Virtual private network crossovers based on certificates

US 20040088542A1
Filed: 11/06/2002
Published: 05/06/2004
Est. Priority Date: 11/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for permitting a first device on a Virtual Private Network (VPN) to communicate with a second device outside the VPN, comprising:

authenticating, at an interconnection device, the first device;

authenticating, at the interconnection device, VPN parameters related to connecting and forwarding characteristics of the VPN with which the first device is associated; and

forwarding data from the first device to the second device via the VPN and the interconnection device, said forwarding operation based on the VPN parameters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for enabling interconnection of VPNs is disclosed. An interconnection device manages an interconnection process at one or more facilities including, for example, a gateway device. The gateway device has information relating to a plurality of VPNs, and may facilitate interconnection between devices on at least two of the VPNs by determining that one device is in fact a member of a first one of the VPNs, and by forwarding connection parameters of the first VPN to the second VPN on an as-needed basis. In this way, the gateway allows interconnection without the need for a completely centralized decision-making process, and does so independently of the type of device and/or VPN(s) being used. Moreover, the gateway may implement only those VPN parameters needed by both VPNs to communicate with one another with a desired level of security, thereby simplifying the routing and forwarding processes associated with the actual communication occurring via the interconnection. The information related to the plurality of VPNs and their respective member devices may be stored in a mapping table at the gateway, and identification parameters of a device seeking interconnection and/or associated VPN parameters may be verified by the use of digital certificates.

298 Citations

47 Claims

1. A method for permitting a first device on a Virtual Private Network (VPN) to communicate with a second device outside the VPN, comprising:
- authenticating, at an interconnection device, the first device;
  
  authenticating, at the interconnection device, VPN parameters related to connecting and forwarding characteristics of the VPN with which the first device is associated; and
  
  forwarding data from the first device to the second device via the VPN and the interconnection device, said forwarding operation based on the VPN parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the second device is a member of a second VPN.
  - 3. The method of claim 2, further comprising:
    - authenticating, at the interconnection device, the second device;
      
      authenticating, at the interconnection device, a second set of VPN parameters related to connecting and forwarding characteristics of the second VPN with which the second device is associated; and
      
      forwarding data from the first device to the second device via the first VPN, the interconnection device and the second VPN.
  - 4. The method of claim 3, further comprising:
    - selecting parameters from amongst the first and second sets of VPN parameters which provide the most secure transmission of data from the first device to the second device.
  - 5. The method of claim 4, further comprising:
    - sharing a virtual router between the first VPN and the second VPN; and
      
      building a router table common to the first VPN and the second VPN at the virtual router.
  - 6. The method of claim 1, wherein said authenticating of said first device further comprises:
    - establishing an identity of the first device based on an Internet Protocol (IP) address of the first device.
  - 7. The method of claim 1, wherein said authenticating of said first device further comprises:
    - establishing an identity of the first device based on information provided by a user of the first device.
  - 8. The method of claim 1, further comprising:
    - reading at least a portion of the VPN parameters from a mapping table stored on the interconnection device which contains information related to VPNs associated with the interconnection device.
  - 9. The method of claim 8, wherein the mapping table is read-only with respect to an administrator of the interconnection device.
  - 10. The method of claim 1, further comprising:
    - updating a mapping table stored on the interconnection device and containing information related to VPNs associated with the interconnection device, based on authentication information obtained during said operation of authenticating VPN parameters.
  - 11. The method of claim 1, wherein the VPN parameters include an identification of a virtual router within the interconnection device used to route the data.
  - 12. The method of claim 8, wherein said authenticating of said first device further comprises:
    - requesting a digital certificate from a certification authority based on identification information related to the first device and received therefrom; and
      
      establishing a security association between the first device and the interconnection device.
  - 13. The method of claim 12, wherein the digital certificate includes VPN parameters defined by a customer of a VPN service provider.
  - 14. The method of claim 12, wherein the digital certificate is associated with the first device.
  - 15. The method of claim 12, wherein the digital certificate is associated with the VPN.
  - 16. The method of claim 1, wherein VPN parameters are preloaded at the interconnection device by an administrator of the interconnection device.
  - 17. The method of claim 1, wherein VPN parameters are dynamically loaded at the interconnection device based on a digital certificate associated with the first device or the VPN.
  - 18. The method of claim 1, wherein VPN parameters include packet filtering rules for determining a forwarding status of the data.
  - 19. The method of claim 1, wherein said operation of forwarding data further comprises:
    - forwarding the data to a proxy server, the proxy server operable to determine a forwarding status of packets associated with the data; and
      
      forwarding a copy of the data from the first device to the second device when permitted by the proxy server.

20. A method for forwarding communications from a first device on a Virtual Private Network (VPN) to a second device via an interconnection device, the method comprising:
- receiving identification information from the first device at a filtering and forwarding engine within the interconnection device;
  
  forwarding the identification information to a control subsystem within the interconnection device;
  
  authenticating the first device as a member of the VPN including/verifying, at the control subsystem, VPN parameters associated with the VPN;
  
  providing the VPN parameters to the filtering and forwarding engine; and
  
  forwarding the communications from the first device to the second device via the filtering and forwarding engine and in accordance with the VPN parameters.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The method of claim 20, wherein said identification information further comprises an Internet Protocol (IP) address of the first device.
  - 22. The method of claim 20, wherein said identification information further comprises user authentication information entered by a user of the first device.
  - 23. The method of claim 20, further comprising:
    - updating the VPN parameters within a mapping table containing VPN parameter categories for each VPN associated with the interconnection device.
  - 24. The method of claim 23, wherein said forwarding further comprises:
    - sending a request from the filtering and forwarding engine to the control subsystem for a digital certificate;
      
      obtaining the digital certificate from an external certification authority; and
      
      extracting at least a subset of the VPN parameters from the digital certificate.
  - 25. The method of claim 24, wherein the digital certificate includes VPN parameters defined by a customer leasing the VPN from a carrier.
  - 26. The method of claim 24, further comprising:
    - establishing a security association between the first device and the interconnection device.
  - 27. The method of claim 20, wherein the second device is the interconnection device.
  - 28. The method of claim 20, wherein the VPN parameters include routing and filtering rules associated with the VPN.
  - 29. The method of claim 20, wherein the VPN parameters include an identification of a virtual router within the interconnection device used to route the data.

