Method of providing an encrypted multipoint VPN service
First Claim
1. A method of providing an encrypted multipoint Virtual Private Network (VPN) service comprising:
receiving a first packet of a plurality of packets at an ingress Provider Edge (PE) router in a network including a hub and an egress PE router, the plurality of packets destined for a remote server in communication with said egress PE router;
performing a lookup at said ingress PE router for a destination prefix of said first packet, and determining that a next-hop for said first packet is reachable through a tunnel;
sending, by said ingress PE router, a resolution request to said hub to acquire a routable Internet Protocol (IP) address associated with said egress PE router;
encapsulating, encrypting and sending a first subset of said plurality of packets to said hub, said first subset of said plurality of packets including packets received until a resolution reply is received by said ingress PE router and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said first subset of said plurality of packets carrying a bit set in a header indicating that said header includes a tunnel IP address of said egress PE router which should be used for forwarding said first subset of said plurality of packets;
receiving a resolution reply from said hub at said ingress PE router;
updating a next-hop cache of said ingress PE router;
exchanging IPSec SAs with said egress PE router;
updating an FIB entry with said SAs; and
establishing the VPN between said egress PE router and said ingress PE router, and forwarding a second subset of said plurality of packets including all packets subsequent to the first subset of said plurality of packets destined for said egress PE router directly towards said egress PE router across said VPN established between said egress PE router and said ingress PE router.
Abstract
A method, apparatus and computer program product for providing an encrypted multipoint Virtual Private Network (VPN) service is presented. A first packet of a plurality of packets is received at an ingress provider edge (PE) router, the plurality of packets destined for a remote server in communication with an egress PE router. A lookup for a destination prefix of the first packet is performed, and a determination is made that a next-hop for the first packet is reachable through an mGRE tunnel. A resolution request is sent to a hub to acquire a routable IP address. Packets sent to the hub are encapsulated and encrypted until a resolution reply is received and until security associations (SAs) have been exchanged. Then a VPN is established between the ingress and egress PEs and is used for all subsequent packets.
37 Citations
20 Claims
1. A method of providing an encrypted multipoint Virtual Private Network (VPN) service comprising:
receiving a first packet of a plurality of packets at an ingress Provider Edge (PE) router in a network including a hub and an egress PE router, the plurality of packets destined for a remote server in communication with said egress PE router;
performing a lookup at said ingress PE router for a destination prefix of said first packet, and determining that a next-hop for said first packet is reachable through a tunnel;
sending, by said ingress PE router, a resolution request to said hub to acquire a routable Internet Protocol (IP) address associated with said egress PE router;
encapsulating, encrypting and sending a first subset of said plurality of packets to said hub, said first subset of said plurality of packets including packets received until a resolution reply is received by said ingress PE router and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said first subset of said plurality of packets carrying a bit set in a header indicating that said header includes a tunnel IP address of said egress PE router which should be used for forwarding said first subset of said plurality of packets;
receiving a resolution reply from said hub at said ingress PE router;
updating a next-hop cache of said ingress PE router;
exchanging IPSec SAs with said egress PE router;
updating an FIB entry with said SAs; and
establishing the VPN between said egress PE router and said ingress PE router, and forwarding a second subset of said plurality of packets including all packets subsequent to the first subset of said plurality of packets destined for said egress PE router directly towards said egress PE router across said VPN established between said egress PE router and said ingress PE router.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A computer readable medium having computer readable code thereon for providing an encrypted multipoint Virtual Private Network (VPN) service, the medium comprising:
instructions for receiving a first packet of a plurality of packets at an ingress Provider Edge (PE) router in a network including a hub and an egress PE router, the plurality of packets destined for a remote server in communication with said egress PE router;
instructions for performing a lookup at said ingress PE router for a destination prefix of said first packet, and determining that a next-hop for said first packet is reachable through a tunnel;
instructions for sending, by said ingress PE router, a resolution request to said hub to acquire a routable Internet Protocol (IP) address associated with said egress PE router;
instructions for encapsulating, encrypting and sending a first subset of said plurality of packets to said hub, said first subset of said plurality of packets including packets received until a resolution reply is received by said ingress PE router and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said first subset of said plurality of packets carrying a bit set in a header that indicates said header includes a tunnel IP address of said egress PE router to be used for forwarding said first subset of said plurality of packets;
instructions for receiving a resolution reply from said hub at said ingress PE router;
instructions for updating a next-hop cache of said ingress PE router;
instructions for exchanging IPSec SAs with said egress PE router;
instructions for updating an FIB entry with said SAs; and
instructions for establishing the VPN between said egress PE router and said ingress PE router, and forwarding a second subset of said plurality of packets including all packets subsequent to the first subset of said plurality of packets destined for said egress PE router directly towards said egress PE router across said VPN established between said egress PE router and said ingress PE router.
Dependent claims: 9, 10, 11, 12, 13, 14

15. An ingress Provider Edge (PE) router comprising:
a memory;
a processor;
a communications interface;
an interconnection mechanism coupling the memory, the processor and the communications interface; and
wherein the memory is encoded with an application providing an encrypted multipoint Virtual Private Network (VPN) service that when performed on the processor, provides a process for processing information, the process causing the computer system to perform the operations of:
receiving a first packet of a plurality of packets in a network including a hub and an egress Provider Edge (PE) router, the plurality of packets destined for a remote server in communication with said egress PE router;
performing a lookup at said ingress PE router for a destination prefix of said first packet, and determining that a next-hop for said first packet is reachable through a tunnel;
sending a resolution request to said hub to acquire a routable Internet Protocol (IP) address associated with said egress PE router;
encapsulating, encrypting and sending a first subset of said plurality of packets to said hub until a resolution reply is received and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said first subset of said plurality of packets carrying a bit set in a header indicating that said header includes a tunnel IP address of said egress PE router which should be used for forwarding said first subset of said plurality of packets;
receiving a resolution reply from said hub;
updating a next-hop cache;
exchanging SAs with said egress PE router;
updating an FIB entry with said SAs; and
establishing the VPN with said ingress PE router, and forwarding a second subset of said plurality of packets including all packets subsequent to the first subset of said plurality of packets destined for said egress PE router directly towards said egress PE router across said VPN established between said egress PE router and said ingress PE router.
Dependent claims: 16, 17

18. A hub comprising:
a memory;
a processor;
a communications interface;
an interconnection mechanism coupling the memory, the processor and the communications interface; and
wherein the memory is encoded with an application providing an encrypted multipoint Virtual Private Network (VPN) service that when performed on the processor, provides a process for processing information, the process causing the computer system to perform the operations of:
receiving, from an ingress Provider Edge (PE) router, a resolution request to provide a routable Internet Protocol (IP) address associated with said egress PE router;
receiving packets at said hub until a resolution reply is sent to said ingress PE router and until Security Associations (SAs) have been exchanged between said ingress PE router and said egress PE router, said packets carrying a bit set in a header indicating that said header includes a tunnel IP address of said egress PE router which should be used for forwarding said packets; and
providing a resolution reply to said ingress PE router.
Dependent claims: 19, 20
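The forwarding transition that the abstract and claims 1, 8, 15 and 18 describe (hub-relayed, flagged packets while the egress PE is unresolved or has no SAs, then direct spoke-to-spoke forwarding) can be followed in a small executable model. The code below is an added illustration, not part of the patent text or of any vendor implementation: the addresses, SPI values, the FLAG constant, the header field names and the class names are assumptions, encryption is represented only by recording which SA protects a packet, and no real mGRE, NHRP or IPsec processing is performed.

```python
"""Forwarding-state model for the hub-then-direct transition in the claims.

Constructed example. Addresses, SPIs, the FLAG constant and the field names are
assumptions chosen for illustration; this is not a real mGRE/NHRP/IPsec stack.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The "bit set in a header" of the claims: tells the hub the header already
# carries the egress PE's tunnel IP, so it forwards on that without a lookup.
FLAG_EGRESS_TUNNEL_IP_PRESENT = 0x1  # assumed name and value


@dataclass
class SA:
    """Stand-in for an IPsec Security Association, identified by its SPI."""
    spi: int
    peer_tunnel_ip: str


@dataclass
class FibEntry:
    prefix: str
    next_hop_tunnel_ip: Optional[str]  # None: not reachable through the tunnel
    sa: Optional[SA] = None            # set once SAs are exchanged with the egress PE


@dataclass
class Hub:
    registrations: Dict[str, str]      # egress tunnel IP -> routable (transport) IP
    resolution_requests: List[str] = field(default_factory=list)
    relayed: List[dict] = field(default_factory=list)

    def resolve(self, tunnel_ip: str) -> Optional[str]:
        return self.registrations.get(tunnel_ip)

    def receive(self, pkt: dict) -> str:
        """Relay a hub-forwarded packet to the egress PE named in its header."""
        if not pkt["flags"] & FLAG_EGRESS_TUNNEL_IP_PRESENT:
            raise ValueError("hub-forwarded packet must carry the egress tunnel IP")
        routable = self.resolve(pkt["egress_tunnel_ip"])
        if routable is None:
            raise LookupError(f"no registration for {pkt['egress_tunnel_ip']}")
        self.relayed.append({**pkt, "relayed_to": routable})
        return routable


@dataclass
class IngressPE:
    hub: Hub
    hub_routable_ip: str
    hub_sa: SA                                   # SA protecting traffic to the hub
    fib: List[FibEntry]
    next_hop_cache: Dict[str, str] = field(default_factory=dict)  # tunnel IP -> routable IP
    requested: Set[str] = field(default_factory=set)
    sent: List[dict] = field(default_factory=list)

    def lookup(self, dst_ip: str) -> Optional[FibEntry]:
        """Longest-prefix match over the FIB."""
        addr = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for e in self.fib:
            net = ipaddress.ip_network(e.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = e, net.prefixlen
        return best

    @staticmethod
    def _encap(payload, outer_dst, sa, flags=0, egress_tunnel_ip=None) -> dict:
        # Encryption is modelled by recording which SA (SPI) protects the packet.
        return {"outer_dst": outer_dst, "spi": sa.spi, "flags": flags,
                "egress_tunnel_ip": egress_tunnel_ip, "payload": payload}

    def forward(self, dst_ip: str, payload: str) -> str:
        """Return the path taken: 'native', 'hub' (transient) or 'direct'."""
        entry = self.lookup(dst_ip)
        if entry is None or entry.next_hop_tunnel_ip is None:
            return "native"
        egress = entry.next_hop_tunnel_ip
        # Direct path only once BOTH the reply has arrived and SAs exist.
        if egress in self.next_hop_cache and entry.sa is not None:
            pkt = self._encap(payload, self.next_hop_cache[egress], entry.sa)
            self.sent.append({**pkt, "path": "direct"})
            return "direct"
        if egress not in self.requested:            # one resolution request per egress
            self.requested.add(egress)
            self.hub.resolution_requests.append(egress)
        pkt = self._encap(payload, self.hub_routable_ip, self.hub_sa,
                          flags=FLAG_EGRESS_TUNNEL_IP_PRESENT, egress_tunnel_ip=egress)
        self.hub.receive(pkt)
        self.sent.append({**pkt, "path": "hub"})
        return "hub"

    def on_resolution_reply(self, egress_tunnel_ip: str, routable_ip: str) -> None:
        self.next_hop_cache[egress_tunnel_ip] = routable_ip   # update next-hop cache

    def on_sas_exchanged(self, egress_tunnel_ip: str, sa: SA) -> None:
        for e in self.fib:                       # update FIB entries with the new SAs
            if e.next_hop_tunnel_ip == egress_tunnel_ip:
                e.sa = sa


def run_scenario():
    """Five packets to one remote server, interleaved with the two events."""
    hub = Hub(registrations={"10.0.0.2": "203.0.113.2"})        # constructed values
    pe = IngressPE(hub=hub, hub_routable_ip="203.0.113.1",
                   hub_sa=SA(spi=0x100, peer_tunnel_ip="10.0.0.1"),
                   fib=[FibEntry("0.0.0.0/0", None),
                        FibEntry("192.0.2.0/24", next_hop_tunnel_ip="10.0.0.2")])
    paths = [pe.forward("192.0.2.10", "pkt1"), pe.forward("192.0.2.10", "pkt2")]
    pe.on_resolution_reply("10.0.0.2", hub.resolve("10.0.0.2"))  # cache updated, no SA yet
    paths.append(pe.forward("192.0.2.10", "pkt3"))
    pe.on_sas_exchanged("10.0.0.2", SA(spi=0x200, peer_tunnel_ip="10.0.0.2"))
    paths += [pe.forward("192.0.2.10", "pkt4"), pe.forward("192.0.2.10", "pkt5")]
    return paths, pe, hub
```

Running `run_scenario()` yields the paths `['hub', 'hub', 'hub', 'direct', 'direct']`: the third packet still goes through the hub because the resolution reply alone is not enough, the SAs must also be in the FIB entry before the direct path is used. Only one resolution request reaches the hub, and every hub-relayed packet carries the flag and the egress tunnel IP that the hub uses to relay it without its own prefix lookup.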
Specification