Domain isolation through virtual network machines

US 9,047,460 B2
Filed: 03/13/2014
Issued: 06/02/2015
Est. Priority Date: 12/24/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method performed by a server end station communicatively coupled with a single network device that is communicatively coupled with one or more end stations, wherein the server end station stores a plurality of user records, the method comprising:

authenticating, using an authentication, authorization and accounting (AAA) protocol, a user based upon identifying one of the plurality of user records that identifies the user, wherein the user utilizes an end station of the one or more end stations, wherein each of the plurality of user records comprises information indicating which of a plurality of virtual routers the end station of the user is to be currently coupled to, wherein the single network device comprises the plurality of virtual routers that share a set of physical resources of the single network device, and wherein each of the plurality of virtual routers provides access to a different one of a plurality of virtual private networks; and

causing the single network device to communicatively couple the end station of the user with one of the plurality of virtual routers selected based on the information from the user record identified during said authenticating.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for communicating information resources between subscriber end stations and nodes belonging to different network domains is described. The device instantiates different virtual network machines for different network domains using separate independently administrable network databases. Each of the administrable chores of the separate independently administrable network databases includes the assignment of access control and the configuration of the policies for those network databases. The policies include traffic filtering policies to indicate what kind of information payloads can be carried, traffic and route filtering policies to indicate what paths through the network will be used for each payload carried. Each of the network domains includes one of the different virtual network machines and each of the different network domains is virtually isolated from other network domains.

Citations

21 Claims

1. A method performed by a server end station communicatively coupled with a single network device that is communicatively coupled with one or more end stations, wherein the server end station stores a plurality of user records, the method comprising:
- authenticating, using an authentication, authorization and accounting (AAA) protocol, a user based upon identifying one of the plurality of user records that identifies the user, wherein the user utilizes an end station of the one or more end stations, wherein each of the plurality of user records comprises information indicating which of a plurality of virtual routers the end station of the user is to be currently coupled to, wherein the single network device comprises the plurality of virtual routers that share a set of physical resources of the single network device, and wherein each of the plurality of virtual routers provides access to a different one of a plurality of virtual private networks; and
  
  causing the single network device to communicatively couple the end station of the user with one of the plurality of virtual routers selected based on the information from the user record identified during said authenticating.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said causing the single network device to communicatively couple the end station of the user with one of the plurality of virtual routers comprises transmitting, using the AAA protocol, the information from the identified user record that indicates the one of the plurality of virtual routers that the end station of the user is to be coupled to.
  - 3. The method of claim 1, wherein the AAA protocol is Remote Authentication Dial In User Service (RADIUS) protocol.
  - 4. The method of claim 3, wherein said identifying the one of the plurality of user records that identifies the user is based upon a username provided by the user and a password provided by the user.
  - 5. The method of claim 1, wherein said information comprises an identifier of one of the plurality of virtual private networks.
  - 6. The method of claim 1, wherein the single network device, after communicatively coupling the end station of the user with the one of the plurality of virtual routers, routes packets for the end station via the one of the plurality of virtual routers using one of a plurality of network databases, wherein each of the plurality of network databases belongs to a different one of the plurality of virtual routers.
  - 7. The method of claim 6, wherein said single network device, responsive to receiving the information from the identified user record that indicates that one of the plurality of virtual routers the end station of the user is to be currently coupled to, creates or updates a binding data structure that associates the end station of the user with the one of the plurality of virtual routers.

