting at least from the source node to the destination node over the virtual circuit;

wherein the obtaining means, creating means and encrypting means are in one or more of the routers of the packet switched network;

wherein the virtual circuit comprises a component of a full mesh virtual private network (VPN), wherein the encrypting means conform to the Internet Protocol Security (IPsec) protocol and wherein the delay-sensitive network traffic comprises Voice over Internet Protocol (VoIP), other voice, facsimile, multimedia, teleconferencing or videoconferencing related traffic;

wherein;

the packet switched network comprises at least one hub router and a plurality of spoke routers that are each communicatively coupled with the at least one hub router with a tunnel configured with the VPN there between;

the tunnel between the at least one hub router and each of the spoke routers is in a continuously up condition; and

a source spoke router is configured to dynamically determine, using a next hop routing protocol (NHRP), a destination address for the target spoke router, in response to a request from one of the spoke routers, which functions as the source spoke router, to transmit a packet to a subnet behind another of the spoke routers, which functions as a target spoke router, the at least one hub router functions as an NHRP server and handles the request for the source spoke router; and

the source spoke router and the target spoke router are configured to;

dynamically configure a VPN tunnel between each other, which complies with the IPsec protocol, via a multi-point Generic Routing Encapsulation (mGRE) interface; and

transfer data directly between each other.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request is received for secure network traffic from a device having a private network address at a source node. The private network address of a requested destination device is obtained at a destination node from a route server based on signaling information associated with the request. The public network address of the destination node associated with the private network address is obtained. In response to the request, a virtual circuit is created between the source node and the destination node based on the public network address of the destination node. Network traffic is encrypted for transport at least from the source node to the destination node through the virtual circuit. Creating the virtual circuit dynamically in response to the request functions like a fully meshed network but requires less provisioning and maintenance. The process is readily scalable, as with a hub and spoke network but with less delay.

Citations

26 Claims

1. An apparatus for dynamically securing delay-sensitive network traffic, comprising:
- means for receiving, at one or more of a hub router and a spoke router of a packet switched network, a request from a source device for secure network traffic between the source device having a private network address at a source node and a destination device having a private network address at a destination node;
  
  means for obtaining from a route server the private network address of the destination device at the destination node, based on signaling information associated with the request;
  
  means for obtaining, from at least one of a next hop server, a cache at the source node, a call setup signal and a nonstandard data field associated with a call setup confirm signal, a public network address of the destination node associated with the private network address;
  
  means for creating, in response to the request, a virtual circuit between the source node and the destination node based on the public network address of the destination node associated with the private network address;
  
  means for encrypting network traffic for transporting at least from the source node to the destination node over the virtual circuit;
  
  wherein the obtaining means, creating means and encrypting means are in one or more of the routers of the packet switched network;
  
  wherein the virtual circuit comprises a component of a full mesh virtual private network (VPN), wherein the encrypting means conform to the Internet Protocol Security (IPsec) protocol and wherein the delay-sensitive network traffic comprises Voice over Internet Protocol (VoIP), other voice, facsimile, multimedia, teleconferencing or videoconferencing related traffic;
  
  wherein;
  
  the packet switched network comprises at least one hub router and a plurality of spoke routers that are each communicatively coupled with the at least one hub router with a tunnel configured with the VPN there between;
  
  the tunnel between the at least one hub router and each of the spoke routers is in a continuously up condition; and
  
  a source spoke router is configured to dynamically determine, using a next hop routing protocol (NHRP), a destination address for the target spoke router, in response to a request from one of the spoke routers, which functions as the source spoke router, to transmit a packet to a subnet behind another of the spoke routers, which functions as a target spoke router, the at least one hub router functions as an NHRP server and handles the request for the source spoke router; and
  
  the source spoke router and the target spoke router are configured to;
  
  dynamically configure a VPN tunnel between each other, which complies with the IPsec protocol, via a multi-point Generic Routing Encapsulation (mGRE) interface; and
  
