Method and system for learning network information

US 8,547,874 B2
Filed: 06/30/2005
Issued: 10/01/2013
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

configuring, between a first tunnel endpoint device and a second tunnel endpoint device, a single security association for an interne protocol security (IPsec) tunnel, the first tunnel endpoint device servicing a first plurality of end devices and the second tunnel endpoint device servicing a second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring including;

receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;

sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;

receiving, from the first tunnel endpoint device, a list of the plurality of sub-network routes to the second tunnel endpoint device;

accepting the list of the plurality of sub-network routes;

sending an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and

based on the list of the plurality of sub-network routes, configuring the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;

providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and

using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for learning network information through a plurality of network devices is provided. The plurality of network devices are configured for IPsec. The method enables negotiation between the network devices to set up a security association and provide network information between the configured network devices. This network information includes a plurality of sub-network routes.

14 Citations

View as Search Results

23 Claims

1. A method comprising:
- configuring, between a first tunnel endpoint device and a second tunnel endpoint device, a single security association for an interne protocol security (IPsec) tunnel, the first tunnel endpoint device servicing a first plurality of end devices and the second tunnel endpoint device servicing a second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring including;
  
  receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;
  
  sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;
  
  receiving, from the first tunnel endpoint device, a list of the plurality of sub-network routes to the second tunnel endpoint device;
  
  accepting the list of the plurality of sub-network routes;
  
  sending an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and
  
  based on the list of the plurality of sub-network routes, configuring the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;
  
  providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and
  
  using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11, 12)
- - 2. The method of claim 1, wherein the setting up of the single security association further comprises exchanging sub-network route information between the first tunnel endpoint device and the second tunnel endpoint device.
  - 3. The method of claim 1, wherein setting up the single security association occurs after the first tunnel endpoint device and the second tunnel endpoint device have exchanged a plurality of messages.
  - 4. The method of claim 1, wherein setting up the single security association between the plurality of tunnel endpoint devices further comprises setting up an IPsec security association.
  - 5. The method of claim 1 further comprising negotiating between the plurality of tunnel endpoint devices for re-establishing the single security association, if the single security association has expired.
  - 6. The method of claim 1, wherein IPsec tunnel provides a path for transmitting packets with a plurality of destination IP addresses.
  - 7. The method of claim 6, wherein packets include a single value for an IP address destination that allows the packet to be sent to the plurality of destination IP addresses.
  - 8. The method of claim 7, wherein the IP address used is the same IP address for the plurality of sub-network routes and the network information is used to route the packet through a sub-network route in the plurality of sub-network routes.
  - 10. The method of claim 1, wherein the network traffic from the first plurality of end devices to the second plurality of end devices are configured to comply with the network traffic policies of the single security association.
  - 11. The method of claim 1, wherein requesting configuration information is performed using a MODECONFIG_REQUEST message,wherein sending configuration information to the first tunnel endpoint device is performed using a MODECONFIG_IPSEC_INT_CONFIG attribute in a MODECONFIG_REPLY message, andwherein the indication that the second tunnel endpoint device supports a virtual interface is a value in the MODECONFIG_IPSEC_INT_CONFIG attribute.
  - 12. The method of claim 1, wherein requesting configuration information is performed using an IKE_CFG_REQUEST message,wherein sending configuration information to the first tunnel endpoint device is performed using an IKE_CFG_REPLY message, andwherein sending the list of the plurality of sub-network routes to the second tunnel endpoint device is performed using an IKE_CFG_SET packet.

9. An apparatus comprising:
- a computer processing system including a computer processor coupled to a display and user input device; and
  
  a machine-readable storage medium, being a non-transitory medium, including instructions executable by the computer processor comprising;
  
  one or more instructions for configuring, by the computer processor, a single security association between a first tunnel endpoint device and a second tunnel endpoint device for an interact protocol security (IPsec) tunnel, the first tunnel endpoint device servicing the first plurality of end devices and the second tunnel endpoint device servicing the second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring including;
  
  one or more instructions for receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;
  
  one or more instructions for sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;
  
  one or more instructions for receiving, from the first tunnel endpoint device, a list of the plurality of sub-network routes to the second tunnel endpoint device;
  
  one or more instructions for accepting the list of the plurality of sub-network routes;
  
  one or more instructions for sending an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and
  
  one or more instructions for configuring, based on the list of the plurality of sub-network routes, the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;
  
