Virtual private network crossovers based on certificates

US 7,574,738 B2
Filed: 11/06/2002
Issued: 08/11/2009
Est. Priority Date: 11/06/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for permitting a first device on a first Virtual Private Network (VPN) to communicate with a second device on a second VPN, the method comprising:

automatically authenticating, at an interconnection device without reference to a completely centralized decision making process, the first device on the first VPN;

automatically identifying, at the interconnection device without reference to a completely centralized decision making process, VPN parameters of the first VPN related to connecting and forwarding characteristics of the first VPN;

forwarding data from the first device on the first VPN to the second device on the second VPN via the first VPN, the interconnection device and the second VPN, said forwarding step being based on the VPN parameters of the first VPN;

automatically authenticating, at the interconnection device without reference to a completely centralized decision making process, the second device on the second VPN;

automatically identifying, at the interconnection device without reference to a completely centralized decision making process, VPN parameters of the second VPN related to connecting and forwarding characteristics of the second VPN;

reading at least a portion of the VPN parameters of the first VPN and at least a portion of the VPN parameters of the second VPN from a mapping table stored on the interconnection device which contains information related to plural VPNs associated with the interconnection device; and

forwarding data from the second device on the second VPN to the first device on the first VPN via the second VPN, the interconnection device and the first VPN.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for enabling interconnection of VPNs is disclosed. An interconnection device manages an interconnection process at one or more facilities including, for example, a gateway device. The gateway device has information relating to a plurality of VPNs, and may facilitate interconnection between devices on at least two of the VPNs by determining that one device is in fact a member of a first one of the VPNs, and by forwarding connection parameters of the first VPN to the second VPN on an as-needed basis. In this way, the gateway allows interconnection without the need for a completely centralized decision-making process, and does so independently of the type of device and/or VPN(s) being used. Moreover, the gateway may implement only those VPN parameters needed by both VPNs to communicate with one another with a desired level of security, thereby simplifying the routing and forwarding processes associated with the actual communication occurring via the interconnection. The information related to the plurality of VPNs and their respective member devices may be stored in a mapping table at the gateway, and identification parameters of a device seeking interconnection and/or associated VPN parameters may be verified by the use of digital certificates.

123 Citations

View as Search Results

37 Claims

1. A method for permitting a first device on a first Virtual Private Network (VPN) to communicate with a second device on a second VPN, the method comprising:
- automatically authenticating, at an interconnection device without reference to a completely centralized decision making process, the first device on the first VPN;
  
  automatically identifying, at the interconnection device without reference to a completely centralized decision making process, VPN parameters of the first VPN related to connecting and forwarding characteristics of the first VPN;
  
  forwarding data from the first device on the first VPN to the second device on the second VPN via the first VPN, the interconnection device and the second VPN, said forwarding step being based on the VPN parameters of the first VPN;
  
  automatically authenticating, at the interconnection device without reference to a completely centralized decision making process, the second device on the second VPN;
  
  automatically identifying, at the interconnection device without reference to a completely centralized decision making process, VPN parameters of the second VPN related to connecting and forwarding characteristics of the second VPN;
  
  reading at least a portion of the VPN parameters of the first VPN and at least a portion of the VPN parameters of the second VPN from a mapping table stored on the interconnection device which contains information related to plural VPNs associated with the interconnection device; and
  
  forwarding data from the second device on the second VPN to the first device on the first VPN via the second VPN, the interconnection device and the first VPN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - selecting parameters from amongst the first and second VPN parameters which provide the most secure transmission of data from the first device to the second device.
  - 3. The method of claim 2, further comprising:
    - sharing a virtual router between the first VPN and the second VPN; and
      
