IP encryption over resilient BGP/MPLS IP VPN
First Claim
1. A method for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising:
- a customer edge (CE) router function, located within the enterprise network, for:
  providing the data packet, wherein the data packet includes a header and payload;
- a Policy Enforcement Point (PEP) function for:
  applying an IPSec protocol to the data packet, including encrypting the header and payload of the data packet received from the CE router function and forming an encrypted header and encrypted payload of the data packet;
  applying a security association policy to the data packet;
  maintaining the header of the data packet in non-encrypted form; and
  forming an encrypted data packet including:
  i) the header of the data packet maintained in non-encrypted form, and ii) the encrypted header and encrypted payload of the data packet;
- a provider edge router function, located within the service provider network, for:
  applying an MPLS protocol to the encrypted data packet; and
  forwarding the encrypted data packet according to the enterprise network Virtual Private Network (VPN) routing and forwarding (VRF).
Abstract
Encryption of Internet Protocol (IP) traffic using IP Security (IPSec) at the edge of the enterprise network, in such a way as to support resilient BGP/MPLS IP VPN network designs. The IP traffic is securely tunneled within IPSec tunnels from the edge to the edge of the enterprise network. The IPSec traffic is also tunneled within MPLS tunnels from the edge to the edge of the service provider network. The enterprise network thus manages its own IPSec site-to-site VPN. The service provider thus independently manages its own MPLS network. The result provides an IP VPN or Layer 3 MPLS VPN to the enterprise; the enterprise IPSec network can thus be considered as an overlay to the MPLS service provider network.
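The overlay the abstract describes, modelled in Python as an added illustration (this is not code from the patent): the enterprise PEP encrypts the inner header and payload and prepends a cleartext outer header, and the provider PE forwards by a longest-prefix lookup of that outer destination in the customer's VRF, pushing an MPLS label without ever touching the IPsec key. A toy HMAC-SHA256 keystream with an integrity tag stands in for the ESP cipher, and the VRF tables and addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import os

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream (HMAC-SHA256) XORed into data; the same call decrypts.
    Stand-in for the ESP cipher so the example runs offline; not real IPsec."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def pep_encrypt(key, outer_src, outer_dst, inner_hdr, payload, iv=None):
    """PEP step from claim 1: encrypt inner header + payload, keep a cleartext
    outer header so the provider can route without the enterprise key."""
    iv = iv or os.urandom(8)
    plain = len(inner_hdr).to_bytes(2, "big") + inner_hdr + payload
    esp = keystream_xor(key, iv, plain)
    icv = hmac.new(key, b"icv" + iv + esp, hashlib.sha256).digest()[:16]
    return {"outer_hdr": f"IP {outer_src}->{outer_dst} proto=ESP".encode(),
            "iv": iv, "esp": esp, "icv": icv}

def pep_decrypt(key, pkt):
    """Far-end PEP: verify the integrity tag first, then recover inner header and payload."""
    icv = hmac.new(key, b"icv" + pkt["iv"] + pkt["esp"], hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, pkt["icv"]):
        raise ValueError("ESP integrity check failed")
    plain = keystream_xor(key, pkt["iv"], pkt["esp"])
    n = int.from_bytes(plain[:2], "big")
    return plain[2:2 + n], plain[2 + n:]

# Constructed VRF tables: per-customer prefixes for the remote site -> MPLS label.
VRF = {
    "cust-A": {ipaddress.ip_network("203.0.113.0/24"): 1001,
               ipaddress.ip_network("203.0.113.64/26"): 1002},
    "cust-B": {ipaddress.ip_network("203.0.113.0/24"): 2001},
}

def pe_forward(vrf_name, pkt):
    """PE step: longest-prefix lookup of the cleartext outer destination in the
    customer's VRF, then push the MPLS label. The ESP body is never inspected."""
    dst = ipaddress.ip_address(pkt["outer_hdr"].decode().split()[1].split("->")[1])
    table = VRF[vrf_name]
    matches = [n for n in table if dst in n]
    if not matches:
        raise LookupError(f"no route for {dst} in VRF {vrf_name}")
    best = max(matches, key=lambda n: n.prefixlen)
    return {"mpls_label": table[best], **pkt}
```

The same outer destination maps to different labels in cust-A and cust-B, which is what keeps overlapping customer address space separate on the provider side.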
20 Claims
14. The apparatus of claim 13 wherein the two PEs are controlled by different service providers.

17. An apparatus for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising:
- a customer edge (CE) router, implemented at least partially in hardware, within the enterprise network for providing the data packet, wherein the data packet includes a header and payload;
- a Policy Enforcement Point (PEP) function arranged to:
  apply an IPSec protocol to the data packet, including to encrypt the header and payload of the data packet received from the CE router and form an encrypted header and encrypted payload of the data packet;
  apply a security association policy to the data packet;
  maintain the header of the data packet in non-encrypted form; and
  form an encrypted data packet including:
  i) the header of the data packet maintained in non-encrypted form and ii) the encrypted header and encrypted payload of the data packet; and
- within the service provider network, a provider edge (PE) router arranged to:
  apply an MPLS protocol to the encrypted data packet;
  forward the encrypted data packet according to enterprise network Virtual Private Network (VPN) routing and forwarding (VRF) tables.