Conditional BGP advertising for dynamic group VPN (DGVPN) clients

US 7,720,995 B2
Filed: 06/08/2007
Issued: 05/18/2010
Est. Priority Date: 06/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method, performed by a first host to determine if communication with a second host is allowed within a group of at least two hosts, comprising:

determining, at the first host, if the host includes a group security policy for secure communication between the hosts within the group, wherein;

wherein the first host controls a first subnet, the first subnet being part of the group; and

the second host controls a second subnet, the second subnet being part of the group;

advertising routing information from the first host to a second host within the group if the first host includes the group security policy, wherein advertising routing information includes;

providing an advertisement message including;

a routing prefix, identifying the first subnet;

a group reference identifying the group security policy; and

a hash combining the routing prefix with the reference;

encrypting the advertisement message using the group security policy; and

sending the encrypted advertisement message to the second host;

refraining from advertising routing information from the first host to the second host if the first host does not include the group security policy;

receiving, at the first host, a routing announcement from the second host, including routing information;

if the routing announcement from the second host includes a second group reference identifying the group security policy, placing the routing information within a routing table contained in the first host; and

if the routing announcement from the second host does not include the second group reference identifying the group security policy, refraining from placing the routing information within the routing table for the first host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a host within a group, a method for ensuring secure communications is provided. The method involves (a) determining if a group security policy is in place for secure communication between hosts within the group, (b) if the group security policy is in place, advertising routing information to another host within the group, and (c) if the group security policy is not in place, refraining from advertising routing information to the other host. Corresponding apparatus and computer program product embodiments are also provided.

Citations

12 Claims

1. A method, performed by a first host to determine if communication with a second host is allowed within a group of at least two hosts, comprising:
- determining, at the first host, if the host includes a group security policy for secure communication between the hosts within the group, wherein;
  
  wherein the first host controls a first subnet, the first subnet being part of the group; and
  
  the second host controls a second subnet, the second subnet being part of the group;
  
  advertising routing information from the first host to a second host within the group if the first host includes the group security policy, wherein advertising routing information includes;
  
  providing an advertisement message including;
  
  a routing prefix, identifying the first subnet;
  
  a group reference identifying the group security policy; and
  
  a hash combining the routing prefix with the reference;
  
  encrypting the advertisement message using the group security policy; and
  
  sending the encrypted advertisement message to the second host;
  
  refraining from advertising routing information from the first host to the second host if the first host does not include the group security policy;
  
  receiving, at the first host, a routing announcement from the second host, including routing information;
  
  if the routing announcement from the second host includes a second group reference identifying the group security policy, placing the routing information within a routing table contained in the first host; and
  
  if the routing announcement from the second host does not include the second group reference identifying the group security policy, refraining from placing the routing information within the routing table for the first host.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1:
    - wherein the routing announcement from the second host includes;
      
      a second routing prefix;
      
      the second group reference identifying the group security policy; and
      
      a second hash combining the second routing prefix with the second group reference; and
      
      wherein placing the routing information within the routing table includes;
      
      determining if the second group reference, received from the second host, references the same group security policy as provided by the key server; and
      
      confirming that the second hash is properly formed from the second routing prefix and the second group reference.
  - 3. The method of claim 1 wherein the method further comprises:
    - requesting the group security policy from a key server, the key server providing the same group security policy to all hosts within the group.
  - 4. The method of claim 1 wherein the method further comprises communicating with the second host if and only if:
    - the first host includes the group security policy; and
      
      the routing information for the second host has been placed within the routing table of the first host.

5. An apparatus comprising:
- memory, the memory including a routing table;
  
  a network interface, the network interface for connecting to hosts, the apparatus and a subset of the hosts forming a group; and
  
  a controller, coupled to the memory and the network interface, the controller configured to;
  
  determine if the apparatus includes a group security policy for secure communication between the hosts within the group, wherein;
  
  the apparatus controls a first subnet, the first subnet being part of the group; and
  
  at least one of the hosts within the group controls a second subnet, the second subnets being part of the group;
  
  advertise routing information to the at least one of the hosts within the group if the apparatus includes the group security policy, wherein advertising routing information includes;
  
  providing an advertisement message including;
  
  a routing prefix, identifying the first subnet;
  
  a group reference identifying the group security policy; and
  
  a hash combining the routing prefix with the reference;
  
  encrypting the advertisement message using the group security policy, andsending the encrypted advertisement message to the at least one of the hosts within the group;
  
  refrain from advertising routing information to the at least one of the hosts within the group if the apparatus does not include a group security policy;
  
