System and method for prioritization of traffic through internet access network

US 7,881,199 B2
Filed: 01/04/2006
Issued: 02/01/2011
Est. Priority Date: 01/04/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of prioritizing a traffic flow in a packet communication system destined for a receiving sub-network hosting a virtual private network (VPN) gateway, the method comprising:

forwarding packets from an end user device to the receiving sub-network through a first gateway in an access network;

at the first gateway in the access network, determining whether the packets from the end user device are requesting a new session with the VPN gateway;

at the first gateway in the access network, non-invasively and, independently of any shared secrets between the VPN gateway and the end user device, using a deep packet inspector to infer from the packets requesting the new session whether the request was accepted by the VPN gateway by monitoring both the traffic flow passing through an egress port to the receiving sub-network and the traffic flow coming from the receiving sub-network through the egress port; and

when it is inferred that the request was accepted by the VPN gateway,using a subscriber and policy management system (SPMS) to determine a new priority level to assign to the new session, wherein the new priority level is higher than a default priority level and is predetermined by the owner of the VPN gateway;

using the SPMS to reconfigure network elements in the access network to permit the traffic flow to the VPN gateway at the new priority level;

using the SPMS to mark the packets from the end user device in the egress port with the new priority level before sending the packets to the VPN gateway; and

maintaining the traffic flow for a session between the VPN gateway and the end user device at the new priority level until the deep packet inspector determines that there is no traffic flow over the VPN gateway other than traffic flow not initiated by a user.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for ensuring that specific traffic flows are adequately prioritized in a public packet communication network even when the network is heavily congested. Per-flow QoS capability is added to VPN tunnels. Connection requests are routed through a specific port in an access provider'"'"'s network to designated VPN gateway. Deep packet inspection is performed on traffic through the port in an attempt to determine whether the connection request was accepted. If the connection request was accepted, the traffic flows associated with that session may be given a specific priority of QoS level when transiting a packet access network.

279 Citations

19 Claims

1. A method of prioritizing a traffic flow in a packet communication system destined for a receiving sub-network hosting a virtual private network (VPN) gateway, the method comprising:
- forwarding packets from an end user device to the receiving sub-network through a first gateway in an access network;
  
  at the first gateway in the access network, determining whether the packets from the end user device are requesting a new session with the VPN gateway;
  
  at the first gateway in the access network, non-invasively and, independently of any shared secrets between the VPN gateway and the end user device, using a deep packet inspector to infer from the packets requesting the new session whether the request was accepted by the VPN gateway by monitoring both the traffic flow passing through an egress port to the receiving sub-network and the traffic flow coming from the receiving sub-network through the egress port; and
  
  when it is inferred that the request was accepted by the VPN gateway,using a subscriber and policy management system (SPMS) to determine a new priority level to assign to the new session, wherein the new priority level is higher than a default priority level and is predetermined by the owner of the VPN gateway;
  
  using the SPMS to reconfigure network elements in the access network to permit the traffic flow to the VPN gateway at the new priority level;
  
  using the SPMS to mark the packets from the end user device in the egress port with the new priority level before sending the packets to the VPN gateway; and
  
  maintaining the traffic flow for a session between the VPN gateway and the end user device at the new priority level until the deep packet inspector determines that there is no traffic flow over the VPN gateway other than traffic flow not initiated by a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - determining whether the packets have a source address for which the session with the VPN gateway is not currently being maintained.
  - 3. The method of claim 1, further comprising:
    - monitoring the traffic flow for the session using deep packet inspection; and
      
      terminating the session when monitoring of the traffic flow for the session indicates a lack of traffic, other than keep-alive traffic, over the traffic flow for a configured duration.
  - 4. The method of claim 1, further comprising:
    - informing a billing system that the session is maintained at a priority level higher than a default priority level.
  - 5. The method of claim 4, further comprising:
    - informing the billing system of user identification information.
  - 6. The method of claim 1, further comprising:
    - when it is inferred that the request was rejected by the VPN gateway, determining whether the rejection of the request has characteristics of a denial-of-service attack; and
      
