Broadband access for virtual private networks

US 7,447,203 B2
Filed: 07/29/2003
Issued: 11/04/2008
Est. Priority Date: 07/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method for providing a virtual private network, by receiving from a customer originating device of a first local area network, a local area network frame for transmission to a customer destination device in a second local area network over broadband access links that include customer local area network edge devices of at least one customer and an ingress edge device and an egress edge device of a service provider network, the method comprising:

assigning to each edge device of the service provider a unicast IPv6 address, from an IPv6 address block of the service provider, that corresponds to a particular local area network of the customer;

assigning to each edge device of the service provider a virtual private network specific multicast IPv6 address, from the IPv6 address block of the service provider, using the virtual private network specific multicasting IPv6 address for multicasting packets to all of the edge devices of the service provider serving the virtual private network;

determining whether an IPv6 packet includes a destination address of a customer destination device, and whether the destination address is mapped to an egress edge device of the service provider,when mapping of the destination address to an egress edge device does not exist, encapsulating the local area network frame in a multicast IPv6 packet, the multicast IPv6 packet including the IPv6 address of the ingress edge device of the service provider as the source address and the multicast IPv6 address of the virtual private network as the destination multicast address;

when mapping of the destination address to an egress edge device does exist, encapsulating the local area network frame in a unicast IPv6 packet, including the unicast IPv6 address of the egress edge device of the service provider;

adding a virtual private network identification header to a header of the IPv6 packet, the virtual private network identification header including a destination option, a virtual private network hop count and an identification number identifying the virtual private network of the customer;

broadcasting the IPv6 packets having multicast addresses through the service provider network to all of the edge devices serving the virtual private network;

transmitting the IPv6 packets having the unicast IPv6 address, through the service provider network to a particular egress device;

authenticating the IPv6 packets at the egress device of the service provider using the virtual private network identification;

discarding any IPv6 packets that cannot be authenticated;

decapsulating and extracting the local area network frame of authenticated IPv6 packets at the egress device of the service provider;

forwarding the decapsulated local area network frame to the destination local area network; and

transmitting the decapsulated customer local area network frame to the customer destination device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Broadband access is provided to a virtual private network (VPN), including multiple local area networks (LANs) configured to interface with an IPv6 service provider network. Data to be routed from an originating device in an originating LAN to a destination device in a destination LAN is received by an ingress line interface and encapsulated in an IPv6 packet. A unique identification number assigned to the VPN is added to the IPv6 packet. When the destination device'"'"'s address is not mapped to a corresponding egress line interface, the IPv6 packet is broadcast to a multicast address associated with the VPN. When the destination device'"'"'s address is mapped to the egress line interface, the IPv6 packet is unicast to the egress line interface. The data is ultimately received and decapsulated by the egress line interface. After the VPN identification number is verified, the data is transmitted to the destination device.

98 Citations

View as Search Results

20 Claims

1. A method for providing a virtual private network, by receiving from a customer originating device of a first local area network, a local area network frame for transmission to a customer destination device in a second local area network over broadband access links that include customer local area network edge devices of at least one customer and an ingress edge device and an egress edge device of a service provider network, the method comprising:
- assigning to each edge device of the service provider a unicast IPv6 address, from an IPv6 address block of the service provider, that corresponds to a particular local area network of the customer;
  
  assigning to each edge device of the service provider a virtual private network specific multicast IPv6 address, from the IPv6 address block of the service provider, using the virtual private network specific multicasting IPv6 address for multicasting packets to all of the edge devices of the service provider serving the virtual private network;
  
  determining whether an IPv6 packet includes a destination address of a customer destination device, and whether the destination address is mapped to an egress edge device of the service provider,when mapping of the destination address to an egress edge device does not exist, encapsulating the local area network frame in a multicast IPv6 packet, the multicast IPv6 packet including the IPv6 address of the ingress edge device of the service provider as the source address and the multicast IPv6 address of the virtual private network as the destination multicast address;
  
  when mapping of the destination address to an egress edge device does exist, encapsulating the local area network frame in a unicast IPv6 packet, including the unicast IPv6 address of the egress edge device of the service provider;
  
  adding a virtual private network identification header to a header of the IPv6 packet, the virtual private network identification header including a destination option, a virtual private network hop count and an identification number identifying the virtual private network of the customer;
  
  broadcasting the IPv6 packets having multicast addresses through the service provider network to all of the edge devices serving the virtual private network;
  
  transmitting the IPv6 packets having the unicast IPv6 address, through the service provider network to a particular egress device;
  
  authenticating the IPv6 packets at the egress device of the service provider using the virtual private network identification;
  
  discarding any IPv6 packets that cannot be authenticated;
  
  decapsulating and extracting the local area network frame of authenticated IPv6 packets at the egress device of the service provider;
  
  forwarding the decapsulated local area network frame to the destination local area network; and
  
