System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks

US 8,543,734 B2
Filed: 03/16/2010
Issued: 09/24/2013
Est. Priority Date: 03/20/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

establishing a virtual private network (VPN) that includes a first ingress boundary router and a first egress boundary router, the first egress boundary router being configured to communicate with a destination host, wherein the first ingress boundary router is configured to communicate with a second ingress boundary router of a public data network, and wherein the first egress boundary router is configured to communicate with a second egress boundary router of the public data network, the second egress boundary router being configured to communicate with the destination host;

transmitting only packets originating from sources within the VPN and targeting the destination host to the first egress boundary router via the VPN to prevent denial of service attacks originating from sources outside the VPN; and

transmitting packets originating from sources outside the VPN and targeting the destination host to the second egress boundary router via the public data network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network architecture in accordance with the present invention includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer'"'"'s VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer'"'"'s VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer'"'"'s access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with inter-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails special configuration of network elements and protocols, including partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing and the configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge routers. By configuring the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.

Citations

21 Claims

1. A method comprising:
- establishing a virtual private network (VPN) that includes a first ingress boundary router and a first egress boundary router, the first egress boundary router being configured to communicate with a destination host, wherein the first ingress boundary router is configured to communicate with a second ingress boundary router of a public data network, and wherein the first egress boundary router is configured to communicate with a second egress boundary router of the public data network, the second egress boundary router being configured to communicate with the destination host;
  
  transmitting only packets originating from sources within the VPN and targeting the destination host to the first egress boundary router via the VPN to prevent denial of service attacks originating from sources outside the VPN; and
  
  transmitting packets originating from sources outside the VPN and targeting the destination host to the second egress boundary router via the public data network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method according to claim 1, wherein the first egress boundary router and the second egress boundary router utilize separate logical connections over an egress access network to the destination host.
  - 3. A method according to claim 1, wherein the first ingress boundary router and the second ingress boundary router have connectivity to an ingress access network, the ingress access network transmitting packets having both source and destination addresses belonging to the VPN to the first ingress boundary router and transmitting other packets to the second ingress boundary router.
  - 4. A method according to claim 3, wherein the ingress access network has connectivity to a customer premise equipment (CPE) edge router that includes a classifier that classifies at least some packets for routing to one of the first ingress boundary router or the second ingress boundary router based on host service markings in the packets.
  - 5. A method according to claim 1, wherein the VPN is implemented within a Differentiated Services domain.
  - 6. A method according to claim 1, further comprising:
    - assigning a higher priority to traffic received from the first egress boundary router than traffic received from the second egress boundary router.
  - 7. A method according to claim 1, wherein the first egress boundary router is configured to shape traffic destined for the destination host to prevent starvation of traffic of the second egress boundary router.
  - 8. A method according to claim 1, wherein the first egress boundary router is configured to shape traffic destined for the destination host to a first rate, and the second egress boundary router is configured to shape traffic destined the destination host to a second rate, wherein the sum of the first rate and the second rate is no greater than a transmission capacity of an access link to the destination host.
  - 9. A method according to claim 1, wherein the first ingress boundary router includes:
    - first and second logical input interfaces for receiving traffic destined for the VPN and for the public data network, respectively;
      
      first and second logical output interfaces for transmitting traffic over the VPN and the public data network, respectively; and
      
      a forwarding function that switches packets received at the first logical input interface to the first logical output interface and that switches packets received at the second logical input interface to the second logical output interface.
  - 10. A method according to claim 1, wherein the first egress boundary router includes:
    - first and second logical input interfaces for receiving traffic from the VPN and from the public data network, respectively;
      
      a first logical output interface and a second logical output interface respectively coupled to separate first and second logical connections on an egress access network, wherein the first logical output interface transmits traffic received from the VPN utilizing the first logical connection and the second logical output interface transmits traffic received from the public data network utilizing the second logical connection; and
      
      a forwarding function that switches packets received at the second logical input interface to the second logical output interface.
  - 11. A method according to claim 10, wherein the first egress boundary router includes a scheduler, coupled to each of the first and second logical output interfaces, that transmits packets from the first and second logical output interfaces onto the egress access network, wherein the scheduler grants a higher priority to traffic from the first logical output interface than to traffic from the second logical output interface.
  - 12. A method according to claim 11, wherein the scheduler is configured to perform work-conserving scheduling on outgoing traffic from the first and second logical output interfaces.
  - 13. A method according to claim 10, wherein the VPN is one of a plurality of VPNs, and wherein the forwarding function has a corresponding plurality of VPN forwarding tables and a shared forwarding table for best effort traffic.

