Regional virtual VPN

US 8,837,491 B2
Filed: 05/22/2009
Issued: 09/16/2014
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. A process of communication, comprising a network abstraction layer (NAL) built on a public Internet, the NAL comprising an overlay network allowing a direct Internet Protocol (IP) communication between endpoints in a virtual private network (VPN) over the Internet, wherein the NAL provides the overlay network between the endpoints, the overlay network being built over the Internet;

anda network virtualization layer (NVL) built on the NAL, the NVL comprising a VPN aggregator using GDOI protocol encryption, providing synchronization of session keys to encrypt a payload between all the endpoints over the NAL such that encrypted traffic is able to be decrypted by any endpoint for an entire session to allow instantly available communication between all the endpoints, wherein communication between all the endpoints does not require using a hub after an initial connection is established, and wherein the VPN aggregator enables aggregation of multiple Group Domain of Interpretation (GDOI) domains;

wherein an IP communication defines data being exchanged between the endpoints via tunnel interfaces,wherein a runnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with another endpoint;

wherein IP tunnel addresses define all IP addresses of tunnel interfaces of an endpoint,wherein translation of the IP tunnel addresses and all LAN IP subnets of the endpoint interact IP address occurs for each endpoint, andwherein a registration process the IP addressing scheme of the each endpoint is recorded, said IP addressing scheme including public IP addresses and the IP tunnel addresses of the each endpoint and all LAN IP subnets of the each endpoint; and

wherein the endpoint is connected to a non-broadcast multi-access (NBMA) network to discover internetworking layer addresses and subnetwork addresses of a NBMA next hop towards a destination endpoint; and

wherein the NBMA next hop is a Next Hop Resolution Protocol (NHRP).

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for communication. A network abstraction layer (NAL) is built on a public Internet, the NAL comprising an overlay network allowing a direct Internet Protocol (IP) communication between endpoints in a virtual private network (VPN) over the Internet. A network virtualization layer (NVL) is built on the NAL, the NVL comprising a VPN aggregator using DGOI protocol encryption, providing synchronization of session keys to encrypt a payload between all the endpoints over the NAL such that encrypted traffic is able to be decrypted by any endpoint for an entire session to allow instantly available communication between all the endpoints.

Citations

56 Claims

1. A process of communication, comprising a network abstraction layer (NAL) built on a public Internet, the NAL comprising an overlay network allowing a direct Internet Protocol (IP) communication between endpoints in a virtual private network (VPN) over the Internet, wherein the NAL provides the overlay network between the endpoints, the overlay network being built over the Internet;
- anda network virtualization layer (NVL) built on the NAL, the NVL comprising a VPN aggregator using GDOI protocol encryption, providing synchronization of session keys to encrypt a payload between all the endpoints over the NAL such that encrypted traffic is able to be decrypted by any endpoint for an entire session to allow instantly available communication between all the endpoints, wherein communication between all the endpoints does not require using a hub after an initial connection is established, and wherein the VPN aggregator enables aggregation of multiple Group Domain of Interpretation (GDOI) domains;
  
  wherein an IP communication defines data being exchanged between the endpoints via tunnel interfaces,wherein a runnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with another endpoint;
  
  wherein IP tunnel addresses define all IP addresses of tunnel interfaces of an endpoint,wherein translation of the IP tunnel addresses and all LAN IP subnets of the endpoint interact IP address occurs for each endpoint, andwherein a registration process the IP addressing scheme of the each endpoint is recorded, said IP addressing scheme including public IP addresses and the IP tunnel addresses of the each endpoint and all LAN IP subnets of the each endpoint; and
  
  wherein the endpoint is connected to a non-broadcast multi-access (NBMA) network to discover internetworking layer addresses and subnetwork addresses of a NBMA next hop towards a destination endpoint; and
  