  one or more instructions for providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and
  
  one or more instructions for using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.
- View Dependent Claims (21, 22, 23)
- - 21. The apparatus of claim 9, wherein IPsec tunnel provides a path for transmitting packets with any IP addresses.
  - 22. The apparatus of claim 9, wherein requesting configuration information is performed using a MODECONFIG_REQUEST message,wherein sending configuration information to the first tunnel endpoint device is performed using a MODECONFIG_IPSEC_INT_CONFIG attribute in a MODECONFIG_REPLY message, andwherein the indication that the second tunnel endpoint device supports a virtual interface is a value in the MODECONFIG IPSEC INT CONFIG attribute.
  - 23. The apparatus of claim 9, wherein requesting configuration information is performed using an IKE_CFG_REQUEST message,wherein sending configuration information to the first tunnel endpoint device is performed using an IKE_CFG_REPLY message, andwherein sending the list of the plurality of sub-network routes to the second tunnel endpoint device is performed using an IKE_CFG_SET packet.

13. A system comprising:
- a configuring module for configuring, between a first tunnel endpoint device and a second tunnel endpoint device, a single security association for an interne protocol security (IPsec) tunnel, the first tunnel endpoint device servicing the first plurality of end devices and the second tunnel endpoint device servicing the second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring module including;
  
  a receiving module for receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;
  
  a sending module for sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;
  
  receiving, from the first tunnel endpoint device using the receiving module, a list of the plurality of sub-network routes to the second tunnel endpoint device;
  
  an accepting module for accepting the list of the plurality of sub-network routes;
  
  sending, by the sending module, an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and
  
  based on the list of the plurality of sub-network routes, configuring, by the configuring module, the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;
  
  a providing module for providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and
  
  a routing module for using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the setting module comprises an IKE setting module for setting up an Internet Key Exchange (IKE) single security association between the plurality of tunnel endpoint devices of the IPsec tunnel.
  - 15. The system of claim 13, wherein the setting module comprises an IPsec setting module for setting up an IPsec single security association between the plurality of tunnel endpoint devices of the IPsec tunnel.
  - 16. The system of claim 13, wherein the plurality of tunnel endpoint devices are at least one of a network routing device, a client, a server, a proxy, a host.
  - 17. The system of claim 13, wherein an IPsec interface provides inline encapsulation of network traffic.
  - 18. The system of claim 13, wherein requesting configuration information is performed using a MODECONFIG_REQUEST message,wherein sending configuration information to the first tunnel endpoint device is performed using a MODECONFIG_IPSEC_INT_CONFIG attribute in a MODECONFIG_REPLY message, andwherein the indication that the second tunnel endpoint device supports a virtual interface is a value in the MODECONFIG_IPSEC_INT_CONFIG attribute.
  - 19. The system of claim 13, wherein requesting configuration information is performed using an IKE_CFG_REQUEST message,wherein sending configuration information to the first tunnel endpoint device is performed using an IKE_CFG_REPLY message, andwherein sending the list of the plurality of sub-network routes to the second tunnel endpoint device is performed using an IKE_CFG_SET packet.

20. A system comprising:
- means for configuring, between a first tunnel endpoint device and a second tunnel endpoint device, a single security association for an interne protocol security (IPsec) tunnel, the first tunnel endpoint device servicing the first plurality of end devices and the second tunnel endpoint device servicing the second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring including;
  
  means for receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;
  
  means for sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;
  
  means for receiving, from the first tunnel endpoint device, a list of the plurality of sub-network routes to the second tunnel endpoint device;
  
  means for accepting the list of the plurality of sub-network routes;
  
  means for sending an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and
  
  based on the list of the plurality of sub-network routes, means for configuring the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;
  
  means for providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and
  
  means for using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Nandy, Kousik, Bafna, Manikchand Roopchand, Sethi, Pratima Pramod, Patil, Shashidhar P.
Primary Examiner(s)
Ton, Dang
Assistant Examiner(s)
KAVLESKI, RYAN C

Application Number

US11/173,441
Publication Number

US 20070002768A1
Time in Patent Office

3,015 Days
Field of Search

370/255, 709/222, 709/229, 713/168, 713/153, 726/3, 726 12- 15
US Class Current

370/255
CPC Class Codes

H04L 41/16   using machine learning or a...

H04L 41/28   Restricting access to netwo...

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

Method and system for learning network information

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for learning network information

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links