System and method for protected spoke to spoke communication using an unprotected computer network
First Claim
1. A method comprising:
- registering a spoke with a hub;
- updating a hub registration table with spoke registration information;
- sending the updated hub registration table to a plurality of registered spokes;
- using information in the updated hub registration table at a sending spoke to resolve an address of a receiving spoke without accessing the hub, the information in the updated hub registration table at the sending spoke including information sufficient to resolve the address of the receiving spoke even if the sending spoke has not previously sent traffic to the receiving spoke since the sending spoke registered with the hub;
- using information in the updated hub registration table at the sending spoke to encrypt traffic to be sent to the receiving spoke without accessing the hub; and
- sending the encrypted traffic directly to the receiving spoke without sending the encrypted traffic via the hub.
Abstract
Various embodiments of the disclosed subject matter provide methods and systems for improved efficiency and security in spoke-to-spoke network communication. Embodiments provide systems and methods for registering a spoke with a hub, updating a hub registration table with spoke registration information, sending the updated hub registration table to a plurality of registered spokes, using the updated hub registration table at a sending spoke to encrypt traffic to be sent to another spoke, and using the updated hub registration table at a receiving spoke to decrypt traffic received from another spoke.
30 Citations
31 Claims
1. (Independent claim; reproduced in full under First Claim above.)
(Dependent claims: 2, 3, 5, 6, 7, 8)
4. The method as claimed in claim 1, including:
- obtaining a subnet and a corresponding public key value of the receiving spoke from the updated hub registration table at the sending spoke without accessing the hub;
- combining the public key value of the receiving spoke with a private key value of the sending spoke to form an encryption key;
- using the encryption key to create a tunnel to the receiving spoke; and
- sending the encrypted traffic via the tunnel without transiting the hub.
9. A method comprising:
- registering a first spoke with a hub by providing to the hub first spoke registration information including an IP address, a subnet, and a public key value for the first spoke;
- receiving an updated hub registration table from the hub, the updated hub registration table including spoke registration information for a plurality of spokes;
- using information in the updated hub registration table at the first spoke to resolve an address of a second spoke without accessing the hub, the information in the updated hub registration table at the first spoke including information sufficient to resolve the address of the second spoke even if the first spoke has not previously sent traffic to the second spoke since the first spoke registered with the hub;
- using information in the updated hub registration table at the first spoke to encrypt traffic to be sent to a second spoke without accessing the hub; and
- sending the encrypted traffic directly from the first spoke to the second spoke without sending the encrypted traffic via the hub.
(Dependent claims: 10, 11)
12. A method comprising:
- determining if a tunnel has been established between a first spoke and a second spoke; and
- if a tunnel has not been established between the first spoke and the second spoke:
  - obtaining a subnet address and a corresponding public key value of the second spoke from a hub registration table at the first spoke without accessing the hub;
  - combining the public key value of the second spoke with a private key value of the first spoke to form an encryption key;
  - using the encryption key to create a tunnel between the first spoke and the second spoke;
  - using information in the hub registration table at the first spoke to encrypt traffic to be sent to the second spoke without accessing the hub, the information in the hub registration table at the first spoke including information sufficient to encrypt traffic to be sent to the second spoke even if the first spoke has not previously sent traffic to the second spoke since the first spoke registered with the hub; and
  - sending the encrypted traffic directly from the first spoke to the second spoke without sending the encrypted traffic via a hub.
(Dependent claims: 13, 14)
15. A method comprising:
- receiving encrypted traffic from a first spoke;
- determining if a tunnel has been established between the first spoke and a second spoke; and
- if a tunnel has not been established between the first spoke and the second spoke:
  - obtaining an IP address of the first spoke and a corresponding public key value of the first spoke from a hub registration table at the second spoke without accessing the hub;
  - combining the public key value of the first spoke with a private key value of the second spoke to form a decryption key;
  - using the decryption key to create a tunnel between the first spoke and the second spoke; and
  - using information in the hub registration table at the second spoke to decrypt traffic received from the first spoke without accessing the hub, the information in the hub registration table at the second spoke including information sufficient to decrypt traffic received from the first spoke even if the second spoke has not previously received traffic from the first spoke since the second spoke registered with the hub, the encrypted traffic being received directly from the first spoke at the second spoke without being sent via a hub.
(Dependent claims: 16, 17)
18. An apparatus comprising:
- means for registering a spoke with a hub;
- means for updating a hub registration table with spoke registration information;
- means for sending the updated hub registration table to a plurality of registered spokes;
- means for using information in the updated hub registration table at a sending spoke to resolve an address of a receiving spoke without accessing the hub, the information in the updated hub registration table at the sending spoke including information sufficient to resolve the address of the receiving spoke even if the sending spoke has not previously sent traffic to the receiving spoke since the sending spoke registered with the hub;
- using information in the updated hub registration table at the sending spoke to encrypt traffic to be sent to the receiving spoke without accessing the hub; and
- means for sending the encrypted traffic directly to a receiving spoke without sending the encrypted traffic via the hub.
(Dependent claims: 19, 20, 21, 22)
23. An apparatus comprising:
- means for receiving encrypted traffic from a first spoke;
- means for determining if a tunnel has been established between the first spoke and a second spoke; and
- if a tunnel has not been established between the first spoke and the second spoke:
  - means for obtaining an IP address of the first spoke and a corresponding public key value of the first spoke from a hub registration table at the second spoke without accessing the hub;
  - means for combining the public key value of the first spoke with a private key value of the second spoke to form a decryption key;
  - means for using the decryption key to create a tunnel between the first spoke and the second spoke; and
  - means for using information in the hub registration table at the second spoke to decrypt traffic received from the first spoke without accessing the hub, the information in the hub registration table at the second spoke including information sufficient to decrypt traffic received from the first spoke even if the second spoke has not previously received traffic from the first spoke since the second spoke registered with the hub, the encrypted traffic being received directly from the first spoke at the second spoke without being sent via a hub.
(Dependent claims: 24, 25)
26. An article of manufacture comprising at least one non-transitory machine readable storage medium having one or more computer programs stored thereon and operable on one or more computing systems to:
- register a spoke with a hub;
- update a hub registration table with spoke registration information;
- send the updated hub registration table to a plurality of registered spokes;
- use information in the updated hub registration table at a sending spoke to resolve an address of a receiving spoke without accessing the hub, the information in the updated hub registration table at the sending spoke including information sufficient to resolve the address of the receiving spoke even if the sending spoke has not previously sent traffic to the receiving spoke since the sending spoke registered with the hub;
- use information in the updated hub registration table at the sending spoke to encrypt traffic to be sent to the receiving spoke without accessing the hub; and
- send the encrypted traffic directly to a receiving spoke without sending the encrypted traffic via the hub.
(Dependent claims: 27)
28. An article of manufacture comprising at least one machine readable storage medium having one or more computer programs stored thereon and operable on one or more computing systems to:
- receive encrypted traffic from a first spoke;
- determine if a tunnel has been established between the first spoke and a second spoke; and
- if a tunnel has not been established between the first spoke and the second spoke:
  - obtain an IP address of the first spoke and a corresponding public key value of the first spoke from a hub registration table at the second spoke without accessing the hub;
  - combine the public key value of the first spoke with a private key value of the second spoke to form a decryption key;
  - use the decryption key to create a tunnel between the first spoke and the second spoke; and
  - use information in the hub registration table at the second spoke to decrypt traffic received from the first spoke without accessing the hub, the information in the hub registration table at the second spoke including information sufficient to decrypt traffic received from the first spoke even if the second spoke has not previously received traffic from the first spoke since the second spoke registered with the hub, the encrypted traffic being received directly from the first spoke at the second spoke without being sent via a hub.
(Dependent claims: 29)
30. A system comprising:
- a hub to retain a hub registration table; and
- one or more spokes in data communication with the hub via a network, the spokes being programmed to:
  - register with the hub;
  - receive an updated hub registration table from the hub;
  - use information in the updated hub registration table at a sending spoke to resolve an address of a receiving spoke without accessing the hub, the information in the updated hub registration table at the sending spoke including information sufficient to resolve the address of the receiving spoke even if the sending spoke has not previously sent traffic to the receiving spoke since the sending spoke registered with the hub;
  - use information in the updated hub registration table at the sending spoke to encrypt traffic to be sent to the receiving spoke without accessing the hub; and
  - send the encrypted traffic directly to a receiving spoke without sending the encrypted traffic via the hub.
(Dependent claims: 31)
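The following simulation is an added example, not code from the patent or its assignee. It walks through the mechanism the abstract and claims 1, 4, 12 and 15 describe: spokes register an IP address, subnet and public key value with the hub; the hub pushes the updated registration table to every registered spoke; a sending spoke resolves the receiving spoke's address from its local copy of the table, combines the peer's public key value with its own private key value to form a tunnel key, and sends directly over the unprotected network; the receiver does the mirror-image derivation on first contact. The `Hub`, `Spoke` and `NETWORK` names, the toy Diffie-Hellman group (a 127-bit prime, not a production parameter set) and the SHA-256 counter-mode cipher with an HMAC tag are all assumptions made for the demo, and the addresses are constructed from documentation and private ranges. Beyond what the claims state, the example also shows what the tag check buys on an unprotected network: a packet modified in transit is rejected before decryption.

```python
"""Constructed simulation of hub registration table distribution and direct
spoke-to-spoke tunnels. Not the patent's code; all names and parameters here
are assumptions for illustration."""
import hashlib
import hmac
import ipaddress
import secrets

# Toy Diffie-Hellman group for illustration only (127-bit Mersenne prime, g = 3).
# A real deployment would use X25519 or an RFC 3526 MODP group.
P = (1 << 127) - 1
G = 3

NETWORK = {}  # public IP -> Spoke; stands in for the unprotected network


def _keystream(key, nonce, length):
    """SHA-256 counter-mode keystream: a toy cipher used only for the demo."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]


class Hub:
    """Retains the registration table and pushes every update to all spokes."""

    def __init__(self):
        self.table = {}   # spoke_id -> {"ip", "subnet", "pub"}
        self.spokes = {}  # spoke_id -> Spoke, used only for the table push

    def register(self, spoke):
        """Registration: record IP, subnet and public key value, then push the table."""
        self.spokes[spoke.spoke_id] = spoke
        self.table[spoke.spoke_id] = {"ip": spoke.ip, "subnet": spoke.subnet, "pub": spoke.pub}
        for s in self.spokes.values():  # send updated table to all registered spokes
            s.receive_table(dict(self.table))


class Spoke:
    def __init__(self, spoke_id, ip, subnet):
        self.spoke_id, self.ip = spoke_id, ip
        self.subnet = ipaddress.ip_network(subnet)
        self.priv = secrets.randbelow(P - 2) + 2  # private key value, never leaves the spoke
        self.pub = pow(G, self.priv, P)           # public key value given to the hub
        self.table, self.tunnels, self.inbox = {}, {}, []
        NETWORK[ip] = self

    def receive_table(self, table):
        self.table = table  # local copy; every later lookup is answered from here

    def _resolve_by_subnet(self, dest_host):
        """Resolve the spoke whose registered subnet contains dest_host, without the hub."""
        addr = ipaddress.ip_address(dest_host)
        for sid, e in self.table.items():
            if sid != self.spoke_id and addr in e["subnet"]:
                return sid, e
        raise KeyError(f"no registered spoke for {dest_host}")

    def _resolve_by_ip(self, spoke_ip):
        """Receiver side: identify the sending spoke by its registered IP address."""
        for sid, e in self.table.items():
            if e["ip"] == spoke_ip:
                return sid, e
        raise KeyError(f"unknown spoke {spoke_ip}")

    def _tunnel_keys(self, peer_id, peer_pub):
        """Combine the peer's public value with our private value; both ends derive the same keys."""
        if peer_id not in self.tunnels:  # no tunnel yet: establish it on first contact
            shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")
            self.tunnels[peer_id] = (hashlib.sha256(b"enc" + shared).digest(),
                                     hashlib.sha256(b"mac" + shared).digest())
        return self.tunnels[peer_id]

    def send(self, dest_host, plaintext):
        peer_id, e = self._resolve_by_subnet(dest_host)
        enc, mac = self._tunnel_keys(peer_id, e["pub"])
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
        tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        packet = (self.ip, nonce, ct, tag)
        NETWORK[e["ip"]].receive(packet)  # delivered directly, never via the hub
        return packet

    def receive(self, packet):
        src_ip, nonce, ct, tag = packet
        peer_id, e = self._resolve_by_ip(src_ip)
        enc, mac = self._tunnel_keys(peer_id, e["pub"])
        if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("authentication failed; packet dropped")
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
        self.inbox.append(pt)
        return pt


def _build_pair():
    """Constructed topology: one hub, two spokes on documentation addresses."""
    hub, a, b = Hub(), Spoke("A", "203.0.113.10", "10.1.0.0/24"), Spoke("B", "203.0.113.20", "10.2.0.0/24")
    hub.register(a)
    hub.register(b)
    return hub, a, b


def demo():
    """First packet A -> B with no tunnel yet. Returns (plaintext seen at B, keys agree)."""
    _, a, b = _build_pair()
    a.send("10.2.0.5", b"hello from 10.1.0.7")
    return b.inbox[-1], a.tunnels["B"] == b.tunnels["A"]


def tamper_rejected():
    """A packet altered on the unprotected network fails the tag check at B."""
    _, a, b = _build_pair()
    src, nonce, ct, tag = a.send("10.2.0.5", b"payload")
    try:
        b.receive((src, nonce, bytes([ct[0] ^ 1]) + ct[1:], tag))
    except ValueError:
        return True
    return False
```

The hub object takes no part in `send` or `receive`: once the table has been pushed, every resolution and key derivation is answered from the spoke's local copy, which is the property the claims emphasise. Tunnel state is keyed per peer, so the derivation runs once on first contact and is reused afterwards; a deployment would add nonce uniqueness tracking and key rotation, which this toy omits.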
Specification