Automated operation and security system for virtual private...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular node for directing data and applying cryptography

Reexamination Certificate


Details

C713S163000, C713S152000

active

06751729

ABSTRACT:

BACKGROUND
This invention relates to establishing and operating virtual private data networks.
Virtual private networks (VPNs) leverage the flexibility and cost advantages of the Internet by passing information over the Internet, or other shared Internet Protocol (IP) network, in a secure manner. VPNs enable enterprises to securely bridge geographically separated computers or local networks over the Internet as an alternative to using expensive, leased-line networks and other remote-access solutions. Internet Service Providers (ISPs), recognizing the benefits of VPNs, are beginning to offer multi-tiered VPN services to their customers.
Businesses, recognizing the benefits of VPNs, employ VPNs to support a wide variety of connectivity needs including remote dial-up access for telecommuters and mobile users, private line augmentation and replacement of existing leased-line and frame relay networks, extranet networking for secure and controlled wide area access to corporate information resources by their business partners, and segmented intranet networking for secure partitioning of internal traffic across both the wide area and the local area.
An important impetus for the adoption of VPN technology by businesses is the significant cost saving associated with the replacement of expensive remote access servers and associated long distance dial-up charges, the substitution of inexpensive and ubiquitous Internet access for expensive leased lines and frame relay access, and the introduction of a flexible, fast, secure, and inexpensive mechanism for exchanging data with suppliers and customers.
At the present time, a number of standards and proprietary schemes exist for encrypting and authenticating data packets that traverse public or private data networks. In December 1995, the Internet Engineering Task Force (IETF) published five Requests for Comments (RFCs) that define formats and methods for encrypting and authenticating Internet Protocol (IP) packets. More recently, the IETF has published a series of Internet Drafts that update the formats and methods for encrypting and authenticating IP packets. The IETF initiative is called Internet Protocol Security (IPSec).
The IETF is currently in the process of defining a data link layer security protocol that is known by the name Layer 2 Tunneling Protocol (L2TP). L2TP encapsulates data link layer PPP frames and transmits them across public data networks by prepending an IP header to the encapsulated PPP frames.
Microsoft Corporation has implemented a proprietary data link layer security protocol called Point to Point Tunneling Protocol (PPTP) that encrypts data link layer PPP frames and transmits them across public data networks by prepending an IP header to the encrypted PPP frames.
The IETF has also published a series of Internet Drafts intended to address the standardization of a key management protocol by which IPSec devices negotiate their security associations and keying material. This key management scheme was originally called ISAKMP/OAKLEY; its more current name is the Internet Key Exchange (IKE).
SUMMARY
In one aspect, in general, the invention is a node device for providing secure communication services over a data network, such as the Internet or another public or private packet-switched network, to multiple computers that are coupled through the node device and multiple other node devices. The node device includes a network communication interface for coupling the node device to the data network. For example, the network communication interface is an Ethernet interface that is coupled to a cable modem or a digital subscriber loop (DSL) modem, or a serial interface coupled to a telephone modem for communicating with an Internet service provider. The node device is, for example, an edge device located at a customer premises or at an Internet POP, a network device located at an intermediate point in the Internet, or can be implemented in software on a computer at the customer premises. The node device includes a data storage containing cryptographic information, including information that is private to the node device. The information that is private to the node device can include a private key of a public/private key pair known only to the node device, and can further include a certificate, such as an X.509 format certificate, which includes the public key of the public/private key pair. The node device also includes a tunneling communication service coupled to the network interface that is configured to maintain an encrypted communication tunnel with each of the multiple other node devices using the cryptographic information. For example, the encrypted communication tunnels are implemented using the IPSec or PPTP protocols. The node device further includes a routing database for holding routing data and a router coupled to the tunneling communication service and to the routing database.
The router is configured to accept communication from a first of the computers that includes an address of a second of the computers, to select one of the other node devices based on the address of the second computer and the routing data, and to pass the communication through the encrypted communication tunnel to the selected node device.
The node device can include one or more of the following features:
The router accepts the communication from the first of the computers from the tunneling communication service after that communication is received by the tunneling communication service through one of the encrypted tunnels to the other node device.
The node device further includes a management module configured to communicate with a server over the data network, to use the information in the data storage that is private to the node device for authentication with the server, and to accept cryptographic information from the server for storing in the data storage for use by the tunneling communication service in maintaining the encrypted tunnels.
The management module is configured to receive communication policy information from the server, for example information that the node device uses to limit or prioritize communication between node devices.
The node device further includes a local communication interface, such as an Ethernet interface, coupling the node device to the first of the computers. The router accepts the communication from the first of the computers through the local communication interface.
The node device further includes a communication agent coupled to the local communication interface and configured to accept a broadcast communication from the first of the computers. That broadcast communication is addressed to multiple other devices, for example being a message broadcast according to the BOOTP or DHCP protocol, or another type of request for configuration data from the first local computer. The communication agent is configured to forward the communication over one or more of the encrypted communication tunnels to the other node devices.
The communication agent can select one or more of the encrypted communication tunnels prior to forwarding the communication. For example, a DHCP message can be forwarded over a single tunnel to another node device to which a DHCP server is locally coupled, thereby avoiding forwarding the broadcast communication to other node devices to which no DHCP server is connected. Selecting the tunnels can be based on configuration data provided by a management server.
The router is further configured to accept routing data over the encrypted communication tunnel from the other node devices, for example according to the RIPv2 or OSPF protocols, and to update the routing database using the accepted routing data.
Each of the encrypted communication tunnels belongs to one of multiple sets of tunnels, or VPN “domains,” and the router is configured to prevent forwarding of communication received from a tunnel in one domain to a tunnel in another domain.
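The router behaviour described above (tunnel selection from a routing database learned over the tunnels, plus the rule that traffic never crosses from one VPN domain into a tunnel of another) modelled as an added Python example; this is not the patent's code, and the node names, prefixes and domain labels are constructed for illustration.

```python
"""Toy model of the patent's node device: a router that selects an encrypted
tunnel from a routing database and refuses to bridge VPN domains.
Added example, not the patent's code; peers, prefixes and domains are constructed."""
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tunnel:
    peer: str    # remote node device at the far end of this encrypted tunnel
    domain: str  # VPN domain the tunnel belongs to

@dataclass
class Node:
    tunnels: dict = field(default_factory=dict)  # peer name -> Tunnel
    routes: dict = field(default_factory=dict)   # destination prefix -> peer name

    def add_tunnel(self, peer, domain):
        self.tunnels[peer] = Tunnel(peer, domain)

    def learn_route(self, prefix, peer):
        # Routing data received over a tunnel (RIPv2/OSPF in the text) updates the database.
        self.routes[ipaddress.ip_network(prefix)] = peer

    def select_tunnel(self, dst):
        # Longest-prefix match of the destination address against the routing database.
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.routes if addr in p]
        if not matches:
            return None
        return self.tunnels.get(self.routes[max(matches, key=lambda p: p.prefixlen)])

    def forward(self, dst, ingress_domain):
        """Tunnel to forward on, or None when unroutable or when the forward would
        carry traffic from one VPN domain into a tunnel of another domain."""
        tunnel = self.select_tunnel(dst)
        if tunnel is None or tunnel.domain != ingress_domain:
            return None
        return tunnel

def build_demo_node():
    # Constructed topology: corporate sites in domain "corp", a partner site in "extranet".
    node = Node()
    node.add_tunnel("hq", "corp")
    node.add_tunnel("branch", "corp")
    node.add_tunnel("partner", "extranet")
    node.learn_route("10.0.0.0/8", "hq")
    node.learn_route("10.20.0.0/16", "branch")      # more specific, wins over hq
    node.learn_route("192.168.50.0/24", "partner")
    return node
```

A packet arriving on a "corp" tunnel for the partner prefix is dropped even though a route exists, which is the domain isolation the text requires.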
In another aspect, in general, the invention is a node device for providing secure communication services over a data network to multiple computers th
