Methods and apparatus to configure network nodes supporting virtual connections

US 7,870,604 B1
Filed: 08/29/2003
Issued: 01/11/2011
Est. Priority Date: 08/29/2003
Status: Active Grant

First Claim

Patent Images

1. In a first provider node of a physical network supporting multiple virtual networks, a method for propagating network data, the method comprising:

receiving network data associated with a first virtual network to be supported by the physical network;

generating, at the first provider node, a first signature value uniquely associated with an identity of the first virtual network, wherein generating the first signature value includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the first signature value associated with the identity of the first virtual network; and

transmitting both the network data associated with the first virtual network and the first signature value to a second provider node in the physical network, the first signature value enabling the second provider node to verify that the network data is properly associated with the first virtual network via generation of a second signature value by the second provider node using a routing key of a customer node and determination of whether the first signature value matches the second signature value by the second provider node, the first virtual network being one of multiple virtual networks supported by the second provider node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system includes functionality enabling a provider edge router to determine whether network data such as VRF information is properly associated with a corresponding virtual private network. A first node through which the network data is transmitted generates a signature value uniquely associated with the virtual private network. The first node forwards the signature value along with the network data to a second node of the physical network. The second node, in turn, verifies that the network data (such as VRF information) is properly associated with the second node (and virtual network) based on its own generation of a signature value, which is compared with the signature value received from the first node.

56 Citations

View as Search Results

27 Claims

1. In a first provider node of a physical network supporting multiple virtual networks, a method for propagating network data, the method comprising:
- receiving network data associated with a first virtual network to be supported by the physical network;
  
  generating, at the first provider node, a first signature value uniquely associated with an identity of the first virtual network, wherein generating the first signature value includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the first signature value associated with the identity of the first virtual network; and
  
  transmitting both the network data associated with the first virtual network and the first signature value to a second provider node in the physical network, the first signature value enabling the second provider node to verify that the network data is properly associated with the first virtual network via generation of a second signature value by the second provider node using a routing key of a customer node and determination of whether the first signature value matches the second signature value by the second provider node, the first virtual network being one of multiple virtual networks supported by the second provider node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method as in claim 1, wherein the data value is a generated random number.
  - 3. A method as in claim 1, wherein transmitting the network data includes:
    - transmitting the first signature value, the retrieved data value, and an identifier of the encryption key associated with the first virtual private network to the second provider node in the physical network.
  - 4. A method as in claim 1, wherein the function is a hash function.
  - 5. A method as in claim 1, wherein the physical network includes a service provider network supporting virtual private networks among multiple customers and the network data includes routing information associated with the virtual private networks.
  - 6. A method as in claim 1, wherein the first signature value is transmitted to the second provider node in an encrypted format, and the network data is transmitted to the second provider node in an unencrypted format.
  - 7. A method as in claim 1 further comprising:
    - generating a notification message to include;
      
      i) the network data associated with the first virtual network, and ii) an identifier value specifying an encryption function associated with the first virtual network, the identifier value enabling the second provider node to select one of multiple index values and verify whether the notification message is properly directed to the first virtual network supported by the second provider node; and
      
      wherein transmitting both the network data associated with the first virtual network and the first signature value to the second provider node includes transmitting the notification message to the second provider node.
  - 8. A method as in claim 1 further comprising:
    - generating a notification message to include;
      
      i) the network data associated with the first virtual network, ii) the data value, iii) the first signature value, and iv) an identifier value specifying the encryption key associated with the first virtual network;
      
      wherein transmitting both the network data associated with the first virtual network and the first signature value to the second provider node includes transmitting the notification message to the second provider node; and
      
      inclusion of the identifier value in the notification message enabling the second provider node to verify whether the notification message is associated with the first virtual network based on steps of;
      
      i) selecting an encryption key as identified by the identifier value, the encryption key being one of multiple encryption keys associated with the multiple virtual networks supported by the second provider node, ii) applying the selected encryption key to the data value in the notification message to produce the second signature value, and iii) comparing the first signature to the second signature value, iv) updating routing information at the second provider node based on the network data if the first signature value is equal to the second signature value.
  - 9. A method as in claim 1, wherein transmitting the network data and first signature value to the second provider node includes:
    - transmitting the network data and first signature value to the second provider node in the physical network based on a target destination provided by an administrator of the physical network, the network data and first signature value transmitted along with a message encoded based on a data distribution protocol.
  - 10. A method as in claim 9, wherein the data distribution protocol is an interautonomous system routing protocol and the message includes an update attribute field to store the first signature value, the data value, and a key identifier associated with the first virtual network;
    - andwherein the first virtual network is a virtual private network.
  - 11. A method as in claim 1 further comprising:
    - generating a notification message to include;
      
      i) the network data associated with the first virtual network, ii) the first signature value, and iii) the retrieved data value.
  - 12. A method as in claim 11, wherein transmitting both the network data associated with the first virtual network and the first signature value to the second provider node includes:
    - transmitting the notification message to the second provider node, the second provider node using the retrieved data value in the notification message to generate the second signature value, the second provider node verifying whether the notification message includes information associated with the first virtual network by comparing the first signature value with the second signature value.
  - 13. A method as in claim 12 further comprising:
    - generating the notification message to include an identifier value used by the second provider node to identify which of multiple encryption keys is to be used by the second provider node to apply to the retrieved data value in the notification message to produce the second signature value.
  - 14. A method as in claim 1 further comprising:
    - transmitting an key identifier indicating one of multiple encryption keys associated with the first virtual network to the second provider node in the physical network, wherein each of the multiple encryption keys is associated with a separate virtual network accessible by the first provider node.
  - 15. A method as in claim 14, wherein the first signature value is generated by applying a hash function to a public data value and a value of the encryption key associated with the key identifier;
    - the method further comprising;
      