  receive a routing announcement from the at least one of the hosts within the group, including routing information;
  
  if the routing announcement from the at least one of the hosts within the group includes a second group reference identifying the group security policy, place the routing information within the routing table; and
  
  if the routing announcement from the at least one of the hosts within the group does not include the second group reference identifying the group security policy, refrain from placing the routing information within the routing table.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5 wherein:
    - the routing announcement from the at least one the hosts within the group includes;
      
      a second routing prefix;
      
      the second group reference identifying the group security policy; and
      
      a second hash combining the second routing prefix with the second group reference; and
      
      when placing the routing information within the routing table the controller is configured to;
      
      determine if the second reference, received from the at least one the hosts within the group, references the same group security policy as the group security policy in place, included within the apparatus; and
      
      confirm that the second hash is properly formed from the second routing prefix and the second group reference.
  - 7. The apparatus of claim 5 wherein the controller is further configured to:
    - request the group security policy from a key server, the key server providing the same group security policy to all of the hosts within the group.
  - 8. The apparatus of claim 5 wherein the controller is further configured to communicate with the at least one of the hosts within the group if and only if:
    - the group security policy is in place; and
      
      the routing information for at least one of the hosts within the group has been placed within the routing table.

9. A computer program product comprising a computer-readable medium having computer readable instructions recorded thereon for establishing secure communication between hosts within a group, the computer readable instructions being operative, when performed by a computerized device, to cause the computerized device to:
- determine if the computerized device includes a group security policy for secure communication between the hosts within the group, wherein;
  
  the computerized device controls a first subnet, the first subnet being part of the group; and
  
  at least one of the hosts within the group controls a second subnet, the second subnet being part of the group;
  
  advertise routing information to the at least one of the hosts within the group if the computerized device includes the group security policy,wherein advertising routing information includes;
  
  providing an advertisement message including;
  
  a routing prefix, identifying the first subnet;
  
  a group reference identifying the group security policy; and
  
  a hash combining the routing prefix with the reference;
  
  encrypting the advertisement message using the group security policy, andsending the encrypted advertisement message to the at least one of the hosts within the group;
  
  refrain from advertising routing information to the at least one of the hosts within the group if the computerized device does not include a group security policy;
  
  receive a routing announcement from the at least one of the hosts within the group, including routing information;
  
  place the routing information within a routing table of the computerized device if the routing announcement from the at least one of the hosts within the group includes a second group reference identifying the group security policy;
  
  refrain from placing the routing information within the routing table if the routing announcement from the at least one of the hosts within the group does not include a second group reference identifying the group security policy.
- View Dependent Claims (10, 11, 12)
- - 10. The computer program product of claim 9 wherein:
    - the routing announcement from the at least one of the hosts within the group includes;
      
      a second routing prefix;
      
      the second group reference identifying the group security policy; and
      
      a second hash combining the second routing prefix with the second group reference; and
      
      when placing the routing information within the routing table, the computer readable instructions are operative, when performed by the computerized device, to cause the computerized device to;
      
      determine if the second group reference, received from the at least one of the hosts within the group, references the same group security policy as the group security policy in place, for secure communication between the at least one of the hosts within the group; and
      
      confirm that the second hash is properly formed from the second routing prefix and the second group reference.
  - 11. The computer program product of claim 9 wherein the computer readable instructions are further operative, when performed by the computerized device, to cause the computerized device to:
    - request the group security policy from a key server, the key server providing the same group security policy to all of the hosts within the group.
  - 12. The computer program product of claim 9 wherein the computer readable instructions are further operative, when performed by the computerized device, to cause the computerized device to communicate with the at least one of the hosts within the group if and only if:
    - the group security policy is in place; and
      
      the routing information for the at least one of the hosts within the group has been placed within the routing table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Guichard, James N., Wainner, W. Scott
Primary Examiner(s)
Chan; Wing F
Assistant Examiner(s)
WILLIS, JONATHAN U

Application Number

US11/811,381
Publication Number

US 20080307110A1
Time in Patent Office

1,075 Days
Field of Search

379/112.01, 707/2, 707/8, 707/201, 709/225, 709/227, 709/238, 709/244, 709/249, 713/155, 713/163, 713/169, 713/171, 726/1, 726/5, 726/6, 726/14, 726/15, 726/18, 726/27, 370/392, 370/400, 370/401
US Class Current

709/242
CPC Class Codes

H04L 63/065 for group communications cr...

H04L 63/104 Grouping of entities

Conditional BGP advertising for dynamic group VPN (DGVPN) clients

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Conditional BGP advertising for dynamic group VPN (DGVPN) clients

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links