U.S. patent application number 15/180637 was filed with the patent office on 2018-08-09 for methods and systems for creating protocol header for embedded layer two packets.
This patent application is currently assigned to Pismo Labs Technology Limited. The applicant listed for this patent is Pismo Labs Technology Limited. Invention is credited to Alex Wing Hong CHAN, Kam Chiu NG, Patrick Ho Wai Sung.
Application Number: 20180227395 (15/180637)
Document ID: /
Family ID: 60574291
Filed Date: 2018-08-09
United States Patent Application 20180227395
Kind Code: A9
Sung; Patrick Ho Wai; et al.
August 9, 2018
METHODS AND SYSTEMS FOR CREATING PROTOCOL HEADER FOR EMBEDDED LAYER TWO PACKETS
Abstract
Methods and systems for creating protocol header to allow
network device to transfer and receive layer two packets through
multiple network links. One or more layer three packets are used to
encapsulate layer two packets. The protocol header includes a
network link identification and a tunnel sequence number. The
network link identification is used to identify the network link
and the tunnel sequence number is used to identify the sequence of
the one or more layer three packets in a network link. A layer two
packet may be encrypted first before being embedded in the one or
more layer three packets.
Inventors: Sung; Patrick Ho Wai (Hong Kong, HK); CHAN; Alex Wing Hong (Hong Kong, HK); NG; Kam Chiu (Hong Kong, HK)
Applicant:
  Name                           City       State  Country  Type
  Pismo Labs Technology Limited  Hong Kong         HK
Assignee: Pismo Labs Technology Limited, Hong Kong, HK
Prior Publication:
  Document Identifier   Publication Date
  US 20170359448 A1     December 14, 2017
Family ID: 60574291
Appl. No.: 15/180637
Filed: June 13, 2016
Related U.S. Patent Documents
  Application Number   Filing Date    Patent Number
  13881727             Jul 12, 2013   9369550
  PCT/IB11/55042       Nov 11, 2011
  15180637
Current U.S. Class: 1/1
Current CPC Class: H04L 63/0428 20130101; H04L 63/162 20130101; H04L 63/0272 20130101; H04L 12/4633 20130101; H04L 63/164 20130101; H04L 69/22 20130101
International Class: H04L 29/06 20060101 H04L029/06; H04L 12/46 20060101 H04L012/46
Claims
1. A method for creating a protocol header for a virtual private
network (VPN) tunnel at a network device, wherein the VPN tunnel is
implemented using one or more network links, comprising the steps
of: a. receiving layer two packets through one or more local area
network (LAN) interfaces, wherein the layer two packet is to be
embedded in one or more layer three packets; b. determining a
network link identification, wherein the network link
identification is for identifying network links the one or more
layer three packets belonging to; c. determining a tunnel sequence
number, wherein the tunnel sequence number is for assisting a
receiving network device to re-order the one or more layer three;
d. determining a global sequence number, wherein the global
sequence number is for arranging the one or more layer three
packets to a correct sequence; e. creating a protocol header,
wherein the protocol header comprises the network link
identification, the tunnel sequence number and the global sequence
number; wherein the one or more layer three packets are sent
through one or more of wide area; wherein the protocol header is
part of payload of the one or more layer three packets.
2. The method of claim 1, further comprising creating a timestamp
indicator, wherein the protocol header further comprises the
timestamp indicator.
3. The method of claim 1, further comprising creating an
acknowledgement indicator, wherein the protocol header further
comprises the acknowledgement indicator.
4. The method of claim 1, further comprising, wherein the protocol
header is stored with encryption information.
5. The method of claim 4, further comprising encrypting the
protocol header and not encrypting the encryption information
stored in the protocol header.
6. The method of claim 1, wherein the protocol header is further
stored with a version indicator, wherein the version indicator is
for specifying version of VPN tunnel protocol used.
7. The method of claim 1, wherein the one or more layer three
packets are sent using user datagram protocol.
8. The method of claim 1, wherein the protocol header is located
next to the header of the one or more layer three packets.
9. The method of claim 1 further comprising encrypting the layer
two packet before embedding the layer two packet in one or more
layer three packets.
10. The method of claim 1 wherein the protocol header is further
stored with acknowledgement information.
11. A system for creating a protocol header for a virtual private
network (VPN) tunnel at a network device, wherein the VPN tunnel is
implemented using one or more network links, comprising of: one or
more network interfaces; one or more storage units for storing
program instructions to be executed; one or more processing units
for executing program instructions stored in the one or more
storage units for methods comprising the steps: a. receiving layer
two packets through one or more local area network (LAN)
interfaces, wherein the layer two packet is to be embedded in one
or more layer three packets; b. determining a network link
identification, wherein the network link identification is for
identifying network links the one or more layer three packets
belonging to; c. determining a tunnel sequence number, wherein the
tunnel sequence number is for assisting a receiving network device
to re-order the one or more layer three; d. determining a global
sequence number, wherein the global sequence number is for
arranging the one or more layer three packets to a correct
sequence; e. creating a protocol header, wherein the protocol
header comprises the network link identification, the tunnel
sequence number and the global sequence number; wherein the one or
more layer three packets are sent through one or more of wide area;
wherein the protocol header is part of payload of the one or more
layer three packets.
12. The system of claim 11, wherein the one or more processing unit
further operable for creating a timestamp indicator, wherein the
protocol header further comprises the timestamp indicator.
13. The system of claim 11, wherein the one or more processing unit
further operable for creating an acknowledgement indicator, wherein
the protocol header further comprises the acknowledgement
indicator.
14. The system of claim 11, wherein the one or more storage unit
store protocol header that is further stored with encryption
information.
15. The system of claim 14, wherein the processing unit further
operable for encrypting the protocol header and not encrypting the
encryption information stored in the protocol header.
16. The system of claim 11, wherein the one or more storage unit
store protocol header that is further stored with a version
indicator, wherein the version indicator is for specifying version
of VPN tunnel protocol used.
17. The system of claim 11, wherein the one or more layer three
packets are sent using user datagram protocol.
18. The system of claim 11, wherein the protocol header is located
next to the header of the one or more layer three packets.
19. The system of claim 11, wherein the processing unit is further
operable for encrypting the layer two packet before embedding the
layer two packet in one or more layer three packets.
20. The system of claim 11, wherein the one or more storage unit
store protocol header that is further stored with acknowledgement
information.
Description
RELATED APPLICATIONS
[0001] The present application is a Non-provisional continuation
application which claims the benefits of and is based on U.S.
application Ser. No. 13/881,727 titled "PROTOCOL FOR LAYER TWO
MULTIPLE NETWORK LINKS TUNNELLING" filed on 12 Jul. 2013. The
contents of the above-referenced application are herein
incorporated by reference.
TECHNICAL FIELD
[0002] The present invention relates to the field of data
communications. More particularly, the present invention relates to
methods and systems for creating protocol header to allow multiple
network links to tunnel layer two data.
BACKGROUND
[0003] Layer 2 tunnelling establishes a tunnelling network between
multiple distant networks to create a virtual private network
(VPN). A layer 2 tunnel can be created either manually, by entering
the correct commands to set up the tunnel interfaces, or
automatically, by having a service on the network devices negotiate
the correct tunnel interfaces.
[0004] Layer 2 Tunnelling Protocol (L2TP), a standard published by
Internet Engineering Task Force, is a tunnelling protocol used to
support layer 2 virtual private networks (VPNs). It does not
provide any encryption or confidentiality by itself; it relies on an
encryption protocol that it passes within the tunnel to provide
privacy. IPsec is often used to secure L2TP packets by providing
confidentiality, authentication and integrity. The combination of
these two protocols is generally known as L2TP/IPsec.
[0005] The problem with implementing L2TP is performance, because
the number of bytes remaining available for payload is reduced.
Under L2TP/IPsec, the number of bytes remaining available for
payload is further reduced because of multiple levels of
encapsulation. In addition, IPsec is relatively complicated to
set up and maintain. The implementation of L2TP or L2TP/IPsec over
bonded networks, in which two or more logical or physical network
connections are combined, further reduces the number of bytes
remaining available for payload and increases the complexity of
setup and maintenance.
Advantageous Effects
[0006] The present invention allows the use of tunnel association
information, which contains a network link identification (NLID)
and a tunnel sequence number (TSN), in a layer 3 packet to provide
layer 2 tunnels over layer 3 networks while improving performance
and reducing complexity compared with other layer 2 tunnelling
methods and systems.
SUMMARY OF THE INVENTION
[0007] To address the problems described above, the present
invention discloses methods and a system using tunnel association
information to solve the problems. According to embodiments of the
present invention, network devices use tunnel association
information when encapsulating layer 2 packets in layer 3 packets.
Tunnel association information is also used by network devices when
decapsulating layer 2 packets from received layer 3 packets. The
use of tunnel association information allows the layer 3 packets to
be transmitted and received through different network links, which
belong to the same VPN. Therefore, the layer 3 packets may have
different source and destination addresses, which results in
higher throughput and reliability. Tunnel association information
is stored in a protocol header. Tunnel association information
includes a network link identification and a tunnel sequence
number. Network link identification is used to identify the network
link and virtual private tunnel the layer three packets belonging
to. Tunnel sequence number is used to identify the sequence of said
one or more layer three packets in a network link.
[0008] A system comprising a processing engine, network
interfaces, an encapsulation engine, a decapsulation engine, a
protocol engine and a storage system is disclosed to solve the
problems. The processing engine consists of the encapsulation
engine, decapsulation engine and processing engine. The
encapsulation engine is used to encapsulate a received layer two
packet in one or more layer three packets to be delivered. The
decapsulation engine is used to decapsulate a layer 3 packet into a
part or a complete layer 2 packet and retrieves the protocol header
from the layer 3 packet. The encryption engine is used to encrypt
and decrypt layer 2 packets and layer 3 packets. The protocol
engine is used to create and retrieve the protocol header, which
contains tunnel association information. The storage system is used
to provide instructions to the processing engine and to provide
temporary storage.
BRIEF DESCRIPTION OF DIAGRAMS
[0009] The accompanying drawings, which are incorporated in and
constitute a part of this specification, illustrate embodiments of
the invention and, together with the description, explain the
invention. In the drawings, wherein:
[0010] FIG. 1 is a network diagram illustrating a network
environment in which network devices employ an exemplary method of
layer 2 virtual private network tunnelling;
[0011] FIG. 2 is a flow chart illustrating an exemplary method in
which a network device employs layer 2 virtual private network
tunnelling when sending a layer 2 packet;
[0012] FIG. 3 is a flow chart illustrating an exemplary method in
which a network device employs layer 2 virtual private network
tunnelling when receiving a layer 3 packet;
[0013] FIG. 4 is an exemplary Internet Protocol packet format of
present invention;
[0014] FIG. 5 is a block diagram illustrating an exemplary system
in which a network device employs layer 2 virtual private network
tunnelling;
[0015] FIG. 6 is a block diagram illustrating the relationship
between network connections, network links and virtual private
network tunnel.
MODE(S) FOR CARRYING OUT THE INVENTION
Detailed Descriptions
[0016] Different embodiments will now be described more fully
hereinafter with reference to the accompanying drawings, in which
preferred embodiments are shown. Many different forms can be set
forth and described embodiments should not be construed as limited
to the embodiments set forth herein. Rather, these embodiments are
provided so that this disclosure will be thorough and complete, and
will fully convey the scope to those skilled in the art. Like
numbers refer to like elements throughout.
[0017] FIG. 1 illustrates a network environment of how two distant
layer 2 networks can be connected together through layer 3 networks
by implementing an embodiment of the present invention. The same
network environment can be employed to connect three or more
distant layer 2 networks through layer 3 networks. Layer 2 network
protocols that can be employed in the present invention include
Ethernet, Token Ring, Frame Relay, PPP, X.25 and ATM. Layer 3
network protocols that can be employed in the present invention
include Internet Protocol (IP) version 4, IPv6, Internetwork Packet
Exchange, and AppleTalk.
[0018] Computing devices 101a, 101b and 101c are connected to
switch 102 and are in the same layer 2 network, such that they can
communicate to each other through a layer 2 communication protocol.
Computing devices 102a, 102b and 102c are connected to switch 106
and are in the same layer 2 network, such that they can also
communicate to each other through a layer 2 communication protocol.
However, none of computing devices 101a, 101b and 101c can
directly communicate with any of computing devices 102a, 102b and
102c through a layer 2 communication protocol, even though
computing devices 101a, 101b, 101c, 102a, 102b and 102c all use the
same layer 2 communication protocol, such as Ethernet. This is
because switch 102 and switch 103 are separated by Internet 104. In
order to allow computing devices 101a, 101b, and 101c to perceive
computing devices 102a, 102b and 102c as being in the same network,
a virtual private network (VPN) has to be established among
computing devices 101a, 101b, 101c, 102a, 102b and 102c. Router 103 and
router 105 together establish a VPN tunnel through Internet 104
between switch 102 and switch 106.
[0019] Router 103 routes a layer 2 packet from switch 102 to
router 105 through Internet 104 through a VPN by first
encapsulating the layer 2 packet into one or more layer 3 packets,
then delivering the one or more layer 3 packets through one or
more of network connections 120a, 120b and 120c. Network
connections 120a, 120b, and 120c are connected to router 103
through three network interfaces respectively and can be
implemented using optical fiber, Ethernet, ATM, Frame Relay, T1/E1,
IPv4, IPv6, wireless technologies, Wi-Fi, WiMax, High-Speed Packet
Access technology, and 3GPP Long Term Evolution (LTE). Therefore
the one or more layer 3 packets, which may carry different parts of
the layer 2 packet, may have different layer 3 source and
destination addresses. If multiple layer 3 packets are used to
encapsulate one layer 2 packet, the layer 2 packet is fragmented
into multiple layer 3 packets. Network connections 120a, 120b and
120c can be provided by the same or different network service
providers to connect router 103 to Internet 104.
[0020] Similarly, network connections 121a and 121b are connected
to router 105 through two network interfaces respectively and can be
implemented using optical fiber, Ethernet, ATM, Frame Relay, T1/E1,
IPv4, IPv6, wireless technologies, Wi-Fi, WiMax, High-Speed Packet
Access technology, and 3GPP Long Term Evolution (LTE). Network
connections 121a and 121b can be provided by the same or different
network service providers to connect router 105 to Internet
104.
[0021] A network connection, such as a LTE connection deployed by
an antenna network interface of router 103, can contain one or more
network links. Packets belonging to the same VPN can be carried by
one or more network connections. Packets belonging to the same VPN
can also be carried by one or more network links. A network
connection can carry multiple VPN tunnels. However, a network link
can only carry packets belonging to one VPN tunnel. A network link
can use a connection-oriented protocol, such as TCP, or a
connectionless protocol, such as UDP.
[0022] FIG. 6 illustrates the relationship between network
connection, network link and VPN tunnel established in logical
network 120a, 120b, 120c, 121a and 121b. For example, there are two
VPNs, VPNa and VPNb, established between router 105 and router 103.
VPNa is implemented by using two network links, network link 131a
and 131b. Network link 131a carries packets belonging to VPNa using
the source layer 3 address of network connection 121a and the
destination layer 3 address of network connection 120b. Network
link 131b also carries packets belonging to VPNa, but using the
source layer 3 address of network connection 121a and the
destination layer 3 address of network connection 120c. For
example, when a layer 2 packet is delivered through VPNa from
router 105 to router 103, it can be fragmented into two layer 3
packets, which may have same source layer 3 address and different
destination layer 3 addresses.
[0023] VPNb is implemented by using three network links, network
link 132a, 132b and 132c. Network link 132a carries packets
belonging to VPNb using the source layer 3 address of network
connection 121a and the destination layer 3 address of network
connection 120a. Network link 132b also carries packets belonging
to VPNb, but using the source layer 3 address of network connection
121b and the destination layer 3 address of network connection
120b. Network link 132c also carries packets belonging to VPNb, but
using the source layer 3 address of network connection 121b and the
destination layer 3 address of network connection 120c. When
multiple layer 2 packets are delivered through VPNb from router 105
to router 103, they can be carried by different network links and
therefore the layer 3 packets encapsulating the layer 2 packets may
have different source layer 3 addresses and different destination
layer 3 addresses.
[0024] The reason why layer 3 packets with different source layer 3
addresses and different destination layer 3 addresses can
encapsulate layer 2 packet payload that belong to the same tunnel
is because of the utilization of tunnel association information
inside the layer 3 packets.
[0025] Tunnel association information is represented by a series of
bits and contained in the protocol header. The protocol header is
composed of a series of bits. The number of bits representing
protocol header varies depending on the nature of information and
amount of information to be put in a VPN tunnel. According to one
of the embodiments of the present invention, the tunnel association
information can be encrypted for security purpose. According to one
of the embodiments of the present invention, a tunnel association
includes a network link identification (NLID) and a tunnel sequence
number (TSN). The NLID is used to identify the network link a layer
3 packet belonging to. A network link is a link established between
two network nodes using a logical network.
[0026] As it is possible that there are multiple network links
implemented between two network devices using the same pair of
layer 3 source address and destination address, the number of bits
representing NLID should be long enough to avoid confusion of the
identities of network links. In addition, the NLID is used to allow
receiving router to recognize that the received layer 3 packet
belongs to a particular VPN tunnel, instead of other network
traffic. TSN is used to assist the receiving router, such as router
105, to re-order received layer 3 packets belonging to a network
link into the correct sequence. TSN is assigned by router 103. According
to one embodiment of the present invention, each TSN should be
unique during the lifetime of a network link. According to one
embodiment of the present invention, a TSN can be reused again when
the lifetime of a network link is beyond a time period. The number
of bits representing TSN should be long enough to avoid confusion
of packet sequence. According to one embodiment of the present
invention, the number of bits used to represent NLID is 32 bits.
According to one embodiment of the present invention, the number of
bits used to represent TSN is also 32 bits.
[0027] According to one of the embodiments of the present
invention, NLID is unique to a source address, destination address
or to a pair of source address and destination address. Therefore
the same TSN may be reused for different source address,
destination address, or a pair of source and destination address.
According to one of the embodiments of the present invention, a
port number is also part of a NLID.
[0028] Internet 104 is comprised of one or more systems of
interconnected computer networks running layer 3 protocols. A
system of interconnected computer network of Internet 104 can be a
private or public computer network. When router 105 receives the
one or more layer 3 packets through either one of or both network
connections 121a and 121 from Internet 104, it converts the one or
more layer 3 packets back to the layer 2 packet and then delivers
the layer 2 packet to switch 106. Using the same VPN tunnel, layer
2 packets from switch 106 can also be sent to switch 102.
Therefore, computing devices 101a, 101b, and 101c and computing
devices 102a, 102b and 102c are in the same VPN and able to
communicate with each other using the same layer 2 network
protocol.
[0029] According to one of the embodiments of the present
invention, the number of network connection between router 103 and
Internet 104 is at least one. According to one embodiment of the
present invention, the number of network connection between
Internet 104 and router 105 is at least one. When there is only one
network connection between router 103 and Internet 104 as well as
one network connection between Internet 104 and router 106, all
layer 3 packets belonging to a VPN tunnel have to pass through the
same network connection between router 103 and Internet 104 as well
also pass through the same network connection between router 105
and Internet 104. In this circumstance, the benefits of performance
gain, higher redundancy and increased bandwidth provided by the
present invention are not significant compared with L2TP.
[0030] Method
[0031] FIG. 2 is a flow chart illustrating one of the embodiments
of the present invention by using tunnel association to encapsulate
layer 2 packets in layer 3 packets. When router 103 receives a
layer 2 packet at step 201, router 103 encapsulates the layer 2
packet into one or more layer 3 packets by first creating a
protocol header at step 202. The protocol header is then filled by
router 103 at step 203 with tunnelling association information.
Tunnel association information is used to allow router 103 to
communicate with router 105 in order to associate a layer 3 packet
with a VPN tunnel.
[0032] According to one of the embodiments of the present
invention, router 103 encrypts layer 2 packet. At step 204, router
103 decides whether the layer 2 packet has to be encrypted by
following pre-defined rules set manually or negotiated between
network devices. If it is decided the layer 2 packet has to be
encrypted, encryption information will be added to the protocol
header at step 205. Encryption information includes cipher
information and seed value information. According to one of the
embodiments of the present invention, the encryption is conducted
by using Advanced Encryption Standard and the associated
initialization vector is considered as encryption information and
added to tunnel association information and stored in the protocol
header. At step 206, according to one embodiment, the complete
layer 2 packet is encrypted. According to another embodiment, the
protocol header is also encrypted. When the protocol header is
encrypted, encryption information stored in the protocol header is
not encrypted in order to facilitate the decryption process at the
receiving network device. The ordering of step 205 and step 206 can
be swapped. According to one of the embodiments of the present
invention, router 103 does not encrypt layer 2 packets and
therefore steps 204, 205 and 206 do not exist.
[0033] At step 207, layer 3 packet header information is created.
The layer 3 packet header is filled with the source address,
destination address and port information of router 103. However,
when router 103 has more than one network connection, router 103
may have more than one layer 3 source address and/or more than one
layer 3 destination address. When layer 3 packets are delivered to
Internet 104 by more than one network connection, the source
addresses and destination addresses of layer 3 packets belonging to
the same VPN tunnel can be different from each other. For example,
at the network illustrated in FIG. 1, three layer 2 packets
received by router 103 from switch 102 are encapsulated by three
different layer 3 packets. The first layer 3 packet is sent by
router 103 using network connection 120a to network connection
121a; therefore, the source address and destination address of the
first layer 3 packet are the addresses of network connection 120a
and network connection 121a respectively. The second layer 3 packet
is sent by router 103 using network connection 120a to network
connection 121b; therefore, the source address and destination
address of the second layer 3 packet are the addresses of network
connection 120a and network connection 121b respectively. The third
layer 3 packet is sent by router 103 using network connection 120c
to network connection 121b; therefore, the source address and
destination address of the third layer 3 packet are the addresses
of network connection 120c and network connection 121b
respectively. Which network connection router 103 uses depends on
many decision factors, such as network latency and network
bandwidth, which are apparent to a skilled person in the art to
choose and implement.
[0034] At step 208, router 103 combines the payload, which is the
original layer 2 packet received from switch 102 at step 201, the
protocol header and the layer 3 packet header to form one or more
layer 3 packets. At step 209, router 103 delivers
the one or more layer 3 packet to Internet 104. When one layer 3
packet is not large enough to encapsulate the protocol header and
complete layer 2 packet together, the layer 2 packet can be
fragmented and be encapsulated into multiple layer 3 packets. The
fragmentation can be done by relying on layer 3 fragmentation, such
that the protocol header and the layer 2 packet are together
considered as one payload and fragmented according to the layer 3
protocol used. Therefore, the first layer 3 packet contains the
complete protocol header and part of the layer 2 packets and
subsequent layer 3 packets do not contain the protocol header. On
the other hand, the fragmentation can be done by relying on the
network link protocol, such that each layer 3 packet contains a
complete protocol header and part of the layer 2 packet.
[0035] According to one of the embodiments of the present
invention, the layer 3 packet header contains information used for
routing, including information for data link layer, network layer
and transport layer of OSI model.
[0036] FIG. 4 illustrates one embodiment of a layer 3 packet used to
carry a VPN tunnel deployed with the present invention. The layer 3
packet is an IP packet composed of IP Header 401, UDP Header 402,
protocol header 403 and payload 404. IP Header 401 is comprised of
a series of bits and is the header of IPv4 described in RFC 791
published by the Internet Engineering Task Force (IETF) or IPv6
described in RFC 2460, also published by the IETF. UDP Header 402 is
comprised of a series of bits and carries the information of the
user datagram protocol described in RFC 768 published by the IETF.
Protocol header 403 is comprised of a series of bits and contains
the tunnel association information described in the present
invention. Payload 404 is comprised of a series of bits and carries
a complete or a part of a layer 2 packet.
[0037] The procedure and corresponding information required to
establish a VPN tunnel before layer 3 packets can use the VPN
tunnel to encapsulate layer 2 packets are apparent to a skilled
person in the art. The corresponding information can be
inputted by network device administrators and/or can be exchanged
between the network devices. It is also apparent to a skilled
person in the art how to exchange the VPN tunnel establishment
information.
[0038] The number of layer 3 packets used to encapsulate the layer
2 packet depends on many factors, including packet size of the
layer 2 packet, the payload size of the layer 3 packets, the
conventional allowed size of layer 3 packets in Internet 104, user
policy, standards and other factors. It is apparent to a skilled
person in the art how to determine the number of layer 3 packets to
be used for the encapsulation.
[0039] NLID and TSN can be set to be zero when a layer 2 packet is
sent through a network link to check the health status of the
network link, the health status of the VPN tunnel or to carry
non-payload information. Other than those, the value of NLID and
TSN are non-zero because NLID and TSN are used to identify the
network link and packet sequence.
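The encapsulation side described in [0031]-[0034], the packet layout of FIG. 4 ([0036]) and the zero-valued NLID/TSN health-check convention of [0039], as an added Python example that is not part of the patent and is not Pismo Labs code. The patent fixes only the widths of NLID, TSN and GSN (32 bits each); the 16-byte layout, the flag bits, the fragment index/count bytes, and the class and function names are this example's own assumptions. It implements the network-link fragmentation variant, in which every layer 3 packet carries a complete protocol header and part of the layer 2 frame.

```python
"""Build and parse the tunnel protocol header (NLID, TSN, GSN plus indicator
bits) carried as UDP payload in front of a possibly fragmented layer 2 frame."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Assumed fixed layout, 16 bytes, placed directly after the UDP header as in
# FIG. 4. Only the NLID/TSN/GSN widths come from the page; the version, flag
# and fragment bytes are this example's own choice.
HEADER_FMT = "!BBBBIII"  # version, flags, frag_index, frag_count, NLID, TSN, GSN
HEADER_LEN = struct.calcsize(HEADER_FMT)
VERSION = 1
FLAG_L2_TUNNEL = 0x01  # layer 2 tunnelling indicator
FLAG_TIMESTAMP = 0x02  # timestamp indicator (timestamp field itself not modelled)
FLAG_ACK = 0x04        # acknowledgement indicator
FLAG_ENCRYPTED = 0x08  # payload encrypted; cipher/IV info would follow in the clear


@dataclass(frozen=True)
class ProtocolHeader:
    version: int
    flags: int
    frag_index: int
    frag_count: int
    nlid: int
    tsn: int
    gsn: int

    def pack(self) -> bytes:
        return struct.pack(HEADER_FMT, self.version, self.flags, self.frag_index,
                           self.frag_count, self.nlid, self.tsn, self.gsn)

    @classmethod
    def unpack(cls, data: bytes) -> "ProtocolHeader":
        if len(data) < HEADER_LEN:
            raise ValueError("truncated protocol header")
        return cls(*struct.unpack(HEADER_FMT, data[:HEADER_LEN]))


class TunnelSender:
    """Keeps one TSN counter per network link and one GSN counter per tunnel."""

    def __init__(self, link_ids):
        # NLID 0 / TSN 0 are reserved for health-check and other non-payload
        # packets, so payload counters start at 1.
        self._tsn = {nlid: 1 for nlid in link_ids}
        self._gsn = 1

    def encapsulate(self, frame: bytes, nlid: int, max_payload: int) -> List[bytes]:
        """Return the UDP payloads that carry `frame` over link `nlid`.

        Network-link fragmentation: every layer 3 packet carries a complete
        protocol header plus a slice of the layer 2 frame.
        """
        if nlid not in self._tsn:
            raise KeyError(f"unknown network link {nlid}")
        room = max_payload - HEADER_LEN
        if room <= 0:
            raise ValueError("max_payload leaves no room for the layer 2 frame")
        chunks = [frame[i:i + room] for i in range(0, len(frame), room)] or [b""]
        if len(chunks) > 255:
            raise ValueError("frame needs more fragments than the 8-bit index allows")
        packets = []
        for idx, chunk in enumerate(chunks):
            hdr = ProtocolHeader(VERSION, FLAG_L2_TUNNEL, idx, len(chunks),
                                 nlid, self._tsn[nlid], self._gsn)
            self._tsn[nlid] += 1
            self._gsn += 1
            packets.append(hdr.pack() + chunk)
        return packets


def health_check_packet(probe: bytes = b"") -> bytes:
    """NLID and TSN both zero mark a health-check / non-payload packet."""
    return ProtocolHeader(VERSION, 0, 0, 1, 0, 0, 0).pack() + probe


def decapsulate(packet: bytes) -> Tuple[ProtocolHeader, bytes]:
    """Split a received UDP payload into its protocol header and layer 2 fragment."""
    hdr = ProtocolHeader.unpack(packet)
    if hdr.version != VERSION:
        raise ValueError(f"unsupported tunnel protocol version {hdr.version}")
    return hdr, packet[HEADER_LEN:]


def reassemble(packets) -> bytes:
    """Rebuild one layer 2 frame from its fragments, in any arrival order.

    Health-check packets are skipped; a missing or foreign fragment is an error.
    """
    parts = {}
    expected = None
    for pkt in packets:
        hdr, body = decapsulate(pkt)
        if hdr.nlid == 0 and hdr.tsn == 0:
            continue  # carries no layer 2 payload
        if expected is None:
            expected = hdr.frag_count
        elif hdr.frag_count != expected:
            raise ValueError("fragments of different frames mixed together")
        parts[hdr.frag_index] = body
    if expected is None or len(parts) != expected:
        raise ValueError("incomplete frame: fragment missing")
    return b"".join(parts[i] for i in range(expected))


if __name__ == "__main__":
    sender = TunnelSender([7])
    sample_frame = bytes(range(256)) * 12  # constructed 3072-byte stand-in for a frame
    for p in sender.encapsulate(sample_frame, 7, 1500):
        print(decapsulate(p)[0])
```

With a 1500-byte UDP payload budget the 16-byte header leaves 1484 bytes per fragment, so a 3072-byte frame becomes three layer 3 packets with consecutive TSNs on the link and consecutive GSNs in the tunnel. The version check in `decapsulate` is where a receiver would branch for the backward/forward compatibility the version indicator is meant to provide.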
[0040] According to one of the embodiments of the present
invention, the tunnel association information further includes a
global sequence number (GSN), which is used for arranging packet
received of a VPN tunnel to a correct sequence by a receiving
network device. According to one embodiment of the present
invention, each GSN should be unique during the lifetime of a VPN
tunnel. According to one embodiment of the present invention, a GSN
can be reused again when the lifetime of a network link is beyond a
time period. The number of bits representing GSN should be long
enough to avoid confusion of packet sequence. According to one
embodiment of the present invention, the number of bits used to
represent GSN is 32 bits.
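The receiving side described in [0026] and [0040], where TSN re-orders packets within one network link and GSN arranges packets of the whole VPN tunnel, together with the [0039] rule that NLID and TSN of zero mark a non-payload packet, as an added Python example that is not part of the patent and is not Pismo Labs code. The class name, the two-stage buffering, the duplicate handling and the policy of dropping packets with an unknown NLID are this example's assumptions; the arrivals list is constructed sample input.

```python
"""Receiver-side reordering: per-link TSN buffering, then tunnel-wide GSN order."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (NLID, TSN, GSN, layer 2 payload) as already parsed from the protocol header
Packet = Tuple[int, int, int, bytes]


class TunnelReceiver:
    def __init__(self, link_ids):
        self.known_links = set(link_ids)
        self.next_tsn: Dict[int, int] = {n: 1 for n in link_ids}  # TSN 0 is reserved
        self.link_buffer: Dict[int, Dict[int, Tuple[int, bytes]]] = defaultdict(dict)
        self.next_gsn = 1
        self.tunnel_buffer: Dict[int, bytes] = {}
        self.health: List[bytes] = []   # health-check / non-payload packets
        self.dropped: List[Packet] = [] # packets whose NLID is not a link of this tunnel

    def receive(self, nlid: int, tsn: int, gsn: int, payload: bytes) -> List[bytes]:
        """Accept one packet; return the payloads now deliverable in GSN order."""
        if nlid == 0 and tsn == 0:
            self.health.append(payload)
            return []
        if nlid not in self.known_links:
            # NLID lets the receiver tell tunnel traffic from other traffic
            self.dropped.append((nlid, tsn, gsn, payload))
            return []
        buf = self.link_buffer[nlid]
        if tsn < self.next_tsn[nlid] or tsn in buf:
            return []  # duplicate: already released or already waiting
        buf[tsn] = (gsn, payload)
        # Stage 1: release this link's packets in TSN order
        while self.next_tsn[nlid] in buf:
            g, p = buf.pop(self.next_tsn[nlid])
            self.next_tsn[nlid] += 1
            self.tunnel_buffer[g] = p
        # Stage 2: hand packets from all links to the LAN side in GSN order
        released = []
        while self.next_gsn in self.tunnel_buffer:
            released.append(self.tunnel_buffer.pop(self.next_gsn))
            self.next_gsn += 1
        return released

    def backlog(self) -> int:
        """Packets held back because an earlier TSN or GSN has not arrived."""
        return sum(len(b) for b in self.link_buffer.values()) + len(self.tunnel_buffer)


def deliver(receiver: TunnelReceiver, arrivals) -> List[bytes]:
    """Feed packets in arrival order and collect everything released."""
    out: List[bytes] = []
    for pkt in arrivals:
        out.extend(receiver.receive(*pkt))
    return out


# Constructed sample: four payload packets spread over links 10 and 20, arriving
# out of order, plus a health-check packet, a foreign NLID and one duplicate.
ARRIVALS: List[Packet] = [
    (20, 1, 2, b"B"),
    (10, 2, 3, b"C"),
    (0, 0, 0, b"ping"),
    (99, 1, 9, b"?"),
    (10, 1, 1, b"A"),
    (20, 2, 4, b"D"),
    (20, 2, 4, b"D"),
]

if __name__ == "__main__":
    rx = TunnelReceiver([10, 20])
    print(deliver(rx, ARRIVALS), rx.health, len(rx.dropped), rx.backlog())
```

A gap in a link's TSN sequence holds that link's later packets, and through the GSN stage every later packet of the tunnel, until the missing packet arrives; the page does not say how a lost packet is skipped, so this example does not either. A deployed receiver would pair this logic with a hold timer or with the acknowledgement information described further below so a single loss cannot stall the tunnel.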
[0041] According to one of the embodiments of the present
invention, the tunnel association information further includes a
layer 2 tunnelling indicator which is used to inform the receiving
network device that the layer 3 packet contains content for layer 2
tunnelling. The layer 2 tunnelling indicator can be embedded by
using one or more bits in the protocol headers.
[0042] According to one of the embodiments of the present
invention, the tunnel association information further includes a
data offset indicator, which indicates the offset between the UDP
header and the protocol header. The data offset indicator can be
embedded by using one or more bits in the protocol headers.
[0043] According to one of the embodiments of the present
invention, the tunnel association information further includes a
version indicator, which specifies the version of the VPN tunnel
protocol being used and allows backward and forward compatibility.
The version indicator can be embedded by using one or more bits in
the protocol headers.
[0044] According to one of the embodiments of the present
invention, the tunnel association information further includes an
optional timestamp indicator, which specifies whether timestamp
information is available in the protocol header. Timestamp
information can be used to calculate the time difference between
the sending of a packet and its receipt, or to calculate the round
trip time between the sending of a packet and the receipt of the
corresponding acknowledgement. The timestamp indicator and the
timestamp information can be embedded by using one or more bits in
the protocol headers.
[0045] According to one of the embodiments of the present
invention, the tunnel association information further includes an
acknowledgement indicator, which specifies whether acknowledgement
information is contained in the protocol header. Acknowledgement
information is used to keep count of the packets that have been
successfully received. The acknowledgement indicator and the
acknowledgement information can be embedded by using one or more
bits in the protocol headers. According to one of the embodiments
of the present invention, the acknowledgement information indicates
the highest sequence number, such as a TSN, of the packets that
have been received.
[0046] According to one of the embodiments of the present
invention, the tunnel association information further includes an
alternative acknowledgement indicator, which specifies whether
alternative acknowledgement information is contained in the
protocol header. Alternative acknowledgement information is used to
keep count of the number of packets that have been successfully
received and acknowledges more than one packet at a time. The
alternative acknowledgement indicator and the alternative
acknowledgement information can be embedded by using one or more
bits in the protocol headers.
[0047] According to one of the embodiments of the present
invention, the number of bytes used by a protocol header is the
total number of bytes of the layer 3 packet minus the number of
bytes belonging to the routing header of the layer 3 packet and the
number of bytes belonging to the encapsulated layer 2 packet carried
in its payload.
[0048] FIG. 3 is a flow chart illustrating one of the embodiments
of the present invention, in which tunnel association information
is used to decapsulate layer 2 packets from layer 3 packets. When
router 105 receives a layer 3 packet from Internet 104 at step 301,
router 105 determines whether the layer 3 packet belongs to any VPN
tunnel by examining the port number of the layer 3 packet. If, at
step 302, the port number matches a pre-defined port number, router
105 assumes that the layer 3 packet belongs to a VPN tunnel. The
pre-defined port number can be pre-determined by a network
administrator or by the manufacturer of the network devices, or
negotiated between network devices. Router 105 then identifies the
protocol header at step 303. According to one implementation, the
protocol header is located next to the header of the layer 3
packet.
[0049] As the protocol header contains the tunnel association
information, by reading the NLID stored in the protocol header at
step 304 router 105 is able to determine which network link and
which VPN the layer 3 packet belongs to, and whether the layer 3
packet contains a whole or part of a layer 2 packet. When the
payload of the layer 3 packet is encrypted, router 105 determines
at step 305 that encryption is in use, retrieves the encryption
information from the tunnel association information stored in the
protocol header at step 306, and then decrypts the payload at step
307 with the information retrieved from the protocol header.
According to one of the embodiments of the present invention, only
part of the payload of the layer 3 packet is encrypted; for example,
the header of the encapsulated layer 2 packet is not encrypted but
the content of the layer 2 packet is. According to one embodiment,
the whole payload of the layer 3 packet is encrypted.
[0050] According to one embodiment, when the layer 3 packet does
not contain encrypted payload, steps 305, 306 and 307 do not
exist.
[0051] At step 308, the layer 3 packet is decapsulated to retrieve
a whole or part of a layer 2 packet.
[0052] When the complete layer 2 packet is decapsulated from one or
more layer 3 packets, router 105 is then able to deliver the layer
2 packet at step 309.
[0053] According to one embodiment, the receiving router, such as
router 105, does not treat received layer 3 packets as inauthentic
merely because layer 3 packets belonging to the same VPN tunnel
have different source addresses or different destination addresses,
because the receiving router relies on the tunnel association
information to recognize authentic layer 3 packets. This situation
arises when more than one network connection carries layer 3
packets for a VPN tunnel. Under the same situation, the prior art
treats some of the layer 3 packets as inauthentic because their
source addresses or destination addresses differ.
[0054] System
[0055] FIG. 5 illustrates a network device implementing one of the
embodiments of the present invention. The system comprises one or
more first network interfaces 505 connecting to an internal
network; one or more second network interfaces 506 connecting to
one or more public and/or private networks; processing engine 501;
and storage 507. First network interfaces 505 and second network
interfaces 506 can be implemented by agents connected to optical
fiber, cables, or antennas. Processing engine 501 can be
implemented by using one or more central processing units, network
processors, microprocessors, micro-controllers, FPGAs, ASICs or any
device capable of performing instructions to perform the basic
arithmetical, logical, and input/output operations of the
system.
[0056] Encapsulation engine 502 is used to encapsulate a layer 2
packet into one or more layer 3 packets and to put the protocol
header in each layer 3 packet. Decapsulation engine 504 is used to
decapsulate a layer 3 packet into a part or the whole of a layer 2
packet and to retrieve the protocol header from the layer 3 packet.
The encryption engine is used to encrypt and decrypt layer 2
packets and layer 3 packets. Those skilled in the art will
appreciate that many different implementations of encapsulation,
decapsulation, encryption and decryption of packets are suitable
for practicing the present invention. The functions of
encapsulation engine 502, protocol engine 503 and decapsulation
engine 504 are carried out by processing engine 501. Alternatively,
the functions of encapsulation engine 502, protocol engine 503 and
decapsulation engine 504 can be implemented by central processing
units, network processors, microprocessors, micro-controllers,
FPGAs, ASICs or any device capable of performing instructions to
perform the basic arithmetical, logical, and input/output
operations of the system.
[0057] Storage 507 can be implemented by using DRAM, SDRAM, Flash
RAM, optical memory, magnetic memory, hard disk, and/or any other
materials that are able to provide storage capability.
[0058] The network device connects to one or more local area
networks through one or more first network interfaces 505. In a
local area network, computing devices communicate with each other
through layer 2 technology. The network device also connects to one
or more wide area networks through one or more second network
interfaces 506. At a wide area network, computing devices
communicate with each other through layer 3 technology. The network
device sets up one or more VPN tunnels with other network devices
through one or more wide area networks by using one or more second
network interfaces 506.
[0059] When a layer 2 packet is received at one of first network
interfaces 505 and to be delivered to another local area network
through a VPN tunnel, the layer 2 packet is encapsulated first in
one or more layer 3 packets along with a protocol header by
encapsulation engine 502, then is delivered to a wide area network
through one or more second network interfaces 506. Protocol engine
503 is used to create the protocol header, which contains tunnel
association information.
[0060] When a layer 3 packet, which contains a whole or a part of a
layer 2 packet originating from another local area network, is
received at one of second network interfaces 506 through a VPN
tunnel and is to be delivered to the local area network, the
protocol header is retrieved from the layer 3 packet and the layer
3 packet is then decapsulated to retrieve the whole or part of the
layer 2 packet, by using protocol engine 503 and decapsulation
engine 504. If the layer 2 packet is fragmented across more than
one layer 3 packet, the network device will not deliver the layer 2
packet to the local area network until the whole layer 2 packet is
available. Protocol engine 503 is used to retrieve the tunnel
association information from the protocol header.
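The following Python program is an added worked example and is not code of the applicant or of this application. It ties together the protocol header of paragraphs [0039] to [0046], the encapsulation of paragraphs [0038] and [0059], and the decapsulation flow of FIG. 3 described in paragraphs [0048] to [0053] and [0060]. Everything the application leaves unspecified is an assumption of the example: the 13-byte fixed field layout and the flag bits, the use of a "more fragments" bit together with consecutive GSNs to mark the fragments of one layer 2 packet, UDP port 4500 as the pre-defined port, and an HMAC-SHA256 keystream with a 16-byte tag standing in for the unspecified encryption.

```python
"""Added example (not the applicant's code): protocol header, encapsulation and the
FIG. 3 receive path. Field layout, flag bits, the FLAG_MORE fragment convention
and the HMAC-based keystream/tag are assumptions made for this example."""
import hashlib
import hmac
import struct

VPN_PORT = 4500                   # assumed pre-defined UDP port (step 302)
FLAG_L2, FLAG_TS, FLAG_ACK, FLAG_MORE, FLAG_ENC = 0x10, 0x08, 0x04, 0x02, 0x01
FIXED = struct.Struct("!BBBHII")  # version, flags, data offset, NLID, TSN, GSN
TAG_LEN = 16


def build_header(nlid, tsn, gsn, flags=FLAG_L2, version=1, offset=0, timestamp=None, ack=None):
    """[0039]-[0046]: fixed fields, then optional words announced by indicator bits."""
    if flags & FLAG_L2 and not (nlid and tsn):      # [0039]: zero only for health probes
        raise ValueError("data packets need non-zero NLID and TSN")
    opt = [(FLAG_TS, timestamp), (FLAG_ACK, ack)]
    flags |= sum(bit for bit, v in opt if v is not None)
    return FIXED.pack(version, flags, offset, nlid, tsn, gsn) + b"".join(
        struct.pack("!I", v) for _, v in opt if v is not None)


def parse_header(buf):
    """Steps 303/304: return (fields, bytes following the header)."""
    ver, flags, offset, nlid, tsn, gsn = FIXED.unpack_from(buf)
    fields, pos = dict(version=ver, flags=flags, offset=offset, nlid=nlid, tsn=tsn, gsn=gsn), FIXED.size
    for bit, name in ((FLAG_TS, "timestamp"), (FLAG_ACK, "ack")):
        if flags & bit:
            fields[name], pos = struct.unpack_from("!I", buf, pos)[0], pos + 4
    return fields, buf[pos:]


def _xor(key, gsn, data):
    """Keystream XOR keyed by tunnel key and GSN; the per-lifetime uniqueness of
    the GSN ([0040]) is what lets it serve as the nonce. A real cipher goes here."""
    ks = b"".join(hmac.new(key, struct.pack("!IQ", gsn, i), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))


def _tag(key, hdr, body):  # integrity tag over header and ciphertext
    return hmac.new(key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]


class Tunnel:
    """One VPN tunnel spanning several network links (NLIDs)."""

    def __init__(self, key, nlids):
        self.key, self.links = key, set(nlids)
        self.tsn, self.gsn = dict.fromkeys(nlids, 0), 0   # per-link TSN, tunnel-wide GSN
        self.expected, self.pending = 1, {}               # next GSN to deliver; gsn -> (flags, piece)

    def encapsulate(self, frame, nlid, max_fragment):
        """[0038]/[0059]: split a layer 2 frame into datagram payloads for link nlid."""
        pieces = [frame[i:i + max_fragment] for i in range(0, len(frame), max_fragment)] or [b""]
        out = []
        for i, piece in enumerate(pieces):
            self.tsn[nlid] += 1
            self.gsn += 1
            more = FLAG_MORE if i < len(pieces) - 1 else 0
            hdr = build_header(nlid, self.tsn[nlid], self.gsn, FLAG_L2 | FLAG_ENC | more)
            ct = _xor(self.key, self.gsn, piece)
            out.append((VPN_PORT, hdr + ct + _tag(self.key, hdr, ct)))
        return out

    def receive(self, dst_port, payload):
        """FIG. 3: a whole layer 2 frame, or None while incomplete or rejected. No source
        address is consulted ([0053]), so the tag check is all that stops a spoofed header."""
        if dst_port != VPN_PORT:                               # step 302
            return None
        fields, rest = parse_header(payload)                   # steps 303, 304
        if fields["nlid"] not in self.links:                   # unknown link, or NLID 0 probe ([0039])
            return None
        if fields["flags"] & FLAG_ENC:                         # steps 305-307
            hdr, ct, tag = payload[:len(payload) - len(rest)], rest[:-TAG_LEN], rest[-TAG_LEN:]
            if not hmac.compare_digest(tag, _tag(self.key, hdr, ct)):
                return None                                    # forged or corrupted: drop
            rest = _xor(self.key, fields["gsn"], ct)
        self.pending[fields["gsn"]] = (fields["flags"], rest)  # step 308
        return self._reassemble()                              # step 309

    def _reassemble(self):
        """[0060]: deliver only once every fragment from the expected GSN up to one
        without FLAG_MORE has arrived, whichever link carried it and in any order."""
        frame, g = b"", self.expected
        while g in self.pending:
            flags, piece = self.pending[g]
            frame += piece
            if not flags & FLAG_MORE:
                for k in range(self.expected, g + 1):
                    del self.pending[k]
                self.expected = g + 1
                return frame
            g += 1
        return None


DEMO_FRAME = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01\x08\x00" + bytes(range(40))  # constructed 54-byte frame


def round_trip(frame=DEMO_FRAME, max_fragment=20):
    """Constructed demo: split the frame over three datagrams on link 2 and deliver them
    in reverse order; returns (fragment count, frame handed to the LAN)."""
    key = b"constructed demo key, not a real one"
    sender, receiver = Tunnel(key, [1, 2]), Tunnel(key, [1, 2])
    pkts = sender.encapsulate(frame, 2, max_fragment)
    results = [receiver.receive(port, payload) for port, payload in reversed(pkts)]
    return len(pkts), results[-1]   # only the last arrival completes the frame
```

Calling round_trip() returns the fragment count 3 and the original 54-byte frame, reassembled although the datagrams arrived in reverse order. Two points that FIG. 3 leaves implicit are made explicit here. First, because step 302 classifies on the port alone and paragraph [0053] deliberately ignores source addresses, any host that can reach the port can present a header carrying a valid NLID; the tag computed over header and ciphertext in receive() is therefore what distinguishes an authentic packet from a spoofed one, not the NLID itself. Second, the keystream is keyed by the GSN, so the uniqueness that paragraph [0040] requires of it is a security property as well as an ordering one: a 32-bit GSN that wraps or is reused under the same key repeats keystream, and the tunnel must be rekeyed before that can happen.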
[0061] Storage 507 is used to provide instructions to processing
engine 501, to provide temporary storage during encapsulation of a
layer 2 packet into one or more layer 3 packets, and to provide
temporary storage during decapsulation of one or more layer 3
packets into a layer 2 packet. According to one embodiment of the
present invention, storage 507 is used to provide instructions
directly to encapsulation engine 502, protocol engine 503 and
decapsulation engine 504.
[0062] Those skilled in the art will appreciate that many different
combinations of hardware will be suitable for practicing the
present invention.
[0063] Alternative embodiments will become apparent to those
skilled in the art to which the present invention pertains without
departing from its spirit and scope. Accordingly, the scope of the
present invention is defined by the appended claims rather than the
foregoing description.
* * * * *