  transmitting the decapsulated customer local area network frame to the customer destination device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1 wherein the ingress edge device of the service provider adds the virtual private network identification number to the IPv6 packet header.
  - 3. The method according to claim 1 wherein the customer local area network edge device adds the virtual private network identification number to the IPv6 packet header, and the ingress edge device confirms the virtual private network identification number.
  - 4. The method according to claim 1, in which the IPv6 packet is discarded when the egress edge device does not recognize the destination option type in the header.
  - 5. The method according to claim 1, in which the virtual private network hop number is incremented every time the IPv6 packet is forwarded by an edge device of the service provider network.
  - 6. The method according to claim 1, in which the egress edge device includes a virtual learning bridge for authenticating the IPv6 packet, the egress edge device determines whether the virtual private network identification number of the received IPv6 packet matches the assigned customer virtual private network identification number, and any IPv6 packets that do not include a matching virtual private network identification number are discarded.
  - 7. The method according to claim 1, in which destination local area network edge device of the customer determines whether the virtual private network identification number of the received IPv6 packet matches the assigned virtual private network identification number and discards unauthorized packets.
  - 8. The method according to claim 1, wherein the authentication of the virtual private network identification numbers can be disabled in the service provider network or the destination local area network to enable interworking among a plurality of virtual private networks.
  - 9. The method according to claim 1, in which the egress edge device includes a virtual learning bridge for learning and caching a mapping of identification information, including an Ethernet MAC address or an identification number of the originating customer device, to the IPv6 address of the ingress edge device, from which the local area network frame was sent, such that when the egress edge device receives subsequent local area network frames from the customer destination device destined for the customer originating device, the egress edge device encapsulates the local area network frame in a unicast IPv6 packet and unicasts the IPv6 packet to the ingress edge device using the cached mapping.
  - 10. The method according to claim 1, in which edge devices of the service provider are configured to recognize and authenticate multiple, previously assigned virtual private network identification numbers, corresponding to interworking virtual private networks, instead of a single virtual private network identification number corresponding to one customer.

11. A service provider network for providing a virtual private network, for receiving from a customer originating device of a first local area network, a local area network frame for transmission to a customer destination device in a second local area network over broadband access links that include local area network edge devices of the customer coupled to the service provider network, the service provider network comprising:
- a plurality of ingress edge devices and egress edge devices;
  
  each edge device being assigned a unicast IPv6 address, from an IPv6 address block of the service provider, that corresponds to a particular local area network of the customer;
  
  each edge device also being assigned a virtual private network specific multicast IPv6 address, from the IPv6 address block of the service provider, which is used for multicasting packets to all of the edge devices of the service provider serving the virtual private network;
  
  each edge device determining whether an IPv6 packet includes a destination address of a customer destination device, and whether the destination address is mapped to an egress edge device of the service provider,when mapping of the destination address to an egress edge device does not exist, encapsulating the local area network frame in a multicast IPv6 packet, the multicast IPv6 packet including the IPv6 address of the ingress edge device of the service provider as the source address and the multicast IPv6 address of the virtual private network as the destination multicast address;
  
  when mapping of the destination address to an egress edge device does exist, encapsulating the local area network frame in a unicast IPv6 packet, including the unicast IPv6 address of the egress edge device of the service provider;
  
  wherein a virtual private network identification header is added to a header of the IPv6 packet, the virtual private network identification header including a destination option, a virtual private network hop count and an identification number identifying the virtual private network of the customer;
  
  wherein the IPv6 packets having multicast addresses are broadcast through the service provider network to all of the edge devices serving the virtual private network;
  
  wherein the IPv6 packets having the unicast IPv6 address are transmitted through the service provider network to a particular egress device;
  
  wherein the IPv6 packets are authenticated at the egress devices of the service provider;
  
  wherein any IPv6 packets that cannot be authenticated are discarded;
  
  wherein the local area network frame of authenticated IPv6 packets are decapsulated and extracted at the egress device of the service provider;
  
  wherein the decapsulated local area network frames are forwarded to the destination local area network; and
  
  wherein the decapsulated local area network frames are transmitted to the customer destination device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The network according to claim 11 wherein the ingress edge device of the service provider adds the virtual private network identification number to the IPv6 packet header.
  - 13. The network according to claim 11 wherein the customer edge device adds the virtual private network identification number to the IPv6 packet header, and the ingress edge device confirms the virtual private network identification number.
  - 14. The network according to claim 11, in which the IPv6 packet is discarded when the egress edge device does not recognize the destination option type in the header.
  - 15. The network according to claim 11, in which the virtual private network hop number is incremented every time the IPv6 packet is forwarded by an edge device of the service provider network.
  - 16. The network according to claim 11, in which the egress edge device includes a virtual learning bridge for authenticating the IPv6 packet, the egress edge device determines whether the virtual private network identification number of the received IPv6 packet matches the assigned customer virtual private network identification number, and any IPv6 packets that do not include a matching virtual private network identification number are discarded.
  - 17. The network according to claim 11, in which destination local area network edge device of the customer determines whether the virtual private network identification number of the received IPv6 packet matches the assigned virtual private network identification number and discards unauthorized packets.
  - 18. The network according to claim 11, wherein the authentication of the virtual private network identification numbers can be disabled in the service provider network or the destination local area network to enable interworking among a plurality of virtual private networks.
  - 19. The network according to claim 11, in which the egress edge device includes a virtual learning bridge for learning and caching a mapping of identification information, including an Ethernet MAC address or an identification number of the originating customer device, to the IPv6 address of the ingress edge device, from which the local area network frame was sent, such that when the egress edge device receives subsequent local area network frames from the customer destination device destined for the customer originating device, the egress edge device encapsulates the local area network frame in a unicast IPv6 packet and unicasts the IPv6 packet to the ingress edge device using the cached mapping.
  - 20. The network according to claim 11, in which edge devices of the service provider are configured to recognize and authenticate multiple, previously assigned virtual private network identification numbers, corresponding to interworking virtual private networks, instead of a single virtual private network identification number corresponding to one customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Marlow Technologies, Llc
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Allen, Keith Joseph, Chen, Weijing
Primary Examiner(s)
Wilson; Robert W

Application Number

US10/628,238
Publication Number

US 20050025143A1
Time in Patent Office

1,925 Days
Field of Search

None
US Class Current

370/389
CPC Class Codes

H04L 12/46   Interconnection of networks

H04L 12/4625   Single bridge functionality...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/74   Address processing for routing

H04L 49/354   for supporting virtual loca...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 65/611   for multicast or broadcast ...

H04L 69/22   Parsing or analysis of headers

Broadband access for virtual private networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Broadband access for virtual private networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links