System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks
    1. Patent application (status: under examination, published)

    Publication number: US20030115480A1

    Publication date: 2003-06-19

    Application number: US10023043

    Filing date: 2001-12-17

    Applicant: WorldCom, Inc.

    Inventor: David E. McDysan

    CPC classification number: H04L63/1458 H04L63/0272

    Abstract: A network architecture in accordance with the present invention includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer's VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with intra-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails special configuration of network elements and protocols, including partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing and the configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge routers. By configuring the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.


    Policy-based synchronization of per-class resources between routers in a data network
    2. Patent application (status: granted, in force)

    Publication number: US20020194369A1

    Publication date: 2002-12-19

    Application number: US10095909

    Filing date: 2002-03-12

    Applicant: WORLDCOM, Inc.

    Abstract: A data network may include an upstream router having one or more data handling queues, a downstream router, and a policy server. In one embodiment, the policy server includes processing resources, a communication interface in communication with the processing resources, and data storage that stores a configuration manager executable by the processing resources. The configuration manager configures data handling queues of the upstream router to provide a selected bandwidth to one or more of a plurality of service classes of data flows. In addition, the configuration manager transmits to the downstream router one or more virtual pool capacities, each corresponding to a bandwidth at the upstream router for one or more associated service classes among the plurality of service classes. In one embodiment, the configuration manager configures the data handling queues on the upstream router only in response to acknowledgment that one or more virtual pool capacities transmitted to the downstream router were successfully installed.


    Edge-based per-flow QoS admission control in a data network
    4. Patent application (status: granted, in force)

    Publication number: US20020194362A1

    Publication date: 2002-12-19

    Application number: US10095956

    Filing date: 2002-03-12

    Applicant: WORLDCOM, Inc.

    Abstract: In one embodiment of the invention, a network system includes a boundary router, a second router, and an upstream link of the second router coupled between an output port of the boundary router and an input port of the second router. The second router includes an admission control function and a data plane. In response to a request to reserve resources for a flow through the second router, the admission control function performs admission control for both the upstream link and its downstream link. In a preferred embodiment, the second router performs admission control for the upstream link only if the second router is a receiving edge router for the flow. Because the second router performs admission control for its upstream link, the boundary router transmits the request toward an upstream router without performing admission control for that link.

