Prioritized call admission control for internet key exchange

US 7,805,602 B1
Filed: 11/10/2005
Issued: 09/28/2010
Est. Priority Date: 11/10/2005
Status: Active Grant

First Claim

Patent Images

1. A method for prioritizing the setup of a plurality of connections in a Virtual Private Network (VPN) serving a plurality of clients, the method comprising:

providing an aggregation processor operative to perform functions associated with setting up and managing the connections;

predefining at least two Internet Security Association and Key Management Protocol (ISAKMP) client profiles for the VPN, wherein each ISAKMP client profile defines an association with a respective predetermined client category via an ISAKMP match identity command;

adding a priority command to the ISAKMP client profiles, the priority commands indicating a plurality of different priorities;

initiating, by the aggregation processor, connections in the VPN for at least two clients;

matching, by the aggregation processor, the at least two clients with respective profiles selected from the at least two ISAKMP predefined client profiles;

setting up, by the aggregation processor, the VPN connections for the at least two clients according to the priorities of the predefined ISAKMP client profiles.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for communication includes predefining two or more client profiles applicable to clients of a communication network. Virtual Private Network (VPN) connections are initiated between at least two of the clients and the network. At least two of the clients are matched with respective profiles selected from the two or more predefined client profiles. Priorities are assigned to packets exchanged between the at least two of the clients and the network responsively to the profiles. The VPN connections are set up for the at least two of the clients responsively to the priorities.

20 Citations

View as Search Results

28 Claims

1. A method for prioritizing the setup of a plurality of connections in a Virtual Private Network (VPN) serving a plurality of clients, the method comprising:
- providing an aggregation processor operative to perform functions associated with setting up and managing the connections;
  
  predefining at least two Internet Security Association and Key Management Protocol (ISAKMP) client profiles for the VPN, wherein each ISAKMP client profile defines an association with a respective predetermined client category via an ISAKMP match identity command;
  
  adding a priority command to the ISAKMP client profiles, the priority commands indicating a plurality of different priorities;
  
  initiating, by the aggregation processor, connections in the VPN for at least two clients;
  
  matching, by the aggregation processor, the at least two clients with respective profiles selected from the at least two ISAKMP predefined client profiles;
  
  setting up, by the aggregation processor, the VPN connections for the at least two clients according to the priorities of the predefined ISAKMP client profiles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein initiating the VPN connections comprises receiving at least one request packet from each of the at least two clients to set up the VPN connections.
  - 3. The method according to claim 2, wherein, for each of the at least one request packet, receiving the request packet comprises extracting an identification (ID) payload carried in the packet, and wherein matching the clients comprises mapping the ID payload to one of the at least two predefined ISAKMP client profiles.
  - 4. The method according to claim 1, wherein initiating the VPN connections comprises exchanging Internet Key Exchange (IKE) packets, and wherein setting up a VPN connection comprises establishing the connections using an IKE protocol.
  - 5. The method according to claim 1, wherein setting up the VPN connections comprises connecting the at least two clients to the network over a wide-area network (WAN).
  - 6. The method according to claim 1, wherein setting up the VPN connections comprises connecting at least one remote site to the network.
  - 7. The method according to claim 1, wherein predefining the at least two client profiles comprises defining at least one category, each applicable to at least one client, and defining the priorities of the categories.
  - 8. The method according to claim 1, wherein initiating the VPN connections comprises measuring a resource utilization of a processor carrying out the method and refraining from setting up at least one VPN connection responsively to the priorities when a crossing of a threshold of the resource utilization occurs.
  - 9. The method according to claim 1, wherein assigning the priorities comprises measuring a traffic characteristic of packets exchanged between the at least two clients and the VPN and determining the priorities responsively to the measured traffic characteristic.

10. Apparatus for prioritizing the setup of a plurality of connections in a Virtual Private Network (VPN) serving a plurality of clients, the apparatus comprising:
- a network interface arranged to communicate with the clients; and
  
  an aggregation processor coupled to the network interface and arranged;
  
  to accept definitions of at least two Internet Security Association and Key Management Protocol (ISAKMP) client profiles for the VPN, wherein each ISAKMP client profile defines an association with a respective predetermined client category via an ISAKMP match identity command, and wherein the ISAKMP client profiles are modified to contain priority commands indicating a plurality of different priorities;
  
  to initiate connections for a client in the VPN;
  
  to match a client to a profile selected from the at least two ISAKMP client profiles;
  
  to assign a priority to a packet from the client responsively to the profile; and
  
