Method and system for learning network information
First Claim
1. A method comprising:
configuring, between a first tunnel endpoint device and a second tunnel endpoint device, a single security association for an internet protocol security (IPsec) tunnel, the first tunnel endpoint device servicing a first plurality of end devices and the second tunnel endpoint device servicing a second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring including:
receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;
sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;
receiving, from the first tunnel endpoint device, a list of the plurality of sub-network routes to the second tunnel endpoint device;
accepting the list of the plurality of sub-network routes;
sending an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and
based on the list of the plurality of sub-network routes, configuring the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;
providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and
using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.
Abstract
A method and system for learning network information through a plurality of network devices is provided. The plurality of network devices are configured for IPsec. The method enables negotiation between the network devices to set up a security association and provide network information between the configured network devices. This network information includes a plurality of sub-network routes.
14 Citations
23 Claims
9. An apparatus comprising:
a computer processing system including a computer processor coupled to a display and user input device; and
a machine-readable storage medium, being a non-transitory medium, including instructions executable by the computer processor comprising:
one or more instructions for configuring, by the computer processor, a single security association between a first tunnel endpoint device and a second tunnel endpoint device for an internet protocol security (IPsec) tunnel, the first tunnel endpoint device servicing the first plurality of end devices and the second tunnel endpoint device servicing the second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring including:
one or more instructions for receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;
one or more instructions for sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;
one or more instructions for receiving, from the first tunnel endpoint device, a list of the plurality of sub-network routes to the second tunnel endpoint device;
one or more instructions for accepting the list of the plurality of sub-network routes;
one or more instructions for sending an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and
one or more instructions for configuring, based on the list of the plurality of sub-network routes, the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;
one or more instructions for providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and
one or more instructions for using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.
Dependent claims: 21, 22, 23
13. A system comprising:
a configuring module for configuring, between a first tunnel endpoint device and a second tunnel endpoint device, a single security association for an internet protocol security (IPsec) tunnel, the first tunnel endpoint device servicing the first plurality of end devices and the second tunnel endpoint device servicing the second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring module including:
a receiving module for receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;
a sending module for sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;
receiving, from the first tunnel endpoint device using the receiving module, a list of the plurality of sub-network routes to the second tunnel endpoint device;
an accepting module for accepting the list of the plurality of sub-network routes;
sending, by the sending module, an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and
based on the list of the plurality of sub-network routes, configuring, by the configuring module, the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;
a providing module for providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and
a routing module for using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.
Dependent claims: 14, 15, 16, 17, 18, 19
20. A system comprising:
means for configuring, between a first tunnel endpoint device and a second tunnel endpoint device, a single security association for an internet protocol security (IPsec) tunnel, the first tunnel endpoint device servicing the first plurality of end devices and the second tunnel endpoint device servicing the second plurality of end devices, the second plurality being different from the first plurality of end devices, the single security association defining network traffic policies on network communications between the first and second endpoint devices, the configuring including:
means for receiving a request, from the first tunnel endpoint device, for configuration information from the second tunnel endpoint device;
means for sending configuration information to the first tunnel endpoint device, the configuration information including an indication that the second tunnel endpoint device supports a virtual interface;
means for receiving, from the first tunnel endpoint device, a list of the plurality of sub-network routes to the second tunnel endpoint device;
means for accepting the list of the plurality of sub-network routes;
means for sending an acknowledgement to the first tunnel endpoint device, the acknowledgement including a list of the accepted plurality of sub-network routes; and
based on the list of the plurality of sub-network routes, means for configuring the single security association for the IPsec tunnel, wherein the single security association includes a default route for routing network traffic through the IPsec tunnel;
means for providing network information about the plurality of sub-network routes to the first and second plurality of end devices; and
means for using the network information about the plurality of sub-network routes to route network traffic to the first plurality of end devices from the second plurality of end devices through the IPsec tunnel facilitated through the plurality of sub-network routes by the single security association.
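As an added illustration, not code from the patent, the claimed exchange modelled in Python from the second (responding) endpoint's side: the configuration reply carrying the virtual-interface indication, receipt of the sub-network route list, acceptance, an acknowledgement listing the accepted routes, and a single security association holding those routes plus a default route through the tunnel. The data structures, the constructed endpoints A and B, and the policy of rejecting malformed routes and routes that overlap the responder's own subnets are assumptions, not taken from the claims.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class TunnelEndpoint:
    name: str
    local_subnets: list                      # sub-networks of the end devices it services
    advertised_routes: list = field(default_factory=list)  # route list it offers a peer
    supports_virtual_interface: bool = True  # indication sent in the configuration information
    sa: dict = field(default_factory=dict)   # the single security association, once configured

    def accept_routes(self, advertised):
        """Accept advertised sub-network routes, dropping malformed entries and any route
        that would shadow a sub-network this endpoint itself services (assumed policy)."""
        accepted = []
        for text in advertised:
            try:
                net = ipaddress.ip_network(text, strict=True)
            except ValueError:
                continue                     # not a valid prefix: ignore, never install
            if any(net.overlaps(local) for local in self.local_subnets):
                continue                     # would capture locally serviced traffic
            accepted.append(net)
        return accepted

def negotiate(initiator, responder):
    # Configuration request/reply: the reply must indicate virtual-interface support.
    if not responder.supports_virtual_interface:
        raise RuntimeError("peer has no virtual interface; route learning unsupported")
    accepted = responder.accept_routes(initiator.advertised_routes)   # route list received
    ack = {"accepted": [str(n) for n in accepted]}                     # acknowledgement sent
    # One SA holds the accepted routes plus a default route through the tunnel.
    responder.sa = {"peer": initiator.name, "routes": accepted, "default_via_tunnel": True}
    return ack

def route(endpoint, dst):
    """Routing decision for a packet from an end device serviced by `endpoint`."""
    addr = ipaddress.ip_address(dst)
    for net in endpoint.local_subnets:
        if addr in net:
            return ("local", str(net))
    for net in endpoint.sa.get("routes", []):
        if addr in net:
            return ("tunnel", str(net))
    return ("tunnel", "default") if endpoint.sa.get("default_via_tunnel") else ("drop", None)

# Constructed endpoints: A offers two good routes, one overlapping B's subnet, one malformed.
A = TunnelEndpoint("A", [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")],
                   ["10.1.0.0/24", "10.2.0.0/24", "192.168.0.0/24", "10.3.0.1/24"])
B = TunnelEndpoint("B", [ipaddress.ip_network("192.168.0.0/24")])
```

Until the acknowledgement is sent and the security association configured, B has no tunnel route at all and drops non-local traffic; afterwards learned prefixes match first and everything else follows the default route through the tunnel.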
Specification