      enabling the second provider node to generate the second signature value in order to be compared with the first signature value.
  - 16. A method as in claim 15, wherein the key identifier enables the second provider node to identify and access a corresponding encryption key, if any, associated with the key identifier at the second provider node.
  - 17. A method as in claim 16 further comprising:
    - enabling the second provider node to apply the hash function to the public data value and the corresponding encryption key, if any, associated with the key identifier to generate the second signature value; and
      
      wherein the second provider node is capable of updating forwarding tables in accordance with the network data upon determining that the second signature value is equivalent to the first signature value, the forwarding tables being updated for the virtual private network associated with the key identifier.

18. A computer system at a first node of a physical network that supports multiple virtual networks, the computer system comprising:
- a communication interface that supports communication with other nodes of the physical network;
  
  a processor;
  
  a memory unit that stores instructions associated with an application executed by the processor; and
  
  an interconnect coupling the communication interface, the processor, and the memory unit, enabling the computer system to execute the application and perform operations of;
  
  receiving network data associated with a first virtual network of the physical network, wherein the network data includes routing information associated with the first virtual network, the routing information being used to support a secured network connection including a logical connection path;
  
  generating a first signature value uniquely associated with an identity of the first virtual network, wherein generating the first signature includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the first signature value associated with the identity of the first virtual network; and
  
  transmitting, through the communication interface of the computer system, both the network data associated with the first virtual network and the signature value to a second node in the physical network, the signature value enabling the second node to verify that the network data is properly associated with the first virtual network via generation of a second signature value using a routing key of a customer node and determination of whether the first signature value matches the second signature value by the second node.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. A computer system as in claim 18, wherein the data value is a generated random number.
  - 20. A computer system as in claim 18 that, wherein transmitting the network data, additionally performs an operation of:
    - transmitting the first signature value, the retrieved data value, and an identifier of the encryption key associated with the first virtual private network to the second node in the physical network.
  - 21. A computer system as in claim 18 that additionally performs an operation of:
    - transmitting key identifier indicating one of multiple encryption keys associated with the first virtual network to the second node in the physical network, wherein each of the multiple encryption keys is associated with a separate virtual network accessible by the first node.
  - 22. A computer system as in claim 18 that, wherein applying the function includes applying a hash function.
  - 23. A computer system as in claim 18, wherein the physical network includes a service provider network supporting virtual private networks among multiple customers and the network data includes routing information associated with the virtual private networks.
  - 24. A computer system as in claim 18 that, when transmitting the network data and first signature value to a second node, additionally performs an operation of:
    - transmitting the network data and first signature value to the second node in the physical network based on a target destination provided by an administrator of the physical network, the network data and first signature value transmitted along with a message encoded based on a data distribution protocol.
  - 25. A method as in claim 24, wherein the data distribution protocol is an interautonomous system routing protocol and the message includes an update attribute field to store the first signature value, the data value, and a key identifier associated with the first virtual network;
    - andwherein the first virtual network is a virtual private network.

26. A computer system at a first provider node of a physical network that supports multiple virtual networks, the computer system comprising:
- a communication interface that supports communication with other nodes of the physical network;
  
  a processor;
  
  a memory unit that stores instructions associated with an application executed by the processor; and
  
  an interconnect coupling the communication interface, the processor, and the memory unit, enabling the computer system to execute the application and provide;
  
  means for receiving network data associated with a first virtual network of the physical network;
  
  means for generating, at the first provider node, a signature value uniquely associated with an identity of the first virtual network, wherein generating the first signature value includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the first signature value associated with the identity of the first virtual network; and
  
  means for transmitting, through the communication interface of the computer system, the network data associated with the first virtual network and the signature value to a second provider node in the physical network, the signature value enabling the second provider node to verify that the network data is properly associated with the first virtual network by determination of whether the first signature value matches the second signature value generated by the second node using a routing key of a customer node.

27. A computer program product including a computer-readable medium having instructions stored thereon for processing data information, such that the instructions, when carried out by a processing device, enable the processing device to perform the steps of:
- receiving network data associated with a first virtual network of the physical network;
  
  generating a signature value uniquely associated with an identity of the first virtual network, wherein generating the signature value includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the signature value associated with the identity of the first virtual network; and
  
  transmitting the network data associated with the first virtual network and the signature value to a second node in the physical network, the signature value enabling the second node to verify that the network data is properly associated with the first virtual network by determination of whether the first signature value matches a the second signature value generated by the second node using a routing key of a customer node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Behringer, Michael H., Guichard, James N.
Primary Examiner(s)
Lipman; Jacob

Application Number

US10/652,058
Time in Patent Office

2,692 Days
Field of Search

726/15
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

Methods and apparatus to configure network nodes supporting virtual connections

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus to configure network nodes supporting virtual connections

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links