Federation among services for supporting virtual-network overlays

US 8,688,994 B2
Filed: 06/25/2010
Issued: 04/01/2014
Est. Priority Date: 06/25/2010
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable media devices having computer-executable instructions embodied thereon that, when executed, perform a method for allowing a first overlay governed by a first authority domain to negotiate with a second overlay governed by second authority domain in order to avoid addressing ambiguity, the method comprising:

providing the first overlay that includes members assigned virtual IP addresses from a first address range, wherein a first federation mechanism is associated with the first authority domain and is provisioned to negotiate on behalf of the first overlay;

providing the second overlay that includes members assigned virtual IP addresses from a second address range, wherein a second federation mechanism is associated with the second authority domain and is provisioned to negotiate on behalf of the second overlay; and

invoking a negotiation between the first federation mechanism and the second federation mechanism, wherein the negotiation includes an address-resolution process comprising;

(a) determining a version of internet protocol (IP) to employ when routing communications between the first overlay and the second overlay;

(b) when it is determined to employ IP version 6 (IPv6) addressing, establishing a communication link that is absent a translation mechanism;

(c) when it is determined to employ IP version 4 (IPv4) addressing, determining whether a portion of the first address range and a portion of the second address range overlap;

(d) when it is determined that no overlap exists between the first address range and the second address range, establishing the communication link that is absent the translation mechanism;

(e) when it is determined that the first address range and the second address range overlap, establishing a network address translation (NAT) link that attempts to resolve IPv4 address conflicts between the first overlay and the second overlay; and

wherein establishing the network address translation link comprises;

establishing a communication link between the first overlay and the second overlay;

injecting a translation device into the communication link that functions as an interface for converting overlapping IP addresses; and

sending a request from the first federation mechanism to the second federation mechanism, wherein the request conveys a proposed policy; and

receiving a response from the second federation mechanism, wherein the received response includes addendums to the proposed policy; and

delegating authority over the communication link from the second federation mechanism to the first federation mechanism.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.

26 Citations

View as Search Results

13 Claims

1. One or more computer-readable media devices having computer-executable instructions embodied thereon that, when executed, perform a method for allowing a first overlay governed by a first authority domain to negotiate with a second overlay governed by second authority domain in order to avoid addressing ambiguity, the method comprising:
- providing the first overlay that includes members assigned virtual IP addresses from a first address range, wherein a first federation mechanism is associated with the first authority domain and is provisioned to negotiate on behalf of the first overlay;
  
  providing the second overlay that includes members assigned virtual IP addresses from a second address range, wherein a second federation mechanism is associated with the second authority domain and is provisioned to negotiate on behalf of the second overlay; and
  
  invoking a negotiation between the first federation mechanism and the second federation mechanism, wherein the negotiation includes an address-resolution process comprising;
  
  (a) determining a version of internet protocol (IP) to employ when routing communications between the first overlay and the second overlay;
  
  (b) when it is determined to employ IP version 6 (IPv6) addressing, establishing a communication link that is absent a translation mechanism;
  
  (c) when it is determined to employ IP version 4 (IPv4) addressing, determining whether a portion of the first address range and a portion of the second address range overlap;
  
  (d) when it is determined that no overlap exists between the first address range and the second address range, establishing the communication link that is absent the translation mechanism;
  
  (e) when it is determined that the first address range and the second address range overlap, establishing a network address translation (NAT) link that attempts to resolve IPv4 address conflicts between the first overlay and the second overlay; and
  
  wherein establishing the network address translation link comprises;
  
  establishing a communication link between the first overlay and the second overlay;
  
  injecting a translation device into the communication link that functions as an interface for converting overlapping IP addresses; and
  
  sending a request from the first federation mechanism to the second federation mechanism, wherein the request conveys a proposed policy; and
  
  receiving a response from the second federation mechanism, wherein the received response includes addendums to the proposed policy; and
  
  delegating authority over the communication link from the second federation mechanism to the first federation mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The one or more computer-readable media devices of claim 1, wherein the first overlay represents a virtual network overlay within a cloud computing network that has a plurality of members joined thereto, and wherein the plurality of members include endpoints of a service application that interact via peer-to-peer semantics.
  - 3. The one or more computer-readable media devices of claim 1, wherein the second overlay represents a virtual network overlay within a private enterprise network that has a plurality of members joined thereto, and wherein the plurality of members include endpoints of a service application that interact via peer-to-peer semantics.
  - 4. The one or more computer-readable media devices of claim 1, wherein the communication link enables direct communication via peer-to-peer semantics between members of the first overlay and members of the second overlay without relying on a translation mechanism.
  - 5. The one or more computer-readable media devices of claim 1, wherein data packets sent from an origination endpoint of the first overlay are structured with headers that carry a source IP address in virtual space that point to a target endpoint, and wherein the data packets reach the target endpoint of the second overlay without translation applied.
  - 6. The one or more computer-readable media devices of claim 5, wherein data packets returned from the target endpoint of the second overlay are structured with headers that carry a destination IP address in virtual space that point to the original endpoint, and wherein the data packets reach the origination endpoint of the first overlay without translation applied.
  - 7. The one or more computer-readable media devices of claim 1, wherein delegating authority over the communication link comprises:
    - sending a solicitation to gain delegation of authority to the second federation mechanism; and
      
      receiving a confirmation from the second federation mechanism agreeing to delegate authority of the communication link to the first federation mechanism.

