Secure virtual community network system

US 7,949,785 B2
Filed: 03/31/2003
Issued: 05/24/2011
Est. Priority Date: 03/31/2003
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A virtual network system, comprising:

a virtual network manager implemented with a first device memory and a first device processor of a first computing device, the virtual network manager configured to register devices in a virtual network that is defined by a domain name, each device in the virtual network being identified to the other devices by a virtual network address that is unique for each device and not directly routable via a public network, the virtual network manager further configured to distribute a virtual network address to a device when the device is registered in the virtual network;

a route director implemented with a second device memory and a second device processor of a second computing device, the route director configured to communicate data between the devices that are registered in the virtual network, the data being communicated as encapsulated packets from a source device to a destination device, an encapsulated packet including a first virtual network address that corresponds to the source device and a second virtual network address that corresponds to the destination device; and

the virtual network manager further configured to receive a DNS request from the source device, and return a public network address of the route director, a private network address for the destination device, and the second virtual network address that corresponds to the destination device.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A private virtual dynamic network is provided for computing devices coupled to public networks or private networks. This enables computing devices anywhere in the world to join into private enterprise intranets and communicate with each other. In one embodiment, the present invention provides a separate private virtual address realm, seen to each user as a private network, while seamlessly crossing public and private network boundaries. One implementation of the present invention uses an agent to enable an entity to participate in the network without requiring the member to add new hardware or software.

271 Citations

90 Claims

1. A virtual network system, comprising:
- a virtual network manager implemented with a first device memory and a first device processor of a first computing device, the virtual network manager configured to register devices in a virtual network that is defined by a domain name, each device in the virtual network being identified to the other devices by a virtual network address that is unique for each device and not directly routable via a public network, the virtual network manager further configured to distribute a virtual network address to a device when the device is registered in the virtual network;
  
  a route director implemented with a second device memory and a second device processor of a second computing device, the route director configured to communicate data between the devices that are registered in the virtual network, the data being communicated as encapsulated packets from a source device to a destination device, an encapsulated packet including a first virtual network address that corresponds to the source device and a second virtual network address that corresponds to the destination device; and
  
  the virtual network manager further configured to receive a DNS request from the source device, and return a public network address of the route director, a private network address for the destination device, and the second virtual network address that corresponds to the destination device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The system of claim 1 wherein each of the devices communicate with the virtual network manager and the other devices in the virtual network via an associated agent.
  - 3. The system of claim 2 wherein the associated agent is installed on a proxy device which is a proxy agent for one or more of the devices in the virtual network with respect to the virtual network manager and the route director.
  - 4. The system of claim 2 wherein the virtual network manager is further configured to:
    - receive a request from the agent associated with a device in a private network to register the device in the virtual network; and
      
      detect a presence of a NAT device via which the request is routed from the agent to the virtual network manager.
  - 5. The system of claim 4 wherein the virtual network manager is further configured to receive the request from the agent as a message, and detect the presence of the NAT device by comparing a field in a payload of the message with a source address in a header of the message.
  - 6. The system of claim 1 wherein each of the devices include an agent configured to communicate with the virtual network manager and agents of the other devices in the virtual network.
  - 7. The system of claim 1 wherein the virtual network manager is coupled to the public network and has an associated public network address.
  - 8. The system of claim 1 wherein the route director is further configured to receive the encapsulated packets when routed to a public network address corresponding to the route director.
  - 9. The system of claim 1 wherein each of the devices in the virtual network are further identified by at least one physical network address.
  - 10. The system of claim 9 wherein the physical network addresses that are associated with the devices in the virtual network are dynamic.
  - 11. The system of claim 9 wherein the physical network addresses that are associated with the devices in the virtual network are static.
  - 12. The system of claim 9 wherein the physical network addresses that are associated with the devices in the virtual network are private network addresses, and wherein the virtual network addresses are unique in the virtual network so as not to conflict with the private network addresses.
  - 13. The system of claim 9 wherein the source device is coupled to a first private network and accesses a public network via a first NAT device configured to transmit the encapsulated packets, an encapsulated packet further including the physical network address of the source device as a private network address in the first private network.
  - 14. The system of claim 13 wherein the physical network address of the source device is dynamic.
  - 15. The system of claim 13 wherein the physical network address of the source device is static.
  - 16. The system of claim 13 wherein the destination device is coupled to a second private network and accesses the public network via a second NAT device, the encapsulated packet further including the physical network address of the destination device as a private network address in the second private network.
  - 17. The system of claim 16 wherein the physical network address of the destination device is dynamic.
  - 18. The system of claim 16 wherein the physical network address of the destination device is static.
  - 19. The system of claim 16 wherein said first private network and said second private network share at least one network address.
  - 20. The system of claim 1 wherein the route director is further configured to:
    - provide a device-specific pseudo address assignment for the device in the virtual network when the device communicates with the route director via a NAT device; and
      
      store an association of the device-specific pseudo address with a public network address of the NAT device and a port number of the NAT device.
  - 21. The system of claim 1 wherein the route director includes a translator for virtual network address information for a device in the virtual network that is implemented in a private network.
  - 22. The system of claim 1 wherein the virtual network manager is coupled to the public network and includes a public network address.
  - 23. The system of claim 22 wherein the route director is coupled to the public network and includes a different public network address than the public network address of the virtual network manager.
  - 24. The system of claim 22 wherein the route director is coupled to a private network and includes a private network address.
  - 25. The system of claim 1 wherein the encapsulated packets further include virtual IP packets configured for communication of the data, the virtual IP packets being encrypted prior to being encapsulated.
  - 26. The system of claim 25 wherein the virtual IP packets are encrypted using IPSEC.
  - 27. The system of claim 25 wherein the virtual IP packets are encrypted using DES or triple DES.
  - 28. The system of claim 1 wherein the virtual network manager includes a virtual community definition that is defined by the domain name, and includes one or more of the devices that are registered in the virtual network.
  - 29. The system of claim 1 wherein the route director is a public route director in the public network, the system further comprising a private route director in a private network configured to enable access to devices of the private network that are also in the virtual network from devices of the public network that are also in the virtual network.

30. A virtual network manager, comprising:
- a network interface configured for data communication via a virtual network that is defined by a domain name having an associated public network address;
  
  a memory and a processor to implement a register module configured to register devices in a virtual network, the register module further configured to;
  
  receive a registration request from an agent associated with a device;
  
  distribute a virtual network address to the device when the device is registered in the virtual network, the device being identified to other devices in the virtual network by the virtual network address; and
  
  a DNS server for the virtual network, the DNS server configured to receive a DNS request from a first device in the virtual network, and return a network address associated with a network route director, a private network address associated with a second device in the virtual network, and a virtual network address associated with the second device.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37)
- - 31. The virtual network manager of claim 30 further comprising an additional network interface configured for data communication via a public network.
  - 32. The virtual network manager of claim 31 wherein the network interface is a UDP port configured for data communication via the virtual network, and wherein the additional network interface is a TCP port configured for registration communications via the public network.
  - 33. The virtual network manager of claim 30 wherein the network interface is a UDP port configured for data communication via the virtual network.
  - 34. The virtual network manager of claim 30 wherein the register module is further configured to receive the registration request from the agent that is installed on the device for data communication via the virtual network.
  - 35. The virtual network manager of claim 30 further comprising a join module configured to receive a join request from the agent associated with the device to indicate that the device is connected for data communication within the virtual network, the join module further configured to receive a leave request from the agent associated with the device to indicate that the device will be disconnected from data communication within the virtual network.
  - 36. The virtual network manager of claim 35 wherein the join module is further configured to provide virtual network addresses to the devices that are registered in the virtual network.
  - 37. The virtual network manager of claim 35 wherein the join module is further configured to maintain data to associate a virtual network address with a device in the virtual network.