  transfer data directly between each other.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus as recited in claim 1 wherein the receiving means comprise means for receiving a request for secure telephony traffic.
  - 3. The apparatus as recited in claim 1 wherein receiving means comprise means for receiving a request for secure video traffic.
  - 4. The apparatus as recited in claim 1 wherein the receiving means comprise means for receiving one or more tonal signals that represent a telephone number of the destination device.
  - 5. The apparatus as recited in claim 1 wherein the next-hop server functions with a next hop resolution protocol (NHRP).
  - 6. The apparatus as recited in claim 1 wherein the cache comprises means for storing mappings of private network addresses to public network addresses.
  - 7. The apparatus as recited in claim 1 wherein the creating means comprises:
    - means for encapsulating a payload packet of the network traffic in a first protocol packet; and
      
      means for encapsulating the first protocol packet in a second protocol packet.
  - 8. The apparatus as recited in claim 1, further comprising means for ensuring the integrity of the network traffic transported between the source node and the destination node over the virtual circuit.
  - 9. The apparatus as recited in claim 1, further comprising means for ensuring the authenticity of the network traffic transported between the source node and the destination node over the virtual circuit.
  - 10. The apparatus as recited in claim 1 wherein the encrypting means comprises:
    - means for encapsulating an encrypted payload packet of the network traffic in a first protocol packet; and
      
      means for encapsulating the first protocol packet in a second protocol packet.
  - 11. The apparatus as recited in claim 1 wherein the signaling information and the call setup signal comply with a signaling or transport protocol that comprises H.225, H.323, SIP, RTP or Q.931.

12. A method for dynamically securing delay-sensitive network traffic, the method comprising the computer-implemented steps of:
- receiving, at one or more of a hub router and a spoke router of a packet switched network, a request from a source device for secure network traffic between the source device at a source node and a destination device at a destination node;
  
  obtaining from one or more of a next-hop server, a cache at the source node, a call setup signal or a nonstandard data field associated with a call setup confirm signal, a public network address for the destination node;
  
  creating, in response to the request, a virtual circuit between the source node and the destination node based on the public network address for the destination node;
  
  andencrypting network traffic for transporting at least from the source node to the destination node through the virtual circuit;
  
  wherein the obtaining, creating and encrypting are performed with the one or more routers of the packet switched network;
  
  wherein the virtual circuit comprises a component of a full mesh virtual private network (VPN), wherein the encrypting conforms to the Internet Protocol Security (IPsec) protocol and wherein the delay-sensitive network traffic comprises Voice over Internet Protocol (VoIP), other voice, facsimile, multimedia, teleconferencing or videoconferencing related traffic;
  
  wherein;
  
  the packet switched network comprises at least one hub router and a plurality of spoke routers that are each communicatively coupled with the at least one hub router with a tunnel configured with the VPN there between;
  
  the tunnel between the at least one hub router and each of the spoke routers is in a continuously up condition; and
  
  upon a request from one of the spoke routers, which functions as a source spoke router, to transmit a packet to a subnet behind another of the spoke routers, which functions as a target spoke router, the source spoke router dynamically determines, using a next hop routing protocol (NHRP), a destination address for the target spoke router;
  
  the at least one hub router functions as an NHRP server and handles the request for the source spoke router; and
  
  the source spoke router and the target spoke router;
  
  dynamically configure a VPN tunnel between each other, which complies with the IPsec protocol, via a multi-point Generic Routing Encapsulation (mGRE) interface; and
  
  transfer data directly between each other.
- View Dependent Claims (13, 14, 15)
- - 13. The method as recited in claim 12 wherein the call setup signal complies with a signalling or transport protocol that comprises H.225, H.323, SIP, RTP or Q.931.
  - 14. The method of claim 12 wherein the source device is associated with a switching device having a public network address.
  - 15. The method of claim 12 wherein the destination device is associated with a switching device having a public network address.