      building a router table common to the first VPN and the second VPN at the virtual router.
  - 4. The method of claim 1, wherein said authenticating of said first device further comprises:
    - establishing an identity of the first device based on an Internet Protocol (IP) address of the first device.
  - 5. The method of claim 1, wherein said authenticating of said first device further comprises:
    - establishing an identity of the first device based on information provided by a user of the first device.
  - 6. The method of claim 1, wherein the mapping table is read-only with respect to an administrator of the interconnection device.
  - 7. The method of claim 1, further comprising:
    - updating the mapping table stored on the interconnection device and containing information related to plural VPNs associated with the interconnection device based on authentication information obtained during the steps of identifying the first and second VPN parameters.
  - 8. The method of claim 1, wherein the first VPN parameters include an identification of a virtual router within the interconnection device used to route the data.
  - 9. The method of claim 1, wherein said authenticating of said first device further comprises:
    - requesting a digital certificate from a certification authority based on identification information related to the first device and received therefrom; and
      
      establishing a security association between the first device and the interconnection device.
  - 10. The method of claim 9, wherein the digital certificate includes VPN parameters defined by a customer of a VPN service provider.
  - 11. The method of claim 9, wherein the digital certificate is associated with the first device.
  - 12. The method of claim 9, wherein the digital certificate is associated with the first VPN.
  - 13. The method of claim 1, wherein the VPN parameters are preloaded at the interconnection device by an administrator of the interconnection device.
  - 14. The method of claim 1, wherein first VPN parameters are dynamically loaded at the interconnection device based on a digital certificate associated with the first device or the first VPN.
  - 15. The method of claim 1, wherein first VPN parameters include packet filtering rules for determining a forwarding status of the data.
  - 16. The method of claim 1, wherein said operation of forwarding data further comprises:
    - forwarding the data to a proxy server, the proxy server operable to determine a forwarding status of packets associated with the data; and
      
      forwarding a copy of the data from the first device to the second device when permitted by the proxy server.

17. A method for forwarding communications between a first device on a first Virtual Private Network (VPN) and a second device on a second VPN via an interconnection device, the method comprising:
- receiving first identification information from the first device on the first VPN at a first filtering and forwarding engine within the interconnection device;
  
  forwarding the first identification information to a control subsystem within the interconnection device;
  
  automatically authenticating the first device as a member of the first VPN, the first device authenticating step including automatically verifying, at the control subsystem within the interconnection device without reference to a completely centralized decision making process, first VPN parameters associated with the first VPN;
  
  providing the first VPN parameters to the first filtering and forwarding engine;
  
  forwarding the communications from the first device to the second device via the first filtering and forwarding engine and in accordance with the first VPN parameters;
  
  receiving second identification information from the second device on the second VPN at a second filtering and forwarding engine within the interconnection device;
  
  forwarding the second identification information to the control subsystem within the interconnection device;
  
  automatically authenticating the second device as a member of the second VPN, the second device authenticating step including automatically verifying, at the control subsystem within the interconnection device without reference to a completely centralized decision making process, second VPN parameters associated with the second VPN;
  
  providing the second VPN parameters to the second filtering and forwarding engine;
  
  forwarding further communications from the second device to the first device via the second filtering and forwarding engine and in accordance with the second VPN parameters; and
  
  updating the VPN parameters within a mapping table containing VPN parameter categories for each of plural VPNs associated with the interconnection device.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The method of claim 17, wherein said first identification information further comprises an Internet Protocol (IP) address of the first device.
  - 19. The method of claim 17, wherein said first identification information further comprises user authentication information entered by a user of the first device.
  - 20. The method of claim 17 wherein said forwarding further comprises:
    - sending a request from the first filtering and forwarding engine to the control subsystem for a digital certificate;
      
      obtaining the digital certificate from an external certification authority; and
      
      extracting at least a subset of the first VPN parameters from the digital certificate.
  - 21. The method of claim 20, wherein the digital certificate includes first VPN parameters defined by a customer leasing the VPN from a carrier.
  - 22. The method of claim 20, further comprising:
    - establishing a security association between the first device and the interconnection device.
  - 23. The method of claim 17, wherein the second device is the interconnection device.
  - 24. The method of claim 17, wherein the first VPN parameters include routing and filtering rules associated with the first VPN.
  - 25. The method of claim 17, wherein the first VPN parameters include an identification of a virtual router within the interconnection device used to route the data.

