Method and apparatus for supporting multiple customer provisioned IPSec VPNs
First Claim
1. A method of supporting multiple customer provisioned Virtual Private Networks (VPNs) in a scalable manner, the method comprising the steps of:
- instantiating, by a Customer Edge (CE) network element, a Virtual Routing and Forwarding (VRF) process for each of the customer provisioned VPNs to be supported by the CE network element;
- establishing, by the CE network element, a separate Internet Protocol Security (IPSec) secure data channel for each VPN to be supported, by obtaining a shared group security association for each VPN from a Group Controller Key Server (GCKS); and
- instantiating, by the CE network element, a Network Routing Engine (NRE) process configured to interact with the VRF processes, the NRE process maintaining an interface table containing a mapping between VRF name and interface ID for each of the secure control channels, secure data channels, and local interfaces.
Abstract
Customer traffic may be segregated using customer provisioned IPSec VPNs implemented using group security associations for IPSec tunnels, by causing the CE network element to implement multiple VRFs for the several VPNs, each of which may be used for a different segment of the customer's traffic. The CE network element may implement a single MPBGP peering session with the GCKS/RR for all VPNs, and may establish secure data channels for each of the VPNs based on the group security associations for each of the VPNs. Although a common MPBGP peering session may be used, routing information for the several VRFs may be separated by applying per-VRF import policies at the CE, so that each VPN only has access to routes intended to be advertised to that VPN.
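The separation described in the abstract, as an added toy model (not code from the patent): one NRE receives a single MP-BGP update stream shared by all VRFs, keeps the VRF-name-to-interface-ID table from the claims, and applies a per-VRF import policy so each VPN's table only holds its own routes. The patent does not say how the import policy is expressed; matching on BGP route-target communities, the interface names, prefixes and next hops are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    route_targets: frozenset   # assumption: import policy keyed on BGP route-target communities

@dataclass
class Vrf:
    name: str
    import_rts: frozenset                        # this VRF's import policy
    table: dict = field(default_factory=dict)    # prefix -> Route (per-VRF routing table)

class NetworkRoutingEngine:
    """Toy NRE: a single MP-BGP session to the GCKS/RR shared by every VRF, plus the
    interface table mapping VRF name -> interface IDs (control, data, local)."""
    CONTROL_IF = "ipsec-ctrl0"   # the one secure control channel, common to all VRFs

    def __init__(self):
        self.vrfs = {}
        self.interface_table = {}   # vrf name -> {"control": id, "data": id, "local": [ids]}

    def add_vrf(self, name, import_rts, data_if, local_ifs):
        self.vrfs[name] = Vrf(name, frozenset(import_rts))
        self.interface_table[name] = {"control": self.CONTROL_IF,  # shared by all VRFs
                                      "data": data_if,             # per-VPN IPsec channel (group SA)
                                      "local": list(local_ifs)}

    def receive_update(self, routes):
        # One update arrives on the common session; each VRF imports only what its policy admits.
        for r in routes:
            for vrf in self.vrfs.values():
                if r.route_targets & vrf.import_rts:
                    vrf.table[r.prefix] = r

    def lookup(self, vrf_name, prefix):
        # (next_hop, data-channel interface) for a prefix in a VRF, or None if that VPN has no route.
        r = self.vrfs[vrf_name].table.get(prefix)
        return None if r is None else (r.next_hop, self.interface_table[vrf_name]["data"])

def build_demo():
    """Constructed scenario: two VPNs on one CE, one shared peering session."""
    nre = NetworkRoutingEngine()
    nre.add_vrf("vpn-a", {"65000:100"}, "ipsec-data1", ["eth1"])
    nre.add_vrf("vpn-b", {"65000:200"}, "ipsec-data2", ["eth2"])
    nre.receive_update([   # constructed MP-BGP update, received once for all VRFs
        Route("10.1.0.0/16", "192.0.2.10", frozenset({"65000:100"})),
        Route("10.2.0.0/16", "192.0.2.20", frozenset({"65000:200"})),
        Route("10.3.0.0/16", "192.0.2.30", frozenset({"65000:100", "65000:200"})),  # shared prefix
    ])
    return nre
```

Traffic in vpn-a towards 10.2.0.0/16 has no route at all, rather than being forwarded over the other VPN's channel, which is the property the per-VRF import policy is meant to give.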
14 Claims
1. A method of supporting multiple customer provisioned Virtual Private Networks (VPNs) in a scalable manner, as set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A network, comprising:
- a plurality of CE network elements interconnected by a provider network, at least some of the CE network elements being connected to more than one Virtual Private Network (VPN) site, the CE network elements implementing a separate Virtual Routing and Forwarding (VRF) process for each VPN site to which they are attached and implementing a separate Internet Protocol Security (IPSec) secure data channel for each VPN site to which they are attached;
- a GCKS accessible over the provider network and configured to provide group security associations to the CE network elements for use in creation of the secure data channels; and
- a route reflector accessible over the provider network and configured to perform route reflection on secure control channels between the route reflector and the CE network elements;
wherein the CE network elements are each configured to use one of the secure control channels to transmit routing information for each of the VRFs implemented on that CE network element, and wherein the CE network elements instantiate Network Routing Engine (NRE) processes configured to interact with the VRF processes, each NRE process maintaining an interface table containing a mapping between VRF name and interface ID for each of the secure control channels, secure data channels, and local interfaces.

10. A Customer Edge (CE) network element, comprising:
- a data plane configured to forward data traffic on a communication network; and
- a control plane configured to control a manner in which the data plane is configured to forward traffic on the communication network, the control plane containing at least one processor containing control logic that is configured to:
  - instantiate a plurality of Virtual Routing and Forwarding (VRF) processes, each of the VRF processes being associated with a separate Virtual Private Network (VPN);
  - establish a separate Internet Protocol Security (IPSec) secure data channel for each VRF process using a group security association for the VPN associated with the VRF;
  - establish a secure control channel for use by all VRF processes between the CE and a routing peering point; and
  - instantiate, by the CE network element, a Network Routing Engine (NRE) process configured to interact with the VRF processes, the NRE process maintaining an interface table containing a mapping between VRF name and interface ID for each of the secure control channels, secure data channels, and local interfaces.
Dependent claims: 11, 12, 13, 14.