公开(公告)号：US07688829B2

公开(公告)日：2010-03-30

申请号：US11226011

申请日：2005-09-14

申请人： James N. Guichard ,  W. Scott Wainner ,  Saul Adler ,  Khalil A. Jabr ,  S. Scott Van de Houten

发明人： James N. Guichard ,  W. Scott Wainner ,  Saul Adler ,  Khalil A. Jabr ,  S. Scott Van de Houten

IPC分类号： H04L12/28

CPC分类号： H04L12/4641 ,  H04L45/50 ,  H04L45/66

摘要： A routing mechanism provides network segmentation preservation by route distribution with segment identification, policy distribution for a given VPN segment, and encapsulation/decapsulation for each segment using an Ethernet VLAN_ID, indicative of the VPN segment (subnetwork). Encapsulated segmentation information in a message packet identifies which routing and forwarding table is employed for the next hop. A common routing instance receives the message packets from the common interface, and indexes a corresponding VRF table from the VLAN ID, or segment identifier, indicative of the subnetwork (e.g. segment). In this manner, the routing instance receives the incoming message packet, decapsulates the VLAN ID in the incoming message packet, and indexes the corresponding VRF and policy ID from the VLAN ID, therefore employing a common routing instance over a common subinterface for a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. VPN router).

摘要翻译： 路由机制通过分段识别，给定VPN段的策略分配以及使用指示VPN段（子网）的以太网VLAN_ID对每个段进行封装/解封装来提供网络分段保护。 消息分组中的封装分段信息标识下一跳采用的路由和转发表。 公共路由实例从公共接口接收消息包，并从指示子网（例如，段）的VLAN ID或段标识符中对相应的VRF表进行索引。 以这种方式，路由实例接收到入消息包，将入局消息包中的VLAN ID解封装，并从VLAN ID中对相应的VRF和策略ID进行索引，因此在公共子接口上采用公共路由实例， 耦合到特定转发设备（例如，VPN路由器）的段（子网络）。

公开(公告)号：US07869436B1

公开(公告)日：2011-01-11

申请号：US11250010

申请日：2005-10-13

申请人： Saul Adler ,  James N. Guichard ,  Luca Martini ,  Venkateswara Rao Yarlagadda ,  W. Scott Wainner

发明人： Saul Adler ,  James N. Guichard ,  Luca Martini ,  Venkateswara Rao Yarlagadda ,  W. Scott Wainner

IPC分类号： H04L12/28

CPC分类号： H04L12/4641 ,  H04L29/12216 ,  H04L61/2007 ,  H04L63/0272 ,  H04L63/08

摘要： A system allows a device to communicate using a virtual network the method by assigning a network address to the device. The network address is selected from a plurality of network addresses that can be assigned to any of a plurality of virtual networks. The system receives a request to authenticate the device, and then determines a virtual network on which to assign the device. The virtual network is selected from the plurality of virtual networks. The system identifies the device as authenticated based on the assigning of the network address and the virtual network.

摘要翻译： 系统允许设备使用虚拟网络通过向设备分配网络地址来进行通信。 从可以分配给多个虚拟网络中的任一个的多个网络地址中选择网络地址。 系统接收到认证设备的请求，然后确定要在其上分配设备的虚拟网络。 从多个虚拟网络中选择虚拟网络。 系统根据网络地址和虚拟网络的分配来识别设备的身份认证。

公开(公告)号：US20100064137A1

公开(公告)日：2010-03-11

申请号：US12231813

申请日：2008-09-05

申请人： David A. McGrew ,  Mark Baugher ,  Saul Adler ,  William C. Melohn

发明人： David A. McGrew ,  Mark Baugher ,  Saul Adler ,  William C. Melohn

IPC分类号： H04L9/00

CPC分类号： H04L63/0464 ,  H04L9/0833 ,  H04L9/3242 ,  H04L63/065

摘要： Systems, methods, and other embodiments associated with processing secure network traffic are described. One example method includes determining whether a device is a preconfigured member of a group key system. If the device is not a preconfigured member then the method selectively establishes membership in the group key system by requesting membership from a group controller. The example method may also include receiving a set of keys from the group controller and being assigned a role by the group controller. The method may further include processing secure network traffic as an inspection point, a rewriting point, and/or a validation point based on the received set of keys and the assigned role(s).