14. A method comprising:
- determining whether traffic received from a source is internal virtual private network (VPN) traffic or external virtual private network (VPN) traffic;
  
  directing the traffic to a destination over a virtual private network (VPN) if the traffic is determined to be internal VPN traffic;
  
  directing the traffic to the destination over a public data network if the traffic is determined to be external VPN traffic, wherein the internal VPN traffic is assigned a higher precedence than the external VPN traffic to prevent denial of service attacks;
  
  forwarding the internal VPN traffic over a first logical connection to a first ingress boundary router within the VPN that includes a first egress boundary router having connectivity to the destination; and
  
  forwarding the external VPN traffic over a second logical connection to a second ingress boundary router within the public data network that includes a second egress boundary router having connectivity to the destination.
- View Dependent Claims (15, 16, 17)
- - 15. A method according to claim 14, wherein the first ingress boundary router and the second ingress boundary router have connectivity to an ingress access network, the ingress access network transmitting packets having both source and destination addresses belonging to the VPN to the first ingress boundary router and transmitting other packets to the second ingress boundary router.
  - 16. A method according to claim 14, further comprising:
    - classifying the traffic for routing to one of the first ingress boundary router or the second ingress boundary router based on host service markings in the traffic.
  - 17. A method according to claim 14, wherein the VPN is implemented within a Differentiated Services domain.

18. An apparatus comprising:
- a processor having a forwarding function configured to determine whether traffic received from a source is internal virtual private network (VPN) traffic or external virtual private network (VPN) traffic, the forwarding function being configured to direct the traffic to a destination over a virtual private network (VPN) if the traffic is determined to be internal VPN traffic, and the forwarding function being configured to direct the traffic to the destination over a public data network if the traffic is determined to be external VPN traffic,wherein the internal VPN traffic is assigned a higher precedence than the external VPN traffic to prevent denial of service attacks, andwherein the forwarding function is further configured to forward the internal VPN traffic over a first logical connection to a first ingress boundary router within the VPN that includes a first egress boundary router having connectivity to the destination, and to forward the external VPN traffic over a second logical connection to a second ingress boundary router within the public data network that includes a second egress boundary router having connectivity to the destination.
- View Dependent Claims (19, 20, 21)
- - 19. An apparatus according to claim 18, wherein the first ingress boundary router and the second ingress boundary router have connectivity to an ingress access network, the ingress access network transmitting packets having both source and destination addresses belonging to the VPN to the first ingress boundary router and transmitting other packets to the second ingress boundary router.
  - 20. An apparatus according to claim 18, further comprising:
    - a classifier configured to classify the traffic for routing to one of the first ingress boundary router or the second ingress boundary router based on host service markings in the traffic.
  - 21. An apparatus according to claim 18, wherein the VPN is implemented within a Differentiated Services domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Business Global LLC (Verizon Communications Inc.)
Inventors
McDysan, David E.
Primary Examiner(s)
Duong, Oanh

Application Number

US12/725,193
Publication Number

US 20100175125A1
Time in Patent Office

1,288 Days
Field of Search

709/238, 709/240, 709/243, 709/249, 709/232, 709/235, 709/239, 709/245, 370/231, 370/235, 370/395.42, 370/237, 713/153
US Class Current

709/249
CPC Class Codes

G06Q 20/102   Bill distribution or payments

G06Q 30/04   Billing or invoicing

G06Q 40/00   Finance; Insurance; Tax str...

H04L 12/14   Charging , metering or bill...

H04L 12/1403   Architecture for metering, ...

H04L 12/1446   inter-operator billing

H04L 41/00   Arrangements for maintenanc...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/0817   by checking functioning

H04L 43/16   Threshold monitoring

H04L 47/10   Flow control; Congestion co...

