Dynamic network tunnel endpoint selection

US 8,261,339 B2
Filed: 12/14/2010
Issued: 09/04/2012
Est. Priority Date: 07/26/2007
Status: Active Grant

First Claim

Patent Images

1. A system for establishing a network tunnel across an untrusted network environment, comprisinga computer comprising a processor;

andinstructions which are executable, using the processor, to implement functions comprising;

dynamically selecting, from among a plurality of selectable tunnel endpoints through which a destination host located in an enterprise network is reachable from a client located outside the enterprise network, a particular one of the selectable tunnel endpoints to serve as a gateway for tunneling into the enterprise network, wherein the particular one has a lowest cost for reaching the destination host, according to cost metric information associated with reaching the destination host from each of the selectable tunnel endpoints; and

establishing the network tunnel from the client to the particular one of the selectable tunnel endpoints.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Dynamically selecting an endpoint for a tunnel into an enterprise computing infrastructure. A client dynamically selects a gateway (which may alternatively be referred to as a boundary device or server) as a tunnel endpoint for connecting over a public network (or, more generally, an untrusted network) into an enterprise computing infrastructure. The selection is made, in preferred embodiments, according to least-cost routing metrics pertaining to paths through the enterprise network from the selected gateway to a destination host. The least-cost routing metrics may be computed using factors such as the proximity of selectable tunnel endpoints to the destination host; stability or redundancy of network resources for this gateway; monetary costs of transmitting data over a path between the selectable tunnel endpoints and destination host; congestion on that path; hop count for that path; and/or latency or transmit time for data on that path.

Citations

20 Claims

1. A system for establishing a network tunnel across an untrusted network environment, comprisinga computer comprising a processor;
- andinstructions which are executable, using the processor, to implement functions comprising;
  
  dynamically selecting, from among a plurality of selectable tunnel endpoints through which a destination host located in an enterprise network is reachable from a client located outside the enterprise network, a particular one of the selectable tunnel endpoints to serve as a gateway for tunneling into the enterprise network, wherein the particular one has a lowest cost for reaching the destination host, according to cost metric information associated with reaching the destination host from each of the selectable tunnel endpoints; and
  
  establishing the network tunnel from the client to the particular one of the selectable tunnel endpoints.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system according to claim 1, wherein the network tunnel is a virtual private network (“
    - VPN”
      
      ) tunnel.
  - 3. The system according to claim 1, wherein:
    - the selecting operates at the client;
      
      the establishing operates at the client to initiate the establishing of the network tunnel; and
      
      the cost metric information is specified in a data structure accessible to the client.
  - 4. The system according to claim 1, wherein the cost metric information comprises at least one of:
    - proximity of the selectable tunnel endpoints to the destination host;
      
      stability or redundancy of network resources associated with the selectable tunnel endpoints;
      
      monetary costs of transmitting data over a path between the selectable tunnel endpoints and the destination host;
      
      congestion on the path;
      
      hop count for the path; and
      
      transmit time for data on the path.
  - 5. The system according to claim 1, wherein:
    - each of the selectable tunnel endpoints is identified using a destination filter, the destination filter for each of the selectable tunnel endpoints comprising at least one of;
      
      an identification of the destination host;
      
      a source port number associated with an application that will use the tunnel;
      
      a destination port number associated with the application; and
      
      a destination subnet; and
      
      the selecting compares, for the dynamically selecting, an identification of the destination host to the destination filter for selected ones of the selectable tunnel endpoints until determining that the destination filter for the particular one of the selectable tunnel endpoints applies to the identified destination host.
  - 6. The system according to claim 5, wherein the dynamically selecting further comprises:
    - dynamically issuing a probe for cost metric information for reaching the destination host when a comparison of the identification of the destination host to the destination filter for the selectable tunnel endpoints determines that no destination filter matches the identified destination host; and
      
      performing the dynamically selecting using results received responsive to the dynamically-issued probe.
  - 7. The system according to claim 1, wherein the client is located in an untrusted network environment and the dynamically selecting occurs responsive to a notification sent to the client from an initial tunnel endpoint that serves as the gateway for tunneling into the enterprise network, wherein the notification directs the client to select a different tunnel endpoint as the gateway.
  - 8. The system according to claim 1, wherein the cost metric information associated with reaching the destination host from at least one of the selectable tunnel endpoints is periodically revised.
  - 9. The system according to claim 1, wherein:
    - the particular one of the selectable tunnel endpoints establishes a connection through the enterprise network to the destination host; and
      
      communications between the client and the destination host use the established network tunnel and the established connection.

