
USRE49485E1 - Overlay management protocol for secure routing based on an overlay network - Google Patents


Info

Publication number: USRE49485E1
Authority: US (United States)
Prior art keywords: overlay, network, secure, controller, information
Legal status: Active
Application number: US17/160,178
Inventors: Atif Khan, Syed Khalid Raza, Nehal Bhau, Himanshu H. Shah
Current assignee: Cisco Technology Inc
Original assignee: Cisco Technology Inc
Application filed by Cisco Technology Inc; priority to US17/160,178 (USRE49485E1) and to US17/677,280 (USRE50105E1); application granted; publication of USRE49485E1; current legal status: Active


Classifications

All listed classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/20 for managing network security; network security policies in general
            • H04L 63/205 involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
        • H04L 63/02 for separating internal from external traffic, e.g. firewalls
            • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
            • H04L 63/0272 Virtual private networks
        • H04L 63/16 Implementing security features at a particular protocol layer
            • H04L 63/166 at the transport layer
    • H04L 45/00 Routing or path finding of packets in data switching networks
        • H04L 45/02 Topology update or discovery
        • H04L 45/64 using an overlay routing layer
    • H04L 12/00 Data switching networks
        • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
            • H04L 12/2854 Wide area networks, e.g. public data networks

Definitions

  • the method comprises establishing an overlay domain to control routing between overlay edge routers based on an underlying transport network, wherein said establishing comprises running an overlay management protocol to exchange information within the overlay domain; in accordance with the overlay management protocol defining service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes are shared with the overlay edge routers but not with the underlying transport network via the overlay management protocol.
  • FIG. 1 illustrates an overlay domain (OD), in accordance with one embodiment of the invention.
  • FIGS. 2 - 5 show portions of the overlay domain (OD), in greater detail.
  • FIG. 6 shows a flowchart of a method for creating a secure network, in accordance with one embodiment.
  • FIG. 7 shows a flowchart of a method for routing, in accordance with one embodiment.
  • FIG. 8 shows a high-level block diagram for an overlay controller (OC), in accordance with one embodiment of the invention.
  • FIG. 9 shows a high-level block diagram of hardware for a router, in accordance with one embodiment of the invention.
  • VPN Virtual Private Network
  • IGP Interior Gateway Protocol
  • embodiments of the present invention disclose an overlay management protocol (OMP) that may be used to build scalable, dynamic, and secure networks, for example virtual private networks (VPNs), on-demand.
  • FIG. 1 shows a deployment scenario for embodiments of the invention.
  • an overlay domain (OD) 100 includes a plurality of overlay edge routers (OERs).
  • OERs overlay edge routers
  • in FIG. 1 only four overlay edge routers (OERs) are shown and are indicated by reference numerals 102, 104, 106, and 108, respectively.
  • the number four is arbitrary; the overlay domain (OD) 100 may include more or fewer overlay edge routers (OERs).
  • the overlay edge routers are located at the edge of the OD 100 and are within the control of an enterprise. As such, each overlay edge router (OER) is a customer premises (CP) device.
  • CP customer premises
  • the overlay domain (OD) 100 further comprises at least one overlay controller (OC).
  • OC overlay controller
  • in FIG. 1 two overlay controllers are shown and are indicated by reference numerals 110 and 112, respectively.
  • the overlay domain (OD) 100 may include more or fewer overlay controllers than the illustrated number.
  • each overlay edge router is capable of communicating with at least one legacy router (LR).
  • LR legacy router
  • in FIG. 1 three legacy routers are shown, indicated by reference numerals 114, 116, and 118, respectively.
  • the term “legacy router” is used to refer to any router that is not within the overlay domain (OD) 100 .
  • the overlay domain (OD) 100 may rely on a transport network 120 to provide network transport functionality, as will be described later.
  • the transport network 120 may include any wide area network (WAN) and in some embodiments may include the Internet, other public WAN, a Metro Ethernet or MPLS.
  • WAN wide area network
  • the transport network 120 may include circuits and networks provided by third parties such as carriers, and service providers (SPs).
  • each overlay edge router may be provisioned with transport parameters to allow connection to the transport network 120 . Further, each overlay edge router (OER) may be provisioned with system parameters that include a site ID, a domain ID, a system ID, and an address for a mapping server. In one embodiment, the system ID may be a system-wide IP address.
  • each overlay controller may be provisioned with transport parameters to allow connection to the transport network 120 .
  • each overlay controller may be provisioned with system parameters similar to the system parameters of each overlay edge router (OER).
  • FIGS. 2 - 5 show portions of the overlay domain (OD) 100 in greater detail.
  • each overlay edge router performs a bring-up procedure with an assigned overlay controller (OC) whereby the overlay edge router (OER) and said assigned overlay controller (OC) are first authenticated by a mapping server and a secure communications channel (also referred to herein as a “control channel”) is established between said overlay edge router (OER) and overlay controller (OC).
  • reference numeral 122 shows an example of a control channel that was established as a DTLS tunnel between the overlay edge router (OER) 104 and the overlay controller (OC) 110 via the transport network 120 as a result of the bring-up procedure.
  • the plurality of secure communications channels established between each overlay edge router (OER) and an assigned overlay controller (OC) together define an overlay control plane (OCP).
  • secure tunnels may be established between one overlay edge router (OER) and another overlay edge router (OER).
  • reference numeral 124 shows a secure tunnel that may exist as an IPSec tunnel between the overlay edge router (OER) 102 and the overlay edge router (OER) 106 .
  • the tunnel 124 is through the transport network 120 and is used to transport data between its end points in a secure manner.
  • the plurality of tunnels established between the various overlay edge routers (OERs) together form a secure overlay data plane (ODP).
  • communications between an overlay edge router (OER) and an overlay controller (OC) may be facilitated by the use of the overlay management protocol (OMP).
  • the OMP may be used to exchange routing, policy, security, and management information between an overlay controller (OC) and an overlay edge router (OER).
  • the OMP may be used to advertise routing information within the overlay domain (OD) 100 , as will be described.
  • the OMP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing.
  • the OMP may listen on TCP port [17900, assigned through IANA].
  • the OMP may be configured to handle overlay routes and transport locators (TLOCs).
  • an overlay route may include the prefixes that establish reachability between endpoints.
  • An overlay route may represent services in a central data center, services at a branch office or collections of hosts and other endpoints in any location of the overlay network.
  • An overlay route may require and resolve onto TLOCs for functional forwarding.
  • an overlay route may be considered to be the equivalent of a prefix carried in any of the BGP AFI/SAFI constructs.
  • a transport locator ties an overlay route to a physical location.
  • the TLOC is the only visible entity of the OMP routing domain to the underlying transport network 120 , and is reachable via routing in the transport network 120 .
  • a TLOC can be directly reachable via an entry in the routing table of the physical network or be represented by a prefix residing on the outside of a NAT device, also present in the aforementioned routing table.
  • the TLOC acts as the next-hop for overlay routes, to continue the BGP-analogy.
  • an OMP speaker advertises to its peers, those overlay routes that it has learned locally from the site to which it is attached along with their location mappings.
  • the OMP may interact with traditional routing at the sites to which the overlay network extends and import information from existing protocols, such as OSPF and/or BGP, providing reachability within a given site.
  • the overlay environment consists of a central controller and a number of edge-devices.
  • Each edge-device advertises the imported overlay routes to the central controller, and the central controller, based on policy decisions, further distributes the overlay routing information to other edge-devices in the network.
  • Edge-devices are not configured to advertise routing information to each other using the OMP.
  • the OMP-peering sessions between overlay controller (OC) and each overlay edge router (OER) are used exclusively for the exchange of control plane traffic, whereas the overlay data plane (ODP) channels are used for data traffic.
  • each registered overlay edge router collects routes from directly connected networks, static routes, routes learned from the IGP protocols, and potentially BGP for redistribution.
  • the OMP may undertake path-selection, loop avoidance and policy execution on a local speaker basis to decide which overlay routes are installed in the local table of any edge-device. Inherent policies, best path selection and policy influencers are discussed in greater detail later.
  • the OMP may support a variety of message types to enable routing control using the transport network 120 . Examples of the message types
  • the overlay routes may include the following types:
  • Each overlay route may be advertised with the following attributes:
  • TLOCs transport locators
  • TLOCs are the location IDs, e.g. a WAN interface connecting into a carrier.
  • TLOCs are denoted by {System-IP, Link-color} as described below.
  • IP addresses can move or change (e.g. if they are DHCP-assigned).
  • using {System-IP, Link-color} to denote TLOCs ensures that a transport endpoint can be identified irrespective of the interface IP addressing.
  • Each TLOC is advertised separately by the OMP.
  • a TLOC may be advertised with the following attributes:
  • a TLOC may be represented by a system-id plus color, where color represents the type of WAN interface on an overlay edge router (OER).
  • service routes represent services connected to an overlay edge router (OER).
  • the service routes may be advertised by the overlay edge routers (OERs) within the overlay domain (OD) 100 to the overlay controllers (OCs) using service address family Network Layer Reachability Information (NLRI).
  • NLRI Network Layer Reachability Information
  • the OMP may be configured to automatically redistribute the following types of routes that it learns either locally or from its routing peers: connected, static, OSPF intra-area routes, and OSPF inter-area routes.
  • redistribution of BGP and OSPF external routes may require explicit or manual configuration to avoid routing loops and suboptimal routing.
  • the OMP may be used to set the origin type and sub-origin type of each overlay route to the route's origin. Examples of “origin” and “sub-origin” types are provided in the table below:
  • the OMP may be used to carry the metric of the original route. Metric is ‘0’ for connected routes.
  • an overlay edge router may implement a route selection procedure based on origin type and sub-type.
  • An exemplary algorithm for the route selection procedure may be based on an “administrative distance” as follows:
  • an overlay edge router advertises its local routes to its assigned overlay controller (OC) using the OMP. Depending on the network topology, the same route may get advertised from multiple overlay edge routers (OERs).
  • the overlay controller (OC) may then choose the best route based on the following algorithm:
  • an overlay route is only installed in the forwarding table of an overlay edge router (OER) if the TLOC it points to is active.
  • a TLOC is only active when there is an active BFD session with that TLOC.
  • all overlay routes pointing to that TLOC are removed from the forwarding table.
  • each overlay edge router establishes a separate BFD session with each of the remote TLOCs.
  • a BFD session will only be established with TLOCs to which there is active traffic flow.
  • a TLOC is similar to the NEXT HOP attribute in BGP and is carried in the overlay route NLRI with a type value of 1.
  • the actual TLOC is not carried as an immediate attribute to the prefix, but rather the System-IP of the OMP speaker originating the overlay route. Carrying the System-IP allows for the mapping between overlay routes and TLOCs irrespective of what the actual TLOC happens to be. This is important since TLOCs can change and will change when traversing NATs, something that OMP is designed to take into consideration.
  • This TLOC attribute points the TLOC AFI/SAFI. Within the SAFI for each TLOC, the detailed information on each specific TLOC can be found. This includes detailed information on the actual next-hop address to use, the actual TLOC.
  • This information includes the public IP address of the TLOC and if NAT is involved, the private and non-translated TLOC-address. This separation of information allows for individual advertisement and invalidation of overlay routes or TLOCs without having to invalidate the other dependent entity.
  • the Site ID is 4 bytes long and is used for identifying whether the overlay route belongs to a particular site regardless of whether the site is single- or multi-homed. The Site ID helps with selecting routes: inter-site routes are always preferred over IGP-learned routes, and IGP-learned routes are preferred over intra-site routes. This helps in situations where there could be two site routers that are not servicing the same set of overlay edge routers (OERs).
  • An OMP speaker may use this attribute to control the routing information it accepts, prefers or redistributes. For redistributed routes it could be used to control loops. Community could be attached, removed or modified from an update according to local policies.
  • PREF Preference
  • Any edge-device that receives an overlay route calculates the degree of preference for the route based on the configured policy before considering other attributes of a TLOC.
  • an overlay route carrying a higher preference value is preferred.
  • Each overlay edge router may be configured to consider this attribute first in its decision process for route selection.
  • the attribute provides two applications; one from the controller's perspective and another from the edge-device perspective. From the controller perspective, when an aggregated shorter prefix is originated by the controller to any of the edge-devices, this attribute indicates that more specific prefixes within the aggregated range exist and that they are located at location(s) different from that of the aggregate TLOC. In this case, the controller is indicating that a query for the TLOC where the longest-match overlay route is located may be performed. From the edge-device perspective, using the advertised aggregate for data-plane traffic can take place in parallel with performing a query for more specific prefixes and the associated TLOCs.
  • the attribute carries the OMP Identifier of the originator of the route. Any controller passing the route should not alter the Originator-ID attribute.
  • the Origin attribute is carried with each overlay route and is used to indicate which routing protocols were registered and/or redistributed by the OMP.
  • This attribute has a value of 2 and is used to carry the actual address of an interface of an OMP speaker. This address may not be the address seen by the rest of the network if NAT is used in the path from the device to the transport network attachment. This is required for fully functional operation in a NAT environment.
  • This attribute has a value of 3 and is used to carry the address used on the outside of a NAT, corresponding to the address carried in the TLOC Private attribute for the network attachment on the inside of the NAT-device.
  • this is the NAT translated address used to forward packets. This is not used as the next hop in the OMP, but only in the forwarding table, making the situation where TLOCs changing due to changing NAT mappings manageable and less disruptive.
  • Preference is a well-known attribute (value 5) included in all UPDATE messages that are either originated by the edge-device itself or set as part of a policy at the controller. Any edge-device receiving an overlay route takes the TLOC preference into consideration after considering the overlay route preference. A higher preference is preferred.
  • the color can be set by the edge-device or controller depending on the policy configured at either device, but needs to match across the network for efficient color-based forwarding to take place.
  • An OMP speaker may use this attribute to control routing information flow toward a TLOC.
  • an overlay route is advertised along with its TLOC; both or either can be distributed with a community tag, to be used to decide how to send or receive traffic to/from a group of TLOCs.
  • the Site ID is a four-octet attribute used for identifying overlay routes being sourced from particular sites. It assists in route-selection, since inter-site routes are always preferred over IGP learned routes.
  • the Tunnel Encapsulation attribute is an optional transitive attribute that is composed of a set of Type-Length-Value (TLV) encodings.
  • the type code of the attribute is set to 4.
  • Each TLV contains information corresponding to a particular tunnel technology.
  • the OMP may be used to create a secure network in accordance with a method illustrated in FIG. 6 .
  • the method may include the following processing blocks:
  • Block 600 establish an overlay domain to control routing between overlay edge routers based on an underlying transport network. This step includes running the OMP to exchange information within the overlay domain;
  • Block 602 in accordance with the OMP define service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain;
  • Block 604 selectively use the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes are not shared with the underlying transport network.
  • the OMP may be used to perform a method for routing. This method is illustrated in the flowchart of FIG. 7. Referring to FIG. 7, the method may include the following processing blocks:
  • Block 700 provide an overlay network comprising at least one overlay controller; and a plurality of overlay edge routers communicatively coupled to the at least one overlay controller; wherein the overlay network is associated with an underlying transport network;
  • Block 702 collect by the overlay controller, routing information comprising at least one of authentication information, service information, encryption information, policy information, and access control information; wherein said routing information is carried by an overlay management protocol; and
  • Block 704 orchestrate by the overlay controller, routing through the underlying transport network based on the routing information; wherein said routing information is not exposed to elements of the underlying transport network.
  • FIG. 8 shows an example of hardware 800 that may be used to implement the overlay controller (OC), in accordance with one embodiment.
  • the hardware 800 may include at least one processor 802 coupled to a memory 804.
  • the processor 803 may represent one or more processors (e.g., microprocessors), and the memory 804 may represent random access memory (RAM) devices comprising a main storage of the hardware, as well as any supplemental levels of memory e.g., cache memories, non-volatile or back-up memories (e.g. programmable or flash memories), read-only memories, etc.
  • the memory 804 may be considered to include memory storage physically located elsewhere in the hardware, e.g. any cache memory in the processor 802 , as well as any storage capacity used as a virtual memory, e.g., as stored on a mass storage device.
  • the hardware also typically receives a number of inputs and outputs for communicating information externally.
  • the hardware may include one or more user input output devices 806 (e.g., a keyboard, mouse, etc.) and a display 808 .
  • the hardware 800 may also include one or more mass storage devices 810 , e.g., a Universal Serial Bus (USB) or other removable disk drive, a hard disk drive, a Direct Access Storage Device (DASD), an optical drive (e.g. a Compact Disk (CD) drive, a Digital Versatile Disk (DVD) drive, etc.) and/or a USB drive, among others.
  • USB Universal Serial Bus
  • DASD Direct Access Storage Device
  • CD Compact Disk
  • DVD Digital Versatile Disk
  • the hardware may include an interface with one or more networks 812 (e.g., a local area network (LAN), a wide area network (WAN), a wireless network, and/or the Internet among others) to permit the communication of information with other computers coupled to the networks.
  • the hardware typically includes suitable analog and/or digital interfaces between the processor 812 and each of the components, as is well known in the art.
  • the hardware 800 operates under the control of an operating system 314 , and executes application software 816 which includes various computer software applications, components, programs, objects, modules, etc. to perform the techniques described above.
  • routines executed to implement the embodiments of the invention may be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as “computer programs.”
  • the computer programs typically comprise one or more instructions set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processors in a computer, cause the computer to perform operations necessary to execute elements involving the various aspects of the invention.
  • the various embodiments of the invention are capable of being distributed as a program product in a variety of forms, and that the invention applies equally regardless of the particular type of machine or computer-readable media used to actually effect the distribution.
  • Examples of computer-readable media include but are not limited to recordable type media such as volatile and non-volatile memory devices, USB and other removable media, hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks, (DVDs), etc.), flash drives among others.
  • FIG. 9 shows a block diagram of hardware 900 for any of the routers disclosed herein, in accordance with one embodiment of the invention.
  • the hardware 900 includes a routing chip 904 coupled to a forwarding chip 908 .
  • the routing chip 904 performs functions such as path computations, routing table maintenance, and reachability propagation.
  • Components of the routing chip include a CPU or processor 904 , which is coupled to a memory 906 .
  • the memory stores instructions to perform the methods disclosed herein.
  • the forwarding chip is responsible for packet forwarding along a plurality of line interfaces 910.
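The route-handling behaviour described in the entries above (edges advertise routes and TLOCs only to the controller, which redistributes them by policy; an overlay route carries the originator's System-IP and is resolved onto that speaker's TLOCs; route preference is compared before TLOC preference; a route is installed only while its TLOC has an active BFD session, and forwarding uses the NAT-public TLOC address) is modelled here as an added Python example. It is not code from the patent or from Cisco: the class names, the per-site preference policy at the controller and all addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tloc:
    """Transport locator: {System-IP, Link-color} names the endpoint independently of its IP."""
    system_ip: str
    color: str
    private_addr: str    # TLOC Private (type 2): interface address inside any NAT
    public_addr: str     # TLOC Public (type 3): NAT-outside address used in the forwarding table
    preference: int = 0  # TLOC preference (value 5): higher preferred, after route preference


@dataclass(frozen=True)
class OverlayRoute:
    """Overlay route carrying the originator's System-IP rather than a concrete TLOC."""
    prefix: str
    originator: str      # Originator-ID: System-IP of the advertising OMP speaker
    site_id: int         # 4-byte Site ID
    origin: str          # origin type, e.g. "connected", "ospf-intra"
    preference: int = 0


class OverlayController:
    """OC: receives routes/TLOCs over the control channel, applies policy, redistributes."""

    def __init__(self, site_preference=None):
        # Hypothetical policy model: a per-site route preference override set at the controller.
        self.site_preference = site_preference or {}
        self.routes = {}   # system_ip -> routes learned from that OER
        self.tlocs = {}    # system_ip -> TLOCs advertised by that OER

    def receive(self, system_ip, routes, tlocs):
        self.routes[system_ip] = [self._apply_policy(r) for r in routes]
        self.tlocs[system_ip] = list(tlocs)

    def _apply_policy(self, route):
        pref = self.site_preference.get(route.site_id, route.preference)
        return OverlayRoute(route.prefix, route.originator, route.site_id, route.origin, pref)

    def advertise_to(self, system_ip):
        """Edges never peer directly; each receives what the other edges advertised."""
        routes = [r for ip, rs in self.routes.items() if ip != system_ip for r in rs]
        tlocs = [t for ip, ts in self.tlocs.items() if ip != system_ip for t in ts]
        return routes, tlocs


class OverlayEdgeRouter:
    """OER: resolves overlay routes onto TLOCs and installs only those with an active BFD session."""

    def __init__(self, system_ip):
        self.system_ip = system_ip
        self.routes = []
        self.tlocs = {}       # (system_ip, color) -> Tloc
        self.bfd_up = set()   # (system_ip, color) keys with an active BFD session

    def learn(self, routes, tlocs):
        self.routes = list(routes)
        self.tlocs = {(t.system_ip, t.color): t for t in tlocs}

    def bfd(self, system_ip, color, up):
        key = (system_ip, color)
        if up:
            self.bfd_up.add(key)
        else:
            self.bfd_up.discard(key)   # all routes resolving onto this TLOC drop out below

    def _active_tlocs(self, route):
        # Resolution goes through the originator's System-IP, so a changed TLOC address
        # (e.g. a new NAT mapping) does not invalidate the route itself.
        return [t for k, t in self.tlocs.items()
                if t.system_ip == route.originator and k in self.bfd_up]

    def forwarding_table(self):
        """prefix -> next-hop address; route preference is compared before TLOC preference."""
        best = {}
        for route in self.routes:
            active = self._active_tlocs(route)
            if not active:
                continue   # no active TLOC: the overlay route is not installed
            tloc = max(active, key=lambda t: t.preference)
            current = best.get(route.prefix)
            if current is None or (route.preference, tloc.preference) > (
                    current[0].preference, current[1].preference):
                best[route.prefix] = (route, tloc)
        return {prefix: tloc.public_addr for prefix, (_, tloc) in best.items()}


def demo():
    """Constructed scenario: two sites advertise the same prefix; a third OER installs routes."""
    oc = OverlayController(site_preference={1: 10})   # policy: prefer site 1's routes
    oc.receive("10.1.1.1",
               [OverlayRoute("192.168.1.0/24", "10.1.1.1", 1, "connected")],
               [Tloc("10.1.1.1", "mpls", "172.16.1.1", "172.16.1.1", 100),
                Tloc("10.1.1.1", "biz-internet", "192.168.100.2", "203.0.113.7", 50)])
    oc.receive("10.2.2.2",
               [OverlayRoute("192.168.1.0/24", "10.2.2.2", 2, "ospf-intra"),
                OverlayRoute("192.168.2.0/24", "10.2.2.2", 2, "connected")],
               [Tloc("10.2.2.2", "biz-internet", "10.0.0.5", "198.51.100.9")])
    oc.receive("10.3.3.3", [OverlayRoute("192.168.3.0/24", "10.3.3.3", 3, "connected")],
               [Tloc("10.3.3.3", "biz-internet", "10.0.0.9", "198.51.100.33")])

    oer = OverlayEdgeRouter("10.3.3.3")
    oer.learn(*oc.advertise_to("10.3.3.3"))   # its own route is not reflected back
    for key in oer.tlocs:
        oer.bfd(*key, up=True)
    stages = {"all up": oer.forwarding_table()}
    oer.bfd("10.1.1.1", "mpls", up=False)
    stages["mpls down"] = oer.forwarding_table()
    oer.bfd("10.1.1.1", "biz-internet", up=False)
    stages["site 1 unreachable"] = oer.forwarding_table()
    oer.bfd("10.2.2.2", "biz-internet", up=False)
    stages["all down"] = oer.forwarding_table()
    return stages


if __name__ == "__main__":
    for stage, table in demo().items():
        print(stage, table)
```

Walking through `demo()`: with every BFD session up, 192.168.1.0/24 is installed via site 1's MPLS TLOC because the controller policy gave site 1 the higher route preference and, within that speaker, MPLS has the higher TLOC preference; losing that one session shifts the prefix to site 1's other colour rather than to site 2, and only when no site 1 TLOC has BFD does site 2's advertisement of the same prefix win. The next hop written is always the NAT-outside `public_addr`, so a change of NAT mapping is a TLOC update, not a route withdrawal.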

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for creating a secure network is provided. The method comprises establishing an overlay domain to control routing between overlay edge routers based on an underlying transport network, wherein said establishing comprises running an overlay management protocol to exchange information within the overlay domain; in accordance with the overlay management protocol defining service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes are shared with the overlay edge routers but not with the underlying transport network via the overlay management protocol.

Description

Notice: more than one reissue application has been filed for the reissue of U.S. Pat. No. 10,277,558. The reissue applications are application Ser. Nos: 17/160,178 (the present application), filed Jan. 27, 2021; 17/085,767 filed Oct. 30, 2020; and 17/677,280 filed Feb. 22, 2022.
This application is a continuation reissue of U.S. patent application Ser. No. 17/085,767, filed Oct. 30, 2020, which is a reissue of U.S. Pat. No. 10,277,558, filed Aug. 14, 2017, which is a divisional of U.S. Pat. patent application Ser. No. 15/261,790 9,736,113, filed Sep. 9, 2016, which is a continuation of U.S. Pat. application Ser. No. 14/133,558 9,467,478, filed Dec. 18, 2013. The foregoing applications are incorporated herein by reference.
FIELD
Embodiments of the present invention relate to methods and systems for creating and operating secure wide area networks.
BACKGROUND
Today, it remains a challenge for enterprises to build and control scalable secure private wide area networks (WANs) on-demand. This is partly due to the fact that significant network elements such as routers and circuits, being under the control of third parties such as cable providers and other service providers (SPs), are outside the control of said enterprises.
Moreover, from a control point of view, routing within such WANs is largely based on destination addresses alone and is controlled by said third parties. Thus, enterprises lack the ability to control routes within the prior art WANs.
SUMMARY
According to one aspect of the invention, a method for creating a secure network is provided. The method comprises establishing an overlay domain to control routing between overlay edge routers based on an underlying transport network, wherein said establishing comprises running an overlay management protocol to exchange information within the overlay domain; in accordance with the overlay management protocol defining service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes are shared with the overlay edge routers but not with the underlying transport network via the overlay management protocol.
Other aspects of the invention will be apparent from the detailed description below.
BRIEF DESCRIPTION OF THE FIGURES
FIG. 1 illustrates an overlay domain (OD), in accordance with one embodiment of the invention.
FIGS. 2-5 show portions of the overlay domain (OD), in greater detail.
FIG. 6 shows a flowchart of a method for creating a secure network, in accordance with one embodiment.
FIG. 7 shows a flowchart of a method for routing, in accordance with one embodiment.
FIG. 8 shows a high-level block diagram for an overlay controller (OC), in accordance with one embodiment of the invention.
FIG. 9 shows a high-level block diagram of hardware for a router, in accordance with one embodiment of the invention.
DETAILED DESCRIPTION
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block or flow diagram form only in order to avoid obscuring the invention.
Reference in this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearance of the phrase “in one embodiment” in various places in the specification is not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.
Moreover, although the following description contains many specifics for the purposes of illustration, anyone skilled in the art will appreciate that many variations and/or alterations to the details are within the scope of the present invention. Similarly, although many of the features of the present invention are described in terms of each other, or in conjunction with each other, one skilled in the art will appreciate that many of these features can be provided independently of other features. Accordingly, this description of the invention is set forth without any loss of generality to, and without imposing limitations upon, the invention.
Glossary of Some Terms Used Herein
WAN—Wide Area Network
IP—Internet Protocol
SP—Service Provider
MPLS—Multiprotocol Label Switching.
DTLS—Datagram Transport Layer Security
IPSec—Internet Protocol Security
OSPF—Open Shortest Path First
BGP—Border Gateway Protocol
AFI—Address Family Identifier
SAFI—Subsequent Address Family Identifier
NLRI—Network Layer Reachability Information
VPN—Virtual Private Network
IANA—Internet Assigned Numbers Authority
NAT—Network Address Translation
IGP—Interior Gateway Protocol
TCP—Transmission Control Protocol
Broadly, embodiments of the present invention disclose an overlay management protocol (OMP) that may be used to build scalable, dynamic, and secure networks, for example virtual private networks (VPNs), on-demand.
FIG. 1 shows a deployment scenario for embodiments of the invention. Referring to FIG. 1, an overlay domain (OD) 100 includes a plurality of overlay edge routers (OERs). In FIG. 1 only four overlay edge routers (OERs) are shown and are indicated by reference numerals 102, 104, 106, and 108, respectively. However, it is to be understood that the number four is arbitrary and that the overlay domain (OD) 100 may include more or fewer overlay edge routers (OERs).
The overlay edge routers (OERs) are located at the edge of the OD 100 and are within the control of an enterprise. As such, each overlay edge router (OER) is a customer premises (CP) device.
The overlay domain (OD) 100 further comprises at least one overlay controller (OC). In FIG. 1 two overlay controllers are shown and are indicated by reference numerals 110 and 112, respectively. As with the number of overlay edge routers (OERs), it is to be understood that the overlay domain (OD) 100 may include more or fewer overlay controllers than the illustrated number.
In one embodiment, each overlay edge router (OER) is capable of communicating with at least one legacy router (LR). For illustrative purposes, three legacy routers are shown in FIG. 1 , where they are indicated by reference numerals 114, 116, and 118, respectively. In general, the term “legacy router” is used to refer to any router that is not within the overlay domain (OD) 100.
In use, the overlay domain (OD) 100 may rely on a transport network 120 to provide network transport functionality, as will be described later. The transport network 120 may include any wide area network (WAN) and in some embodiments may include the Internet, other public WAN, a Metro Ethernet or MPLS. Typically, the transport network 120 may include circuits and networks provided by third parties such as carriers, and service providers (SPs).
In one embodiment, each overlay edge router (OER) may be provisioned with transport parameters to allow connection to the transport network 120. Further, each overlay edge router (OER) may be provisioned with system parameters that include a site ID, a domain ID, a system ID, and an address for a mapping server. In one embodiment, the system ID may be a system-wide IP address.
Similarly, each overlay controller (OC) may be provisioned with transport parameters to allow connection to the transport network 120. Further, each overlay controller (OC) may be provisioned with system parameters similar to the system parameters of each overlay edge router (OER).
Exemplary values for the system and connection parameters are shown in FIGS. 2-5 , which show portions of the overlay domain (OD) 100 in greater detail.
In one embodiment, each overlay edge router (OER) performs a bring-up procedure with an assigned overlay controller (OC) whereby the overlay edge router (OER) and said assigned overlay controller (OC) are first authenticated using a mapping server, and a secure communications channel (also referred to herein as a “control channel”) is established between said overlay edge router (OER) and overlay controller (OC). Details of the bring-up procedure, in accordance with one embodiment of the invention, are provided in co-pending U.S. patent application Ser. No. 14/028,518, which is hereby incorporated herein by reference.
Referring to FIG. 1 , reference numeral 122 shows an example of a control channel that was established as a DTLS tunnel between the overlay edge router (OER) 104 and the overlay controller (OC) 110 via the transport network 120 as a result of the bring up procedure. In one embodiment, the plurality of secure communications channels established between each overlay edge router (OER) and an assigned overlay controller (OC) together define an overlay control plane (OCP).
In one embodiment, secure tunnels may be established between one overlay edge router (OER) and another overlay edge router (OER). For example, reference numeral 124 shows a secure tunnel that may exist as an IPSec tunnel between the overlay edge router (OER) 102 and the overlay edge router (OER) 106. The tunnel 124 is through the transport network 120 and is used to transport data between its end points in a secure manner. The plurality of tunnels established between the various overlay edge routers (OERs) together form a secure overlay data plane (ODP).
In one embodiment, communications between an overlay edge router (OER) and an overlay controller (OC) may be facilitated by the use of the overlay management protocol (OMP). The OMP may be used to exchange routing, policy, security, and management information between an overlay controller (OC) and an overlay edge router (OER).
In one embodiment, the OMP may be used to advertise routing information within the overlay domain (OD) 100, as will be described.
In one embodiment, the OMP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. The OMP may listen on TCP port [17900, assigned through IANA].
The OMP may be configured to handle overlay routes and transport locators (TLOCs).
In one embodiment, an overlay route may include the prefixes that establish reachability between endpoints. An overlay route may represent services in a central data center, services at a branch office or collections of hosts and other endpoints in any location of the overlay network. An overlay route may require and resolve onto TLOCs for functional forwarding. In comparison with BGP, an overlay route may be considered to be the equivalent of a prefix carried in any of the BGP AFI/SAFI constructs.
In one embodiment, a transport locator (TLOC) ties an overlay route to a physical location. The TLOC is the only visible entity of the OMP routing domain to the underlying transport network 120, and is reachable via routing in the transport network 120. A TLOC can be directly reachable via an entry in the routing table of the physical network or be represented by a prefix residing on the outside of a NAT device, also present in the aforementioned routing table. The TLOC acts as the next-hop for overlay routes, to continue the BGP-analogy.
In one embodiment, an OMP speaker advertises to its peers those overlay routes that it has learned locally from the site to which it is attached, along with their location mappings. The OMP may interact with traditional routing at the sites to which the overlay network extends and import information from existing protocols, such as OSPF and/or BGP, providing reachability within a given site. The importing of routing information from the traditional protocols is subject to inherent and, potentially, user-defined policies.
Since the OMP operates in an overlay networking environment, the notion of routing peers is different from a traditional environment. From a logical point of view, the overlay environment consists of a central controller and a number of edge-devices. Each edge-device advertises the imported overlay routes to the central controller, and the central controller, based on policy decisions, further distributes the overlay routing information to other edge-devices in the network. Edge-devices are not configured to advertise routing information to each other using the OMP. The OMP peering sessions between the overlay controller (OC) and each overlay edge router (OER) are used exclusively for the exchange of control plane traffic, whereas the overlay data plane (ODP) channels are used for data traffic.
In one embodiment, each registered overlay edge router (OER) collects routes from directly connected networks, static routes, routes learned from the IGP protocols, and potentially BGP for redistribution.
The OMP may undertake path-selection, loop avoidance and policy execution on a local speaker basis to decide which overlay routes are installed in the local table of any edge-device. Inherent policies, best path selection and policy influencers are discussed in greater detail later.
In one embodiment, the OMP may support a variety of message types to enable routing control using the transport network 120. Examples of the message types include:
    • a. HELLO message: This is a message that is sent periodically between peers in a peering session to indicate that each peer is alive and reachable;
    • b. HANDSHAKE message: This is the first message sent by each side after a TCP connection is established. In one embodiment, the handshake message may include the site-id of the site where the route originated. The site-id may be used for route selection and loop detection. The HANDSHAKE message may include a Hold Time, which is a value that is set by an overlay controller (OC) and specifies the time between HELLO messages and UPDATE messages between the overlay controller (OC) and an overlay edge router (OER);
    • c. ALERT message: This message is used by a peer on one end of a connection to notify the peer at the opposite end that an error condition has been detected;
    • d. UPDATE message: This is a type of message that is used to transfer routing information between peers in the overlay domain (OD) 100. An UPDATE message may be used to advertise feasible routes that share common path attributes to a peer, or to withdraw multiple unfeasible routes from service. An UPDATE message may simultaneously advertise a feasible route and withdraw multiple unfeasible routes from service;
    • e. QUERY message: This message is used to send a request for a specific route for which an aggregate or less specific route exists. This message is sent by an edge-device once it finds out that a group of prefixes received is equipped with the Query attribute.
Overlay Routes
In one embodiment, the overlay routes may include the following types:
    • a. Connected (also called “direct”);
    • b. Static;
    • c. OSPF (inter, intra, external); and
    • d. BGP.
Each overlay route may be advertised with the following attributes:
    • a. TLOC;
    • b. Site-ID;
    • c. Tag;
    • d. Preference;
    • e. Query;
    • f. Originator-ID; and
    • g. Origin.
Details of the attributes of an overlay route are provided later.
Transport Locations (TLOCs)
TLOCs (Transport locations) are the location ids, e.g. a WAN interface connecting into a carrier. TLOCs are denoted by {System-IP, Link-color} as described below.
The reason for not using an interface IP address to denote a TLOC is that IP addresses can move or change (e.g. if it is DHCP assigned). Using {system-IP, color} to denote TLOCs ensures that a transport endpoint can be identified irrespective of the interface IP addressing.
Each TLOC is advertised separately by the OMP. A TLOC may be advertised with the following attributes:
    • a) TLOC Private;
    • b) TLOC Public;
    • c) Weight;
    • d) Preference;
    • e) TAG;
    • f) Site ID;
    • g) Encapsulation type.
Details of the above attributes of a TLOC are provided later.
In one embodiment a TLOC may be represented by a system-id plus color, where color represents the type of WAN interface on an overlay edge router (OER). A network operator may assign the color. In one embodiment, there may be predefined colors, e.g. default, biz-internet, public internet, metro-ethernet, MPLS, custom1, custom2, custom3, blue, bronze, gold, green, red, silver.
Service Routes
In one embodiment, service routes represent services connected to an overlay edge router (OER). The service routes may be advertised by the overlay edge routers (OERs) within the overlay domain (OD) 100 to the overlay controllers (OCs) using service address family Network Layer Reachability Information (NLRI).
In one embodiment the OMP may be configured to automatically redistribute the following types of routes that it learns either locally or from its routing peers: connected, static, OSPF intra-area routes, and OSPF inter-area routes.
In one embodiment, redistribution of BGP and OSPF external routes may require explicit or manual configuration to avoid routing loops and suboptimal routing.
In one embodiment, the OMP may be used to set the origin type and sub-origin type of each overlay route to the route's origin. Examples of “origin” and “sub-origin” types are provided in the table below:
Origin Protocol Type    Sub-Protocol Type
OSPF                    Intra-area
                        Inter-area
                        External-1
                        External-2
BGP                     Internal
                        External
Connected
Static
In one embodiment, the OMP may be used to carry the metric of the original route. Metric is ‘0’ for connected routes.
In one embodiment, an overlay edge router (OER) may implement a route selection procedure based on origin type and sub-type. An exemplary algorithm for the route selection procedure may be based on an “administrative distance” as follows:
    • An overlay route is an intra-site route if the receiving overlay edge router's site-id is the same as the overlay route's site-id; otherwise it is an inter-site route;
    • Administrative Distance of an inter-site overlay route is 15;
    • Administrative Distance of an intra-site overlay route is 150;
    • Administrative distances of other protocols are: OSPF 110; iBGP 200; eBGP 20; Static 1; Connected 0.
Best Path Algorithm and Loop Avoidance
In one embodiment, an overlay edge router (OER) advertises its local routes to its assigned overlay controller (OC) using the OMP. Depending on the network topology, the same route may get advertised from multiple overlay edge routers (OERs).
The overlay controller (OC) may then choose the best route based on the following algorithm:
    • a. A higher overlay route preference wins;
    • b. if equal, then a higher TLOC preference wins;
    • c. if equal, then compare origin type {connected over static over EBGP over OSPF intra over OSPF inter over OSPF external over IBGP over unknown};
    • d. if equal, then a lower metric wins.
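The controller-side best-path choice described above, as an added example that is not part of the patent text: the same overlay route arrives from several overlay edge routers and the rules are applied in the stated order, keeping only the advertisements that tie at each step. The class and field names and the sample advertisements are constructed for illustration.

```python
"""Added example, not part of the patent text: the overlay controller's
best-path choice among copies of one overlay route advertised by several
overlay edge routers.  The rule order (overlay route preference, TLOC
preference, origin type, metric) is the one the specification gives; the
class and field names and the sample advertisements are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Origin ordering from the specification, best first.
ORIGIN_RANK: Dict[str, int] = {
    "connected": 0, "static": 1, "ebgp": 2, "ospf-intra": 3,
    "ospf-inter": 4, "ospf-external": 5, "ibgp": 6, "unknown": 7,
}


@dataclass(frozen=True)
class Tloc:
    """Transport locator, denoted {System-IP, color}, with its own preference."""
    system_ip: str
    color: str
    preference: int = 0


@dataclass(frozen=True)
class OverlayRoute:
    """One overlay route advertisement as received by the controller."""
    prefix: str
    tloc: Tloc
    site_id: int
    origin: str
    metric: int
    preference: int = 0   # overlay route preference (PREF attribute)


# Each rule maps a route to a sort key where a smaller value is better.
RULES: List[Tuple[str, Callable[[OverlayRoute], int]]] = [
    ("higher overlay route preference", lambda r: -r.preference),
    ("higher TLOC preference", lambda r: -r.tloc.preference),
    ("origin type", lambda r: ORIGIN_RANK.get(r.origin, ORIGIN_RANK["unknown"])),
    ("lower metric", lambda r: r.metric),
]


def best_path(candidates: Iterable[OverlayRoute]) -> Tuple[Optional[OverlayRoute], str]:
    """Apply the rules in order, keeping only the routes that tie at each step.

    Returns the winning route and the name of the rule that decided it.
    """
    remaining = list(candidates)
    if not remaining:
        return None, "no candidates"
    for name, key in RULES:
        best = min(key(r) for r in remaining)
        remaining = [r for r in remaining if key(r) == best]
        if len(remaining) == 1:
            return remaining[0], name
    # Fully equal advertisements: keep the first one received.
    return remaining[0], "complete tie"


def select_best_routes(adverts: Iterable[OverlayRoute]) -> Dict[str, Tuple[Optional[OverlayRoute], str]]:
    """Group advertisements by prefix and run best_path per prefix."""
    groups: Dict[str, List[OverlayRoute]] = {}
    for r in adverts:
        groups.setdefault(r.prefix, []).append(r)
    return {p: best_path(rs) for p, rs in groups.items()}


# Constructed sample: 10.1.0.0/16 reachable via three edge routers, 10.2.0.0/16 via two.
SAMPLE_ADVERTS = [
    OverlayRoute("10.1.0.0/16", Tloc("10.0.0.2", "mpls", 100), 10, "ospf-intra", 20, preference=50),
    OverlayRoute("10.1.0.0/16", Tloc("10.0.0.3", "biz-internet", 200), 20, "connected", 0, preference=100),
    OverlayRoute("10.1.0.0/16", Tloc("10.0.0.4", "mpls", 200), 30, "static", 0, preference=100),
    OverlayRoute("10.2.0.0/16", Tloc("10.0.0.5", "mpls", 100), 40, "ospf-inter", 30, preference=100),
    OverlayRoute("10.2.0.0/16", Tloc("10.0.0.6", "mpls", 100), 50, "ospf-inter", 10, preference=100),
]

if __name__ == "__main__":
    for prefix, (route, rule) in select_best_routes(SAMPLE_ADVERTS).items():
        print(f"{prefix}: via TLOC {route.tloc.system_ip}/{route.tloc.color}, decided by {rule}")
```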
In one embodiment, an overlay route is only installed in the forwarding table of an overlay edge router (OER) if the TLOC it points to is active. In one embodiment, a TLOC is only active when there is an active BFD session with that TLOC. In one embodiment, if a BFD session to a given TLOC becomes inactive then all overlay routes pointing to that TLOC are removed from the forwarding table.
In one embodiment, each overlay edge router (OER) establishes a separate BFD session with each of the remote TLOCs. In another embodiment, a BFD session will only be established with TLOCs to which there is active traffic flow.
Details of the Attributes of an Overlay Route:
TLOC:
A TLOC is similar to the NEXT HOP attribute in BGP and is carried in the overlay route NLRI with a type value of 1. The actual TLOC is not carried as an immediate attribute to the prefix, but rather the System-IP of the OMP speaker originating the overlay route. Carrying the System-IP allows for the mapping between overlay routes and TLOCs irrespective of what the actual TLOC happens to be. This is important since TLOCs can change, and will change when traversing NATs, something that the OMP is designed to take into consideration. This TLOC attribute points to the TLOC AFI/SAFI. Within the SAFI for each TLOC, the detailed information on each specific TLOC can be found. This includes detailed information on the actual next-hop address to use, the actual TLOC. This information includes the public IP address of the TLOC and, if NAT is involved, the private and non-translated TLOC address. This separation of information allows for individual advertisement and invalidation of overlay routes or TLOCs without having to invalidate the other dependent entity.
Site ID:
The Site ID is 4 bytes long and is used for identifying whether the overlay route belongs to a particular site, regardless of whether the site is single- or multi-homed. The Site-ID helps with selecting routes: inter-site routes are always preferred over IGP learned routes, and IGP learned routes are preferred over intra-site routes. This helps in situations where there could be two site routers that are not servicing the same set of overlay edge routers (OERs).
Community/TAG:
This is a 4-octet path attribute that is optional and transitive. An OMP speaker may use this attribute to control the routing information it accepts, prefers or redistributes. For redistributed routes it could be used to control loops. A community may be attached to, removed from or modified in an update according to local policies.
Domain-ID:
This is a 4-octet field. The attribute is attached by an overlay controller (OC) and is left empty in updates to peers in the same domain. Updates received from an overlay controller (OC) within a domain are not forwarded to other overlay controllers (OCs) in the same domain unless the receiving overlay controller (OC) is considered higher in the overlay controller (OC) hierarchy. Any controller or group of controllers can peer outside of their domain. When an overlay controller (OC) peers outside its domain it will attach its Domain-ID to any updates to guarantee a loop-free topology. When an overlay route travels across domains, each overlay controller (OC) that regenerates the update into another domain must prepend its local Domain-ID, unless another controller in the originating domain has already prepended the local Domain-ID. If a receiving controller finds the local Domain-ID in the Domain LIST, the advertisement received SHOULD be ignored.
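The Domain-ID loop-avoidance rule just described, as an added example that is not part of the patent text: a controller prepends its Domain-ID when regenerating an update into another domain, leaves it empty within its own domain, and ignores any update that already carries its own Domain-ID. The update fields, controller names and domain numbers are constructed.

```python
"""Added example, not part of the patent text: Domain-ID handling for
overlay controllers that peer across domains, following the rules the
specification gives.  Field names, controller names and domain numbers
are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class ControllerUpdate:
    prefix: str
    originator_id: str                  # set by the originating OMP speaker; never altered
    domain_list: Tuple[int, ...] = ()   # Domain-IDs prepended on each domain crossing


class OverlayController:
    def __init__(self, name: str, domain_id: int) -> None:
        self.name = name
        self.domain_id = domain_id

    def accept(self, update: ControllerUpdate) -> bool:
        """Loop check: an update already carrying our Domain-ID is ignored."""
        return self.domain_id not in update.domain_list

    def forward_within_domain(self, from_controller: bool, peer_is_higher: bool) -> bool:
        """An update received from another controller of our own domain is only
        re-sent to a same-domain controller that sits higher in the hierarchy."""
        return (not from_controller) or peer_is_higher

    def regenerate(self, update: ControllerUpdate, peer_domain_id: int) -> ControllerUpdate:
        """Build the copy sent to a peer.  Same domain: Domain-ID left empty.
        Other domain: prepend our Domain-ID unless it is already present.
        The Originator-ID is carried through untouched."""
        if peer_domain_id == self.domain_id or self.domain_id in update.domain_list:
            return update
        return replace(update, domain_list=(self.domain_id,) + update.domain_list)


def walk(update: ControllerUpdate, hops: List[OverlayController]) -> Tuple[ControllerUpdate, bool]:
    """Pass `update` from hops[0] to hops[1], then onwards to hops[-1].

    Each controller regenerates the update towards the next one; the returned
    flag says whether the last controller accepted what it received.  Walking
    a ring back to the originating domain exercises the loop check.
    """
    current = update
    accepted = True
    for sender, receiver in zip(hops, hops[1:]):
        current = sender.regenerate(current, receiver.domain_id)
        accepted = receiver.accept(current)
        if not accepted:
            break
    return current, accepted


if __name__ == "__main__":
    a, b, c = OverlayController("A", 1), OverlayController("B", 2), OverlayController("C", 3)
    origin = ControllerUpdate("10.1.0.0/16", originator_id="10.0.0.2")
    final, ok = walk(origin, [a, b, c, a])
    print("domain list on return to A:", final.domain_list, "accepted:", ok)
```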
Preference (PREF):
Preference is a well-known 4-octet attribute that is included in all UPDATE messages and is either originated by an edge-device itself or set as part of the policy at the controller. Any edge-device that receives an overlay route calculates the degree of preference for the route based on the configured policy before considering other attributes of a TLOC. An overlay route carrying a higher preference value is preferred. Each overlay edge router (OER) may be configured to consider this attribute first in its decision process for route selection.
Query:
This is a one-octet attribute attached to an OMP update carrying an aggregated prefix. The attribute has two applications: one from the controller's perspective and another from the edge-device's perspective. From the controller's perspective, when an aggregated shorter prefix is originated by the controller to any of the edge-devices, this attribute indicates that more specific prefixes within the aggregated range exist and that they are located at location(s) different from that of the aggregate's TLOC. In this case, the controller is indicating that a query for the TLOC where the longest-match overlay route is located may be performed. From the edge-device's perspective, using the advertised aggregate for data-plane traffic can take place in parallel with performing a query for more specific prefixes and the associated TLOCs.
Originator-ID:
This is a four-octet attribute that is mandatory and assigned by the originator of an overlay route. The attribute carries the OMP Identifier of the originator of the route. Any controller passing the route should not alter the Originator-ID attribute.
Origin:
The Origin attribute is carried with each overlay route and is used to indicate which routing protocols were registered and/or redistributed by the OMP.
Details of the Attributes of a TLOC, in Accordance with One Embodiment.
TLOC Private:
This attribute has a value of 2 and is used to carry the actual address of an interface of an OMP speaker. This address may not be the address seen by the rest of the network if NAT is used in the path from the device to the transport network attachment. This is required for fully functional operation in a NAT environment.
TLOC Public:
This attribute has a value of 3 and is used to carry the address used on the outside of a NAT, corresponding to the address carried in the TLOC Private attribute for the network attachment on the inside of the NAT-device. For overlay route entries, this is the NAT translated address used to forward packets. This is not used as the next hop in the OMP, but only in the forwarding table, making the situation where TLOCs changing due to changing NAT mappings manageable and less disruptive.
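How an edge router resolves overlay routes onto TLOC Private and TLOC Public addresses, as an added example that is not part of the patent text; it also covers the BFD-gated installation described earlier (a route is only in the forwarding table while its TLOC is active). The class names, sample prefixes and sample addresses are constructed.

```python
"""Added example, not part of the patent text: an overlay edge router's
forwarding table built from overlay routes and TLOC entries.  Routes point
at {System-IP, color}; the TLOC entry supplies the TLOC Private and TLOC
Public addresses; a route is installed only while its TLOC is active (BFD
up); a NAT rebind changes only the TLOC entry.  Names and addresses are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class TlocKey:
    """TLOC identity: {System-IP, color}, independent of interface addressing."""
    system_ip: str
    color: str


@dataclass
class TlocEntry:
    private_addr: str    # TLOC Private: interface address inside the NAT
    public_addr: str     # TLOC Public: address seen on the outside of the NAT
    encapsulation: str = "ipsec"
    bfd_up: bool = False


class OverlayEdgeRouter:
    def __init__(self) -> None:
        self.tlocs: Dict[TlocKey, TlocEntry] = {}
        self.overlay_routes: Dict[str, TlocKey] = {}   # prefix -> next-hop TLOC

    def learn_tloc(self, key: TlocKey, entry: TlocEntry) -> None:
        self.tlocs[key] = entry

    def withdraw_tloc(self, key: TlocKey) -> None:
        # Invalidating a TLOC does not touch the overlay routes that reference it.
        self.tlocs.pop(key, None)

    def learn_route(self, prefix: str, key: TlocKey) -> None:
        self.overlay_routes[prefix] = key

    def bfd_state(self, key: TlocKey, up: bool) -> None:
        if key in self.tlocs:
            self.tlocs[key].bfd_up = up

    def nat_rebind(self, key: TlocKey, new_public_addr: str) -> None:
        """The NAT mapping changed: only TLOC Public is updated; the overlay
        routes keep pointing at the same {System-IP, color}."""
        self.tlocs[key].public_addr = new_public_addr

    def forwarding_table(self) -> Dict[str, Tuple[str, str]]:
        """prefix -> (next-hop address, encapsulation) for routes whose TLOC is
        known and active.  TLOC Public is the address packets are sent to."""
        fib: Dict[str, Tuple[str, str]] = {}
        for prefix, key in self.overlay_routes.items():
            entry = self.tlocs.get(key)
            if entry is None or not entry.bfd_up:
                continue   # withheld from the forwarding table, still in the OMP table
            fib[prefix] = (entry.public_addr, entry.encapsulation)
        return fib


def scenario() -> Dict[str, dict]:
    """Constructed walk-through returning the forwarding table after each event."""
    oer = OverlayEdgeRouter()
    remote = TlocKey("10.0.0.6", "biz-internet")
    oer.learn_tloc(remote, TlocEntry(private_addr="192.168.1.10", public_addr="203.0.113.7"))
    oer.learn_route("10.6.0.0/16", remote)
    oer.learn_route("10.7.0.0/16", remote)
    snaps: Dict[str, dict] = {}
    snaps["before_bfd"] = oer.forwarding_table()        # empty: TLOC not yet active
    oer.bfd_state(remote, True)
    snaps["bfd_up"] = oer.forwarding_table()            # both prefixes via 203.0.113.7
    oer.nat_rebind(remote, "203.0.113.9")
    snaps["after_nat_rebind"] = oer.forwarding_table()  # next hop follows the new mapping
    oer.bfd_state(remote, False)
    snaps["bfd_down"] = oer.forwarding_table()          # empty again: routes withheld
    snaps["routes_still_known"] = {p: (k.system_ip, k.color) for p, k in oer.overlay_routes.items()}
    return snaps


if __name__ == "__main__":
    for event, table in scenario().items():
        print(f"{event}: {table}")
```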
Weight:
This is a four-octet unsigned number attribute with a value of 6. This attribute is used to discriminate among multiple entry points caused by an overlay route being reachable through several different TLOCs. It is at the discretion of the operator to enable either ECMP or unequal-cost multi-path traffic distribution based on the assigned weights.
Preference:
Similar to the overlay route preference, this is used to differentiate between the TLOCs advertising the same overlay route. Preference is a well-known attribute (value 5) that is included in all UPDATE messages and is either originated by the edge-device itself or set as part of a policy at the controller. Any edge-device receiving an overlay route takes the TLOC preference into consideration after considering the overlay route preference. A higher preference is preferred.
Color:
This is a four-octet attribute value used to define the characteristics of the link, to define the service type, or to be used for CoS-based exit from or entry into the TLOC. The color can be set by the edge-device or the controller depending on the policy configured at either device, but needs to match across the network for efficient color-based forwarding to take place.
Community/Tag:
This is a four-octet entity, a path attribute that is optional and transitive. An OMP speaker may use this attribute to control routing information flow toward a TLOC. When an overlay route is advertised along with its TLOC, both or either can be distributed with a community TAG, to be used to decide how to send traffic to, or receive traffic from, a group of TLOCs.
Site ID:
The Site ID is a four-octet attribute used for identifying overlay routes being sourced from particular sites. It assists in route-selection, since inter-site routes are always preferred over IGP learned routes.
Encapsulation:
The Tunnel Encapsulation attribute is an optional transitive attribute that is composed of a set of Type-Length-Value (TLV) encodings. The type code of the attribute is set to 4. Each TLV contains information corresponding to a particular tunnel technology.
In one embodiment the OMP may be used to create a secure network in accordance with a method illustrated in FIG. 6 . Referring to FIG. 6 , the method may include the following processing blocks:
Block 600: establish an overlay domain to control routing between overlay edge routers based on an underlying transport network. This step includes running the OMP to exchange information within the overlay domain;
Block 602: in accordance with the OMP define service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and
Block 604: selectively use the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes is not shared with the underlying transport network.
In another embodiment, the OMP may be used to perform a method for routing. This method is illustrated in the flowchart of FIG. 7. Referring to FIG. 7, the method may include the following processing blocks:
Block 700: provide an overlay network comprising at least one overlay controller; and a plurality of overlay edge routers communicatively coupled to the at least one overlay controller; wherein the overlay network is associated with an underlying transport network;
Block 702: collect by the overlay controller, routing information comprising at least one of authentication information, service information, encryption information, policy information, and access control information; wherein said routing information is carried by an overlay management protocol; and
Block 704: orchestrate by the overlay controller, routing through the underlying transport network based on the routing information; wherein said routing information is not exposed to elements of the underlying transport network.
FIG. 8 shows an example of hardware 800 that may be used to implement the overlay controller (OC), in accordance with one embodiment. The hardware 800 may include at least one processor 802 coupled to a memory 804. The processor 802 may represent one or more processors (e.g., microprocessors), and the memory 804 may represent random access memory (RAM) devices comprising a main storage of the hardware, as well as any supplemental levels of memory, e.g., cache memories, non-volatile or back-up memories (e.g. programmable or flash memories), read-only memories, etc. In addition, the memory 804 may be considered to include memory storage physically located elsewhere in the hardware, e.g. any cache memory in the processor 802, as well as any storage capacity used as a virtual memory, e.g., as stored on a mass storage device.
The hardware also typically receives a number of inputs and outputs for communicating information externally. For interface with a user or operator, the hardware may include one or more user input/output devices 806 (e.g., a keyboard, mouse, etc.) and a display 808. For additional storage, the hardware 800 may also include one or more mass storage devices 810, e.g., a Universal Serial Bus (USB) or other removable disk drive, a hard disk drive, a Direct Access Storage Device (DASD), an optical drive (e.g. a Compact Disk (CD) drive, a Digital Versatile Disk (DVD) drive, etc.) and/or a USB drive, among others. Furthermore, the hardware may include an interface with one or more networks 812 (e.g., a local area network (LAN), a wide area network (WAN), a wireless network, and/or the Internet, among others) to permit the communication of information with other computers coupled to the networks. It should be appreciated that the hardware typically includes suitable analog and/or digital interfaces between the processor 802 and each of the components, as is well known in the art.
The hardware 800 operates under the control of an operating system 814, and executes application software 816 which includes various computer software applications, components, programs, objects, modules, etc. to perform the techniques described above.
In general, the routines executed to implement the embodiments of the invention, may be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as “computer programs.” The computer programs typically comprise one or more instructions set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processors in a computer, cause the computer to perform operations necessary to execute elements involving the various aspects of the invention. Moreover, while the invention has been described in the context of fully functioning computers and computer systems, those skilled in the art will appreciate that the various embodiments of the invention are capable of being distributed as a program product in a variety of forms, and that the invention applies equally regardless of the particular type of machine or computer-readable media used to actually effect the distribution. Examples of computer-readable media include but are not limited to recordable type media such as volatile and non-volatile memory devices, USB and other removable media, hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks, (DVDs), etc.), flash drives among others.
FIG. 9 shows a block diagram of hardware 900 for any of the routers disclosed herein, in accordance with one embodiment of the invention. Referring to FIG. 9, the hardware 900 includes a routing chip 904 coupled to a forwarding chip 908. The routing chip 904 performs functions such as path computations, routing table maintenance, and reachability propagation. Components of the routing chip include a CPU or processor 904, which is coupled to a memory 906. The memory stores instructions to perform the methods disclosed herein. The forwarding chip is responsible for packet forwarding along a plurality of line interfaces 910.
Although the present invention has been described with reference to specific exemplary embodiments, it will be evident that various modifications and changes can be made to these embodiments without departing from the broader spirit of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than in a restrictive sense.

Claims (46)

The invention claimed is:
1. A method comprising:
at an overlay network comprising an overlay controller and a plurality of overlay edge routers that are within control of an enterprise:
provisioning the overlay controller and the plurality of overlay edge routers with transport parameters to allow respective connections to a public transport network that is not within control of the enterprise;
establishing a secure overlay control plane that includes a plurality of secure control channels between the overlay controller and respective overlay edge routers of the plurality of overlay edge routers;
establishing a secure overlay data plane that includes a plurality of secure tunnels between at least some of the plurality of overlay edge routers, wherein the plurality of secure tunnels go through the public transport network;
collecting, by the overlay controller, routing information comprising at least one of authentication information, service information, encryption information, policy information, and access control information wherein the routing information is carried by an overlay management protocol; and
transmitting, by the overlay controller, the routing information to one or more of the plurality of overlay edge routers over the secure overlay control plane in order to mask the routing information from the public transport network.
2. The method of claim 1, wherein the provisioning comprises:
provisioning the overlay controller and the plurality of overlay edge routers with respective system parameters that include one or more of a site identifier (ID), a domain ID, a system ID and an address of a mapping server.
3. The method of claim 1, wherein each of the plurality of secure control channels includes a Datagram Transport Layer Security (DTLS) tunnel.
4. The method of claim 1, wherein each of the plurality of secure tunnels includes an Internet Protocol Security (IPSec) tunnel.
5. The method of claim 1, further comprising:
routing, based on the routing information, data traffic over the secure overlay data plane.
6. The method of claim 5, wherein the routing comprises:
routing the data traffic over the plurality of secure tunnels going through the public transport network.
7. A non-transitory computer-readable medium having stored instructions which when executed by a system cause the system to:
provision an overlay controller and a plurality of overlay edge routers that are within control of an enterprise with transport parameters to allow respective connections to a public transport network that is not within control of the enterprise;
establish a secure overlay control plane that includes a plurality of secure control channels between the overlay controller and respective overlay edge routers of the plurality of overlay edge routers;
establish a secure overlay data plane that includes a plurality of secure tunnels between at least some of the plurality of overlay edge routers, wherein the plurality of secure tunnels go through the public transport network;
collect, by the overlay controller, routing information comprising at least one of authentication information, service information, encryption information, policy information, and access control information wherein the routing information is carried by an overlay management protocol; and
transmit, by the overlay controller, the routing information to one or more of the plurality of overlay edge routers over the secure overlay control plane in order to mask the routing information from the public transport network.
8. The non-transitory computer-readable medium of claim 7, wherein the provisioning comprises:
provisioning the overlay controller and the plurality of overlay edge routers with respective system parameters that include one or more of a site identifier (ID), a domain ID, a system ID and an address of a mapping server.
9. The non-transitory computer-readable medium of claim 7, wherein each of the plurality of secure control channels includes a Datagram Transport Layer Security (DTLS) tunnel.
10. The non-transitory computer-readable medium of claim 7, wherein each of the plurality of secure tunnels includes an Internet Protocol Security (IPSec) tunnel.
11. The non-transitory computer-readable medium of claim 8, further comprising:
routing, based on the routing information, data traffic over the secure overlay data plane.
12. The non-transitory computer-readable medium of claim 11, wherein the routing comprises:
routing the data traffic over the plurality of secure tunnels going through the public transport network.
13. A controller, comprising: a processor; and
a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the controller to:
provision an overlay controller and a plurality of overlay edge routers that are within control of an enterprise with transport parameters to allow respective connections to a public transport network that is not within control of the enterprise;
establish a secure overlay control plane that includes a plurality of secure control channels between the overlay controller and respective overlay edge routers of the plurality of overlay edge routers;
establish a secure overlay data plane that includes a plurality of secure tunnels between at least some of the plurality of overlay edge routers, wherein the plurality of secure tunnels go through the public transport network;
collect, by the overlay controller, routing information comprising at least one of authentication information, service information, encryption information, policy information, and access control information; wherein the routing information is carried by an overlay management protocol; and
transmit, by the overlay controller, the routing information to one or more of the plurality of overlay edge routers over the secure overlay control plane in order to mask the routing information from the public transport network.
14. The controller of claim 13, wherein the provisioning comprises:
provisioning the overlay controller and the plurality of overlay edge routers with respective system parameters that include one or more of a site identifier (ID), a domain ID, a system ID and an address of a mapping server.
15. The controller of claim 13, wherein each of the plurality of secure control channels includes a Datagram Transport Layer Security (DTLS) tunnel.
16. The controller of claim 13, wherein each of the plurality of secure tunnels includes an Internet Protocol Security (IPSec) tunnel.
17. The controller of claim 13, wherein the instructions further cause the controller to:
route, based on the routing information, data traffic over the secure overlay data plane.
18. An overlay network system, comprising:
a controller and a plurality of overlay network devices configured to use transport parameters to connect to an underlying transport network that is not within control of an enterprise network, the controller comprising:
a processor;
a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the controller to:
create a secure overlay control plane by establishing, over the underlying transport network, secure control connections with the plurality of overlay network devices, and
transmit, over corresponding ones of the secure control connections, messages including overlay routing information to the overlay network devices thereby preventing exposure of the overlay routing information to the underlying transport network, wherein the transmitted overlay routing information includes policy data that affects how each overlay network device of the plurality of overlay network devices forwards network traffic to the other overlay network devices;
each of the plurality of overlay network devices operative to:
establish, over the underlying transport network, secure network layer tunnels with one or more of the other overlay network devices, wherein the secure network layer tunnels form a secure overlay data plane,
collect route information including network reachability information for endpoints available at a physical site associated with the corresponding overlay network device,
distribute the collected route information to the controller over a corresponding secure control connection,
maintain the overlay routing information received from the controller, and
forward, based on the overlay routing information, network traffic to selected ones of the overlay network devices using corresponding ones of the secure network layer tunnels.
19. The overlay network system of claim 18, wherein the overlay routing information comprises one or more overlay routes, wherein each overlay route comprises information identifying a service or collection of endpoints and a next-hop identifier, the next-hop identifier corresponding to an overlay network device in the overlay network having reachability to the service or the collection of endpoints.
20. The overlay network system of claim 18, wherein the policy data comprises a preference value associated with an overlay route.
21. The overlay network system of claim 18, wherein the overlay network devices are each operative to transmit the collected route information to the controller.
22. The overlay network system of claim 18, wherein each of the overlay network devices are operative to collect the route information by interacting with one or more routers at the physical site associated with the corresponding overlay network device.
23. The overlay network system of claim 22, wherein each of the overlay network devices are operative to implement a routing protocol to interact with the one or more routers.
24. The overlay network system of claim 23, wherein the routing protocol is any one of the Open Shortest Path First (OSPF) or the border gateway protocol (BGP).
25. The overlay network system of claim 18, wherein the collected route information further includes network reachability information for services available at a physical site associated with a given overlay network device.
26. The overlay network system of claim 18, wherein the secure network layer tunnels are IPSec tunnels.
27. An overlay network device, comprising
a processor;
a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the overlay network device to:
create a secure overlay control plane by establishing, over an underlying transport network, a secure control connection with a controller; and
receive, over the secure control connection thereby preventing exposure of overlay routing information to the underlying transport network, messages from the controller, the messages including the overlay routing information, wherein the overlay routing information includes policy data for one or more overlay routes;
establish, over the underlying transport network, secure network layer tunnels with one or more other overlay network devices of an overlay network, wherein the secure network layer tunnels form a secure overlay data plane,
collect route information including network reachability information for endpoints available at a physical site associated with the overlay network device;
distribute the collected route information to the controller over a corresponding secure control connection; and
maintain in the memory the overlay routing information received from the controller, and
a forwarding component operative to:
forward, based on the overlay routing information and policy data, network traffic to selected ones of the overlay network devices using corresponding ones of the secure network layer tunnels,
wherein the overlay network device and the controller are configured to use transport parameters to connect to the underlying transport network that is not within control of an enterprise network.
28. The overlay network device of claim 27, wherein the overlay routing information comprises one or more overlay routes, wherein each overlay route comprises information identifying a service or collection of endpoints and a next-hop identifier, the next-hop identifier corresponding to an overlay network device in the overlay network having reachability to the service or the collection of endpoints.
29. The overlay network device of claim 27, wherein the policy data comprises a preference value associated with an overlay route.
30. The overlay network device of claim 27, wherein the instructions are further operative to cause the overlay network device to transmit the collected route information to the controller.
31. The overlay network device of claim 27, wherein the instructions are further operative to cause the overlay network device to collect the route information by interacting with one or more routers at the physical site associated with the corresponding overlay network device.
32. The overlay network device of claim 31, wherein the instructions are further operative to cause the overlay network device to implement a routing protocol to interact with the one or more routers.
33. The overlay network device of claim 32, wherein the routing protocol is any one of the Open Shortest Path First (OSPF) or the border gateway protocol (BGP).
34. The overlay network device of claim 29, wherein the collected route information further includes network reachability information for services available at a physical site associated with a given overlay network device.
35. The overlay network device of claim 27, wherein the secure network layer tunnels are IPSec tunnels.
36. The overlay network device of claim 27, wherein the forwarding component is a forwarding chip.
37. The overlay network device of claim 36, wherein the forwarding component is a forwarding chip coupled to one or more line interfaces.
38. An overlay network controller, comprising
a processor;
a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the controller to:
create a secure overlay control plane by establishing, over an underlying transport network, secure control connections with a plurality of overlay network devices of an overlay network, and
transmit, over corresponding ones of the secure control connections, messages including overlay routing information to the overlay network devices thereby preventing exposure of the overlay routing information to the underlying transport network, wherein the transmitted overlay routing information includes policy data that affects how each overlay network device of the plurality of overlay network devices forwards network traffic to the other overlay network devices within the overlay network;
wherein the plurality of overlay network devices are each operative to:
establish, over the underlying transport network, secure network layer tunnels with one or more of the other overlay network devices, wherein the secure network layer tunnels form a secure overlay data plane,
collect route information including network reachability information for endpoints available at a physical site associated with the corresponding overlay network device;
distribute the collected route information to the controller over a corresponding secure control connection,
maintain the overlay routing information received from the controller, and
forward, based on the overlay routing information, network traffic to selected ones of the overlay network devices using corresponding ones of the secure network layer tunnels,
wherein the controller and the plurality of overlay network devices are configured to use transport parameters to connect to the underlying transport network that is not within control of an enterprise network.
39. The overlay network controller of claim 38, wherein the overlay routing information comprises one or more overlay routes, wherein each overlay route comprises information identifying a service or collection of endpoints and a next-hop identifier, the next-hop identifier corresponding to an overlay network device in the overlay network having reachability to the service or the collection of endpoints.
40. The overlay network controller of claim 38, wherein the policy data comprises a preference value associated with an overlay route.
41. The overlay network controller of claim 38, wherein the instructions are further operative to cause the controller to receive the collected route information from the overlay network devices over corresponding ones of the control connections.
42. The overlay network controller of claim 38, wherein the route information is collected by the overlay network devices by interacting with one or more routers at the physical site associated with the corresponding overlay network device.
43. The overlay network controller of claim 38, wherein the overlay network devices collect the route information by implementing a routing protocol to interact with the one or more routers.
44. The overlay network controller of claim 43, wherein the routing protocol is any one of the Open Shortest Path First (OSPF) or the border gateway protocol (BGP).
45. The overlay network controller of claim 38, wherein the collected route information further includes network reachability information for services available at a physical site associated with a given overlay network device.
46. The overlay network controller of claim 38, wherein the secure network layer tunnels are IPSec tunnels.
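The route exchange that claims 18 to 20 (and their counterparts 27 to 29 and 38 to 40) describe, as an added Python simulation that is not code from the patent or from its assignee: edge routers collect reachability for their physical site and send it to the controller, the controller redistributes overlay routes consisting of a prefix, a next-hop system identifier and a policy preference, and each edge forwards to the selected next hop's tunnel. The class names, system IDs, prefixes and the policy map are constructed for the example. The DTLS control channels and IPsec tunnels of the claims are not modelled; Python objects are handed over directly where those secure messages would travel.

```python
"""Simulation of the overlay route exchange of claims 18-20 (added example).

Assumptions: Controller, EdgeRouter, OverlayRoute and the system IDs used
below are invented for the simulation; the secure control channels (DTLS)
and data-plane tunnels (IPsec) of the claims are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OverlayRoute:
    """One overlay route (claim 19): a prefix standing for a collection of
    endpoints, the system ID of the edge that reaches it, and the policy
    preference the controller attaches (claim 20; higher is preferred)."""
    prefix: str
    next_hop: str
    preference: int = 100


class Controller:
    """Collects site reachability from every edge, attaches policy and
    redistributes the resulting overlay routes to all edges (claim 18)."""

    def __init__(self, policy: Dict[str, int]):
        # policy maps a next-hop system ID to the preference its routes get
        # (constructed for the example, e.g. {"hub-1": 200}); unlisted edges
        # get the default preference of 100
        self.policy = policy
        self.site_routes: Dict[str, List[str]] = {}

    def receive_site_routes(self, system_id: str, prefixes: List[str]) -> None:
        """Edge -> controller: reachability for the edge's physical site."""
        self.site_routes[system_id] = list(prefixes)

    def overlay_routes(self) -> List[OverlayRoute]:
        """Controller -> edges: every site prefix tagged with next hop and preference."""
        routes = []
        for system_id, prefixes in self.site_routes.items():
            pref = self.policy.get(system_id, 100)
            routes.extend(OverlayRoute(p, system_id, pref) for p in prefixes)
        return routes


class EdgeRouter:
    """An overlay edge: advertises its site, installs controller routes and
    picks the tunnel (next-hop system ID) for a destination address."""

    def __init__(self, system_id: str, site_prefixes: List[str]):
        self.system_id = system_id
        self.site_prefixes = site_prefixes
        self.rib: List[OverlayRoute] = []

    def advertise(self, ctl: Controller) -> None:
        ctl.receive_site_routes(self.system_id, self.site_prefixes)

    def install(self, routes: List[OverlayRoute]) -> None:
        # keep what the controller sent, minus routes pointing back at ourself
        self.rib = [r for r in routes if r.next_hop != self.system_id]

    def select_tunnel(self, dst: str) -> Optional[str]:
        """Forwarding decision: longest prefix match first, then highest
        preference; ties go to the first route learned. Returns the system ID
        whose tunnel would carry dst, or None for a locally attached endpoint."""
        addr = ip_address(dst)
        if any(addr in ip_network(p) for p in self.site_prefixes):
            return None
        best = None
        for r in self.rib:
            net = ip_network(r.prefix)
            if addr not in net:
                continue
            key = (net.prefixlen, r.preference)
            if best is None or key > best[0]:
                best = (key, r)
        return best[1].next_hop if best else None


def converge(ctl: Controller, edges: List[EdgeRouter]) -> None:
    """One control-plane cycle: edges advertise, controller redistributes."""
    for e in edges:
        e.advertise(ctl)
    routes = ctl.overlay_routes()
    for e in edges:
        e.install(routes)


def run_example() -> dict:
    # constructed topology: two hubs summarising 10.0.0.0/8, two branches
    hub1 = EdgeRouter("hub-1", ["10.0.0.0/8"])
    hub2 = EdgeRouter("hub-2", ["10.0.0.0/8"])
    branch_a = EdgeRouter("branch-a", ["10.1.0.0/16"])
    branch_b = EdgeRouter("branch-b", ["10.2.0.0/16"])
    edges = [hub1, hub2, branch_a, branch_b]

    ctl = Controller(policy={"hub-1": 200})
    converge(ctl, edges)
    prefer_hub1 = {
        "to_branch_b": branch_a.select_tunnel("10.2.5.1"),   # /16 beats /8
        "to_dc": branch_a.select_tunnel("10.9.0.1"),         # policy picks hub-1
        "own_site": branch_a.select_tunnel("10.1.0.9"),      # local delivery
    }
    # the controller changes policy; no edge configuration is touched
    ctl.policy = {"hub-2": 200}
    converge(ctl, edges)
    prefer_hub2 = {"to_dc": branch_a.select_tunnel("10.9.0.1")}
    return {"prefer_hub1": prefer_hub1, "prefer_hub2": prefer_hub2,
            "route_count": len(ctl.overlay_routes())}


if __name__ == "__main__":
    print(run_example())
```

The second `converge` call is the point of claim 18's "policy data that affects how each overlay network device forwards": the branch's forwarding flips from hub-1 to hub-2 solely because the controller re-advertised the same prefixes with different preferences. Longest-prefix match is evaluated before preference so that a more specific branch prefix still wins over a preferred hub summary.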

Priority Applications (2)

Application Number Priority Date Filing Date Title
US17/160,178 USRE49485E1 (en) 2013-12-18 2021-01-27 Overlay management protocol for secure routing based on an overlay network
US17/677,280 USRE50105E1 (en) 2013-12-18 2022-02-22 Overlay management protocol for secure routing based on an overlay network

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US14/133,558 US9467478B1 (en) 2013-12-18 2013-12-18 Overlay management protocol for secure routing based on an overlay network
US15/261,790 US9736113B1 (en) 2013-12-18 2016-09-09 Overlay management protocol for secure routing based on an overlay network
US15/677,001 US10277558B2 (en) 2013-12-18 2017-08-14 Overlay management protocol for secure routing based on an overlay network
US17/085,767 USRE50148E1 (en) 2013-12-18 2020-10-30 Overlay management protocol for secure routing based on an overlay network
US17/160,178 USRE49485E1 (en) 2013-12-18 2021-01-27 Overlay management protocol for secure routing based on an overlay network

Related Parent Applications (3)

Application Number Title Priority Date Filing Date
US15/261,790 Division US9736113B1 (en) 2013-12-18 2016-09-09 Overlay management protocol for secure routing based on an overlay network
US15/677,001 Reissue US10277558B2 (en) 2013-12-18 2017-08-14 Overlay management protocol for secure routing based on an overlay network
US17/085,767 Continuation USRE50148E1 (en) 2013-12-18 2020-10-30 Overlay management protocol for secure routing based on an overlay network

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/677,280 Continuation USRE50105E1 (en) 2013-12-18 2022-02-22 Overlay management protocol for secure routing based on an overlay network

Publications (1)

Publication Number Publication Date
USRE49485E1 true USRE49485E1 (en) 2023-04-04

Family

ID=57046110

Family Applications (6)

Application Number Title Priority Date Filing Date
US14/133,558 Expired - Fee Related US9467478B1 (en) 2013-12-18 2013-12-18 Overlay management protocol for secure routing based on an overlay network
US15/261,790 Active US9736113B1 (en) 2013-12-18 2016-09-09 Overlay management protocol for secure routing based on an overlay network
US15/677,001 Ceased US10277558B2 (en) 2013-12-18 2017-08-14 Overlay management protocol for secure routing based on an overlay network
US17/085,767 Active USRE50148E1 (en) 2013-12-18 2020-10-30 Overlay management protocol for secure routing based on an overlay network
US17/160,178 Active USRE49485E1 (en) 2013-12-18 2021-01-27 Overlay management protocol for secure routing based on an overlay network
US17/677,280 Active USRE50105E1 (en) 2013-12-18 2022-02-22 Overlay management protocol for secure routing based on an overlay network

Country Status (1)

Country Link
US (6) US9467478B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230216733A1 (en) * 2021-12-31 2023-07-06 Fortinet, Inc. Distributed node discovery and overlay path management on a data communication network

Families Citing this family (96)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8560634B2 (en) * 2007-10-17 2013-10-15 Dispersive Networks, Inc. Apparatus, systems and methods utilizing dispersive networking
US9083650B2 (en) * 2012-10-16 2015-07-14 Cable Television Laboratories, Inc. Overlay network
US9882713B1 (en) 2013-01-30 2018-01-30 vIPtela Inc. Method and system for key generation, distribution and management
US10454714B2 (en) 2013-07-10 2019-10-22 Nicira, Inc. Method and system of overlay flow control
US10749711B2 (en) 2013-07-10 2020-08-18 Nicira, Inc. Network-link method useful for a last-mile connectivity in an edge-gateway multipath system
US10142254B1 (en) 2013-09-16 2018-11-27 Cisco Technology, Inc. Service chaining based on labels in control and forwarding
US9467478B1 (en) 2013-12-18 2016-10-11 vIPtela Inc. Overlay management protocol for secure routing based on an overlay network
US10135789B2 (en) 2015-04-13 2018-11-20 Nicira, Inc. Method and system of establishing a virtual private network in a cloud service for branch networking
US10425382B2 (en) 2015-04-13 2019-09-24 Nicira, Inc. Method and system of a cloud-based multipath routing protocol
US10498652B2 (en) 2015-04-13 2019-12-03 Nicira, Inc. Method and system of application-aware routing with crowdsourcing
US9980303B2 (en) 2015-12-18 2018-05-22 Cisco Technology, Inc. Establishing a private network using multi-uplink capable network devices
US10212223B2 (en) * 2016-09-30 2019-02-19 Hewlett Packard Enterprise Development Lp Overlay network management
CN107959636B (en) * 2016-10-17 2021-01-26 新华三技术有限公司 Method and device for sending BGP (Border gateway protocol) message
US11252079B2 (en) 2017-01-31 2022-02-15 Vmware, Inc. High performance software-defined core network
US20180219765A1 (en) 2017-01-31 2018-08-02 Waltz Networks Method and Apparatus for Network Traffic Control Optimization
US20200036624A1 (en) 2017-01-31 2020-01-30 The Mode Group High performance software-defined core network
US11706127B2 (en) 2017-01-31 2023-07-18 Vmware, Inc. High performance software-defined core network
US10992568B2 (en) 2017-01-31 2021-04-27 Vmware, Inc. High performance software-defined core network
US10992558B1 (en) 2017-11-06 2021-04-27 Vmware, Inc. Method and apparatus for distributed data network traffic optimization
US11121962B2 (en) 2017-01-31 2021-09-14 Vmware, Inc. High performance software-defined core network
US10778528B2 (en) 2017-02-11 2020-09-15 Nicira, Inc. Method and system of connecting to a multipath hub in a cluster
US10476802B2 (en) 2017-03-23 2019-11-12 Cisco Technology, Inc. System and method for reactive path selection
US10523539B2 (en) 2017-06-22 2019-12-31 Nicira, Inc. Method and system of resiliency in cloud-delivered SD-WAN
US10999165B2 (en) 2017-10-02 2021-05-04 Vmware, Inc. Three tiers of SaaS providers for deploying compute and network infrastructure in the public cloud
US11115480B2 (en) 2017-10-02 2021-09-07 Vmware, Inc. Layer four optimization for a virtual network defined over public cloud
US10999100B2 (en) 2017-10-02 2021-05-04 Vmware, Inc. Identifying multiple nodes in a virtual network defined over a set of public clouds to connect to an external SAAS provider
US11089111B2 (en) 2017-10-02 2021-08-10 Vmware, Inc. Layer four optimization for a virtual network defined over public cloud
US10805114B2 (en) 2017-10-02 2020-10-13 Vmware, Inc. Processing data messages of a virtual network that are sent to and received from external service machines
US11223514B2 (en) 2017-11-09 2022-01-11 Nicira, Inc. Method and system of a dynamic high-availability mode based on current wide area network connectivity
US20190207844A1 (en) * 2018-01-03 2019-07-04 Hewlett Packard Enterprise Development Lp Determining routing decisions in a software-defined wide area network
US10999197B2 (en) * 2018-11-30 2021-05-04 Cisco Technology, Inc. End-to-end identity-aware routing across multiple administrative domains
US11258628B2 (en) * 2019-06-24 2022-02-22 Cisco Technology, Inc. Plug and play at sites using TLOC-extension
US11343137B2 (en) * 2019-08-23 2022-05-24 Cisco Technology, Inc. Dynamic selection of active router based on network conditions
US10999137B2 (en) 2019-08-27 2021-05-04 Vmware, Inc. Providing recommendations for implementing virtual networks
US11044190B2 (en) 2019-10-28 2021-06-22 Vmware, Inc. Managing forwarding elements at edge nodes connected to a virtual network
US11683262B2 (en) * 2019-11-26 2023-06-20 Cisco Technology, Inc. Group-based policies for inter-domain traffic
US11394640B2 (en) 2019-12-12 2022-07-19 Vmware, Inc. Collecting and analyzing data regarding flows associated with DPI parameters
US11489783B2 (en) 2019-12-12 2022-11-01 Vmware, Inc. Performing deep packet inspection in a software defined wide area network
CN113163276B (en) * 2020-01-22 2025-02-25 华为技术有限公司 Method, device and system for publishing routing information
US11418997B2 (en) 2020-01-24 2022-08-16 Vmware, Inc. Using heart beats to monitor operational state of service classes of a QoS aware network link
US11431616B2 (en) * 2020-02-18 2022-08-30 Nokia Solutions And Networks Oy Loop detection in multiprotocol label switching
US11245641B2 (en) 2020-07-02 2022-02-08 Vmware, Inc. Methods and apparatus for application aware hub clustering techniques for a hyper scale SD-WAN
US12052168B2 (en) * 2020-07-27 2024-07-30 Juniper Networks, Inc. Route target constraint to filter routes advertised to a node in a seamless MPLS or seamless SR network
US11709710B2 (en) 2020-07-30 2023-07-25 Vmware, Inc. Memory allocator for I/O operations
US11595302B2 (en) 2020-09-23 2023-02-28 Ciena Corporation Controlling routing behavior during router table-memory exhaustion events
US11991076B1 (en) * 2020-10-01 2024-05-21 Cisco Technology, Inc. Optimized MVPN route exchange in SD-WAN environments
US11146500B1 (en) 2020-11-03 2021-10-12 Cisco Technology, Inc. Optimized transport resource allocation using centralized control policy
US11575591B2 (en) 2020-11-17 2023-02-07 Vmware, Inc. Autonomous distributed forwarding plane traceability based anomaly detection in application traffic for hyper-scale SD-WAN
CN114553773B (en) * 2020-11-24 2022-11-22 中国科学院声学研究所 A Hierarchical Identifier Addressing Method
US11575600B2 (en) 2020-11-24 2023-02-07 Vmware, Inc. Tunnel-less SD-WAN
US11929903B2 (en) 2020-12-29 2024-03-12 VMware LLC Emulating packet flows to assess network links for SD-WAN
US12218845B2 (en) 2021-01-18 2025-02-04 VMware LLC Network-aware load balancing
CN116783874A (en) 2021-01-18 2023-09-19 Vm维尔股份有限公司 Network aware load balancing
US11979325B2 (en) 2021-01-28 2024-05-07 VMware LLC Dynamic SD-WAN hub cluster scaling with machine learning
CN114915582B (en) * 2021-02-09 2025-09-12 华为技术有限公司 Message forwarding method, device and system
US12368676B2 (en) 2021-04-29 2025-07-22 VMware LLC Methods for micro-segmentation in SD-WAN for virtual networks
US11381499B1 (en) 2021-05-03 2022-07-05 Vmware, Inc. Routing meshes for facilitating routing through an SD-WAN
US12009987B2 (en) 2021-05-03 2024-06-11 VMware LLC Methods to support dynamic transit paths through hub clustering across branches in SD-WAN
US11729065B2 (en) 2021-05-06 2023-08-15 Vmware, Inc. Methods for application defined virtual network service among multiple transport in SD-WAN
US11658900B2 (en) 2021-06-16 2023-05-23 Ciena Corporation Responding to operator commands in a multi-homing ethernet virtual private network (EVPN)
US12250114B2 (en) 2021-06-18 2025-03-11 VMware LLC Method and apparatus for deploying tenant deployable elements across public clouds based on harvested performance metrics of sub-types of resource elements in the public clouds
US12015536B2 (en) 2021-06-18 2024-06-18 VMware LLC Method and apparatus for deploying tenant deployable elements across public clouds based on harvested performance metrics of types of resource elements in the public clouds
US11489720B1 (en) 2021-06-18 2022-11-01 Vmware, Inc. Method and apparatus to evaluate resource elements and public clouds for deploying tenant deployable elements based on harvested performance metrics
US12047282B2 (en) 2021-07-22 2024-07-23 VMware LLC Methods for smart bandwidth aggregation based dynamic overlay selection among preferred exits in SD-WAN
US11375005B1 (en) 2021-07-24 2022-06-28 Vmware, Inc. High availability solutions for a secure access service edge application
US12267364B2 (en) 2021-07-24 2025-04-01 VMware LLC Network management services in a virtual network
US11777841B2 (en) 2021-08-31 2023-10-03 Ciena Corporation Handling diversity constraints with Segment Routing and centralized PCE
US11863350B2 (en) 2021-09-09 2024-01-02 Ciena Corporation Fast convergence of E-Tree with a dual homed root node
US11870684B2 (en) 2021-09-09 2024-01-09 Ciena Corporation Micro-loop avoidance in networks
US11882032B2 (en) 2021-09-30 2024-01-23 Ciena Corporation Emulating MPLS-TP behavior with non-revertive candidate paths in Segment Routing
US11757757B2 (en) 2021-09-30 2023-09-12 Ciena Corporation Handling bandwidth reservations with segment routing and centralized PCE under real-time topology changes
US11943146B2 (en) 2021-10-01 2024-03-26 VMware LLC Traffic prioritization in SD-WAN
US11824769B2 (en) 2021-11-08 2023-11-21 Ciena Corporation Incrementally eliminating BGP-LU using SR policies and PCE
US11722400B2 (en) 2021-11-08 2023-08-08 Ciena Corporation Centralized approach to SR-TE paths with bandwidth guarantee using a single SID
WO2023114649A1 (en) * 2021-12-14 2023-06-22 Cisco Technology, Inc. Method for sharing a control connection
US11552879B1 (en) 2021-12-14 2023-01-10 Ciena Corporation Creating a packet with a loopback label stack to detect network link/node failures
US11778038B2 (en) * 2021-12-14 2023-10-03 Cisco Technology, Inc. Systems and methods for sharing a control connection
US12184557B2 (en) 2022-01-04 2024-12-31 VMware LLC Explicit congestion notification in a virtual environment
US12425395B2 (en) 2022-01-15 2025-09-23 VMware LLC Method and system of securely adding an edge device operating in a public network to an SD-WAN
US12021746B2 (en) * 2022-02-17 2024-06-25 Cisco Technology, Inc. Inter-working of a software-defined wide-area network (SD-WAN) domain and a segment routing (SR) domain
US12170611B2 (en) 2022-03-03 2024-12-17 Ciena Corporation Control plane based enhanced TI-LFA node protection scheme for SR-TE paths
US12199868B2 (en) * 2022-05-27 2025-01-14 Cisco Technology, Inc. Optimizing IPSec for hierarchical SD-WAN
US11909815B2 (en) 2022-06-06 2024-02-20 VMware LLC Routing based on geolocation costs
US12166661B2 (en) 2022-07-18 2024-12-10 VMware LLC DNS-based GSLB-aware SD-WAN for low latency SaaS applications
US12316524B2 (en) 2022-07-20 2025-05-27 VMware LLC Modifying an SD-wan based on flow metrics
US12261772B2 (en) 2022-09-12 2025-03-25 Ciena Corporation Variable preemption for LSP tunnels
US12081435B2 (en) 2022-11-29 2024-09-03 Ciena Corporation Distribution of SRv6 modes of operation via routing protocols
US11831548B1 (en) 2022-11-29 2023-11-28 Ciena Corporation Distinguishing SRv6 micro-SID destination address from IPv6 destination address
US12057993B1 (en) 2023-03-27 2024-08-06 VMware LLC Identifying and remediating anomalies in a self-healing network
US12034587B1 (en) 2023-03-27 2024-07-09 VMware LLC Identifying and remediating anomalies in a self-healing network
US12425332B2 (en) 2023-03-27 2025-09-23 VMware LLC Remediating anomalies in a self-healing network
US12407731B2 (en) * 2023-07-13 2025-09-02 Cisco Technology, Inc. Routing techniques for enhanced network security
US20250038957A1 (en) * 2023-07-27 2025-01-30 Cisco Technology, Inc. Managing encryption keys of secure tunnels in multi-tenant edge devices
US12261777B2 (en) 2023-08-16 2025-03-25 VMware LLC Forwarding packets in multi-regional large scale deployments with distributed gateways
US12355655B2 (en) 2023-08-16 2025-07-08 VMware LLC Forwarding packets in multi-regional large scale deployments with distributed gateways
US20250071120A1 (en) * 2023-08-22 2025-02-27 Akamai Technologies, Inc. Global mapping to internal applications

Citations (125)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6044396A (en) 1995-12-14 2000-03-28 Time Warner Cable, A Division Of Time Warner Entertainment Company, L.P. Method and apparatus for utilizing the available bit rate in a constrained variable bit rate channel
US6289419B1 (en) 1998-03-06 2001-09-11 Sharp Kabushiki Kaisha Consistency control device merging updated memory blocks
US6535607B1 (en) 1998-11-02 2003-03-18 International Business Machines Corporation Method and apparatus for providing interoperability between key recovery and non-key recovery systems
US6594361B1 (en) 1994-08-19 2003-07-15 Thomson Licensing S.A. High speed signal processing smart card
US20030140142A1 (en) 2002-01-18 2003-07-24 David Marples Initiating connections through firewalls and network address translators
US6611872B1 (en) * 1999-01-11 2003-08-26 Fastforward Networks, Inc. Performing multicast communication in computer networks by using overlay routing
US6675225B1 (en) 1999-08-26 2004-01-06 International Business Machines Corporation Method and system for algorithm-based address-evading network snoop avoider
US20040034702A1 (en) 2002-08-16 2004-02-19 Nortel Networks Limited Method and apparatus for exchanging intra-domain routing information between VPN sites
US20040088369A1 (en) 2002-10-31 2004-05-06 Yeager William J. Peer trust evaluation using mobile agents in peer-to-peer networks
US20040103205A1 (en) 1998-10-30 2004-05-27 Science Applications International Corporation Method for establishing secure communication link between computers of virtual private network
US20040184603A1 (en) 2003-03-21 2004-09-23 Pearson David Spencer Systems and methods for quantum cryptographic key transport
US20040203590A1 (en) 2002-09-11 2004-10-14 Koninklijke Philips Electronics N.V. Set-up of wireless consumer electronics device using a learning remote control
US20050021610A1 (en) 2003-06-27 2005-01-27 Bruno Bozionek Method and arrangement for accessing a first terminal in a first communication network from a second communication node in a second communication network
US20050044356A1 (en) 1999-12-22 2005-02-24 Sunil Srivastava Method and apparatus for distributing and updating private keys of multicast group managers using directory replication
US20050071280A1 (en) 2003-09-25 2005-03-31 Convergys Information Management Group, Inc. System and method for federated rights management
US20050094814A1 (en) 2003-10-31 2005-05-05 Tadahiro Aihara Electronic apparatus and encryption key updating
US20060015643A1 (en) 2004-01-23 2006-01-19 Fredrik Orava Method of sending information through a tree and ring topology of a network system
CN1254059C (en) 2002-12-10 2006-04-26 华为技术有限公司 Method of realizing special multiple-protocol label exchanging virtual network
US20060088031A1 (en) 2004-10-26 2006-04-27 Gargi Nalawade Method and apparatus for providing multicast messages within a virtual private network across a data communication network
US20060155721A1 (en) 2005-01-12 2006-07-13 Network Appliance, Inc. Buffering proxy for telnet access
US20060165233A1 (en) 2003-12-17 2006-07-27 Masao Nonaka Methods and apparatuses for distributing system secret parameter group and encrypted intermediate key group for generating content encryption and decryption deys
US7117530B1 (en) 1999-12-07 2006-10-03 Watchguard Technologies, Inc. Tunnel designation system for virtual private networks
US20060221830A1 (en) 2005-03-31 2006-10-05 Sbc Knowledge Ventures Lp Method and apparatus for managing end-to-end quality of service policies in a communication system
US7120682B1 (en) 2001-03-08 2006-10-10 Cisco Technology, Inc. Virtual private networks for voice over networks applications
US20060233180A1 (en) 2005-04-14 2006-10-19 Alcatel Systems and methods for managing network services between private networks
US20060288209A1 (en) 2005-06-20 2006-12-21 Vogler Dean H Method and apparatus for secure inter-processor communications
US20070086431A1 (en) 2005-10-13 2007-04-19 Abu-Amara Hosame H Privacy proxy of a digital security system for distributing media content to a local area network
US20070104115A1 (en) 2005-11-10 2007-05-10 Dan Decasper Overlay network infrastructure
US20070118885A1 (en) 2005-11-23 2007-05-24 Elrod Craig T Unique SNiP for use in secure data networking and identity management
US20070140110A1 (en) 2005-12-21 2007-06-21 Microsoft Corporation Peer communities
US20070153782A1 (en) * 2005-12-30 2007-07-05 Gregory Fletcher Reliable, high-throughput, high-performance transport and routing mechanism for arbitrary data flows
US7251824B2 (en) 2000-12-19 2007-07-31 Intel Corporation Accessing a private network
US20070185814A1 (en) 2005-10-18 2007-08-09 Intertrust Technologies Corporation Digital rights management engine systems and methods
US20070230688A1 (en) 2005-08-18 2007-10-04 Nec Corporation Secret communication system and method for generating shared secret information
US20070248232A1 (en) 2006-04-10 2007-10-25 Honeywell International Inc. Cryptographic key sharing method
US20070299954A1 (en) 2006-06-27 2007-12-27 International Business Machines Corporation System, method and program for determining a network path by which to send a message
US20080013738A1 (en) 2006-04-19 2008-01-17 Nec Corporation Secret communications system and channel control method
US20080080716A1 (en) 2006-09-29 2008-04-03 Mcalister Donald Kent Back-up for key authority point for scaling and high availability for stateful failover
US20080130902A1 (en) 2006-04-10 2008-06-05 Honeywell International Inc. Secure wireless instrumentation network system
US20080147820A1 (en) 2006-12-19 2008-06-19 Nec Corporation Method and system for managing shared information
US20080273704A1 (en) 2005-12-01 2008-11-06 Karl Norrman Method and Apparatus for Delivering Keying Information
US20080298367A1 (en) * 2007-05-30 2008-12-04 Fuji Xerox Co., Ltd. Virtual network connection system, virtual network connection apparatus, and computer-readable medium
US20090193253A1 (en) 2005-11-04 2009-07-30 Rainer Falk Method and server for providing a mobile key
US20090216910A1 (en) 2007-04-23 2009-08-27 Duchesneau David D Computing infrastructure
US20090220080A1 (en) 2008-02-29 2009-09-03 Michael Herne Application-Level Service Access to Encrypted Data Streams
US20090296924A1 (en) 2008-05-30 2009-12-03 Infineon Technologies North America Corp. Key management for communication networks
US20100014677A1 (en) 2007-06-28 2010-01-21 Taichi Sato Group subordinate terminal, group managing terminal, server, key updating system, and key updating method therefor
US20100058082A1 (en) 2008-08-27 2010-03-04 Lenovo (Singapore) Ple., Ltd. Maintaining network link during suspend state
US20100064008A1 (en) 2007-03-13 2010-03-11 Huawei Technologies Co., Ltd. Peer-to-peer network system, proxy service peer, and method for peer interworking between overlay networks
US20100122084A1 (en) 2007-07-24 2010-05-13 Huawei Technologies Co., Ltd. Method, apparatus and system for registering new member in group key management
US20100169563A1 (en) 2008-12-30 2010-07-01 Jeremy Horner Content Addressable Memory and Method
US20100169471A1 (en) * 2003-03-11 2010-07-01 Nortel Networks Limited Verification of Configuration Information in BGP VPNs
US20100281251A1 (en) 2008-06-12 2010-11-04 Telefonaktiebolaget L M Ericsson (Publ) Mobile Virtual Private Networks
US20100325423A1 (en) 2009-06-22 2010-12-23 Craig Stephen Etchegoyen System and Method for Securing an Electronic Communication
US20110010553A1 (en) 2009-07-10 2011-01-13 Robert S Cahn On-Line Membership Verification
US20110021196A1 (en) * 2009-07-27 2011-01-27 Cisco Technology, Inc. Access class based picocell policy enforcement
US20110064222A1 (en) 2008-05-19 2011-03-17 Qinetiq Limited Quantum key distribution involving moveable key device
US20110075674A1 (en) 2009-09-30 2011-03-31 Alcatel-Lucent Usa Inc. Scalable architecture for enterprise extension in a cloud topology
US7925592B1 (en) 2006-09-27 2011-04-12 Qurio Holdings, Inc. System and method of using a proxy server to manage lazy content distribution in a social network
US20110110377A1 (en) 2009-11-06 2011-05-12 Microsoft Corporation Employing Overlays for Securing Connections Across Networks
US20110164750A1 (en) 2008-09-17 2011-07-07 Koninklijke Phillips Electronics N.V. Method for communicating in a network, a communication device and a system therefor
US7995573B2 (en) 2004-12-06 2011-08-09 Swisscom Ag Method and system for mobile network nodes in heterogeneous networks
US8023504B2 (en) 2008-08-27 2011-09-20 Cisco Technology, Inc. Integrating security server policies with optimized routing control
US20110296510A1 (en) 2010-05-27 2011-12-01 Microsoft Corporation Protecting user credentials using an intermediary component
US20120051221A1 (en) 2009-05-06 2012-03-01 Dinh Thai Bui Traffic-engineered connection establishment across resource domains for data transport
US20120092986A1 (en) 2010-10-15 2012-04-19 Futurewei Technologies, Inc. System And Method For Computing A Backup Egress Of A Point-To-Multi-Point Label Switched Path
US20120134361A1 (en) 2009-12-18 2012-05-31 Wong Wendy C System and method of utilizing a framework for information routing in large-scale distributed systems using swarm intelligence
US20120180122A1 (en) 2009-09-18 2012-07-12 Zte Corporation Implementation method and system of virtual private network
US8224971B1 (en) 2009-12-28 2012-07-17 Amazon Technologies, Inc. Using virtual networking devices and routing information to initiate external actions
US20120266209A1 (en) 2012-06-11 2012-10-18 David Jeffrey Gooding Method of Secure Electric Power Grid Operations Using Common Cyber Security Services
US20120284370A1 (en) 2011-05-02 2012-11-08 Authentec, Inc. Method, system, or user device for adaptive bandwidth control of proxy multimedia server
WO2013007496A1 (en) 2011-07-08 2013-01-17 Alcatel Lucent Centralized system for routing ethernet packets over an internet protocol network
US20130034094A1 (en) 2011-08-05 2013-02-07 International Business Machines Corporation Virtual Switch Data Control In A Distributed Overlay Network
US20130051559A1 (en) 2011-08-26 2013-02-28 Shinichi Baba Key sharing device, key sharing method, and computer program product
US20130114465A1 (en) * 2011-11-09 2013-05-09 SunGard Availability Serives, LP Layer 2 on ramp supporting scalability of virtual data center resources
US20130121142A1 (en) 2010-07-05 2013-05-16 Huawei Technologies Co., Ltd. Method and apparatus for forwarding multicast traffic
US20130163446A1 (en) 2011-12-22 2013-06-27 Voipfuture Gmbh Correlation of Media Plane and Signaling Plane of Media Services in a Packet-Switched Network
US20130182712A1 (en) 2012-01-13 2013-07-18 Dan Aguayo System and method for managing site-to-site vpns of a cloud managed network
US20130201909A1 (en) 2012-02-06 2013-08-08 Juniper Networks, Inc. Mobile node host route installation and withdrawal
US8516552B2 (en) 2009-01-28 2013-08-20 Headwater Partners I Llc Verifiable service policy implementation for intermediate networking devices
US8515079B1 (en) 2007-01-26 2013-08-20 Cisco Technology, Inc. Hybrid rekey distribution in a virtual private network environment
US20130223444A1 (en) 2012-02-23 2013-08-29 Christopher D. Liljenstolpe System and methods for managing network packet forwarding with a controller
US20130251154A1 (en) 2012-03-23 2013-09-26 Yoshimichi Tanizawa Key generating device and key generating method
US20130266007A1 (en) 2012-04-10 2013-10-10 International Business Machines Corporation Switch routing table utilizing software defined network (sdn) controller programmed route segregation and prioritization
US8594323B2 (en) 2004-09-21 2013-11-26 Rockstar Consortium Us Lp Method and apparatus for generating large numbers of encryption keys
US20130332602A1 (en) * 2012-06-06 2013-12-12 Juniper Networks, Inc. Physical path determination for virtual network packet flows
US20130329725A1 (en) 2012-06-06 2013-12-12 Juniper Networks, Inc. Facilitating operation of one or more virtual networks
US20130335582A1 (en) 2012-06-15 2013-12-19 Fujitsu Limited Method of controlling information processing apparatus and information processing apparatus
US20140003425A1 (en) 2012-06-29 2014-01-02 Futurewei Technologies, Inc. Implementing a Multicast Virtual Private Network by Using Multicast Resource Reservation Protocol-Traffic Engineering
US20140071990A1 (en) * 2012-09-07 2014-03-13 International Business Machines Corporation Overlay network capable of supporting storage area network (san) traffic
US20140079059A1 (en) * 2009-03-29 2014-03-20 Ltn Global Communications, Inc. System and method that routes flows via multicast flow transport for groups
US20140153457A1 (en) 2012-12-05 2014-06-05 T-Mobile USA, Inc Energy-Efficient Push/Poll Notification Service
US20140153572A1 (en) 2012-11-30 2014-06-05 Georg Hampel Software-defined network overlay
US20140189363A1 (en) 2012-12-28 2014-07-03 Moka5, Inc. Separate cryptographic keys for protecting different operations on data
US20140223520A1 (en) 2011-08-30 2014-08-07 Securepush Ltd. Guardian control over electronic actions
US20140294018A1 (en) 2011-11-11 2014-10-02 Pismo Labs Technology Limited Protocol for layer two multiple network links tunnelling
US20140297438A1 (en) 2005-01-21 2014-10-02 Robin Dua Method and system of processing payments using a proxy credential
US8868698B2 (en) 2004-06-05 2014-10-21 Sonos, Inc. Establishing a secure wireless network with minimum human intervention
US20140313892A1 (en) * 2013-04-19 2014-10-23 International Business Machines Corporation Overlay network priority inheritance
US8879739B2 (en) 2012-11-26 2014-11-04 Nagravision S.A. Method, system and device for securely transferring digital content between electronic devices within a communication network managed by a management center
US20140331050A1 (en) 2011-04-15 2014-11-06 Quintessence Labs Pty Ltd. Qkd key management system
US20140380039A1 (en) 1998-10-30 2014-12-25 Virnetx, Inc. System and method employing an agile network protocol for secure communications using secure domain names
US20150006737A1 (en) * 2012-11-19 2015-01-01 Huawei Technologies Co., Ltd. Method, apparatus, and system for providing network traversing service
US20150033298A1 (en) 2013-07-25 2015-01-29 Phantom Technologies, Inc. Device authentication using proxy automatic configuration script requests
US8954740B1 (en) 2010-10-04 2015-02-10 Symantec Corporation Session key proxy decryption method to secure content in a one-to-many relationship
US8959333B2 (en) 2006-06-01 2015-02-17 Nokia Siemens Networks Gmbh & Co. Kg Method and system for providing a mesh key
US20150106620A1 (en) 2013-10-15 2015-04-16 Intuit Inc. Method and system for providing a secure secrets proxy
US20150103839A1 (en) * 2013-10-13 2015-04-16 Nicira, Inc. Bridging between Network Segments with a Logical Router
US20150127797A1 (en) 2013-11-05 2015-05-07 Cisco Technology, Inc. System and method for multi-path load balancing in network fabrics
WO2015092491A1 (en) 2013-12-20 2015-06-25 Pismo Labs Technology Limited Methods and systems for transmitting and receiving packets
US20150229490A1 (en) 2014-02-12 2015-08-13 Hob Gmbh & Co. Kg Communication system for transmitting under a tunnel protocol between at least two data computers via a wide area network and a method for running such a communication system
US20150256521A1 (en) 2009-10-31 2015-09-10 Saife, Inc. Secure communication system for mobile devices
US20160036785A1 (en) 2013-03-13 2016-02-04 Jumpto Media Inc. Secure network communication
US20160080268A1 (en) 2014-09-16 2016-03-17 CloudGenix, Inc. Methods and systems for hub high availability and network load and scaling
US20160226762A1 (en) 2015-01-30 2016-08-04 Nicira, Inc. Implementing logical router uplinks
US9450817B1 (en) * 2013-03-15 2016-09-20 Juniper Networks, Inc. Software defined network controller
US9467478B1 (en) 2013-12-18 2016-10-11 vIPtela Inc. Overlay management protocol for secure routing based on an overlay network
US20170076291A1 (en) 2015-09-10 2017-03-16 Transworld Holdings PCC Limited (S1 Technology Cell) Proxy device for representing multiple credentials
US9659170B2 (en) 2015-01-02 2017-05-23 Senteon LLC Securing data on untrusted devices
US20170155628A1 (en) 2015-12-01 2017-06-01 Encrypted Dynamics LLC Device, system and method for fast and secure proxy re-encryption
US20170223154A1 (en) 2015-01-30 2017-08-03 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for connecting a gateway router to a set of scalable virtual ip network appliances in overlay networks
US20180054438A1 (en) 2015-03-02 2018-02-22 Microsoft Technology Licensing, Llc Proxy service for uploading data from a source to a destination
US20180091417A1 (en) 2015-04-07 2018-03-29 Umbra Technologies Ltd. System and method for virtual interfaces and advanced smart routing in a global virtual network
US9980303B2 (en) 2015-12-18 2018-05-22 Cisco Technology, Inc. Establishing a private network using multi-uplink capable network devices
US10298672B2 (en) 2015-12-18 2019-05-21 Cisco Technology, Inc. Global contact-point registry for peer network devices

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5594796A (en) 1994-10-05 1997-01-14 Motorola, Inc. Method and apparatus for detecting unauthorized distribution of data
US6275470B1 (en) 1999-06-18 2001-08-14 Digital Island, Inc. On-demand overlay routing for computer-based communication networks
ATE326805T1 (en) 2000-06-15 2006-06-15 Ericsson Telefon Ab L M METHOD AND ARRANGEMENTS IN A TELECOMMUNICATIONS SYSTEM
US7567510B2 (en) 2003-02-13 2009-07-28 Cisco Technology, Inc. Security groups
US7836490B2 (en) 2003-10-29 2010-11-16 Cisco Technology, Inc. Method and apparatus for providing network security using security labeling
US7756256B1 (en) 2003-11-26 2010-07-13 Openwave Systems Inc. Unified and best messaging systems for communication devices
US20050198351A1 (en) 2004-02-20 2005-09-08 Microsoft Corporation Content-based routing
PL1896051T3 (en) 2005-06-28 2015-04-30 Oncothyreon Inc Method of treating patients with a mucinous glycoprotein (muc-1) vaccine
US8607302B2 (en) 2006-11-29 2013-12-10 Red Hat, Inc. Method and system for sharing labeled information between different security realms
US8619775B2 (en) 2008-07-21 2013-12-31 Ltn Global Communications, Inc. Scalable flow transport and delivery network and associated methods and systems
CN102136990B (en) 2010-06-09 2013-11-06 华为技术有限公司 Service routing method and system of service superposition network
US9294507B1 (en) 2012-06-27 2016-03-22 Amazon Technologies, Inc. Techniques for data security in a multi-tenant environment
US9380025B2 (en) 2013-07-03 2016-06-28 Cisco Technology, Inc. Method and apparatus for ingress filtering
US10038629B2 (en) 2014-09-11 2018-07-31 Microsoft Technology Licensing, Llc Virtual machine migration using label based underlay network forwarding

Patent Citations (131)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6594361B1 (en) 1994-08-19 2003-07-15 Thomson Licensing S.A. High speed signal processing smart card
US6044396A (en) 1995-12-14 2000-03-28 Time Warner Cable, A Division Of Time Warner Entertainment Company, L.P. Method and apparatus for utilizing the available bit rate in a constrained variable bit rate channel
US6289419B1 (en) 1998-03-06 2001-09-11 Sharp Kabushiki Kaisha Consistency control device merging updated memory blocks
US20140380039A1 (en) 1998-10-30 2014-12-25 Virnetx, Inc. System and method employing an agile network protocol for secure communications using secure domain names
US20040103205A1 (en) 1998-10-30 2004-05-27 Science Applications International Corporation Method for establishing secure communication link between computers of virtual private network
US6535607B1 (en) 1998-11-02 2003-03-18 International Business Machines Corporation Method and apparatus for providing interoperability between key recovery and non-key recovery systems
US6611872B1 (en) * 1999-01-11 2003-08-26 Fastforward Networks, Inc. Performing multicast communication in computer networks by using overlay routing
US6675225B1 (en) 1999-08-26 2004-01-06 International Business Machines Corporation Method and system for algorithm-based address-evading network snoop avoider
US7117530B1 (en) 1999-12-07 2006-10-03 Watchguard Technologies, Inc. Tunnel designation system for virtual private networks
US20050044356A1 (en) 1999-12-22 2005-02-24 Sunil Srivastava Method and apparatus for distributing and updating private keys of multicast group managers using directory replication
US7251824B2 (en) 2000-12-19 2007-07-31 Intel Corporation Accessing a private network
US7120682B1 (en) 2001-03-08 2006-10-10 Cisco Technology, Inc. Virtual private networks for voice over networks applications
US20030140142A1 (en) 2002-01-18 2003-07-24 David Marples Initiating connections through firewalls and network address translators
US20040034702A1 (en) 2002-08-16 2004-02-19 Nortel Networks Limited Method and apparatus for exchanging intra-domain routing information between VPN sites
US20040203590A1 (en) 2002-09-11 2004-10-14 Koninklijke Philips Electronics N.V. Set-up of wireless consumer electronics device using a learning remote control
US20040088369A1 (en) 2002-10-31 2004-05-06 Yeager William J. Peer trust evaluation using mobile agents in peer-to-peer networks
CN1254059C (en) 2002-12-10 2006-04-26 华为技术有限公司 Method of realizing special multiple-protocol label exchanging virtual network
US20100169471A1 (en) * 2003-03-11 2010-07-01 Nortel Networks Limited Verification of Configuration Information in BGP VPNs
US20040184603A1 (en) 2003-03-21 2004-09-23 Pearson David Spencer Systems and methods for quantum cryptographic key transport
US20050021610A1 (en) 2003-06-27 2005-01-27 Bruno Bozionek Method and arrangement for accessing a first terminal in a first communication network from a second communication node in a second communication network
US20050071280A1 (en) 2003-09-25 2005-03-31 Convergys Information Management Group, Inc. System and method for federated rights management
US20050094814A1 (en) 2003-10-31 2005-05-05 Tadahiro Aihara Electronic apparatus and encryption key updating
US20060165233A1 (en) 2003-12-17 2006-07-27 Masao Nonaka Methods and apparatuses for distributing system secret parameter group and encrypted intermediate key group for generating content encryption and decryption deys
US20060015643A1 (en) 2004-01-23 2006-01-19 Fredrik Orava Method of sending information through a tree and ring topology of a network system
US8868698B2 (en) 2004-06-05 2014-10-21 Sonos, Inc. Establishing a secure wireless network with minimum human intervention
US8594323B2 (en) 2004-09-21 2013-11-26 Rockstar Consortium Us Lp Method and apparatus for generating large numbers of encryption keys
US20060088031A1 (en) 2004-10-26 2006-04-27 Gargi Nalawade Method and apparatus for providing multicast messages within a virtual private network across a data communication network
US7995573B2 (en) 2004-12-06 2011-08-09 Swisscom Ag Method and system for mobile network nodes in heterogeneous networks
US20060155721A1 (en) 2005-01-12 2006-07-13 Network Appliance, Inc. Buffering proxy for telnet access
US20140297438A1 (en) 2005-01-21 2014-10-02 Robin Dua Method and system of processing payments using a proxy credential
US20060221830A1 (en) 2005-03-31 2006-10-05 Sbc Knowledge Ventures Lp Method and apparatus for managing end-to-end quality of service policies in a communication system
US20060233180A1 (en) 2005-04-14 2006-10-19 Alcatel Systems and methods for managing network services between private networks
US20060288209A1 (en) 2005-06-20 2006-12-21 Vogler Dean H Method and apparatus for secure inter-processor communications
US20070230688A1 (en) 2005-08-18 2007-10-04 Nec Corporation Secret communication system and method for generating shared secret information
US20070086431A1 (en) 2005-10-13 2007-04-19 Abu-Amara Hosame H Privacy proxy of a digital security system for distributing media content to a local area network
US20070185814A1 (en) 2005-10-18 2007-08-09 Intertrust Technologies Corporation Digital rights management engine systems and methods
US20090193253A1 (en) 2005-11-04 2009-07-30 Rainer Falk Method and server for providing a mobile key
US20070104115A1 (en) 2005-11-10 2007-05-10 Dan Decasper Overlay network infrastructure
US20070118885A1 (en) 2005-11-23 2007-05-24 Elrod Craig T Unique SNiP for use in secure data networking and identity management
US20080273704A1 (en) 2005-12-01 2008-11-06 Karl Norrman Method and Apparatus for Delivering Keying Information
US20070140110A1 (en) 2005-12-21 2007-06-21 Microsoft Corporation Peer communities
US20070153782A1 (en) * 2005-12-30 2007-07-05 Gregory Fletcher Reliable, high-throughput, high-performance transport and routing mechanism for arbitrary data flows
US20070248232A1 (en) 2006-04-10 2007-10-25 Honeywell International Inc. Cryptographic key sharing method
US20080130902A1 (en) 2006-04-10 2008-06-05 Honeywell International Inc. Secure wireless instrumentation network system
US20080013738A1 (en) 2006-04-19 2008-01-17 Nec Corporation Secret communications system and channel control method
US8041039B2 (en) 2006-04-19 2011-10-18 Nec Corporation Secret communications system and channel control method
US8959333B2 (en) 2006-06-01 2015-02-17 Nokia Siemens Networks Gmbh & Co. Kg Method and system for providing a mesh key
US20070299954A1 (en) 2006-06-27 2007-12-27 International Business Machines Corporation System, method and program for determining a network path by which to send a message
US7925592B1 (en) 2006-09-27 2011-04-12 Qurio Holdings, Inc. System and method of using a proxy server to manage lazy content distribution in a social network
US20080080716A1 (en) 2006-09-29 2008-04-03 Mcalister Donald Kent Back-up for key authority point for scaling and high availability for stateful failover
US20080147820A1 (en) 2006-12-19 2008-06-19 Nec Corporation Method and system for managing shared information
US8515079B1 (en) 2007-01-26 2013-08-20 Cisco Technology, Inc. Hybrid rekey distribution in a virtual private network environment
US20100064008A1 (en) 2007-03-13 2010-03-11 Huawei Technologies Co., Ltd. Peer-to-peer network system, proxy service peer, and method for peer interworking between overlay networks
US20130306276A1 (en) 2007-04-23 2013-11-21 David D Duchesneau Computing infrastructure
US20090216910A1 (en) 2007-04-23 2009-08-27 Duchesneau David D Computing infrastructure
US20080298367A1 (en) * 2007-05-30 2008-12-04 Fuji Xerox Co., Ltd. Virtual network connection system, virtual network connection apparatus, and computer-readable medium
US20100014677A1 (en) 2007-06-28 2010-01-21 Taichi Sato Group subordinate terminal, group managing terminal, server, key updating system, and key updating method therefor
US20100122084A1 (en) 2007-07-24 2010-05-13 Huawei Technologies Co., Ltd. Method, apparatus and system for registering new member in group key management
US20090220080A1 (en) 2008-02-29 2009-09-03 Michael Herne Application-Level Service Access to Encrypted Data Streams
US20110064222A1 (en) 2008-05-19 2011-03-17 Qinetiq Limited Quantum key distribution involving moveable key device
US20090296924A1 (en) 2008-05-30 2009-12-03 Infineon Technologies North America Corp. Key management for communication networks
US20100281251A1 (en) 2008-06-12 2010-11-04 Telefonaktiebolaget L M Ericsson (Publ) Mobile Virtual Private Networks
US8023504B2 (en) 2008-08-27 2011-09-20 Cisco Technology, Inc. Integrating security server policies with optimized routing control
US20100058082A1 (en) 2008-08-27 2010-03-04 Lenovo (Singapore) Ple., Ltd. Maintaining network link during suspend state
US20110164750A1 (en) 2008-09-17 2011-07-07 Koninklijke Phillips Electronics N.V. Method for communicating in a network, a communication device and a system therefor
US20100169563A1 (en) 2008-12-30 2010-07-01 Jeremy Horner Content Addressable Memory and Method
US8516552B2 (en) 2009-01-28 2013-08-20 Headwater Partners I Llc Verifiable service policy implementation for intermediate networking devices
US20140079059A1 (en) * 2009-03-29 2014-03-20 Ltn Global Communications, Inc. System and method that routes flows via multicast flow transport for groups
US20120051221A1 (en) 2009-05-06 2012-03-01 Dinh Thai Bui Traffic-engineered connection establishment across resource domains for data transport
US20100325423A1 (en) 2009-06-22 2010-12-23 Craig Stephen Etchegoyen System and Method for Securing an Electronic Communication
US20110010553A1 (en) 2009-07-10 2011-01-13 Robert S Cahn On-Line Membership Verification
US20110021196A1 (en) * 2009-07-27 2011-01-27 Cisco Technology, Inc. Access class based picocell policy enforcement
US20120180122A1 (en) 2009-09-18 2012-07-12 Zte Corporation Implementation method and system of virtual private network
US20110075674A1 (en) 2009-09-30 2011-03-31 Alcatel-Lucent Usa Inc. Scalable architecture for enterprise extension in a cloud topology
US20150256521A1 (en) 2009-10-31 2015-09-10 Saife, Inc. Secure communication system for mobile devices
US20110110377A1 (en) 2009-11-06 2011-05-12 Microsoft Corporation Employing Overlays for Securing Connections Across Networks
US20120134361A1 (en) 2009-12-18 2012-05-31 Wong Wendy C System and method of utilizing a framework for information routing in large-scale distributed systems using swarm intelligence
US8224971B1 (en) 2009-12-28 2012-07-17 Amazon Technologies, Inc. Using virtual networking devices and routing information to initiate external actions
US20110296510A1 (en) 2010-05-27 2011-12-01 Microsoft Corporation Protecting user credentials using an intermediary component
US20130121142A1 (en) 2010-07-05 2013-05-16 Huawei Technologies Co., Ltd. Method and apparatus for forwarding multicast traffic
US8954740B1 (en) 2010-10-04 2015-02-10 Symantec Corporation Session key proxy decryption method to secure content in a one-to-many relationship
US20120092986A1 (en) 2010-10-15 2012-04-19 Futurewei Technologies, Inc. System And Method For Computing A Backup Egress Of A Point-To-Multi-Point Label Switched Path
US20140331050A1 (en) 2011-04-15 2014-11-06 Quintessence Labs Pty Ltd. Qkd key management system
US20120284370A1 (en) 2011-05-02 2012-11-08 Authentec, Inc. Method, system, or user device for adaptive bandwidth control of proxy multimedia server
WO2013007496A1 (en) 2011-07-08 2013-01-17 Alcatel Lucent Centralized system for routing ethernet packets over an internet protocol network
US20130034094A1 (en) 2011-08-05 2013-02-07 International Business Machines Corporation Virtual Switch Data Control In A Distributed Overlay Network
US20130051559A1 (en) 2011-08-26 2013-02-28 Shinichi Baba Key sharing device, key sharing method, and computer program product
US20140223520A1 (en) 2011-08-30 2014-08-07 Securepush Ltd. Guardian control over electronic actions
US20130114465A1 (en) * 2011-11-09 2013-05-09 SunGard Availability Services, LP Layer 2 on ramp supporting scalability of virtual data center resources
US20140294018A1 (en) 2011-11-11 2014-10-02 Pismo Labs Technology Limited Protocol for layer two multiple network links tunnelling
US20130163446A1 (en) 2011-12-22 2013-06-27 Voipfuture Gmbh Correlation of Media Plane and Signaling Plane of Media Services in a Packet-Switched Network
US20150092603A1 (en) 2012-01-13 2015-04-02 Cisco Technology, Inc. System and method for managing site-to-site vpns of a cloud managed network
US20130182712A1 (en) 2012-01-13 2013-07-18 Dan Aguayo System and method for managing site-to-site vpns of a cloud managed network
US20130201909A1 (en) 2012-02-06 2013-08-08 Juniper Networks, Inc. Mobile node host route installation and withdrawal
US20130223444A1 (en) 2012-02-23 2013-08-29 Christopher D. Liljenstolpe System and methods for managing network packet forwarding with a controller
US20130251154A1 (en) 2012-03-23 2013-09-26 Yoshimichi Tanizawa Key generating device and key generating method
US20130266007A1 (en) 2012-04-10 2013-10-10 International Business Machines Corporation Switch routing table utilizing software defined network (sdn) controller programmed route segregation and prioritization
US20130332602A1 (en) * 2012-06-06 2013-12-12 Juniper Networks, Inc. Physical path determination for virtual network packet flows
US20130329725A1 (en) 2012-06-06 2013-12-12 Juniper Networks, Inc. Facilitating operation of one or more virtual networks
US20120266209A1 (en) 2012-06-11 2012-10-18 David Jeffrey Gooding Method of Secure Electric Power Grid Operations Using Common Cyber Security Services
US20130335582A1 (en) 2012-06-15 2013-12-19 Fujitsu Limited Method of controlling information processing apparatus and information processing apparatus
US20140003425A1 (en) 2012-06-29 2014-01-02 Futurewei Technologies, Inc. Implementing a Multicast Virtual Private Network by Using Multicast Resource Reservation Protocol-Traffic Engineering
US20140071990A1 (en) * 2012-09-07 2014-03-13 International Business Machines Corporation Overlay network capable of supporting storage area network (san) traffic
US20150006737A1 (en) * 2012-11-19 2015-01-01 Huawei Technologies Co., Ltd. Method, apparatus, and system for providing network traversing service
US8879739B2 (en) 2012-11-26 2014-11-04 Nagravision S.A. Method, system and device for securely transferring digital content between electronic devices within a communication network managed by a management center
US20140153572A1 (en) 2012-11-30 2014-06-05 Georg Hampel Software-defined network overlay
US20140153457A1 (en) 2012-12-05 2014-06-05 T-Mobile USA, Inc Energy-Efficient Push/Poll Notification Service
US20140189363A1 (en) 2012-12-28 2014-07-03 Moka5, Inc. Separate cryptographic keys for protecting different operations on data
US20160036785A1 (en) 2013-03-13 2016-02-04 Jumpto Media Inc. Secure network communication
US9450817B1 (en) * 2013-03-15 2016-09-20 Juniper Networks, Inc. Software defined network controller
US20140313892A1 (en) * 2013-04-19 2014-10-23 International Business Machines Corporation Overlay network priority inheritance
US20150033298A1 (en) 2013-07-25 2015-01-29 Phantom Technologies, Inc. Device authentication using proxy automatic configuration script requests
US20150103839A1 (en) * 2013-10-13 2015-04-16 Nicira, Inc. Bridging between Network Segments with a Logical Router
US20150106620A1 (en) 2013-10-15 2015-04-16 Intuit Inc. Method and system for providing a secure secrets proxy
US20150127797A1 (en) 2013-11-05 2015-05-07 Cisco Technology, Inc. System and method for multi-path load balancing in network fabrics
US10277558B2 (en) 2013-12-18 2019-04-30 Cisco Technology, Inc. Overlay management protocol for secure routing based on an overlay network
US9736113B1 (en) 2013-12-18 2017-08-15 vIPtela Inc. Overlay management protocol for secure routing based on an overlay network
US9467478B1 (en) 2013-12-18 2016-10-11 vIPtela Inc. Overlay management protocol for secure routing based on an overlay network
WO2015092491A1 (en) 2013-12-20 2015-06-25 Pismo Labs Technology Limited Methods and systems for transmitting and receiving packets
US20150229490A1 (en) 2014-02-12 2015-08-13 Hob Gmbh & Co. Kg Communication system for transmitting under a tunnel protocol between at least two data computers via a wide area network and a method for running such a communication system
US20160080268A1 (en) 2014-09-16 2016-03-17 CloudGenix, Inc. Methods and systems for hub high availability and network load and scaling
US9659170B2 (en) 2015-01-02 2017-05-23 Senteon LLC Securing data on untrusted devices
US20160226762A1 (en) 2015-01-30 2016-08-04 Nicira, Inc. Implementing logical router uplinks
US20170223154A1 (en) 2015-01-30 2017-08-03 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for connecting a gateway router to a set of scalable virtual ip network appliances in overlay networks
US20180054438A1 (en) 2015-03-02 2018-02-22 Microsoft Technology Licensing, Llc Proxy service for uploading data from a source to a destination
US20180091417A1 (en) 2015-04-07 2018-03-29 Umbra Technologies Ltd. System and method for virtual interfaces and advanced smart routing in a global virtual network
US20170076291A1 (en) 2015-09-10 2017-03-16 Transworld Holdings PCC Limited (S1 Technology Cell) Proxy device for representing multiple credentials
US20170155628A1 (en) 2015-12-01 2017-06-01 Encrypted Dynamics LLC Device, system and method for fast and secure proxy re-encryption
US9980303B2 (en) 2015-12-18 2018-05-22 Cisco Technology, Inc. Establishing a private network using multi-uplink capable network devices
US10298672B2 (en) 2015-12-18 2019-05-21 Cisco Technology, Inc. Global contact-point registry for peer network devices
US10917926B2 (en) 2015-12-18 2021-02-09 Cisco Technology, Inc. Establishing a private network using multi-uplink capable network devices

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
"Aruba Central Support Page: Advertising Overlay Routes", Hewlett Packard Enterprise Development, 2021, 8 pages, https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/routing/overlay_routing.htm.
"Aruba Central Support Page", Hewlett Packard Enterprise Development, 2021, 2 pages, https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/overlay-orchestration/tunnel-orchestration.htm.
"Aruba SD-WAN Solution, User Guide", Hewlett Packard Enterprise Company, 2019, 316 pages.
"FAQ: Vormetric Key Management Key Vault", Version 5.2, May 14, 2012, 5 pages.
"FAQ: Vormetric Key Management—Key Agent for Oracle Transparent Data Encryption", Version 7.2, Jul. 2, 2012, 8 pages, Vormetric.com.
"Ipsec UDP Mode in Silver Peak Unity EdgeConnect", Silver Peak, Whitepaper, 12 pages, https://www.silver-peak.com/sites/default/files/userdocs/silver-peak-whitepaper-ipsec-udp-1018_1.pdf.
"OpenFlow Switch Specification", Dec. 31, 2009, Open Networking Foundation, Version 1.0.0. *
Lara et al., "Network Innovation using OpenFlow: A Survey", IEEE Communications Surveys & Tutorials, vol. 16, No. 1, First Quarter 2014, pp. 1-21.

Cited By (2)

Publication number Priority date Publication date Assignee Title
US20230216733A1 (en) * 2021-12-31 2023-07-06 Fortinet, Inc. Distributed node discovery and overlay path management on a data communication network
US12381777B2 (en) * 2021-12-31 2025-08-05 Fortinet, Inc. Distributed node discovery and overlay path management on a data communication network

Also Published As

Publication number Publication date
US10277558B2 (en) 2019-04-30
US20180109493A1 (en) 2018-04-19
US9467478B1 (en) 2016-10-11
US9736113B1 (en) 2017-08-15
USRE50148E1 (en) 2024-09-24
USRE50105E1 (en) 2024-08-27

Similar Documents

Publication Publication Date Title
USRE50105E1 (en) Overlay management protocol for secure routing based on an overlay network
US10454821B2 (en) Creating and maintaining segment routed traffic engineering policies via border gateway protocol
US9264361B2 (en) System and method for implementing multiple label distribution protocol (LDP) instances in a network node
US7486659B1 (en) Method and apparatus for exchanging routing information between virtual private network sites
EP3420708B1 (en) Dynamic re-route in a redundant system of a packet network
WO2019105462A1 (en) Method and apparatus for sending packet, method and apparatus for processing packet, pe node, and node
US11881963B2 (en) Service-based transport classes for mapping services to tunnels
US20210385150A1 (en) Provisioning non-colored segment routing label switched paths via segment routing policies in border gateway protocol
US9762537B1 (en) Secure path selection within computer networks
CN106105116B (en) Procedure for adding alternate paths for IS-IS default routes
US20170070416A1 (en) Method and apparatus for modifying forwarding states in a network device of a software defined network
US11317272B2 (en) Method and system for enabling broadband roaming services
US12317179B2 (en) Dynamic access network selection based on application orchestration information in an edge cloud system
WO2021009554A1 (en) Method and system for secured information exchange between intermediate and endpoint nodes in a communications network
US20240267257A1 (en) Service-based transport classes for mapping services to tunnels
WO2020255150A1 (en) Method and system to transmit broadcast, unknown unicast, or multicast (bum) traffic for multiple ethernet virtual private network (evpn) instances (evis)
US12244495B2 (en) Method and apparatus for layer 2 route calculation in a route reflector network device
CN114978975A (en) Fast rerouting of BUM traffic in ethernet virtual private networks
US20240364515A1 (en) Securing multi-path tcp (mptcp) with wireguard protocol
WO2020100150A1 (en) Routing protocol blobs for efficient route computations and route downloads
US20250247336A1 (en) Routing improvement to reduce impact of out-of-resource condition
US11669256B2 (en) Storage resource controller in a 5G network system
Jain Analyzing Control Plane Traffic

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY