Tunnel interface for securing traffic over a network

US 9,391,964 B2
Filed: 01/27/2016
Issued: 07/12/2016
Est. Priority Date: 09/13/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

instantiating, within each of a plurality of service processing switches of a service provider, a plurality of virtual routers (VRs), wherein each VR of the plurality of VRs is supported by an object group and each object of the object group supports a network service;

assigning one or more VRs of the plurality of VRs to a subscriber of a plurality of subscribers of the service provider;

receiving, by a service management system (SMS) of the service provider, a request to establish an Internet Protocol (IP) connection between a first location of the subscriber and a second location of the subscriber; and

establishing a tunnel between a first service processing switch of the plurality of service processing switches and a second service processing switch of the plurality of service processing switches coupled in communication with the first service processing switch through a public network, including;

binding an encryption configuration decision associated with the request with a routing configuration of a first packet routing node of the first service processing switch, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network; and

binding the encryption configuration decision with a routing configuration of a second packet routing node of the second service processing switch, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second location of a first subscriber of the managed security service provider. Responsive to the request, the SMS causes a tunnel to be established between a first and second service processing switch of the service provider which are coupled in communication via a public network and associated with the first location and the second location, respectively.

291 Citations

14 Claims

1. A method comprising:
- instantiating, within each of a plurality of service processing switches of a service provider, a plurality of virtual routers (VRs), wherein each VR of the plurality of VRs is supported by an object group and each object of the object group supports a network service;
  
  assigning one or more VRs of the plurality of VRs to a subscriber of a plurality of subscribers of the service provider;
  
  receiving, by a service management system (SMS) of the service provider, a request to establish an Internet Protocol (IP) connection between a first location of the subscriber and a second location of the subscriber; and
  
  establishing a tunnel between a first service processing switch of the plurality of service processing switches and a second service processing switch of the plurality of service processing switches coupled in communication with the first service processing switch through a public network, including;
  
  binding an encryption configuration decision associated with the request with a routing configuration of a first packet routing node of the first service processing switch, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network; and
  
  binding the encryption configuration decision with a routing configuration of a second packet routing node of the second service processing switch, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the object group includes a routing object, a packet filtering object, a firewall object and a network address translation (NAT) object.
  - 3. The method of claim 1, wherein each VR of the plurality of VRs comprises a separate instantiation.
  - 4. The method of claim 1, wherein the SMS is operable to perform services including one or more of:
    - configuration of hardware of the service processing switch, definition of subscribers, determination of network services and generation of Internet Protocol security (IPSec) public/private key pairs.
  - 5. The method of claim 1, further comprising providing customized network services to the subscriber by the one or more VRs assigned to the subscriber, wherein the customized network services can be enabled or disabled on a subscriber-by-subscriber basis by adding one or more objects to or omitting the one or more objects from the object group.
  - 6. The method of claim 1, further comprising:
    - assigning a unique processor identifier (PEID) to each of a plurality of processors of the service processing switch;
      
      assigning a logical queue identifier (LQID) to each object of an object group of a VR of the plurality of VRs;
      
      receiving, by the service processing switch, a packet that includes a PEID value and an LQID value;
      
      directing the received packet to a processor of the plurality of processors to which the PEID value has been assigned; and
      
      further directing the received packet within the processor to an object of the object group to which the LQID value has been assigned.
  - 7. The method of claim 1, wherein the tunnel is formed using a first virtual encrypting router running in the first service processing switch coupled to a first virtual decrypting router running in the second service processing switch and a second virtual encrypting router running in the second service processing switch coupled to a second virtual decrypting router running in the first service processing switch.

8. A system operable by a service provider, the system comprising:
- a service management system (SMS) configured to operate within a service provider network;
  
  a plurality of virtual routers (VRs) instantiated within a plurality of service processing switches within the service provider network, wherein each VR of the plurality of VRs is supported by an object group and each object of the object group supports a network service;
  
  wherein the SMS is further configured to;
  
  assign one or more of the plurality of VRs to a subscriber of a plurality of subscribers of the service provider;
  
  receive a request to establish an Internet Protocol (IP) connection between a first location of the subscriber and a second location of the subscriber;
  
  establish a tunnel between a first service processing switch of the plurality of service processing switches and a second service processing switch of the plurality of service processing switches coupled in communication with the first service processing switch through a public network;
  
  bind an encryption configuration decision associated with the request with a routing configuration of a first packet routing node of the first service processing switch, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network; and
  
  bind the encryption configuration decision with a routing configuration of a second packet routing node of the second service processing switch, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the object group includes a routing object, a packet filtering object, a firewall object and a network address translation (NAT) object.
  - 10. The system of claim 8, wherein each VR of the plurality of VRs comprises a separate instantiation.
  - 11. The system of claim 8, wherein the SMS further provides one or more of:
    - configuration of hardware, defining subscribers, determining services, and generation of IP security (IPSec) public/private key pairs.
  - 12. The system of claim 8, wherein the SMS further provides customized network services to a subscriber of the service provider network, wherein the customized network services can be enabled or disabled on a subscriber-by-subscriber basis by adding one or more objects to or omitting the one or more objects from the object group.
  - 13. The system of claim 8, wherein the SMS is further configured to:
    - assign a unique processor identifier (PEID) to each of a plurality of processors within the plurality of service processing switches;
      
      assign a logical queue identifier (LQID) to each object of an object group of a VR of the plurality of VRs;
      
      direct the received packet to a processor of the plurality of processors to which the PEID value has been assigned; and
      
      further direct the received packet within the processor to an object of the object group to which the LQID value has been assigned.
  - 14. The system of claim 8, wherein the first packet routing node comprises a first virtual encrypting router and a first virtual decrypting router running in the first service processing switch, wherein the second packet routing node comprises a second virtual encrypting router and a second virtual decrypting router running in the second service processing switch and wherein the first virtual encrypting router is coupled to the first virtual decrypting router and the second virtual encrypting router is coupled to the second virtual decrypting router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Sun, Chih-Tiang, Yum, Kiho, Matthews, Abraham R.
Primary Examiner(s)
LE, CHAU D

Application Number

US15/008,270
Publication Number

US 20160142384A1
Time in Patent Office

167 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/08   Configuration management of...

H04L 41/0895   Configuration of virtualise...

H04L 45/14   Routing performance; Theore...

H04L 61/256   NAT traversal

H04L 61/2592   using tunnelling or encapsu...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

Tunnel interface for securing traffic over a network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

291 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Tunnel interface for securing traffic over a network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

291 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others