(12) United States Patent                          (10) Patent No.:      US 6,970,941 B1
Caronni et al.                                     (45) Date of Patent:  Nov. 29, 2005

`(54) SYSTEM AND METHOD FOR SEPARATING
`ADDRESSES FROM THE DELIVERY
`SCHEME IN A VIRTUAL PRIVATE
`NETWORK
`
`(75) Inventors: Germano Caronni, Palo Alto, CA
`(US); Amit Gupta, Fremont, CA (US);
`Sandeep Kulmar, Santa Clara, CA
`(US); Tom R. Markson, San Mateo,
`CA (US); Christoph L. Schuba,
`Mountain View, CA (US); Glenn C.
`Scott, Mountain View, CA (US)
`(73) Assignee: Sun Microsystems, Inc., Santa Clara,
`CA (US)
`
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/458,043

(22) Filed: Dec. 10, 1999

`(51) Int. Cl. ....................... G06F 15/173; G06F 15/16
`(52) U.S. Cl. ...................... 709/238; 709/227; 709/228;
`709/231
`(58) Field of Search ................................ 709/203, 212,
`709/217-219, 225, 249,213-216, 223-224,
`709/227–231, 238
`
(56)                References Cited

U.S. PATENT DOCUMENTS
4,825,354 A   4/1989  Agrawal et al.
5,115,466 A   5/1992  Presttun et al.
5,144,665 A   9/1992  Takaragi et al.
5,220,604 A   6/1993  Gasser et al.
5,241,599 A   8/1993  Bellovin et al.
5,331,637 A   7/1994  Francis et al. .............. 370/408
5,570,366 A  10/1996  Baker et al. ................ 370/312
5,572,528 A  11/1996  Shuen ....................... 370/402
5,623,601 A   4/1997  Vu
5,636,371 A   6/1997  Yu
5,664,191 A   9/1997  Davidson et al.
5,696,763 A  12/1997  Gang, Jr. ................... 370/390
5,719,942 A   2/1998  Aldred et al.
5,720,035 A   2/1998  Allegre et al.
              1998    Aziz ........................ 713/155
              1998    Mittra
5,802,320 A   9/1998  Baehr et al.
5,806,042 A   9/1998  Kelly et al.
5,832,529 A  11/1998  Wollrath et al.
5,835,723 A  11/1998  Andrews et al. .............. 709/226
(Continued)

FOREIGN PATENT DOCUMENTS
EP  0 702 477 A2   3/1996 ........... H04L 29/06
(Continued)

OTHER PUBLICATIONS
"Virtual Private Networks on Vendor Independent Networks", IBM Technical Disclosure Bulletin, vol. 35, No. 4A, pp. 326-329 (1992).
(Continued)

Primary Examiner - Ario Etienne
Assistant Examiner - Hussein El-chanti
(74) Attorney, Agent, or Firm - Finnegan, Henderson, Farabow, Garrett & Dunner, LLP
`
(57)                ABSTRACT

Methods and systems consistent with the present invention establish a virtual network on top of current IP network naming schemes. The virtual network uses a separate layer to create a modification to the IP packet format that is used to separate network behavior from addressing. As a result of the modification to the packet format, any type of delivery method may be assigned to any address or group of addresses. The virtual network also maintains secure communications between nodes, while providing the flexibility of assigning delivery methods independent of the delivery addresses.

7 Claims, 12 Drawing Sheets
`
`
`AA/SWA Ex. 1003, p.1 of 23
`American Airlines, et. al. v. Intellectual Ventures, et.al.
`IPR2025-00786
`
`
`
U.S. PATENT DOCUMENTS (continued)
5,856,974 A   1/1999  Gervais et al. .............. 370/392
5,884,024 A   3/1999  Lim et al. .................. 713/201
5,931,947 A   8/1999  Burns et al. ................ 713/201
5,933,420 A   8/1999  Jaszewski et al. ............ 370/329
5,960,177 A   9/1999  Tanno
5,987,453 A  11/1999  Krishna et al.
5,987,506 A  11/1999  Carter et al.
6,026,430 A   2/2000  Butman et al.
6,049,878 A   4/2000  Caronni et al.
6,055,575 A   4/2000  Paulsen et al.
6,061,346 A   5/2000  Nordman ..................... 370/352
6,061,796 A   5/2000  Chen et al.
6,128,29s A  10/2000  Wootton et al.
6,130,892 A  10/2000  Short et al. ................ 370/401
6,141,755 A  10/2000  Dowd et al. ................. 713/200
6,148,323 A  11/2000  Whitner et al. .............. 718/105
6,158,011 A  12/2000  Chen et al.
6,173,399 B1  1/2001  Gilbrech
6,175,917 B1  1/2001  Arrow et al.
6,212,558 B1  4/2001  Antur et al. ................ 709/221
6,212,633 B1  4/2001  Levy et al.
6,215,877 B1  4/2001  Matsumoto
6,219,694 B1  4/2001  Lazaridis et al. ............ 709/206
6,226,751 B1  5/2001  Arrow et al. ................ 713/201
6,236,652 B1  5/2001  Preston et al. .............. 370/349
6,243,814 B1  6/2001  Matena
6,279,029 B1  8/2001  Sampat et al. ............... 709/203
6,292,934 B1  9/2001  Davidson et al.
6,304,973 B1 10/2001  Williams
6,307,837 B1 10/2001  Ichikawa et al. ............. 370/230
6,308,282 B1 10/2001  Huang et al.
6,327,252 B1 12/2001  Silton et al. ............... 370/256
6,330,671 B1 12/2001  Aziz ........................ 713/163
6,333,918 B1 12/2001  Hummel ...................... 370/238
6,335,926 B1  1/2002  Silton et al. ............... 370/351
6,370,552 B1  4/2002  Bloomfield
6,374,298 B2  4/2002  Tanno
6,377,811 B1  4/2002  Sood et al.
6,415,323 B1  7/2002  McCanne et al. .............. 709/225
6,452,925 B1* 9/2002  Sistanizadeh et al. ......... 370/352
6,453,419 B1  9/2002  Flint et al.
6,463,061 B1 10/2002  Rekhter et al.
6,470,375 B1 10/2002  Whitner et al. .............. 718/105
6,484,257 B1 11/2002  Ellis
6,487,600 B1* 11/2002 Lynch
6,515,974 B1  2/2003  Inoue et al.
6,532,543 B1  3/2003  Smith et al.
6,557,037 B1  4/2003  Provino
6,560,707 B2  5/2003  Curtis et al.
6,567,405 B1* 5/2003  Borella et al. .............. 370/389
6,600,733 B2  7/2003  Deng
6,606,708 B1  8/2003  Devine et al.
6,615,349 B1  9/2003  Hair
6,631,416 B2 10/2003  Bendinelli et al.
6,693,878 B1  2/2004  Daruwalla et al.

FOREIGN PATENT DOCUMENTS (continued)
EP  0 813 327 A2  12/1997 ........... H04L 29/06
EP  0 887 981 A2  12/1998 ........... H04L 29/06
WO  WO 89/08887    9/1989 ........... G06F 13/14
WO  WO 97/48210   12/1997 ........... H04L 12/46
WO  WO 98/18269    4/1998 ........... H04Q 3/00
WO  WO 98/32301    7/1998 ........... H04Q 7/22
WO  WO 98/57464   12/1998 ........... H04L 12/46
WO  WO 99/11019    3/1999 ........... H04L 9/00
WO  WO 99/38081    7/1999 ........... G06F 13/00

OTHER PUBLICATIONS (continued)
"V-One's SmartGate VPN", V-One Corporation Advertisement, pp. A5-A6.
Pakstas, A., "Towards Electronic Commerce Via Science Park Multi-Extranets," Computer Communications, vol. 22, pp. 1351-1363 (1999).
Wright, Michele, "Using Policies for Effective Network Management," International Journal of Network Management, vol. 9, pp. 118-125 (1999).
Perkins, Charles E., "Mobile IP," IEEE Communication Magazine, pp. 84-98 (1997).
Perkins, C., "IP Mobility Support," ftp://ftp.isi.edu/in-notes/rfc2002.txt, pp. 1-79 (1996).
Laborde, D., "Understanding and Implementing Effective VPNs," Computer Technology Review, Westworld Production Co., Los Angeles, vol. 18, pp. 12, 14 & 16 (1998).
Armitage, "IP Multicasting Over ATM Networks," IEEE Journal on Selected Areas in Communications, vol. 15, pp. 445-457 (1997).
Chua et al., "On a Linux Implementation of Mobile IP and its Effects on TCP Performance," Computer Communications, vol. 22, pp. 568-588 (1999).
Chung et al., "DCOM and CORBA, Side by Side, Step by Step, and Layer by Layer," C Plus Plus Report, Sigs Publications, vol. 10 (1998).
De Lima et al., "An Effective Selective Repeat ARQ Strategy for High Speed Point-to-Multipoint Communications," IEEE 47th Vehicular Technology Conference, pp. 1059-1063 (1996).
Deng et al., "Integrating Security in CORBA Based Object Architectures," IEEE, pp. 50-61 (1995).
Edwards, K., "Core Jini," Prentice Hall PTR (1999).
Freier et al., "The SSL Protocol Version 3.0," Internet Draft, Netscape Communications, Nov. 18, 1996, pp. Abstract, 1-72.
Gleeson, Heinanen, Armitage, "A Framework for IP Based Virtual Private Networks," Online, retrieved from the Internet: <URL:http://www.alternic.org/drafts/drafts-g-h/draft-gleeson-vpn-framework-00.txt>, retrieved Jun. 27, 2001.
Perkins, C.E., "Mobile Networking Through Mobile IP," IEEE Internet Computing, IEEE Service Center, Piscataway, New Jersey, vol. 2, No. 1, 1998, pp. 1-12.
Ricciuti, M., "Iona Makes CORBA Net Friendly," CNET News.Com, pp. 1-2 (1997).
Stevenson et al., "Design of a Key Agile Cryptographic System for OC-12c Rate ATM," IEEE (1995).
Teraoka, "VIP: A Protocol Providing Host Migration Transparency," Internetworking: Research and Experience, vol. 4, pp. 195-221 (1993).
Teraoka, "Host Migration Transparency in IP Networks: The VIP Approach," Computer Communications Review, pp. 44-65.
Teraoka, "A Network Architecture Providing Host Migration Transparency," Computer Communication Review, No. 4, pp. 209-220 (1991).
Zhao et al., "Flexible Network Support for Mobility," ACM, pp. 145-155 (1998).
DCOM Technical Overview, Microsoft Corporation (1996).
Introduction to OrbixOTM, IONA Technologies PLC (1999).
`
`
`
`
`
`
Orbix C++ Administrator's Guide, IONA Technologies PLC (1999).
OrbixNames Programmer's and Administrator's Guide, IONA Technologies PLC (1999).
Forman, George H., et al., "The Challenges of Mobile Computing," University of Washington Computer Science & Engineering, pp. 1-16 (1994).
Pike, Rob et al., "Plan 9 from Bell Labs," 1995, Lucent Technologies, pp. 1-25.
Waldvogel, Marcel et al., "The VersaKey Framework: Versatile Group Key Management," Sep. 1999, Computer Engineering and Networks Laboratory (TIK), ETH Zürich, Switzerland and Sun Microsystems Inc., Network Security Group, Palo Alto, California, pp. 1-27.
SSH IPSEC Express, White Paper, Version 2.0, Mar. 1999, SSH Communications Security Ltd., pp. 1-23.
Aziz, Ashar et al., "Simple Key-Management for Internet Protocols (SKIP)," http://www.tik.ee.ethz.ch/~skip/SKIP.html, Sep. 1999, pp. 1-19.
Aziz, Ashar et al., "Design and Implementation of SKIP," INET '95 Conference, Jun. 28, 1995, pp. 1-12.
Kent, S. et al., "IP Authentication Header," ftp://ftp.isi.edu/in-notes/rfc2402.txt, Nov. 1998, pp. 1-19.
* cited by examiner
`
`
`
`
U.S. Patent    Nov. 29, 2005    Sheet 1 of 12    US 6,970,941 B1

[Sheet 1 of 12: FIG. 1, a conventional virtual private network (VPN) system; no drawing text survived the extraction]
`
`
`
Sheet 2 of 12

[Sheet 2 of 12: FIGS. 2A and 2B, a conventional network packet and the same packet after conventional tunneling; only reference numeral 202 is legible]
`
`
`
Sheet 3 of 12

[Sheet 3 of 12: FIG. 3, the data processing system; drawing labels are garbled in the extraction]
`
`
`
Sheet 4 of 12

[Sheet 4 of 12: FIG. 4, the nodes of FIG. 3 communicating over multiple channels; drawing labels are garbled in the extraction]
`
`
`
Sheet 5 of 12

[Sheet 5 of 12: FIG. 5, two of the devices of FIG. 3 in greater detail; drawing labels are mirrored and garbled in the extraction]
`
`
`
Sheet 6 of 12

FIG. 6 (datagram packet used by the present invention):

  Outer IP header (610)
    612  Next Header = SUPERNET
    614  Real Source Node ID
    616  Real Destination Node ID
  Supernet header (620)
    622  Next Header = AH
    624  Key Information
    626  Supernet Number ID
  Authentication header (630)
         Next Header = ESP
         SPI
         Seq. No.
         Authentication Data
  Encapsulating Security Payload header (640)
    642  Virtual Source Node ID
    644  Virtual Destination Node ID
  Payload data (650)
    652  TCP
    654  Data
`
`
`
Sheet 7 of 12

FIG. 7A (login; continued in FIG. 7B):
  702  Receive and authenticate supernet name, user ID, password and VADDR
  704  Authenticated by SASD? (yes:)
  706  SASD creates address mapping
  708  SASD transmits addressing information to KMS
  710  KMD generates a key ID and a key, returns key ID and key to KMS and multicasts info
  712  SASD returns info to SNLOGIN
  714  SNLOGIN transmits info to KMC
  716  KMC registers with KMD and KMS
`
`
`
Sheet 8 of 12

FIG. 7B (login, continued from FIG. 7A):
  718  SNLOGIN configures SNSL
  720  SNLOGIN runs in supernet context
  722  SNLOGIN spawns shell
`
`
`
Sheet 9 of 12

FIG. 8 (send packet):
  802  Receive packet from node A
  804  Access address mapping
  806  SNSL configured? (no: end)
  808  Obtain key
  810  Encrypt packet
  812  Authenticate sender
  814  Pass to IP layer
       End
`
`
`
Sheet 10 of 12

FIG. 9 (receive packet):
  901  Receive packet
  902  SNSL configured? (no: end)
  904  Obtain key
  906  Decrypt
  908  Authenticate sender
  910  Pass packet to IP layer
       End
`
`
`
Sheet 11 of 12

FIG. 10 (logout):
  1002  SNLOGOUT receives node ID
  1004  SNLOGOUT requests logout
  1006  SASD removes address mapping
  1008  SASD informs KMS and terminates KMC
  1010  KMS changes key
        End
`
`
`
Sheet 12 of 12

[Sheet 12 of 12: FIG. 11, a web server environment system; the labels SYSTEM, WEB and CLIENT are legible only as mirrored text]
`
`
`
SYSTEM AND METHOD FOR SEPARATING ADDRESSES FROM THE DELIVERY SCHEME IN A VIRTUAL PRIVATE NETWORK

RELATED APPLICATIONS

U.S. patent application Ser. No. 09/457,917, entitled "TRULY ANONYMOUS COMMUNICATIONS USING SUPERNETS WITH THE PROVISION OF TOPOLOGY HIDING," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/457,889, entitled "METHOD AND SYSTEM FOR FACILITATING RELOCATION OF DEVICES ON A NETWORK," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/457,916, entitled "SANDBOXING APPLICATIONS IN A PRIVATE NETWORK USING A PUBLIC-NETWORK INFRASTRUCTURE," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/457,894, entitled "SECURE ADDRESS RESOLUTION FOR A PRIVATE NETWORK USING A PUBLIC NETWORK INFRASTRUCTURE," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/458,020, entitled "DECOUPLING ACCESS CONTROL FROM KEY MANAGEMENT IN A NETWORK," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/457,895, entitled "CHANNEL-SPECIFIC FILE SYSTEM VIEWS IN A PRIVATE NETWORK USING A PUBLIC NETWORK INFRASTRUCTURE," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/458,040, entitled "PRIVATE NETWORK USING A PUBLIC-NETWORK INFRASTRUCTURE," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/457,914, entitled "SYSTEM AND METHOD FOR ENABLING SCALABLE SECURITY IN A VIRTUAL PRIVATE NETWORK," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/457,915, entitled "USING MULTICASTING TO PROVIDE ETHERNET-LIKE COMMUNICATION BEHAVIOR TO SELECTED PEERS ON A NETWORK," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/457,896, entitled "ANYCASTING IN A PRIVATE NETWORK USING A PUBLIC NETWORK INFRASTRUCTURE," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/458,021, entitled "SCALABLE SECURITY ASSOCIATIONS FOR GROUPS FOR USE IN A PRIVATE NETWORK USING A PUBLIC-NETWORK INFRASTRUCTURE," filed Dec. 10, 1999.
U.S. patent application Ser. No. 09/458,044, entitled "ENABLING SIMULTANEOUS PROVISION OF INFRASTRUCTURE SERVICES," filed Dec. 10, 1999.

FIELD OF THE INVENTION

The present invention relates generally to data processing systems and, more particularly, to a private network using a public-network infrastructure.

BACKGROUND OF THE INVENTION

As part of their day-to-day business, many organizations require an enterprise network, a private network with leased lines, dedicated channels, and network connectivity devices, such as routers, switches, and bridges. These components, collectively known as the network's "infrastructure," are very expensive and require a staff of information technology personnel to maintain them. This maintenance requirement is burdensome on many organizations whose main business is not related to the data processing industry (e.g., a clothing manufacturer) because they are not well suited to handle such data processing needs.

Another drawback to enterprise networks is that they are geographically restrictive. The term "geographically restrictive" refers to the requirement that if a user is not physically located such that they can plug their device directly into the enterprise network, the user cannot typically utilize it. To alleviate the problem of geographic restrictiveness, virtual private networks have been developed.

In a virtual private network (VPN), a remote device or network connected to the Internet may connect to the enterprise network through a firewall. This allows the remote device to access resources on the enterprise network even though it may not be located near any component of the enterprise network. For example, FIG. 1 depicts a VPN 100, where enterprise network 102 is connected to the Internet 104 via firewall 106. By using VPN 100, a remote device D1 108 may communicate with enterprise network 102 via Internet 104 and firewall 106. Thus, D1 108 may be plugged into an Internet portal virtually anywhere within the world and make use of the resources on enterprise network 102.

To perform this functionality, D1 108 utilizes a technique known as tunneling to ensure that the communication between itself and enterprise network 102 is secure in that it cannot be viewed by an interloper. "Tunneling" refers to encapsulating one packet inside another when packets are transferred between two end points (e.g., D1 108 and VPN software 109 running on firewall 106). The packets may be encrypted at their origin and decrypted at their destination. For example, FIG. 2A depicts a packet 200 with a source Internet protocol (IP) address 202, a destination IP address 204, and data 206. It should be appreciated that packet 200 contains other information not depicted, such as the source and destination port. As shown in FIG. 2B, the tunneling technique forms a new packet 208 out of packet 200 by encrypting it and adding both a new source IP address 210 and a new destination IP address 212. In this manner, the contents of the original packet (i.e., 202, 204, and 206) are not visible to any entity other than the destination. Referring back to FIG. 1, by using tunneling, remote device D1 108 may communicate and utilize the resources of the enterprise network 102 in a secure manner.

Although VPNs alleviate the problem of geographic restrictiveness, they impose significant processing overhead when two remote devices communicate. For example, if remote device D1 108 wants to communicate with remote device D2 110, D1 sends a packet using tunneling to VPN software 109, where the packet is decrypted and then transferred to the enterprise network 102. Then, the enterprise network 102 sends the packet to VPN software 109, where it is encrypted again and transferred to D2. Given this processing overhead, it is burdensome for two remote devices to communicate in a VPN environment.

Each address used by the VPN contains implicit information as to the delivery scheme (e.g., broadcast, multicast, or unicast) to use. For example, the well-known "224.x.x.x" IP range relates to multicast addresses. Some addresses are even bound to a designated interface. For example, the "127.x.x.x" IP range is bound to a loopback interface on the Internet. Forcing an address to be associated with a delivery method unnecessarily restricts addressing schema. In the example mentioned above, a destination address in the "127.x.x.x" range always refers to the loopback interface and can never be changed. Because of this limitation, it is extremely hard to experiment with new or different addressing schemes on a large scale. For example, IPv6, a new addressing scheme, has yet to be fully deployed on the Internet because of the different addressing scheme. IPv6 is described in greater detail in "ftp://ftp.isi.edu/in-notes/rfc2373.txt."

Therefore, it is desirable to provide addressing functionality that easily integrates and supports existing infrastructure services while at the same time allows for multiple delivery schemes.
`
SUMMARY OF THE INVENTION

Methods and systems consistent with the present invention overcome the shortcomings of existing delivery schemes and addressing by establishing a virtual network on top of current IP network delivery schemes. The virtual network uses a separate layer to create a modification to the IP packet format that is used to separate network behavior from addressing. As a result of the modification to the packet format, any type of delivery scheme may be assigned to any address or group of addresses. The virtual network also maintains secure communications between nodes, while providing the flexibility of assigning delivery methods independent of the delivery addresses.

In accordance with the purpose of the invention as embodied and broadly described herein, a computer is connected to a public network infrastructure over which a private network operates. The private network has a plurality of nodes, and the computer comprises a memory and a processor. The memory contains one of the plurality of nodes for communicating over the private network. The memory also contains a security layer that receives from the one node communications containing internal addresses that are suitable for use in communicating within the private network, and that translates the internal addresses into external addresses that are suitable for use in communicating over the public-network infrastructure. The internal address does not identify a delivery scheme used by the computer. The security layer also encrypts the communications and transmits the communications over the public network to the destinations of the communications. The processor runs the one node and the security layer.

In another implementation, a method is provided in a public network having a network infrastructure that is used by a private network over which a plurality of clients communicate with a plurality of web servers. The private network uses a plurality of delivery schemes to communicate between the clients and web servers in the private network, and each of the web servers has a corresponding external address. The method requests an internal address from an address server. The internal address corresponds to a set of web servers and is not associated with a delivery scheme. Based on the selected delivery scheme, the method places the client in a context such that the client is capable of communicating with the set of web servers on the private network. Once placed, the method sends the packet from the client to the set of web servers by accessing the address mapping and adding the external address to the packet and by causing delivery of the packet to the web server to occur in a secure manner.
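The security layer described above, and the send and receive procedures of FIGS. 8 and 9 over the packet layout of FIG. 6, as an added Python example that is not part of the patent and not Sun's code. Everything concrete in it is an assumption: node IDs are 32-bit integers, the SUPERNET next-header value is 0x61, the channel key is a 32-byte secret selected by the key ID carried in the supernet header, the "encryption" is a constructed HMAC-SHA256 counter-mode keystream standing in for the ESP transform, and the "authentication" is an HMAC-SHA256 tag verified before decryption. The delivery scheme lives in the address-mapping entry, so a virtual address whose bits look like an ordinary unicast host can still be delivered to every member of a channel:

```python
"""Supernet packet handling modelled on FIG. 6 (packet layout), FIG. 8 (send)
and FIG. 9 (receive). Added example; not the patent's or Sun's code.
Assumptions the patent does not make: node IDs are 32-bit integers, the
SUPERNET next-header value is 0x61, the channel key is a 32-byte secret chosen
by the key ID in the supernet header, 'encryption' is a constructed keystream
(HMAC-SHA256 in counter mode) and 'authentication' is an HMAC-SHA256 tag
verified before decryption (encrypt-then-MAC)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

NEXT_SUPERNET = 0x61          # assumed for the example; the patent assigns no value
NEXT_AH, NEXT_ESP = 51, 50    # IANA protocol numbers for AH and ESP
HDR = struct.Struct(">BII")   # next header + two 32-bit fields (9 bytes)
TAG_LEN = 32


@dataclass
class Mapping:
    """Address-mapping entry (FIG. 8, 804). The delivery scheme is a property
    of the entry, not of the virtual address bits."""
    scheme: str        # "unicast" or "multicast"
    real_dsts: list    # real node IDs reached through this entry
    supernet_id: int
    key_id: int


@dataclass
class SNSL:
    """Toy supernet security layer state for one node."""
    real_id: int
    keys: dict = field(default_factory=dict)      # key_id -> channel key
    mappings: dict = field(default_factory=dict)  # virtual dst -> Mapping
    last_seq: dict = field(default_factory=dict)  # (real_src, spi) -> last seq


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in cipher for the example, not an IPsec transform."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def send(layer, virt_src, virt_dst, payload, spi, seq):
    """FIG. 8: map the virtual destination, obtain the channel key, encrypt the
    virtual addresses plus payload, authenticate, emit one packet per real destination."""
    m = layer.mappings.get(virt_dst)                        # 804 address mapping
    if m is None or m.key_id not in layer.keys:             # 806 SNSL configured?
        return []
    key = layer.keys[m.key_id]                              # 808 obtain key
    inner = struct.pack(">II", virt_src, virt_dst) + payload
    nonce = struct.pack(">II", spi, seq)
    esp = _xor(inner, _keystream(key, nonce, len(inner)))   # 810 encrypt
    packets = []
    for real_dst in m.real_dsts:       # unicast: one entry; multicast: each member
        outer = HDR.pack(NEXT_SUPERNET, layer.real_id, real_dst)
        sn_hdr = HDR.pack(NEXT_AH, m.key_id, m.supernet_id)
        ah_hdr = HDR.pack(NEXT_ESP, spi, seq)
        tag = hmac.new(key, outer + sn_hdr + ah_hdr + esp, hashlib.sha256).digest()  # 812
        packets.append(outer + sn_hdr + ah_hdr + tag + esp)  # 814 to IP layer
    return packets


def receive(layer, packet):
    """FIG. 9: parse headers, obtain the key, check the tag, reject replays,
    decrypt; returns (virt_src, virt_dst, payload) or None if rejected."""
    tag_at = 3 * HDR.size
    if len(packet) < tag_at + TAG_LEN + 8:
        return None
    (nh0, real_src, real_dst), (nh1, key_id, _), (nh2, spi, seq) = (
        HDR.unpack_from(packet, i * HDR.size) for i in range(3))
    key = layer.keys.get(key_id)                              # 904 obtain key
    if (nh0, nh1, nh2) != (NEXT_SUPERNET, NEXT_AH, NEXT_ESP) or \
            real_dst != layer.real_id or key is None:
        return None
    tag, esp = packet[tag_at:tag_at + TAG_LEN], packet[tag_at + TAG_LEN:]
    expect = hmac.new(key, packet[:tag_at] + esp, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):                  # 908 authenticate sender
        return None
    if seq <= layer.last_seq.get((real_src, spi), 0):         # AH seq. no.: anti-replay
        return None
    layer.last_seq[(real_src, spi)] = seq
    inner = _xor(esp, _keystream(key, struct.pack(">II", spi, seq), len(esp)))  # 906
    return (*struct.unpack_from(">II", inner), inner[8:])     # 910 up the stack


def demo():
    """Constructed scenario; 192.168.0.9 is multicast only because its mapping says so."""
    key = hashlib.sha256(b"constructed channel key").digest()
    A, B, C = 0x0A000001, 0x0A000002, 0x0A000003            # real node IDs
    a = SNSL(A, keys={7: key}, mappings={
        0xC0A80005: Mapping("unicast", [B], supernet_id=1, key_id=7),
        0xC0A80009: Mapping("multicast", [B, C], supernet_id=1, key_id=7)})
    b, c, outsider = SNSL(B, keys={7: key}), SNSL(C, keys={7: key}), SNSL(B)
    uni = send(a, 0xC0A80001, 0xC0A80005, b"hello", spi=1, seq=1)
    multi = send(a, 0xC0A80001, 0xC0A80009, b"to all", spi=1, seq=2)
    third = send(a, 0xC0A80001, 0xC0A80005, b"x", spi=1, seq=3)[0]
    tampered = third[:-1] + bytes([third[-1] ^ 1])        # flip one ciphertext bit
    return {"unicast_count": len(uni), "multicast_count": len(multi),
            "b_gets_unicast": receive(b, uni[0]), "replay_rejected": receive(b, uni[0]),
            "b_gets_multicast": receive(b, multi[0]), "c_gets_multicast": receive(c, multi[1]),
            "tamper_rejected": receive(b, tampered), "untampered_accepted": receive(b, third),
            "outsider_rejected": receive(outsider, uni[0])}
```

The receiver checks the tag before decrypting, which is the order an encrypt-then-MAC construction requires even though FIG. 9 draws decryption (906) ahead of sender authentication (908); a node holding the right real address but no channel key, a replayed sequence number, and a single flipped ciphertext bit are all rejected before any plaintext is produced.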
`
BRIEF DESCRIPTION OF THE DRAWINGS

This invention is pointed out with particularity in the appended claims. The above and further advantages of this invention may be better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:

FIG. 1 depicts a conventional virtual private network (VPN) system;
FIG. 2A depicts a conventional network packet;
FIG. 2B depicts the packet of FIG. 2A after it has been encrypted in accordance with a conventional tunneling technique;
FIG. 3 depicts a data processing system suitable for use with methods and systems consistent with the present invention;
FIG. 4 depicts the nodes depicted in FIG. 3 communicating over multiple channels;
FIG. 5 depicts two devices depicted in FIG. 3 in greater detail;
FIG. 6 depicts a datagram packet used by the present invention;
FIGS. 7A and 7B depict a flow chart of the steps performed when logging into a VPN in a manner consistent with the present invention;
FIG. 8 depicts a flow chart of the steps performed when sending a packet from a node of the VPN in a manner consistent with the present invention;
FIG. 9 depicts a flow chart of the steps performed when receiving a packet by a node of the VPN in a manner consistent with the present invention;
FIG. 10 depicts a flow chart of the steps performed when logging out of a VPN in a manner consistent with the present invention; and
FIG. 11 depicts an embodiment of a web server environment system for use with the invention.
`
DETAILED DESCRIPTION

Methods and systems consistent with the present invention overcome the shortcomings of existing networks by establishing a "supernet," which is a private network that uses components from a public-network infrastructure. A supernet allows an organization to utilize a public-network infrastructure for its enterprise network so that the organization no longer has to maintain a private network infrastructure; instead, the organization may have the infrastructure maintained for them by one or more service providers or other organizations that specialize in such connectivity matters. As such, the burden of maintaining an enterprise network is greatly reduced. Moreover, a supernet is not geographically restrictive, so a user may plug their device into the Internet from virtually any portal in the world and still be able to use the resources of their private network in a secure and robust manner.

Supernets also provide heterogeneous addressing functionality. The supernet uses a separate layer that isolates address names of nodes from addressing schemes and delivery schemes. The supernet contains a modification to the IP packet format that can be used to separate network behavior from addressing. As a result of the modification, any delivery scheme may be assigned to any address, or group of addresses.

Overview

FIG. 3 depicts a data processing system 300 suitable for use with methods and systems consistent with the present invention. Data processing system 300 comprises a number of devices, such as computers 302-312, connected to a public network, such as the Internet 314. A supernet's infrastructure uses components from the Internet because devices 302, 304, and 312 contain nodes that together form a supernet and that communicate by using the infrastructure of the Internet. These nodes 316, 318, 320, and 322 are communicative entities (e.g., processes) running within a particular device and are able to communicate among themselves as well as access the resources of the supernet in a secure manner. When communicating among themselves, the nodes 316, 318, 320, and 322 serve as end points for the communications, and no other processes or devices that are not part of the supernet are able to communicate with the supernet's nodes or utilize the supernet's resources. The supernet also includes an administrative node 306 to administer to the needs of the supernet.

It should be noted that since the nodes of the supernet rely on the Internet for connectivity, if the device on which a node is running relocates to another geographic location, the device can be plugged into an Internet portal and the node running on that device can quickly resume the use of the resources of the supernet. It should also be noted that since a supernet is layered on top of an existing network, it operates independently of the transport layer. Thus, the nodes of a supernet may communicate over different transports, such as IP, IPX, X.25, or ATM, as well as different physical layers, such as RF communication, cellular communication, satellite links, or land-based links.
As shown in FIG. 4, a supernet includes a number of channels that its nodes 316-322 can communicate over. A "channel" refers to a collection of virtual links through the public-network infrastructure that connect the nodes on the channel such that only these nodes can communicate over it. A node on a channel may send a message to another node on that channel, known as a unicast message, or it can send a message to all other nodes on that channel, known as a multicast message. For example, channel 1 402 connects node A 316 and node C 320, and channel 2 404 connects node B 318, node C 320, and node D 322. Each supernet has any number of preconfigured channels over which the nodes on that channel can communicate. In an alternative embodiment, the channels are dynamically defined.

In addition to communication, the channels may be used to share resources. For example, channel 1 402 may be configured to share a file system as part of node C 320 such that node A 316 can utilize the file system of node C in a secure manner. In this case, node C 320 serves as a file system manager by receiving file system requests (e.g., open, close, read, write, etc.) and by satisfying the requests by manipulating a portion of the secondary storage on its local machine. To maintain security, node C 320 stores the data in an encrypted form so that it is unreadable by others. Such security is important because the secondary storage may not be under the control of the owners of the supernet, but may instead be leased from a service provider. Additionally, channel 2 404 may be configured to share the computing resources of node D 322 such that nodes B 318 and C 320 send code to node D for execution. By using channels in this manner, resources on a public network can be shared in a secure manner.

A supernet provides a number of features to ensure secure and robust communication among its nodes. First, the system provides authentication and admission control so that nodes become members of the supernet under strict control to prevent unauthorized access. Second, the supernet provides communication security services so that the sender of a message is authenticated and communication between end points occurs in a secure manner by using encryption. Third, the system provides key management to reduce the possibility of an intruder obtaining an encryption key and penetrating a secure communication session. The system does so by providing one key per channel and by changing the key for a channel whenever a node joins or leaves the channel. Alternatively, the system may use a different security policy.
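The admission-control and key-management features just described, following the login steps of FIG. 7A and the logout steps of FIG. 10, as an added Python example that is not part of the patent and not Sun's code. The concrete choices are assumptions: passwords are verified with PBKDF2-HMAC-SHA256 against a constructed user table, a channel key is a random 32-byte value named by an integer key ID, sender authentication is an HMAC-SHA256 tag, and the KMD's key generation is folded into the KMS class. The scenario shows what the per-channel rekey on join and leave buys: a node that has logged out cannot authenticate traffic sent after it left, and a node that joins later cannot authenticate traffic sent before it arrived.

```python
"""Admission control, address mapping and per-channel rekeying on join and
leave, following FIG. 7A (login), FIG. 10 (logout) and the one-key-per-channel
policy. Added example; not the patent's or Sun's code. Assumptions: passwords
are checked with PBKDF2-HMAC-SHA256 against a constructed user table, channel
keys are random 32-byte values named by an integer key ID, sender authentication
is an HMAC-SHA256 tag, and KMD key generation is folded into the KMS class."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ROUNDS = 100_000   # PBKDF2 iteration count (assumed)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def make_user(password: str):
    """Constructed user record: (salt, password hash)."""
    salt = secrets.token_bytes(16)
    return salt, _pbkdf2(password, salt)


@dataclass
class KMC:
    """Key-management client held by one node: key_id -> channel key."""
    node_id: int
    keys: dict = field(default_factory=dict)

    def tag(self, key_id: int, msg: bytes) -> bytes:
        return hmac.new(self.keys[key_id], msg, hashlib.sha256).digest()

    def verify(self, key_id: int, msg: bytes, tag: bytes) -> bool:
        key = self.keys.get(key_id)          # a key this node never received fails
        return key is not None and hmac.compare_digest(
            hmac.new(key, msg, hashlib.sha256).digest(), tag)


class KMS:
    """Key-management server for one channel: fresh key and ID on every membership change."""

    def __init__(self):
        self.key_id = 0
        self.members = {}                    # node_id -> KMC

    def rekey(self) -> int:
        self.key_id += 1
        key = secrets.token_bytes(32)        # stands in for KMD (FIG. 7A, 710)
        for kmc in self.members.values():    # "multicasts info" to current members only
            kmc.keys[self.key_id] = key
        return self.key_id

    def register(self, kmc: KMC) -> int:     # FIG. 7A, 716
        self.members[kmc.node_id] = kmc
        return self.rekey()

    def deregister(self, node_id: int) -> int:   # FIG. 10, 1008-1010
        self.members.pop(node_id, None)
        return self.rekey()


class SASD:
    """Supernet address server: authenticates logins and owns the address mapping."""

    def __init__(self, users: dict, kms: KMS):
        self.users = users                   # (supernet, user_id) -> (salt, hash)
        self.kms = kms
        self.mapping = {}                    # vaddr -> node_id

    def login(self, supernet, user_id, password, vaddr, node_id):
        """FIG. 7A, 702-716: authenticate, create the mapping, then key the node."""
        rec = self.users.get((supernet, user_id))
        if rec is None or not hmac.compare_digest(_pbkdf2(password, rec[0]), rec[1]):
            return None                      # 704: not authenticated by SASD
        if vaddr in self.mapping:
            return None                      # VADDR already bound to a node
        self.mapping[vaddr] = node_id        # 706: address mapping
        kmc = KMC(node_id)
        self.kms.register(kmc)               # 708-716: key generated and delivered
        return kmc

    def logout(self, vaddr) -> bool:
        """FIG. 10: remove the mapping, terminate the client, change the key."""
        node_id = self.mapping.pop(vaddr, None)
        if node_id is None:
            return False
        self.kms.deregister(node_id)
        return True


def demo() -> dict:
    """Constructed scenario: alice and bob log in, bob logs out, carol logs in."""
    kms = KMS()
    sasd = SASD({("acme", u): make_user(p) for u, p in
                 [("alice", "correct horse"), ("bob", "battery staple"), ("carol", "xyzzy")]}, kms)
    alice = sasd.login("acme", "alice", "correct horse", 0x0A000101, 1)
    bob = sasd.login("acme", "bob", "battery staple", 0x0A000102, 2)
    rejected = sasd.login("acme", "carol", "wrong password", 0x0A000103, 3)
    k1, t1 = kms.key_id, alice.tag(kms.key_id, b"hello bob")
    r = {"bad_password_rejected": rejected is None,
         "bob_verifies_before_leaving": bob.verify(k1, b"hello bob", t1),
         "logout_ok": sasd.logout(0x0A000102)}
    k2, t2 = kms.key_id, alice.tag(kms.key_id, b"after bob left")
    carol = sasd.login("acme", "carol", "xyzzy", 0x0A000103, 3)
    k3 = kms.key_id
    r.update({"rekeyed_on_leave": k2 == k1 + 1, "rekeyed_on_join": k3 == k2 + 1,
              "bob_verifies_after_leaving": bob.verify(k2, b"after bob left", t2),
              "carol_verifies_old_traffic": carol.verify(k1, b"hello bob", t1),
              "alice_verifies_carol": alice.verify(k3, b"hi", carol.tag(k3, b"hi")),
              "mapping": dict(sasd.mapping)})
    return r
```

Every key carries its key ID, so a receiver selects the key from the ID in the packet rather than guessing which generation a sender used; the rekey on every membership change is what makes the old key useless to a departed member, and nothing in this model lets a late joiner obtain an earlier generation.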
Fourth, the system provides address translation in a transparent manner. Since the supernet is a private network constructed from the infrastructure of another network, the supernet has its own internal addressing scheme, separate from the addressing scheme of the underlying public network. Thus, when a packet from a supernet node is sent to another supernet node, it travels through the public network. To do so, the supernet performs address transla