Abstract:
A routing mechanism preserves network segmentation through route distribution with segment identification, policy distribution for a given VPN segment, and per-segment encapsulation/decapsulation using an Ethernet VLAN ID that identifies the VPN segment (subnetwork). The segmentation information encapsulated in a message packet identifies which routing and forwarding table is used for the next hop. A common routing instance receives message packets from a common interface and indexes the corresponding VRF table from the VLAN ID, or segment identifier, which identifies the subnetwork (segment). In this manner, the routing instance receives an incoming message packet, strips the VLAN ID from it, and indexes the corresponding VRF and policy ID from that VLAN ID, so that a single routing instance over a common subinterface serves a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. a VPN router).
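The lookup described in this abstract, as an added example that is not the patent's own code: a common routing instance strips the 802.1Q tag, indexes a VRF table and policy ID from the VLAN ID, and does a longest-prefix match inside that VRF only. The segment table, the two VRFs, the addresses and the frame builder are all constructed for the example; the abstract does not specify them. Note that the same destination address resolves to a different next hop per segment, and that an unknown VLAN ID is dropped rather than falling through to some default VRF.

```python
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed state for one routing instance on one subinterface.
# The VLAN ID carried in the frame is the segment identifier; each segment
# maps to its own VRF table and policy ID.
SEGMENT_TABLE = {
    10: {"vrf": "VRF_RED", "policy_id": 100},
    20: {"vrf": "VRF_BLUE", "policy_id": 200},
}

# Per-VRF forwarding tables: prefix -> next hop. Overlapping address space
# between the VRFs is exactly what the segmentation has to keep apart.
VRF_TABLES = {
    "VRF_RED": {
        ipaddress.ip_network("10.0.0.0/8"): "10.255.0.1",
        ipaddress.ip_network("10.1.0.0/16"): "10.255.1.1",
    },
    "VRF_BLUE": {
        ipaddress.ip_network("10.0.0.0/8"): "10.254.0.1",
        ipaddress.ip_network("0.0.0.0/0"): "10.254.9.9",
    },
}


def decapsulate(frame: bytes):
    """Strip the 802.1Q tag from an Ethernet frame.

    Returns (vlan_id, ipv4_destination, inner_packet). Raises ValueError for
    untagged, non-IPv4 or truncated frames, so the caller never falls through
    to a default VRF by accident.
    """
    if len(frame) < 18 + 20:
        raise ValueError("frame too short for tag plus IPv4 header")
    (outer_type,) = struct.unpack("!H", frame[12:14])
    if outer_type != ETHERTYPE_VLAN:
        raise ValueError("untagged frame carries no segment identifier")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vlan_id = tci & 0x0FFF          # low 12 bits of the TCI; PCP/DEI ignored here
    if inner_type != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 payload is handled in this example")
    inner = frame[18:]
    dst_ip = ipaddress.ip_address(inner[16:20])
    return vlan_id, dst_ip, inner


def longest_prefix_match(table, dst_ip):
    best = None
    for prefix, next_hop in table.items():
        if dst_ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def forward(frame: bytes) -> dict:
    """Common routing instance: index the VRF and policy from the VLAN ID, then
    look up the next hop in that VRF only."""
    vlan_id, dst_ip, _ = decapsulate(frame)
    segment = SEGMENT_TABLE.get(vlan_id)
    if segment is None:
        # Unknown segment: fail closed rather than leak into another VRF.
        return {"action": "drop", "reason": f"unknown segment {vlan_id}"}
    match = longest_prefix_match(VRF_TABLES[segment["vrf"]], dst_ip)
    if match is None:
        return {"action": "drop", "reason": f"no route to {dst_ip} in {segment['vrf']}"}
    prefix, next_hop = match
    return {"action": "forward", "vrf": segment["vrf"],
            "policy_id": segment["policy_id"], "prefix": str(prefix), "next_hop": next_hop}


def build_frame(vlan_id: int, dst_ip: str) -> bytes:
    """Constructed test input: tagged frame with a minimal 20-byte IPv4 header."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    tag = struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    ip = bytearray(20)
    ip[0] = 0x45                                   # IPv4, IHL 5
    ip[2:4] = (20).to_bytes(2, "big")              # total length
    ip[8] = 64                                     # TTL
    ip[9] = 17                                     # UDP
    ip[12:16] = ipaddress.ip_address("10.9.9.9").packed
    ip[16:20] = ipaddress.ip_address(dst_ip).packed
    return dst_mac + src_mac + tag + bytes(ip)


if __name__ == "__main__":
    for vid, dst in [(10, "10.1.5.5"), (20, "10.1.5.5"), (20, "172.16.0.1"), (30, "10.1.5.5")]:
        print(vid, dst, forward(build_frame(vid, dst)))
```

Running the block prints the decision for each constructed frame: VLAN 10 and VLAN 20 carry the same destination but land on different next hops and policy IDs, and VLAN 30 is dropped because no segment is configured for it.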
Abstract:
A method and apparatus for routing protocol support for distributing encryption information is presented. Subnet prefixes reachable in an encrypted manner on a first customer site are identified, as are the security groups those prefixes belong to. An advertisement originating from a Customer (C) device in the first customer site is received at a first Customer Edge (CE) device in that site. The advertisement indicates links, subnets to be encrypted, and security group identifiers. The prefixes and security group identifiers are then propagated across a service provider network to a second CE device located in a second customer site. In this manner, encryption and authentication are extended further into a customer site, since customer devices can indicate to the service provider network infrastructure and to customer devices in other customer sites which local destinations require encryption and authentication.
Abstract:
A method and computer program product for providing autonomous system interconnect for a first peer device is presented. The first peer produces routing information and includes in it a context identifier and a context authenticator. The first peer then advertises this routing information to a second peer, and thereafter accepts only those messages from the second peer that include both the context identifier and the context authenticator.
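The accept rule from this abstract, as an added example rather than the patent's own construction. The abstract does not say how the context authenticator is built, so the example assumes it is an HMAC-SHA256, keyed with a secret that never leaves the issuing peer, over the context identifier and the ASN it was issued to. The peer names, ASNs and prefixes are constructed. Under that assumption a neighbour cannot mint a valid pair, a pair issued to one neighbour does not validate when another presents it, and a pair becomes stale once the issuer rotates its context.

```python
import hashlib
import hmac
import secrets


class Peer:
    """One autonomous-system border peer (hypothetical model of the scheme).

    Assumption for this example: the context authenticator is HMAC-SHA256
    over "context_id|remote_asn" under a key private to the issuing peer.
    """

    def __init__(self, asn: int, key: bytes = None):
        self.asn = asn
        self._key = key or secrets.token_bytes(32)   # local secret, never advertised
        self.contexts = {}                           # remote ASN -> context id in force

    def _authenticator(self, context_id: str, remote_asn: int) -> str:
        msg = f"{context_id}|{remote_asn}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def advertise(self, remote_asn: int, prefixes: list) -> dict:
        """Produce routing information carrying a fresh context id + authenticator."""
        context_id = secrets.token_hex(8)
        self.contexts[remote_asn] = context_id      # supersedes any earlier context
        return {
            "from_asn": self.asn, "to_asn": remote_asn, "prefixes": list(prefixes),
            "context_id": context_id,
            "context_authenticator": self._authenticator(context_id, remote_asn),
        }

    def accept(self, msg: dict) -> bool:
        """Accept a message from a remote peer only if it carries the context id
        currently issued to that peer and an authenticator that recomputes."""
        remote = msg.get("from_asn")
        context_id = msg.get("context_id")
        auth = msg.get("context_authenticator")
        if remote is None or context_id is None or auth is None:
            return False
        if self.contexts.get(remote) != context_id:   # unknown, stale, or someone else's
            return False
        return hmac.compare_digest(auth, self._authenticator(context_id, remote))


def reply(peer: Peer, received: dict, prefixes: list) -> dict:
    """The remote peer echoes the pair it was given into its own update."""
    return {
        "from_asn": peer.asn, "to_asn": received["from_asn"], "prefixes": list(prefixes),
        "context_id": received["context_id"],
        "context_authenticator": received["context_authenticator"],
    }


def exchange() -> dict:
    """Constructed exchange: AS65001 advertises to AS65002, which replies.
    A reply missing or altering the authenticator, an update from AS65003
    reusing AS65002's pair, and a reply sent after AS65001 rotated the context
    are all rejected."""
    a, b, c = Peer(65001), Peer(65002), Peer(65003)
    adv = a.advertise(65002, ["10.0.0.0/8"])
    good = reply(b, adv, ["192.0.2.0/24"])
    no_auth = {k: v for k, v in good.items() if k != "context_authenticator"}
    tampered = dict(good, context_authenticator="00" * 32)
    borrowed = reply(c, adv, ["198.51.100.0/24"])   # c presenting b's pair
    results = {
        "good": a.accept(good),
        "missing_authenticator": a.accept(no_auth),
        "tampered_authenticator": a.accept(tampered),
        "borrowed_by_other_peer": a.accept(borrowed),
    }
    a.advertise(65002, ["10.0.0.0/8"])              # rotate the context
    results["stale_after_rotation"] = a.accept(good)
    return results


if __name__ == "__main__":
    for case, accepted in exchange().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The check proves only that the sender holds the pair the first peer issued to it; it says nothing about who carried the message. The abstract does not claim otherwise, so in practice the pair would ride on top of, not instead of, whatever session protection the peering already has.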
Abstract:
A system requests a policy from a policy server and receives the policy in response. The policy indicates the processing to be applied to a traffic partition passing through the device. The system configures the policy within the routing structure associated with that traffic partition in the device, and routes the stream of traffic for that routing structure in accordance with the policy configured for it.
Abstract:
A method, apparatus and computer program product for providing secure multipoint Internet Protocol Virtual Private Networks (IPVPNs) is presented. A packet lookup is performed to determine the next hop. A VPN label is pushed onto the packet, followed by an IP tunnel header. Group encryption using DGVPN is further applied. In this manner, secure connectivity and network partitioning are provided in a single solution.
Abstract:
In general, techniques are described for enhancing the Application-Layer Traffic Optimization (ALTO) service by supplementing network topological grouping with location-based grouping to account for endpoint mobility. For example, as described herein, an ALTO server maintains physical location information for a network of one or more endpoints that provide a service. A PID generator of the ALTO server aggregates the endpoints into a set of one or more PIDs based at least on the physical location information for the endpoints, each PID being associated with a subset of the endpoints. The ALTO server generates network and cost maps for the ALTO service whose PID entries identify the subset of endpoints associated with each PID and whose cost entries reflect the physical distances among endpoints.
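A location-based PID generator and the resulting network and cost maps, as an added example that is not the patent's own implementation. The abstract does not fix the aggregation rule, so the example assumes a greedy one: an endpoint joins the first PID whose seed endpoint lies within a radius, otherwise it seeds a new PID. Costs between PIDs are great-circle distances (km) between PID centroids, computed with the haversine formula. The endpoint inventory and coordinates are constructed; the output dict layout loosely follows the ALTO network-map and cost-map shape.

```python
import math

EARTH_RADIUS_KM = 6371.0

# Constructed endpoint inventory: address -> (latitude, longitude).
ENDPOINTS = {
    "192.0.2.10": (50.110, 8.682),      # Frankfurt
    "192.0.2.11": (50.050, 8.570),      # Frankfurt, second site
    "192.0.2.20": (48.137, 11.575),     # Munich
    "198.51.100.5": (40.713, -74.006),  # New York
    "198.51.100.6": (40.736, -74.172),  # Newark
}


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def generate_pids(endpoints: dict, radius_km: float) -> dict:
    """PID generator. Assumed rule: greedy, an endpoint joins the first PID
    whose seed lies within radius_km, else it seeds a new PID.
    Returns pid name -> list of endpoint addresses."""
    seeds = {}   # pid -> seed location
    pids = {}    # pid -> endpoint addresses
    for addr, loc in sorted(endpoints.items()):
        for pid, seed in seeds.items():
            if haversine_km(seed, loc) <= radius_km:
                pids[pid].append(addr)
                break
        else:
            pid = f"pid{len(seeds)}"
            seeds[pid] = loc
            pids[pid] = [addr]
    return pids


def centroid(addrs, endpoints):
    lat = sum(endpoints[a][0] for a in addrs) / len(addrs)
    lon = sum(endpoints[a][1] for a in addrs) / len(addrs)
    return lat, lon


def network_map(pids: dict) -> dict:
    return {"meta": {"vtag": {"resource-id": "location-network-map", "tag": "v1"}},
            "network-map": {pid: {"ipv4": sorted(addrs)} for pid, addrs in pids.items()}}


def cost_map(pids: dict, endpoints: dict) -> dict:
    """Numerical cost between PIDs = distance in km between PID centroids."""
    centers = {pid: centroid(addrs, endpoints) for pid, addrs in pids.items()}
    costs = {src: {dst: round(haversine_km(centers[src], centers[dst]), 1)
                   for dst in centers} for src in centers}
    return {"meta": {"cost-type": {"cost-mode": "numerical", "cost-metric": "routingcost"}},
            "cost-map": costs}


if __name__ == "__main__":
    pids = generate_pids(ENDPOINTS, radius_km=100.0)
    print(network_map(pids))
    print(cost_map(pids, ENDPOINTS))
```

With a 100 km radius the two Frankfurt addresses share one PID, Munich gets its own, and New York and Newark share a third; the Frankfurt to New York cost comes out a little over 6,200 km while intra-PID cost is zero. Because the generator re-runs from the current location table, an endpoint that moves simply lands in a different PID on the next map generation, which is the mobility case the abstract is after.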
Abstract:
In general, techniques are described for transmitting MPLS labels over a network. More specifically, a network device such as a router receives a packet to be forwarded according to a label switching protocol, such as Multi-Protocol Label Switching (MPLS). The router may determine a service instance for the packet based on the client device from which the packet originated. The network device may determine one or more services to apply to the packet based on that service instance and generate a label having a service instance portion and a service information portion. The network device may append the label to the packet to form an MPLS-encapsulated packet, and may forward the MPLS-encapsulated packet via an output interface according to the label switching protocol.
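The label construction from this abstract, as an added example that is not the patent's own encoding. The abstract does not say how the 20-bit label field is divided, so the example assumes an 8-bit service instance portion followed by a 12-bit service information bitmap, with the client-to-instance and instance-to-services tables constructed for the example. The reserved-label check matters with any such split: service instance 0 with a small bitmap would otherwise produce a label in the range 0 to 15 that RFC 3032 reserves for special purposes.

```python
import struct

# Assumed label layout for this example (the page does not fix the split):
# 20-bit label = 8-bit service instance | 12-bit service information bitmap.
INSTANCE_BITS = 8
INFO_BITS = 12
SERVICE_BITS = {"firewall": 1 << 0, "nat": 1 << 1, "dpi": 1 << 2, "ids": 1 << 3}
RESERVED_LABEL_MAX = 15     # labels 0-15 are reserved (RFC 3032 / IANA registry)

# Constructed mapping from originating client to service instance, and from
# instance to the services applied on that instance's behalf.
CLIENT_INSTANCE = {"203.0.113.7": 3, "203.0.113.9": 7}
INSTANCE_SERVICES = {3: ["firewall", "nat"], 7: ["dpi"]}


def build_label(service_instance: int, services) -> int:
    if not 0 <= service_instance < (1 << INSTANCE_BITS):
        raise ValueError("service instance does not fit in 8 bits")
    info = 0
    for name in services:
        info |= SERVICE_BITS[name]
    label = (service_instance << INFO_BITS) | info
    if label <= RESERVED_LABEL_MAX:
        # instance 0 with a small bitmap would collide with reserved labels
        raise ValueError(f"label {label} falls in the reserved range 0-15")
    return label


def split_label(label: int):
    """Inverse of build_label: (service_instance, sorted service names)."""
    instance = label >> INFO_BITS
    info = label & ((1 << INFO_BITS) - 1)
    services = sorted(name for name, bit in SERVICE_BITS.items() if info & bit)
    return instance, services


def encode_lse(label: int, tc: int = 0, bottom: bool = True, ttl: int = 64) -> bytes:
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label exceeds 20 bits")
    word = (label << 12) | ((tc & 7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_lse(data: bytes):
    """Unpack a label stack entry into (label, tc, bottom_of_stack, ttl)."""
    (word,) = struct.unpack("!I", data[:4])
    return word >> 12, (word >> 9) & 7, bool((word >> 8) & 1), word & 0xFF


def encapsulate(packet: bytes, client_ip: str, ttl: int = 64) -> bytes:
    """Ingress: derive the instance from the originating client, encode its
    services into the label, push the label and return the MPLS packet."""
    instance = CLIENT_INSTANCE[client_ip]
    label = build_label(instance, INSTANCE_SERVICES[instance])
    return encode_lse(label, ttl=ttl) + packet


def decapsulate(mpls_packet: bytes):
    """Service node: recover instance and services from the top label, pop it."""
    label, _tc, bottom, _ttl = decode_lse(mpls_packet)
    if not bottom:
        raise ValueError("example handles a single-label stack only")
    instance, services = split_label(label)
    return instance, services, mpls_packet[4:]


if __name__ == "__main__":
    ip_packet = b"\x45" + bytes(19)          # constructed placeholder IPv4 header
    encapsulated = encapsulate(ip_packet, "203.0.113.7")
    print(encapsulated[:4].hex(), decapsulate(encapsulated)[:2])
```

A label carrying per-client service selection is forwarding state that any node able to push labels can influence, so a service node consuming this encoding should only honour it on interfaces where the ingress is trusted to set it; the abstract leaves that policy to the deployment.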
Abstract:
Techniques are described for detecting failure or degradation of a service enabling technology function independently of the operational state of the service node hosting that function. For example, a service node may provide one or more service enabling technology functions, and service engineered paths may be traffic-engineered through a network to the service node network devices that host such a function. A monitor component at the service layer of the service node can detect failure or degradation of one or more service enabling technology functions provided by the service node. The monitor component reports the detection to a fault detection network protocol in the forwarding plane of the service node. That fault detection network protocol communicates with the ingress router of a service engineered path, triggering fast reroute at the ingress so that traffic flows bypass the affected service enabling technology function.
Abstract:
A novel fast reroute (FRR) technique is provided for quickly and efficiently rerouting selected types of network traffic in response to a node or link failure at the edge of a computer network. According to the technique, the network includes first and second edge devices that function as “FRR mates,” such that network traffic originally destined for one FRR mate can be quickly rerouted to the other without waiting for conventional network convergence. When an edge device receives rerouted packets originally destined for its FRR mate, it forwards only those rerouted packets matching the selected traffic types; rerouted packets that do not match are dropped or otherwise discarded. The first and second edge devices may be statically configured as FRR mates, e.g. by a network administrator, or they may be configured to detect their compatibility as FRR mates automatically.
Abstract:
In response to a failure within a sub-network of a heterogeneous network, an external device is signaled that the failure has occurred, with an encoded identifier of the failure location included in the signaling. The encoded identifier allows the failure location to be identified within the sub-network while masking its identity from the external device; it may be realized as an encrypted sub-object or as a token associated with the failure location information, which remains stored within the sub-network. The external device responds by issuing a path-establishment message indicating that a new communications path should be established and should exclude the failure location identified by the encoded identifier, which is included in the path-establishment message. A device within the sub-network then determines whether a path segment for the new communications path can be provided while excluding the failure location identified by the encoded identifier, and further path-setup functions are performed based on that determination.
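The signaling loop from this abstract, as an added example that is not the patent's own implementation. It takes the token variant: the sub-network border keeps the real failed link in a local table and hands the external device a random token, and the external device echoes that token back in an exclude list on its path-establishment message. The HMAC tag appended to the token is an assumption of the example, added so that a forged or altered identifier is rejected instead of silently matching nothing. The four-node topology, the message field names and the BFS path computation are constructed; nothing here is RSVP-TE or any real protocol encoding.

```python
import hashlib
import hmac
import secrets
from collections import deque


class SubNetworkBorder:
    """Border node of the sub-network (hypothetical model of the token variant).
    Failure locations stay in self._failures; the outside only sees tokens."""

    def __init__(self, links):
        self._key = secrets.token_bytes(32)       # never leaves the sub-network
        self._failures = {}                       # encoded id -> failed link
        self.links = {frozenset(l) for l in links}

    def _tag(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()[:16]

    def report_failure(self, link) -> dict:
        """Signal the external device without disclosing which link failed.
        A fresh token per report also stops the outside from linking repeats."""
        token = secrets.token_hex(8)
        encoded = f"{token}.{self._tag(token)}"
        self._failures[encoded] = frozenset(link)
        return {"type": "PathErr", "failure_id": encoded}

    def resolve(self, encoded: str):
        token, _, tag = encoded.partition(".")
        if not hmac.compare_digest(tag, self._tag(token)):
            raise ValueError("failure identifier failed integrity check")
        return self._failures.get(encoded)

    def handle_path_setup(self, msg: dict) -> dict:
        """Compute a segment that avoids every location named by an encoded id."""
        excluded = set()
        for fid in msg.get("exclude", []):
            try:
                link = self.resolve(fid)
            except ValueError:
                return {"type": "PathErr", "reason": "invalid failure identifier"}
            if link is None:
                return {"type": "PathErr", "reason": "unknown failure identifier"}
            excluded.add(link)
        path = shortest_path(self.links - excluded, msg["ingress"], msg["egress"])
        if path is None:
            return {"type": "PathErr", "reason": "no segment avoids the excluded location"}
        return {"type": "Resv", "path": path}


def shortest_path(links, src, dst):
    """Plain BFS over undirected links (each link is a 2-element frozenset)."""
    adj = {}
    for link in links:
        a, b = tuple(link)
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, [])):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def external_device_response(path_err: dict, ingress: str, egress: str, known=()) -> dict:
    """External device: request a new path that excludes the opaque identifier(s)."""
    return {"type": "Path", "ingress": ingress, "egress": egress,
            "exclude": list(known) + [path_err["failure_id"]]}


def scenario() -> dict:
    """Constructed sub-network r1-r2-r3 and r1-r4-r3; link r2-r3 fails, then r4-r3."""
    border = SubNetworkBorder([("r1", "r2"), ("r2", "r3"), ("r1", "r4"), ("r4", "r3")])
    err1 = border.report_failure(("r2", "r3"))
    setup1 = external_device_response(err1, "r1", "r3")
    reroute = border.handle_path_setup(setup1)
    err2 = border.report_failure(("r4", "r3"))
    setup2 = external_device_response(err2, "r1", "r3", known=setup1["exclude"])
    exhausted = border.handle_path_setup(setup2)
    repeats = {border.report_failure(("r2", "r3"))["failure_id"] for _ in range(3)}
    return {"failure_id": err1["failure_id"], "reroute": reroute,
            "after_second_failure": exhausted, "repeat_ids_distinct": len(repeats) == 3}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The external device learns that something failed and can steer around it, but the identifier it holds names no node or link and a later report about the same link carries a different token. With the encrypted-sub-object variant the abstract also allows, the sub-network must take care that two reports of the same location do not produce the same ciphertext, since equal ciphertexts would let the outside correlate failures even without decrypting them.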