System and method of establishing trusted operability between networks in a network functions virtualization environment

US 9,749,294 B1
Filed: 09/08/2015
Issued: 08/29/2017
Est. Priority Date: 09/08/2015
Status: Active Grant

First Claim

Patent Images

1. A system for establishing a trusted end-to-end communication link between different Network Function Virtualization (NFV) networks, comprising:

a first server associated with a first NFV network, wherein the first server comprises a processor coupled to memory and is configured to;

generate and send a first trust ticket establishing the security protocol for communicating with the first NFV network, a request to engage in communication with a second server associated with a second NFV network, and trusted data from the first NFV network, wherein the first NFV network is executing in a trusted security zone that provides hardware assisted security, and wherein the second server comprises a processor coupled to memory; and

disable communication with the first NFV network after the first trust ticket, request and trusted data are sent;

a virtual machine stored on the first NFV network, wherein the virtual machine executes virtualized network functions and is executing in a trusted security zone; and

a session border controller executing in a trusted security zone, wherein the session border controller comprises a trust node and an application stored on the trust node, configured to;

receive the first trust ticket, request, and trusted data from the first server;

transmit the first trust ticket and request to a second session border controller, wherein the second session border controller transmits the request and first trust ticket to the second server associated with the second NFV network;

receive a response to the request and a second trust ticket from the second server, wherein the second trust ticket establishes the security protocol for communicating with the second NFV network, wherein the response and second trust ticket are transmitted from the second session border controller to the first session border controller, and wherein the second NFV network is executing in in a trusted security zone, that provides hardware assisted security;

compare the first and second trust tickets for compatibility; and

transmit the trusted data to the second server if the trust tickets are compatible.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for establishing a trusted end-to-end communication link between different NFV networks is disclosed. The system comprises a server operating in a trusted security zone and configured to generate and send a trust ticket, a communication request, and disable communication with the first NFV network. The system further comprises a virtual machine executing virtualized network functions and a session border controller. The session border controller is configured to receive the trust ticket, request, and trusted data from the first server; transmit the trust ticket and request to a second session border controller, wherein the trust ticket and request are transmitted to a second server associated with a second NFV network, and receive a response and second trust ticket from the second NFV network, compare the first and second trust ticket for compatibility, and transmit the trusted data if the trust tickets are compatible.

Citations

20 Claims

1. A system for establishing a trusted end-to-end communication link between different Network Function Virtualization (NFV) networks, comprising:
- a first server associated with a first NFV network, wherein the first server comprises a processor coupled to memory and is configured to;
  
  generate and send a first trust ticket establishing the security protocol for communicating with the first NFV network, a request to engage in communication with a second server associated with a second NFV network, and trusted data from the first NFV network, wherein the first NFV network is executing in a trusted security zone that provides hardware assisted security, and wherein the second server comprises a processor coupled to memory; and
  
  disable communication with the first NFV network after the first trust ticket, request and trusted data are sent;
  
  a virtual machine stored on the first NFV network, wherein the virtual machine executes virtualized network functions and is executing in a trusted security zone; and
  
  a session border controller executing in a trusted security zone, wherein the session border controller comprises a trust node and an application stored on the trust node, configured to;
  
  receive the first trust ticket, request, and trusted data from the first server;
  
  transmit the first trust ticket and request to a second session border controller, wherein the second session border controller transmits the request and first trust ticket to the second server associated with the second NFV network;
  
  receive a response to the request and a second trust ticket from the second server, wherein the second trust ticket establishes the security protocol for communicating with the second NFV network, wherein the response and second trust ticket are transmitted from the second session border controller to the first session border controller, and wherein the second NFV network is executing in in a trusted security zone, that provides hardware assisted security;
  
  compare the first and second trust tickets for compatibility; and
  
  transmit the trusted data to the second server if the trust tickets are compatible.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the first NFV network and the second NFV network comprise one of the following group:
    - a compute network, a data network, a server, or other computer system in communication with a network operating in an NFV environment.
  - 3. The system of claim 1, wherein the first session border controller, executing in a trusted security zone, transmits data to the second NFV network by way of an outbound session router.
  - 4. The system of claim 3, wherein the second session border controller, executing in a trusted security zone, transmits data to the first NFV network by way of an inbound session router.
  - 5. The system of claim 4, wherein the outbound session router and inbound session router transmit data on independent pathways.
  - 6. The system of claim 1, wherein the first and second session border controller are located on the same device.
  - 7. The system of claim 1, wherein the second server is configured to disable communication between the second session border controller and the second server after the transmission of the trusted data is complete.

