Point-to-multi-point/non-broadcasting multi-access VPN tunnels

US 7,779,461 B1
Filed: 11/16/2004
Issued: 08/17/2010
Est. Priority Date: 11/16/2004
Status: Active Grant

First Claim

Patent Images

1. A network device, comprising:

a memory to store at least one data table; and

a processing unit to;

establish a virtual private network (VPN) tunnel to a destination,determine a next hop for the VPN tunnel,insert an identifier associated with the next hop, and an address range associated with the destination, into the at least one data table,insert a tunnel identifier corresponding to the established VPN tunnel into the at least one data table, andassociate one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system establishes a virtual private network (VPN) tunnel to a destination and determines a next hop for the VPN tunnel. The system inserts the next hop, and an address associated with the destination, into an entry of a first table. The system inserts the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into an entry of a second table. The system associates one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.

Citations

39 Claims

1. A network device, comprising:
- a memory to store at least one data table; and
  
  a processing unit to;
  
  establish a virtual private network (VPN) tunnel to a destination,determine a next hop for the VPN tunnel,insert an identifier associated with the next hop, and an address range associated with the destination, into the at least one data table,insert a tunnel identifier corresponding to the established VPN tunnel into the at least one data table, andassociate one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The network device of claim 1, where the processing unit is further to:
    - establish a second virtual private network (VPN) tunnel to a second destination,determine a next hop for the second VPN tunnel,insert an identifier associated with the next hop for the second VPN tunnel, and an address range associated with the second destination, into the at least one data table,insert a second tunnel identifier corresponding to the established second VPN tunnel into the at least one data table, andassociate one or more security parameters, used to encrypt traffic sent via the second VPN tunnel, with the second tunnel identifier.
  - 3. The network device of claim 1, where the destination comprises a private network.
  - 4. The network device of claim 3, where the next hop comprises another network device connected to the private network.
  - 5. The network device of claim 1, where the one or more security parameters comprises an Internet Protocol security (IPsec) security parameters index (SPI).
  - 6. The network device of claim 1, further comprising:
    - an interface to;
      
      receive a data unit;
      
      where the processing unit is further to;
      
      retrieve a destination network identifier from the data unit,identify the next hop from the at least one data table using the destination network identifier retrieved from the data unit,retrieve the tunnel identifier from the at least one data table using the retrieved next hop,encrypt the data unit using the security parameters associated with the identified tunnel identifier, andforward the encrypted data unit via the VPN tunnel.

7. A method, performed by a processor, the method comprising:
- establishing, by the processor, a virtual private network (VPN) tunnel to a destination;
  
  determining, by the processor, a next hop for the VPN tunnel;
  
  inserting, by the processor, an identifier associated with the next hop, and an address range associated with the destination, into an entry of a first table;
  
  inserting, by the processor, the identifier associated with the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into an entry of a second table; and
  
  associating, by the processor, one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7, further comprising:
    - establishing a second virtual private network (VPN) tunnel to a second destination;
      
      determining a next hop for the second VPN tunnel;
      
      inserting an identifier associated with the next hop for the second VPN tunnel, and an address range associated with the second destination, into another entry of the first table;
      
      inserting the identifier associated with the next hop for the second VPN tunnel, and a second tunnel identifier corresponding to the established second VPN tunnel, into another entry of the second table; and
      
      associating one or more security parameters, used to encrypt traffic sent via the second VPN tunnel, with the second tunnel identifier.
  - 9. The method of claim 7, where the destination comprises a private network.
  - 10. The method of claim 9, where the next hop comprises a network device connected to the private network.
  - 11. The method of claim 7, where the one or more security parameters comprises an Internet Protocol security (IPsec) security parameters index (SPI).
  - 12. The method of claim 7, further comprising:
    - determining if the VPN tunnel has been broken; and
      
      disabling the entry in the second table if the VPN tunnel has been broken.
  - 13. The method of claim 12, further comprising:
    - determining if the VPN tunnel has been re-connected; and
      
      enabling the entry in the second table if the VPN tunnel has been re-connected.
  - 14. The method of claim 7, further comprising:
    - receiving a data unit;
      
      retrieving a destination network identifier from the data unit;
      
      retrieving the identifier associated with the next hop from the first table using the destination network identifier retrieved from the data unit;
      
      retrieving the tunnel identifier from the second table using the retrieved identifier associated with the next hop;
      
      encrypting the data unit using the security parameters associated with the retrieved tunnel identifier; and
      
      forwarding the encrypted data unit via the VPN tunnel.

15. A system, comprising:
- a memory to store a first data table and a second data table;
  
  a processing unit to;
  
  establish a virtual private network (VPN) tunnel to a destination,determine a next hop for the VPN tunnel,insert an identifier associated with the next hop, and an address range associated with the destination, into an entry of the first data table,insert the identifier associated with the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into an entry of the second data table, andassociate one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The system of claim 15, where the processing unit is further to:
    - establish a second virtual private network (VPN) tunnel to a second destination;
      
      determine a next hop for the second VPN tunnel;
      
      insert an identifier associated with the next hop for the second VPN tunnel, and an address range associated with the second destination, into another entry of the first table;
      
      insert the identifier associated with the next hop for the second VPN tunnel, and a second tunnel identifier corresponding to the established second VPN tunnel, into another entry of the second table; and
      