16. An apparatus for dynamically securing delay-sensitive network traffic, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving, at one or more of a hub router and a spoke router of a packet switched network, a request from a source device for secure network traffic between the source device having a private network address at a source node and a destination device having a private network address at a destination node;
  
  obtaining from a route server the private network address of the destination device at the destination node, based on signaling information associated with the request;
  
  obtaining, from at least one of a next hop server, a cache at the source node, a call setup signal and a nonstandard data field associated with a call setup confirm signal, a public network address of the destination node associated with the private network address;
  
  creating, in response to the request a virtual circuit between the source node and the destination node based on the public network address of the destination node associated with the private network address;
  
  encrypting network traffic for transporting at least from the source node to the destination node over the virtual circuit;
  
  wherein the obtaining, creating and encrypting are performed with the one or more routers of the packet switched network;
  
  wherein the virtual circuit comprises a component of a full mesh virtual private network (VPN), wherein the encrypting conforms to the Internet Protocol Security (IPsec) protocol and wherein the delay-sensitive network traffic comprises Voice over Internet Protocol (VoIP), other voice, facsimile, multimedia, teleconferencing or videoconferencing related traffic;
  
  wherein;
  
  the packet switched network comprises at least one hub router and a plurality of spoke routers that are each communicatively coupled with the at least one hub router with a tunnel configured with the VPN there between;
  
  the tunnel between the at least one hub router and each of the spoke routers is in a continuously up condition; and
  
  a source spoke router is configured to dynamically determine, using a next hop routing protocol (NHRP), a destination address for the target spoke router, upon a request from one of the spoke routers, which functions as the source spoke router, to transmit a packet to a subnet behind another of the spoke routers, which functions as a target spoke router, the at least one hub router functions as an NHRP server and handles the request for the source spoke router; and
  
  the source spoke router and the target spoke router are configured to;
  
  dynamically configure a VPN tunnel between each other, which complies with the IPsec protocol, via a multi-point Generic Routing Encapsulation (mGRE) interface; and
  
  transfer data directly between each other.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The apparatus as recited in claim 16 wherein the instructions, which when executed, cause receiving a request for secure network traffic comprise instructions, which when executed, cause receiving a request for secure telephony traffic.
  - 18. The apparatus as recited in claim 16 wherein the instructions, which when executed, cause receiving a request for secure network traffic comprise instructions, which when executed, cause receiving a request for secure video traffic.
  - 19. The apparatus as recited in claim 16 wherein the instructions, which when executed, cause receiving a request for secure network traffic comprise instructions, which when executed, cause receiving one or more tonal signals that represent a telephone number of the destination device.
  - 20. The apparatus as recited in claim 16 wherein the next-hop server functions with a next hop resolution protocol (NHRP).
  - 21. The apparatus as recited in claim 16 wherein the cache comprises mappings of private network addresses to public network addresses.
  - 22. The apparatus as recited in claim 16 wherein the step of creating a virtual circuit comprises the steps of:
    - encapsulating a payload packet of the network traffic in a first protocol packet;
      
      encapsulating the first protocol packet in a second protocol packet.
  - 23. The apparatus as recited in claim 16, further comprising instructions, which when executed, cause ensuring the integrity of the network traffic transported between the source node and the destination node over the virtual circuit.
  - 24. The apparatus as recited in claim 16, further comprising instructions, which when executed, cause ensuring the authenticity of the network traffic transported between the source node and the destination node over the virtual circuit.
  - 25. The apparatus as recited in claim 16 wherein the step of encrypting network traffic comprises the steps of:
    - encapsulating an encrypted payload packet of the network traffic in a first protocol packet; and
      
      encapsulating the first protocol packet in a second protocol packet.
  - 26. The apparatus as recited in claim 16 wherein the signaling information and the call setup signal comply with a signaling or transport protocol that comprises H.225, H.323, SIP, RTP or Q.931.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sullenberger, Michael L., Kalimuthu, Ramesh, Kalley, Yogesh, Vilhuber, Jan
Primary Examiner(s)
Barrón, Jr.; Gilberto
Assistant Examiner(s)
Brown; Christopher J

Application Number

US10/305,762
Time in Patent Office

1,980 Days
Field of Search

726/15, 726/12, 379/142.07, 379/901, 370/395.54, 713/153
US Class Current

713/153
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/164 at the network layer

Method and apparatus for dynamically securing voice and other delay-sensitive network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for dynamically securing voice and other delay-sensitive network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links