H04L 47/125   by balancing the load, e.g....

H04L 47/19   at layers above the network...

H04L 47/2408   for supporting different se...

H04L 47/2433   Allocation of priorities to...

H04L 47/2441   relying on flow classificat...

H04L 61/00   Network arrangements, proto...

H04L 61/4523   using lightweight directory...

H04L 61/4535   using an address exchange p...

H04L 61/4557 : Directories for hybrid netw...

H04L 63/0272 : Virtual private networks

H04L 63/102 : Entity profiles

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1458 : Denial of Service

H04L 65/103 : in the network

H04L 65/104 : in the network

H04L 65/1043 : Gateway controllers, e.g. m...

H04L 65/1069 : Session establishment or de...

H04L 65/1094 : Inter-user-equipment sessio...

H04L 65/1096 : Supplementary features, e.g...

H04L 65/1101 : Session protocols

H04L 65/1104 : Session initiation protocol...

H04L 65/401 : wherein the services involv...

H04L 65/612 : for unicast

H04L 65/762 : at the source reformatting...

H04L 67/06 : specially adapted for file ...

H04L 67/14 : Session management for real...

H04L 67/303 : Terminal profiles

H04L 67/306 : User profiles

H04L 67/34 : involving the movement of s...

H04L 67/51 : Discovery or management the...

H04L 67/52 : specially adapted for the l...

H04L 67/563 : Data redirection of data ne...

H04L 67/61 : taking into account QoS or ...

H04L 69/08 : Protocols for interworking;...

H04L 69/329 : in the application layer [O...

H04L 9/40 : Network security protocols

H04M 15/00 : Arrangements for metering, ...

H04M 15/06 : Recording class or number o...

H04M 15/41 : Billing record details, i.e...

H04M 15/43 : Billing software details

H04M 15/44 : Augmented, consolidated or ...

H04M 15/47 : Fraud detection or preventi...

H04M 15/49 : Connection to several servi...

H04M 15/51 : for resellers, retailers or...

H04M 15/52 : for operator independent bi...

H04M 15/53 : using mediation

H04M 15/55 : for hybrid networks

H04M 15/56 : for VoIP communications

H04M 15/58 : based on statistics of usag...

H04M 15/63 : based on the content carrie...

H04M 15/745 : Customizing according to wi...

H04M 15/80 : Rating or billing plans; Ta...

H04M 15/8207 : Time based data metric aspe...

H04M 15/8214 : Data or packet based

H04M 15/8292 : Charging for signaling or u...

H04M 2207/203 : composed of PSTN and data n...

H04M 2215/0104 : Augmented, consolidated or ...

H04M 2215/0108 : Customization according to ...

H04M 2215/0148 : Fraud detection or preventi...

H04M 2215/0152 : General billing plans, rate...

H04M 2215/0164 : Billing record, e.g. Call D...

H04M 2215/0168 : On line or real-time flexib...

H04M 2215/0172 : Mediation, i.e. device or p...

H04M 2215/0176 : Billing arrangements using ...

H04M 2215/0188 : Network monitoring; statist...

H04M 2215/2013 : Fixed data network, e.g. PD...

H04M 2215/202 : VoIP; Packet switched telep...

H04M 2215/2046 : Hybrid network

H04M 2215/22 : Bandwidth or usage-sensitve...

H04M 2215/44 : Charging/billing arrangemen...

H04M 2215/46 : Connection to several servi...

H04M 2215/54 : Resellers-retail or service...

H04M 2215/7813 : Time based data, e.g. VoIP ...

H04M 2215/782 : Data or packet based

H04M 3/2218 : Call detail recording

H04M 3/42229 : Personal communication serv...

H04M 3/46 : Arrangements for calling a ...

H04M 3/465 : Arrangements for simultaneo...

H04M 7/006 : Networks other than PSTN/IS...

H04M 7/0075 : Details of addressing, dire...

H04M 7/0078 : Security; Fraud detection; ...

H04M 7/1205 : where the types of switchin...

H04M 7/128 : Details of addressing, dire...

H04Q 3/0029 : Provisions for intelligent ...

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

H04W 4/20 : Services signaling; Auxilia...

View All

System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links