      associate one or more security parameters, used to encrypt traffic sent via the second VPN tunnel, with the second tunnel identifier.
  - 17. The system of claim 15, where the destination comprises a private network.
  - 18. The system of claim 17, where the next hop comprises a network device connected to the private network.
  - 19. The system of claim 15, where the one or more security parameters comprises an Internet Protocol security (IPsec) security parameters index (SPI).
  - 20. The system of claim 15, further comprising:
    - determining if the VPN tunnel has been broken; and
      
      disabling the entry in the second table if the VPN tunnel has been broken.
  - 21. The system of claim 20, further comprising:
    - determining if the VPN tunnel has been re-connected; and
      
      enabling the entry in the second table if the VPN tunnel has been re-connected.
  - 22. The system of claim 15, further comprising:
    - an interface to;
      
      receive a data unit;
      
      where the processing unit is further to;
      
      retrieve a destination network identifier from the data unit,retrieve the identifier associated with the next hop from the first table using the destination network identifier retrieved from the data unit,retrieve the tunnel identifier from the second table using the retrieved identifier associated with the next hop,encrypt the data unit using the security parameters associated with the retrieved tunnel identifier, andforward the encrypted data unit via the VPN tunnel.

23. A method, performed by a device, comprising:
- receiving, at a processor of the device, a data unit;
  
  performing, by the processor, a route lookup to retrieve a next hop identifier from a routing table that corresponds to a destination of the data unit;
  
  retrieving, by the processor, a tunnel identifier from a second table using the retrieved next hop identifier;
  
  forwarding, by the processor, the data unit via a tunnel corresponding to the tunnel identifier, where the tunnel comprises a virtual private network (VPN) tunnel; and
  
  encrypting the data unit using security parameters associated with the tunnel identifier.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The method of claim 23, where performing a route lookup comprises:
    - indexing the routing table using a network identifier associated with the destination of the data unit to retrieve the next hop identifier.
  - 25. The method of claim 23, where retrieving a tunnel identifier from the second table comprises:
    - indexing the second table using the retrieved next hop identifier to retrieve the tunnel identifier.
  - 26. The method of claim 23, where the next hop identifier comprises a network address associated with a network device.
  - 27. The method of claim 26, where the network device is at one end of the tunnel.
  - 28. The method of claim 23, where the destination comprises a private network.
  - 29. The method of claim 28, where the next hop identifier is associated with a network device connected to the private network.

30. A system, comprising:
- a memory to store a first table and a second table;
  
  an interface to;
  
  receive a data unit; and
  
  a processing unit to;
  
  perform a route lookup to retrieve a next hop identifier from the first table that corresponds to a destination of the data unit,retrieve a virtual private network (VPN) tunnel identifier from the second table using the retrieved next hop identifier,forward the data unit via a VPN tunnel corresponding to the VPN tunnel identifier, andencrypt the data unit using security parameters associated with the VPN tunnel identifier.
- View Dependent Claims (31, 32, 33, 34, 35, 36)
- - 31. The system of claim 30, where performing a route lookup comprises:
    - indexing the routing table using a network identifier associated with the destination of the data unit to retrieve the next hop identifier.
  - 32. The system of claim 30, where retrieving a tunnel identifier from the second table comprises:
    - indexing the second table using the retrieved next hop identifier to retrieve the tunnel identifier.
  - 33. The system of claim 30, where the next hop identifier comprises a network address associated with a network device.
  - 34. The system of claim 33, where the network device is at one end of the tunnel.
  - 35. The system of claim 30, where the destination comprises a private network.
  - 36. The system of claim 35, where the next hop identifier is associated with a network device connected to the private network.

37. A system, comprising:
- means for establishing a virtual private network (VPN) tunnel to a destination;
  
  means for determining a next hop for the VPN tunnel;
  
  means for inserting an identifier associated with the next hop, and an address range associated with the destination, into a first entry of a first table;
  
  means for inserting the identifier associated with the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into a second entry of a second table; and
  
  means for associating one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.

38. A network device, comprising:
- a data structure that comprises;
  
  a first data table comprising an identifier associated with a first next hop along a first virtual private network (VPN) tunnel to a first destination indexed to an address range associated with the first destination, anda second data table comprising a first tunnel identifier, corresponding to the first VPN tunnel, indexed to the identifier associated with the first next hop; and
  
  a processor to;
  
  retrieve the first tunnel identifier from the second table, andforward a data unit via a VPN tunnel corresponding to the first tunnel identifier.
- View Dependent Claims (39)
- - 39. The network device of claim 38, where the first data table further comprises an identifier associated with a second next hop along a second virtual private network (VPN) tunnel to a second destination indexed to an address range associated with the second destination, andwhere the second data table comprises a second tunnel identifier, corresponding to the second VPN tunnel, indexed to the identifier associated with the second next hop.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Cheng, Yonghui, Liu, Changming, Shieh, Choung-Yaw
Primary Examiner(s)
Cervetti; David Garcia

Application Number

US10/988,835
Time in Patent Office

2,100 Days
Field of Search

726/255, 726/247, 726/15, 713/150
US Class Current

726/15
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 45/00   Routing or path finding of ...

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

H04L 9/40   Network security protocols

Point-to-multi-point/non-broadcasting multi-access VPN tunnels

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Point-to-multi-point/non-broadcasting multi-access VPN tunnels

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links