8. A system for establishing a trusted end-to-end communication link between different Network Function Virtualization (NFV) networks, comprising:
- a first server associated with a first NFV network, wherein the first server comprises a processor coupled to memory and is configured to;
  
  generate and send a first trust ticket establishing the security protocol for communicating with the first NFV network, a request to engage in communication with a second server associated with a second NFV network, and trusted data from the first NFV network, wherein the first NFV network is executing in a trusted security zone that provides hardware assisted security, and wherein the second server comprises a processor coupled to memory; and
  
  disable communication with the first NFV network after the first trust ticket, request and trusted data are sent;
  
  a virtual machine stored on the first NFV network, wherein the virtual machine executes virtualized network functions and is executing in a trusted security zone; and
  
  a session border controller executing in a trusted security zone, wherein the session border controller comprises a trust node and an application stored on the trust node, configured to;
  
  receive the first trust ticket, request, and trusted data from the first server;
  
  transmit the first trust ticket and request to a second session border controller, wherein the second session border controller transmits the request and first trust ticket to the second server associated with the second NFV network;
  
  receive a response to the request and a second trust ticket from the second server, wherein the second trust ticket establishes the security protocol for communicating with the second NFV network, wherein the response and second trust ticket are transmitted from the second session border controller to the first session border controller, and wherein the second NFV network is executing in a trusted security zone that provides hardware assisted security;
  
  compare the first and second trust tickets for compatibility; and
  
  transmit, in response to a determination that the first and second trust tickets are incompatible, a message to the first server refusing to transmit the trusted data.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the first NFV network and the second NFV network comprise one of the following group:
    - a compute network, a data network, a server, or other computer system in communication with a network operating in an NFV environment.
  - 10. The system of claim 8, wherein the first session border controller, executing in a trusted security zone, transmits data to the second NFV network by way of an outbound session router.
  - 11. The system of claim 10, wherein the second session border controller, executing in a trusted security zone, transmits data to the first NFV network by way of an inbound session router.
  - 12. The system of claim 11, wherein the outbound session router and inbound session router transmit data on independent pathways.
  - 13. The system of claim 8, wherein the first and second session border controller are located on the same device.
  - 14. The system of claim 8, wherein the first session border controller is configured to disable communication with the second session border controller and the second server after refusing transmission of the trusted data.
  - 15. The system of claim 8, wherein the first NFV network provides core network services to a radio access network (RAN) that provides communication service to user equipment (UE), where the RAN supports at least one of an orthogonal frequency division multiple access, a code division multiple access (CDMA), a global system for mobile communication, and a worldwide interoperability for microwave access wireless communication protocol.

16. A method of establishing a trusted end-to-end communication link between different Network Function Virtualization (NFV) networks, comprising:
- receiving, by a first session border controller, from a first server associated with a first NFV network, a first ticket of trust establishing the security protocol for communicating with the first NFV network, a request to engage in communication with a second server, the second server associated with a second NFV network, and trusted data from the first NFV network, wherein the first NFV network is executing in a trusted security zone that provides hardware assisted security;
  
  disabling communication between the first session border controller and the first server after the first trust ticket, request, and trusted data have been sent;
  
  transmitting, by the first session border controller executing in a trusted security zone, the first trust ticket and request through an outbound session router to a second session border controller;
  
  transmitting, by the second session border controller executing in a trusted security zone, the first trust ticket and request to the second server;
  
  generating, by the second server, a second trust ticket establishing the security protocol for communicating with the second NFV network, and a response to the request for communication from the first server, wherein the second NFV network is executing in a trusted security zone that provides hardware assisted security;
  
  transmitting, by the second server to the second session border controller executing in a trusted security zone, the second trust ticket and response;
  
  transmitting, by the second session border controller through an inbound session router, the second trust ticket and response to the first session border controller;
  
  comparing, by the first session border controller, the first and second trust tickets for compatibility; and
  
  transmitting, by the first session border controller executing in a trusted security zone, the trusted data to the second server associated with the second NFV network through the outbound session router.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the second server disables communication between the second session border controller and the second server after transmission of the trusted data is complete.
  - 18. The method of claim 16, wherein the first session border controller is configured to send a message to the first server that the first and second trust tickets are incompatible.
  - 19. The method of claim 16, wherein the first session border controller refuses to transmit the trusted data where the first and second trust tickets are incompatible.
  - 20. The method of claim 19, wherein the first session border controller is further configured to send a message to the first server that no trusted data was transmitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Marquardt, Ronald R., Paczkowski, Lyle W., Rajagopal, Arun
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen

Application Number

US14/847,992
Time in Patent Office

721 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/1001   for accessing one among a p...

H04L 67/60   Scheduling or organising th...

System and method of establishing trusted operability between networks in a network functions virtualization environment

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of establishing trusted operability between networks in a network functions virtualization environment

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links