Virtual private network (VPN)-aware customer premises equipment (CPE) edge router

US 7,447,151 B2
Filed: 05/12/2004
Issued: 11/04/2008
Est. Priority Date: 03/20/2001
Status: Active Grant

First Claim

Patent Images

1. A method for supporting a virtual private network (VPN), the method comprising:

designating a first port of a router for packets transmitted internal to the VPN, the first port corresponding to a communication link;

designating a second port of the router for packets transmitted external to the VPN, the second port corresponding to the communication link;

determining whether a received packet is internal to the VPN;

transmitting the received packet over the first port if the received packet is determined to be internal to the VPN; and

preventing a Denial-of-Service (DoS) attack with respect to the communication link by allocating capacity on the communication link to ensure a predetermined Quality of Service (QoS) level for transmission of the packets internal to the VPN.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network architecture includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer'"'"'s VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer'"'"'s VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer'"'"'s access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with inter-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing and configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge routers. By configuring the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.

Citations

16 Claims

1. A method for supporting a virtual private network (VPN), the method comprising:
- designating a first port of a router for packets transmitted internal to the VPN, the first port corresponding to a communication link;
  
  designating a second port of the router for packets transmitted external to the VPN, the second port corresponding to the communication link;
  
  determining whether a received packet is internal to the VPN;
  
  transmitting the received packet over the first port if the received packet is determined to be internal to the VPN; and
  
  preventing a Denial-of-Service (DoS) attack with respect to the communication link by allocating capacity on the communication link to ensure a predetermined Quality of Service (QoS) level for transmission of the packets internal to the VPN.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1, wherein the router is a boundary router in communication with a customer premise router over the communication link.
  - 3. A method according to claim 1, wherein the received packet includes a Differentiated Services Code Point (DSCP) field, the method further comprising:
    - setting the Differentiated Services Code Point (DSCP) field according to one of a plurality of Quality of Service (QoS) levels.
  - 4. A method according to claim 1, wherein the packets external to the VPN correspond to another VPN.
  - 5. A method according to claim 1, the method further comprising:
    - communicating with a first boundary router coupled to the VPN.
  - 6. A method according to claim 5, the method further comprising:
    - communicating with a second boundary router coupled to a public data network.

7. A routing device for supporting a virtual private network (VPN), the device comprising:
- a first port designated for packets transmitted internal to the VPN;
  
  a second port designated for packets transmitted external to the VPN, wherein the first port and the second port couples to a communication link; and
  
  a classifier configured to determine whether a received packet is internal to the VPN, wherein the received packet is transmitted over the first port if the received packet is determined to be internal to the VPN,wherein a Denial-of-Service (DoS) attack with respect to the communication link is prevented by allocating capacity on the communication link to ensure a predetermined Quality of Service (QoS) level for transmission of the packets internal to the VPN.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. A device according to claim 7, wherein the routing device is a boundary router.
  - 9. A device according to claim 7, wherein the received packet includes a Differentiated Services Code Point (DSCP) field that is set according to one of a plurality of Quality of Service (QoS) levels.
  - 10. A device according to claim 7, wherein the received packet is forwarded over the communication link to a customer premise equipment (CPE) router.
  - 11. A device according to claim 7, wherein the packets external to the VPN correspond to another VPN.
  - 12. A device according to claim 7, the device further comprising:
    - a third port configured to communicate with a first boundary router coupled to the VPN.
  - 13. A device according to claim 12, the device further comprising:
    - a fourth port configured to communicate with a second boundary router coupled to a public data network.

14. A device for supporting a virtual private network (VPN), the device comprising:
- a first network port configured to receive a packet from a host; and
  
  a second network port coupled to a communication link for transporting the packet to a boundary router that interfaces the VPN,wherein the boundary router has a first communication port designated for packets transmitted internal to the VPN and a second communication port for packets transmitted external to the VPN, the first communication port and the second communication port being configured to couple to the communication link,wherein the boundary router prevents a Denial-of-Service (DoS) attack with respect to the communication link by allocating capacity on the communication link to ensure a predetermined Quality of Service (QoS) level for transmission of the packets internal to the VPN.
- View Dependent Claims (15, 16)
- - 15. A device according to claim 14, wherein the device is a customer premise equipment (CPE) router.
  - 16. A device according to claim 14, further comprising:
    - a third network port configured to communicate with another boundary router coupled to a public data network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Business Global LLC (Verizon Communications Inc.)
Inventors
McDysan, David E.
Primary Examiner(s)
Pham; Chi H.
Assistant Examiner(s)
Elallam; Ahmed