8. One or more computer-readable media devices having computer-executable instructions embodied thereon that, when executed, perform a method for allowing a first overlay governed by a first authority domain to negotiate with a second overlay governed by second authority domain in order to avoid addressing ambiguity, the method comprising:
- providing the first overlay that includes members assigned virtual IP addresses from a first address range, wherein a first federation mechanism is associated with the first authority domain and is provisioned to negotiate on behalf of the first overlay;
  
  providing the second overlay that includes members assigned virtual IP addresses from a second address range, wherein a second federation mechanism is associated with the second authority domain and is provisioned to negotiate on behalf of the second overlay; and
  
  invoking a negotiation between the first federation mechanism and the second federation mechanism, wherein the negotiation includes an address-resolution process comprising;
  
  (a) determining a version of internet protocol (IP) to employ when routing communications between the first overlay and the second overlay;
  
  (b) when it is determined to employ IP version 6 (IPv6) addressing, establishing a communication link that is absent a translation mechanism;
  
  (c) when it is determined to employ IP version 4 (IPv4) addressing, determining whether a portion of the first address range and a portion of the second address range overlap;
  
  (d) when it is determined that no overlap exists between the first address range and the second address range, establishing the communication link that is absent the translation mechanism; and
  
  (e) when it is determined that the first address range and the second address range overlap, establishing a network address translation (NAT) link that attempts to resolve IPv4 address conflicts between the first overlay and the second overlay; and
  
  wherein establishing the network address translation link comprises;
  
  establishing a communication link between the first overlay and the second overlay;
  
  injecting a translation device into the communication link that functions as an interface for converting overlapping IP addresses; and
  
  negotiating to gain authority over the communication link, wherein negotiating comprises;
  
  sending a request from the first federation mechanism to the second federation mechanism, wherein the request conveys a proposed policy; and
  
  receiving a response from the second federation mechanism, wherein the received response includes addendums to the proposed policy or the received response includes acceptance to the proposed policy,wherein when the received response includes addendums to the proposed policy;
  
  replying to the response with an acceptance of the addendums; and
  
  receiving an indication that the second federation mechanism confers delegating authority of the communication link to the first federation mechanism andwherein when the received response includes acceptance to the proposed policy;
  
  receiving a delegation of authority from the second federation mechanism to the first federation mechanism; and
  
  transferring authority from the first federation mechanism to an administrator of the first overlay to provision and to enforce the proposed policy upon the communication link.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The one or more computer-readable media devices of claim 8, wherein the first overlay represents a virtual network overlay within a cloud computing network that has a plurality of members joined thereto, and wherein the plurality of members include endpoints of a service application that interact via peer-to-peer semantics.
  - 10. The one or more computer-readable media devices of claim 8, wherein the second overlay represents a virtual network overlay within a private enterprise network that has a plurality of members joined thereto, and wherein the plurality of members include endpoints of a service application that interact via peer-to-peer semantics.
  - 11. The one or more computer-readable media devices of claim 8, wherein the communication link enables direct communication via peer-to-peer semantics between members of the first overlay and members of the second overlay without relying on a translation mechanism.
  - 12. The one or more computer-readable media devices of claim 8, wherein data packets sent from an origination endpoint of the first overlay are structured with headers that carry a source IP address in virtual space that point to a target endpoint, and wherein the data packets reach the target endpoint of the second overlay without translation applied.
  - 13. The one or more computer-readable media devices of claim 12, wherein data packets returned from the target endpoint of the second overlay are structured with headers that carry a destination IP address in virtual space that point to the original endpoint, and wherein the data packets reach the origination endpoint of the first overlay without translation applied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Alkhatib, Hasan, Outhred, Geoffrey, Bansal, Deepak, Panasyuk, Anatoliy, Rangegowda, Dharshan, Chavez, Anthony
Primary Examiner(s)
SHAW, BRIAN F

Application Number

US12/823,891
Publication Number

US 20110320821A1
Time in Patent Office

1,376 Days
Field of Search

713/176, 713/161, 709/249, 709/223, 370/466, 370/390, 370/254
US Class Current

713/176
CPC Class Codes

G06F 21/31   User authentication

H04L 2209/60   Digital content management,...

H04L 61/2535   Multiple local networks, e....

H04L 61/2546   Arrangements for avoiding u...

H04L 61/5046   Resolving address allocatio...

H04L 63/0815   providing single-sign-on or...

H04L 63/104   Grouping of entities

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Federation among services for supporting virtual-network overlays

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Federation among services for supporting virtual-network overlays

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links