Domain isolation through virtual network machines

US 8,271,680 B2
Filed: 11/11/2010
Issued: 09/18/2012
Est. Priority Date: 12/24/1998
Status: Expired due to Term

First Claim

Patent Images

1. A computerized method comprising:

communicating information flows through a single network device between different ones of a plurality of subscriber end stations and nodes of different virtual networks, wherein the single network device includes a plurality of virtual network machines that belong to different ones of the different virtual networks, wherein a subscriber corresponding to each of the plurality of subscriber end stations is currently coupled to one of the plurality of virtual network machines through a different dynamic binding and that virtual network machine communicates the information flow of that subscriber end station, wherein each of the plurality of virtual network machines is virtually independent but shares a set of physical resources of the single network device, wherein each of the plurality of virtual network machines is one of a virtual router and a virtual bridge, and wherein each of the plurality of virtual network machines includes a different network database;

snooping each of the information flows; and

automatically changing, for at least one of the corresponding subscriber end stations, the coupling to a different one of the plurality of virtual network machines based on the snooping by changing the dynamic binding, wherein the automatically changing of the coupling gives access for the at least one corresponding subscriber end station to a different one of the different virtual networks to which the different virtual network machine belongs, and wherein each of the different virtual networks is isolated from other virtual networks associated with other ones of the different virtual network machines.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for communicating information resources between subscriber end stations and nodes belonging to different network domains is described. The device instantiates different virtual network machines for different network domains using separate independently administrable network databases. Each of the administrable chores of the separate independently administrable network databases includes the assignment of access control and the configuration of the policies for those network databases. The policies include traffic filtering policies to indicate what kind of information payloads can be carried, traffic and route filtering policies to indicate what paths through the network will be used for each payload carried. Each of the network domains includes one of the different virtual network machines and each of the different network domains is virtually isolated from other network domains.

101 Citations

View as Search Results

15 Claims

1. A computerized method comprising:
- communicating information flows through a single network device between different ones of a plurality of subscriber end stations and nodes of different virtual networks, wherein the single network device includes a plurality of virtual network machines that belong to different ones of the different virtual networks, wherein a subscriber corresponding to each of the plurality of subscriber end stations is currently coupled to one of the plurality of virtual network machines through a different dynamic binding and that virtual network machine communicates the information flow of that subscriber end station, wherein each of the plurality of virtual network machines is virtually independent but shares a set of physical resources of the single network device, wherein each of the plurality of virtual network machines is one of a virtual router and a virtual bridge, and wherein each of the plurality of virtual network machines includes a different network database;
  
  snooping each of the information flows; and
  
  automatically changing, for at least one of the corresponding subscriber end stations, the coupling to a different one of the plurality of virtual network machines based on the snooping by changing the dynamic binding, wherein the automatically changing of the coupling gives access for the at least one corresponding subscriber end station to a different one of the different virtual networks to which the different virtual network machine belongs, and wherein each of the different virtual networks is isolated from other virtual networks associated with other ones of the different virtual network machines.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computerized method of claim 1, wherein the automatically changing the coupling comprises:
    - creating a data structure indicating the coupling of the at least one corresponding subscriber end station to the different one of the plurality of virtual network machines.
  - 3. The computerized method of claim 1, wherein the automatically changing the coupling comprises:
    - deleting a data structure indicating the coupling of the at least one corresponding subscriber end station to the current one of the plurality of virtual network machines.
  - 4. The computerized method of claim 1, wherein the automatically changing the coupling comprises:
    - changing a value of a pointer, so that the coupling indicates the at least one corresponding subscriber end station is coupled to the different one of the plurality of virtual network machines.
  - 5. The computerized method of claim 1, wherein the automatically changing the coupling is further based on authorization the at least one corresponding subscriber end station has to access the different ones of the different virtual networks, wherein the authorization is based on a record associated with the at least one corresponding subscriber end station, and wherein the record indicates which of a subset of the different virtual networks the at least one corresponding subscriber end station can access, and wherein the subset of the plurality of virtual networks includes the different one of the different virtual network machines.

