Electrical computers and digital processing systems: multicomput – Multiple network interconnecting
Reexamination Certificate
Filed: 1998-09-11
Issued: 2002-08-20
Examiner: Rinehart, Mark H. (Department: 2152)
Class: Electrical computers and digital processing systems: multicomput
Subclass: Multiple network interconnecting
Classifications: C709S229000, C709S225000, C713S152000, C713S160000, C713S150000, C713S162000, C707S793000
Status: active
Patent number: 06438612
ABSTRACT:
TECHNICAL FIELD
The invention relates generally to the transmission of data in the form of packets between computers in a network, and in particular to the secure transmission of data packets in a network comprising so-called virtual routers.
BACKGROUND OF THE INVENTION
A network is an arbitrary aggregate of computer devices linked together through wire, cable, fibre and/or wireless connections for transmitting data in the form of packets. The computer devices in a network may be classified into hosts and routers. A host is a computer device in a network arranged to process only packets destined to itself, whereas a router is arranged to process both packets destined to itself and packets destined to other computer devices of the network. Routers may further be sub-classified; some sub-classes are for example IP (Internet Protocol) routers and access routers. The present invention concerns generally the operation of routers, but it also has implications for the operation of other computer devices in a network.
A simple router 100, illustrated in FIG. 1a, has a number of input lines 101, a number of output lines 102 (which may physically be the same as the input lines) and a routing processor 103 capable of taking the packets coming in on the input lines and forwarding them to the correct output lines in accordance with some explicit or implicit information about the destination of the packets. In the usual case the router has previously stored routing tables that dictate the correct handling of packets. Explicit information above means that each packet contains information about how it should be processed, and implicit information means that from a certain context the router knows how to handle the packet. The router may have obtained the necessary implicit knowledge from some previous packets, or each packet may have a context identifier revealing the correct context.
Recently, the concept of virtual routers has been introduced, as in FIG. 1b. A virtual router 110, 111 or 112 is a logical concept instead of a physical one. A single physical computing device 113 in a network may house a number of virtual routers that use the same hardware, i.e. the same physical input lines 114 and output lines 115 (which may again physically be the same as the input lines) and the same processor 116. Conceptually the virtual routers are separate entities, and a suitable multiple access scheme is applied to share the common physical resources between them. It is even possible to construct a virtual network where the connections between hosts go through virtual routers. Multiple virtual networks may rely on the same cabling and the same physical routers without having any knowledge of each other. This is a popular way of implementing virtual private networks or VPNs, each of which can serve for example as the backbone network connecting the branch offices of a large company together.
Instead of a simple cable, two mutually communicating physical routers supporting virtual routers may also be connected by an arbitrarily complex network capable of transmitting data between its nodes. Such a network may contain intermediate routers that may or may not be aware of the multiple virtual networks going through them. There may be numerous physical (possibly routed) paths between any two nodes in the network. The paths may include wireline, cable, fibre and/or wireless segments.
Virtual networks raise a problem in packet labeling, because in the known labeling schemes it is difficult to identify the virtual network to which the packet belongs. In FIG. 2a, a typical data packet 200 comprises a header 201, a payload or data portion 202 and possibly a checksum 203 (CRC; Cyclic Redundancy Check). The header 201 is arranged into fields that contain, among other information, a source address (not separately shown) identifying the sender of the packet and a destination address (not separately shown) identifying the intended recipient of the packet. As such, the packet can only traverse the logical network in which the addresses are valid, i.e. where the network addressing scheme enables the correct recognition of the sender and the intended recipient. It is possible to temporarily transmit the packet over a different logical network, but the packet must be suitably encapsulated and relabeled.
The process of encapsulating data packets for transmission over a different logical network is called tunneling. Typically, in the case of the IP protocol, tunneling involves adding a new IP header in front of the original packet, setting the protocol field in the new header appropriately, and sending the packet to the desired destination (the endpoint of the tunnel). Tunneling may also be implemented by modifying the original packet header fields or replacing them with a different header, as long as a sufficient amount of information about the original packet is saved in the process so that it will be possible to reconstruct the packet at the end of the tunnel into a form sufficiently similar to the original packet entering the tunnel. The exact amount of information that needs to be passed with the packet depends on the network protocols, and information may be passed either explicitly (as part of the tunneled packet) or implicitly (by the context, as determined e.g. by previously transmitted packets or a context identifier in the tunneled packet).
In the case of tunneling IP traffic between routers over a single network cable or an arbitrarily complex network, a packet is typically wrapped in an outer IP header. The outer source IP address is set to the IP address of the sending node, the outer destination IP address is set to the IP address of the endpoint of the tunnel, and the outer protocol identifier is set to identify the tunneling method. However, if the next router is a virtual router, this simple scheme is not necessarily applicable, because virtual routers typically do not have an IP address of their own. It is not practical to assign a separate IP address to each virtual router, because the number of virtual routers is expected to become very large (there may be hundreds of virtual routers in a single physical computing device) and the number of available IP addresses is limited. Extending the available IP address space by making the IP addresses longer is also not reasonable because it would require a protocol update in millions of computing stations around the world.
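The IP-in-IP form of tunneling just described, as an added example (this is not the patent's own code): the sender prepends an outer IPv4 header whose source is the sending node, whose destination is the tunnel endpoint and whose protocol field identifies the tunneling method (here the IP-in-IP value 4), and the endpoint strips it again after checking that the packet is addressed to it, carries the expected protocol and has an intact header checksum. The addresses, the inner UDP packet and its payload are constructed sample data. Two things the example makes visible: the outer header has exactly one destination address and no field that could name a virtual router behind that address, and nothing in plain IP-in-IP authenticates the outer source, which is what IPsec adds.

```python
"""IP-in-IP tunneling: prepend an outer IPv4 header whose protocol field
identifies the tunneling method, strip it at the tunnel endpoint.
Added example, not code from the patent; all addresses and payloads below
are constructed for illustration."""
import struct
import ipaddress

IPPROTO_IPIP = 4   # outer protocol value for IP-in-IP encapsulation
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,        # version 4, IHL = 5 words
                      0,                   # DSCP / ECN
                      20 + payload_len,    # total length
                      0,                   # identification (constant here; real stacks vary it)
                      0x4000,              # flags: don't fragment, offset 0
                      ttl,
                      proto,
                      0,                   # checksum placeholder
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Validate the leading IPv4 header and return the fields we need."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Sender: outer src = sending node, outer dst = tunnel endpoint,
    outer protocol = tunneling method. Refuses to tunnel a malformed packet."""
    parse_ipv4_header(inner)
    return build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(pkt: bytes, my_addr: str) -> bytes:
    """Endpoint: accept only packets addressed to us that carry IP-in-IP,
    then return the original packet. Nothing here authenticates the outer
    source address; that is the job of IPsec, not of the encapsulation."""
    outer = parse_ipv4_header(pkt)
    if outer["dst"] != my_addr:
        raise ValueError("outer destination is not this tunnel endpoint")
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet (protocol %d)" % outer["proto"])
    inner = pkt[outer["ihl"]:outer["total_len"]]
    parse_ipv4_header(inner)   # the reconstructed packet must itself be valid
    return inner


def is_rejected(pkt: bytes, my_addr: str) -> bool:
    """True if the endpoint refuses the packet (shows that the checks bite)."""
    try:
        decapsulate(pkt, my_addr)
    except ValueError:
        return True
    return False


# Constructed sample: a private-address UDP packet leaving a branch office.
INNER = build_ipv4_header("10.1.0.5", "10.2.0.9", IPPROTO_UDP, 12) + b"hello branch"


def demo() -> bytes:
    """Tunnel INNER between two public endpoints and recover it at the far end."""
    tunneled = encapsulate(INNER, "198.51.100.1", "203.0.113.7")
    return decapsulate(tunneled, "203.0.113.7")
```

The checksum verification uses the property that summing a header over its own checksum field yields 0xFFFF, so the complemented fold is zero; a single flipped bit anywhere in the outer header makes `decapsulate` drop the packet rather than forward a corrupted inner packet.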
Multi-protocol label switching (MPLS, as discussed in the Internet Engineering Task Force IETF working groups) can be used to carry labels that identify the virtual network that the packets belong to. Alternatively, the L2TP protocol (Layer 2 Tunneling Protocol, also discussed in IETF working groups) can be used to tunnel PPP (point-to-point protocol) streams over networks, and can also be used to carry labeling information.
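An added example (not the patent's or the IETF's code) of how a label stack can carry the virtual-network identity that an IP address cannot: each MPLS shim entry is 32 bits (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL); the outer label moves the packet to the egress physical router and the bottom label selects the virtual router housed there. The label values, the label-to-virtual-router table and the payload bytes are constructed for illustration.

```python
"""MPLS shim-header label stack marking which virtual network a packet
belongs to. Added example, not code from the patent; labels, the
label table and the payload are constructed for illustration."""
import struct

LABEL_MAX = (1 << 20) - 1
RESERVED_LABEL_MAX = 15      # labels 0..15 have special meanings in MPLS


def encode_entry(label: int, tc: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    """One 32-bit stack entry: label(20) | tc(3) | S(1) | ttl(8)."""
    if not 0 <= label <= LABEL_MAX:
        raise ValueError("label out of 20-bit range")
    if not 0 <= tc <= 7 or not 0 <= ttl <= 255:
        raise ValueError("tc or ttl out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def encode_stack(labels: list) -> bytes:
    """Outermost label first; only the last entry gets the bottom-of-stack bit."""
    if not labels:
        raise ValueError("empty label stack")
    last = len(labels) - 1
    return b"".join(encode_entry(lab, bottom=(i == last)) for i, lab in enumerate(labels))


def decode_stack(data: bytes):
    """Return ([(label, tc, ttl), ...], payload). Raises if no entry signals
    bottom-of-stack; otherwise the parser would read payload bytes as labels."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack runs past end of packet")
        word, = struct.unpack_from("!I", data, off)
        off += 4
        entries.append((word >> 12, (word >> 9) & 7, word & 0xFF))
        if (word >> 8) & 1:
            return entries, data[off:]


# Constructed binding at the egress physical router: the bottom label names a
# virtual router, which has no IP address of its own.
VPN_LABEL_TABLE = {100001: "vr-acme-corp", 100002: "vr-globex"}


def demux(packet: bytes) -> tuple:
    """Pop the stack and hand the payload to the virtual router named by the
    bottom label. Reserved or unbound labels are dropped, never guessed."""
    entries, payload = decode_stack(packet)
    vpn_label = entries[-1][0]
    if vpn_label <= RESERVED_LABEL_MAX or vpn_label not in VPN_LABEL_TABLE:
        raise ValueError("no virtual router bound to label %d" % vpn_label)
    return VPN_LABEL_TABLE[vpn_label], payload


def is_dropped(packet: bytes) -> bool:
    """True if the egress router refuses the packet."""
    try:
        demux(packet)
    except ValueError:
        return True
    return False


def demo() -> tuple:
    """Transport label 300 reaches the egress box; 100002 selects the VPN there."""
    pkt = encode_stack([300, 100002]) + b"\x45\x00inner-ip-packet"
    return demux(pkt)
```

The transport label is what the intermediate routers act on; they need not know the virtual networks exist, which is the property the text attributes to tunnels through an arbitrarily complex network.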
Problems with virtual routers arise also in the context of security mechanisms introduced to enhance the security of data traffic in public networks. The IETF (Internet Engineering Task Force) has defined a set of rules for adding security to the IP protocol and collected them under the designation IPSEC or IP security protocol. IPSEC provides cryptographic authentication and confidentiality of traffic between two communicating network nodes. It can be used either in end-to-end mode, directly between the communicating nodes or hosts, or in tunnel mode between firewalls or routers. Asymmetric connections, where one end is a host and the other end is a firewall or router, are also possible. The most important RFC standards published by the IETF and relating to IPSEC are RFC-1825 “Security Architecture for the Internet Protocol”, RFC-1826 “IP Authentication Header” and RFC-1827 “IP Encapsulating Security Payload (ESP)”, all by R. Atkinson, NRL, August 1995, all of which are hereby incorporated by reference. RFC stands for Request For Comments, which is an IETF form of standards and recommendations. A complete overview of IPSEC is available to the public at the time of filing of this patent application at the internet ad
Kivinen Tero
Ylonen Tatu
Fish Ronald Craig
Rinehart Mark H.
Ronald Craig Fish A Law Corporation
SSH Communications Security Ltd.
Vaughn, Jr. William C
Method and arrangement for secure tunneling of data between...
Profile ID: LFUS-PAI-O-2968677