Multi-tunnel virtual private network

US 9,300,570 B2
Filed: 05/22/2012
Issued: 03/29/2016
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method for controlling Quality-of-Service (“

QoS”

) in a Virtual Private Network (“

VPN”

) in a transport network providing a plurality of QoS bearers, the method comprising;

establishing, between a first VPN endpoint and a second VPN endpoint, a plurality of VPN tunnels through said transport network, said plurality of VPN tunnels including at least a default VPN tunnel associated with a first QoS bearer and an alternate VPN tunnel associated with a second QoS bearer;

establishing at the first and second VPN endpoints a VPN policy which specifies at least two different QoS levels to be applied to transport packets in accordance with at least one characteristic of the application data contained therein, the VPN policy specified independently of a transport network policy established for the transport network which also specifies at least two different QoS levels to be applied to transport packets; and

performing the following steps at said first VPN endpoint;

receiving a first data block of a plurality of data blocks specifying application messages generated by at least two software applications, each said data block comprising application data;

analyzing said first data block to determine at least one said characteristic of the application data contained therein;

applying the VPN policy to said first data block whereby said default VPN tunnel or said alternate VPN tunnel is assigned to the first data block based on the characteristic of the application data in accordance with the VPN policy;

selectively assigning a VPN tunnel indicator to the first data block that defines a QoS in the transport network which is different from the QoS which would be assigned to a transport packet including the first data block by the transport network in the presence of encryption;

encrypting said first data block to generate a VPN payload;

encapsulating said VPN payload with a transport packet header to form a transport packet, said transport packet header including the VPN tunnel indicator which specifies which one of the default VPN tunnel and the alternate VPN tunnel was previously assigned to the first data block; and

communicating said transport packet to the transport network where a QoS policy is applied to assign the transport packet to the first QoS bearer or the second QoS bearer based on the VPN tunnel indicator contained in the transport packet header;

wherein the transport packet is communicated across the transport network using one of the first or second QoS bearers as determined in accordance with the VPN policy, independently of the transport network policy for the application data having said characteristic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for controlling Quality-of-Service (“QoS”) in a Virtual Private Network (“VPN”) in a transport network providing a plurality of QoS bearers. The methods involve: establishing, between two VPN endpoints, a plurality of VPN tunnels through the transport network, including at least a default VPN tunnel associated with a first QoS bearer and an alternate VPN tunnel associated with a second QoS bearer; receiving and analyzing a data block; applying a VPN policy to assign the data block to either default VPN tunnel or alternate VPN tunnel; and encapsulating the data block in a transport data block including at least one indicator. The indicator specifies whether the transport data block is to be communicated by the transport network using the first QoS bearer or second QoS bearer.

Citations

18 Claims

1. A method for controlling Quality-of-Service (“
- QoS”
  
  ) in a Virtual Private Network (“
  
  VPN”
  
  ) in a transport network providing a plurality of QoS bearers, the method comprising;
  
  establishing, between a first VPN endpoint and a second VPN endpoint, a plurality of VPN tunnels through said transport network, said plurality of VPN tunnels including at least a default VPN tunnel associated with a first QoS bearer and an alternate VPN tunnel associated with a second QoS bearer;
  
  establishing at the first and second VPN endpoints a VPN policy which specifies at least two different QoS levels to be applied to transport packets in accordance with at least one characteristic of the application data contained therein, the VPN policy specified independently of a transport network policy established for the transport network which also specifies at least two different QoS levels to be applied to transport packets; and
  
  performing the following steps at said first VPN endpoint;
  
  receiving a first data block of a plurality of data blocks specifying application messages generated by at least two software applications, each said data block comprising application data;
  
  analyzing said first data block to determine at least one said characteristic of the application data contained therein;
  
  applying the VPN policy to said first data block whereby said default VPN tunnel or said alternate VPN tunnel is assigned to the first data block based on the characteristic of the application data in accordance with the VPN policy;
  
  selectively assigning a VPN tunnel indicator to the first data block that defines a QoS in the transport network which is different from the QoS which would be assigned to a transport packet including the first data block by the transport network in the presence of encryption;
  
  encrypting said first data block to generate a VPN payload;
  
  encapsulating said VPN payload with a transport packet header to form a transport packet, said transport packet header including the VPN tunnel indicator which specifies which one of the default VPN tunnel and the alternate VPN tunnel was previously assigned to the first data block; and
  
  communicating said transport packet to the transport network where a QoS policy is applied to assign the transport packet to the first QoS bearer or the second QoS bearer based on the VPN tunnel indicator contained in the transport packet header;
  
  wherein the transport packet is communicated across the transport network using one of the first or second QoS bearers as determined in accordance with the VPN policy, independently of the transport network policy for the application data having said characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the first data block is encrypted using a cryptographic key and a cryptographic protocol.
  - 3. The method according to claim 1, wherein said at least one characteristic of said first data block comprises an application identifier, an application type, or an application protocol.
  - 4. The method according to claim 1, wherein said VPN tunnel indicator comprises a port number.
  - 5. The method according to claim 1, wherein said first VPN endpoint is implemented as a VPN client in a remote host computing device and said application data is received from a software application executing in said remote host computing device.
  - 6. The method according to claim 1, wherein said first VPN endpoint is implemented as a VPN server, said second VPN endpoint is implemented as a VPN client, and said application data is received from an application server in communication with said VPN server via a private computer network.
  - 7. The method according to claim 6, further comprising:
    - selecting said VPN policy from a plurality of VPN policies based on a destination address associated with said VPN client.
  - 8. The method according to claim 1, whereinsaid first VPN endpoint is implemented as a VPN server,said second VPN endpoint is implemented as a VPN client, andsaid VPN policy is configured at said transport network and provided to a VPN client via said transport network and said VPN server.
  - 9. The method according to claim 1, further comprising communicating over said default VPN tunnel and said alternate VPN tunnel using a Transport Layer Security (“
    - TLS”
      
