Design of a simple network to manage multiple VPNs

IP.com Disclosure Number: IPCOM000014351D
Original Publication Date: 2002-Jan-22
Included in the Prior Art Database: 2003-Jun-19
Document File: 6 page(s) / 136K

Publishing Venue

IBM

This is the abbreviated version, containing approximately 30% of the total text.

Page 1 of 6

1. Abstract

Nowadays, VPN (Virtual Private Network) is a popular network technology for saving cost and providing a highly secure connection over the Internet (i.e. without using a dedicated peer-to-peer line). To make connections between several end sites by VPN, both end routers normally establish a virtual private IP connection with an IP encapsulation technique called tunneling. An ISP (Internet Service Provider) or service vendor proposes this solution to its customers, then maintains and operates the customer premises, monitors the services, and collaborates with the customers. In this style, when such a provider makes many connections for each customer, many VPN segments are located on the provider side. This is troublesome for the provider because the VPN segments are completely independent networks that must be kept separate for security reasons, yet usually one maintainer maintains several customer premises, and one operation center wants to operate every VPN segment without moving to each VPN site located at the provider. Thus it has been said that maintaining multiple VPN segments requires annoying operations from the system maintainer or operator.

My invention solves these kinds of problems very easily, using a simple network design. It does not require any special equipment. It makes two segments based on several security policies.

2. Requirement to manage multiple VPN segments

The simplest way to make connectivity between VPNs and maintainers is a direct connection (Fig. 1). But this requires every VPN to have physical connections to the operator's terminal (e.g., NMS) and to the maintainers. This means that whenever the provider sets up a VPN segment for a new customer, the maintainer and operator need to walk through every VPN segment in order to connect their responsible services, or a physical line must be led to the proper area, which might be sparsely located.

Page 2 of 6

[Figure: Fig.1. Direct Connection and Fig.2. Router Segmentation. Diagram labels: Customer-1 to Customer-5, Service Provider Network, Internet, routers (R), VPN-1 to VPN-5, Operator Site.]

To make it smarter, we would consider using routers to gather the VPN segments (Fig. 2). As will be seen, every maintainer and operator sends/receives packets toward/from these routers and must connect to each VPN segment. Unfortunately, this design raises the following issues:

1. we must prepare a network interface card for each customer.

2. we must prohibit traffic from VPN to VPN to keep each one secure.

3. we must permit incoming and outgoing traffic only for administered maintainers and operators.

4. we cannot use a legacy router if customers' network addresses are duplicated.

To solve this kind of problem, designing following two
independent...
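The four issues listed for the router-segmentation design (Fig. 2) can be checked mechanically on a table of customer prefixes. The following Python model is an added example, not part of the original disclosure: the segment names, the prefixes (10.x.0.0/24 for customers, the documentation range 192.0.2.0/24 for the operator site), and the policy functions are constructed here for illustration. It counts the interfaces needed (issue 1), refuses VPN-to-VPN forwarding (issue 2), permits only traffic to or from the administered operator site (issue 3), and flags duplicated customer addressing that a legacy router could not resolve (issue 4).

```python
"""Model of the router-segmentation design (Fig. 2) and the four issues it raises.

Added example: the prefixes, names and policy below are constructed to
illustrate the disclosure's points; they are not part of the original document.
"""
import ipaddress
from itertools import combinations

# Constructed sample: each customer VPN segment terminates on its own router
# interface (issue 1), so one prefix per customer.
CLEAN_SEGMENTS = {
    "VPN-1": "10.1.0.0/24",
    "VPN-2": "10.2.0.0/24",
    "VPN-3": "10.3.0.0/24",
}

# Constructed sample with duplicated customer addressing (issue 4): VPN-3 reuses
# the prefix of VPN-1, which a legacy router cannot tell apart.
OVERLAPPING_SEGMENTS = {
    "VPN-1": "10.1.0.0/24",
    "VPN-2": "10.2.0.0/24",
    "VPN-3": "10.1.0.0/24",
}

# Constructed operator-site prefix: the only administered maintainers/operators
# (issue 3). 192.0.2.0/24 is a documentation range, chosen for the example.
OPERATOR_SITE = "192.0.2.0/24"


def interface_count(segments):
    """Issue 1: one router interface is needed per customer segment."""
    return len(segments)


def find_overlaps(segments):
    """Issue 4: report every pair of customer prefixes that overlap."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in segments.items()]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def locate(ip, segments, operator_net=OPERATOR_SITE):
    """Return the names of all zones whose prefix contains ip.

    A legacy router keeps a single forwarding table, so this list should have
    exactly one entry; more than one means the addressing is ambiguous.
    """
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(operator_net):
        return ["operator"]
    return [name for name, cidr in segments.items()
            if addr in ipaddress.ip_network(cidr)]


def classify(src, dst, segments, operator_net=OPERATOR_SITE):
    """Decide whether the aggregating router should forward src -> dst.

    Returns one of: "permit", "deny-inter-vpn" (issue 2),
    "deny-unknown" (issue 3) or "ambiguous" (issue 4).
    """
    src_zones = locate(src, segments, operator_net)
    dst_zones = locate(dst, segments, operator_net)
    if len(src_zones) > 1 or len(dst_zones) > 1:
        return "ambiguous"          # duplicated customer addresses
    if not src_zones or not dst_zones:
        return "deny-unknown"       # neither a customer VPN nor the operator site
    s, d = src_zones[0], dst_zones[0]
    if s == "operator" or d == "operator":
        return "permit"             # administered maintainers/operators only
    if s == d:
        return "permit"             # traffic staying inside one customer VPN
    return "deny-inter-vpn"         # customers must not reach each other


if __name__ == "__main__":
    print("interfaces needed:", interface_count(CLEAN_SEGMENTS))
    print("overlaps:", find_overlaps(OVERLAPPING_SEGMENTS))
    for src, dst in [("192.0.2.10", "10.2.0.7"), ("10.1.0.5", "10.2.0.7"),
                     ("10.1.0.5", "198.51.100.9")]:
        print(src, "->", dst, classify(src, dst, CLEAN_SEGMENTS))
    print("overlap case:", classify("192.0.2.10", "10.1.0.5", OVERLAPPING_SEGMENTS))
```

The policy is deliberately default-deny: a packet is forwarded only when one end is the administered operator site or both ends lie in the same customer segment. The overlap check is the point of issue 4: once two customers share a prefix, `locate` returns two names for the same address and the router can no longer decide which segment a packet belongs to, which is why the disclosure says a legacy router cannot be used in that case.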