  wherein the NBMA next hop is a Next Hop Resolution Protocol (NHRP).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The process of claim 1, further comprising the network abstraction layer is built on top of the NBMA network.
  - 3. The process of claim 2, further comprising selecting at least one of Generic Routing Encapsulation (GRE), Multipoint Generic Routing Encapsulation (mGRE), Dynamic Multipoint VPN (DMVPN), MultiProtocol Label Switching (MPLS) and Overlay Transport Virtualization (OTV).
  - 4. The process of claim 1, wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way, wherein said endpoints are spokes and/or hubs.
  - 5. The process of claim 4, wherein the manner comprises exchanging routing information.
  - 6. The process of claim 4, wherein the manner comprises a hub functioning as a client aggregation point and the endpoints functioning as clients, whereby at least some of said endpoints communicate with each other without such communication passing through the hub.
  - 7. The process of claim 1, wherein a hub and said endpoints that are connected to a previous presented hub are connected together in the network abstraction layer, the each endpoint having IP routing information comprising IP routes to the public IP addresses of other endpoints.
  - 8. The process of claim 7, wherein an endpoint routing table of the IP routes from the endpoint to all other endpoints is remotely configured using an automation engine.
  - 9. The process of claim 8, wherein the automation engine is operated manually.
  - 10. The process of claim 8, wherein the automation engine comprises an automation daemon.
  - 11. The process of claim 8, wherein the IP routes of said endpoints are stored in a database for use by the automation engine for generating changes in the endpoint routing table.
  - 12. The process of claim 11, wherein encryption techniques are used to ensure the protection of the data exchanged between the endpoints.
  - 13. The process of claim 12, wherein the protection is selected from a group of protections comprising at least one of privacy, authentication, integrity, and non repudiation of the endpoint.
  - 14. The process of claim 12, wherein an IP tunnel interface using a set of encryption keys is used between each pair of endpoints.
  - 15. The process of claim 14, wherein a GDOI synchronizing protocol is used for distributing the same set of encryption keys to all endpoints participating in said VPN.
  - 16. The process of claim 14, wherein said same set of encryption keys is used for resolving resource management issues among participating endpoints.
  - 17. The process of claim 14, wherein said same set of encryption keys is used for allowing the endpoint to instantly exchange data with other endpoints.
  - 18. The process of claim 8, wherein the automation engine uses a protocol to securely transport and deliver configurations to the endpoints.
  - 19. The process of claim 18, wherein the protocol comprises at least one of Secure Shell (SSH), Simple Network Management Protocol (SNMP), Secure Copy Protocol (SCP), Secure Socket Layer (SSL)-based and Transport Layer Security (TLS)-based protocols.
  - 20. The process of claim 8, wherein the automation engine uses a protocol to transport and deliver configurations to the endpoints.
  - 21. The process of claim 20, wherein the protocol comprises at least one of Telnet, Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) and Hyper Text Transfer Protocol (HTTP).
  - 22. The process of claim 7, wherein said connectivity is selected from a group of connectivities comprising at least one of endpoint to endpoint connectivity, hub to endpoint connectivity, and endpoint to hub to endpoint connectivity.
  - 23. The process of claim 7, wherein multiple virtual paths can be created over a physical path using virtualization techniques forming the network virtualization layer.
  - 24. The process of claim 23, wherein the endpoints are virtualized.
  - 25. The process of claim 24, wherein a virtualization technique is selected from a group of virtualization protocol comprising at least one of MPLS, GRE, and 802.1q Tagging.

26. A system of communication, comprising:
- a network abstraction layer (NAL) built on a public Internet, the NAL comprising an overlay network allowing a direct Internet Protocol (IP) communication between endpoints in a virtual private network (VPN) over the Internet, wherein the NAL provides the overlay network between the endpoints, the overlay network being built over the Internet; and
  
  a network virtualization layer (NVL) built on the NAL, the NVL comprising a VPN aggregator using GDOI protocol encryption, providing synchronization of session keys to encrypt a payload between all the endpoints over the NAL such that encrypted traffic is able to be decrypted by any endpoint for an entire session to allow instantly available communication between all the endpoints after an initial connection is established, wherein communication between all the endpoints does not require using a hub, and wherein the VPN aggregator enables aggregation of multiple Group Domain of Interpretation (GDOI) domains;
  