8. A server end station to be communicatively coupled with a single network device that is to be communicatively coupled with one or more end stations of one or more users, the server end station comprising:
- a set of one or more processors;
  
  communications hardware to transmit and receive packets; and
  
  a non-transitory computer-readable medium having stored therein a set of instructions that, when executed by the set of processors, cause the server end station to;
  
  authenticate, using an authentication, authorization and accounting (AAA) protocol, a user of the one or more users based upon identifying one of a plurality of user records stored by the server end station that identifies the user, wherein the plurality of user records comprise information indicating which of a plurality of virtual routers the one or more end stations of the one or more users are to be communicatively coupled to, wherein the single network device comprises the plurality of virtual routers that share a set of physical resources of the single network device, and wherein each of the plurality of virtual routers provides access to a different one of a plurality of virtual private networks, andcause the single network device to communicatively couple an end station of the user with one of the plurality of virtual routers selected based on the information from the user record identified during said authentication.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The server end station of claim 8, wherein said set of instructions cause the server end station to cause the single network device to communicatively couple the end station of the user with the one of the plurality of virtual routers by causing the single network device to transmit, using the AAA protocol, the information from the identified user record that indicates the one of the plurality of virtual routers the end station of the user is to be coupled to.
  - 10. The server end station of claim 8, wherein the AAA protocol is Remote Authentication Dial In User Service (RADIUS) protocol.
  - 11. The server end station of claim 10, wherein said identifying the one of the plurality of user records that identifies the user is based upon a username provided by the user and a password provided by the user.
  - 12. The server end station of claim 8, wherein said information comprises an identifier of one of the plurality of virtual private networks.
  - 13. The server end station of claim 8, wherein the single network device, after communicatively coupling the end station of the user with the one of the plurality of virtual routers, is to route packets for the end station via the one of the plurality of virtual routers using one of a plurality of network databases, wherein each of the plurality of network databases belongs to a different one of the plurality of virtual routers.
  - 14. The server end station of claim 8, wherein said single network device, responsive to a receipt of the information from the identified user record that indicates the one of the plurality of virtual routers the end station of the user is to be coupled to, is to create or update a binding data structure that associates the end station of the user with the one of the plurality of virtual routers.

15. A non-transitory computer-readable storage medium that stores instructions which, when executed by a set of one or more processors of a server end station, cause the server end station to perform operations comprising:
- authenticating, using an authentication, authorization and accounting (AAA) protocol, a user based upon identifying one of a plurality of user records that identifies the user, wherein the user utilizes an end station of one or more end stations that are communicatively coupled with a single network device, wherein each of the plurality of user records comprises information indicating which of a plurality of virtual routers the end station of the user is to be coupled to, wherein the single network device comprises the plurality of virtual routers that share a set of physical resources of the single network device, and wherein each of the plurality of virtual routers provides access to a different one of a plurality of virtual private networks; and
  
  causing the single network device to communicatively couple the end station of the user with one of the plurality of virtual routers selected based on the information from the user record identified during said authenticating.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein said causing the single network device to communicatively couple the end station of the user with one of the plurality of virtual routers comprises transmitting, using the AAA protocol, the information from the identified user record that indicates the one of the plurality of virtual routers the end station of the user is to be coupled to.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the AAA protocol is Remote Authentication Dial In User Service (RADIUS) protocol.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein said identifying the one of the plurality of user records that identifies the user is based upon a username provided by the user and a password provided by the user.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein said information comprises an identifier of one of the plurality of virtual private networks.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the single network device, after communicatively coupling the end station of the user with the one of the plurality of virtual routers, routes packets for the end station via the one of the plurality of virtual routers using one of a plurality of network databases, wherein each of the plurality of network databases belongs to a different one of the plurality of virtual routers.
  - 21. The non-transitory computer-readable storage medium of claim 20, wherein said single network device, responsive receiving the information from the identified user record that indicates the one of the plurality of virtual routers the end station of the user is to be currently coupled to, creates or updates a binding data structure that associates the end station of the user with the one of the plurality of virtual routers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Original Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Inventors
Salkewicz, William
Primary Examiner(s)
Patel, Chirag R

Application Number

US14/210,002
Publication Number

US 20140196123A1
Time in Patent Office

446 Days
Field of Search

709223-227
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/00   Arrangements for maintenanc...

Domain isolation through virtual network machines

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Domain isolation through virtual network machines

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links