Conditional BGP advertising for dynamic group VPN (DGVPN) clients
Abstract
In a host within a group, a method for ensuring secure communications is provided. The method involves (a) determining if a group security policy is in place for secure communication between hosts within the group, (b) if the group security policy is in place, advertising routing information to another host within the group, and (c) if the group security policy is not in place, refraining from advertising routing information to the other host. Corresponding apparatus and computer program product embodiments are also provided.
12 Claims
1. A method, performed by a first host to determine if communication with a second host is allowed within a group of at least two hosts, comprising:
  determining, at the first host, if the host includes a group security policy for secure communication between the hosts within the group, wherein:
    the first host controls a first subnet, the first subnet being part of the group; and
    the second host controls a second subnet, the second subnet being part of the group;
  advertising routing information from the first host to a second host within the group if the first host includes the group security policy, wherein advertising routing information includes:
    providing an advertisement message including:
      a routing prefix, identifying the first subnet;
      a group reference identifying the group security policy; and
      a hash combining the routing prefix with the reference;
    encrypting the advertisement message using the group security policy; and
    sending the encrypted advertisement message to the second host;
  refraining from advertising routing information from the first host to the second host if the first host does not include the group security policy;
  receiving, at the first host, a routing announcement from the second host, including routing information;
  if the routing announcement from the second host includes a second group reference identifying the group security policy, placing the routing information within a routing table contained in the first host; and
  if the routing announcement from the second host does not include the second group reference identifying the group security policy, refraining from placing the routing information within the routing table for the first host.
Dependent claims: 2, 3, 4.
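The sender and receiver sides of claim 1, as an added example; this is not the patent's reference implementation or any vendor's DGVPN code. Assumptions not present in the claims: the group security policy is modelled as a shared group key plus a group reference string; the "hash combining the routing prefix with the reference" is HMAC-SHA256 under that key; and the "encrypting the advertisement message using the group security policy" step is a stand-in SHA-256 keystream cipher with an HMAC tag (standard library only), in place of whatever cipher the real policy mandates. Host names, subnets and group references are constructed.

```python
# Added example. Assumptions (not from the claims): policy = shared key + group
# reference; binding hash = HMAC-SHA256 under the key; cipher = stand-in
# SHA-256 keystream with an HMAC tag, standing in for the policy's real cipher.
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 12, 32


@dataclass
class GroupPolicy:
    group_ref: str   # the group reference carried in advertisements
    key: bytes       # shared group key (assumption: stands in for the policy's keying material)


def bind_hash(key: bytes, prefix: str, group_ref: str) -> str:
    """Hash combining the routing prefix with the group reference (keyed, so it also binds the key)."""
    return hmac.new(key, f"{prefix}|{group_ref}".encode(), hashlib.sha256).hexdigest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Host:
    name: str
    subnet: str                              # the subnet this host controls
    policy: Optional[GroupPolicy] = None     # None: host holds no group security policy
    routing_table: Dict[str, str] = field(default_factory=dict)  # prefix -> next hop

    def advertise(self) -> Optional[bytes]:
        """Sender side: advertise only if the group policy is present, else refrain (None)."""
        if self.policy is None:
            return None
        msg = {"prefix": self.subnet, "group_ref": self.policy.group_ref,
               "hash": bind_hash(self.policy.key, self.subnet, self.policy.group_ref)}
        return encrypt(self.policy.key, json.dumps(msg).encode())

    def receive(self, blob: Optional[bytes], sender: str) -> bool:
        """Receiver side: install the route only if the announcement carries our group
        reference. Beyond the claim text, the tag and binding hash must also verify."""
        if blob is None or self.policy is None:
            return False
        plaintext = decrypt(self.policy.key, blob)
        if plaintext is None:                 # wrong group key or tampered: not our group
            return False
        msg = json.loads(plaintext)
        if msg.get("group_ref") != self.policy.group_ref:
            return False                      # no matching group reference: refrain
        expected = bind_hash(self.policy.key, msg["prefix"], msg["group_ref"])
        if not hmac.compare_digest(msg.get("hash", ""), expected):
            return False                      # prefix/reference binding broken
        self.routing_table[msg["prefix"]] = sender
        return True


def demo() -> Dict[str, object]:
    """Constructed scenario: two members, one policy-less host, one host in another group."""
    group_a = GroupPolicy("dgvpn-group-A", os.urandom(32))
    group_b = GroupPolicy("dgvpn-group-B", os.urandom(32))
    a = Host("A", "10.1.0.0/24", group_a)
    b = Host("B", "10.2.0.0/24", group_a)
    c = Host("C", "10.3.0.0/24")              # no group security policy: must refrain
    d = Host("D", "10.4.0.0/24", group_b)     # member of a different group
    return {
        "b_accepts_a": b.receive(a.advertise(), a.name),
        "c_advertises": c.advertise() is not None,
        "b_accepts_c": b.receive(c.advertise(), c.name),
        "b_accepts_d": b.receive(d.advertise(), d.name),
        "b_table": dict(b.routing_table),
    }


if __name__ == "__main__":
    print(demo())
```

The claim conditions acceptance only on the announcement carrying the group reference. The example additionally verifies the tag and the prefix/reference hash before installing the route, because a bare reference string is trivially copied by any peer that can see one announcement; in a real deployment the equivalent checks come from the group policy's authenticated encryption, and the hash should be keyed or covered by that tag rather than an unkeyed digest.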
5. An apparatus comprising:
  memory, the memory including a routing table;
  a network interface, the network interface for connecting to hosts, the apparatus and a subset of the hosts forming a group; and
  a controller, coupled to the memory and the network interface, the controller configured to:
    determine if the apparatus includes a group security policy for secure communication between the hosts within the group, wherein:
      the apparatus controls a first subnet, the first subnet being part of the group; and
      at least one of the hosts within the group controls a second subnet, the second subnet being part of the group;
    advertise routing information to the at least one of the hosts within the group if the apparatus includes the group security policy, wherein advertising routing information includes:
      providing an advertisement message including:
        a routing prefix, identifying the first subnet;
        a group reference identifying the group security policy; and
        a hash combining the routing prefix with the reference;
      encrypting the advertisement message using the group security policy; and
      sending the encrypted advertisement message to the at least one of the hosts within the group;
    refrain from advertising routing information to the at least one of the hosts within the group if the apparatus does not include a group security policy;
    receive a routing announcement from the at least one of the hosts within the group, including routing information;
    if the routing announcement from the at least one of the hosts within the group includes a second group reference identifying the group security policy, place the routing information within the routing table; and
    if the routing announcement from the at least one of the hosts within the group does not include the second group reference identifying the group security policy, refrain from placing the routing information within the routing table.
Dependent claims: 6, 7, 8.
9. A computer program product comprising a computer-readable medium having computer readable instructions recorded thereon for establishing secure communication between hosts within a group, the computer readable instructions being operative, when performed by a computerized device, to cause the computerized device to:
  determine if the computerized device includes a group security policy for secure communication between the hosts within the group, wherein:
    the computerized device controls a first subnet, the first subnet being part of the group; and
    at least one of the hosts within the group controls a second subnet, the second subnet being part of the group;
  advertise routing information to the at least one of the hosts within the group if the computerized device includes the group security policy, wherein advertising routing information includes:
    providing an advertisement message including:
      a routing prefix, identifying the first subnet;
      a group reference identifying the group security policy; and
      a hash combining the routing prefix with the reference;
    encrypting the advertisement message using the group security policy; and
    sending the encrypted advertisement message to the at least one of the hosts within the group;
  refrain from advertising routing information to the at least one of the hosts within the group if the computerized device does not include a group security policy;
  receive a routing announcement from the at least one of the hosts within the group, including routing information;
  place the routing information within a routing table of the computerized device if the routing announcement from the at least one of the hosts within the group includes a second group reference identifying the group security policy; and
  refrain from placing the routing information within the routing table if the routing announcement from the at least one of the hosts within the group does not include a second group reference identifying the group security policy.
Dependent claims: 10, 11, 12.