      when the rejection of the request has characteristics of the denial-of-service attack, rate limiting within the access network the traffic flow from the end user device.
  - 7. The method of claim 6, further comprising:
    - recording the rejections of the requests; and
      
      when the number of the rejections of the requests exceeds a configured count, determining that the rejection of the request has the characteristics of the denial-of-service attack.
  - 8. The method of claim 6, further comprising:
    - recording the rejections of the requests; and
      
      when the rate of the rejections of the requests is inconsistent with a human interface at the end user device, determining that the rejection of the request has the characteristics of the denial-of-service attack.
  - 9. The method of claim 1, further comprising:
    - preferentially allocating backup power to network elements carrying the traffic flow.

10. A system in an access network for prioritizing a traffic flow in a packet communication system destined for a receiving sub-network hosting a virtual private network (VPN) gateway, the system comprising:
- a subscriber and policy management system (SPMS) that reconfigures network elements within the access network and marks packets from an end user device in an egress port to maintain the traffic flow for a session at a new priority level higher than a default priority level, wherein the new priority level is predetermined by the owner of the VPN gateway;
  
  a first gateway in the access network that forwards the traffic flow to the VPN gateway;
  
  an edge router that forwards the traffic flow to the first gateway in the access network;
  
  means at the VPN gateway in the access network that determine whether the packets from the end user device are requesting a new session with the VPN gateway;
  
  a deep packet inspector in the access network that non-invasively and, independently of any shared secrets between the VPN gateway and the end user device, infers from the packets requesting the new session whether the request was accepted by the VPN gateway by monitoring both the traffic flow passing through an egress port to the receiving sub-network and the traffic flow coming from the receiving sub-network through the egress port; and
  
  means at the VPN gateway to inform the SPMS that the session is to be given the new priority level after it is inferred that the packets requesting the new session were accepted by the VPN gateway until the deep packet inspector determines that there is no traffic flow over the VPN gateway other than traffic flow not initiated by a user.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The system of claim 10, wherein the first gateway in the access network furthering comprises:
    - a port within the edge router.
  - 12. The system of claim 10, wherein the SPMS further comprises:
    - a database that associates a parameter associated with an end user port with either a specific data flow or a virtual path.
  - 13. The system of claim 10, further comprising:
    - a plurality of VPN gateways, each of the VPN gateways having at least one respective address.
  - 14. The system of claim 10, wherein the deep packet inspector is within the edge router.
  - 15. The system of claim 10, wherein the edge router forwards VPN establishment requests through the first gateway.
  - 16. The system of claim 10, wherein the deep packet inspector determines that the new session is established after identifying new source addresses in packets destined for the VPN gateway.
  - 17. The system of claim 10, wherein the deep packet inspector determines that the new session is not established after identifying packet sequences for an authentication rejection.
  - 18. The system of claim 10, further comprising:
    - an alternate gateway that is used when the first gateway is either unavailable or unreachable.
  - 19. The system of claim 10, wherein the deep packet inspector is turned on during a state of emergency.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Krstulich, Zlatko
Primary Examiner(s)
Ryman; Daniel J
Assistant Examiner(s)
BLANTON, JOHN D

Application Number

US11/324,314
Publication Number

US 20070153798A1
Time in Patent Office

1,854 Days
Field of Search

370/392, 370/235, 370/252
US Class Current

370/235
CPC Class Codes

H04L 12/2898   Subscriber equipments DSL m...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/5003   Managing SLA; Interaction b...

H04L 41/5009   Determining service level p...

H04L 41/5022   by giving priorities, e.g. ...

H04L 43/16   Threshold monitoring

H04L 47/10   Flow control; Congestion co...

H04L 47/2433   Allocation of priorities to...

H04L 47/2483   involving identification of...

H04L 47/2491   Mapping quality of service ...

H04L 47/70   Admission control; Resource...

H04L 47/805   QOS or priority aware

H04L 47/825   Involving tunnels, e.g. MPLS

H04L 63/0272   Virtual private networks

System and method for prioritization of traffic through internet access network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

279 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

System and method for prioritization of traffic through internet access network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

279 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others