30. An interconnection device for allowing communications between a first device on a Virtual Private Network (VPN) and a second device not on the VPN, the interconnection device comprising:
- a mapping table containing VPN information describing operations of the VPN;
  
  a filtering and forwarding engine operable to receive identification information related to the first device; and
  
  a control subsystem operable to authenticate the first device based on the identification information, the control subsystem further operable to authenticate VPN information related to the first device and to modify the VPN information within the mapping table such that the filtering and forwarding engine transmits the communications from the first device to the second device in accordance therewith.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 31. The interconnection device of claim 30, wherein the second device is a member of a second VPN, and further wherein the control subsystem is operable to authenticate the second device as a member of the second VPN, authenticate a second set of VPN information describing operations of the second VPN, and modify the second set of VPN information within the mapping table such that the filtering and forwarding engine transmits the communications from the first device to the second device in accordance therewith.
  - 32. The interconnection device of claim 31, further comprising:
    - a virtual router operable to route the communications between the first device on the first VPN and the second device on the second VPN; and
      
      a router table stored on the virtual router that is common to the first VPN and the second VPN.
  - 33. The interconnection device of claim 30, wherein the mapping table is read-only with respect to an administrator of the interconnection device.
  - 34. The interconnection device of claim 30, further comprising:
    - a virtual router within the interconnection device connected to the filtering and forwarding engine and operable to route the communications.
  - 35. The interconnection device of claim 30, wherein said control subsystem sends a request to a certification authority for a digital certificate, based on the identification information, and thereafter establishes a security association between the first device and the interconnection device.
  - 36. The interconnection device of claim 30, wherein VPN parameters are preloaded in the mapping table by an administrator of the interconnection device.
  - 37. The interconnection device of claim 30, wherein VPN parameters are dynamically loaded at the interconnection device based on a digital certificate associated with the first device or the VPN.
  - 38. The interconnection device of claim 30, wherein the filtering and forwarding engine implements packet filtering rules for determining a forwarding status of the data, based on the VPN information.
  - 39. The interconnection device of claim 30, wherein the filtering and forwarding engine is further operable to forward the communications to a proxy server, the proxy server operable to determine a forwarding status of packets associated with the communications, the filtering and forwarding engine further operable to forward a copy of the data from the first device to the second device when permitted by the proxy server.

40. An article of manufacture, which comprises a computer readable medium having stored therein a computer program carrying out a method for connecting a first device on a Virtual Private Network (VPN) to a second device not on the VPN, the computer program comprising:
- a first code segment for receiving an authentication request from the first device;
  
  a second code segment for authenticating the first device as a member of the VPN, in response to the authentication request;
  
  a third code segment for authenticating parameters associated with intra-VPN data traffic including routing and forwarding parameters; and
  
  a fourth code segment for implementing the routing and forwarding parameters with respect to communications between the first device and the second device.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The article of manufacture of claim 40, wherein said fourth code segment further comprises:
    - a fifth code segment for updating the routing and forwarding parameters within a mapping table implemented by a sixth code segment.
  - 42. The article of manufacture of claim 40, wherein said second code segment further comprises:
    - a fifth code segment for obtaining a digital certificate from an external certification authority; and
      
      a sixth code segment for extracting at least a subset of the routing and forwarding parameters from the digital certificate.
  - 43. The article of manufacture of claim 40, further comprising:
    - a fifth code segment for routing communications based on the routing and forwarding parameters.
  - 44. The article of manufacture of claim 40, wherein the second device is on a second VPN.

45. A system for cross-connecting a first device on a first Virtual Private Network (VPN) to a second device on a second VPN, the system comprising:
- an identification subsystem operable to identify the first device and the second device and output identification information accordingly;
  
  an authentication subsystem operable to receive the identification information and authenticate the first device and the second device as members of the first VPN and the second VPN, respectively, based thereon, and to output authentication information accordingly, the authentication information including a first set of rules governing data transmission over the first VPN and a second set of rules governing transmission over the second VPN;
  
  a matching subsystem operable to receive the authentication information and match the first set of rules to the second set of rules such that secure transmission occurs between the first and second devices via the first and second VPNs.

46. A method for connecting a first device on a first Virtual Private Network (VPN) to a second device on a second VPN, the method comprising:
- receiving, at an interconnection device, a first certificate identifying properties of the first device and the first VPN, and a second certificate identifying properties of the second device and the second VPN;
  
  comparing the first and second certificates at the interconnection device, the interconnection device storing information related to a predetermined number of VPNs of which the first and second VPNs are a subset; and
  
  allowing interconnection of the first and second devices based on the comparing operation.

47. A system for connecting a first device on a Virtual Private Network (VPN) to a second device not on the VPN, the system comprising:
- means for authenticating the first device as a member of the VPN;
  
  means for authenticating VPN parameters associated with the first VPN; and
  
  means for transmitting communications between the first device and the second device, based on the VPN parameters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Daude, Olivier, Le Pennec, Jean-Francois, Fieschi, Jacques, Galand, Claude, Hericourt, Olivier

Granted Patent

US 7,574,738 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0236   Filtering by address, proto...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Virtual private network crossovers based on certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

298 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual private network crossovers based on certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

298 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links