System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks
Abstract
A network architecture in accordance with the present invention includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer's VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with intra-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails special configuration of network elements and protocols, including partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing and the configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge routers. By configuring the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.
21 Claims
1. A method comprising:
- establishing a virtual private network (VPN) that includes a first ingress boundary router and a first egress boundary router, the first egress boundary router being configured to communicate with a destination host, wherein the first ingress boundary router is configured to communicate with a second ingress boundary router of a public data network, and wherein the first egress boundary router is configured to communicate with a second egress boundary router of the public data network, the second egress boundary router being configured to communicate with the destination host;
- transmitting only packets originating from sources within the VPN and targeting the destination host to the first egress boundary router via the VPN to prevent denial of service attacks originating from sources outside the VPN; and
- transmitting packets originating from sources outside the VPN and targeting the destination host to the second egress boundary router via the public data network.
(Dependent claims 2 through 13.)
14. A method comprising:
- determining whether traffic received from a source is internal virtual private network (VPN) traffic or external virtual private network (VPN) traffic;
- directing the traffic to a destination over a virtual private network (VPN) if the traffic is determined to be internal VPN traffic;
- directing the traffic to the destination over a public data network if the traffic is determined to be external VPN traffic, wherein the internal VPN traffic is assigned a higher precedence than the external VPN traffic to prevent denial of service attacks;
- forwarding the internal VPN traffic over a first logical connection to a first ingress boundary router within the VPN that includes a first egress boundary router having connectivity to the destination; and
- forwarding the external VPN traffic over a second logical connection to a second ingress boundary router within the public data network that includes a second egress boundary router having connectivity to the destination.
(Dependent claims 15 through 17.)
18. An apparatus comprising:
- a processor having a forwarding function configured to determine whether traffic received from a source is internal virtual private network (VPN) traffic or external virtual private network (VPN) traffic, the forwarding function being configured to direct the traffic to a destination over a virtual private network (VPN) if the traffic is determined to be internal VPN traffic, and the forwarding function being configured to direct the traffic to the destination over a public data network if the traffic is determined to be external VPN traffic, wherein the internal VPN traffic is assigned a higher precedence than the external VPN traffic to prevent denial of service attacks, and wherein the forwarding function is further configured to forward the internal VPN traffic over a first logical connection to a first ingress boundary router within the VPN that includes a first egress boundary router having connectivity to the destination, and to forward the external VPN traffic over a second logical connection to a second ingress boundary router within the public data network that includes a second egress boundary router having connectivity to the destination.
(Dependent claims 19 through 21.)
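The following is an added illustration, not code from the patent or its assignee, of the forwarding function in claims 14 and 18 together with the two access-link mechanisms named in the abstract (access link prioritization and access link capacity allocation). A toy boundary router classifies each packet as intra-VPN or extra-VPN by source address, steers it onto its own layer 2 logical connection (modelled as a VLAN ID), and then schedules a shared access link of fixed capacity under three policies: a single shared FIFO (no isolation), strict priority for intra-VPN traffic, and a fixed capacity split. The VPN prefixes, VLAN IDs, the 80/20 split, the link capacity and the packet traces (a flood from a documentation address range plus legitimate VPN traffic) are all constructed for the example.

```python
"""Toy model of a VPN boundary router's forwarding function (added example).

Everything here is constructed for illustration: the VPN prefixes, the VLAN IDs
used as the two logical connections, the capacity split and the packet traces.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass

# Constructed: address space of the customer's VPN sites. In a real deployment
# this knowledge comes from the VPN's routing instance.
VPN_PREFIXES = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "10.2.0.0/16")]

# Constructed: layer 2 multiplexing on the physical access link, one logical
# connection per traffic class.
VLAN_INTRA_VPN = 100   # first logical connection, towards the VPN ingress boundary router
VLAN_EXTRA_VPN = 200   # second logical connection, towards the public-network boundary router

INTRA_VPN_SHARE = 0.8  # constructed split used by the capacity-allocation policy


@dataclass
class Packet:
    src: str
    dst: str


def classify(pkt: Packet) -> str:
    """Internal VPN traffic if the source lies inside a VPN prefix, else external."""
    src = ipaddress.ip_address(pkt.src)
    return "internal" if any(src in net for net in VPN_PREFIXES) else "external"


def logical_connection(pkt: Packet) -> int:
    """Steer each class onto its own logical connection (here: a VLAN ID)."""
    return VLAN_INTRA_VPN if classify(pkt) == "internal" else VLAN_EXTRA_VPN


def schedule_link(packets, capacity: int, mode: str) -> dict:
    """Deliver at most `capacity` packets in one scheduling interval.

    fifo:       one shared queue in arrival order (no isolation, for contrast)
    priority:   the intra-VPN queue is always served first (access link prioritization)
    allocation: a reserved share per class, unused reservation handed to the other
                class (access link capacity allocation)
    Returns the number of packets delivered per class.
    """
    delivered = {"internal": 0, "external": 0}
    if mode == "fifo":
        for pkt in packets[:capacity]:
            delivered[classify(pkt)] += 1
        return delivered

    queues = {"internal": deque(), "external": deque()}
    for pkt in packets:
        queues[classify(pkt)].append(pkt)

    if mode == "priority":
        order = [("internal", capacity), ("external", 0)]
    elif mode == "allocation":
        reserved = int(capacity * INTRA_VPN_SHARE)
        order = [("internal", reserved), ("external", capacity - reserved)]
    else:
        raise ValueError(f"unknown mode {mode!r}")

    spare = 0  # capacity left over by the previous class
    for cls, share in order:
        n = min(len(queues[cls]), share + spare)
        delivered[cls] = n
        spare = share + spare - n
    return delivered


def build_trace(n_internal: int, n_external: int) -> list:
    """Constructed trace: an extra-VPN flood arrives first, then VPN traffic."""
    target = "10.1.5.7"  # constructed destination host inside the VPN
    flood = [Packet(f"203.0.113.{i % 254 + 1}", target) for i in range(n_external)]
    legit = [Packet(f"10.2.{i // 254}.{i % 254 + 1}", target) for i in range(n_internal)]
    return flood + legit


def compare(n_internal: int, n_external: int, capacity: int) -> dict:
    """Run the same trace through all three access-link policies."""
    trace = build_trace(n_internal, n_external)
    return {mode: schedule_link(trace, capacity, mode)
            for mode in ("fifo", "priority", "allocation")}


if __name__ == "__main__":
    scenarios = {"flood vs normal VPN load": (100, 1000, 200),
                 "flood vs heavy VPN load": (300, 1000, 200)}
    for name, args in scenarios.items():
        print(name)
        for mode, result in compare(*args).items():
            print(f"  {mode:<10} {result}")
```

With the shared FIFO the flood fills the whole interval and no intra-VPN packet gets through; with strict priority the VPN traffic is delivered in full and the public path only gets what is left; with the 80/20 allocation both classes keep a guaranteed floor, so a heavy VPN load cannot itself starve the public path either. The second scenario makes that trade-off visible.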