38. A virtual network system, comprising:
- a computing device that includes at least a memory and a processor configured to implement a network manager of a virtual network that is defined by a public domain name, the network manager configured to distribute virtual network addresses to devices that register as members in the virtual network, each device in the virtual network being identified to the other devices by a virtual network address associated with the device;
  
  a first virtual network agent associated with a first device that is registered as a member in the virtual network;
  
  at least a second virtual network agent associated with at least a second device that is registered as a member in the virtual network;
  
  a route director configured to route communications between the first device and the at least second device in the virtual network via the respective first and second virtual network agents, the communications configured for routing as encapsulated packets that include a first virtual network address that is not directly routable corresponding to the first device and a second virtual network address that is not directly routable corresponding to the at least second device; and
  
  the network manager includes a DNS server configured to provide authoritative responses for DNS queries in the virtual network, the DNS server further configured to receive a DNS query from the first device and return a network address of the route director, a network address of the second device, and the virtual network address of the second device.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 39. The system of claim 38 wherein the route director is a public network route director that includes a public network interface and the network address is a public network address by which the first and second virtual network agents communicate with the public network route director.
  - 40. The system of claim 38 wherein the route director is a private route director that includes a private physical network interface and the network address is a private physical network address.
  - 41. The system of claim 38 wherein the first virtual network agent is installed on the first device for data communication via the virtual network.
  - 42. The system of claim 41 wherein the first device is in a private physical network, has an associated private network address, and has the associated virtual network address that is not directly routable by which the first device can be identified by the at least second virtual network agent from outside of the private physical network.
  - 43. The system of claim 41 wherein the first device is coupled to a public physical network, has an associated public network address, and has the associated virtual network address by which the first device can be identified by the at least second virtual network agent.
  - 44. The system of claim 38 wherein the first virtual network agent is a proxy agent for the first device with respect to the network manager and the route director.
  - 45. The system of claim 38 wherein the first and second devices are configured to access the virtual network from separate private address physical realms.
  - 46. The system of claim 38 wherein the network manager includes at least a first community definition and a second community definition, the first community definition being defined by the public domain name and includes one or more of the devices that are registered in the virtual network, and the second community definition being defined by a different public domain name and includes one or more different devices that are registered in the virtual network.
  - 47. The system of claim 38 wherein the network manager includes a member authenticator configured to authenticate the devices that request to register with the network manager.

48. A computer-implemented method, comprising:
- receiving registration requests from devices that request to be registered as members of a virtual network that is defined by a domain name having an associated public network address in a public network, each of the devices having an associated private network address;
  
  distributing a virtual network address to a device to register the device as a member in the virtual network, each device in the virtual network being identified to the other devices by the virtual network address that is associated with the device;
  
  routing communications between the devices that are registered in the virtual network, the communications being routed as encapsulated packets from a source device to a destination device, an encapsulated packet including a first virtual network address that corresponds to the source device and a second virtual network address that corresponds to the destination device; and
  