26. An interconnection device for allowing communications between a first device on a first Virtual Private Network (VPN) and a second device on a second VPN, the interconnection device comprising:
- a mapping table containing VPN information describing operations of the first and second VPNs;
  
  first and second filtering and forwarding engines operable to receive first and second identification information related to the first device on the first VPN and the second device on the second VPN, respectively; and
  
  a control subsystem operable to automatically authenticate, without reference to a completely centralized decision making process, the first device on the first VPN and the second device on the second VPN based on the first identification information and the second identification information, respectively,wherein the control subsystem is further operable to automatically identify, without reference to a completely centralized decision making process, first VPN information related to the first device on the first VPN and second VPN information related to the second device on the second VPN, and to modify the first and second VPN information within the mapping table such that the first and second filtering and forwarding engines transmit the communications between the first device on the first VPN to the second device on the second VPN in accordance therewith.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The interconnection device of claim 26, further comprising:
    - a virtual router operable to route the communications between the first device on the first VPN and the second device on the second VPN; and
      
      a router table stored on the virtual router that is common to the first VPN and the second VPN.
  - 28. The interconnection device of claim 26, wherein the mapping table is read-only with respect to an administrator of the interconnection device.
  - 29. The interconnection device of claim 26, further comprising:
    - a virtual router within the interconnection device connected to the filtering and forwarding engines and operable to route the communications.
  - 30. The interconnection device of claim 26, wherein said control subsystem sends a request to a certification authority for a digital certificate, based on the first identification information, and thereafter establishes a security association between the first device and the interconnection device.
  - 31. The interconnection device of claim 26, wherein VPN parameters are preloaded in the mapping table by an administrator of the interconnection device.
  - 32. The interconnection device of claim 26, wherein first VPN parameters are dynamically loaded at the interconnection device based on a digital certificate associated with the first device or the first VPN.
  - 33. The interconnection device of claim 26, wherein the first filtering and forwarding engine implements packet filtering rules for determining a forwarding status of the data, based on the first VPN information.
  - 34. The interconnection device of claim 26, wherein the first filtering and forwarding engine is further operable to forward the communications to a proxy server, the proxy server operable to determine a forwarding status of packets associated with the communications, the first filtering and forwarding engine further operable to forward a copy of the data from the first device to the second device when permitted by the proxy server.

35. An article of manufacture, which comprises a computer readable medium having stored therein a computer program for carrying out a method for connecting a first device on a first Virtual Private Network (VPN) to a second device on a second VPN, the computer program comprising:
- a first code segment for receiving first and second authentication requests from the first device on the first VPN and second device on the second VPN, respectively;
  
  a second code segment for automatically authenticating the first device as a member of the first VPN and for automatically authenticating the second device as a member of the second VPN, in response to the first and second authentication requests, respectively, the automatically authenticating steps being performed without reference to a completely centralized decision making process;
  
  a third code segment for automatically determining, without reference to a completely centralized decision making process, parameters associated with intra VPN data traffic including routing and forwarding parameters;
  
  a fourth code segment for implementing the routing and forwarding parameters with respect to communications between the first device and the second device; and
  
  a fifth code segment for updating the routing and forwarding parameters within a mapping table implemented by a sixth code segment.
- View Dependent Claims (36, 37)
- - 36. The article of manufacture of claim 35, wherein said second code segment further comprises:
    - a code segment for obtaining a digital certificate from an external certification authority; and
      
      a code segment for extracting at least a subset of the routing and forwarding parameters from the digital certificate.
  - 37. The article of manufacture of claim 35, further comprising:
    - a code segment for routing communications based on the routing and forwarding parameters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property II LP (AT&T, Inc.)
Inventors
Galand, Claude, Hericourt, Olivier, Le Pennec, Jean-Francois, Daude, Olivier, Fieschi, Jacques
Primary Examiner(s)
Tran, Tongoc

Application Number

US10/288,574
Publication Number

US 20040088542A1
Time in Patent Office

2,470 Days
Field of Search

726/15, 726 11- 14, 370/401, 709/225, 709/229, 709/237, 709/238, 713/156, 713/169, 713/168, 713/175, 713/153, 713/170, 713/161
US Class Current

726/15
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0236   Filtering by address, proto...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Virtual private network crossovers based on certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

123 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual private network crossovers based on certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links