MXPA01001278A - Atm virtual private networks - Google Patents

ATM virtual private networks

Info

Publication number
MXPA01001278A
Authority
MX
Mexico
Prior art keywords
atm
message
network
call
private network
Prior art date
Application number
MXPA/A/2001/001278A
Other languages
Spanish (es)
Inventor
Andrew J Dugan
E Mcdysan David
Original Assignee
Mci Communications Corporation
Priority date
Filing date
Publication date
Application filed by Mci Communications Corporation

Abstract

A network architecture and service platform for providing virtual private network ("VPN") services over an ATM network (110). The architecture provides services for voice, video and data traffic among multiple VPN customers over a shared ATM network by implementing intelligent control devices (150a) that perform enhanced processing of ATM call set-up messages, including validations and routing translations. The hierarchical routing mechanism provided by ATM, along with customized customer addressing schemes, is used to overlay customer VPNs (115a) as higher-level networks onto the shared ATM network. The control devices translate customer ATM VPN addresses to internal ATM network addresses. The ATM switch (120a) network then performs lower-level network processing, using internal network addressing to set up a virtual connection for a VPN call. The intelligent control devices may also explicitly state the end-to-end route.

Description

ATM VIRTUAL PRIVATE NETWORKS
The present invention relates generally to communication networks and service providers and, specifically, to a network architecture that provides virtual private network services to multiple clients over a common, shared ATM network.
Asynchronous Transfer Mode (ATM) technology allows a carrier to provide integrated data, video and voice services through a single network. In accordance with standard ATM technology, a shared ATM network 10, such as the one shown in Figure 1, transfers and routes video, data and voice traffic in 53-byte fixed-length packets from a source 12 to a destination 15, through a series of ATM switches 20a-g and interconnecting links. The ability to carry traffic from multiple media in a single network makes ATM the preferred technology for B-ISDN services.
The ATM protocol is connection-oriented, and the traffic for an ATM "call" is routed as cells through a virtual connection that extends from the source to the destination. As is known, a virtual connection comprises Virtual Channels (VCs) and Virtual Paths (VPs) in a multiplexing hierarchy. A physical transmission system is divided into multiple VCs and VPs, with some designated for client traffic (bearer channels) and some designated for signaling. A VC is identified by a Virtual Channel Identifier (VCI), and a VP is identified by a Virtual Path Identifier (VPI).
Before transmitting traffic through a bearer channel, the ATM network establishes an ATM call with signaling messages sent through a signaling channel. First, an originating ATM switch, for example the switch 20a, receives and processes a setup message containing a Source Address ("SA"), representing the location of the originator of the call, and a Destination Address ("DA"), representing the location of the receiver of the call.
The originating ATM switch routes the setup message to a terminating ATM switch, for example the switch 20f, by way of zero or more intermediate switches, where the terminating ATM switch 20f serves the DA. Each ATM switch processes the setup message to ensure that it recognizes the DA and can route the call. As each switch processes the setup message, a virtual connection is established from the source to the destination to transport the client's traffic as cells through the bearer channels.
A virtual path connection or virtual channel connection (VPC or VCC) refers to one or more concatenated links, one of which is illustrated as the link 25 shown in Figure 1 connecting two ATM switches. A VP or VC link is defined as the transport between a point where a VPI/VCI is assigned and a point at which a VPI/VCI is removed or translated. Specifically, at the input port of a switch, the VCI/VPI is used to determine the output port. The cell is then switched to an output port of the switch, where a VCI/VPI is assigned to the cell. The cell is then transported to the next switch. In this way, a connection (VCC/VPC) extends from the source, usually the input port on the originating ATM switch, to the destination, usually the output port on the terminating ATM switch.
The signaling protocol is defined in the ATM standards in accordance with the interfaces of the network. As shown in Figure 2, the ATM Forum has defined, among other interfaces, a Public User-Network Interface ("UNI") 50, defined as the interface between an ATM user and a public ATM network; a Private User-Network Interface 55, defined as the interface between an ATM user and a private ATM network; and a Private Network-Network Interface ("PNNI") 60, defined as the network-network interface between two private networks or switching systems.
A description of the signaling procedures through the UNI interface can be found in the ATM Forum "User-Network Interface Signaling Specification", V4.0, July 1996, the content of which is incorporated herein by reference, and a description of the signaling procedures through the PNNI interface can be found in the ATM Forum "Private Network-Network Interface Specification", V1.0, March 1996, the content of which is incorporated herein by reference. Different ATM features are enabled through the signaling messages defined by these interfaces.
A standard feature of ATM PNNI is hierarchical routing. If an ATM switch cannot route to a DA for some reason, for example a congested link, it routes the setup message to an alternate address as part of a hierarchical routing scheme. Two standard features provided by the PNNI standard are: 1) the Designated Transit List ("DTL"), which is a list of network node identifiers and optional port identifiers that describes a complete route through the network, and is typically provided by an originating ATM switch and passed to each subsequent node or switch in the setup message; and 2) crankback, which is a mechanism that causes the ATM switch (or other processing node) to return a setup message to a previous node if it cannot further process or route the setup message due to link congestion or failure, or to node failure.
Currently, ATM networks are most commonly used as private networks; that is, they are owned or operated by an exclusive user, or they are owned and operated by a carrier that provides network services to clients. A private network offers a client many benefits. These include network security, customer rates and billing, abbreviated dialing and other custom call features, and closed user groups. However, private networks and private network services are very expensive and require a great deal of administration.
Shared network services offer these same features, along with the advantages of lower costs through more efficient use of network resources, and carrier management. However, although an ATM network can be shared among multiple clients, data network security is a significant problem, since there is nothing to ensure that one customer's traffic is not routed to, or intercepted by, another customer. Basic shared network services are also limited in the personalized calling features and account management services that can be offered.
To mitigate the problem, Virtual Private Networks ("VPNs") have been developed, which currently offer circuit-switched voice services to communications clients and provide the benefits of a private network coupled with the efficiencies, lower costs, and carrier management of a shared network. Currently, there is no effective means of using a common, shared ATM network to provide VPN services to multiple clients for data and video as well as voice, much less a shared ATM network for VPN services that provides security to prevent multiple clients connected to the shared ATM network from routing traffic to, or receiving traffic from, other customers.
The present invention is a network architecture and service platform for providing VPN services through a shared ATM network and, in particular, provides client services for voice, data, and video traffic for multiple client VPNs through a shared ATM network. Specifically, the invention implements intelligent peripherals, called Intelligent Network Control Processors ("ICPs"), to perform enhanced processing of ATM call set-up messages. The processing implemented in the ICPs includes the validation of VPN addresses and routing translations. The hierarchical routing mechanisms provided by ATM and the custom client routing schemes are used to overlay client VPNs as higher-level networks over a shared ATM network. The ICPs perform the higher-level network processing; in particular, they translate a client ATM VPN address to an internal ATM network address. An ATM switch network then performs the lower-level network processing, using internal network addressing, to establish a virtual connection for a VPN client call.
Advantageously, the network architecture provides VPN services within a public ATM network, and offers many intelligent services and enhanced call features in addition to a basic VPN service.
These offered services include intelligent call routing to multiple destinations, enhanced overflow routing, scheduled routing, load balancing, conferencing (including multimedia conferencing), dynamic call routing, account management such as billing and custom reporting, ATM bandwidth management, intranet/extranet authentication, selection and closed user groups, and many others.
The various novel features that characterize the invention are pointed out with particularity in the claims appended to, and forming a part of, the description. For a better understanding of the invention, its operational advantages, and the specific objectives achieved by its use, reference should be made to the drawings and descriptive matter in which the preferred embodiments of the invention are illustrated and described.
Figure 1 illustrates the basic components of an ATM network.
Figure 2 illustrates the types of interfaces and signaling procedures available for routing signals through, and between, networks.
Figure 3 illustrates the basic components of the ATM Virtual Private Network (VPN) architecture of the invention.
Figure 4 illustrates the translation of a SETUP message into a SETUP+ message.
Figure 4 (a) illustrates the process steps for generating a call SETUP+ message.
Figure 4 (b) illustrates the process steps implemented by an ICP to process the call SETUP+ message.
Figure 4 (c) illustrates the process steps implemented by an ICP to perform enhanced call processing features.
Figure 5 illustrates an example of the addressing used in the system architecture 100 of the invention.
Figure 6 illustrates an example of routing a basic call between two VPN clients in the shared ATM network.
Figure 7 illustrates an example of routing a basic call between two VPN clients in the shared ATM network when the destination ATM switch link fails or is congested.
The ATM Virtual Private Network (VPN) Architecture 100 illustrated in Figure 3 comprises the client sites 115a-115f, the ATM switches 120a-120g, and the Intelligent Network Control Processors ("ICPs") 150a and 150b, which comprise components for emulating an ATM network switch (node); i.e., an ICP is addressed in the same manner as an ATM switch and appears as an ATM switch to the other, real ATM switches in the network. As will be described, the implementation of the ICPs 150a, b enables VPN services through the ATM network. Each ICP is preferably embodied in a high-performance computer processor, such as a DEC Alpha or IBM RS/6000 computing platform, and can be a single computer or a distributed computing platform.
The ATM switches 120a-120g and the ICPs 150a, b communicate with each other, and are connected, by means of an extended PNNI protocol (referred to herein as "PNNI+") within a shared ATM network 110. Although Figure 3 shows only a single client, denoted as client "B", connected to the ATM switches in the shared network, the network is of the type that can be used to support data services provided to multiple clients. In addition to being connected to the shared ATM network, client "B" has dedicated private line connections, for example connection 122, between some of its sites.
It should be understood that the invention extends to networks with any number of ATM switches and any number of ICPs. There are two types of ICPs shown in Figure 3, with an ICP connected to multiple ATM switches. In any particular embodiment of this architecture, any number of ATM switches can be connected to any number of ICPs, depending on the characteristics of the traffic carried on the network. For example, if there is a high volume of new connections that require set-up, a large number of ICPs would be needed to handle the load.
The present invention employs hierarchical ATM routing to define client Virtual Private Networks (VPNs) within a shared ATM network. A VPN is overlaid on the ATM switch network through the use of Source and Destination addresses that are specific to a customer's VPN plan and are not recognized by the ATM switches. The ATM switch network uses internal addressing that is different from client VPN addressing. Thus, the ATM switch network comprises the lower-level networks in the hierarchical ATM routing scheme; specifically, those that recognize and route internal addresses. The ICPs 150a, b are processing elements with the intelligence to recognize the client VPN addresses and translate them to internal addresses, which are then used to route the client VPN traffic in the ATM switch network.
As will be described, the ICPs 150a, b also validate a DA against the SA in the setup message, to ensure that a call being requested by a client is to a destination within the customer's VPN. This validation provides security for each client VPN within a shared ATM network.
The basic methodology for routing VPN calls through the shared ATM network will now be described with reference to Figures 4(a)-4(c). First, the client placing a VPN call through the shared ATM network 110 sends a SETUP message through a signaling channel (i.e., ERSCC) to an originating ATM switch, for example the ATM switch 120a in Figure 3, in accordance with the UNI protocol. As shown in Figure 4, the SETUP message 121 includes a Source Address ("SA") and a Destination Address ("DA"), both representing the client's VPN addresses. Specifically, as shown in Figure 4, the SETUP message that is internal to the network, and that is part of the PNNI between the ATM switch and the ICPs, includes four addressing fields, two of which, a Source Address ("SA") field and a Destination Address ("DA") field, are standard, and two of which, a Source ATM End System Address ("SAESA") field and a Destination ATM End System Address ("DAESA") field, are non-standard. Thus, the standard SETUP message 121 that the originating ATM switch receives has an SA representing the client's source VPN address and a DA representing the client's destination VPN address.
In step 202 in Figure 4(a), the originating ATM switch receives the SETUP message and, as indicated in step 205, performs a query on the SA and DA address fields. This query can be implemented as a table lookup, another kind of database query, an object pointer, or other well-known methods. In step 207, a determination is made as to whether the SA and DA addresses are recognized.
If the SA and DA are found and recognized, then the ATM switch routes the SETUP message in accordance with standard PNNI processing, as indicated in step 209 in Figure 4(a). However, if the SA and DA are not found or not recognized, then in accordance with the present invention the contents of the SA and DA fields, which are the original source and destination VPN addresses, are placed in the proprietary SAESA and DAESA fields, respectively, as indicated in step 212. Then, as indicated in step 215, an ICP address is inserted in the DA field. In the preferred embodiment, "Anycast" addressing is used to optimize the routing to an ICP through a virtual signaling channel (IRSCC). In step 218, the address of the originating ATM switch is inserted into the SA field to form a new SETUP+ message 122 comprising the following address fields, as illustrated in Figure 4: 1) the SA field, including the address of the originating ATM switch port; 2) the SAESA field, which has the value of the client's source VPN address; 3) the DA field, which includes the Anycast address of the ICP; and 4) the DAESA field, which has the value of the client's destination VPN address. The originating ATM switch also calculates the Designated Transit List ("DTL") to route to the nearest ICP using the Anycast address, as will be described.
Using hierarchical routing, the ATM switch network routes the SETUP+ message to an ICP, as indicated in step 220, Figure 4(a). Since the SETUP+ message has an internal network address identical in format to that of an ATM switch, the ICPs are used as a higher-level network in the hierarchical ATM routing scheme. Routing to an ICP can be unique (each ATM switch routes to a specific ICP), but in the preferred embodiment, multiple ICPs can be accessed by each ATM switch using Anycast addressing. Specifically, the Anycast address is a logical group address that can include some or all of the ICPs in the network.
The PNNI protocol allows point-to-point connections to be established to such Anycast group addresses. The standard PNNI algorithm determines the closest ICP member of the group, that is, the ICP closest to the originating ATM switch. The algorithm's calculations are not performed on a call-by-call basis, since the results will not change frequently. Implementing Anycast addressing in this way enables the use of multiple ICPs in the ATM network, to promote greater reliability and optimization. As mentioned above, an ATM switch can be directly connected to one or more ICPs, but does not have to be connected to any ICP directly; an ATM switch can route messages to an ICP by way of another switch.
Preferably, the internal SETUP+ message also includes a field containing a proprietary indicator specifying that no bandwidth should be allocated by the intermediate ATM switches between the originating ATM switch and the closest ICP referenced by the Anycast address. The SETUP+ message also includes the standard quality-of-service parameters from the original setup message, such as the bandwidth required for the call, the peak cell rate, and so on.
The high-level processing of the ICP will now be described with reference to Figure 4(b). In step 225, the ICP receives the SETUP+ message from the ATM switch via an enhanced PNNI protocol, called PNNI+. The ICP executes a service program designed to extract the original VPN SA and DA from the respective SAESA and DAESA fields, as indicated in step 228. The ICP then validates the SA and DA in step 230 by comparing the addresses contained in these fields with the valid source and destination address data for each client VPN, which is stored in a database contained in the ICP. This ensures that the call will be routed to a destination that is inside the client's VPN.
The validation can be implemented by any well-known method, for example a database query or object pointer method. In step 233, a determination is made as to whether the SA or DA is valid for the establishment of the VPN call. If the SA and DA values are invalid, then the call is rejected and the ICP issues a release message to the ATM switch, as indicated in step 235. If the SA and DA values are validated, then in step 238 the ICP executes the logic to translate the source and destination VPN addresses to internal network addresses that the ATM switches can recognize. Specifically, the translated DA becomes a new destination address and is placed in the DA field of the SETUP+ message. The original VPN source and destination addresses are kept in the AESA parameters of the SETUP+ message, as indicated in step 240. The original source and destination VPN addresses must be kept in the SETUP+ message to allow the destination, which can be another network, to process the call.
Then, as indicated in step 241, a determination is made as to whether enhanced features are required or enabled, for example, whether the ICP is to perform other operations on the fields contained within the SETUP+ message. If enhanced features are to be processed, then they are processed as indicated in step 242. For example, these features and privileges include, but are not limited to: maximum bandwidth per SA or DA prefix group, the common prefix being what distinguishes one client's virtual private network from another's; maximum calls per SA or SA prefix group; and allowed ATM service category, for example rt-VBR, nrt-VBR, CBR, etc., per SA or SA prefix group. These features and privileges can be indexed in the ICP by the time of day, the day of the week, or the day of the year.
Alternatively, the ICP can execute a program to modify the DTL in the SETUP+ message, to specify the exact path through the ATM network to be used to route the SETUP+ message. For example, the ICP can specify a source route that explicitly states each intermediate switch. The DTL stack may include a last element comprising the Anycast address of the ICP and the destination switch (as determined by the first ICP contacted by the originating ATM switch). If the pointer in this DTL is set to the destination switch, and the call arrives at the destination switch and is blocked, then the destination switch will crank the call back to the Anycast address of the ICP (which may not be the same ICP) in accordance with the PNNI protocol. This ICP can then perform alternative routing to the destination. If the pointer in this DTL is set to the ICP, then enhanced destination processing can be performed before the call is terminated by the destination switch.
Additionally, in step 242, the ICP can perform intelligent processing of the SETUP+ message and the addresses to provide enhanced call services. For example, a logical destination VPN address can be mapped to multiple physical destinations. The ICP can run a particular service program to decide routing to a single physical address, and can implement load balancing algorithms, termination availability routing, time-of-day and day-of-week routing, and numerous other types of VPN-over-ATM routing functions.
Then, as indicated in step 243, the SETUP+ message is returned from the ICP to the originating ATM switch, that is, its previous node, using the PNNI crankback mechanism. As indicated in step 245, the originating ATM switch uses the translated DA, which is an internal network address, to route the SETUP+ message through the ATM switch network to a terminating ATM switch.
Each ATM switch processes the SETUP+ message to confirm that it can process the call, based on the QoS parameters, the required bandwidth, a recognizable DA, and so on, with each ATM switch reserving bandwidth for the call. After receipt of the SETUP* message at the terminating ATM switch, a process is performed by which the original client destination VPN address is extracted from the DAESA field and placed in the DA field of the SETUP message. In the same way, the original client source VPN address is extracted from the SAESA field and placed in the SA field of the SETUP message. The original client VPN addresses are used by the customer's destination site. The terminating ATM switch then routes the SETUP message to the client's destination site through the UNI. It must be understood that the processing of the SETUP+ message by each ATM switch establishes a VCC/VPC to transport the client traffic as ATM cells through the bearer channels.
If, for some reason, the terminating ATM switch cannot route the SETUP+ message to the destination, it uses crankback to route the message to an ICP, which is not a standard procedure in the destination switch. This can be the same ICP as, or a different ICP from, the one that first received the SETUP* message. The message includes the original client source and destination VPN addresses, so that the ICP can use these, if necessary, to determine an alternative DA. The ICP performs overflow routing by determining an alternative DA that addresses the same client destination but uses a different internal network address to do so. An internal network address points to an ATM switch port, such that an alternative DA will route the message to the same destination through another ATM switch port.
The ICP adds the alternative DA to a SETUP* message and uses crankback to send this message to the first terminating ATM switch, which then routes the SETUP* message to the alternative DA, which may or may not be on another ATM switch. This method allows the termination of a call even if the terminating port is on a different switch. For example, with reference to Figure 3, the first-choice UNI 117 is shown connecting the ATM switch 120f to the client site B 6. If the UNI 117 is congested or fails, then the ATM switch 120f returns the call to the ICP 150b, which inserts an alternative DA that identifies ATM switch 120g, UNI 116, as the alternative destination.
Figure 5 illustrates an example of the addressing employed in the system architecture 100 of the invention. The addresses are represented in shorthand notation of the form "a.b.c", as is commonly used in the PNNI specification of the ATM Forum. This format illustrates the common prefixes in the 20-octet NSAP-based address format specified in the ATM Forum signaling specification. In Figure 5, the first character of the address of all client sites is represented as "B", the ATM switches are represented as "X" and the ICPs are represented as "Z". The interfaces between the clients and the ATM network switches carry both user data and signaling according to ATM standards, over a User-Network Interface (UNI). Optionally, the client signaling channels can be connected directly to an ICP. Another option is for the network to provide PNNI routing services to the clients, using the External Routing and Signaling Control Channels ("ERSCCs") 135-140, as shown in Figure 5. Within the network, the PNNI+ interfaces between the ATM switches carry the user data and the PNNI+ signaling, as well as the level "X" network PNNI routing information.
The ATM switches extend the PNNI protocol by setting up the Internal Routing and Signaling Control Channels ("IRSCCs") 141-148 to the ICPs, using the Anycast addresses for the "Z" prefix. As described, the Anycast address locates the "closest" node that supports the functions associated with the Anycast address. The use of Anycast between the switches and the ICPs provides benefits such as: 1) it allows the ICPs, Z.1 and Z.2, to act as backups of one another; and 2) the "closest" node assignment of Anycast routing provides load balancing across the ICPs by manipulating the PNNI "closest" metrics. These metrics include the administrative cost, the available bandwidth, and the QoS. In addition to providing connectivity between the switch and the ICP, the IRSCC logical links also interconnect the ICPs so that they can act as backups of each other, and also enable the ICPs to converge on a common network-wide view using the PNNI+ protocol.
In the case where the network provides the PNNI service to the clients, the ATM switches connect the user's PNNI routing control channel (by default, VPI = 0, VCI = 17) to the nearest ICP, using the same Anycast address. This is done through switch configuration, to prevent any user from masquerading as an "X" prefix node and gaining access to the internal routing protocol. These connections are called External Routing and Signaling Control Channels (ERSCCs) 135-140, as shown in Figure 5. The ICP nodes ("Z" level addresses) are aware of the level "X" physical ATM network topology and status through the messages that are exchanged over the logical IRSCC links 141-148. The ICP nodes are also aware of all the virtual private addresses in the network (for example, "A", "B", "C", etc.), as well as the subscription parameters ordered by the different VPN clients.
Figure 6 illustrates an example of a basic call from the client user with address B.1.1.6 to the client user with address B.3.4.5.6. The B.1.1 client site (of which the user B.1.1.6 is part by default, in accordance with PNNI) is connected to the network through an interface with the internal address X.1.1.2. The user B.3.4.5.6 is part of the client site B.3, which is dual-connected to two switches in the network by means of the interfaces with the internal addresses X.2.2.3 and X.2.3.4, as illustrated in Figure 6.
Initially, as indicated by arrow 170, the originating user sends a SETUP signaling message through the local ATM network, which determines that the call to the shared network must be routed through the X.1.1.2 interface. The SETUP message includes the Destination Address DA (B.3.4.5.6) and the Source Address SA (B.1.1.6) (see Figure 4(a)). Then, as indicated by arrow 172, the originating switch, X.1.1, takes this information, creates a SETUP* message and sends it over its IRSCC 141 to the nearest ICP (Z.1). The closest ICP (Z.1) is located using an Anycast address in the "Z" prefix. The SETUP* message includes the address of the interface over which the signaling message was received, for example in the AESA parameter. The SETUP* message does not reserve any bandwidth over the network, because it is sent over the virtual IRSCC connection to the closest ICP. The ICP is aware of the logical configuration of the client and its physical interconnection to the network, either through order-entry data or through a dynamic routing service.
Then, as indicated by arrow 174, the ICP translates the destination address (B.3.4.5.6) to the physical network X address (X.2.2.3). This translation is done by using the interface address (i.e., X.1.1.2) that is included in the SETUP* message to identify the customer and the associated dial plan for this call.
The dialed number in the DAESA is used as a lookup key within the routing plan to determine the physical X-level network address. A modified SETUP* message is now created with SA (X.1.1.2) and DA (X.2.2.3), and with the original SA and DA in the ATM End System Address (AESA) parameters. This modified SETUP message is then "cranked back" over the IRSCC to the originating switch X.1.1. "Crankback" is part of the PNNI protocol, as described in the standards published by the ATM Forum.
As part of the intelligence provided by the ICP, the ICP can fill in the Designated Transit List of the SETUP* message. For example, a DTL can specify a last-in, first-out stack of address lists to route the message as follows: X.1.1, X.1.2, X.1.3; X.2.1, X.2.2, where the underlined element is the element to be processed next in the address lists. This DTL forces the call to take this particular route, for example to minimize delay as specified, or subscribed to, by the subscriber. Alternatively, the ICP could have left the routing entirely to the ATM switching network by not returning the DTL at all. The SETUP* message acts effectively as a proxy setup message for the ATM switch. The Source Address (X.1.1.2) identifies the originating interface.
Finally, the steps indicated by arrows 176a and 176b proceed in parallel. As indicated by arrow 176a, the ICP having the address Z.1 updates the other ICPs (only Z.2 in this example) if the call attempt results in a significant change in state that is to be advertised to other ICPs in the network, for example, if the call is a relatively large bandwidth call. As indicated by arrow 176b, the normal call attempt is made in accordance with the PNNI standard between the ATM switches by the ICP, as illustrated in Figure 6. If the ICP did not specify a specific route, by means of the DTL, in the signaling message that was cranked back, then the ATM switches will select a path from X.1.1 to X.2.2
using an algorithm that is based on the switch. In the preferred embodiment, however, it is the algorithm that is implemented in the ICP that determines the DTL to "reserve" the bandwidth for the VPNs of the specific client. As the switches connect the call, they communicate significant state changes to the ICPs for which those currently have an IRSCC session established. If the call is terminated at the destination switch and the target switch interface is functional and can accept the additional connection, then the destination switch replaces the SA and DA fields in the signaling message with the DA and SA parameters in the AESA fields and sends the signaling message to the customer site B.3. Normally, the client network B.3 would then complete the SVC call to the destination address B.3.4.5.6. Figure 7 illustrates the same network and example call as described with reference to Figure 6, however, the target interface X.2.2.3 fails, or becomes congested when the call attempt arrives at the X.2.2 switch intended for the client's site B.3. Specifically, the switch X.2.2. turn the SETUP message back to the Z level in the hierarchy in step 5. This special level of the hierarchy does not reserve a bandwidth and through the automatic discovery of the network together with the double hosted nature of B.3, the node Z.2 of the ICP then returns the revised ESTABLISHMENT message (ESTABLISHMENT *) in step 6. The network then completes the call via the alternative link to its destination, in step 7. Note that in normal PNNI, a destination that Hosting in a dual way may become blocked, even if the alternate link could complete the call. In the implementation described by this description, the call is always completed if resources are available.
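The ICP behaviour described above (validating the VPN addresses, translating them to internal addresses while carrying the originals in the AESA parameters, optionally attaching a DTL, and choosing the alternate interface when the destination switch turns the message back) can be modelled as follows. This is an added example, not code from the patent: the `Setup` type, the function names, site B.1, caller address B.1.7.8, customer C and the interfaces X.2.1.4 and X.1.3.5 are assumptions, as are the rules that the first address label names the customer VPN and that the claimed source must match the originating interface.

```python
from dataclasses import dataclass

# Constructed routing plan. X.1.1.2, X.2.2.3, site B.3 and the DTL come from the
# description; site B.1, customer C and interfaces X.2.1.4 / X.1.3.5 are made up.
ROUTING_PLAN = {
    "B.1": ["X.1.1.2"],
    "B.3": ["X.2.2.3", "X.2.1.4"],   # dual-homed: primary, then alternate
    "C.1": ["X.1.3.5"],
}
DTLS = {("X.1.1", "X.2.2"): (("X.1.1", "X.1.2", "X.1.3"), ("X.2.1", "X.2.2"))}


class CallRejected(Exception):
    """SETUP failed VPN address validation or has no usable destination."""


@dataclass(frozen=True)
class Setup:
    sa: str             # address the switches route on
    da: str
    aesa_sa: str = ""   # original VPN addresses carried in the AESA parameters
    aesa_da: str = ""
    dtl: tuple = ()     # empty: path selection is left to the switches


def site_of(vpn_addr):
    """Return the longest routing-plan prefix covering a VPN address, or None."""
    labels = vpn_addr.split(".")
    for n in range(len(labels), 0, -1):
        prefix = ".".join(labels[:n])
        if prefix in ROUTING_PLAN:
            return prefix
    return None


def icp_translate(msg, ingress_if, unavailable=()):
    """Validate the VPN addresses, then build the SETUP* returned to the switch."""
    src_site, dst_site = site_of(msg.sa), site_of(msg.da)
    if src_site is None or dst_site is None:
        raise CallRejected("address is not in the routing plan")
    # Assumption: the first label names the customer VPN.
    if src_site.split(".")[0] != dst_site.split(".")[0]:
        raise CallRejected("source and destination are in different VPNs")
    # Assumption: the claimed source must sit behind the originating interface.
    if ingress_if not in ROUTING_PLAN[src_site]:
        raise CallRejected("source does not match the originating interface")
    usable = [i for i in ROUTING_PLAN[dst_site] if i not in unavailable]
    if not usable:
        raise CallRejected("no interface available for the destination site")
    egress_if = usable[0]
    # An interface address minus its last label is the switch it hangs off.
    path = (ingress_if.rsplit(".", 1)[0], egress_if.rsplit(".", 1)[0])
    return Setup(ingress_if, egress_if, msg.sa, msg.da, DTLS.get(path, ()))


def terminate(msg):
    """Destination switch: restore the original VPN addresses before delivery."""
    return Setup(sa=msg.aesa_sa, da=msg.aesa_da)
```

Passing `unavailable={"X.2.2.3"}` models the Figure 7 case: the destination is resolved to the alternate interface, and because this example holds no DTL for that path, route selection is left to the switches.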
Figure 4(c) is a flow chart illustrating a slight variation of the simple routing address translation process that enables VPN services over ATM, as described in Figure 4(b). Specifically, Figure 4(c) shows an example of a process that the ICP could perform to provide call features as part of the processing of the setup message by the ICP closest to the destination. In the example illustrated in Figure 4(c), steps 225'-235', validation of the VPN address is performed in the same manner as described with respect to the corresponding steps 225-235 shown in Figure 4(b). However, as indicated in step 250 in Figure 4(c), a query is performed on the original DA to determine whether any call processing options are enabled. Then, in step 255, a determination is made as to whether the features are to be processed. If the enhanced features are to be processed, they are processed as indicated in step 260.

The enhanced call features that may be enabled by the basic system architecture described herein include multi-route routing features such as: scheduled routing (for example, time-of-day routing), destination load balancing, dynamic virtual routing, and ICP load-balancing techniques, for example, based on round-robin allocation or on dynamic cost determination between the ICP links. Other enhanced features of the VPN over ATM service that can be implemented in the ICP include: video, data, voice and multimedia conferencing; account management to provide billing and reporting features according to specifications; and other features that are inherently characteristic of shared ATM networks such as: bandwidth management, Intranet/Extranet authentication, classification and closed user groups, guaranteed virtual trunk capability, virtual routing, and intelligent management for network provisioning and accounting services.

The enhanced processing features and privileges described herein can also be realized with respect to Figure 4(b), step 242. The processing of enhanced features generally results in a translation of the destination address to an internal network address that is based on any number of parameters other than just the SA, as indicated in step 265. If the enhanced features are not to be processed, then the process performs steps 238'-243', which correspond to steps 238-243 as described above with respect to Figure 4(b).

In the preferred embodiment, the ICP 150 comprises software and hardware elements that can provide call processing and other intelligent call routing services for calls that are received at the ATM switches. In particular, after the call is received from the ATM switch, one or more managed objects that provide a specific call processing service can be dispatched, within a general-purpose, platform-independent computing environment, to process the received call. Although not shown, the ICP could include one or more protocol gateway elements that have a respective Network Interface Card for the physical connection to the switching fabric, i.e., the ATM switch. In addition to providing the physical interface, the Network Interface Card handles the lower-layer processing of the ATM protocol. Each ICP controls the routing of calls within the resource complex comprising the ATM switching network. In this way, the ICP can be considered part of a higher-level processing network that is separate and distinct from the ATM switching network.

The foregoing merely illustrates the principles of the present invention. Those skilled in the art will be able to devise different modifications which, although not explicitly described or shown herein, embrace the principles of the invention and are therefore within its spirit and scope. For example, the actual implementations of the processing shown and described with respect to Figures 4(a)-4(c) may vary in accordance with the switching software technology that is employed. Accordingly, in other embodiments the validation of the VPN address may occur after processing of the enhanced feature, or as part of the processing of the enhanced feature.

Claims (25)

1. A system for providing virtual private network services over an ATM network shared by multiple users, the ATM network having a plurality of ATM switches that are interconnected by links, each ATM switch adapted to route ATM call traffic within the public ATM network, the system comprising: an interface element for generating a call setup message that is associated with a private network call to be routed within the public ATM network, the setup message comprising information that includes the original source address of a call initiator and an original destination address of a call receiver that is subscribed to that private network; a processing network that includes control processing nodes that are interconnected with one or more ATM switches of the public ATM network; elements that are implemented in the ATM switch to receive the setup message and to modify the setup message to include an address of the control processing node, while embedding the original source and destination addresses within the modified setup message; and elements for routing the modified setup message from an ATM switch to a nearby control processing node at the address specified in that modified setup message; the control processing node including elements for converting the embedded original source and destination addresses of the modified setup message into ATM network addresses that the ATM switches can recognize, and for routing the modified setup message back to the ATM switch to enable the private network call to be routed over the public ATM network.

2. The system as claimed in Claim 1, wherein the control processing nodes include elements for validating the embedded original source and destination addresses of the modified setup message.

3. The system as claimed in Claim 1, wherein the element for modifying the setup message includes elements for inserting an address of any control processing node in that processing network.

4. The system as claimed in Claim 1, wherein the element for routing the modified setup message from an ATM switch to a control processing node includes routing of that modified setup message through one or more intermediate ATM switches.

5. The system as claimed in Claim 1, wherein the control processing node further includes the element to append to the modified setup message a designated transit list specifying the route for that private network call through the public ATM network.

6. The system as claimed in Claim 1, wherein the control processing node element for sending the modified setup message back to an ATM switch, to route that call through the public network, includes a crankback mechanism.

7. The system as claimed in Claim 2, wherein the control processing node includes the element for performing enhanced call processing features, the validating element including elements to determine whether processing of the enhanced call feature is to be performed.

8. The system as claimed in Claim 1, wherein the ATM network addresses that ATM switches recognize include an address of a terminating ATM switch that connects to the call receiver, the modified setup message being routed to that terminating switch.

9. The system as claimed in Claim 8, wherein the terminating ATM switch extracts the addresses of the original source and destination from the destination, enabling the completion of a call setup to route that call to the receiver of the call.

10. The system as claimed in Claim 8, characterized in that it further includes elements that are implemented in the ATM switch to route the modified setup message back to the control processing node, to re-route that modified setup message to the destination address by means of an alternative ATM switch.

11. An apparatus for providing private network message routing services for multiple clients within a shared ATM network having a plurality of ATM switches that are interconnected by links, each ATM switch adapted to route call traffic within the shared ATM network in accordance with an ATM routing protocol, the apparatus comprising: an interface element for generating a first setup message corresponding to a call initiated by a caller of the private network at a source location and routing that first setup message to a first ATM switch, the first setup message identifying a unique source address of the caller's private network and a unique destination address of the private network of a call receiver; elements that are implemented in the originating ATM switch to convert the first setup message into a second setup message, the second setup message having the unique source address of the private network and the unique destination address of the private network included in the same; one or more control processing elements that are interconnected with each ATM switch and adapted to receive the second setup message from an ATM switch, each control processing element to recognize the unique source and destination addresses of the private network of that call and modify the unique source and destination addresses of the private network in the second message into internal source and destination addresses that ATM switches can recognize; and the element that is implemented in the control processing element to send the second modified setup message back to the originating ATM switch, the ATM routing protocol establishing a signal path to route the ATM call between the calling party of the private network and the receiver.

12. The apparatus as claimed in Claim 11, wherein the ATM routing protocol is a hierarchical message routing scheme.

13. The apparatus as claimed in Claim 11, wherein the ATM routing protocol operates in accordance with a PNNI protocol.

14. The apparatus as claimed in Claim 11, wherein one or more of the control processing elements further includes elements for validating the unique source and destination addresses of the private network that are associated with the caller.

15. The apparatus as claimed in Claim 14, wherein the validating element includes elements to obtain access to the unique source and destination addresses of the private network that are associated with the caller and compare them with the source and destination addresses of the private network that are included in the second setup message.

16. The apparatus as claimed in Claim 13, wherein the element that is implemented in the control processing elements for sending the second modified setup message back to the first ATM switch includes a crankback mechanism that is implemented in the PNNI.

17. The apparatus as claimed in Claim 11, wherein the element that is implemented in the control processing elements for sending the second modified setup message back to the first ATM switch includes a designated transit list that specifies one or more switches that are interconnected to route the ATM call within the shared ATM network.

18. The apparatus as claimed in Claim 11, characterized in that it further includes elements that enable the routing of overflow calls by determining the alternative addresses when the second setup message cannot be routed through an ATM switch.

19. The apparatus as claimed in Claim 11, wherein the interface element generates and routes the first setup message in accordance with a standard UNI protocol.

20. The apparatus as claimed in Claim 1, wherein the element for modifying the setup message includes elements to prevent the allocation of bandwidth in the one or more ATM switches when that modified setup message is being routed to a control processing node through one or more ATM switches.

21. A method for providing private network message routing services for multiple clients within a shared ATM network having a plurality of ATM switches that are interconnected by links, each ATM switch adapted to route ATM call traffic within said shared ATM network in accordance with an ATM routing protocol, the method comprising: (a) generating a first setup message corresponding to a call that is initiated by a caller of the private network at a source location and routing that first setup message to a first ATM switch, the first setup message comprising a unique source address of the calling party's private network and a unique destination address of the private network of a call receiver; (b) converting the first setup message into a second setup message having the unique source address of the private network and the unique destination address of the private network included therein; (c) routing the second setup message from the ATM switch to one or more control processing elements that are interconnected with the ATM switch and that are adapted to recognize the unique source and destination addresses of the private network of the call; (d) modifying the unique source and destination addresses of the private network included in the second message into internal source and destination addresses that ATM switches recognize; (e) sending the second modified setup message back to the originating ATM switch; and (f) enabling the ATM routing protocol to establish a signal path for routing the ATM call between the calling party of the private network and the receiver, based on the second modified setup message.

22. The method according to Claim 21, wherein the enabling step (f) includes the implementation of a hierarchical message routing scheme for routing the ATM call between the calling party of the private network and the receiver.

23. The method according to Claim 22, wherein the hierarchical message routing scheme operates in accordance with an ATM PNNI protocol.

24. The method according to Claim 21, wherein step (d) of modifying the second message includes the step of validating the unique source and destination addresses of the private network that are associated with the caller.

25. The method according to Claim 21, wherein the validation step includes the steps of: obtaining access to the valid source and destination addresses of the private network that are associated with the caller; and comparing the valid source and destination addresses of the private network with the source and destination addresses of the private network that are contained in the second setup message.
MXPA/A/2001/001278A 1998-08-03 2001-02-02 Atm virtual private networks MXPA01001278A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US09128495 1998-08-03

Publications (1)

Publication Number Publication Date
MXPA01001278A (en) 2001-12-13