摘要翻译： 描述了与处理安全网络业务相关联的系统，方法和其他实施例。 一个示例性方法包括确定设备是组密钥系统的预配置成员。 如果设备不是预配置的成员，则该方法通过从组控制器请求成员资格来选择性地建立组密钥系统中的成员关系。 示例性方法还可以包括从组控制器接收一组密钥并由组控制器分配角色。 该方法还可以包括基于所接收的密钥集合和所分配的角色来将安全网络业务作为检查点，重写点和/或验证点进行处理。

公开(公告)号：US20070058638A1

公开(公告)日：2007-03-15

申请号：US11226011

申请日：2005-09-14

申请人： James Guichard ,  W. Wainner ,  Saul Adler ,  Khalil Jabr ,  S. Van de Houten

发明人： James Guichard ,  W. Wainner ,  Saul Adler ,  Khalil Jabr ,  S. Van de Houten

IPC分类号： H04L12/28

CPC分类号： H04L12/4641 ,  H04L45/50 ,  H04L45/66

摘要： A routing mechanism provides network segmentation preservation by route distribution with segment identification, policy distribution for a given VPN segment, and encapsulation/decapsulation for each segment using an Ethernet VLAN_ID, indicative of the VPN segment (subnetwork). Encapsulated segmentation information in a message packet identifies which routing and forwarding table is employed for the next hop. A common routing instance receives the message packets from the common interface, and indexes a corresponding VRF table from the VLAN ID, or segment identifier, indicative of the subnetwork (e.g. segment). In this manner, the routing instance receives the incoming message packet, decapsulates the VLAN ID in the incoming message packet, and indexes the corresponding VRF and policy ID from the VLAN ID, therefore employing a common routing instance over a common subinterface for a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. VPN router).

摘要翻译： 路由机制通过分段识别，给定VPN段的策略分配以及使用指示VPN段（子网）的以太网VLAN_ID对每个段进行封装/解封装来提供网络分段保护。 消息分组中的封装分段信息标识下一跳采用的路由和转发表。 公共路由实例从公共接口接收消息包，并从指示子网（例如，段）的VLAN ID或段标识符中对相应的VRF表进行索引。 以这种方式，路由实例接收到入消息包，将入局消息包中的VLAN ID解封装，并从VLAN ID中对相应的VRF和策略ID进行索引，因此在公共子接口上采用公共路由实例， 耦合到特定转发设备（例如，VPN路由器）的段（子网络）。

公开(公告)号：US08347073B2

公开(公告)日：2013-01-01

申请号：US12231813

申请日：2008-09-05

申请人： David A. McGrew ,  Mark Baugher ,  Saul Adler ,  William C. Melohn

发明人： David A. McGrew ,  Mark Baugher ,  Saul Adler ,  William C. Melohn

IPC分类号： H04L29/02 ,  H04L9/08

CPC分类号： H04L63/0464 ,  H04L9/0833 ,  H04L9/3242 ,  H04L63/065

摘要： Systems, methods, and other embodiments associated with processing secure network traffic are described. One example method includes determining whether a device is a preconfigured member of a group key system. If the device is not a preconfigured member then the method selectively establishes membership in the group key system by requesting membership from a group controller. The example method may also include receiving a set of keys from the group controller and being assigned a role by the group controller. The method may further include processing secure network traffic as an inspection point, a rewriting point, and/or a validation point based on the received set of keys and the assigned role(s).

摘要翻译： 描述了与处理安全网络业务相关联的系统，方法和其他实施例。 一个示例性方法包括确定设备是组密钥系统的预配置成员。 如果设备不是预配置的成员，则该方法通过从组控制器请求成员资格来选择性地建立组密钥系统中的成员关系。 示例性方法还可以包括从组控制器接收一组密钥并由组控制器分配角色。 该方法还可以包括基于所接收的密钥集合和所分配的角色来将安全网络业务作为检查点，重写点和/或验证点进行处理。