
TECHNIQUES FOR ABSTRACTING NETWORK COMPLEXITY FROM AN EXTERNAL INTERNET PROTOCOL SECURITY VIRTUAL PRIVATE NETWORK DEVICE

IP.com Disclosure Number: IPCOM000212428D
Publication Date: 2011-Nov-11
Document File: 3 page(s) / 83K

Publishing Venue

The IP.com Prior Art Database

Related People

Craig Hill: AUTHOR

Abstract

Techniques are provided that separate a forwarding Internet Protocol (IP) address (e.g., IP version 4 (IPv4) or IP version 6 (IPv6)) from the actual user-specific host address (e.g., IPv4, IPv6, virtual private network (VPN) version 4 (VPNv4), VPN version 6 (VPNv6)). These techniques allow the forwarding and security of networks that utilize external IP Security (IPSec) VPN devices (IVDs) to be optimized when IP packet-layer encryption is required. To eliminate limitations of IVDs, the techniques described herein keep forwarding addresses separate from user-specific "protected" host addresses. This allows for optimized packet-forwarding mechanisms while still leveraging the full security of the IVDs.




AUTHORS:

Craig Hill
Anthony Grieco

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

Internet Protocol (IP) Security (IPSec) Virtual Private Network (VPN) devices (IVDs) are often required in network communication paths. For example, when location and identity separation between network devices is required, an IVD may be deployed within the network. An example of an IVD deployed in such a network is shown in FIG. 1. The location and identity separation requirement means that IP packet forwarding must use a single IP source address for communication between any two or more secure routing devices (SRDs). In essence, the IVD acts as a forwarding proxy for all host-to-host communication between peers in the endpoint prefix (EP) address spaces of the SRDs.

Copyright 2011 Cisco Systems, Inc.



According to the techniques described herein, the SRD uses a care-of address (CoA) as the single source address for forwarding to any peer SRD (and, e.g., to the IVD) whenever the hosts behind the SRD, which sit in a unique address space hidden from the rest of the network, need to communicate with hosts elsewhere in the network. The major advantage of this method is the ability to place many EPs/hosts behind a single SRD. Forwarding from the SRD to the IVD requires that only a single source IP address (the CoA) be known to the source IVD; the IVD therefore needs to know only the one CoA designated on each SRD in the network, rather than the protected host addresses behind it.
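The following is an added illustration of the CoA mechanism, not code from the disclosure or from Cisco: each SRD wraps host-to-host packets from its hidden EP space in an outer header whose source and destination are CoAs only, and the IVD's policy table is keyed on CoA pairs. The tunnel format is assumed here to be plain IP-in-IP (RFC 2003, IP protocol 4); the device names, addresses, prefixes and the identity-to-location peer map are constructed for the example. The function `selectors_needed` goes slightly beyond the text by counting how many IVD selectors a full mesh of sites needs with and without the CoA abstraction.

```python
"""Added example (not the disclosure's own code): one secure routing device
(SRD) per site hides its endpoint-prefix (EP) hosts behind a single care-of
address (CoA) by IP-in-IP encapsulation (RFC 2003, IP protocol 4), so the
external IPsec device (IVD) selects traffic on CoA pairs alone.
Addresses, prefixes and the peer map below are constructed for illustration."""
import ipaddress
import struct

IPPROTO_IPIP = 4  # IP-in-IP, RFC 2003
_HDR = "!BBHHHBBH4s4s"  # IPv4 header without options


def _checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet with a valid header checksum."""
    hdr = struct.pack(_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return src, dst, protocol and payload; reject a bad header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(_HDR, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total]}


class SRD:
    """Secure routing device: one CoA on the wire, many hidden EP hosts behind it."""

    def __init__(self, coa: str, ep_prefix: str, peer_map: dict):
        self.coa = coa
        self.ep_prefix = ipaddress.IPv4Network(ep_prefix)
        # identity -> location: remote EP prefix -> CoA of the SRD fronting it
        self.peer_map = {ipaddress.IPv4Network(p): c for p, c in peer_map.items()}

    def encapsulate(self, inner: bytes) -> bytes:
        """Wrap a host-to-host packet so the outer header carries only CoAs."""
        ih = parse_ipv4(inner)
        if ipaddress.IPv4Address(ih["src"]) not in self.ep_prefix:
            raise ValueError("inner source %s is outside this SRD's EP space" % ih["src"])
        dst = ipaddress.IPv4Address(ih["dst"])
        for prefix, remote_coa in self.peer_map.items():
            if dst in prefix:
                return build_ipv4(self.coa, remote_coa, IPPROTO_IPIP, inner)
        raise LookupError("no peer SRD fronts %s" % dst)

    def decapsulate(self, outer: bytes) -> bytes:
        """Strip the outer header; accept only tunnels to our CoA from a known
        peer CoA whose inner destination lies in our own EP space."""
        oh = parse_ipv4(outer)
        if oh["proto"] != IPPROTO_IPIP or oh["dst"] != self.coa:
            raise ValueError("not an IP-in-IP packet for CoA %s" % self.coa)
        if oh["src"] not in self.peer_map.values():
            raise ValueError("tunnel from unknown CoA %s" % oh["src"])
        inner = oh["payload"]
        if ipaddress.IPv4Address(parse_ipv4(inner)["dst"]) not in self.ep_prefix:
            raise ValueError("inner destination outside local EP space")
        return inner


def ivd_selector(spd: set, outer: bytes):
    """IVD policy lookup: the SPD is keyed on unordered CoA pairs only."""
    oh = parse_ipv4(outer)
    key = tuple(sorted((oh["src"], oh["dst"])))
    return key if key in spd else None


def selectors_needed(sites: dict) -> tuple:
    """sites: CoA -> list of EP prefixes behind that SRD.  Returns (selectors
    needed on CoA pairs, selectors needed if the IVD had to match EP prefix pairs)."""
    coas = list(sites)
    coa_pairs = len(coas) * (len(coas) - 1) // 2
    prefix_pairs = sum(len(sites[a]) * len(sites[b])
                       for i, a in enumerate(coas) for b in coas[i + 1:])
    return coa_pairs, prefix_pairs


def demo() -> dict:
    """Two sites: a host in 10.1.0.0/16 behind SRD A talks to one behind SRD B."""
    srd_a = SRD("203.0.113.1", "10.1.0.0/16", {"10.2.0.0/16": "203.0.113.2"})
    srd_b = SRD("203.0.113.2", "10.2.0.0/16", {"10.1.0.0/16": "203.0.113.1"})
    spd = {("203.0.113.1", "203.0.113.2")}  # the only selector the IVD needs for this pair
    inner = build_ipv4("10.1.0.7", "10.2.0.9", 17, b"constructed UDP payload")
    outer = srd_a.encapsulate(inner)
    oh = parse_ipv4(outer)
    # the same inner packet tunnelled from an unknown CoA matches no IVD selector
    foreign = build_ipv4("198.51.100.9", "203.0.113.2", IPPROTO_IPIP, inner)
    return {"outer_src": oh["src"], "outer_dst": oh["dst"], "outer_proto": oh["proto"],
            "selector": ivd_selector(spd, outer), "foreign_selector": ivd_selector(spd, foreign),
            "roundtrip_ok": srd_b.decapsulate(outer) == inner}


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the example. The IVD's table grows with the number of SRDs, not the number of protected hosts or prefixes, because the EP addresses travel inside the tunnel the IVD encrypts and never appear in its selectors. The IP-in-IP wrapper itself gives no confidentiality or integrity; that remains the IVD's job, so the decapsulating SRD should still refuse tunnels from CoAs it does not peer with and inner packets whose destination is outside its own EP space, as `decapsulate` does here.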

The techniques described herein also involve leveraging any IP-in-IP encapsulation scheme that uses a multipoint method. This may allow a single source IP address to forward a packet from the SRD to the IVD, regardless of how many destination sites (i.e....