WO2009058062A1 - An improved mechanism for use in a virtual private network (vpn) - Google Patents


Info

Publication number
WO2009058062A1
Authority
WO
WIPO (PCT)
Prior art keywords
traffic
gateway
vpn
router
tunnel
Application number
PCT/SE2007/050814
Other languages
French (fr)
Inventor
Hans-Åke LUND
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling

Definitions

  • the present invention discloses a method for use with a Virtual Private Network, a VPN, which can comprise one or more users, and which is connected to a first gateway through which traffic to and from users in the VPN can be routed.
  • traffic from the users in the VPN is sent to a node in the system which comprises a central so called “anchor" point in the system to which the VPN is connected before it is forwarded to the various services that a user in the VPN wants to access, such as, for example, the Internet, web-servers, fileservers etc. Such a node will in this text from now on be referred to as an Access Edge Gateway.
  • An “anchor” point is thus used in a gateway function such as an Access Edge Gateway and its implementation in Home Virtual Private Networks, HVPN.
  • in a HVPN, all access methods, both residential broadband access and remote access methods such as, for example, GPRS, web-portals, etc., must have a common anchor point in the Access Edge Gateway, through which all traffic must pass in order to be able to reach the HVPN independently of the location of the user.
  • Such a solution is offered by the present invention in that it discloses a method for use with a Virtual Private Network, a VPN, which can comprise one or more users, and which is connected to a first gateway through which traffic to and from users in the VPN can be routed.
  • the traffic to and from users in the VPN can comprise a first and a second kind of traffic, and the first gateway to which the VPN is connected is in turn connected to a second gateway MASG which can route the traffic to and from the first gateway to and from a first plurality of services.
  • the first and the second gateways can exchange control messages, by means of which a distinction can be made between the first and the second kinds of traffic, by means of which distinction the first kind of traffic is routed via the first gateway to and from the VPN, and the second kind of traffic is routed to and from the first gateway via the second gateway.
  • the first kind of traffic comprises traffic to and from user defined services, and in one embodiment, the first kind of traffic comprises, for example, IPTV (IP based Television) and VoD (Video on Demand).
  • the second kind of traffic can comprise traffic which is exchanged between a user device in the VPN and a remote device which is also part of the VPN.
  • the second kind of traffic comprises Internet traffic.
  • control messages between the first and the second gateway are exchanged via Mobile IP.
  • the invention also discloses a router for use as a gateway in a VPN, with functions which basically allow the router to function according to the method of the invention.
  • Fig 1 shows a system with a prior art VPN
  • Fig 2 shows a conceptual view of a VPN equipped with the invention
  • Fig 3 shows a flowchart of a method of the invention
  • Fig 4 shows a block diagram of a CPE of the invention.
  • Fig 1 shows a basic view of a system 100 with a Virtual Private Network, VPN, 110, for example a VPN for homes, a Home VPN, HVPN.
  • the HVPN 110 comprises one or more users (not shown), and is also equipped with a first gateway GW1, 120.
  • the first gateway 120 is preferably a so called CPE, Customer Provided Equipment, and serves as router for all of the traffic to and from the HVPN 110.
  • Also shown in fig 1 are different origins 140, 150, 160, 170, of traffic to and from the VPN 110. Examples of such origins or destinations of traffic for the VPN 110 are the Internet, Video on Demand (VoD), Internet based TV (IPTV) etc.
  • the system 100 is designed in a way which is quite common at present, and thus comprises a second gateway, GW2, 130, which serves as an "anchor point" for all of the traffic to and from the HVPN 110, regardless of the location of the user and the origin of the traffic, and also regardless of the access method of the traffic.
  • examples of access methods are GPRS, web-portal based access, as well as DSL, Digital Subscriber Line, FTTH, Fibre to the Home, which may be of the GPON type, Gigabit Passive Optical Network or Point-to-point, WiMAX, Worldwide Interoperability for Microwave Access, or WLAN, Wireless LAN.
  • One of the purposes of the present invention is thus to reduce the risk of "tromboning", as well as reducing the risk for congestion.
  • a basic principle by means of which the invention achieves this is to implement part of the home VPN functionality in a so called Residential Gateway, which is Customer Premises Equipment, CPE, and which is placed in a user's network at home corresponding to the first gateway 120 in fig 1.
  • the main reason for this is to obtain a system in which all traffic is not forced to go via the central home VPN anchor point, which is located in the second gateway 130, as shown in fig 1.
  • Certain kinds of traffic such as, inter alia, broadband traffic to and from the Internet should instead go directly via the nearest Internet connection point in the operator's network, in order to reduce the risk of tromboning and to ensure that bandwidth intense traffic which does not need to go via the VPN's anchor point does not do so.
  • the anchor point for the VPN's remote access will preferably be placed centrally in the network, e.g. in the second gateway 130.
  • which traffic should go directly to the nearest Internet connection point and which traffic should go via the VPN's anchor point can suitably be decided by a function in the first gateway GW1, based on the IP address of the destination, by means of a forwarding table which can be dynamically configured in the first gateway from the second gateway, suitably when the initial connection between the first and second gateways is established.
  • the invention's division of functionality between the first and the second gateway, the second gateway being a centrally placed node in the system, makes it possible for a larger part of the traffic to go directly through the operator's backbone network to the Internet or to other servers without any need to pass a central point in the network.
  • Fig 2 shows a schematic view of a system 200 with a HVPN 112 of the invention.
  • System components or objects which are the same as those shown in fig 1 have retained their reference numbers in fig 2.
  • one of the ideas behind the invention is that payload traffic from and to user devices in a VPN such as the VPN 112 in fig 2 should not always have to go through a single point such as an "anchor point" in the second gateway 132.
  • broadband user traffic between a device in the HVPN 112 and the Internet can go directly through the nearest internet connection point in an operator's network.
  • connection points are commonly referred to as Points of Presence, PoP.
  • Other traffic such as Internet based TV, IPTV, and Video on Demand, VoD, will in a system 200 which uses the invention be sent directly between the IPTV and VoD servers in the operator's network and the customer equipment, in this case the first gateway 122.
  • traffic is indicated by means of a generic source of traffic 170 shown as "4" in fig 2.
  • the traffic between source "4" and the first gateway 122 is direct, without passing the second gateway 132.
  • the first gateway 122 is a Customer provided Equipment such as a router.
  • the parts of the system 200 that handle signalling for authentication and which determine which users and devices that belong to the home VPN 112 must still be placed centrally in the system 200, i.e. in the second gateway 132.
  • the anchor point for remote access to the HVPN 112 is also placed centrally in the system 200.
  • the first gateway 122 which from now on will be referred to as the CPE, will set-up a so called tunnel 135 through the operator's network to a central node, the second gateway 132, "GW2".
  • GW2 will have information about the different VPNs in the system 200, and also serves as the anchor point for a number of different remote access methods, such as, for example, mobile telephony access, web access, encrypted tunnels like SSL VPN's etc.
  • the tunnel 135 between the CPE 122 and the GW2 can also be established by GW2.
  • the forwarding rules of the CPE will be set up by the GW2, so that only traffic that should be handled by the GW2 is forwarded across the tunnel.
  • the GW2 will be also able to dynamically change the forwarding rules in the CPE when remote access devices are added to or deleted from the VPN.
  • the GW2 must be able to control or configure the CPE in order to set the traffic forwarding policies, i.e. which traffic such as data or data packets that should be sent through the tunnel 135 to a central anchor point for the VPN, and which traffic such as data or data packets that should be sent directly to destinations such as, for example, the Internet or the operator's service network.
  • Such a control or configuration mechanism could suitably be the IP address table mentioned previously, and should preferably be based on a standard like, for example, DSL Forum TR-069.
  • the tunnel 135 should preferably be based on an IP tunnelling mechanism, since the GW2 132 in such a case could be placed in the system 200 without requiring any special L2 mechanism.
  • the set up of the tunnel 135 between the two gateways, i.e. GW1/CPE and GW2 is preferably carried out by means of an exchange of control signalling messages for setup of the tunnel, one example of such messages being Mobile IP signalling.
  • when the tunnel 135 has been established, data is preferably sent on the tunnel, the tunnel preferably being carried over Layer 3 in the network (i.e. over IP).
  • the L3 tunnel may be carried over a number of access technologies, such as, for example, DSL, Ethernet, HSPA, High Speed Packet Access, or an optical solution such as, for example, GPON, Gigabit Passive Optical Network.
  • the system 200 can achieve the best possible utilization of the existing connectivity between the gateways GW2 and CPE.
  • it is also possible to use L2 mechanisms in order to send data over the tunnel 135; if the access technology supports Layer 2 tunnels, Layer 2 may also be used for the tunnel.
  • Fig 3 shows a flow chart of some of the major steps of a method 300 of the invention. Steps which are options or alternatives are shown with dashed lines.
  • the method of the invention is intended for use with a Virtual Private Network which can comprise one or more users and which is connected to a first gateway such as GW1, through which traffic to and from users in the VPN can be routed.
  • the traffic comprises a first and a second kind of traffic, and the first gateway being connected to a second gateway such as GW2, which can route the traffic to and from the first gateway to and from a first plurality of services such as the services 140, 150, 160, 170, which are shown in figs 1 and 2.
  • the first and the second gateways can exchange control messages by means of which, as shown in step 315, a distinction can be made between the first and second kinds of traffic, so that, as shown in step 320, the first kind of traffic will be routed via the first gateway to and from the VPN, and the second kind of traffic will be routed to and from the first gateway via the second gateway.
  • the first kind of traffic can comprise traffic to and from user defined services, and as shown in step 335, the first kind of traffic can comprise, for example, IPTV (IP based Television) and VoD (Video On Demand).
  • Step 330 shows that the second kind of traffic can comprise traffic that is between a user device in the VPN and a remote device such as the devices 140, 150, 160, which are, however, part of the VPN.
  • the second kind of traffic can comprise Internet traffic, and as shown in step 340, the control messages between the two gateways are preferably exchanged via Mobile IP.
  • Step 345 shows that the second kind of traffic is routed between the first and second gateway via a so called tunnel, which can be based on an IP tunnelling mechanism which is based on the L3 layer, or on the L2 layer.
  • a major advantage of the invention is that it does not require all traffic from a broadband connection in, for example, a home VPN, to pass a central point in a network that is the anchor point for the VPN. This makes a solution according to the invention much more scalable than previous solutions which are implemented in a centralized manner.
  • the invention also discloses a router which basically has the ability to function according to the method of the invention.
  • a rough block diagram of such a router 400 is shown in fig 4. Blocks or components which are options or alternatives are shown separately, with dashed lines.
  • the blocks of the router are implemented in software, although they may of course also be implemented as a suitable combination of software and hardware. Naturally, means for physical connections are implemented as hardware.
  • the router 400 of the invention comprises means 410 for connection to a Virtual Private Network and means 415 for acting as a CPE gateway in the VPN.
  • the connection means 410 can comprise both physical means, e.g. contacts etc and software.
  • the router comprises means 420 for routing traffic to and from users in the VPN, a traffic which comprises a first and a second kind of traffic, and the router also comprises means 425 for being connected to a second gateway such as the GW2 132 shown in fig 2, which can route the traffic to and from the inventive router to and from a first plurality of services.
  • the connection means 425 can comprise both physical means, e.g. contacts etc and software.
  • the inventive router also comprises means 430 for exchanging control messages with the second gateway (e.g. GW2), by means of which exchange the inventive router can make a distinction between the first and second kinds of traffic, and by means of which distinction the router can route the first kind of traffic to and from the VPN, and the second kind of traffic to and from the second gateway.
  • the first kind of traffic can comprise traffic to and from services defined by the users of the VPN, and can also possibly comprise IPTV (IP based Television) and VoD (Video On Demand).
  • the second kind of traffic can comprise traffic that is between a user device in a VPN to which the inventive router is connected and a remote device that is part of the VPN.
  • the second kind of traffic may comprise Internet traffic.
  • the router 400 may comprise means 435 for exchanging said control messages with the second gateway via Mobile IP, and means 440 for routing said second kind of traffic to and from the second gateway via a so called tunnel.
  • the router 400 can base the tunnel on an IP tunnelling mechanism which is based on the L3 layer, or on the L2 layer.
  • the invention is not limited to the examples of embodiments described above and shown in the drawings, but may be freely varied within the scope of the appended claims.
  • the VPN in which the invention is applied does not need to be a Home VPN, the invention can be applied to a wide variety of VPNs.
  • the set up of the tunnel between the two gateways can be initiated by either gateway, either the CPE gateway, or the second gateway.

Abstract

The invention discloses a method (300) for use with a Virtual Private Network, a VPN (110), the VPN being connected to a first gateway (122) through which traffic to and from users in the VPN (110) can be routed, said traffic comprising a first and a second kind of traffic, the first gateway (122) being connected to a second gateway (132) which can route the traffic to and from the first gateway. According to the method, the first (122) and the second (132) gateways can exchange control messages (310) by means of which a distinction (315) can be made between said first and second kinds of traffic, so that the first kind of traffic is routed (320) via the first gateway to and from the VPN, and the second kind of traffic is routed (320) to and from the first gateway via the second gateway.

Description

AN IMPROVED MECHANISM FOR USE IN A VIRTUAL PRIVATE NETWORK (VPN)
TECHNICAL FIELD
The present invention discloses a method for use with a Virtual Private Network, a VPN, which can comprise one or more users, and which is connected to a first gateway through which traffic to and from users in the VPN can be routed.
BACKGROUND
In current implementations of so called Virtual Private Networks, VPN, traffic from the users in the VPN is sent to a node in the system which comprises a central so called "anchor" point in the system to which the VPN is connected before it is forwarded to the various services that a user in the VPN wants to access, such as, for example, the Internet, web-servers, fileservers etc. Such a node will in this text from now on be referred to as an Access Edge Gateway.
An "anchor" point is thus used in a gateway function such as an Access Edge Gateway and its implementation in Home Virtual Private Networks, HVPN. In a HVPN, all access methods, both residential broadband access and remote access methods such as, for example, GPRS, web-portals, etc., must have a common anchor point in the Access Edge Gateway, through which all traffic must pass in order to be able to reach the HVPN independently of the location of the user.
The traditional Access Edge Gateway solution works well, but since the traffic has to pass the VPN anchor point, all traffic will be routed via that central point, even if the destination of the traffic is placed close to the source of the traffic in the network, a phenomenon which is commonly referred to as "tromboning" in network design, and which it is desired to avoid. One result of the "tromboning" caused by the use of an anchor point as described above is that bandwidth-intense broadband traffic will always pass through the node which contains the anchor point of the VPN.
SUMMARY
Thus, as has been described above, there is a need for a solution for use in VPNs such as Home VPNs, and by means of which, for example, "tromboning" can be avoided.
Such a solution is offered by the present invention in that it discloses a method for use with a Virtual Private Network, a VPN, which can comprise one or more users, and which is connected to a first gateway through which traffic to and from users in the VPN can be routed.
The traffic to and from users in the VPN can comprise a first and a second kind of traffic, and the first gateway to which the VPN is connected is in turn connected to a second gateway MASG which can route the traffic to and from the first gateway to and from a first plurality of services.
According to the method of the invention the first and the second gateways can exchange control messages, by means of which a distinction can be made between the first and the second kinds of traffic, by means of which distinction the first kind of traffic is routed via the first gateway to and from the VPN, and the second kind of traffic is routed to and from the first gateway via the second gateway.
Suitably, the first kind of traffic comprises traffic to and from user defined services, and in one embodiment, the first kind of traffic comprises, for example, IPTV (IP based Television) and VoD (Video on Demand).
In addition, the second kind of traffic can comprise traffic which is exchanged between a user device in the VPN and a remote device which is also part of the VPN. In one embodiment of the invention, the second kind of traffic comprises Internet traffic.
Suitably but not necessarily, the control messages between the first and the second gateway are exchanged via Mobile IP.
The invention also discloses a router for use as a gateway in a VPN, with functions which basically allow the router to function according to the method of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will be described in more detail in the following, with reference to the appended drawings, in which
Fig 1 shows a system with a prior art VPN, and
Fig 2 shows a conceptual view of a VPN equipped with the invention, and
Fig 3 shows a flowchart of a method of the invention, and
Fig 4 shows a block diagram of a CPE of the invention.
DETAILED DESCRIPTION
Fig 1 shows a basic view of a system 100 with a Virtual Private Network, VPN, 110, for example a VPN for homes, a Home VPN, HVPN. The HVPN 110 comprises one or more users (not shown), and is also equipped with a first gateway GW1, 120. The first gateway 120 is preferably a so called CPE, Customer Provided Equipment, and serves as router for all of the traffic to and from the HVPN 110. Also shown in fig 1 are different origins 140, 150, 160, 170, of traffic to and from the VPN 110. Examples of such origins or destinations of traffic for the VPN 110 are the Internet, Video on Demand (VoD), Internet based TV (IPTV) etc.
The system 100 is designed in a way which is quite common at present, and thus comprises a second gateway, GW2, 130, which serves as an "anchor point" for all of the traffic to and from the HVPN 110, regardless of the location of the user and the origin of the traffic, and also regardless of the access method of the traffic. As examples of different kinds of access methods, mention might be made of GPRS, web-portal based access, as well as DSL, Digital Subscriber Line, FTTH, Fibre to the Home, which may be of the GPON type, Gigabit Passive Optical Network or Point-to-point, WiMAX, Worldwide Interoperability for Microwave Access or WLAN, Wireless LAN.
As has been mentioned previously in this text, in a system such as the system 100 of fig 1 , since all of the traffic to and from the VPN 110, i.e. all of the traffic to and from the first gateway 120, is routed via the second gateway 130, there is a risk that the so called "tromboning effect" might arise, as well as a risk of congestion, since even high bandwidth broadband traffic such as, for example, Internet traffic, has to pass through the second gateway 130 which serves as the anchor point of the HVPN 110.
One of the purposes of the present invention is thus to reduce the risk of "tromboning", as well as reducing the risk for congestion. A basic principle by means of which the invention achieves this is to implement part of the home VPN functionality in a so called Residential Gateway, which is Customer Premises Equipment, CPE, and which is placed in a user's network at home corresponding to the first gateway 120 in fig 1. The main reason for this is to obtain a system in which all traffic is not forced to go via the central home VPN anchor point, which is located in the second gateway 130, as shown in fig 1.
Certain kinds of traffic, such as, inter alia, broadband traffic to and from the Internet should instead go directly via the nearest Internet connection point in the operator's network, in order to reduce the risk of tromboning and to ensure that bandwidth intense traffic which does not need to go via the VPN's anchor point does not do so. However, even in a HVPN of the invention, the anchor point for the VPN's remote access will preferably be placed centrally in the network, e.g. in the second gateway 130.
When it comes to the issue of deciding which traffic should go directly to the nearest Internet connection point and which traffic should go via the VPN's anchor point, this can suitably be decided by a function in the first gateway GW1, based on the IP address of the destination, by means of a forwarding table which can be dynamically configured in the first gateway from the second gateway. This is suitably done when the initial connection between the first and second gateways is established.
The invention's division of functionality between the first and the second gateway, the second gateway being a centrally placed node in the system, makes it possible for a larger part of the traffic to go directly through the operator's backbone network to the Internet or to other servers without any need to pass a central point in the network.
Fig 2 shows a schematic view of a system 200 with a HVPN 112 of the invention. System components or objects which are the same as those shown in fig 1 have retained their reference numbers in fig 2.
Thus, as has emerged from the description, one of the ideas behind the invention is that payload traffic from and to user devices in a VPN such as the VPN 112 in fig 2 should not always have to go through a single point such as an "anchor point" in the second gateway 132.
As an example, broadband user traffic between a device in the HVPN 112 and the Internet can go directly through the nearest internet connection point in an operator's network. Such connection points are commonly referred to as Points of Presence, PoP. Other traffic, such as Internet based TV, IPTV, and Video on Demand, VoD, will in a system 200 which uses the invention be sent directly between the IPTV and VoD servers in the operator's network and the customer equipment, in this case the first gateway 122. Such traffic is indicated by means of a generic source of traffic 170 shown as "4" in fig 2.
As is symbolically indicated in fig 2, the traffic between source "4" and the first gateway 122 is direct, without passing the second gateway 132. Suitably, the first gateway 122 is a Customer provided Equipment such as a router.
However, even in a system 200 of the invention, user traffic that is exchanged between a user device in the HVPN 112 and a remote device which is part of the HVPN 112 will go through a central anchor point for the HVPN 112, located in the second gateway 132. The same applies for services in the HVPN that are common to all user devices in the HVPN and thus need to be located at a central point in the VPN.
The parts of the system 200 that handle signalling for authentication and which determine which users and devices that belong to the home VPN 112 must still be placed centrally in the system 200, i.e. in the second gateway 132. In addition, the anchor point for remote access to the HVPN 112 is also placed centrally in the system 200.
Turning now to the mechanism by means of which the system 200 establishes the connections between the HVPN 112 and the second gateway 132, as well as the connections to the sources of traffic which do not need to go via the anchor point in the gateway 132, the following procedure is preferably applied:
The first gateway 122, which from now on will be referred to as the CPE, will set up a so called tunnel 135 through the operator's network to a central node, the second gateway 132, "GW2". GW2 will have information about the different VPNs in the system 200, and also serves as the anchor point for a number of different remote access methods, such as, for example, mobile telephony access, web access, encrypted tunnels like SSL VPNs etc. Naturally, in another embodiment of the invention, the tunnel 135 between the CPE 122 and the GW2 can also be established by GW2.
As the tunnel 135 between the CPE and the GW2 is established, the forwarding rules of the CPE will be set up by the GW2, so that only traffic that should be handled by the GW2 is forwarded across the tunnel. The GW2 will be also able to dynamically change the forwarding rules in the CPE when remote access devices are added to or deleted from the VPN.
As mentioned previously, the GW2 must be able to control or configure the CPE in order to set the traffic forwarding policies, i.e. which traffic such as data or data packets that should be sent through the tunnel 135 to a central anchor point for the VPN, and which traffic such as data or data packets that should be sent directly to destinations such as, for example, the Internet or the operator's service network. Such a control or configuration mechanism could suitably be the IP address table mentioned previously, and should preferably be based on a standard like, for example, DSL Forum TR-069.
The tunnel 135 should preferably be based on an IP tunnelling mechanism, since GW2 132 can then be placed anywhere in the system 200 without requiring any special L2 mechanism.
The set-up of the tunnel 135 between the two gateways, i.e. GW1/CPE and GW2, is preferably carried out by means of an exchange of control signalling messages for set-up of the tunnel, one example of such messages being Mobile IP signalling.
When the tunnel 135 has been established, data is preferably sent on the tunnel, the tunnel preferably being carried over Layer 3 in the network (i.e. over IP). The L3 tunnel may be carried over a number of access technologies, such as, for example, DSL, Ethernet, HSPA (High Speed Packet Access), or an optical solution such as, for example, GPON (Gigabit Passive Optical Network).
By means of the L3 mechanism, the system 200 can achieve the best possible utilization of the existing connectivity between the gateways GW2 and CPE. However, if the access technology supports Layer 2 tunnels, an L2 mechanism may also be used for the tunnel 135.
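The L3 tunnel described above, as an added worked example that is not part of the patent: the patent says only "an IP tunnelling mechanism", so the example picks RFC 2003 IP-in-IP (outer IPv4 header with protocol 4 carrying the complete inner IPv4 packet) and builds and parses the headers by hand, including the RFC 1071 header checksum. All addresses are constructed documentation ranges (GW2 at 198.51.100.1, the CPE's WAN side at 203.0.113.7, a home VPN prefix of 10.1.1.0/24, a remote VPN device at 192.0.2.10). The checks on the receiving side are the ones a practitioner wants on any such tunnel end: accept only IP-in-IP from the configured peer, and only inner packets addressed into the prefix this end is responsible for, so that traffic arriving through the tunnel cannot be relayed out of the CPE to arbitrary destinations.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # RFC 2003 IP-in-IP; one L3 tunnelling mechanism the CPE and GW2 could use


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header (DF set, no options) plus payload."""
    fields = (0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate version, IHL, length and header checksum; return the parsed fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Sending side: wrap a complete inner IPv4 packet in an outer IP-in-IP header."""
    parse_ipv4(inner)  # never put a malformed packet on the tunnel
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(packet: bytes, tunnel_peer: str, inner_dst_prefix: str) -> dict:
    """Receiving side: accept only IP-in-IP from the configured peer, and only
    inner packets addressed into the prefix this end serves (on the CPE, the
    home VPN), so the tunnel cannot be used as a relay to other destinations."""
    outer = parse_ipv4(packet)
    if outer["src"] != tunnel_peer:
        raise ValueError("outer source is not the tunnel peer")
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    inner = parse_ipv4(outer["payload"])
    if ipaddress.IPv4Address(inner["dst"]) not in ipaddress.ip_network(inner_dst_prefix):
        raise ValueError(f"inner destination {inner['dst']} is outside {inner_dst_prefix}")
    return inner


def decap_result(packet: bytes, tunnel_peer: str, inner_dst_prefix: str) -> str:
    """Decapsulate and report 'forward:<inner dst>' or 'drop:<reason>'."""
    try:
        return "forward:" + decapsulate(packet, tunnel_peer, inner_dst_prefix)["dst"]
    except ValueError as exc:
        return "drop:" + str(exc)


if __name__ == "__main__":
    # Constructed addresses: GW2 198.51.100.1, CPE WAN side 203.0.113.7,
    # home VPN 10.1.1.0/24, remote VPN device 192.0.2.10 (all documentation ranges).
    inner = build_ipv4("192.0.2.10", "10.1.1.5", 17, b"hello")
    tunnelled = encapsulate(inner, "198.51.100.1", "203.0.113.7")
    print(decap_result(tunnelled, "198.51.100.1", "10.1.1.0/24"))
```

IP-in-IP carries no integrity protection of its own, which is why the peer check above relies on the outer source address alone; in a deployment the tunnel would sit on top of whatever authentication the control-signalling exchange (Mobile IP in the patent's example) establishes, or be replaced by an authenticated tunnel.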
Fig 3 shows a flow chart of some of the major steps of a method 300 of the invention; steps which are optional or alternative are shown with dashed lines.
Thus, the method of the invention is intended for use with a Virtual Private Network which can comprise one or more users and which is connected to a first gateway such as GW1, through which traffic to and from users in the VPN can be routed.
The traffic comprises a first and a second kind of traffic, and the first gateway is connected to a second gateway such as GW2, which can route the traffic to and from the first gateway to and from a first plurality of services such as the services 140, 150, 160, 170 shown in figs 1 and 2.
As shown in step 310, according to the inventive method, the first and the second gateways can exchange control messages by means of which, as shown in step 315, a distinction can be made between the first and second kinds of traffic, so that, as shown in step 320, the first kind of traffic will be routed via the first gateway to and from the VPN, and the second kind of traffic will be routed to and from the first gateway via the second gateway.
As shown in step 325, the first kind of traffic can comprise traffic to and from user defined services, and as shown in step 335, the first kind of traffic can comprise, for example, IPTV (IP based Television) and VoD (Video On Demand).
Step 330 shows that the second kind of traffic can comprise traffic between a user device in the VPN and a remote device such as the devices 140, 150, 160, which are themselves part of the VPN.
As indicated in step 350, the second kind of traffic can comprise Internet traffic, and as shown in step 340, the control messages between the two gateways are preferably exchanged via Mobile IP.
Step 345 shows that the second kind of traffic is routed between the first and second gateway via a so-called tunnel, which can be based on an IP tunnelling mechanism at the L3 layer, or on the L2 layer.
As has emerged from the description above, a major advantage of the invention is that it does not require all traffic from a broadband connection in, for example, a home VPN, to pass a central point in a network that is the anchor point for the VPN. This makes a solution according to the invention much more scalable than previous solutions which are implemented in a centralized manner.
The invention also discloses a router which basically has the ability to function according to the method of the invention. A rough block diagram of such a router 400 is shown in fig 4. Blocks or components which are options or alternatives are shown separately, with dashed lines. Suitably, the blocks of the router are implemented in software, although they may of course also be implemented as a suitable combination of software and hardware. Naturally, means for physical connections are implemented as hardware.
Thus, as shown in fig 4, the router 400 of the invention comprises means 410 for connection to a Virtual Private Network and means 415 for acting as a CPE gateway in the VPN. The connection means 410 can comprise both physical means, e.g. contacts etc., and software.
In addition, the router comprises means 420 for routing traffic to and from users in the VPN, which traffic comprises a first and a second kind of traffic, and the router also comprises means 425 for being connected to a second gateway such as GW2 132 shown in fig 2, which can route the traffic to and from the inventive router to and from a first plurality of services. The connection means 425 can comprise both physical means, e.g. contacts etc., and software.
The inventive router also comprises means 430 for exchanging control messages with the second gateway (e.g. GW2), by means of which exchange the inventive router can make a distinction between the first and second kinds of traffic, and by means of which distinction the router can route the first kind of traffic to and from the VPN, and the second kind of traffic to and from the second gateway.
In a router 400 of the invention, the first kind of traffic can comprise traffic to and from services defined by the users of the VPN, and can also comprise IPTV (IP based Television) and VoD (Video On Demand).
In the router 400, the second kind of traffic can comprise traffic between a user device in a VPN to which the inventive router is connected and a remote device that is part of the VPN. In the inventive router 400, the second kind of traffic may comprise Internet traffic.
As indicated in fig 4, the router 400 may comprise means 435 for exchanging said control messages with the second gateway via Mobile IP, and means 440 for routing said second kind of traffic to and from the second gateway via a so-called tunnel. According to the invention, the router 400 can base the tunnel on an IP tunnelling mechanism at the L3 layer, or on the L2 layer.
The invention is not limited to the examples of embodiments described above and shown in the drawings, but may be freely varied within the scope of the appended claims. For example, the VPN in which the invention is applied does not need to be a Home VPN, the invention can be applied to a wide variety of VPNs.
Also, the set up of the tunnel between the two gateways can be initiated by either gateway, either the CPE gateway, or the second gateway.

Claims

1. A router (400) which comprises means (410) for connection to a Virtual Private Network and means (415) for acting as a CPE gateway in the VPN, the router additionally comprising means (420) for routing traffic to and from users in the VPN, said traffic comprising a first and a second kind of traffic, the router also comprising means (425) for being connected to a second gateway (132) which can route the traffic to and from the CPE gateway to and from a first plurality of services (140, 150, 160, 170), the router (400) being characterized in that it comprises means (430) for exchanging control messages with the second gateway, by means of which exchange the router can make a distinction between the first and second kinds of traffic, and by means of which distinction the router can route the first kind of traffic to and from the VPN, and the second kind of traffic to and from the second gateway.
2. The router (400) of claim 1, in which the first kind of traffic comprises traffic to and from services defined by the users of the VPN.
3. The router (400) of claim 1 or 2, in which the first kind of traffic comprises IPTV (IP based Television) and VoD (Video on Demand).
4. The router (400) of any of claims 1-3, in which the second kind of traffic comprises traffic that is between a user device in the VPN (112) and a remote device (140, 150, 160) that is part of the VPN.
5. The router (400) of any of claims 1-4, in which the second kind of traffic comprises Internet traffic.
6. The router (400) of any of claims 1-5, which comprises means (435) for exchanging said control messages with the second gateway via Mobile IP.
7. The router (400) of any of claims 1-6, which comprises means (440) for routing said second kind of traffic to and from the second gateway via a so called tunnel.
8. The router (400, 440) of claim 7, which bases the tunnel on an L3, Layer 3, based tunnelling mechanism.
9. The router (400, 440) of claim 8, which bases the tunnel on an L2, Layer 2, based tunnelling mechanism.
10. A method (300) for use with a Virtual Private Network, a VPN (110), which VPN can comprise one or more users, the VPN being connected to a first gateway (122) through which traffic to and from users in the VPN (110) can be routed, said traffic comprising a first and a second kind of traffic, the first gateway (122) being connected to a second gateway (132) which can route the traffic to and from the first gateway to and from a first plurality of services (140, 150, 160, 170), the method (300) being characterized in that the first (122) and the second (132) gateways can exchange control messages (310) by means of which a distinction (315) can be made between said first and second kinds of traffic, by means of which distinction the first kind of traffic is routed (320) via the first gateway to and from the VPN, and the second kind of traffic is routed (320) to and from the first gateway via the second gateway.
11. The method (300, 325) of claim 10, according to which the first kind of traffic comprises traffic to and from user defined services.
12. The method (300, 335) of claim 10 or 11, according to which the first kind of traffic comprises, for example, IPTV (IP based Television) and VoD (Video On Demand).
13. The method (300, 330) of any of claims 10-12, according to which the second kind of traffic comprises traffic that is between a user device in the VPN (112) and a remote device (140, 150, 160) that is part of the VPN.
14. The method (300, 350) of any of claims 10-13, according to which the second kind of traffic comprises Internet traffic.
15. The method (300, 340) of any of claims 10-14, according to which said control messages are used to establish a so called data tunnel, the messages being exchanged via Mobile IP.
16. The method (300, 345) of any of claims 10-15, according to which the second kind of traffic is routed between the first and second gateway via a so called tunnel.
17. The method (300, 345) of claim 16, according to which the tunnel is based on an L3, Layer 3, based tunnelling mechanism.
18. The method (300, 345) of claim 16, according to which the tunnel is based on an L2, Layer 2, based tunnelling mechanism.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
PCT/SE2007/050814 (WO2009058062A1, en) | 2007-11-02 | 2007-11-02 | An improved mechanism for use in a virtual private network (vpn)

Publications (1)

Publication Number | Publication Date
WO2009058062A1 | 2009-05-07

Family

ID=40591284

Country Status (1)

Country | Link
WO | WO2009058062A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030112755A1 (en) * 2001-03-20 2003-06-19 Worldcom, Inc. Virtual private network (VPN)-aware customer premises equipment (CPE) edge router
US6693878B1 (en) * 1999-10-15 2004-02-17 Cisco Technology, Inc. Technique and apparatus for using node ID as virtual private network (VPN) identifiers
WO2007103608A2 (en) * 2006-03-07 2007-09-13 Cisco Technology, Inc. Managing traffic within and between virtual private networks when using a session border controller

Legal Events

Date | Code | Title | Description
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07835398; Country of ref document: EP; Kind code of ref document: A1
 | NENP | Non-entry into the national phase | Ref country code: DE
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 07835398; Country of ref document: EP; Kind code of ref document: A1