Multi-domain dynamic group virtual private networks
Abstract
Systems and/or methods of secure communication of information between multi-domain virtual private networks (VPNs) are presented. A dynamic group VPN (DGVPN) can reside in one domain and a disparate DGVPN can reside in a disparate domain. An administrative security authority (ASA) can be employed in each domain. Each ASA can generate and exchange respective keying material and crypto-policy information to be used for inter-domain communications when routing data from a member in one DGVPN to a member(s) in the disparate DGVPN, such that an ASA in one domain can facilitate encryption of data in accordance with the policy of the other domain before the data is sent to the other domain. Each ASA can establish a key server to generate the keying material and crypto-policy information associated with its local DGVPN, and such material and information can be propagated to intra-domain members.
43 Citations
18 Claims
1. A system that facilitates secure communication of data between disparate autonomous systems (AS), the system comprising:
- a server including a processing unit coupled to a system memory, the server also including:
  - a security component associated with a dynamic group virtual private network conforming to a first security policy in a first domain, the first domain defined by a first range of IP addresses, wherein the security component requests, from a disparate server, keying material and crypto-policy information associated with a disparate dynamic group virtual private network, the disparate dynamic group virtual private network conforming to a second security policy in a disparate domain, the disparate domain defined by a second range of IP addresses, the first security policy being different than the second security policy; receives, from the disparate server in the disparate dynamic group virtual private network, the keying material and the crypto-policy information associated with the disparate dynamic group virtual private network and conforming to the second security policy; and encrypts data using the keying material and the crypto-policy information and sends the encrypted data from a first client in the dynamic group virtual private network to a second client within the disparate dynamic group virtual private network in accordance with the second security policy; and
  - a routing component that transmits the encrypted data from the dynamic group virtual private network in the first domain to the disparate server in the disparate dynamic group virtual private network in the disparate domain, wherein the disparate server forwards data decrypted from the encrypted data to the second client in the disparate domain, the routing component being associated with the security component and a plurality of prefixes, each prefix of the plurality of prefixes being part of the routing protocol between the first domain and the disparate domain.

Dependent claims 2 to 9 are not reproduced here.
10. A method that facilitates communication of data between disparate autonomous systems (AS), the method comprising:
- sending a request for keying material and crypto-policy information conforming to a second security policy from a first server in a first dynamic group virtual private network to a second server in a second dynamic group virtual private network, wherein the first dynamic group virtual private network is within a first range of IP addresses and conforms to a first security policy, and the second dynamic group virtual private network is within a second range of IP addresses and conforms to the second security policy, the first security policy being different than the second security policy;
- receiving from the second server in the second dynamic group virtual private network, at the first server within the first dynamic group virtual private network, the keying material and crypto-policy information conforming to the second security policy from the second dynamic group virtual private network, the keying material and the crypto-policy information being associated with the second dynamic group virtual private network, the crypto-policy information being associated with a plurality of prefixes, each prefix of the plurality of prefixes being part of a routing protocol between the first dynamic group virtual private network and the second dynamic group virtual private network;
- encrypting data packets, received from a first client, in accordance with the crypto-policy information and using the keying material, the data packets being encrypted on the first server in the first dynamic group virtual private network; and
- transmitting the encrypted data packets from the first server in the first dynamic group virtual private network to the second server in the second dynamic group virtual private network, wherein the second server forwards data decrypted from the encrypted data to a second client in the second dynamic group virtual private network.

Dependent claims 11 to 16 are not reproduced here.
17. A non-transitory computer-readable storage medium containing instructions, which when executed by a processor cause the processor to:
- send a request for keying material and crypto-policy information conforming to a second security policy from a first server in a first dynamic group virtual private network to a second server in a second dynamic group virtual private network, wherein the first dynamic group virtual private network is within a first service provider network and conforms to a first security policy, and the second dynamic group virtual private network is within a second service provider network and conforms to the second security policy, the first security policy being different than the second security policy;
- receive from the second server in the second dynamic group virtual private network, on the first server within the first dynamic group virtual private network, the keying material and crypto-policy information conforming to the second security policy from the second dynamic group virtual private network, the keying material and the crypto-policy information allowing secure access to the second dynamic group virtual private network, the crypto-policy information being associated with a plurality of prefixes, each prefix of the plurality of prefixes being part of a routing protocol between the first dynamic group virtual private network and the second dynamic group virtual private network;
- encrypt data packets, received from a first client, in accordance with the crypto-policy information on the first server within the first dynamic group virtual private network and using the keying material; and
- transmit the encrypted data packets from the first server in the first dynamic group virtual private network to the second server in the second dynamic group virtual private network, wherein the second server forwards data decrypted from the encrypted data to a second client in the second dynamic group virtual private network.
18. A method that facilitates secure communication between disparate service provider networks, the method comprising:
- receiving, by a first server within a first dynamic group virtual private network operating within a first service provider network, a request for keying material and crypto-policy information conforming to a first security policy from a second server located within a second dynamic group virtual private network operating within a second service provider network, for secure communication between a first client within the first dynamic group virtual private network, the first dynamic group virtual private network associated with a first range of IP addresses and conforming to the first security policy, and a second client within the second dynamic group virtual private network, the second dynamic group virtual private network associated with a second range of IP addresses and conforming to a second security policy, the request originating from within the second dynamic group virtual private network, the first security policy being different than the second security policy;
- sending to the second server, based on the received request, key material and crypto-policy information conforming to the first security policy over a secure communication channel;
- receiving, on the first server, encrypted data packets addressed to the first client within the first dynamic group virtual private network from the second client, the data packets secured according to the crypto-policy information and using the key material shared with the second dynamic group virtual private network by the first dynamic group virtual private network;
- decrypting, on the first server, the encrypted data packets using the key material and the crypto-policy information, the crypto-policy information being associated with a plurality of prefixes, each prefix of the plurality of prefixes being part of the routing protocol between the first dynamic group virtual private network and the second dynamic group virtual private network; and
- delivering, from the first server, the decrypted data packets to the first client.
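The exchange that the abstract and claims 1, 10, 17 and 18 describe, written out as an added example in Python; this is not code from the patent or from any product that implements it. Each domain's administrative security authority (ASA) establishes a key server holding keying material and a crypto-policy for its local DGVPN, learns the disparate domain's prefixes (the routing protocol), requests that domain's keying material and policy, and encrypts a local client's packet under the destination domain's policy before the remote ASA decrypts it with its own material and delivers it to the client. The domain names, the 10.1.0.0/16 and 10.2.0.0/16 prefixes, the HMAC-SHA256 encrypt-then-MAC construction standing in for whatever cipher a real crypto-policy would name, and the assumption that the key request and response already travel over an authenticated ASA-to-ASA channel are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass


@dataclass
class CryptoPolicy:
    """Crypto-policy information a domain's key server publishes (constructed values)."""
    domain: str
    cipher: str = "hmac-sha256-ctr"  # keystream = HMAC-SHA256(enc_key, nonce || block counter)
    mac: str = "hmac-sha256"         # encrypt-then-MAC over header || nonce || ciphertext
    key_bits: int = 256
    nonce_bytes: int = 12
    tag_bytes: int = 16


def _subkey(km, label):
    """Derive separate encryption and MAC keys from one piece of keying material."""
    return hmac.new(km, label, hashlib.sha256).digest()


def _xor_stream(enc_key, nonce, data):
    """CTR-style keystream XOR; the same call both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(d ^ k for d, k in zip(data[off:off + 32], block))
    return bytes(out)


def seal(km, policy, header, plaintext):
    """Encrypt-then-MAC one packet under the given keying material and crypto-policy."""
    nonce = os.urandom(policy.nonce_bytes)
    ct = _xor_stream(_subkey(km, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(km, b"mac"), header + nonce + ct, hashlib.sha256).digest()[:policy.tag_bytes]
    return nonce, ct, tag


def unseal(km, policy, header, nonce, ct, tag):
    """Verify the tag before decrypting; anything that fails authentication is dropped."""
    expected = hmac.new(_subkey(km, b"mac"), header + nonce + ct, hashlib.sha256).digest()[:policy.tag_bytes]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("packet failed authentication")
    return _xor_stream(_subkey(km, b"enc"), nonce, ct)


class DomainServer:
    """Administrative security authority (ASA) for one domain: its prefixes, its key
    server's material and policy, a prefix routing table, and what it learned from peers."""
    def __init__(self, domain, prefixes):
        self.domain = domain
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        # The ASA establishes its key server: keying material and policy for the local DGVPN.
        self.policy = CryptoPolicy(domain)
        self.keying_material = os.urandom(self.policy.key_bits // 8)
        self.routes = {}  # routing component: remote prefix -> remote DomainServer
        self.remote = {}  # remote domain -> (keying material, policy) received from its ASA

    def owns(self, ip):
        return any(ipaddress.ip_address(ip) in p for p in self.prefixes)

    def handle_key_request(self, requester):
        """Answer a disparate ASA's request for this domain's keying material and policy.
        Assumption: request and response travel over an authenticated ASA-to-ASA channel."""
        return self.keying_material, self.policy

    def peer(self, other):
        """Learn the other domain's prefixes (the routing protocol) and fetch its key/policy."""
        for prefix in other.prefixes:
            self.routes[prefix] = other
        self.remote[other.domain] = other.handle_key_request(self.domain)

    def send(self, src_ip, dst_ip, plaintext):
        """Encrypt a local client's packet under the destination domain's policy, then forward."""
        if not self.owns(src_ip):
            raise PermissionError(f"{src_ip} is not a member of domain {self.domain}")
        dst = ipaddress.ip_address(dst_ip)
        target = next((s for p, s in self.routes.items() if dst in p), None)
        if target is None:
            raise LookupError(f"no prefix route for {dst_ip}")  # fail closed: no cleartext fallback
        km, policy = self.remote[target.domain]  # the remote domain's material and policy
        header = f"{src_ip}>{dst_ip}".encode()
        nonce, ct, tag = seal(km, policy, header, plaintext)
        return target.receive({"src": src_ip, "dst": dst_ip, "nonce": nonce, "ct": ct, "tag": tag})

    def receive(self, pkt):
        """Decrypt with this domain's own keying material and deliver to the local client."""
        if not self.owns(pkt["dst"]):
            raise PermissionError(f"{pkt['dst']} is not in domain {self.domain}")
        header = f"{pkt['src']}>{pkt['dst']}".encode()
        plaintext = unseal(self.keying_material, self.policy, header, pkt["nonce"], pkt["ct"], pkt["tag"])
        return pkt["dst"], plaintext


def build_domains():
    """Two ASAs with constructed prefixes that exchange keying material in both directions."""
    a, b = DomainServer("A", ["10.1.0.0/16"]), DomainServer("B", ["10.2.0.0/16"])
    a.peer(b)
    b.peer(a)
    return a, b
```

Calling `build_domains()` and then `a.send("10.1.0.7", "10.2.0.9", b"...")` runs the full path: domain A seals under domain B's keying material and policy, and B's server unseals with its own material and returns the client address and plaintext it would deliver. The points a practitioner would check are the failure modes: a destination with no learned prefix raises rather than falling back to cleartext, a source address outside the local range is refused, and a packet whose ciphertext or tag has been altered in transit is rejected before any decryption, since the tag is verified first with a constant-time comparison.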
Specification