  wherein an IP communication defines data being exchanged between the endpoints via tunnel interfaces,wherein a tunnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with another endpoint,wherein IP tunnel addresses define all IP addresses of tunnel interfaces of the endpoint,wherein the translation of the IP tunnel addresses and all LAN IP subnets of endpoint internet IP addresses occurs for each endpoint, andwherein at a registration system the IP addressing scheme of the each endpoint is recorded, the IP addressing scheme including public IP addresses and the IP tunnel addresses of the each endpoint, and all LAN IP subnets of the each endpoint; and
  
  wherein the endpoint is connected to a non-broadcast multi-access (NBMA) network to discover internetworking layer addresses and subnetwork addresses of a NBMA next hop towards a destination endpoint; and
  
  wherein the NBMA next hop is a Next Hop Resolution Protocol (NHRP).
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 27. The system of claim 26, further comprising the network abstraction layer is built on top of the NBMA network.
  - 28. The system of claim 27, further comprising selecting at least one of Generic Routing Encapsulation (GRE), Multipoint Generic Routing Encapsulation (mGRE), Dynamic Multipoint VPN (DMVPN), MultiProtocol Label Switching (MPLS) and Overlay Transport Virtualization (OTV).
  - 29. The system of claim 26, wherein at least some of said endpoints communicate with each other in a manner that ensures traffic will transit in an optimized way, wherein said endpoints are spokes and/or hubs.
  - 30. The system of claim 29, wherein the manner comprises exchanging routing information.
  - 31. The system of claim 29, wherein the manner comprises the hub functioning as a client aggregation point and the endpoints functioning as clients, whereby at least some of said endpoints communicate with each other without such communication passing through the hub.
  - 32. The system of claim 26, wherein the hub and said endpoints that are connected to said hub are connected together in the network abstraction layer, the each endpoint having IP routing information comprising IP routes to the public IP addresses of the other endpoint.
  - 33. The system of claim 32, wherein an endpoint routing table of the IP routes from the endpoint to all other endpoints is remotely configured using an automation engine.
  - 34. The system of claim 33, wherein the automation engine is operated manually.
  - 35. The system of claim 33, wherein the automation engine comprises an automation daemon.
  - 36. The system of claim 33, wherein the IP routes of said endpoints are stored in a database for use by the automation engine for generating the changes in the endpoint routing table.
  - 37. The system of claim 36, wherein encryption techniques are used to ensure the protection of the data exchanged between the endpoints.
  - 38. The system of claim 37, wherein the protection is selected from the group of protections consisting of privacy, authentication, integrity, and non repudiation of the endpoint.
  - 39. The system of claim 38, wherein a GDOI synchronizing protocol is used for distributing the same set of encryption keys to all endpoints participating in said VPN.
  - 40. The system of claim 39, wherein the protocol comprises at least one of Secure Shell (SSH), Simple Network Management Protocol (SNMP), Secure Copy Protocol (SCP), Secure Socket Layer (SSL)-based and Transport Layer Security (TLS)-based protocols.
  - 41. The system of claim 37, wherein a tunnel interface using a set of encryption keys is used between each pair of endpoints.
  - 42. The system of claim 41 wherein said same set of encryption keys is used for resolving resource management issues among participating endpoints.
  - 43. The system of claim 41, wherein said same set of encryption keys is used for allowing the endpoint to instantly exchange data with other endpoints.
  - 44. The system of claim 33, wherein the automation engine uses a protocol to securely transport and deliver configurations to the endpoints.
  - 45. The system of claim 33, wherein the automation engine uses a protocol to transport and deliver configurations to the endpoints.
  - 46. The system of claim 45, wherein the protocol comprises at least one of Telnet, Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) and Hyper Text Transfer Protocol (HTTP).
  - 47. The system of claim 32, wherein said connectivity is selected from a group of connectivities comprising at least one of endpoint to endpoint connectivity, hub to endpoint connectivity, and endpoint to hub to endpoint connectivity.
  - 48. The system of claim 32, wherein multiple virtual paths can be created over a physical path using virtualization techniques forming the network virtualization layer.
  - 49. The system of claim 48, wherein the endpoints are virtualized.
  - 50. The system of claim 49, wherein a virtualization technique is selected from a group of virtualization protocol comprising at least one of MPLS, GRE, and 802.1q Tagging.
  - 51. In the system of claim 26, the endpoint routing data packets to another endpoint.
  - 52. In the system of claim 26, wherein the endpoint is connected to a non-broadcast multi-access (NBMA) network to discover internetworking layer addresses and subnetwork addresses of a NBMA next hop towards a destination endpoint,the endpoint routing, data packets to another endpoint.

53. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform the process of providing a method of communication, comprising:
- a network abstraction layer (NAL) built on a public Internet, the NAL comprising an overlay network allowing a direct Internet Protocol (IP) communication between endpoints in a virtual private network (VPN) over the Internet, wherein the NAL provides an overlay network between the endpoints, the overlay network being built over the Internet; and
  
  a network virtualization layer (NVL) built on the NAL, the NVL comprising a VPN aggregator using GDOI protocol encryption, providing synchronization of session keys to encrypt a payload between all the endpoints over the NAL to allow instantly available communication between all the endpoints, wherein communication between all the endpoints does not require using a hub after an initial connection is established, and wherein the VPN aggregator enables aggregation of multiple Group Domain of Interpretation (GDOI) domains;
  
  wherein an IP communication defines data being exchanged between the endpoints via tunnel interfaces,wherein a runnel interface defines an interface on an endpoint that is one side of a point-to-point or point-to-multipoint link with another endpoint;
  
  wherein IP tunnel addresses define all the IP addresses of tunnel interfaces of the endpoint,wherein the translation of the IP tunnel addresses and all LAN IP subnets of a endpoint Internet IP address occurs for each endpoint, andwherein at a registration process the IP addressing scheme of the each endpoint is recorded, the IP addressing scheme including public IP addresses and the IP tunnel addresses of the each endpoint and all LAN IP subnets of the each endpoint;
  
  wherein the endpoint is connected to a non-broadcast multi-access (NBMA) network to discover internetworking layer addresses and subnetwork addresses of a NBMA next hop towards a destination endpoint; and
  
  wherein the NBMA next hop is a Next Hop Resolution Protocol (NHRP).
- View Dependent Claims (54, 55, 56)
- - 54. The one or more processor readable storage devices of claim 53, further comprising the network abstraction layer is built on top of the NBMA network.
  - 55. The one or more processor readable storage devices of claim 54, wherein an endpoint routing table of IP routes from the endpoint to all other endpoints is remotely configured using an automation engine.
  - 56. The one or more processor readable storage devices of claim 53, wherein an endpoint routing table of IP routes from the endpoint to all other endpoints is remotely configured using an automation engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gluware IP LLC
Original Assignee
Glue Networks, Inc.
Inventors
Huynh Van, Olivier, Gray, Jeffrey G.
Primary Examiner(s)
Ton, Dang
Assistant Examiner(s)
Mansoury, Nourali

Application Number

US12/471,199
Publication Number

US 20090304004A1
Time in Patent Office

1,943 Days
Field of Search

370/395.31, 370/401, 370/254, 370/351, 709/201, 709/203, 709238-242, 709/229, 713/151, 713/152, 713/155, 713/156, 713/167, 713/168, 713/182, 713/193, 713/201
US Class Current

370/395.31
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/56   Packet switching systems

H04L 45/00   Routing or path finding of ...

H04L 45/17   Shortcut routing, e.g. usin...

H04L 45/64   using an overlay routing layer

H04L 9/30   Public key, i.e. encryption...

Regional virtual VPN

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

Regional virtual VPN

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links