  transmitting a response to a DNS request received from one of the devices that are the members in the virtual network, the response to the DNS request including a public network address of a route director that registers the devices, a public network address of the destination device, and the second virtual network address that corresponds to the destination device.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 49. The method of claim 48 further comprising providing the devices in the virtual network with a communication agent.
  - 50. The method of claim 49 wherein said providing the devices in the virtual network with a communication agent includes providing a proxy agent.
  - 51. The method of claim 48 further comprising authenticating the devices as the members in the virtual network.
  - 52. The method of claim 48 further comprising defining a member set of the virtual network that includes one or more of the devices, and assigning the domain name that defines the virtual network.
  - 53. The method of claim 48 further comprising defining at least two member sets of the virtual network that each include one or more of the devices, the at least two member sets having at least one different device.
  - 54. The method of claim 48 further comprising assigning the virtual network address to the device as an IPV4 compliant address.
  - 55. The method of claim 54 wherein the IPV4 compliant address is non-routable.
  - 56. The method of claim 48 further comprising routing network traffic via the public network from a first device having a public network address to a second device having a different public network address, the network traffic being routed as data packets having a source address which is the virtual network address of the first device and a destination address which is the virtual network address of the second device, the data packets being encapsulated to include a second source address which is a public network address of the first device and a second destination address which is the different public network address of the second device.
  - 57. The method of claim 48 further comprising routing network traffic from a first device in a private physical network having a private network address to a second device having a public network address, the network traffic being routed as data packets having a source address which is the virtual network address of the first device, a destination address which is the virtual network address of the second device, and a shim which includes the private network address, the data packets being encapsulated to include a second destination address which is the public network address of the second device.
  - 58. The method of claim 48 further comprising routing network traffic from a first device in a private physical network having a first private network address to a second device in a different private physical network having a second private network address, the network traffic being routed as encapsulated packets having a source address which is the virtual network address of the first device, a destination address which is the virtual network address of the second device, and a shim which includes the first and second private network addresses.
  - 59. The method of claim 58 wherein the first private network address and the second private network address are identical.
  - 60. The method of claim 48 further comprising:
    - receiving a join status request from a first device in the virtual network as a query to determine the status of a second device in the virtual network; and
      
      responding to the join status request to indicate whether or not the second device is joined to the virtual network for data communication.
  - 61. The method of claim 48 further comprising applying a group policy to the devices that are registered as the members of the virtual network.

62. One or more processor readable storage media devices comprising processor readable code that, if executed by a computer device, implements a virtual network manager to:
- receive registration requests from devices that request to be registered as members of a virtual network that is defined by a domain name having an associated public network address in a public network, each of the devices having an associated private network address;
  
  distribute a virtual network address to a device to register the device as a member in the virtual network, each device in the virtual network being identified to the other devices by the virtual network address that is associated with the device;
  
  manage communications routed between the devices that are registered in the virtual network, the communications routed as encapsulated packets from a source device to a destination device, an encapsulated packet including a first virtual network address that corresponds to the source device and a second virtual network address that corresponds to the destination device; and
  
  transmit a response to a DNS request received from one of the devices that are the members in the virtual network, the response to the DNS request including a public network address of the virtual network manager, a public network address of the destination device, and the second virtual network address that corresponds to the destination device.
- View Dependent Claims (63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74)
- - 63. One or more processor readable storage media devices as recited in claim 62 further comprising processor readable code that, if executed, implements the virtual network manager to provide the devices in the virtual network with a communication agent.
  - 64. One or more processor readable storage media devices as recited in claim 63 wherein the virtual network manager provides the as a proxy agent.
  - 65. One or more processor readable storage media devices as recited in claim 62 further comprising processor readable code that, if executed, implements the virtual network manager to define a member set of the virtual network that includes one or more of the devices, and the domain name that defines the virtual network.
  - 66. One or more processor readable storage media devices as recited in claim 62 wherein the virtual network address includes a non-routable IPV4 compliant address.
  - 67. One or more processor readable storage media devices as recited in claim 62 further comprising processor readable code that, if executed, implements the virtual network manager to route network traffic via the public network from a first device having a public network address to a second device having a different public network address.
  - 68. One or more processor readable storage media devices as recited in claim 62 further comprising processor readable code that, if executed, implements the virtual network manager to route network traffic from a first device in a private physical network having a private network address to a second device having a public network address.
  - 69. One or more processor readable storage media devices as recited in claim 62 further comprising processor readable code that, if executed, implements the virtual network manager to route network traffic from a first device in a private physical network having a first private network address to a second device in a different private physical network having a second private network address.
  - 70. One or more processor readable storage media devices as recited in claim 69 wherein the network traffic is routed to the first or second device via a NAT device.
  - 71. One or more processor readable storage media devices as recited in claim 69 wherein the first private network address and the second private network address are identical.
  - 72. One or more processor readable storage media devices as recited in claim 67 wherein the network traffic is routed as encapsulated data packets.
  - 73. One or more processor readable storage media devices as recited in claim 67 wherein the network traffic is routed as encrypted data traffic.
  - 74. One or more processor readable storage media devices as recited in claim 62 further comprising processor readable code that, if executed, implements the virtual network manager to apply a group policy to the devices that are registered as the members of the virtual network.