Application Number

US10/843,761
Publication Number

US 20040208122A1
Time in Patent Office

1,637 Days
Field of Search

370/229, 370/231, 370/230.1, 370/235, 370/235.1, 370/237, 370/351, 370/352, 370/355, 370/389, 370/392, 370/395.2, 370/395.21, 370/395.31, 370/395.4, 370/395.52, 370/395.53, 370/395.7, 370/395.42, 370/395.5, 370/395.71, 370/401, 370/409, 370/412, 370/428, 370/468, 709/228, 709/229, 709/240, 726 12- 15
US Class Current

370/231
CPC Class Codes

H04L 12/14   Charging , metering or bill...

H04L 12/1403   Architecture for metering, ...

H04L 12/1446   inter-operator billing

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/467   Arrangements for supporting...

H04L 41/00   Arrangements for maintenanc...

H04L 41/122   of virtualised topologies, ...

H04L 47/10   Flow control; Congestion co...

H04L 47/125   by balancing the load, e.g....

H04L 47/2408   for supporting different se...

H04L 47/2433   Allocation of priorities to...

H04L 47/2441   relying on flow classificat...

H04L 47/70   Admission control; Resource...

H04L 47/805   QOS or priority aware

H04L 47/825   Involving tunnels, e.g. MPLS

H04L 61/4523   using lightweight directory...

H04L 61/4535   using an address exchange p...

H04L 61/4557   Directories for hybrid netw...

H04L 63/0272   Virtual private networks

H04L 63/1458   Denial of Service

H04L 65/103 : in the network

H04L 65/104 : in the network

H04L 65/1043 : Gateway controllers, e.g. m...

H04L 65/1069 : Session establishment or de...

H04L 65/1096 : Supplementary features, e.g...

H04L 65/1101 : Session protocols

H04L 65/1104 : Session initiation protocol...

H04L 65/612 : for unicast

H04L 65/762 : at the source reformatting...

H04L 65/80 : Responding to QoS

H04L 67/06 : specially adapted for file ...

H04L 67/14 : Session management for real...

H04L 67/303 : Terminal profiles

H04L 67/306 : User profiles

H04L 67/34 : involving the movement of s...

H04L 67/51 : Discovery or management the...

H04L 67/52 : specially adapted for the l...

H04L 69/08 : Protocols for interworking;...

H04L 69/329 : in the application layer [O...

H04L 9/40 : Network security protocols

H04M 15/00 : Arrangements for metering, ...

H04M 15/43 : Billing software details

H04M 15/47 : Fraud detection or preventi...

H04M 15/53 : using mediation

H04M 15/55 : for hybrid networks

H04M 15/56 : for VoIP communications

H04M 15/63 : based on the content carrie...

H04M 15/8292 : Charging for signaling or u...

H04M 2207/35 : virtual private networks

H04M 2215/0148 : Fraud detection or preventi...

H04M 2215/0172 : Mediation, i.e. device or p...

H04M 2215/202 : VoIP; Packet switched telep...

H04M 2215/2046 : Hybrid network

H04M 2215/22 : Bandwidth or usage-sensitve...

H04M 2215/44 : Charging/billing arrangemen...

H04M 2242/06 : Lines and connections with ...

H04M 3/42187 : Lines and connections with ...

H04M 7/006 : Networks other than PSTN/IS...

H04M 7/0078 : Security; Fraud detection; ...

H04Q 2213/13166 : Fault prevention

H04Q 2213/13384 : Inter-PBX traffic, PBX netw...

H04Q 2213/13389 : LAN, internet

H04Q 2213/13399 : Virtual channel/circuits

H04Q 3/0029 : Provisions for intelligent ...

H04W 12/126 : Anti-theft arrangements, e....

View All

Virtual private network (VPN)-aware customer premises equipment (CPE) edge router

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual private network (VPN)-aware customer premises equipment (CPE) edge router

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links