VPN discovery server

US 8,296,839 B2
Filed: 06/06/2006
Issued: 10/23/2012
Est. Priority Date: 06/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method for enabling routing among a plurality of protected enclaves, wherein each of the protected enclaves includes one or more plain text (PT) networks and is supported by one or more Virtual Private Network (VPN) gateways of a plurality of VPN gateways, the method comprising:

registering a VPN gateway with one or more prefix discovery servers, wherein registering said VPN gateway comprises registering, with said one or more prefix discovery servers, network prefixes within said protected enclaves reachable by said VPN gateway;

receiving from said one or more prefix discovery servers, at said VPN gateway, registered network prefixes within said protected enclaves, including receiving mappings, generated by said one or more prefix discovery servers, between said registered network prefixes and VPN gateways enabled to reach said registered network prefixes. wherein the mappings have associated metrics for using said VPN gateways to reach said registered network prefixes;

distributing said mappings and associated metrics to said protected enclaves reachable by said VPN gateway; and

determining, using said received mappings and associated metrics, routing paths between said protected enclaves reachable by said VPN gateway and other protected enclaves of said plurality of protected enclaves.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for enabling robust routing between protected enclaves over an unsecured network are provided herein. In one aspect, the present invention provides methods and systems for enabling routing among a plurality of protected enclaves, each supported by one or more secure gateways, over an unsecured network. Methods and systems according to the present invention achieve key routing requirements while presenting solutions that can be readily scaled to large network environments. In another aspect, the present invention provides methods and systems for implementing a Prefix Discovery Server (PDS) that enables the mapping of Plain Text (PT) networks to secure gateways, maintains current network routing information, and assists VPN gateways in determining routes to remote protected enclaves.

17 Citations

View as Search Results

21 Claims

1. A method for enabling routing among a plurality of protected enclaves, wherein each of the protected enclaves includes one or more plain text (PT) networks and is supported by one or more Virtual Private Network (VPN) gateways of a plurality of VPN gateways, the method comprising:
- registering a VPN gateway with one or more prefix discovery servers, wherein registering said VPN gateway comprises registering, with said one or more prefix discovery servers, network prefixes within said protected enclaves reachable by said VPN gateway;
  
  receiving from said one or more prefix discovery servers, at said VPN gateway, registered network prefixes within said protected enclaves, including receiving mappings, generated by said one or more prefix discovery servers, between said registered network prefixes and VPN gateways enabled to reach said registered network prefixes. wherein the mappings have associated metrics for using said VPN gateways to reach said registered network prefixes;
  
  distributing said mappings and associated metrics to said protected enclaves reachable by said VPN gateway; and
  
  determining, using said received mappings and associated metrics, routing paths between said protected enclaves reachable by said VPN gateway and other protected enclaves of said plurality of protected enclaves.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - pre-configuring said VPN gateway with a set of reachable network prefixes.
  - 3. The method of claim 1, further comprising:
    - dynamically discovering reachable network prefixes at said VPN gateway.
  - 4. The method of claim 1, wherein registering said VPN gateway further comprises registering, with said one or more prefix discovery servers, one or more metrics associated with said VPN gateway.
  - 5. The method of claim 4, wherein said one more metrics include one or more of application types supported by said VPN gateway, traffic types supported by said VPN gateway, prefix administrative costs associated with said VPN gateway, and preference values associated with said VPN gateway.
  - 6. The method of claim 1, wherein said mappings and associated metrics are transmitted by said one or more prefix discovery servers to said VPN gateway.
  - 7. The method of claim 6, further comprising:
    - transmitting a query to said one or more prefix discovery servers, wherein said query includes a target network prefix; and
      
      receiving from said one or prefix discovery servers mappings associated with said target network prefix.
  - 8. The method of claim 6, wherein said mappings and associated metrics are periodically distributed to said plurality of VPN gateways.
  - 9. The method of claim 1, further comprising:
    - selecting a first remote VPN gateway for reaching a network prefix from said VPN gateway; and
      
      establishing a first security association (SA) between said VPN gateway and said first remote VPN gateway.
  - 10. The method of claim 9, wherein said selecting step comprises selecting said first remote VPN gateway according to one or more of application types supported by said first remote VPN gateway, traffic types supported by said first remote VPN gateway, prefix administrative costs associated with said first remote VPN gateway, and preference values associated with said first remote VPN gateway.
  - 11. The method of claim 9, further comprising:
    - measuring a performance level of said first SA; and
      
      comparing said measured performance level to a threshold.
  - 12. The method of claim 11, further comprising, if said measured performance level is lower than said threshold:
    - modifying said first SA;
      
      orcanceling said first SA and establishing a second SA between said VPN gateway and a second remote VPN gateway, wherein said second remote VPN gateway reaches said network prefix.

