Dynamic network tunnel endpoint selection

US 7,992,201 B2
Filed: 07/26/2007
Issued: 08/02/2011
Est. Priority Date: 07/26/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of selecting a network tunnel endpoint to serve as a gateway through which a client located outside an enterprise network reaches a destination host located inside the enterprise network, comprising:

dynamically selecting, for the client from among a plurality of selectable tunnel endpoints through which the destination host is reachable, a particular one of the selectable tunnel endpoints to serve as the gateway for tunneling into the enterprise network, wherein the particular one has a lowest cost for reaching the destination host, according to cost metric information associated with reaching the destination host from each of the selectable tunnel endpoints; and

establishing the network tunnel from the client to the particular one of the selectable tunnel endpoints.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Dynamically selecting an endpoint for a tunnel into an enterprise computing infrastructure. A client dynamically selects a gateway (which may alternatively be referred to as a boundary device or server) as a tunnel endpoint for connecting over a public network (or, more generally, an untrusted network) into an enterprise computing infrastructure. The selection is made, in preferred embodiments, according to least-cost routing metrics pertaining to paths through the enterprise network from the selected gateway to a destination host. The least-cost routing metrics may be computed using factors such as the proximity of selectable tunnel endpoints to the destination host; stability or redundancy of network resources for this gateway; monetary costs of transmitting data over a path between the selectable tunnel endpoints and destination host; congestion on that path; hop count for that path; and/or latency or transmit time for data on that path.

53 Citations

View as Search Results

16 Claims

1. A computer-implemented method of selecting a network tunnel endpoint to serve as a gateway through which a client located outside an enterprise network reaches a destination host located inside the enterprise network, comprising:
- dynamically selecting, for the client from among a plurality of selectable tunnel endpoints through which the destination host is reachable, a particular one of the selectable tunnel endpoints to serve as the gateway for tunneling into the enterprise network, wherein the particular one has a lowest cost for reaching the destination host, according to cost metric information associated with reaching the destination host from each of the selectable tunnel endpoints; and
  
  establishing the network tunnel from the client to the particular one of the selectable tunnel endpoints.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein the network tunnel is a virtual private network (“
    - VPN”
      
      ) tunnel.
  - 3. The method according to claim 1, wherein the dynamically selecting is performed by the client, and the client then initiates the establishing of the network tunnel.
  - 4. The method according to claim 3, wherein the cost metric information is specified in a data structure accessible to the client.
  - 5. The method according to claim 1, wherein the cost metric information comprises at least one of:
    - proximity of the selectable tunnel endpoints to the destination host;
      
      stability or redundancy of network resources associated with the selectable tunnel endpoints;
      
      monetary costs of transmitting data over a path between the selectable tunnel endpoints and the destination host;
      
      congestion on the path;
      
      hop count for the path; and
      
      transmit time for data on the path.
  - 6. The method according to claim 1, wherein each of the selectable tunnel endpoints is identified using a destination filter, the destination filter for each of the selectable tunnel endpoints comprising at least one of:
    - an identification of the destination host;
      
      a source port number associated with an application that will use the tunnel;
      
      a destination port number associated with the application; and
      
      a destination subnet.
  - 7. The method according to claim 6, wherein the dynamically selecting further comprises:
    - dynamically issuing a probe for cost metric information for reaching the destination host when a comparison of the identification of the destination host to the destination filter for the selectable tunnel endpoints determines that no destination filter matches the identified destination host; and
      
      performing the dynamically selecting using results received responsive to the dynamically-issued probe.
  - 8. The method according to claim 6, wherein the dynamically selecting further comprises comparing an identification of the destination host to the destination filter for selected ones of the selectable tunnel endpoints until determining that the destination filter for the particular one of the selectable tunnel endpoints applies to the identified destination host.
  - 9. The method according to claim 1, further comprising:
    - performing the dynamically selecting for each of a plurality of destination hosts located inside the enterprise network, thereby selecting at least two different ones of the selectable tunnel endpoints to serve as gateways for tunneling into the enterprise network from the client; and
      
      performing the establishing, by the client, for each of the at least two different ones of the selectable tunnel endpoints, thereby enabling the client to communicate with each of the plurality of destination hosts using distinct network tunnels from the client to each of the at least two different ones.
  - 10. The method according to claim 1, wherein the client is located in an untrusted network environment and the dynamically selecting occurs responsive to a notification sent to the client from an initial tunnel endpoint that serves as the gateway for tunneling into the enterprise network, wherein the notification directs the client to select a different tunnel endpoint as the gateway.
  - 11. The method according to claim 1, wherein:
    - the dynamically selecting and the establishing are performed by the client, the client being located in an untrusted network environment; and
      
      the cost metric information is distributed to the client upon detecting that the client is preparing to establish the network tunnel.
  - 12. The method according to claim 1, wherein the network tunnel traverses an untrusted network.
  - 13. The method according to claim 1, wherein the network tunnel traverses one of:
    - a private mobile radio network;
      
      a private enterprise network; and
      
      an i2 network.
  - 14. The method according to claim 1, wherein the cost metric information associated with reaching the destination host from at least one of the selectable tunnel endpoints is periodically revised.
  - 15. The method according to claim 1, wherein:
    - the particular one of the selectable tunnel endpoints establishes a connection through the enterprise network to the destination host; and
      
      communications between the client and the destination host use the established network tunnel and the established connection.
  - 16. The method according to claim 1, wherein:
    - the destination host is co-located with the particular one of the selectable tunnel endpoints; and
      
      communications between the client and the destination host use the established network tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Heninger, Ivan M., Marano, Clifford D., Kari, John D., Urgo, David M., Aldridge, M. Lynn, Dill, Peter C.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US11/828,756
Publication Number

US 20090031415A1
Time in Patent Office

1,468 Days
Field of Search

726/15, 726/14, 726/11
US Class Current

726/15
CPC Class Codes

H04L 63/0272 Virtual private networks

Dynamic network tunnel endpoint selection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic network tunnel endpoint selection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links