Application services based on dynamic split tunneling

US 9,137,211 B2
Filed: 05/16/2013
Issued: 09/15/2015
Est. Priority Date: 05/16/2013
Status: Active Grant

First Claim

Patent Images

1. Logic encoded in a tangible, non-transitory computer readable medium for execution by a hardware processor, and when executed operable to:

obtain data representative of a first fully qualified domain name (FQDN) corresponding to a first service and associated with a first network;

receive virtual private network (VPN) configuration data from a security device associated with the first network and a second network;

dynamically create a first tunnel solely for routing traffic directed to the first FQDN;

route traffic directed to the first FQDN onto the first tunnel that is dynamically created using the VPN configuration data; and

route traffic not directed to the first FQDN elsewhere.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example embodiment, a method of dynamically tunneling specific, or per application, services on demand without having to build complex split tunneling policies on Virtual Private Network (VPN) terminators. In particular embodiments, the method can allow for tunneling to multiple data centers on devices with limited, e.g., single, concentrator capabilities.

12 Citations

View as Search Results

21 Claims

1. Logic encoded in a tangible, non-transitory computer readable medium for execution by a hardware processor, and when executed operable to:
- obtain data representative of a first fully qualified domain name (FQDN) corresponding to a first service and associated with a first network;
  
  receive virtual private network (VPN) configuration data from a security device associated with the first network and a second network;
  
  dynamically create a first tunnel solely for routing traffic directed to the first FQDN;
  
  route traffic directed to the first FQDN onto the first tunnel that is dynamically created using the VPN configuration data; and
  
  route traffic not directed to the first FQDN elsewhere.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 1, further operable to:
    - allocate a first dummy service Internet Protocol (IP) address corresponding to the first FQDN;
      
      obtain data representative of a second FQDN corresponding to a second service and associated with the second network;
      
      dynamically create a second tunnel solely for routing traffic directed to the second FQDN; and
      
      allocate a second dummy service IP address corresponding to the second FQDN.
  - 3. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 2, further operable to:
    - intercept a first Domain Name System (DNS) request for a sub-domain associated with the first FQDN;
      
      forward the first DNS request onto the first tunnel;
      
      receive a response to the first DNS request, the response comprising a first service IP address associated with the first network;
      
      map the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the first FQDN associated with the first tunnel;
      
      replace the first service IP address in the response to the first DNS request with the first dummy service IP address;
      
      forward the response to the first DNS request with the first dummy service IP address;
      
      intercept a second Domain Name System (DNS) request for a sub-domain associated with the second FQDN;
      
      forward the second DNS request onto the second tunnel;
      
      receive a response to the second DNS request, the response comprising a second service IP address associated with the second network;
      
      map the second service IP address in the response to the second DNS request to a second dummy service IP address allocated to the second FQDN;
      
      replace the second service IP address in the response to the first DNS request with the second dummy service IP address; and
      
      forward the response to the second DNS request with the second dummy service IP address.
  - 4. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 3, wherein the second DNS request comprises a destination address, the logic is further operable to:
    - obtain data representative of an address of a DNS server associated with the second network;
      
      modify the destination address of the second DNS request, the destination address is changed to match the address of the DNS server associated with the second tunnel; and
      
      store data representative of the second DNS request, the data representative of the second DNS comprises the destination address of the second DNS request;
      
      wherein the modified second DNS request forwarded on the second tunnel contains the address of the DNS server associated with the second network as the destination address.
  - 5. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 4, wherein the second DNS response comprises a source address, the logic is further operable to:
    - match the response to the second DNS request to the stored data representative of the second DNS request;
      
      modify the source address of the response to the second DNS request, wherein the source address is modified to match the destination address of the second DNS request; and
      
      forward the modified response to the second DNS request.
  - 6. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 3, further operable to:
    - receive a first packet, the first packet having the first dummy service IP address as a destination address;
      
      replace the first dummy service IP address with the first service IP address in the response to the first DNS request;
      
      forward the first packet onto the first tunnel with the first service IP address in the response to the first DNS request as the destination address;
      
      receive a second packet, the second packet having the second dummy service IP address as a destination address;
      