      ) protocol provided at layer 4 of a TCP/IP protocol stack.
  - 10. The method according to claim 1, further comprising:
    - performing the following steps at said first VPN endpoint;
      
      receiving a transport data block from said second VPN endpoint, said transport data block comprising a VPN payload and at least one indicator specifying one of said default VPN tunnel and said alternate VPN tunnel;
      
      analyzing said transport data block to determine said indicator;
      
      selecting at least one of a cryptographic key and a cryptographic protocol based on said indicator; and
      
      decrypting said VPN payload using a cryptographic key and a cryptographic protocol in accordance with said selecting.

11. A system for controlling Quality-of-Service (“
- QoS”
  
  ) in a Virtual Private Network (“
  
  VPN”
  
  ) in a transport network providing a plurality of QoS bearers, the system comprising;
  
  at least one electronic circuit configured to;
  
  establish, between a first VPN endpoint and a second VPN endpoint, a plurality of VPN tunnels through said transport network, said plurality of VPN tunnels including at least a default VPN tunnel associated with a first QoS bearer and an alternate VPN tunnel associated with a second QoS bearer;
  
  access a VPN policy which specifies at least two different QoS levels to be applied to transport packets in accordance with at least one characteristic of the application data contained therein, the VPN policy specified independently of a transport network policy established for the transport network which also specifies at least two different QoS levels to be applied to transport packets;
  
  receive a first data block of a plurality of data blocks specifying application messages generated by at least two software applications, each said data block comprising application data;
  
  analyze said first data block to determine at least one said characteristic of the application data contained therein;
  
  apply the VPN policy to said first data block whereby said default VPN tunnel or said alternate VPN tunnel is assigned to the first data block based on the characteristic of the application data in accordance with the VPN policy;
  
  selectively assign a VPN tunnel indicator to the first data block that defines a QoS in the transport network which is different from the QoS which would be assigned to a transport packet including the first data block by the transport network in the presence of encryption;
  
  encrypting said first data block to generate a VPN payload;
  
  encapsulate said VPN payload with a transport packet header to form a transport packet, said transport packet header including at least one VPN tunnel indicator which specifies which one of the default VPN tunnel and the alternate tunnel was previously assigned to the first data block; and
  
  communicate said transport packet to the transport network where a QoS policy is applied to assign the transport packet to the first QoS bearer or the second QoS bearer based on the VPN tunnel indicator contained in the transport packet header;
  
  wherein the transport packet is communicated across the transport network using one of the first or second QoS bearer as determined in accordance with the VPN policy, independently of the transport network policy for said application data having said characteristic.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system according to claim 11, wherein said at least one electronic circuit further encrypts said first data block using a cryptographic key and a cryptographic protocol prior to said encapsulation.
  - 13. The system according to claim 11, wherein said at least one characteristic of said first data block comprises an application identifier, an application type, or an application protocol.
  - 14. The system according to claim 11, wherein said VPN tunnel indicator comprises a port number.
  - 15. The system according to claim 11, wherein said first VPN endpoint comprises a VPN client in a remote host computing device that includes said at least one electronic circuit, and said application data is received from a software application executing in said remote host computing device.
  - 16. The system according to claim 11, wherein said first VPN endpoint comprises a VPN server that includes said at least one electronic circuit, said second VPN endpoint comprises a VPN client, and said application data is received from an application server in communication with said VPN server via a private computer network.
  - 17. The system according to claim 16, wherein said at least one characteristic comprises a destination address associated with said VPN client, and said at least one electronic circuit further selects said VPN policy based on said destination address.
  - 18. The system according to claim 11, wherein said at least one electronic circuit is further configured to:
    - receive a transport data block from said second VPN endpoint, said transport data block comprising a VPN payload and at least one indicator specifying one of said default VPN tunnel and said alternate VPN tunnel;
      
      analyze said transport data block to determine said indicator;
      
      select at least one of a cryptographic key and a cryptographic protocol based on said indicator; and
      
      decrypt said VPN payload using a cryptographic key and a cryptographic protocol in accordance with said selection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
L3Harris Technologies, Inc.
Original Assignee
Harris Corporation (L3Harris Technologies, Inc.)
Inventors
Hengeveld, Thomas A.
Primary Examiner(s)
Poltorak, Peter

Application Number

US13/477,185
Publication Number

US 20130318345A1
Time in Patent Office

1,407 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 45/22   Alternate routing

H04L 45/302   Route determination based o...

H04L 47/24   Traffic characterised by sp...

Multi-tunnel virtual private network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tunnel virtual private network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links