  to set up a VPN connection for the client responsively to the priority.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus according to claim 10, wherein the processor and network interface are arranged to receive a request packet from a client to set up a VPN connection.
  - 12. The apparatus according to claim 11, wherein, for the request packet, the processor is arranged to extract an identification (ID) payload carried in the packet and to map the ID payload to an ISAKMP client profile.
  - 13. The apparatus according to claim 10, wherein the processor and the network interface are arranged to send and receive Internet Key Exchange (IKE) packets and to establish a VPN connection using an IKE protocol.
  - 14. The apparatus according to claim 10, wherein at least one of the clients communicates with the network over a wide-area network (WAN).
  - 15. The apparatus according to claim 10, wherein at least one of the clients comprises a remote site of the network.
  - 16. The apparatus according to claim 10, wherein the client profiles define one or more categories, each applicable to at least one client, and wherein the priorities define a priority relationship among the one or more categories.
  - 17. The apparatus according to claim 10, wherein the processor is arranged to measure a resource utilization of the processor and to refrain from setting up at least one VPN connection responsively to the priorities when a crossing of a threshold of the resource utilization occurs.
  - 18. The apparatus according to claim 10, wherein the processor is arranged to measure a traffic characteristic of the packets exchanged between the at least two of the clients and the network and to determine the priorities responsively to the measured traffic characteristic.

19. An apparatus for prioritizing the setup of a plurality of connections in a Virtual Private Network (VPN) serving a plurality of clients, the apparatus comprising:
- means for predefining at least two Internet Security Association and Key Management Protocol (ISAKMP) client profiles for the VPN, wherein each ISAKMP client profile defines an association with a respective predetermined client category via an ISAKMP match identity command;
  
  means for adding a priority command to the ISAKMP client profiles, the priority commands indicating a plurality of different priorities;
  
  means for initiating connections in the VPN for at least two clients;
  
  means for matching the at least two clients with respective profiles selected from the at least two predefined ISAKMP client profiles;
  
  means for setting up the VPN connections for the at least two clients according to the priorities of the predefined ISAKMP client profiles.

20. A computer software product for prioritizing the setup of a plurality of connections in a Virtual Private Network (VPN) serving a plurality of clients, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when executed by a processor, cause the processor:
- to accept a definition of at least two Internet Security Association and Key Management Protocol (ISAKMP) client profiles for the VPN, wherein each ISAKMP client profile defines an association with a respective predetermined client category via an ISAKMP match identity command, the ISAKMP client profiles modified to contain priority commands indicating a plurality of different priorities;
  
  to initiate connections for a client in the VPN;
  
  to match a client to a profile selected from the at least two ISAKMP client profiles;
  
  to assign a priority to a packet from the client responsively to the ISAKMP client profile; and
  
  to set up a VPN connection for the client responsively to the priority.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The product according to claim 20, wherein the instructions cause the processor to receive a request packet from a client to set up a VPN connection.
  - 22. The product according to claim 21, wherein, for the request packet, the processor is arranged to extract an identification (ID) payload carried in the packet and to map the ID payload to an ISAKMP client profile.
  - 23. The product according to claim 20, wherein the instructions cause the processor to send and receive Internet Key Exchange (IKE) packets and to establish a VPN connection using an IKE protocol.
  - 24. The product according to claim 20, wherein at least one of the clients communicates with the network over a wide-area network (WAN).
  - 25. The product according to claim 20, wherein at least one of the clients comprises a remote site of the network.
  - 26. The product according to claim 20, wherein the client profiles define one or more categories, each applicable to at least one of the clients, and wherein the priorities define a priority relationship among the one or more categories.
  - 27. The product according to claim 20, wherein the instructions cause the processor to measure a resource utilization of at least one of the one or more processors and to refrain from setting up at least one VPN connection responsively to the priorities when a crossing of a threshold of the resource utilization occurs.
  - 28. The product according to claim 20, wherein the instructions cause the processor to measure a traffic characteristic of the packets exchanged between the at least two of the clients and the network and to determine the priorities responsively to the measured traffic characteristic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Halcvi, Ido, Karpati, Danny, Zilberman, Alon
Primary Examiner(s)
COLIN, CARL G

Application Number

US11/271,321
Time in Patent Office

1,783 Days
Field of Search

713/150, 713/154, 713/160, 713/166, 726/13, 726/15
US Class Current

713/150
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/062   for key distribution, e.g. ...

H04L 63/164   at the network layer

H04L 67/14   Session management for real...

H04L 67/306   User profiles

Prioritized call admission control for internet key exchange

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Prioritized call admission control for internet key exchange

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links