Methods and apparatus to configure network nodes supporting virtual connections
First Claim
1. In a first provider node of a physical network supporting multiple virtual networks, a method for propagating network data, the method comprising:
receiving network data associated with a first virtual network to be supported by the physical network;
generating, at the first provider node, a first signature value uniquely associated with an identity of the first virtual network, wherein generating the first signature value includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the first signature value associated with the identity of the first virtual network; and
transmitting both the network data associated with the first virtual network and the first signature value to a second provider node in the physical network, the first signature value enabling the second provider node to verify that the network data is properly associated with the first virtual network via generation of a second signature value by the second provider node using a routing key of a customer node and determination of whether the first signature value matches the second signature value by the second provider node, the first virtual network being one of multiple virtual networks supported by the second provider node.
Abstract
A computer system includes functionality enabling a provider edge router to determine whether network data such as VRF information is properly associated with a corresponding virtual private network. A first node through which the network data is transmitted generates a signature value uniquely associated with the virtual private network. The first node forwards the signature value along with the network data to a second node of the physical network. The second node, in turn, verifies that the network data (such as VRF information) is properly associated with the second node (and virtual network) based on its own generation of a signature value, which is compared with the signature value received from the first node.
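The abstract describes a keyed signature over VRF data that a receiving provider edge node recomputes and compares. The following is an added illustration, not code from the patent: it assumes the sending node's "encryption key associated with the virtual network" and the receiving node's "routing key of a customer node" are the same per-VPN shared secret, models "applying a function to the data value" as an HMAC over a canonical serialization of the VPN identity plus the VRF update, and uses constructed keys and routes.

```python
import hashlib
import hmac
import json

# Constructed per-VPN secrets held by both provider edge nodes (assumption:
# sender's encryption key and receiver's customer routing key are the same).
VPN_KEYS = {
    "vpn-red": b"constructed-key-red-0001",
    "vpn-blue": b"constructed-key-blue-0002",
}


def canonical_data_value(vpn_id, vrf_update):
    """The 'data value' that is signed: VPN identity bound to the VRF update,
    serialized deterministically so both nodes hash identical bytes."""
    payload = {"vpn": vpn_id, "vrf": vrf_update}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_vrf_update(vpn_id, vrf_update):
    """First provider node: produce the signature value sent with the data."""
    key = VPN_KEYS[vpn_id]
    return hmac.new(key, canonical_data_value(vpn_id, vrf_update), hashlib.sha256).hexdigest()


def verify_vrf_update(vpn_id, vrf_update, received_sig):
    """Second provider node: regenerate the signature with its own key for this
    VPN and compare in constant time. Unknown VPNs are rejected outright."""
    key = VPN_KEYS.get(vpn_id)
    if key is None:
        return False
    expected = hmac.new(key, canonical_data_value(vpn_id, vrf_update), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received_sig)


def demo():
    """Constructed VRF update: genuine delivery verifies; the same data and
    signature presented under another VPN, a modified prefix list, or an
    unknown VPN identity all fail the check."""
    update = {"route_target": "65000:100", "prefixes": ["10.1.0.0/24", "10.1.1.0/24"]}
    sig = sign_vrf_update("vpn-red", update)
    altered = {**update, "prefixes": ["10.1.0.0/24", "192.168.9.0/24"]}
    return {
        "genuine": verify_vrf_update("vpn-red", update, sig),
        "wrong_vpn": verify_vrf_update("vpn-blue", update, sig),
        "tampered": verify_vrf_update("vpn-red", altered, sig),
        "unknown_vpn": verify_vrf_update("vpn-green", update, sig),
    }
```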
56 Citations
27 Claims
18. A computer system at a first node of a physical network that supports multiple virtual networks, the computer system comprising:
a communication interface that supports communication with other nodes of the physical network; a processor; a memory unit that stores instructions associated with an application executed by the processor; and an interconnect coupling the communication interface, the processor, and the memory unit, enabling the computer system to execute the application and perform operations of:
receiving network data associated with a first virtual network of the physical network, wherein the network data includes routing information associated with the first virtual network, the routing information being used to support a secured network connection including a logical connection path;
generating a first signature value uniquely associated with an identity of the first virtual network, wherein generating the first signature includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the first signature value associated with the identity of the first virtual network; and
transmitting, through the communication interface of the computer system, both the network data associated with the first virtual network and the signature value to a second node in the physical network, the signature value enabling the second node to verify that the network data is properly associated with the first virtual network via generation of a second signature value using a routing key of a customer node and determination of whether the first signature value matches the second signature value by the second node.
26. A computer system at a first provider node of a physical network that supports multiple virtual networks, the computer system comprising:
a communication interface that supports communication with other nodes of the physical network; a processor; a memory unit that stores instructions associated with an application executed by the processor; and an interconnect coupling the communication interface, the processor, and the memory unit, enabling the computer system to execute the application and provide:
means for receiving network data associated with a first virtual network of the physical network;
means for generating, at the first provider node, a signature value uniquely associated with an identity of the first virtual network, wherein generating the first signature value includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the first signature value associated with the identity of the first virtual network; and
means for transmitting, through the communication interface of the computer system, the network data associated with the first virtual network and the signature value to a second provider node in the physical network, the signature value enabling the second provider node to verify that the network data is properly associated with the first virtual network by determination of whether the first signature value matches the second signature value generated by the second node using a routing key of a customer node.
27. A computer program product including a computer-readable medium having instructions stored thereon for processing data information, such that the instructions, when carried out by a processing device, enable the processing device to perform the steps of:
receiving network data associated with a first virtual network of the physical network;
generating a signature value uniquely associated with an identity of the first virtual network, wherein generating the signature value includes retrieving a data value, obtaining an encryption key associated with the first virtual network, and applying a function to the data value based on a value of the encryption key to produce the signature value associated with the identity of the first virtual network; and
transmitting the network data associated with the first virtual network and the signature value to a second node in the physical network, the signature value enabling the second node to verify that the network data is properly associated with the first virtual network by determination of whether the first signature value matches the second signature value generated by the second node using a routing key of a customer node.