Virtual private network (VPN)-aware customer premises equipment (CPE) edge router
First Claim
1. A method for supporting a virtual private network (VPN), the method comprising:
designating a first port of a router for packets transmitted internal to the VPN, the first port corresponding to a communication link;
designating a second port of the router for packets transmitted external to the VPN, the second port corresponding to the communication link;
determining whether a received packet is internal to the VPN;
transmitting the received packet over the first port if the received packet is determined to be internal to the VPN; and
preventing a Denial-of-Service (DoS) attack with respect to the communication link by allocating capacity on the communication link to ensure a predetermined Quality of Service (QoS) level for transmission of the packets internal to the VPN.
Abstract
A network architecture includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer's VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with intra-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing, and configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge routers. By configuring the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.
16 Claims
1. A method for supporting a virtual private network (VPN), the method comprising:
designating a first port of a router for packets transmitted internal to the VPN, the first port corresponding to a communication link; designating a second port of the router for packets transmitted external to the VPN, the second port corresponding to the communication link; determining whether a received packet is internal to the VPN; transmitting the received packet over the first port if the received packet is determined to be internal to the VPN; and preventing a Denial-of-Service (DoS) attack with respect to the communication link by allocating capacity on the communication link to ensure a predetermined Quality of Service (QoS) level for transmission of the packets internal to the VPN. (Dependent claims: 2, 3, 4, 5, 6)
7. A routing device for supporting a virtual private network (VPN), the device comprising:
a first port designated for packets transmitted internal to the VPN; a second port designated for packets transmitted external to the VPN, wherein the first port and the second port couple to a communication link; and a classifier configured to determine whether a received packet is internal to the VPN, wherein the received packet is transmitted over the first port if the received packet is determined to be internal to the VPN, wherein a Denial-of-Service (DoS) attack with respect to the communication link is prevented by allocating capacity on the communication link to ensure a predetermined Quality of Service (QoS) level for transmission of the packets internal to the VPN. (Dependent claims: 8, 9, 10, 11, 12, 13)
14. A device for supporting a virtual private network (VPN), the device comprising:
a first network port configured to receive a packet from a host; and a second network port coupled to a communication link for transporting the packet to a boundary router that interfaces the VPN, wherein the boundary router has a first communication port designated for packets transmitted internal to the VPN and a second communication port for packets transmitted external to the VPN, the first communication port and the second communication port being configured to couple to the communication link, wherein the boundary router prevents a Denial-of-Service (DoS) attack with respect to the communication link by allocating capacity on the communication link to ensure a predetermined Quality of Service (QoS) level for transmission of the packets internal to the VPN. (Dependent claims: 15, 16)
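As an added illustration of the mechanism in the abstract and claims (this is example code, not from the patent or its assignee), a toy Python model of a boundary router's access link: a classifier places each packet on the intra-VPN or extra-VPN logical port, and a per-round scheduler reserves a predetermined share of the link for the intra-VPN port so an extra-VPN flood cannot push intra-VPN traffic below that level. The VPN prefixes, round capacity and flood sizes are constructed, and the no-reservation FIFO baseline is added for comparison; it goes beyond what the claims describe.

```python
import ipaddress
from collections import deque

# Constructed VPN address plan for this example (hypothetical, not from the patent).
VPN_PREFIXES = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "10.2.0.0/16")]

def is_intra_vpn(src: str, dst: str) -> bool:
    """Classifier: internal to the VPN only if both endpoints are in VPN address space."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in VPN_PREFIXES) and any(d in n for n in VPN_PREFIXES)

class AccessLink:
    """One access link, two logical ports. Each round sends up to `capacity` packets: `reserved`
    go to the intra-VPN port, the rest to extra-VPN, and unused slots are handed back (intra first)."""
    def __init__(self, capacity: int, reserved=None):
        self.capacity, self.reserved = capacity, reserved
        self.queues = {"intra": deque(), "extra": deque(), "fifo": deque()}

    def enqueue(self, src: str, dst: str) -> None:
        port = "intra" if is_intra_vpn(src, dst) else "extra"
        self.queues["fifo" if self.reserved is None else port].append(port)

    def run_round(self) -> dict:
        sent, q, budget = {"intra": 0, "extra": 0}, self.queues, self.capacity
        if self.reserved is None:                     # baseline: flood and VPN traffic share one FIFO
            for _ in range(min(budget, len(q["fifo"]))):
                sent[q["fifo"].popleft()] += 1
            return sent
        for port, limit in (("intra", self.reserved), ("extra", self.capacity - self.reserved),
                            ("intra", self.capacity), ("extra", self.capacity)):
            n = min(limit, len(q[port]), budget)      # guaranteed shares first, then leftovers
            for _ in range(n):
                q[port].popleft()
            sent[port] += n
            budget -= n
        return sent

def simulate(rounds, intra_per_round, extra_per_round, capacity=10, reserved=None):
    """Offer steady site-to-site VPN traffic beside an Internet flood; report deliveries and worst intra backlog."""
    link, total, worst = AccessLink(capacity, reserved), {"intra": 0, "extra": 0}, 0
    for _ in range(rounds):
        for i in range(intra_per_round):              # VPN site A -> VPN site B (intra-VPN)
            link.enqueue("10.1.0.%d" % (i + 1), "10.2.0.1")
        for i in range(extra_per_round):              # Internet hosts -> VPN site A (extra-VPN)
            link.enqueue("198.51.100.%d" % (i % 254 + 1), "10.1.0.1")
        for port, n in link.run_round().items():
            total[port] += n
        worst = max(worst, len(link.queues["intra"]) + link.queues["fifo"].count("intra"))
    return {"delivered": total, "intra_backlog": worst}
```

With `reserved=6` of 10 slots, a 100-packet-per-round flood still leaves every intra-VPN packet delivered in its round, while the FIFO baseline lets the flood starve the VPN traffic; the reservation is a floor, so intra-VPN load above it still queues.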