      replace the second dummy service IP address with the second service IP address in the response to the second DNS request; and
      
      forward the second packet onto the second tunnel with the second service IP address in the response to the second DNS request as the destination address.
  - 7. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 3, further operable to:
    - receive a first packet from the first tunnel with a source address matching the first service IP address in the response to the first DNS request;
      
      replace the source address of the first packet with the first dummy service IP address;
      
      forward the first packet with the first dummy service IP address as the source address;
      
      receive a second packet from the second tunnel with a source address matching the second service IP address in the response to the second DNS request;
      
      replace the source address of the second packet with the second dummy service IP address; and
      
      forward the second packet with the second dummy service IP address as the source address.
  - 8. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 3, further operable to:
    - intercept a third Domain Name System (DNS) request for a sub-domain not associated with the first FQDN and not associated with a second FQDN;
      
      forward the third DNS request onto the first tunnel;
      
      receive a response to the third DNS request, the response comprising a third service IP address; and
      
      forward the response to the third DNS request with the third service IP address.
  - 9. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 1, further operable to:
    - establish the first tunnel with the security device associated with the first network;
      
      wherein the configuration data is obtained upon establishment of the first tunnel.
  - 10. The logic encoded in the tangible, non-transitory computer readable medium set forth in claim 9, further operable toestablish a second tunnel with the second network employing the VPN configuration data received from the security device;
    - wherein the data representative of a second FQDN is obtained from the second network.

11. A computer implemented method, comprising:
- receiving virtual private network (VPN) configuration data from a security device associated with a first network and a second network;
  
  dynamically creating a plurality of tunnels for routing Domain Name System (DNS) requests;
  
  selectively routing DNS requests for sub-domains associated with the first network through a first tunnel associated with the first network;
  
  selectively routing DNS requests for sub-domains associated with the second network through a second tunnel associated with the second network;
  
  associating service Internet Protocol (IP) addresses for sub-domains associated with the first and second networks to dummy service IP addresses;
  
  replacing the service IP addresses in DNS responses for sub-domains associated with the first and second networks with the dummy service IP addresses; and
  
  forwarding the DNS responses with the dummy service IP addresses.
- View Dependent Claims (12, 13)
- - 12. The computer implemented method set forth in claim 11, further comprising:
    - replacing the destination address for DNS requests for sub-domains associated with the second network to match an address of a DNS server associated with the second network;
      
      storing data representative of DNS requests for sub-domains associated with the second network;
      
      forwarding the DNS requests for sub-domains associated with the second network with the address of the DNS server associated with the second network;
      
      matching DNS responses received from the second network with stored DNS request employing the stored data representative of DNS requests;
      
      replacing the source address of the DNS responses with the destination addresses of the DNS requests; and
      
      forwarding the DNS responses with the destination addresses of the DNS requests.
  - 13. The method set forth in claim 11, further comprising:
    - replacing a destination address of packets having a dummy service IP addresses associated with the first network as the destination address with the appropriate service IP address for the first network;
      
      forwarding the packets with the appropriate service IP address as the destination address for the first network to the first network via the first tunnel;
      
      replacing a destination address of packets having a dummy service IP addresses associated with the second network as the destination address with the appropriate service IP address for the first network;
      
      forwarding the packets with the appropriate service IP address for the second network as the destination address to the second network via the second tunnel;
      
      replacing a source address of packets received from the first network with a dummy service IP addresses associated with the first network;
      
      forwarding the packets with the dummy service IP address associated with the first network as the source address;
      
      replacing a source address of packets received from the second network with a dummy service IP addresses associated with the second network; and
      
      forwarding the packets with the dummy service IP address associated with the second network as the source address.