6. A single network device to act as an intermediate station comprising:
- a plurality of transceivers to communicate information flows between a plurality of subscriber end stations and nodes belonging to different virtual networks;
  
  a set of network databases; and
  
  a non-transitory machine-readable storage medium having stored therein a set of instructions to cause the single network device to,communicate the information flows through the single network device between different ones of the plurality of subscriber end stations and nodes of different virtual networks, wherein the single network device includes a plurality of virtual network machines that belong to different ones of the different virtual networks, wherein a subscriber corresponding to each of the plurality of subscriber end stations is currently coupled to one of the plurality of virtual network machines through a corresponding dynamic binding and that virtual network machine communicates the information flow of that subscriber end station, wherein each of the plurality of virtual network machines is virtually independent but shares a set of physical resources of the single network device, wherein each of the plurality of virtual network machines is one of a virtual router and a virtual bridge, and wherein each of the plurality of virtual network machines includes a different one of the set of network databases,snoop each of the information flows, andautomatically change, for at least one of the corresponding subscriber end stations, the coupling to a different one of the plurality of virtual network machines based on the snooping by changing the corresponding dynamic binding, wherein the automatic change of the coupling gives access for the at least one corresponding subscriber end station to one of the different virtual networks to which the different virtual network machine belongs, and wherein each of the different virtual networks is isolated from other virtual networks associated with other ones of the different virtual network machines.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The single network device of claim 6, wherein the automatic change of the coupling comprises creation of a data structure indicating the coupling of the at least one corresponding subscriber end station to the different one of the plurality of virtual network machines.
  - 8. The single network device of claim 6, wherein the automatic change of the coupling comprises deletion of a data structure indicating the coupling of the at least one corresponding subscriber end station to the current one of the plurality of virtual network machines.
  - 9. The single network device of claim 6, wherein the automatic change of the coupling comprises a change of a value of a pointer, so that the coupling indicates the at least one corresponding subscriber end station is coupled to the different one of the plurality of virtual network machines.
  - 10. The single network device of claim 6, wherein the automatic change of the coupling is further based on authorization the at least one corresponding subscriber end station has to access the one of the different virtual networks, wherein the authorization is based on a record associated with the at least one corresponding subscriber end station, and wherein the record indicates which of a subset of the different virtual networks the at least one corresponding subscriber end station can access, and wherein the subset of the different virtual networks includes the one of the plurality of virtual network machines.

11. A network comprising:
- a set of subscriber end stations;
  
  a set of virtual networks, wherein each of the set of virtual networks comprises a plurality of nodes and links, wherein each of the nodes of each of the set of virtual networks is subject to an administrative authority, wherein each of the set of virtual networks is isolated from the other virtual networks in the set of the virtual networks; and
  
  a single network device coupled between the nodes of the set of virtual networks and the set of subscriber end stations, the single network device having,a set of network databases,a plurality of virtual network machines, wherein each of the plurality of virtual network machines are virtually independent but shares a set of physical resources of that single network device, wherein each of the plurality of virtual network machines is one of a virtual router and a virtual bridge, wherein each of the plurality of virtual network machines is associated with a different one of the set of network databases, wherein a subscriber corresponding to each of the plurality of end stations is currently coupled to one of the plurality of virtual network machines through a dynamic binding, wherein each of the plurality of virtual network machines belongs to a different one of the set of virtual networks, wherein the plurality of virtual network machines communicate information flows between different ones of the plurality of subscriber end stations and nodes of different ones of the set of virtual networks according to the current couplings,wherein the single network device snoops each of the information flows, and wherein the single network device automatically changes, for at least one of the corresponding plurality of subscriber end stations, the coupling to a different one of the plurality of virtual network machines based on the snooping, wherein the automatic change of the coupling gives access for the at least one corresponding subscriber end station to a different one of the set of virtual networks to which the different plurality of virtual network machine belongs.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The network of claim 11, wherein the automatic change of the coupling comprises a creation of a data structure indicating the coupling of the at least one corresponding subscriber end station to the different one of the plurality of virtual network machines.
  - 13. The network of claim 11, wherein the automatic change of the coupling comprises a deletion of a data structure indicating the coupling of the at least one corresponding subscriber end station to the current one of the plurality of virtual network machines.
  - 14. The network of claim 11, wherein the automatic change of the coupling comprises a change of a value of a pointer, so that the coupling indicates the at least one corresponding subscriber end station is coupled to the different one of the plurality of virtual network machines.
  - 15. The network of claim 11, wherein the automatic change of the coupling is further based on authorization the at least one corresponding subscriber end station has to access the one of the set of virtual networks, wherein the authorization is based on a record associated with the at least one corresponding subscriber end station, and wherein the record indicates which of a subset of the set of virtual networks the at least one corresponding subscriber end station can access, and wherein the subset of the plurality of virtual networks includes the one of the set of virtual network machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Original Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Inventors
Salkewicz, William
Primary Examiner(s)
Patel, Chirag R

Application Number

US12/944,607
Publication Number

US 20110060820A1
Time in Patent Office

677 Days
Field of Search

709/238, 709217-219, 709223-226, 370/401
US Class Current

709/238
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/00   Arrangements for maintenanc...

Domain isolation through virtual network machines

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Domain isolation through virtual network machines

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links