Domain isolation through virtual network machines

US 7,281,039 B1
Filed: 06/12/2003
Issued: 10/09/2007
Est. Priority Date: 12/24/1998
Status: Expired due to Term

First Claim

Patent Images

1. A network comprising:

a set or one or more networks;

a set of one or more end stations communicating layer 2 packets with the set of networks, anda single network device coupled between the set of networks and the set of end stations, the single network device having,a first virtual bridge switching certain of said layer 2 packets for a first set of subscribers in accordance with a first network database of a first virtual network,the first database having addressing and policy information of the first virtual network, wherein the first virtual network comprises a first virtual circuit that couples the first virtual bridge to the first virtual network and the first virtual bridge runs protocols that authenticate the first set of subscribers, authorizes access to selected ones of the set of end stations for the first set of subscribers, and records the network activity on the first virtual bridge by the first set of subscribers; and

a second virtual bridge, which is isolated from the first virtual bridge, switching certain layer 2 packets for a second set of subscribers in accordance with a second network database,the second network database having addressing and policy information for a second virtual network, wherein the second virtual network comprises a second virtual circuit that couples the second virtual bridge to the second virtual network and the second virtual bridge runs protocols that authenticate the second set of subscribers, authorizes access to other selected ones of the set of end stations for the second set of subscribers, and records the network activity on the second virtual bridge by the second set of subscribers, and wherein the second network database is separate from the first network database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method in which Internet Protocol (IP) packets are routed within a first Internet Service Provider'"'"'s (ISP'"'"'s) domain from a single network device with a first database. The first database includes addresses of the first ISP. IP packets are also routed within a second ISP'"'"'s domain from the single network device with a second database. The second database, which is separate from the first database, includes addresses of the second ISP.

79 Citations

View as Search Results

27 Claims

1. A network comprising:
- a set or one or more networks;
  
  a set of one or more end stations communicating layer 2 packets with the set of networks, anda single network device coupled between the set of networks and the set of end stations, the single network device having,a first virtual bridge switching certain of said layer 2 packets for a first set of subscribers in accordance with a first network database of a first virtual network,the first database having addressing and policy information of the first virtual network, wherein the first virtual network comprises a first virtual circuit that couples the first virtual bridge to the first virtual network and the first virtual bridge runs protocols that authenticate the first set of subscribers, authorizes access to selected ones of the set of end stations for the first set of subscribers, and records the network activity on the first virtual bridge by the first set of subscribers; and
  
  a second virtual bridge, which is isolated from the first virtual bridge, switching certain layer 2 packets for a second set of subscribers in accordance with a second network database,the second network database having addressing and policy information for a second virtual network, wherein the second virtual network comprises a second virtual circuit that couples the second virtual bridge to the second virtual network and the second virtual bridge runs protocols that authenticate the second set of subscribers, authorizes access to other selected ones of the set of end stations for the second set of subscribers, and records the network activity on the second virtual bridge by the second set of subscribers, and wherein the second network database is separate from the first network database.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The network of claim 1 wherein the first virtual network is administered by a corporation.
  - 3. The network of claim 1 wherein the first virtual network is administered by an Internet Service Provider.
  - 4. The network of claim 1 wherein the first virtual network provides a first service and the second virtual network provides it second service.
  - 5. The network of claim 1 wherein the protocols is a Remote Authentication Dial-In User Service protocol.

6. A network comprising:
- a set or one or more networks;
  
  a set of one or more end stations communicating layer 2 packets with the set of networks, anda single network device coupled between the set of networks and the set of end stations, the single network device having,a first virtual bridge switching certain of said layer 2 packets for a first set of subscribers in accordance with a first network database of a first virtual network, the first database having addressing and policy information of the first virtual network, whereinthe first virtual network comprises virtual circuits that couple the first virtual bridge to selected ones of the set of end stations and each of the selected ones of the set of end stations provides a service for the first set of subscribers; and
  
  a second virtual bridge, which is isolated from the first virtual bridge, switching certain layer 2 packets for a second set of subscribers in accordance with a second network database,the second network database having addressing and policy information for a second virtual network and is separate from the first network database, wherein the second virtual network comprises virtual circuits that couple the second virtual bridge to selected other ones of the set of end stations and each of the selected other ones of the set of end stations provides a service for the second set of subscribers.
- View Dependent Claims (7, 8)
- - 7. The network of claim 6 wherein the first virtual network is administered by a corporation.
  - 8. The network of claim 6 wherein the first virtual network is administered by an Internet Service Provider.

9. A network comprising:
- a set or one or more networks;
  
  a set of one or more end stations communicating layer 2 packets with the set of networks, anda single network device coupled between the set of networks and the set of end stations, the single network device having,a first virtual bridge switching certain of said layer 2 packets for a first set of subscribers in accordance with a first network database of a first virtual network, the first network database having addressing and policy information of the first virtual network that defines a first virtual private network layered on top of the first virtual network, wherein the first virtual network comprises virtual circuits that couple the first virtual bridge to selected ones of the set of end stations; and
  
  a second virtual bridge, which is isolated from the first virtual bridge, switching certain layer 2 packets for a second set of subscribers in accordance with a second network database, the second network database having addressing and policy information for a second virtual network that defines a second virtual private network layered on top of the second virtual network, wherein the second virtual network comprises virtual circuits that couple the second virtual bridge to selected other ones of the set of end stations and the second virtual private network is separate from the first virtual private network, and wherein the second network database is separate from the first network database.
- View Dependent Claims (10, 11, 12)
- - 10. The network of claim 9 wherein the first virtual network is administered by a corporation.
  - 11. The network of claim 9 wherein the first virtual network is administered by an Internet Service Provider.
  - 12. The network of claim 9 wherein the first virtual network provides a first service and the second virtual network provides it second service.

13. A network comprising:
- a set or one or more networks;
  
  a set of one or more end stations communicating layer 2 packets with the set of networks, anda single network device coupled between the set of networks and the set of end stations, the single network device having,a first virtual bridge switching certain of said layer 2 packets for a first set of subscribers in accordance with a first network database of a first virtual network, the first database having addressing and policy information of the first virtual network that defines a first virtual private network layered on top of the first virtual network, whereinthe first virtual network comprises virtual circuits that couple the first virtual bridge to selected ones of the set of end stations, andthe first virtual bridge runs protocols that authenticate the first set of subscribers, authorizes access to selected ones of the set of end stations for the first set of subscribers, and records the network activity on the first virtual bridge by the first set of subscribers; and
  
  a second virtual bridge, which is isolated from the first virtual bridge, switching certain layer 2 packets for a second set of subscribers in accordance with a second network database, the second network database having addressing and policy information for a second virtual network that defines a second virtual private network layered on top of the second virtual network and the second network database is separate from the first network database, whereinthe second virtual network comprises virtual circuits that couple the second virtual bridge to selected other ones of the set of end stations and the second virtual private network is separate from the first virtual private network, andthe second virtual bridge runs protocols that authenticate the second set of subscribers, authorizes access to other selected ones of the set of end stations for the second set of subscribers, and records the network activity on the second virtual bridge by the second set of subscribers.

14. A method of creating links between multiple subscriber end stations and multiple network domains comprising:
- providing a network device including an electronic memory encoded with multiple respective virtual routers, each of said respective virtual routers include a respective separate corresponding network database which includes respective control information to forward data within a respective network domain, said each of respective virtual routers respectively each including at least one respective network interface for the respective network domain;
  
  providing respective subscriber records in an electronic memory that include respective information as to network domains to which respective subscriber end stations of respective subscribers can access;
  
  searching respective subscriber records to identify respective network domains that may be accessed by a respective subscriber end station of a respective subscriber; and
  
  binding respective subscribers to respective network domains identified from searching respective subscriber records.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14 further including:
    - providing respective subscriber authentication information and respective subscriber authorization information in respective subscriber records;
      
      providing subscriber authentication and authorization services; and
      
      authenticating and authorizing subscriber access to respective network domains using respective subscriber records and the subscriber authentication and authorization services.
  - 16. The method of claim 14 wherein the respective subscribers are bound to the respective network domain with respective virtual circuits.
  - 17. The method of claim 14 further including:
    - providing in respective subscriber records multiple possible network domain binding options for a respective subscriber.
  - 18. The method of claim 14 wherein,information in respective subscriber records identify multiple respective possible network domains to which respective subscriber end stations of respective subscribers may be bound;
    - andinformation in respective subscriber records provide respective criteria for selecting between multiple respective network domains for a respective subscriber.
  - 19. The method of claim 14, further comprising:
    - dynamically binding subscribers to respective network interfaces for respective network domains with the respective binding data structure.
  - 20. The method of claim 19, further comprising:
    - changing the binding of one of the subscribers to a different one of the network interfaces for a different one of the network domains, where in the change is based on the one subscriber'"'"'s subscriber record.
  - 21. The method of claim 20, wherein the binding change is based on time of day.

22. A subscriber management system comprising:
- a network device including an electronic memory encoded with multiple respective virtual network machines in the memory, each of said respective virtual network machines including separate corresponding respective network databases which includes respective control information to forward data within a respective network domain, said each of respective virtual network machines respectively including at least one respective network interface to the respective network domain, and wherein each of the multiple respective virtual network machines is one of a virtual router and a virtual bridge;
  
  respective subscriber records in an electronic memory that include respective information as to network domains to which respective subscriber end stations of respective subscribers are bound;
  
  a computer program in electronic memory that searches respective subscriber records to identify respective network domains that may be accessed by respective subscriber ends stations of respective subscribers; and
  
  respective binding data structures that respectively bind respective subscribers to respective network interfaces to respective network domains identified from searching respective subscriber records.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The system of claim 22 wherein,information in respective subscriber records identify multiple respective possible network domains to which respective subscriber end stations of respective subscribers may be bound;
    - andinformation in respective subscriber records provide respective criteria for selecting between multiple respective network domains for respective subscribers.
  - 24. The system of claim 22, further including:
    - respective subscriber authentication information and respective subscriber authorization information in respective subscriber records,wherein the computer program further includes subscriber authentication and authorization services; and
      
      authenticating and authorizing subscriber access to respective network domains using respective subscriber records and the subscriber authentication and authorization services.
  - 25. The system of claim 22, wherein the computer program further comprises:
    - dynamically binding subscribers to respective network interfaces for respective network domains with the respective binding data structure.
  - 26. The system of claim 25, wherein the computer program further comprises:
    - changing the binding of one of the subscribers to a different one of the network interfaces for a different one of the network domains, where in the change is based on the one subscriber'"'"'s subscriber record.
  - 27. The system of claim 26, wherein the binding change is based on time of day.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Original Assignee
Redback Networks Inc. (Telefonaktiebolaget LM Ericsson)
Inventors
Salkewicz, William
Primary Examiner(s)
VU, THONG H

Application Number

US10/461,761
Time in Patent Office

1,580 Days
Field of Search

709/249, 709220-229, 709/238, 709/239, 718/100, 370/351, 370/352, 707/103, 711/202
US Class Current

709/223
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/00   Arrangements for maintenanc...

Domain isolation through virtual network machines

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

79 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Domain isolation through virtual network machines

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links