Methods and apparatus for scalable, distributed management of virtual private networks

US 7,403,980 B2
Filed: 04/26/2001
Issued: 07/22/2008
Est. Priority Date: 11/08/2000
Status: Expired due to Term

First Claim

Patent Images

1. A group management system comprising:

a plurality of interconnected nodes communicatively coupled with each other as member nodes of a virtual private network (“

VPN”

), wherein all communications between said interconnected nodes are encrypted by said interconnected nodes; and

a plurality of master nodes, different from the plurality of interconnected nodes, each of the master nodes controlling admission and departure in the VPN for an associated non-empty subset of the member nodes and further facilitating said communications between said plurality of interconnected nodes, wherein in the event one of the master nodes fails, the associated subset of member nodes will be automatically reassigned to one or more other of the master nodes,wherein a membership change in at least one of the subsets is performed without notifying all of the master nodes not associated with the changed subset.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A groupware management system for collaborative groups is disclosed that is scalable to support large, dynamic, multiple, and other virtual VPNs. The system may introduce a graph (or hierarchical) structure to the VPN, providing multiple master nodes controlling membership in subsets of the collaborative group. Use of multiple master nodes in a graph-structured (or hierarchical) network topology often relaxes the need for a single, centralized, globally consistent view of VPN group membership, and enables distribution of the management burden among multiple master nodes. Membership in the VPN may be changed dynamically by the second master node for the member nodes of the second subset, without requiring the first master node to dynamically update its group membership records to reflect the change and in many cases without even having to notify the first master node (and vice versa), for example. In further embodiments, the use of multiple master nodes may increase the reliability and efficiency of VPNs, such as by enabling load balancing of master node tasks. Fail-over mechanisms may also be used to transparently re-route management tasks to an alternate master node especially in the case of failure of the current master node serving a given member node.

69 Citations

View as Search Results

30 Claims

1. A group management system comprising:
- a plurality of interconnected nodes communicatively coupled with each other as member nodes of a virtual private network (“
  
  VPN”
  
  ), wherein all communications between said interconnected nodes are encrypted by said interconnected nodes; and
  
  a plurality of master nodes, different from the plurality of interconnected nodes, each of the master nodes controlling admission and departure in the VPN for an associated non-empty subset of the member nodes and further facilitating said communications between said plurality of interconnected nodes, wherein in the event one of the master nodes fails, the associated subset of member nodes will be automatically reassigned to one or more other of the master nodes,wherein a membership change in at least one of the subsets is performed without notifying all of the master nodes not associated with the changed subset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein at least two of the subsets do not share any member nodes in common.
  - 3. The system of claim 1, wherein at least two of the subsets share at least one member node in common.
  - 4. The system of claim 3, wherein a communication involving said common member node can be transmitted along multiple paths.
  - 5. The system of claim 4, further comprising an intrusion detection mechanism that receives said multiple-path communication as input.
  - 6. The system of claim 1, wherein each of the member nodes is associated with at least one of the master nodes as a back-up master.
  - 7. The system of claim 1, wherein the plurality of interconnected nodes is communicatively coupled as part of a peer-to-peer network.
  - 8. The system of claim 1, wherein the plurality of master nodes is part of an edge-based content delivery network.
  - 9. The system of claim 1, wherein the member nodes are allocated to the subsets at least partly based upon one or more criteria of connectivity between each of the member nodes and the corresponding master nodes.
  - 10. The system of claim 9, wherein the connectivity criteria are selected from a group of criteria comprising geographical distance, topological distance, bandwidth, latency, jitter, financial cost, and political boundaries.
  - 11. The system of claim 1, wherein at least one of the master nodes further controls membership in another virtual overlay group different from the VPN.
  - 12. The system of claim 1, wherein a communication from a first one of the subsets of the member nodes uses a first encryption key, and a communication from a second one of the subsets uses a second encryption key that is different from the first encryption key.
  - 13. The system of claim 12, wherein one or more of the master nodes are operable to translate between encryption keys.
  - 14. The system of claim 1, wherein a communication from a first one of the subsets of the member nodes and a communication from a second one of the subsets of the member nodes both use the same encryption key.
  - 15. The system of claim 1, wherein at least one of the master nodes is operable to remotely install software communication mechanisms for a new member node of the VPN without the necessity of installing augmented hardware for the new member node.

16. A method for managing a group, the method comprising:
- providing a plurality of interconnected nodes communicatively coupled with each other as member nodes of a virtual private network (“
  
  VPN”
  
  ), wherein all communications between said interconnected nodes are encrypted by said interconnected nodes; and
  
  providing a plurality of master nodes, different from the plurality of interconnected nodes, each of the master nodes controlling admission and departure in the VPN for an associated non-empty subset of the member nodes and further facilitating said communications between said plurality of interconnected nodes, wherein in the event one of the master nodes fails, the associated subset of member nodes will be automatically reassigned to one or more other of the master nodes,wherein a membership change in at least one of the subsets is performed without notifying all of the master nodes not associated with the changed subset.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The method of claim 16, wherein at least two of the subsets do not share any member nodes in common.
  - 18. The method of claim 16, wherein at least two of the subsets share at least one member node in common.
  - 19. The method of claim 18, wherein a communication involving said common member node can be transmitted along multiple paths.
  - 20. The method of claim 19, further comprising an intrusion detection mechanism that receives said multiple-path communication as input.
  - 21. The method of claim 16, wherein each of the member nodes is associated with at least one of the master nodes as a back-up master.
  - 22. The method of claim 16, wherein the plurality of interconnected nodes is communicatively coupled as part of a peer-to-peer network.
  - 23. The method of claim 16, wherein the plurality of master nodes is part of an edge-based content delivery network.
  - 24. The method of claim 16, wherein the member nodes are allocated to the subsets at least partly based upon one or more criteria of connectivity between each of the member nodes and the corresponding master nodes.
  - 25. The method of claim 24, wherein the connectivity criteria are selected from a group of criteria comprising geographical distance, topological distance, bandwidth, latency, jitter, financial cost, and political boundaries.
  - 26. The method of claim 16, wherein at least one of the master nodes further controls membership in another virtual overlay group different from the VPN.
  - 27. The method of claim 16, wherein a communication from a first one of the subsets of the member nodes uses a first encryption key, and a communication from a second one of the subsets uses a second encryption key that is different from the first encryption key.
  - 28. The method of claim 27, wherein one or more of the master nodes are operable to translate between encryption keys.
  - 29. The method of claim 16, wherein a communication from a first one of the subsets of the member nodes and a communication from a second one of the subsets of the member nodes both use the same encryption key.
  - 30. The method of claim 16, wherein at least one of the master nodes is operable to remotely install software communication mechanisms for a new member node of the VPN without the necessity of installing augmented hardware for the new member node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Systems, Inc.
Original Assignee
SRI International, Inc.
Inventors
Stringer-Calvert, David W. J., Dawson, Steven Mark, Lincoln, Patrick D.
Primary Examiner(s)
Patel, Niketa I

Application Number

US09/844,693
Publication Number

US 20020055989A1
Time in Patent Office

2,644 Days
Field of Search

709220-224, 709/239, 709/249, 709/252
US Class Current

709/220
CPC Class Codes

H04L 12/4679   Arrangements for the regist...

H04L 41/00   Arrangements for maintenanc...

H04L 41/40   using virtualisation of net...

H04L 69/40   for recovering from a failu...

H04L 9/40   Network security protocols

Methods and apparatus for scalable, distributed management of virtual private networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for scalable, distributed management of virtual private networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links