10. A computer program product for establishing a network tunnel, the computer program product comprising at least one non-transitory computer-usable storage media storing computer-usable program code, wherein the computer-usable program code, when executed on a computer, causes the computer to:
- dynamically select, from among a plurality of selectable tunnel endpoints through which a destination host located in an enterprise network is reachable from a client located outside the enterprise network, a particular one of the selectable tunnel endpoints to serve as a gateway for tunneling into the enterprise network, wherein the particular one has a lowest cost for reaching the destination host, according to cost metric information associated with reaching the destination host from each of the selectable tunnel endpoints; and
  
  establish the network tunnel from the client to the particular one of the selectable tunnel endpoints.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The computer program product according to claim 10, wherein the network tunnel is a virtual private network (“
    - VPN”
      
      ) tunnel.
  - 12. The computer program product according to claim 10, wherein:
    - the dynamically selecting is performed by the client;
      
      the client then initiates the establishing of the network tunnel; and
      
      the cost metric information is specified in a data structure accessible to the client.
  - 13. The computer program product according to claim 10, wherein the cost metric information comprises at least one of:
    - proximity of the selectable tunnel endpoints to the destination host;
      
      stability or redundancy of network resources associated with the selectable tunnel endpoints;
      
      monetary costs of transmitting data over a path between the selectable tunnel endpoints and the destination host;
      
      congestion on the path;
      
      hop count for the path; and
      
      transmit time for data on the path.
  - 14. The computer program product according to claim 10, wherein each of the selectable tunnel endpoints is identified using a destination filter, the destination filter for each of the selectable tunnel endpoints comprising at least one of:
    - an identification of the destination host;
      
      a source port number associated with an application that will use the tunnel;
      
      a destination port number associated with the application; and
      
      a destination subnet.
  - 15. The computer program product according to claim 14, wherein dynamically selecting the particular one further comprises comparing an identification of the destination host to the destination filter for selected ones of the selectable tunnel endpoints until determining that the destination filter for the particular one of the selectable tunnel endpoints applies to the identified destination host.
  - 16. The computer program product according to claim 10, wherein:
    - the dynamically selecting is performed for each of a plurality of destination hosts located inside the enterprise network, thereby selecting at least two different ones of the selectable tunnel endpoints to serve as gateways for tunneling into the enterprise network from the client; and
      
      the establishing is performed, by the client, for each of the at least two different ones of the selectable tunnel endpoints, thereby enabling the client to communicate with each of the plurality of destination hosts using distinct network tunnels from the client to each of the at least two different ones.
  - 17. The computer program product according to claim 10, wherein:
    - dynamically selecting the particular one and establishing the network tunnel are performed by the client, the client being located in an untrusted network environment; and
      
      the cost metric information is distributed to the client upon detecting that the client is preparing to establish the network tunnel.
  - 18. The computer program product according to claim 10, wherein the network tunnel traverses an untrusted network.
  - 19. The computer program product according to claim 10, wherein the network tunnel traverses one of:
    - a private mobile radio network;
      
      a private enterprise network; and
      
      an i2 network.
  - 20. The computer program product according to claim 10, wherein:
    - the destination host is co-located with the particular one of the selectable tunnel endpoints; and
      
      communications between the client and the destination host use the established network tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Aldridge, M. Lynn, Dill, Peter C., Heninger, Ivan M., Kari, John D., Marano, Clifford D., Urgo, David M.
Primary Examiner(s)
Jung, David Y

Application Number

US12/968,200
Publication Number

US 20110083174A1
Time in Patent Office

630 Days
Field of Search

None
US Class Current

726/12
CPC Class Codes

H04L 63/0272 Virtual private networks

Dynamic network tunnel endpoint selection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic network tunnel endpoint selection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links