14. A network device comprising:
- a hardware processor; and
  
  logic operable to;
  
  obtain data representative of a first fully qualified domain name (FQDN) corresponding to a first service and associated with a first network;
  
  receive virtual private network (VPN) configuration data from a security device associated with the first network and a second network;
  
  dynamically create a first tunnel solely for routing traffic directed to the first FQDN;
  
  route traffic directed to the first FQDN onto the first tunnel that is dynamically created using the VPN configuration data; and
  
  route traffic not directed to the first FQDN elsewhere.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The network device of claim 14, wherein the logic is further operable to:
    - allocate a first dummy service Internet Protocol (IP) address corresponding to the first FQDN;
      
      obtain data representative of a second FQDN corresponding to a second service and associated with the second network;
      
      dynamically create a second tunnel solely for routing traffic directed to the second FQDN; and
      
      allocate a second dummy service IP address corresponding to the second FQDN.
  - 16. The network device of claim 15, wherein the logic is further operable to:
    - intercept a first Domain Name System (DNS) request for a sub-domain associated with the first FQDN;
      
      forward the first DNS request onto the first tunnel;
      
      receive a response to the first DNS request, the response comprising a first service IP address associated with the first network;
      
      map the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the first FQDN associated with the first tunnel;
      
      replace the first service IP address in the response to the first DNS request with the first dummy service IP address;
      
      forward the response to the first DNS request with the first dummy service IP address;
      
      intercept a second Domain Name System (DNS) request for a sub-domain associated with the second FQDN;
      
      forward the second DNS request onto the second tunnel;
      
      receive a response to the second DNS request, the response comprising a second service IP address associated with the second network;
      
      map the second service IP address in the response to the second DNS request to a second dummy service IP address allocated to the second FQDN;
      
      replace the second service IP address in the response to the first DNS request with the second dummy service IP address; and
      
      forward the response to the second DNS request with the second dummy service IP address.
  - 17. The network device of claim 16, wherein the logic is further operable to:
    - obtain data representative of an address of a DNS server associated with the second network;
      
      modify the destination address of the second DNS request, the destination address is changed to match the address of the DNS server associated with the second tunnel; and
      
      store data representative of the second DNS request, the data representative of the second DNS comprises the destination address of the second DNS request;
      
      wherein the modified second DNS request forwarded on the second tunnel contains the address of the DNS server associated with the second network as the destination address.
  - 18. The network device of claim 17, wherein the logic is further operable to:
    - match the response to the second DNS request to the stored data representative of the second DNS request;
      
      modify the source address of the response to the second DNS request, wherein the source address is modified to match the destination address of the second DNS request; and
      
      forward the modified response to the second DNS request.
  - 19. The network device of claim 16, wherein the logic is further operable to:
    - receive a first packet, the first packet having the first dummy service IP address as a destination address;
      
      replace the first dummy service IP address with the first service IP address in the response to the first DNS request;
      
      forward the first packet onto the first tunnel with the first service IP address in the response to the first DNS request as the destination address;
      
      receive a second packet, the second packet having the second dummy service IP address as a destination address;
      
      replace the second dummy service IP address with the second service IP address in the response to the second DNS request; and
      
      forward the second packet onto the second tunnel with the second service IP address in the response to the second DNS request as the destination address.
  - 20. The network device of claim 16, wherein the logic is further operable to:
    - receive a first packet from the first tunnel with a source address matching the first service IP address in the response to the first DNS request;
      
      replace the source address of the first packet with the first dummy service IP address;
      
      forward the first packet with the first dummy service IP address as the source address;
      
      receive a second packet from the second tunnel with a source address matching the second service IP address in the response to the second DNS request;
      
      replace the source address of the second packet with the second dummy service IP address; and
      
      forward the second packet with the second dummy service IP address as the source address.
  - 21. The network device of claim 16, wherein the logic is further operable to:
    - intercept a third Domain Name System (DNS) request for a sub-domain not associated with the first FQDN and not associated with a second FQDN;
      
      forward the third DNS request onto the first tunnel;
      
      receive a response to the third DNS request, the response comprising a third service IP address; and
      
      forward the response to the third DNS request with the third service IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Parla, Vincent E., Santau, Vlad, Champagne, Timothy Steven Jr., Munz, Kerry Hannigan
Primary Examiner(s)
LEE, JASON T

Application Number

US13/895,744
Publication Number

US 20140344917A1
Time in Patent Office

852 Days
Field of Search

726/15, 709/245
US Class Current

1/1
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0272   Virtual private networks

Application services based on dynamic split tunneling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Application services based on dynamic split tunneling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others