Multi-domain dynamic group virtual private networks

US 8,713,669 B2
Filed: 03/02/2007
Issued: 04/29/2014
Est. Priority Date: 03/02/2007
Status: Active Grant

First Claim

Patent Images

1. A system that facilitates secure communication of data between disparate autonomous systems (AS), the system comprising:

a server including a processing unit coupled to a system memory, the server also including;

a security component associated with a dynamic group virtual private network conforming to a first security policy in a first domain, the first domain defined by a first range of IP addresses, wherein the security component,requests, from a disparate server, keying material and crypto-policy information associated with a disparate dynamic group virtual private network, the disparate dynamic group virtual private network conforming to a second security policy in a disparate domain, the disparate domain defined by a second range of IP addresses, the first security policy being different than the second security policy,receives, from the disparate server in the disparate dynamic group virtual private network, the keying material and the crypto-policy information associated with the disparate dynamic group virtual private network and conforming to the second security policy, andencrypting data using the keying material and the crypto-policy information and sending the encrypted data from a first client in the dynamic group virtual private network to a second client within the disparate dynamic group virtual private network in accordance with the second security policy and; and

a routing component that transmits the encrypted data from the dynamic group virtual private network in the first domain to the disparate server in the disparate dynamic group virtual private network in the disparate domain, wherein the disparate server forwards data decrypted from the encrypted data to the second client in the disparate domain, the routing component being associated with the security component and a plurality of prefixes, each prefix of the plurality of prefixes being part of the routing protocol between the first domain and the disparate domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and/or methods of secure communication of information between multi-domain virtual private networks (VPNs) are presented. A dynamic group VPN (DGVPN) can reside in one domain and a disparate DGVPN can reside in a disparate domain. An administrative security authority (ASA) can be employed in each domain. Each ASA can generate and exchange respective keying material and crypto-policy information to be used for inter-domain communications when routing data from a member in one DGVPN to a member(s) in the disparate DGVPN, such that an ASA in one domain can facilitate encryption of data in accordance with the policy of the other domain before the data is sent to the other domain. Each ASA can establish a key server to generate the keying material and crypto-policy information associated with its local DGVPN, and such material and information can be propagated to intra-domain members.

43 Citations

View as Search Results

18 Claims

1. A system that facilitates secure communication of data between disparate autonomous systems (AS), the system comprising:
- a server including a processing unit coupled to a system memory, the server also including;
  
  a security component associated with a dynamic group virtual private network conforming to a first security policy in a first domain, the first domain defined by a first range of IP addresses, wherein the security component,requests, from a disparate server, keying material and crypto-policy information associated with a disparate dynamic group virtual private network, the disparate dynamic group virtual private network conforming to a second security policy in a disparate domain, the disparate domain defined by a second range of IP addresses, the first security policy being different than the second security policy,receives, from the disparate server in the disparate dynamic group virtual private network, the keying material and the crypto-policy information associated with the disparate dynamic group virtual private network and conforming to the second security policy, andencrypting data using the keying material and the crypto-policy information and sending the encrypted data from a first client in the dynamic group virtual private network to a second client within the disparate dynamic group virtual private network in accordance with the second security policy and; and
  
  a routing component that transmits the encrypted data from the dynamic group virtual private network in the first domain to the disparate server in the disparate dynamic group virtual private network in the disparate domain, wherein the disparate server forwards data decrypted from the encrypted data to the second client in the disparate domain, the routing component being associated with the security component and a plurality of prefixes, each prefix of the plurality of prefixes being part of the routing protocol between the first domain and the disparate domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the security component is a key server.
  - 3. The system of claim 1, further comprising a disparate routing component that is associated with the disparate dynamic group virtual private network that receives the encrypted data, and a disparate security component associated with the disparate dynamic group virtual private network that decrypts the encrypted data according to the crypto-policy information associated with the disparate dynamic group virtual private network.
  - 4. The system of claim 1, wherein the security component is authenticated prior to obtaining a subset of the keying material and a subset of the crypto-policy information, the security component is authenticated by a disparate security component associated with the disparate dynamic group virtual private network.
  - 5. The system of claim 1, wherein the security component generates a subset of the keying material and a subset of the crypto-policy information associated with the dynamic group virtual private network and transmits such material and information to a disparate security component associated with the disparate dynamic group virtual private network.
  - 6. The system of claim 1, further comprising:
    - an interface component that can employ a virtual private network routing/forwarding instance global-interface outbound crypto-map mapping such that crypto-policy information is applied to data packets outside the first domain.
  - 7. The system of claim 1, wherein a subset of the crypto-policy information is associated with a crypto-policy that comprises a list of prefixes to which the crypto-policy is applied.
  - 8. The system of claim 1, wherein a subset of the crypto-policy information is associated with a crypto-policy, the crypto-policy is associated with prefixes that serve as multicast sources such that at least one receiver in the disparate domain obtains key material associated with and for inter-domain multicast trees.
  - 9. The system of claim 1, wherein the security component secures data in accordance with a crypto-policy associated with at least one of the dynamic group virtual private network associated with the first domain or the disparate dynamic group virtual private network associated with the disparate domain.