75. A virtual network system, comprising:
- a computing device that includes at least a memory and a processor configured to implement a virtual network manager having a network interface coupled to a virtual network, the virtual network manager including at least one virtual community definition that is defined by a domain name having an associated public network address and a user set of one or more devices that are registered in the virtual network, each device in the virtual network being identified to the other devices by a virtual network address that is associated with the device, the virtual network manager configured to exchange virtual network information with the one or more devices of the user set, the virtual network being accessible by devices in the user set and devices outside of the user set, and the virtual network manager further configured to receive a DNS request from a source device, and return a public network address of a route director, a private network address for a destination device, and a virtual network address that corresponds to the destination device.
- View Dependent Claims (76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90)
- - 76. The system of claim 75 wherein the virtual network manager includes a member register module.
  - 77. The system of claim 75 wherein the virtual network manager includes a member join module.
  - 78. The system of claim 77 wherein the member join module provides a virtual network address to a device that is registered as a member of the network.
  - 79. The system of claim 75 wherein the virtual network manager is further configured to maintain data on an association between at least one virtual network address with at least one device that is registered as a member of the network.
  - 80. The system of claim 75 wherein the virtual network manager includes a DNS server for the virtual community network.
  - 81. The system of claim 75 wherein the virtual network manager includes a NAT device detector for devices connecting with the virtual network manager behind a NAT device.
  - 82. The system of claim 75 wherein the virtual network manager includes at least a second virtual community definition.
  - 83. The system of claim 75 wherein the virtual network manager includes a member authenticator.
  - 84. The system of claim 75 wherein the virtual network manager includes a DNS server configured to provide authoritative responses for DNS queries from devices in the virtual community.
  - 85. The system of claim 75 further comprising at least one route director configured to communicate with the one or more devices in the user set.
  - 86. The system of claim 75 wherein each device registered in the network is configured to communicate with the virtual network manager and other devices in the user set via at least one agent.
  - 87. The system of claim 75 wherein the user set includes at least a first device and a second device, and wherein at least one of said first device and said second device is coupled to a first private network and accesses a public network via a NAT device.
  - 88. The system of claim 87 wherein said first device is coupled to said first private network, and said second device is coupled to a second private network and accesses the public network via a second NAT device.
  - 89. The system of claim 75 wherein communications between the one or more devices in the user set are encrypted.
  - 90. The system of claim 89 wherein the virtual network manager is configured to provide a shared message to the one or more devices in the user set to establish encrypted communications.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Inpro Network Facility LLC (Intellectual Ventures LLC)
Inventors
Alkhatib, Hasan S., Elwailly, Farid F., Tobagi, Fouad A.
Primary Examiner(s)
Blair; Douglas B

Application Number

US10/403,818
Publication Number

US 20040249911A1
Time in Patent Office

2,976 Days
Field of Search

709/245, 726/15
US Class Current

709/245
CPC Class Codes

G06Q 10/109 Time management, e.g. calen...

G06Q 30/02 Marketing; Price estimation...

Secure virtual community network system

First Claim

5 Assignments

Litigations

0 Petitions

Accused Products

Abstract

271 Citations

90 Claims

Specification

Solutions

Use Cases

Quick Links

Secure virtual community network system

First Claim

5 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

271 Citations

90 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links