13. A system for enabling routing among a plurality of protected enclaves, wherein each of said protected enclaves includes one or more plain text (PT) networks and is supported by one or more Virtual Private Network (VPN) gateways, the system comprising:
- a VPN gateway; and
  
  one or more prefix discovery servers (PDS);
  
  wherein said VPN gateways includes a first processor configured to perform a first method, the first method comprising;
  
  registering, with said one or more PDS(s), network prefixes within said protected enclaves reachable by said VPN gateway;
  
  receiving, from said one or more PDS(s), registered network prefixes within said protected enclaves, including receiving mappings between said registered network prefixes and VPN gateways enabled to reach said registered network prefixes wherein the mappings have associated metrics for using said VPN gateways to reach said registered network prefixes; and
  
  determining, using said received mappings and associated metrics, routing paths between said protected enclaves reachable by said VPN gateway and other protected enclaves of said plurality of protected enclaves, andwherein each of said one or more PDS(s) includes a second processor configured to perform a second method, the second method comprising;
  
  generating said mappings between said registered network prefixes and said VPN gateways; and
  
  distributing said mappings and associated metrics to said VPN gateway.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13, wherein the first method further comprises:
    - selecting a first remote VPN gateway for reaching a network prefix from said VPN gateway; and
      
      establishing a first security association (SA) between said VPN gateway and said first remote VPN gateway.
  - 15. The system of claim 14, wherein said selecting comprises selecting said first remote VPN gateway according to one or more of application types supported by said first remote VPN gateway, traffic types supported by said first remote VPN gateway, prefix administrative costs associated with said first remote VPN gateway, and preference values associated with said first remote VPN gateway.
  - 16. The system of claim 14, wherein the first method further comprises:
    - measuring a performance level of said first SA; and
      
      modifying said first SA according to said measured performance level.

17. A method for enabling routing among a plurality of protected enclaves, wherein each of the protected enclaves includes one or more plain text (PT) networks and is supported by one or more Virtual Private Network (VPN) gateways of a plurality of VPN gateways, the method comprising:
- receiving a registration requests from a VPN gateways of the plurality of VPN gateways, wherein said registration requests includes network prefixes within said protected enclaves reachable by the VPN gateway;
  
  generating mappings between registered network prefixes and VPN gateways enabled to reach said registered network prefixes, wherein said mappings have associated metrics for using said VPN gateways to reach said registered network prefixes;
  
  transmitting the generated mappings to the VPN gateways;
  
  receiving a query from the VPN gateway, wherein said query includes a target network prefix; and
  
  transmitting to said VPN gateway mappings associated with said target network prefix, including addresses of VPN gateways of the plurality of VPN gateways enabled to reach said target network prefix.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17, wherein the method is performed by a Prefix Discovery Server (PDS).
  - 19. The method of claim 18, further comprising:
    - exchanging the generated mappings with other Prefix Discovery Servers.
  - 20. The method of claim 17, further comprising:
    - dynamically updating the generated mappings based on changes in network conditions and/or topology.
  - 21. The method of claim 20, further comprising:
    - periodically distributing the generated mappings to registered VPN gateways.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitre Corporation
Original Assignee
Mitre Corporation
Inventors
Sax, William C., Wollman, William, Jegers, Egil H.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US11/447,092
Publication Number

US 20080022391A1
Time in Patent Office

2,331 Days
Field of Search

726/2, 726/3, 726/11, 726/12, 726/14, 726/15, 713/150, 713/153, 713/189
US Class Current

726/15
CPC Class Codes

H04L 12/4679   Arrangements for the regist...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/22   Alternate routing

H04L 45/28   using route fault recovery

H04L 63/0272   Virtual private networks

VPN discovery server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

VPN discovery server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links