10. A method that facilitates communication of data between disparate autonomous systems (AS), the method comprising:
- sending a request for keying material and crypto-policy information conforming to a second security policy from a first server in a first dynamic group virtual private network to a second server in a second dynamic group virtual private network, wherein the first dynamic group virtual private network is within a first range of IP addresses and conforms to a first security policy, and the second dynamic group virtual private network is within a second range of IP addresses and conforms to the second security policy, the first security policy being different than the second security policy;
  
  receiving from the second server in the second dynamic group virtual private network, at the first server within the first dynamic group virtual private network, the keying material and crypto-policy information conforming to the second security policy from the second dynamic group virtual private network, the keying material and the crypto-policy information are associated with the second dynamic group virtual private network, the crypto-policy information being associated with a plurality of prefixes, each prefix of the plurality of prefixes being part of a routing protocol between the first dynamic group virtual private network and the second dynamic group virtual private network;
  
  encrypting data packets, received from a first client, in accordance with the crypto-policy information and using the keying material, the data packets are encrypted on the first server in the first dynamic group virtual private network; and
  
  transmitting the encrypted data packets from the first server in the first dynamic group virtual private network to the second server in the second dynamic group virtual private network, wherein the second server forwards data decrypted from the encrypted data to a second client in the second dynamic group virtual private network.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising:
    - generating the keying material and the crypto-policy information; and
      
      propagating the keying material and crypto-policy information to the first server.
  - 12. The method of claim 11, further comprising:
    - decrypting the data packets after the data packets are received in the second dynamic group virtual private network, the data packets are decrypted in the second dynamic group virtual private network; and
      
      transferring the decrypted data packets to the second client associated with the second dynamic group virtual private network.
  - 13. The method of claim 12, further comprising:
    - routing the data packets to the prefixes in the second dynamic group virtual private network.
  - 14. The method of claim 10, further comprising:
    - contacting a disparate security component within the second server in the second dynamic group virtual private network;
      
      authenticating communication between a security component on the first server within the first dynamic group virtual private network and the disparate security component;
      
      establishing a secure channel between the security component and the disparate security component to facilitate the transfer of the keying material and the crypto-policy information;
      
      requesting the keying material and the crypto-policy information;
      
      generating the keying material and the crypto-policy information on the disparate security component; and
      
      sending the keying material and the crypto-policy information to the security component via the secure channel.
  - 15. The method of claim 10, further comprising:
    - generating a list of prefixes associated with the crypto-policy information; and
      
      sending the list of prefixes with the crypto-policy information.
  - 16. The method of claim 10, further comprising:
    - tagging the plurality of prefixes during router distribution.

17. A non-transitory computer-readable storage medium containing instructions, which when executed by a processor cause the processor to:
- send a request for keying material and crypto-policy information conforming to a second security policy from a first server in a first dynamic group virtual private network to a second server in a second dynamic group virtual private network, wherein the first dynamic group virtual private network is within a first service provider network and conforms to a first security policy, and the second dynamic group virtual private network is within a second service provider network and conforms to the second security policy, the first security policy being different than the second security policy;
  
  receive from the second server in the second dynamic group virtual private network, on the first server within the first dynamic group virtual private network, the keying material and crypto-policy information conforming to the second security policy from the second dynamic group virtual private network, the keying material and the crypto-policy information allowing secure access to the second dynamic group virtual private network, the crypto-policy information being associated with a plurality of prefixes, each prefix of the plurality of prefixes being part of a routing protocol between the first dynamic group virtual private network and the second dynamic group virtual private network;
  
  encrypt data packets, received from a first client, in accordance with the crypto-policy information on the first server within the first dynamic group virtual private network and using the keying material; and
  
  transmit the encrypted data packets from the first server in the first dynamic group virtual private network to the second server in the second dynamic group virtual private network, wherein the second server forwards data decrypted from the encrypted data to a second client in the second dynamic group virtual private network.

18. A method that facilitates secure communication between disparate service provider networks, the method comprising:
- receiving a request for keying material and crypto-policy information conforming to a first security policy from a second server located within a second dynamic group virtual private network operating within a second service provider network by a first server within a first dynamic group virtual private network operating within a first service provider network for secure communication between a first client within the first dynamic group virtual private, the first dynamic group virtual private associated with a first range of IP addresses and conforming to a first security policy, and a second client within the second dynamic group virtual private, the second dynamic group virtual private associated with a second range of IP addresses and conforming to a second security policy, the request originating from within the second dynamic group virtual private, the first security policy being different than the second security policy;
  
  sending to the second server, based on the received request, key material and crypto-policy information conforming to the first security policy over a secure communication channel;
  
  receiving, on the first server, encrypted data packets addressed to the first client from the second client within the first dynamic group virtual private, the data packets secured according to the crypto-policy information and using the key material shared with the second dynamic group virtual private by the first dynamic group virtual private;
  
  decrypting, on the first server, the encrypted data packets using the key material and the crypto-policy information, the crypto-policy information being associated with a plurality of prefixes, each prefix of the plurality of prefixes being part of the routing protocol between the first dynamic group virtual private and the second dynamic group virtual private; and
  
  delivering, from the first server, the decrypted data packets to the first client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Guichard, James Neil, Wainner, Warren Scott, Weis, Brian E.
Primary Examiner(s)
Lagor, Alexander

Application Number

US11/681,277
Publication Number

US 20080215880A1
Time in Patent Office

2,615 Days
Field of Search

713/162, 380/277, 726/15, 726/13, 726/1, 726/3, 726/2, 726/11, 726/14
US Class Current

726/15
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/065   for group communications cr...

Multi-domain dynamic group virtual private networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Multi-domain dynamic group virtual private networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others