Broadband access for virtual private networks
First Claim
1. A method for providing a virtual private network, by receiving from a customer originating device of a first local area network, a local area network frame for transmission to a customer destination device in a second local area network over broadband access links that include customer local area network edge devices of at least one customer and an ingress edge device and an egress edge device of a service provider network, the method comprising:
assigning to each edge device of the service provider a unicast IPv6 address, from an IPv6 address block of the service provider, that corresponds to a particular local area network of the customer;
assigning to each edge device of the service provider a virtual private network specific multicast IPv6 address, from the IPv6 address block of the service provider, using the virtual private network specific multicasting IPv6 address for multicasting packets to all of the edge devices of the service provider serving the virtual private network;
determining whether an IPv6 packet includes a destination address of a customer destination device, and whether the destination address is mapped to an egress edge device of the service provider,
when mapping of the destination address to an egress edge device does not exist, encapsulating the local area network frame in a multicast IPv6 packet, the multicast IPv6 packet including the IPv6 address of the ingress edge device of the service provider as the source address and the multicast IPv6 address of the virtual private network as the destination multicast address;
when mapping of the destination address to an egress edge device does exist, encapsulating the local area network frame in a unicast IPv6 packet, including the unicast IPv6 address of the egress edge device of the service provider;
adding a virtual private network identification header to a header of the IPv6 packet, the virtual private network identification header including a destination option, a virtual private network hop count and an identification number identifying the virtual private network of the customer;
broadcasting the IPv6 packets having multicast addresses through the service provider network to all of the edge devices serving the virtual private network;
transmitting the IPv6 packets having the unicast IPv6 address, through the service provider network to a particular egress device;
authenticating the IPv6 packets at the egress device of the service provider using the virtual private network identification;
discarding any IPv6 packets that cannot be authenticated;
decapsulating and extracting the local area network frame of authenticated IPv6 packets at the egress device of the service provider;
forwarding the decapsulated local area network frame to the destination local area network; and
transmitting the decapsulated customer local area network frame to the customer destination device.
4 Assignments
0 Petitions
Abstract
Broadband access is provided to a virtual private network (VPN), including multiple local area networks (LANs) configured to interface with an IPv6 service provider network. Data to be routed from an originating device in an originating LAN to a destination device in a destination LAN is received by an ingress line interface and encapsulated in an IPv6 packet. A unique identification number assigned to the VPN is added to the IPv6 packet. When the destination device's address is not mapped to a corresponding egress line interface, the IPv6 packet is broadcast to a multicast address associated with the VPN. When the destination device's address is mapped to the egress line interface, the IPv6 packet is unicast to the egress line interface. The data is ultimately received and decapsulated by the egress line interface. After the VPN identification number is verified, the data is transmitted to the destination device.
98 Citations
20 Claims
11. A service provider network for providing a virtual private network, for receiving from a customer originating device of a first local area network, a local area network frame for transmission to a customer destination device in a second local area network over broadband access links that include local area network edge devices of the customer coupled to the service provider network, the service provider network comprising:
a plurality of ingress edge devices and egress edge devices;
each edge device being assigned a unicast IPv6 address, from an IPv6 address block of the service provider, that corresponds to a particular local area network of the customer;
each edge device also being assigned a virtual private network specific multicast IPv6 address, from the IPv6 address block of the service provider, which is used for multicasting packets to all of the edge devices of the service provider serving the virtual private network;
each edge device determining whether an IPv6 packet includes a destination address of a customer destination device, and whether the destination address is mapped to an egress edge device of the service provider,
when mapping of the destination address to an egress edge device does not exist, encapsulating the local area network frame in a multicast IPv6 packet, the multicast IPv6 packet including the IPv6 address of the ingress edge device of the service provider as the source address and the multicast IPv6 address of the virtual private network as the destination multicast address;
when mapping of the destination address to an egress edge device does exist, encapsulating the local area network frame in a unicast IPv6 packet, including the unicast IPv6 address of the egress edge device of the service provider;
wherein a virtual private network identification header is added to a header of the IPv6 packet, the virtual private network identification header including a destination option, a virtual private network hop count and an identification number identifying the virtual private network of the customer;
wherein the IPv6 packets having multicast addresses are broadcast through the service provider network to all of the edge devices serving the virtual private network;
wherein the IPv6 packets having the unicast IPv6 address are transmitted through the service provider network to a particular egress device;
wherein the IPv6 packets are authenticated at the egress devices of the service provider;
wherein any IPv6 packets that cannot be authenticated are discarded;
wherein the local area network frame of authenticated IPv6 packets are decapsulated and extracted at the egress device of the service provider;
wherein the decapsulated local area network frames are forwarded to the destination local area network; and
wherein the decapsulated local area network frames are transmitted to the customer destination device.
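The ingress and egress edge-device steps of claims 1 and 11 (unicast when the destination is mapped, multicast otherwise, VPN identification carried in a Destination Options header, discard at egress when the identification does not match), as an added Python simulation that is not part of the patent text. All addresses, the VPN id, the MAC-to-egress mapping, the option type OPT_VPN and the use of protocol number 143 for the inner frame are constructed assumptions; the patent does not specify the option encoding.

```python
"""Constructed simulation of the ingress/egress edge-device steps in claims 1 and 11."""
import socket
import struct

# Constructed addresses and identifiers (not from the patent).
VPN_ID = 0x2A                    # identification number of the customer's VPN
VPN_MCAST = "ff3e::2a"           # VPN-specific multicast address of the provider
INGRESS = "2001:db8::1"          # unicast address of the ingress edge device
EGRESS_MAP = {"02:00:00:00:00:02": "2001:db8::2"}  # dest MAC -> egress unicast
NEXT_HDR_DSTOPTS = 60            # IPv6 Destination Options extension header
NEXT_HDR_ETHER = 143             # IANA protocol 143 (Ethernet), assumed for the inner frame
OPT_VPN = 0x3F                   # hypothetical option type for the VPN identification

def vpn_dest_options(vpn_id, hop_count):
    """Destination Options header: one VPN option (hop count + 32-bit VPN id)
    followed by a PadN option so the header is exactly 16 bytes (ext len 1)."""
    option = struct.pack("!BBBI", OPT_VPN, 5, hop_count, vpn_id)   # 7 bytes
    padn = b"\x01\x05" + b"\x00" * 5                               # 7 bytes
    return struct.pack("!BB", NEXT_HDR_ETHER, 1) + option + padn

def ip6(addr):
    return socket.inet_pton(socket.AF_INET6, addr)

def dest_addr(packet):
    return socket.inet_ntop(socket.AF_INET6, packet[24:40])

def encapsulate(frame, vpn_id):
    """Ingress edge device: if the frame's destination MAC is mapped to an
    egress device, unicast to it; otherwise multicast to every edge device
    serving the VPN. The VPN identification header is added in both cases."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[:6])
    dst = EGRESS_MAP.get(dst_mac, VPN_MCAST)
    payload = vpn_dest_options(vpn_id, 0) + frame
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), NEXT_HDR_DSTOPTS, 64)
    return fixed + ip6(INGRESS) + ip6(dst) + payload

def egress_receive(packet, served_vpn_id):
    """Egress edge device: authenticate the VPN identification and return the
    decapsulated LAN frame, or None when the packet must be discarded."""
    ver_flow, plen, nxt, _hlim = struct.unpack("!IHBB", packet[:8])
    if ver_flow >> 28 != 6 or nxt != NEXT_HDR_DSTOPTS:
        return None                                   # not a VPN-encapsulated packet
    ext_len = (packet[41] + 1) * 8                    # hdr ext len field, in 8-octet units
    opt_type, opt_len, hop, vpn_id = struct.unpack("!BBBI", packet[42:49])
    if opt_type != OPT_VPN or opt_len != 5 or vpn_id != served_vpn_id:
        return None                                   # cannot be authenticated: discard
    return packet[40 + ext_len:40 + plen]             # inner LAN frame
```

As the claims state, the egress check is a match on the VPN identification number alone, so a frame encapsulated under a different VPN's id is never delivered onto the customer LAN; the patent text describes no integrity or origin check beyond that match.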