Abstract:
Techniques for secure communication in a tunnel-less VPN are provided. A key server generates and provides, to each VPN gateway, different, yet mathematically-related keying material. A VPN gateway receives distinct keying material for each designated address block (e.g., subnet) behind the VPN gateway. In response to receiving a packet from a source host whose address falls within one of the designated address blocks, the VPN gateway identifies the appropriate keying material. The VPN gateway determines an identifier for the address block that includes the destination address. The identifier and the identified keying material are used to generate a key. The VPN gateway encrypts the packet with the key and forwards the encrypted packet to the destination host.
Abstract:
A method and apparatus for performing Layer 2 (L2) interworking is presented. An L2 Protocol Data Unit (PDU) is received at an L2 Switching Entity (SE). The L2 PDU is converted to a normalized Pseudowire (PW) PDU. The normalized PW PDU is then forwarded to a Layer 3 (L3) Routing Entity (RE). The normalized PDU may be in the form of a predetermined L2 protocol or an L2-agnostic protocol.
Abstract:
A first node generates and transmits a notification message including routing policy attributes such as network address information and a corresponding gateway identifier. The gateway identifier identifies a gateway in a physical network through which future generated data messages shall be forwarded to at least one host computer (e.g., any computer having an associated network address) as indicated by the network address information. A second node receiving the notification message utilizes the routing policy attributes to dynamically update its database identifying how to forward data packets. In this way, nodes (e.g., CE routers) of a network can be dynamically configured to support routing of messages based on the network address information and gateway identifier disseminated along with the notification message.
Abstract:
A method, apparatus and computer program product are presented for routing data within a packet-switched network using a PW, wherein the PW is terminated directly on the layer-3 routing device so that certain services and applications can be utilized. The method, apparatus and computer program product receive an encapsulated layer-2 Protocol Data Unit (PDU) from a pseudowire emulating a service. The encapsulation is removed from the encapsulated layer-2 PDU and a layer-2 circuit associated with the pseudowire is terminated. The circuit is treated as an interface and the PDU is forwarded based on upper-layer protocol information within the PDU.
Abstract:
A system allows a device to communicate using a virtual network by assigning a network address to the device. The network address is selected from a plurality of network addresses that can be assigned to any of a plurality of virtual networks. The system receives a request to authenticate the device, and then determines a virtual network on which to assign the device. The virtual network is selected from the plurality of virtual networks. The system identifies the device as authenticated based on the assigning of the network address and the virtual network.
Abstract:
Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system enumerates a set of subranges (subnets) included in a particular group, such as a VPN, establishes a group key corresponding to the group, and applies the group key to communications from the group members in the subnets. The group key is associated with the group ID by enumerating the address prefixes corresponding to each of the subnets in the group, and examining outgoing transmissions for destination addresses matching one of the address prefixes corresponding to the group.