IP encryption over resilient BGP/MPLS IP VPN

US 8,284,943 B2
Filed: 01/22/2007
Issued: 10/09/2012
Est. Priority Date: 09/27/2006
Status: Active Grant

First Claim

Patent Images

1. A method for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising:

a customer edge (CE) router function, located within the enterprise network, for;

providing the data packet, wherein the data packet includes a header and payload;

a Policy Enforcement Point (PEP) function for;

applying an IPSec protocol to the data packet, including encrypting the header and payload of the data packet received from the CE router function and forming an encrypted header and encrypted payload of the data packet;

applying a security association policy to the data packet;

maintaining the header of the data packet in non-encrypted form; and

forming an encrypted data packet including;

i) the header of the data packet maintained in non-encrypted form, and ii) the encrypted header and encrypted payload of the data packet;

a provider edge router function, located within the service provider network, for;

applying an MPLS protocol to the encrypted data packet; and

forwarding the encrypted data packet according to the enterprise network VirtualPrivate Network (VPN) routing and forwarding (VRF).

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encryption of Internet Protocol (IP) traffic using IP Security (IPSec) at the edge of the enterprise network, in such a way as to support resilient BGP/MPLS IP VPN network designs. The IP traffic is securely tunneled within IPSec tunnels from the edge to the edge of the enterprise network. The IPSec traffic is also tunneled within MPLS tunnels from the edge to the edge of the service provider network. The enterprise network thus manages its own IPSec site-to-site VPN. The service provider thus independently manages its own MPLS network. The result provides an IP VPN or Layer 3 MPLS VPN to the enterprise; the enterprise IPSec network can thus be considered as an overlay to the MPLS service provider network.

88 Citations

View as Search Results

20 Claims

1. A method for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising:
- a customer edge (CE) router function, located within the enterprise network, for;
  
  providing the data packet, wherein the data packet includes a header and payload;
  
  a Policy Enforcement Point (PEP) function for;
  
  applying an IPSec protocol to the data packet, including encrypting the header and payload of the data packet received from the CE router function and forming an encrypted header and encrypted payload of the data packet;
  
  applying a security association policy to the data packet;
  
  maintaining the header of the data packet in non-encrypted form; and
  
  forming an encrypted data packet including;
  
  i) the header of the data packet maintained in non-encrypted form, and ii) the encrypted header and encrypted payload of the data packet;
  
  a provider edge router function, located within the service provider network, for;
  
  applying an MPLS protocol to the encrypted data packet; and
  
  forwarding the encrypted data packet according to the enterprise network VirtualPrivate Network (VPN) routing and forwarding (VRF).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16)
- - 2. The method of claim 1, additionally comprising:
    - receiving the security association from a network overlay that is responsible for distributing at least one of security policies and encryption keys to the PEP function.
  - 3. The method of claim 2 wherein the network overlay additionally comprises:
    - a security policy layer; and
      
      an encryption key layer.
  - 4. The method of claim 3 wherein the security policy layer is provided by a Management And Policy (MAP) server and the encryption key layer is provided by a Key Authority Point (KAP) server;
    - and wherein the PEP function is provided by a Policy Enforcement Point (PEP).
  - 5. The method of claim 4 additionally wherein one outbound encryption key is provided for the PEP that becomes the inbound encryption key for other PEPs.
  - 6. The method of claim 4 additionally comprising, by the KAP:
    - generating outbound keys; and
      
      distributing pairs of inbound and outbound keys for each associated PEP.
  - 7. The method of claim 1, additionally comprising:
    - given the data packet received from the CE router function is an IP packet including an IP header, maintaining the IP header in the IP packet in non-encrypted form as an IP address of the encrypted packet; and
      
      wherein encrypting the data packet includes encrypting the entire IP packet both its header and its payload using IPSec ESP.
  - 8. The method of claim 1, additionally comprising:
    - providing resiliency, by connecting two or more CEs to two or more PEs with multiple paths between the CEs and PEs.
  - 9. The method of claim 8 wherein two PEs are controlled by different service providers.
  - 10. The method of claim 8 wherein full mesh connectivity between n, where n is greater than 2, enterprise sites is provided by no more than n tunnels and no more than 2n security associations.
  - 11. The apparatus of claim 10, wherein the PEP is additionally for receiving the security association from a network overlay that is responsible for distributing at least one of security policies and encryption keys to PEPS.
  - 12. The apparatus of claim 11 additionally comprising:
    - a Management And Policy (MAP) server for providing the security policy layer; and
      
      a Key Authority Point (KAP) for providing the encryption key layer.
  - 13. The apparatus of claim 10, additionally comprisinggiven the data packet received from the CE router is an Internet Protocol (IP) packet including an IP header, an IP level packet encryptor that maintains the IP header in the IP packet in non-encrypted form as an IP address of the encrypted packet, and encrypts the entire IP packet both its header and its payload using IP Sec ESP.
  - 15. The apparatus of claim 13 wherein full mesh connectivity between n enterprise sites, where n is greater than 2, is provided by no more than n tunnels and no more than 2n security associations.
  - 16. The apparatus of claim 10, additionally comprising:
    - two or more CEs; and
      
      two or more PEs, with multiple paths through the service provider network made between the CEs and PEs.

14. The apparatus of 13 wherein two PEs are controlled by different service providers.

17. An apparatus for operating on a data packet to provide an enterprise networking environment over a service provider network, comprising:
- a customer edge (CE) router, implemented at least partially in hardware, within the enterprise network for providing the data packet, wherein the data packet includes a header and payload;
  
  a Policy Enforcement Point (PEP) function arranged to;
  
  apply an I PSec protocol to the data packet, including to encrypt the header and payload of the data packet received from the CE router and form an encrypted header and encrypted payload of the data packet;
  
  apply a security association policy to the data packet;
  
  maintain the header of the data packet in non-encrypted form; and
  
  form an encrypted data packet including;
  
  i) the header of the data packet maintained in non-encrypted form and ii) the encrypted header and encrypted payload of the data packet;
  
  and within the service provider network,a provider edge (PE) router arranged to;
  
  apply an MPLS protocol to the encrypted data packet;
  
  forward the encrypted data packet according to enterprise network Virtual Private Network (VPN) routing and forwarding (VRF) tables.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17 wherein the network overlay additionally comprises:
    - a security policy layer; and
      
      an encryption key layer.
  - 19. The apparatus of claim 18 wherein one outbound encryption key is provided for each PEP site in the enterprise network, and that key becomes an inbound encryption key for the other PEP sites.
  - 20. The apparatus of claim 18 wherein the KAP additionally generates outbound keys and distributes pairs of inbound and outbound keys for each associated PEP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Carrasco, Serge-Paul
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US11/656,077
Publication Number

US 20080075088A1
Time in Patent Office

2,087 Days
Field of Search

709/242, 380/278, 713/160, 726/1
US Class Current

380/278
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/00   Routing or path finding of ...

H04L 45/50   using label swapping, e.g. ...

H04L 45/502   Frame based

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

IP encryption over resilient BGP/MPLS IP VPN

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IP encryption over resilient BGP/MPLS IP VPN

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links