WO1999038081A1 - Virtual private network system and method - Google Patents

Virtual private network system and method

Info

Publication number
WO1999038081A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
data
private
data packet
remote client
Prior art date
Application number
PCT/US1999/001583
Other languages
French (fr)
Inventor
Gaige B. Paulsen
Amanda Walker
Original Assignee
Ascend Communications, Inc.
Priority date
Filing date
Publication date
Application filed by Ascend Communications, Inc.
Priority to AU25625/99A (AU2562599A)
Priority to EP99905473A (EP1064602A4)
Priority to CA002318267A (CA2318267C)
Publication of WO1999038081A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/067 Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/2876 Pairs of inter-processing entities at each side of the network, e.g. split proxies
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/59 Providing operational support to end devices by off-loading in the network or by emulation, e.g. when they are unavailable
    • H04L 2212/00 Encapsulation of packets

Definitions

  • This invention relates generally to apparatus and methods for accessing
  • the dispersed workforce and the mobile workforce make a
  • a typical private computer data network may be used by an organization for
  • the private computer data network may be constructed
  • WAN wide area network
  • PSTN telephone network
  • a typical network may use
  • ISDN integrated services digital network
  • each leased line must be dedicated to a particular interconnection.
  • PSTN public switched telephone network
  • ISDN switched services over the PSTN
  • frame relay For example, ISDN or frame relay
  • an analog modem may be the best solution for
  • VPN virtual private network
  • private network is a private data network that uses a public data network, instead of
  • VPN virtual private network
  • the organization to be a dedicated private network.
  • data traffic for the organization may be encrypted at the sender's end and then
  • a VPN can replace an existing private data network, supplement a private data
  • a typical VPN connects one or more
  • Internet has a gateway and a leased line connecting the network to the Internet.
  • the two private networks may communicate with each other.
  • this configuration
  • each network is aware that the other network is at some other location and is connected via a router. As an example, if a company has a central private network in
  • gateway and the VPN to the network in California so that the person in Hong Kong
  • a conventional VPN requires the expense of a leased line and a gateway
  • the invention provides a virtual private network (VPN) which avoids these and
  • a virtual private network system is provided.
  • system also permits an individual to access the private data network without incurring
  • the system also permits an individual to easily connect to the private data network
  • the method comprises establishing a secure communications path over the
  • remote client computer encrypting data and commands of the host computer and the
  • Figure 1 is a block diagram illustrating a conventional virtual private network
  • FIG. 2 is a block diagram illustrating a virtual private network in accordance
  • FIG. 3 is a block diagram illustrating more details of the host computer of
  • Figure 4 is a flowchart illustrating a method for establishing a virtual private
  • the invention is particularly applicable to a system and method for providing a
  • an AppleTalk network via a public TCP/IP network, such as the Internet, in a secure
  • Figure 1 is a block diagram illustrating a conventional virtual private network
  • VPN virtual private network
  • the VPN includes a first private network 22 and a second private network
  • Each private network 22, 24 includes a gateway 28, 30 which
  • gateway encrypts data traffic from the private network which is going to enter the
  • a secure communications path 32 referred to as a tunnel
  • VPN virtual private network
  • a node 34 of the first private network 22 may send data which is
  • the gateway 28 encrypted by the gateway 28 through the tunnel 32, and the data is received by the second gateway 30 which decrypts the data and routes it to the appropriate node in the
  • this conventional VPN does not connect a remote individual
  • FIG. 2 is a block diagram illustrating a virtual private network (VPN) 40 in
  • the VPN may include a private network 42 which
  • the private network 42 may be any type of computer
  • the public network may be any type of
  • the private network 42 may include a host computer 48, and a plurality of
  • NODE_1 first node
  • NODE_2 second node
  • NODE_N an nth node
  • any node of the private network may share resources with any other node on
  • any node of the private network may share a printer which
  • the host computer 48 establishes a secure
  • the remote client 46 by negotiating the communications protocol with the client 46 and
  • the remote client is treated as a node of the private
  • the remote client 46 may access
  • resources connected to the private network such as a printer, as if the remote client
  • the private network are transparent to the user of the remote client since the user can
  • system encapsulates the data destined for the private data network having a first
  • the remote client may interact with the private network as if the remote
  • FIG. 3 illustrates more details of the host computer 48 and the remote client
  • the host computer 48 may include a central processing unit (CPU) 46 in accordance with the invention.
  • CPU central processing unit
  • host may be a software application which is executed by the CPU 60 of the host
  • the host 64 may negotiate and establish the secure virtual connection to the
  • the host 64 accepts unencrypted data from the private network, combines
  • a client software application 66 stored in a
  • memory 68 in the client computer 46 is executed by a central processing unit (CPU) 70
  • the client 66 negotiates and establishes the secure
  • the client also receives
  • virtual private network in accordance with the invention is software application based
  • Figure 4 is a flowchart illustrating a method 100 for establishing
  • remote client may request a connection to the host by any conventional method.
  • step 102 once the initial unsecure connection has been established between
  • the negotiated parameters may include the protocol
  • each host and remote client must be able to support both
  • the invention may
  • the host 14 is like to use and any options, such as the encryption, that it would like to use.
  • Protocol Request An example of the data formats of the Protocol Request and
  • step 103 if an
  • optional session key negotiation phase 104 is going to occur.
  • first protocol In the first protocol
  • the session key negotiation phase is optional, but later versions of the protocol
  • the session key negotiation phase is
  • session key negotiation phase may include a length word indicating the length of the
  • the data flow is bi-directional and is completed when the host and
  • step 105 If the system determines, in step 105,
  • an authentication phase 106 is entered.
  • the method proceeds to a teardown phase 110 in which the
  • the remote client and the host negotiate
  • the host must, at a minimum, send
  • the host may send the remote client, in a Authentication Request, more
  • the host may communicate an
  • the authentication request as described below, to the remote client.
  • request may include one or more authentication type/authentication challenge data
  • the remote client communicates an
  • the remote client selects a particular authentication type and responds with the
  • an implicit session key may be generated by the remote client.
  • the session key may be generated by the following steps.
  • the host determines if the response
  • step 107 If the response was successful (i.e., an appropriate
  • a success data structure is sent to the remote client and the method goes to an
  • teardown phase 110 is entered.
  • the data For each piece of encrypted data sent during the established phase, the data may be
  • the tear down phase 110 is begun.
  • the communications channel is forcibly closed by either the remote client or the host.
  • an acknowledgment from the other side may consist of shutting down the connection
  • TCP/IP public network such as the Internet
  • the virtual private network in accordance with the invention may
  • AppleTalk is a proprietary suite of networking protocols which is designed for plug-
  • Internet is permanently assigned a unique IP address by a quasi-governmental entity.
  • AppleTalk assigns a node or device number to a node or device
  • AppleTalk also has a smaller network number range than the Internet and is not
  • servers and network devices that permits users to locate servers and network devices, such as printers, and
  • AppleTalk has the concept of a "zone" which provide a level of scoping for the service
  • One advantage of the invention is that the
  • remote client can avoid the network number and zone addressing by connecting the
  • Protocol version Protocol version requested
  • Protocol Version 1
  • Options Bytes 2
  • Options field will contain two
  • the protocol response data uses a similar data format to the Protocol request,
  • the session key negotiation phase may include the session
  • the authentication phase may include an authentication
  • this data must contain at least one authentication
  • type/challenge pair may contain more than one authentication type/challenge pair
  • the Authentication Type must be one of the types set forth in Table 5.
  • CHAP Challenge-Handshake Authentication Protocol
  • NT RAS compatible CHAP - There is an 8-byte encrypted challenge. A 16-byte response is expected by the Host. This method MUST be supported by all Hosts and Clients.
  • the default authentication method is the NT RAS compatible CHAP with an 8
  • This authentication response data must contain exactly one response to one of
  • Client may choose which of the pairs to respond to if more than one appears in the
  • This data is also sent unencrypted, unless a session key has been negotiated
  • the remote client may be a data structure for data communicated to the remote client and a data
  • success data structure as set forth in Table 7 is sent to the remote client.
  • This successful connection data is sent by the Host when a connection is
  • success data structure thus contains the embedded information about the private data
  • network information such as the AppleTalk default Bridge (or Router) on the network
  • AppleTalk network so that any devices, such as printers or file servers, on the private
  • This connection failure data is sent by the Host when a connection cannot be
  • the error code field contains an optional
  • the host may always return
  • This error data is sent unencrypted, unless a session key has been negotiated in
  • connection is established, then data is communicated between the host and the client
  • Length and Flags contains the length of the following data in the low 10 bits and a set of reserved flags in the upper 6 bits.
  • Source Network the network number that sent the packet.
  • Source Node the node number that sent the packet.
  • Source Socket the socket that sent the packet.
  • This data is sent from the Host to the Client during the established phase.
  • the data contains the AppleTalk specific information to route the data packet to
  • Length and Flags contains the length of the following data in the low 10 bits and a set of reserved flags in the upper 6 bits.
  • Source Socket the socket that sent the packet.
  • This data is sent from the remote client to the host during the established phase
  • the data includes AppleTalk specific
  • flags set contains data from one data packet that the remote client is sending to the
  • the invention provides a virtual private network system between a
  • the system permits a private data network and remote client that
  • the system also permits an
  • a user of the remote client establishes a secure connection with the
  • remote client is a virtual node of the private network. The user may then transmit data
  • the user of the remote client may issue a print
  • the remote client is a virtual node of the private
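The established-phase data packet described in the entries above (a "Length and Flags" word with the payload length in its low 10 bits and reserved flags in the upper 6 bits, followed by the AppleTalk Source Network, Source Node and Source Socket that identify the sender) can be framed and parsed as follows. This is an added example, not code from the patent or from Ascend Communications: the 16-bit width of the length/flags word follows from 10 + 6 bits, but the widths of the address fields (16-bit network, 8-bit node, 8-bit socket, as in AppleTalk DDP), their order, big-endian byte order, and the absence of further header fields are assumptions, since the patent's table is not on this page. The decoder checks the declared length against the bytes actually received, which is the check a receiver needs so a forged length cannot cause it to read past the buffer.

```python
"""Added example: framing for the established-phase data packet of the VPN
described on this page.  Field widths/order are assumptions (see lead-in)."""
import struct

LENGTH_BITS = 10
LENGTH_MASK = (1 << LENGTH_BITS) - 1   # 0x03FF: payload length occupies the low 10 bits
FLAGS_MASK = 0x3F                      # six reserved flag bits occupy the upper 6 bits
# Assumed layout: length/flags (16), source network (16), source node (8), source socket (8)
HEADER = struct.Struct(">HHBB")


class FramingError(ValueError):
    """Raised for any frame that violates the format; the caller should drop it."""


def encode_frame(src_network, src_node, src_socket, payload, flags=0):
    """Build one frame: header followed by one private-network data packet."""
    if not 0 <= flags <= FLAGS_MASK:
        raise FramingError("flags must fit in 6 bits")
    if len(payload) > LENGTH_MASK:
        raise FramingError("payload exceeds the 10-bit length field (max 1023 bytes)")
    if not (0 <= src_network <= 0xFFFF and 0 <= src_node <= 0xFF and 0 <= src_socket <= 0xFF):
        raise FramingError("source address out of range")
    length_and_flags = (flags << LENGTH_BITS) | len(payload)
    return HEADER.pack(length_and_flags, src_network, src_node, src_socket) + bytes(payload)


def decode_frame(buf):
    """Parse one frame from the start of buf.

    Returns (src_network, src_node, src_socket, flags, payload, bytes_consumed).
    Rejects truncated headers, reserved flags that are set (assumption: reserved
    means must be zero), and a declared length longer than the data present.
    """
    if len(buf) < HEADER.size:
        raise FramingError("truncated header")
    length_and_flags, net, node, sock = HEADER.unpack_from(buf)
    length = length_and_flags & LENGTH_MASK
    flags = length_and_flags >> LENGTH_BITS
    if flags != 0:
        raise FramingError("reserved flags set: %#x" % flags)
    end = HEADER.size + length
    if len(buf) < end:
        # Bounds check: never trust the length word over the bytes actually received.
        raise FramingError("declared length %d exceeds received data" % length)
    return net, node, sock, flags, bytes(buf[HEADER.size:end]), end


def split_stream(buf):
    """Split a byte string holding consecutive frames (as a TCP stream would
    deliver them) into a list of (src_network, src_node, src_socket, payload).
    A trailing partial frame raises FramingError; a real reader would buffer it."""
    frames = []
    offset = 0
    while offset < len(buf):
        net, node, sock, _flags, payload, consumed = decode_frame(buf[offset:])
        frames.append((net, node, sock, payload))
        offset += consumed
    return frames


if __name__ == "__main__":
    # Constructed sample: two packets from network 1, node 2, sockets 3 and 4.
    stream = encode_frame(1, 2, 3, b"hello") + encode_frame(1, 2, 4, b"printer job")
    for frame in split_stream(stream):
        print(frame)
```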

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system and method for remote users to access a private network (42) having a first communications protocol via a public network (44), such as any TCP/IP network having a second different communications protocol, in a secure manner so that the remote user appears to be connected directly to the private network (42) and appears to be a node on that private network (42). A host (48) connected to the private network (42) may execute a host software application which establishes and provides a communications path for secure access of the remote client computer (46). An encrypted data stream may be communicated between the host (48) and the client (46) representing traffic and commands on the network.

Description

VIRTUAL PRIVATE NETWORK SYSTEM AND METHOD
Background of the Invention
This invention relates generally to apparatus and methods for accessing
computer networks and in particular to establishing a secure connection between a
remote computer and a private computer network using a public computer network.
In the past, organizations and companies have used private (internal) computer
data networks to connect their users to each other. These private networks are not
accessible to the public and permit sensitive data to be transferred between users within
the company. However, due to the increasing numbers of people who need access to
the private computer data network and the disparate locations of these people, there
are several disadvantages of these conventional private computer networks.
As the number of people in a company grows, the workforce becomes more
dispersed among different locations and there are more employees who are mobile,
such as salespeople who travel around a region of the United States. For example,
some employees may telecommute which requires dial-up access to the private
computer data network. The dispersed workforce and the mobile workforce make a
private computer data network unmanageable because this mobility requires at least
two network connections for each user. In addition, since cellular telephone access has
also become more available, additional connections to the network for this access is
needed. In addition, full-time telecommuters dramatically increase the number of
permanent "remote offices" a company must interconnect which further complicates the private computer data network administration and topology. In addition, as
companies increase in size, due to acquisitions, mergers and expansion, the private
computer data network must support more remote offices and more network nodes.
Thus, as an organization expands, the private computer data network of the organization
becomes unwieldy and unmanageable.
Recently, it has become necessary and desirable to permit employees of the
company to interact "on-line" with customers and suppliers. This function adds a new
dimension of complexity to the private computer data network since multiple private
computer data networks must be interfaced together in a delicate balance of integration
while maintaining some isolation due to security concerns. The individual networks
that are being integrated together typically use different data transfer protocols,
different software applications, different data carriers and different network
management systems. Thus, interfacing these private computer data networks is a
major challenge.
There is also a desire to consolidate and simplify the user interface to the
computer network as well as to the software applications being executed by the
computer network since it is often difficult to keep on top of each new software
application. Thus, the costs of implementing and maintaining a private computer data
network is high and is expected to increase in the future as the factors set forth above
continue to drive up the costs of the private computer data networks. These high costs
are compounded by the high costs for long distance telephone charges for leased lines
and switched services. The number of support staff necessary to manage the complex topologies of these private computer data networks also further increases the costs to
manage the private computer data networks. In addition, software applications which
execute over the private network require separate backup equipment which further
complicates the topology and increases the cost of the private computer data network.
Thus, the costs and complexity of these private computer data networks are continuing
to spiral upwards and there is no foreseeable end in sight.
A typical private computer data network may be used by an organization for
some of its communications needs and may carry exclusively data traffic or a mix of
voice/video and data traffic. The private computer data network may be constructed
with a variety of wide area network (WAN) services that often use the public switched
telephone network (PSTN) as a communications medium. A typical network may use
high speed leased lines that carry voice, facsimile, video and data traffic between major
facilities. These leased lines may include integrated services digital network (ISDN)
lines or conventional T1 telephone lines. Because these leased lines are point-to-point
connections, a mesh topology is necessary to interconnect multiple facilities. In
addition, each leased line must be dedicated to a particular interconnection. A remote
office may use switched services over the PSTN, such as ISDN or frame relay. For
individual mobile employees, an analog modem may be the best solution for
connection to the private computer data network. The private computer data network
with all of these different connections, therefore, is very expensive to implement and
maintain for the reasons set forth above.
A virtual private network (VPN), on the other hand, may offer the same
capabilities as a private computer data network, but at a fraction of the cost. A virtual
private network is a private data network that uses a public data network, instead of
leased lines, to carry all of the traffic. The most accessible and less expensive public
data network currently is the Internet which can be accessed worldwide with a
computer and a modem. An Internet-based virtual private network (VPN) is virtual
because although the Internet is freely accessible to the public, the Internet appears to
the organization to be a dedicated private network. In order to accomplish this, the
data traffic for the organization may be encrypted at the sender's end and then
decrypted at the receiver's end so that other users of the public network can intercept
the data traffic, but cannot read it due to the encryption.
A VPN can replace an existing private data network, supplement a private data
network by helping relieve the load on the private data network, handle new software
applications without disturbing the existing private data network or permit new
locations to be easily added to the network. A typical VPN connects one or more
private networks together through the Internet in which the network on each side of the
Internet has a gateway and a leased line connecting the network to the Internet. In
these typical VPNs, the same protocol for each private network, such as TCP/IP, is
used which makes it easier to communicate data between the two networks. To create
the VPN, a secure communications path between the two gateways is formed so that
the two private networks may communicate with each other. In this configuration,
however, each network is aware that the other network is at some other location and is connected via a router. As an example, if a company has a central private network in
California and a remote office in Hong Kong, these two private networks may be
connected via the VPN which reduces long distance telephone call charges. However,
if a single individual is traveling in Hong Kong and wants to connect to the private
network in California, the individual must incur long distance telephone charges or, if
there is a remote office in Hong Kong, then the entire private network must be
connected via the VPN to the California private network to communicate data. In
addition, with the conventional VPN described, the individual in Hong Kong is aware
that he is connected to the Hong Kong network which is in turn connected, via the
gateway and the VPN, to the network in California so that the person in Hong Kong
cannot, for example, easily use the network resources of the California network, such
as a printer.
Thus, a conventional VPN requires the expense of a leased line and a gateway
at each end of the VPN and cannot adequately address the needs of an individual who
needs access to the private network. In addition, these conventional VPNs cannot
easily connect networks which have different networking protocols. In addition, these
conventional VPNs cannot be easily used for connecting an individual who needs
remote access to the private network since the entire network with a gateway is needed.
Thus, the invention provides a virtual private network (VPN) which avoids these and
other problems with conventional VPNs and it is to this end that the invention is
directed.
Summary of the Invention
In accordance with the invention, a virtual private network system is provided
which connects a private data network and a remote client which does not require
expensive leased lines or gateways to establish a secure communications path. The
system also permits an individual to access the private data network without incurring
any long distance telephone charges. In addition, the system permits a private data
network and remote client that use one communications protocol to communicate with
each other over a public data network that uses a different communications protocol.
The system also permits an individual to easily connect to the private data network
without a remote private network and the individual appears to be a node on the private
network, once connected, so that the individual may access any resources on the
private data network.
In accordance with the invention, a system and method for forming a
communications path between a public access network and a private access network
where the two networks have substantially incompatible transmission protocols is
provided. The method comprises establishing a secure communications path over the
public access network between a host computer connected to the private network and a
remote client computer, encrypting data and commands of the host computer and the
client computer, and formatting the encrypted data and commands into a format
compatible for transmission over the public access network. The formatted data and
commands are then transmitted over the public access network. Once the formatted
data and commands have reached their destination, they are decrypted to establish the client computer as a virtual node on the private network. In accordance with another aspect
of the invention, a data structure for communicating data for a private data network
having a first communications protocol over a public access network having a second
communications protocol is provided.
Brief Description of the Drawings
Figure 1 is a block diagram illustrating a conventional virtual private network;
Figure 2 is a block diagram illustrating a virtual private network in accordance
with the invention;
Figure 3 is a block diagram illustrating more details of the host computer of
Figure 1; and
Figure 4 is a flowchart illustrating a method for establishing a virtual private
network and communicating secure data over the virtual private network in accordance
with the invention.
Detailed Description of a Preferred Embodiment
The invention is particularly applicable to a system and method for providing a
virtual private network which permits remote users to access a private network, such as
an AppleTalk network, via a public TCP/IP network, such as the Internet, in a secure
manner as if the remote user was one of the nodes on that private network. It is in this context that the invention will be described. It will be appreciated, however, that the
system and method in accordance with the invention has greater utility. Before
describing the invention, a brief description of a conventional virtual private network
(VPN) will be provided.
Figure 1 is a block diagram illustrating a conventional virtual private network
(VPN) 20. The VPN includes a first private network 22 and a second private network
24 connected together through a public computer network 26, such as the Internet. The
communications protocols for the first and second private networks as well as the
public network may be the standard Transmission Control Protocol/Internet Protocol
(TCP/IP). Thus, the communications protocols for the private networks are the same
as the public network. Each private network 22, 24 includes a gateway 28, 30 which
interfaces between the respective private network and the public network. Each
gateway encrypts data traffic from the private network which is going to enter the
public network and decrypts encrypted data received from the public network. In
normal operation, a secure communications path 32, referred to as a tunnel, is formed
over the public network that connects the first and second private networks through the
respective gateways. The combination of the two private networks and the tunnel over
the public network forms the virtual private network (VPN). The VPN is virtual since
it is actually using a public network for the connection, but due to the encryption both
private networks believe that they have a private network over which data may be sent.
For example, a node 34 of the first private network 22 may send data which is
encrypted by the gateway 28 through the tunnel 32, and the data is received by the second gateway 30 which decrypts the data and routes it to the appropriate node in the
second private network. This conventional VPN, however, does not adequately
provide an individual remote user with a system for remotely accessing the private
network because the conventional VPN connects two networks with a tunnel and
would require the individual to be connected to one of the private networks to utilize
the VPN. In addition, this conventional VPN does not connect a remote individual
directly to the private network so that a remote user with a VPN connection cannot
directly access resources, such as a printer, connected to the private network. This
conventional system also does not handle computer networks which have different
communications protocols. Now, the virtual private network system in accordance
with the invention will be described which overcomes these problems with a
conventional VPN.
Figure 2 is a block diagram illustrating a virtual private network (VPN) 40 in
accordance with the invention. The VPN may include a private network 42 which
communicates data using a first communications protocol, a public network 44 which
communicates data using a second communications protocol, and a client node 46 that
is connected for secure communications to the private network 42 through the public
network 44 as described below. The private network 42 may be any type of computer
network, such as an AppleTalk network. The public network may be any type of
publicly accessible computer network such as the Internet.
The private network 42 may include a host computer 48, and a plurality of
network nodes, such as a first node (NODE_1) 50, a second node (NODE_2) 52, and
an nth node (NODE_N) 54 which are all connected to the host computer. In normal
operation any node of the private network may share resources with any other node on
the network. For example, any node of the private network may share a printer which
is attached to the private network. The host computer 48 establishes a secure
communications path 56, referred to as a tunnel, through the public network 44 with
the remote client 46 by negotiating the communications protocol with the client 46 and
authenticating the identity of the client. Once the secure tunnel has been established
between the private network 42 through the host computer 48 and the public network
44 with the remote client 46, the remote client is treated as a node of the private
network and uses the communications protocol of the private network even though the
public network uses a different protocol. Thus, the remote client 46 may access
resources connected to the private network, such as a printer, as if the remote client
were directly connected to the private network. Therefore, with the VPN in
accordance with the invention, the various connections between the remote client and
the private network are transparent to the user of the remote client since the user can
use the private network in any manner that a user directly connected to the private
network can.
With the VPN in accordance with the invention, a gateway at each end of the
virtual private network is not required. In addition, data traffic for the private network
which has a first data communications protocol may be communicated over a public
computer network which has a different communications protocol. In particular, the
system encapsulates the data destined for the private data network having a first
protocol in a data packet that may be sent over the public network, as described in
more detail below. Thus, once the secure virtual private network connection has been
established, the remote client may interact with the private network as if the remote
client was directly connected to the private network. The virtual private network in
accordance with the invention also permits an individual remote user to easily establish
a connection with a distant private network without the need for a remote private
network and a leased line or long distance telephone charges. Now, more details about
the host computer 48 and the remote client 46 in accordance with the invention will be
described.
Figure 3 illustrates more details of the host computer 48 and the remote client
46 in accordance with the invention. The host computer 48 may include a central
processing unit (CPU) 60, a memory 62 and a host 64 stored in the memory 62. The
host may be a software application which is executed by the CPU 60 of the host
computer. When a remote client contacts the private network 42 to establish a secure
connection, the host 64 may negotiate and establish the secure virtual connection to the
remote client 46, as described below. Once the secure connection has been
established, the host 64 accepts unencrypted data from the private network, combines
the data with a header containing information about the protocol of the private data
network, encrypts the data and the header, and communicates the encrypted data and
header, over the secure communications path, to the remote client. The host also
receives encrypted data with a header from the remote client, decrypts the data and the
header, and passes the data traffic onto the appropriate node in the private network
based on the header information, as described below.
Similarly, at the remote client 46, a client software application 66 stored in a
memory 68 in the client computer 46 is executed by a central processing unit (CPU) 70
in the client computer 46. The client 66 negotiates and establishes the secure
communications path with the host computer, combines the data with an appropriate
header, encrypts the data traffic and the header destined for the host computer, and
communicates the encrypted data to the host computer. The client also receives
encrypted data traffic from the host computer, decrypts it, and passes the data traffic
on to other software applications which are being executed by the CPU 70. Thus, the
virtual private network in accordance with the invention is software application based
so that expensive hardware, such as a gateway and leased lines, are not necessary. The
software applications also permit the data between the client and host, which have a
first communications protocol, to be communicated over a public computer network
which has a second different communications protocol. Now, a method for
establishing and communicating data traffic over the virtual private network in
accordance with the invention will be described.
Figure 4 is a flowchart illustrating a method 100 for establishing and
communicating data over the virtual private network in accordance with the invention.
An example of the phases and data formats for the communications between an
AppleTalk network host and an AppleTalk remote client over the Internet will be
described below, but the invention is not limited to that example and may be used to
communicate data between any hosts and remote clients having a different
communications protocol than the public data network. To begin the method, the
remote client may request a connection to the host by any conventional method.
In step 102, once the initial unsecure connection has been established between
the host and the client, a protocol negotiation phase occurs in which the host and the
client negotiate the parameters that will govern the subsequent communications
between the host and the client. The negotiated parameters may include the protocol
version, the compression level, and the encryption technique. Each of these parameters
has a default setting that must be available for either the host or the remote client to
request so that there is a minimum set of functionality which may be implemented. To
ensure backwards compatibility of any host or remote client, each host or client will
implement at least a first protocol version so that there is backwards compatibility for
future versions. These parameters will be described in more detail below. In addition,
for the encryption parameter, each host and remote client must be able to support both
data encryption standard (DES) type encryption as well as some form of non-DES
encryption to permit communications between hosts and clients that are licensed for
use within the United States as well as outside of the United States. The invention may
use a plurality of different well-known non-DES encryption methods and these
encryption methods will not be described here. The protocol negotiation phase is
started when the connection is established and is initiated by the remote client sending
the host a Protocol Request in which it communicates which protocol version it would
like to use and any options, such as the encryption, that it would like to use. The host
then sends the remote client a Protocol Response verifying the protocol version
number and any options. An example of the data formats of the Protocol Request and
Protocol Response in the context of an AppleTalk network are provided below.
Once the protocol has been negotiated, it is determined, in step 103, if an
optional session key negotiation phase 104 is going to occur. In the first protocol
version, the session key negotiation phase is optional, but later versions of the protocol
will require the session key negotiation phase. The session key negotiation phase is
thus entered if a session key bit in the Protocol Request is set during the protocol
negotiation phase. During the session key negotiation phase, data is exchanged
between the host and remote client for the purpose of setting up an encryption key that
is used for the remainder of the communication. In a preferred embodiment, a well
known Diffie-Hellman key exchange method is used, but any other conventional key
exchange method may be used. If the session key phase and the Diffie-Hellman key
exchange method are not being used, the encryption key is chosen during an
authentication phase 106, as described below. The data communicated during the
session key negotiation phase may include a length word indicating the length of the
data and the data. The data flow is bi-directional and is completed when the host and
the remote client have agreed on a session key. If the system determines, in step 105,
that a session key has been established, an authentication phase 106 is entered. In the
event that a session key is not successfully negotiated during the session key
negotiation phase, the method proceeds to a teardown phase 110 in which the
communications between the host and the remote client are terminated and the method
ends.
During the authentication phase 106, the remote client and the host negotiate
what type of authentication is used for the communications and then provide
challenges and responses to authenticate the identity of the remote client. Due to the
wide variety of security requirements and methods, the host must, at a minimum, send
a request with at least one default authentication type identifier and an associated
challenge. However, if the host has the ability to use more than one authentication
method, then the host may send the remote client, in an Authentication Request, more
than one authentication type identifier and their associated challenges as described
below. Thus, to start the authentication phase, the host may communicate an
authentication request, as described below, to the remote client. The authentication
request may include one or more authentication type/authentication challenge data
pairs. In response to the authentication request, the remote client communicates an
authentication response back to the host which includes exactly one authentication
type/response data pair. If the host sends more than one authentication type/challenge
pair, the remote client selects a particular authentication type and responds with the
authentication type/response pair for only that particular authentication type. An
example of the types of authentication methods is set forth below.
If the session key negotiation phase is not used, then, during a successful
authentication phase, an implicit session key may be generated by the remote client. In
a preferred embodiment, the session key may be generated by the following steps.
First, a Unicode string containing the password from the client is concatenated with the
challenge from the authentication request. Next, a SHA-1 hash value over the resultant
concatenated data is calculated and the initial bytes of the hash value may then be used
as the session key which may be communicated back to the host.
In response to the authentication response, the host determines if the response
was successful or not in step 107. If the response was successful (i.e., an appropriate
response to the challenge was received which verifies the identity of the remote client),
a success data structure is sent to the remote client and the method goes to an
established phase 108, as described below. If the response was not successful (i.e., an
appropriate response to the challenge was not received so that the identity of the
remote client can not be verified), then an error code is sent to the remote client and the
teardown phase 110 is entered.
During a typical successful secure communications session, most of the time is
spent in the established phase 108 in which encrypted data including the header is
communicated between the remote client and the host. The header, as described
below, contains information required by the communications protocol of the private
network (i.e., the host and the remote client) to appropriately route data. Thus, the
communications protocol information for the private network is embedded in the
encrypted data packet so that the data destined for the private data network may be
communicated over the public network having a different communications protocol.
For each piece of encrypted data sent during the established phase, the data may be
preceded by a length and flag word which contains the length of the data in bytes and
six bits of flags. Since the data is typically sent over a TCP/IP based public network, a
PUSH bit in the flag bits must be set to accelerate the processing of the transactions
once a complete unit of data has been received.
If an unsuccessful session key negotiation, an unsuccessful authentication, or
the end of the established phase occurs, then the tear down phase 110 is begun. During
the tear down phase, there is no data traffic between the remote client and the host and
the communications channel is forcibly closed by either the remote client or the host.
During the teardown phase, when one side shuts down the communications channel,
an acknowledgment from the other side may consist of shutting down the connection
from that side as well so nothing remains of the communications path. After the
teardown phase, the method has been completed. The method, therefore, sets up a
communication session as needed and then tears down the communications path once
the communications have been completed.
Now, an example of the data formats for a system and method in accordance
with the invention for communicating AppleTalk data between a remote client and a
host over a TCP/IP public network, such as the Internet, will be described. As
described above, the virtual private network in accordance with the invention may
connect any private network having a first communications protocol to a public
network having a second different communications protocol securely to permit remote
users to access the private network in a secure manner wherein the remote user appears
to be one of the nodes in the private network. In this example, the data formats for
each of the communications phases are set forth and explained. For each different
private data network with a different communications protocol, these data formats will
vary slightly. The bytes of these data formats are sent across the network connection
path over the Internet using a Network Byte Order protocol in which the most
significant byte is communicated first.
To better understand the utility of the invention in the context of a connection
between an AppleTalk private network and an AppleTalk remote client over the
TCP/IP-based Internet, the differences between the protocol for the AppleTalk network
and the Internet will be described before describing the data formats for this example.
AppleTalk is a proprietary suite of networking protocols which is designed for plug-
and-play operation whereas TCP/IP is designed to be administered. In particular, the
Internet or any other TCP/IP network has been designed such that each node on the
Internet is permanently assigned a unique IP address by a quasi-governmental entity.
AppleTalk, on the other hand, assigns a node or device number to a node or device
when the nodes or devices are actually placed on the network to provide the plug-and-
play functionality. Therefore, the two networking protocols assign network numbers
in different manners.
AppleTalk also has a smaller network number range than the Internet and is not
centrally administered so that AppleTalk networks cannot be arbitrarily connected to
each other without substantial planning to ensure that the connected nodes do not have
overlapping network numbers. In AppleTalk, there is also a service location protocol
that permits users to locate servers and network devices, such as printers, and
AppleTalk has the concept of a "zone" which provides a level of scoping for the service
location protocol. In order to access the network services on a particular network, you
must have access to the particular zone. One advantage of the invention is that the
remote client can avoid the network number and zone addressing by connecting the
user of the remote client directly on the AppleTalk network as a virtual node in the zone
of the host computer in a secure manner. Thus, once the user of the remote client is
securely connected to the AppleTalk network over the Internet, the user sees all of the
devices of the AppleTalk network, such as printers and file servers, in a familiar
manner which permits them to access any device on the private network. Now, an
example of the data formats for the invention when connecting an AppleTalk private
network and a remote client over the Internet will be described.
During the protocol negotiation phase, as described above, there is a protocol
request from the remote client and a protocol response from the host. The data formats
of the protocol request and protocol response are set forth in Tables 1 - 3 below.
Table 1 - Protocol Request

Byte Offset   Width                             Contents
0             2 bytes                           Total Bytes: Total number of bytes in the transaction (excluding this field)
2             2 bytes                           Protocol Version: Protocol version requested
4             2 bytes                           Options Bytes: Length of the following data bytes
6             specified by the previous field   Options: Any options to be requested
In version 1 of the protocol, the Total Bytes in the protocol request is 6, the
Protocol Version is 1, the Options Bytes is 2, and the Options field will contain two
bytes which represent 16 individual flag bits. For other versions of the protocol, these
fields may contain different values. The meanings of the flag bits in the protocol
request data format are set forth below in Table 2.
Table 2 - Option Flag Bits Format

Bit Location   Meaning
15-2           Reserved for future options. These must be 0 in the first version of the protocol.
1              Use session key negotiation. If this bit is set, the requester wants to use the Session Key Negotiation phase. If not, it is requested that the phase be omitted.
0              Use DES encryption. If this bit is set, the requester wants to use DES encryption. If it is not set, an alternate encryption method is to be used.
Thus, using the options fields in the first version of the protocol, the session
key negotiation phase and the type of encryption may be chosen. With future versions
of the protocol, additional options may be selected. The format of the Protocol
Response will now be described with reference to Table 3.
Table 3 - Protocol Response

Byte Offset   Width                        Contents
0             2 bytes                      Total Bytes: Total number of bytes in the transaction (excluding this field)
2             2 bytes                      Protocol Version: Protocol version to be used
4             2 bytes                      Options Bytes: Length of the following data bytes
6             specified in Options Bytes   Options: Any options that are in use
The protocol response data uses a similar data format to the Protocol request,
and contains the same data. However, when returned from the Host to the Client in
the Protocol Negotiation phase, this data establishes the actual communication protocol
and data format to be followed during the Established phase. The data communicated
during the protocol negotiation phase is unencrypted since the secure communications
path has not yet been established. Now, the data formats for the optional session key
negotiation phase will be described.
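The following Python example, added here and not code from the patent or from Ascend Communications, encodes and validates the version 1 Protocol Request and Protocol Response of Tables 1 to 3 together with the option flag bits of Table 2. All multi-byte fields are big-endian, matching the network byte order the description specifies. The host-side fallback to version 1 with no options for an unrecognised requested version is an assumed policy derived from the backwards-compatibility requirement stated above; only version 1 is defined on the page.

```python
import struct

# Option flag bits (Table 2) for version 1 of the protocol.
OPT_USE_DES = 0x0001       # bit 0: DES encryption requested / in use
OPT_SESSION_KEY = 0x0002   # bit 1: run the Session Key Negotiation phase
OPT_RESERVED = 0xFFFC      # bits 15-2: must be 0 in the first protocol version

SUPPORTED_VERSIONS = (1,)  # every host and client implements at least version 1


def build_protocol_message(version: int, flags: int) -> bytes:
    """Encode a Protocol Request (Table 1) or Protocol Response (Table 3).

    Both share one layout. Total Bytes counts everything after itself:
    Protocol Version (2) + Options Bytes (2) + the option bytes themselves.
    """
    options = struct.pack(">H", flags)              # version 1: two bytes = 16 flag bits
    body = struct.pack(">HH", version, len(options)) + options
    return struct.pack(">H", len(body)) + body


def parse_protocol_message(buf: bytes) -> dict:
    """Decode a request or response, checking every length field against the
    bytes actually received; raises ValueError on any inconsistency."""
    if len(buf) < 6:
        raise ValueError("protocol message shorter than its fixed fields")
    total, version, opt_len = struct.unpack(">HHH", buf[:6])
    if total != len(buf) - 2:
        raise ValueError(f"Total Bytes is {total}, but {len(buf) - 2} bytes follow it")
    if opt_len != total - 4:
        raise ValueError("Options Bytes disagrees with Total Bytes")
    options = buf[6:]
    flags = None
    if version == 1:
        if opt_len != 2:
            raise ValueError("version 1 carries exactly two option bytes")
        (flags,) = struct.unpack(">H", options)
        if flags & OPT_RESERVED:
            raise ValueError("reserved option bits set in a version 1 message")
    return {"version": version, "flags": flags, "options": options}


def host_protocol_response(request: bytes) -> bytes:
    """Host side of step 102. Every host must support both DES and a non-DES
    method, so the requested flags are honoured as-is for a supported version.
    An unsupported version is answered with version 1 and no options
    (assumed policy, not stated on the page)."""
    req = parse_protocol_message(request)
    if req["version"] in SUPPORTED_VERSIONS:
        return build_protocol_message(req["version"], req["flags"])
    return build_protocol_message(1, 0)


def negotiated_settings(response: bytes) -> dict:
    """What the client applies after the Protocol Response: whether the
    Session Key Negotiation phase follows (step 103) and which cipher family
    governs the Established phase."""
    resp = parse_protocol_message(response)
    if resp["flags"] is None:
        raise ValueError(f"host selected unsupported version {resp['version']}")
    return {
        "version": resp["version"],
        "session_key_phase": bool(resp["flags"] & OPT_SESSION_KEY),
        "encryption": "DES" if resp["flags"] & OPT_USE_DES else "non-DES",
    }


if __name__ == "__main__":
    request = build_protocol_message(1, OPT_SESSION_KEY | OPT_USE_DES)
    response = host_protocol_response(request)
    print(request.hex(), "->", negotiated_settings(response))
```

Both messages travel unencrypted, so a receiver should treat the length fields as untrusted input; the parser above rejects any message whose Total Bytes or Options Bytes does not match what was actually received rather than indexing past the buffer.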
The session key negotiation phase, as described above, may include the session
negotiation request and the session negotiation response. The data format for both of
these pieces of data is identical for all responses and requests. In particular, each data
packet contains a 2 byte length field followed by the data used for the negotiation of
the session key for use in the well-known Diffie-Hellman key exchange method. Once
again, the data is sent unencrypted since no secure communications channel has been
established.
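As an added illustration of the session key negotiation phase described above and in step 104 (this is example code, not the patent's or Ascend's), the following Python runs a Diffie-Hellman exchange over the 2-byte-length-plus-data packets just described, with the host and the remote client executing the same code. The group (generator 2 modulo the Mersenne prime 2**61 - 1) is a constructed demonstration group chosen only to keep the numbers readable, and the derivation of the 8-byte key from the shared secret by a SHA-1 prefix is an assumption; the page specifies neither the group nor the key derivation.

```python
import hashlib
import secrets
import struct

# Constructed demonstration group: far too small for real use, readable on screen.
DH_P = (1 << 61) - 1   # 2305843009213693951, a Mersenne prime
DH_G = 2


def frame_negotiation_data(data: bytes) -> bytes:
    """Session key negotiation packet: a 2-byte length word, then the data."""
    return struct.pack(">H", len(data)) + data


def unframe_negotiation_data(buf: bytes) -> bytes:
    """Strip the length word, refusing packets whose length word lies."""
    if len(buf) < 2:
        raise ValueError("packet shorter than its length word")
    (n,) = struct.unpack(">H", buf[:2])
    if len(buf) != 2 + n:
        raise ValueError(f"length word says {n} bytes, but {len(buf) - 2} follow")
    return buf[2:]


def int_to_bytes(v: int) -> bytes:
    return v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")


class DHParty:
    """One side of the exchange; the host and the remote client are symmetric."""

    def __init__(self):
        self.private = secrets.randbelow(DH_P - 3) + 2      # assumed range [2, p-2]
        self.public = pow(DH_G, self.private, DH_P)
        self.session_key = None

    def outgoing(self) -> bytes:
        """The packet this side sends: its public value, length-framed."""
        return frame_negotiation_data(int_to_bytes(self.public))

    def receive(self, packet: bytes) -> bytes:
        """Consume the peer's packet and fix the session key for this side."""
        peer_public = int.from_bytes(unframe_negotiation_data(packet), "big")
        # Reject the degenerate values 0, 1 and p-1, which would pin the shared
        # secret to a known constant regardless of the private exponent.
        if not 2 <= peer_public <= DH_P - 2:
            raise ValueError("peer public value outside the usable group range")
        shared = pow(peer_public, self.private, DH_P)
        # Key derivation is not given on the page; SHA-1 prefix is assumed here,
        # mirroring the implicit-key construction of the authentication phase.
        self.session_key = hashlib.sha1(int_to_bytes(shared)).digest()[:8]
        return self.session_key


def run_session_key_phase():
    """Bi-directional exchange; returns (agreed, key) so that a failed
    negotiation can route to the teardown phase (step 105)."""
    host, client = DHParty(), DHParty()
    to_host = client.outgoing()        # remote client -> host
    to_client = host.outgoing()        # host -> remote client
    host.receive(to_host)
    client.receive(to_client)
    return host.session_key == client.session_key, host.session_key


if __name__ == "__main__":
    agreed, key = run_session_key_phase()
    print("agreed:", agreed, "key:", key.hex())
```

Because these packets are sent in the clear, the only integrity the phase itself provides is the length check; authenticity of the peer is established only afterwards, in the authentication phase.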
The authentication phase, as described above, may include an authentication
request and an authentication response, whose data formats are set forth below in
Tables 4-6.
Table 4 - Authentication Request

Byte Offset   Width                          Contents
0             2 bytes                        Total Bytes: Total number of bytes in the transaction (excluding this field)
2             2 bytes                        Authentication Type: Identifies the authentication type
4             2 bytes                        Challenge Bytes: The number of bytes that follow for the challenge (0 or more)
6             specified in Challenge Bytes   Challenge: The data for the challenge in the authentication. The exact contents vary based on the authentication method.
As described above, this data must contain at least one authentication
type/challenge pair, but may contain more than one authentication type/challenge pair
if the host supports more than one type of authentication. In version 1 of the protocol,
the Authentication Type must be one of the types set forth in Table 5.
Table 5 - Authentication Types

Authentication Type   Description
0                     No authentication. No bytes follow for the challenge (may not be supported by any server). A 0-length response is expected by Hosts which request this method.
1                     Clear Text authentication. There is no challenge (may not be supported by any server). A 0-length challenge is sent, and the Host expects the user name and password of the client to be sent in clear text.
2                     Challenge-Handshake Authentication Protocol (CHAP). There is an 8-byte encrypted challenge. A 24-byte response is expected by the Host. This method MAY be supported by Hosts and Clients.
3                     NT RAS compatible CHAP. There is an 8-byte encrypted challenge. A 16-byte response is expected by the Host. This method MUST be supported by all Hosts and Clients.
As shown, there are several different authentication methods which may be
used. The default authentication method is the NT RAS compatible CHAP with an 8
byte challenge and a 16 byte response. Again, since no secure communications path
has been established, this data is sent unencrypted. Now, the data format of the
authentication response is described with reference to Table 6.
Table 6 - Authentication Response

Byte Offset          Width                         Contents
0                    2 bytes                       Total Bytes: Total number of bytes in the transaction (excluding this field)
2                    2 bytes                       Authentication Type: Identifies the authentication type
4                    2 bytes                       Response Bytes: Number of bytes in the authentication response
6                    specified in Response Bytes   Response: The data which responds to the Challenge. The length and exact contents vary based on the authentication type and the challenge.
Response Bytes + 6   up to 32 bytes                User Name: The clear text version of the user name. The name is terminated by the end of the data (based on Total Bytes).
This authentication response data must contain exactly one response to one of
the Authentication Type/Challenge pairs in the preceding Authentication Request. The
Client may choose which of the pairs to respond to if more than one appears in the
Authentication Request. The User Name in the response specifies which user is
requesting access and is used in conjunction with the Response to authenticate the user.
This data is also sent unencrypted, unless a session key has been negotiated
previously in the Session Key Negotiation phase, in which case it is encrypted.
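The Python below is an added example, not the patent's or Ascend's code, covering two passages: the Authentication Request and Response of Tables 4 to 6 with the type codes of Table 5, and the implicit session key derivation described earlier (password as a Unicode string concatenated with the challenge, SHA-1, initial bytes of the hash). It builds a request carrying more than one type/challenge pair, lets the client select exactly one, frames the response with the trailing user name, and parses it on the host side. Assumptions: the type numbers 2 and 3 for the two CHAP variants follow the row order of Table 5; the client policy of declining the no-authentication and clear-text offers; UTF-16BE as the encoding of the "Unicode string"; and an 8-byte (DES-sized) session key. The 16-byte CHAP response value is constructed sample data, since the page does not define how it is computed.

```python
import hashlib
import struct

# Authentication Type values (Table 5). 0 and 1 are given on the page; 2 and 3
# are assumed from the table's row order for the two CHAP variants.
AUTH_NONE, AUTH_CLEARTEXT, AUTH_CHAP, AUTH_NT_RAS_CHAP = 0, 1, 2, 3

# (challenge length, response length) per type, from Table 5. None = not fixed.
AUTH_SIZES = {
    AUTH_NONE: (0, 0),
    AUTH_CLEARTEXT: (0, None),
    AUTH_CHAP: (8, 24),
    AUTH_NT_RAS_CHAP: (8, 16),
}


def build_auth_request(pairs) -> bytes:
    """Table 4: a single Total Bytes, then one or more (type, challenge) pairs."""
    body = b""
    for auth_type, challenge in pairs:
        expected, _ = AUTH_SIZES[auth_type]
        if len(challenge) != expected:
            raise ValueError(f"type {auth_type} needs a {expected}-byte challenge")
        body += struct.pack(">HH", auth_type, len(challenge)) + challenge
    return struct.pack(">H", len(body)) + body


def parse_auth_request(buf: bytes) -> list:
    """Return the offered [(type, challenge), ...], validating every length."""
    if len(buf) < 6:
        raise ValueError("request shorter than one type/challenge pair")
    (total,) = struct.unpack(">H", buf[:2])
    if total != len(buf) - 2:
        raise ValueError("Total Bytes disagrees with received length")
    pairs, pos = [], 2
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated type/challenge pair")
        auth_type, n = struct.unpack(">HH", buf[pos:pos + 4])
        challenge = buf[pos + 4:pos + 4 + n]
        if len(challenge) != n:
            raise ValueError("Challenge Bytes runs past the end of the request")
        pairs.append((auth_type, challenge))
        pos += 4 + n
    return pairs


def choose_auth_type(pairs, preference=(AUTH_NT_RAS_CHAP, AUTH_CHAP)):
    """Client picks exactly one offered pair. NT RAS compatible CHAP is the
    default every host and client must support, so it is tried first; the
    no-authentication and clear-text offers are declined (assumed policy)."""
    offered = dict(pairs)
    for auth_type in preference:
        if auth_type in offered:
            return auth_type, offered[auth_type]
    raise ValueError("host offered no acceptable authentication type")


def build_auth_response(auth_type: int, response: bytes, user_name: str) -> bytes:
    """Table 6: type, Response Bytes, response, then the user name up to the end."""
    _, expected = AUTH_SIZES[auth_type]
    if expected is not None and len(response) != expected:
        raise ValueError(f"type {auth_type} needs a {expected}-byte response")
    name = user_name.encode("ascii")
    if len(name) > 32:
        raise ValueError("User Name exceeds 32 bytes")
    body = struct.pack(">HH", auth_type, len(response)) + response + name
    return struct.pack(">H", len(body)) + body


def parse_auth_response(buf: bytes):
    """Host side: recover (type, response, user name); the name is delimited
    only by Total Bytes, so the length checks are what keep it in bounds."""
    if len(buf) < 6:
        raise ValueError("response shorter than its fixed fields")
    total, auth_type, n = struct.unpack(">HHH", buf[:6])
    if total != len(buf) - 2:
        raise ValueError("Total Bytes disagrees with received length")
    response = buf[6:6 + n]
    if len(response) != n:
        raise ValueError("Response Bytes runs past the end of the response")
    return auth_type, response, buf[6 + n:].decode("ascii")


def implicit_session_key(password: str, challenge: bytes, key_len: int = 8) -> bytes:
    """Implicit key when the Session Key Negotiation phase is skipped:
    SHA-1(Unicode(password) || challenge), initial bytes as the key.
    UTF-16BE and the 8-byte length are assumptions."""
    return hashlib.sha1(password.encode("utf-16-be") + challenge).digest()[:key_len]


if __name__ == "__main__":
    challenge = bytes(range(8))                       # constructed sample challenge
    request = build_auth_request([(AUTH_NT_RAS_CHAP, challenge), (AUTH_NONE, b"")])
    chosen, chal = choose_auth_type(parse_auth_request(request))
    response = build_auth_response(chosen, bytes(16), "amanda")  # sample 16-byte response
    print(parse_auth_response(response), implicit_session_key("secret", chal).hex())
```

Note that the same challenge feeds both the CHAP response and the implicit key, and both the request and the response cross the public network unencrypted unless a session key was negotiated beforehand, which is why later protocol versions make that phase mandatory.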
During the initial portion of the established phase, there may be a success data
structure or a failure data structure and then during the actual established phase there
may be a data structure for data communicated to the remote client and a data
structure for data communicated to the host. These data structures are set forth below
in Tables 7 - 11. If a successful secure connection is established, then a connections
success data structure, as set forth in Table 7 is sent to the remote client.
Table 7 - Connection Success

Byte Offset   Width     Contents
0             2 bytes   Total Bytes: Total number of bytes in the transaction (excluding this field)
2             2 bytes   Success: always contains 0
4             2 bytes   Client Network Number: the assigned network number for the Client
6             1 byte    Client Node Number: the node number of the Client for the nearest AppleTalk Bridge
7             1 byte    Bridge Node Number: the node number of the nearest AppleTalk Bridge
8             2 bytes   Bridge Network Number: the network number of the nearest AppleTalk Bridge
10            2 bytes   Network Range Start: The start of the network range for the AppleTalk network connected to the Host
12            2 bytes   Network Range End: The end of the network range for the AppleTalk network connected to the Host
This successful connection data is sent by the Host when a connection is
successfully established between the Client and the Host. It contains the data
necessary to configure the AppleTalk connection on the Client side. The connection
success data structure thus contains the embedded information about the private data
network communications protocol so that private network data may be communicated
over the public network which has a different communications protocol. For example,
the Bridge Node Number and Bridge Network Number specify AppleTalk specific
network information, such as the AppleTalk default Bridge (or Router) on the network
that the Host resides on. This embedded private data network information permits the
client and the host to format their data formats, as set forth in Tables 10 and 11, for the
particular connection to the particular type of private data network. This embedded
information also permits the remote client to be treated as a virtual node of the
AppleTalk network so that any devices, such as printers or file servers, on the private
network may be accessed by the user of the remote client. The connection success
data structure is sent unencrypted, unless a session key has been negotiated in the
Session Key Negotiation phase, in which case it is encrypted. The connection failure
data format is set forth in Table 8.
Table 8 - Connection Failure

Byte Offset   Width     Contents
0             2 bytes   Total Bytes: Total number of bytes in the transaction (excluding this field)
2             2 bytes   Error Code: Contains the error code sent by the Host
This connection failure data is sent by the Host when a connection cannot be
successfully established between the Client and the Host. It contains a length field and
only one other field, an Error Code field. The error code field contains an optional
representation of why the connection failed. As a default, the host may always return
an "Undefined Error" message, which gives no information on why it rejected the
request. An example of the error codes are set forth below in Table 9.
Table 9 - Error Codes

Error Code   Description
1            Unsupported Authentication. This is returned when the Client sent an Authentication Response for an Authentication type which was not in the Authentication Request.
2            Failed Authentication. The specified User Name and Response were not valid for the authentication type and Challenge specified. Note: This could be any kind of error from unknown user to invalid password.
3            No Free Ports. The Host does not have any available ports.
4            Already Logged On. The specified User Name is already in use on this server, and multiple logins of the same user are disallowed.
0xFFFF       Undefined Error. An error prevented the connection from succeeding.
This error data is sent unencrypted, unless a session key has been negotiated in
the Session Key Negotiation phase, in which case it is encrypted. If the connection
failure data structure is sent, then the communications session ends. If a successful
connection is established, then data is communicated between the host and the client
using the data format for established data to the remote client as set forth in Table 10.
Table 10 - Established Data (To Client)

Byte Offset   Width                     Contents
0             2 bytes                   Length and Flags: contains the length of the following data in the low 10 bits and a set of reserved flags in the upper 6 bits.
2             2 bytes                   Source Network: the network number that sent the packet.
4             1 byte                    Source Node: the node number that sent the packet.
5             1 byte                    Destination Socket: the socket that the packet is being sent to.
6             1 byte                    Source Socket: the socket that sent the packet.
7             1 byte                    Type: the AppleTalk type of the packet.
8             Specified by the Length   Payload: the data from the original packet.
This data is sent from the Host to the Client during the established phase. As
shown, the data contains the AppleTalk specific information to route the data packet to
the client. This data is always encrypted. The basic format (with no flags set) contains
data from one packet on the AppleTalk network that is destined for the Client. An
example of the data format for data from the remote client to the host is set forth in
Table 11.
Table 11 - Established Data (From Client)

Byte Offset   Width                     Contents
0             2 bytes                   Length and Flags: contains the length of the following data in the low 10 bits and a set of reserved flags in the upper 6 bits.
2             2 bytes                   Destination Network: the network number the packet is being sent to.
4             1 byte                    Destination Node: the node number the packet is being sent to.
5             1 byte                    Destination Socket: the socket that the packet is being sent to.
6             1 byte                    Source Socket: the socket that sent the packet.
7             1 byte                    Type: the AppleTalk type of the packet.
8             Specified by the Length   Payload: the data for the packet.
This data is sent from the remote client to the host during the established phase
in order to communicate data packets. The data includes AppleTalk specific
information to route the client's data packets to the appropriate node on the private
data network. The established data from the remote client to the host is always
encrypted to ensure a secure communications channel. The basic format (without any
flags set) contains data from one data packet that the remote client is sending to the
host on the AppleTalk network. There are no special data formats for the
teardown phase since no data is communicated between the remote client and the host
during the teardown phase.
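To show the established-phase structures of Tables 7 to 11 in working form, here is an added Python example (not the patent's or Ascend's code). It builds and parses the Connection Success and Connection Failure structures with the error codes of Table 9, and encodes and decodes the Established Data frames, packing the Length and Flags word as a 10-bit length and 6 reserved flag bits. Two points are assumptions rather than statements on the page: the length in the low 10 bits is taken to count all bytes that follow the word (the 6-byte AppleTalk header plus the payload), and a success structure is told apart from a failure structure by its Success field always being 0 while every listed error code is non-zero. The frames are shown before encryption; in the real protocol the whole frame is encrypted with the negotiated method. The AppleTalk numbers used are constructed sample values.

```python
import struct

LENGTH_MASK = 0x03FF    # low 10 bits of the Length and Flags word
FLAGS_SHIFT = 10        # upper 6 bits: reserved flags
HEADER_LEN = 6          # network (2) + node (1) + dst socket (1) + src socket (1) + type (1)

ERROR_CODES = {         # Table 9
    1: "Unsupported Authentication",
    2: "Failed Authentication",
    3: "No Free Ports",
    4: "Already Logged On",
    0xFFFF: "Undefined Error",
}


def pack_length_flags(length: int, flags: int = 0) -> bytes:
    """Length and Flags word; a 10-bit length cannot describe more than 1023 bytes."""
    if not 0 <= length <= LENGTH_MASK:
        raise ValueError(f"length {length} does not fit in 10 bits")
    if not 0 <= flags <= 0x3F:
        raise ValueError("flags must fit in 6 bits")
    return struct.pack(">H", (flags << FLAGS_SHIFT) | length)


def unpack_length_flags(word: bytes):
    (value,) = struct.unpack(">H", word[:2])
    return value & LENGTH_MASK, value >> FLAGS_SHIFT


def build_established_frame(network, node, dst_socket, src_socket, ddp_type,
                            payload: bytes, flags: int = 0) -> bytes:
    """Tables 10 and 11 share one layout; only the meaning of network/node
    differs (source when sent to the client, destination when sent from it).
    The length is assumed to cover header + payload."""
    header = struct.pack(">HBBBB", network, node, dst_socket, src_socket, ddp_type)
    return pack_length_flags(len(header) + len(payload), flags) + header + payload


def parse_established_frame(buf: bytes) -> dict:
    length, flags = unpack_length_flags(buf)
    if length < HEADER_LEN or len(buf) - 2 != length:
        raise ValueError("Length field inconsistent with the bytes received")
    network, node, dst_socket, src_socket, ddp_type = struct.unpack(">HBBBB", buf[2:8])
    return {"flags": flags, "network": network, "node": node, "dst_socket": dst_socket,
            "src_socket": src_socket, "type": ddp_type, "payload": buf[8:2 + length]}


def build_connection_success(client_net, client_node, bridge_node, bridge_net,
                             range_start, range_end) -> bytes:
    """Table 7; Total Bytes is always 12 for this structure."""
    body = struct.pack(">HHBBHHH", 0, client_net, client_node, bridge_node,
                       bridge_net, range_start, range_end)
    return struct.pack(">H", len(body)) + body


def build_connection_failure(error_code: int = 0xFFFF) -> bytes:
    """Table 8; the Undefined Error default reveals nothing about the reason."""
    return struct.pack(">HH", 2, error_code)


def parse_connection_result(buf: bytes) -> dict:
    """Client side: decide between Table 7 and Table 8 and unpack the fields."""
    if len(buf) < 4:
        raise ValueError("result shorter than Total Bytes plus one field")
    total, second = struct.unpack(">HH", buf[:4])
    if total != len(buf) - 2:
        raise ValueError("Total Bytes disagrees with received length")
    if second != 0:                                   # assumed discriminator
        return {"ok": False, "error_code": second,
                "error": ERROR_CODES.get(second, "Unknown error code")}
    if total != 12:
        raise ValueError("Connection Success must carry exactly 12 bytes")
    client_net, client_node, bridge_node, bridge_net, start, end = \
        struct.unpack(">HBBHHH", buf[4:14])
    return {"ok": True, "client_network": client_net, "client_node": client_node,
            "bridge_node": bridge_node, "bridge_network": bridge_net,
            "range_start": start, "range_end": end}


if __name__ == "__main__":
    print(parse_connection_result(build_connection_success(0x1234, 5, 1, 0x1000, 0x1000, 0x10FF)))
    print(parse_connection_result(build_connection_failure(4)))
    frame = build_established_frame(0x1000, 7, 4, 129, 3, b"\x01\x02\x03")
    print(frame.hex(), parse_established_frame(frame))
```

The 10-bit length check matters on the receiving side: an AppleTalk DDP packet is small enough to fit, so a frame claiming more than 1023 bytes, or fewer than the 6 header bytes, is malformed and should close the session rather than be routed onto the private network.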
In summary, the invention provides a virtual private network system between a
private data network and a remote client which does not require expensive leased lines
or gateways to establish a secure communications path in which the remote client
becomes a virtual node of the private network. The system also permits an individual
to access the private data network without incurring any long distance telephone
charges. In addition, the system permits a private data network and remote client that
use a first communications protocol to communicate with each other over a public data
network that uses a different communications protocol. The system also permits an
individual to easily connect to the private data network as a virtual node without a
remote private network and the individual appears to be a node on the private network,
once connected, so that the individual may access any resources on the private data
network.
In operation, a user of the remote client establishes a secure connection with the
host of the private computer network through the authentication process so that the
remote client is a virtual node of the private network. The user may then transmit data
and commands in the private network's communication protocol over the public
network through the secure communications path and receive data and commands back
from the private network. For example, the user of the remote client may issue a print
command to a printer attached to the private network, that print command is
encapsulated in an encrypted data packet sent over the public access network, the host
computer decrypts the print command and passes the print command on to the printer
attached to the private network. Thus, the remote client is a virtual node of the private
network and the user of the remote client may access any of the resources of the private
network as if the remote client was an actual physical node of the private network.
While the foregoing has been with reference to a particular embodiment of the
invention, it will be appreciated by those skilled in the art that changes in this
embodiment may be made without departing from the principles and spirit of the
invention, the scope of which is defined by the appended claims.

Claims

1. A method for forming a virtual node for a private access network
having a private access communications protocol over a public access network having
a public access communications protocol, the virtual node being a remote client
computer and the method comprising:
establishing a secure communications path over the public access network
between a host computer connected to the private network and a remote client
computer to establish the remote client computer as a virtual node of the private
network;
generating a data packet to be transmitted over the secure communications
path, the data packet including data and information about routing the data in the data
packet in accordance with the private access communications protocol;
encrypting said data packet;
encapsulating said encrypted data packet into a second data packet having a
format compatible with the public access communications protocol;
transmitting the second data packet over the public access network;
unpacking the encrypted data packet from said second data packet; and
decrypting the data packet received from the public access network to route the
data in the data packet over the private access network using the information about the
private access communications protocol.
2. The method of Claim 1, wherein said establishing further comprises
negotiating a communications protocol compatible with the private network between
the host computer connected to the public access network and the remote client
computer, and authenticating the identity of the remote client computer.
3. The method of Claim 2, wherein the authentication comprises
generating a challenge at the host computer, communicating said challenge to the
remote client computer, and receiving a challenge response from the remote client
computer.
4. The method of Claim 1, further comprising negotiating a session key for
communicating between the host and the client.
5. The method of Claim 1, wherein generating the information in the data
packet comprises generating a network node identification number for the remote
client node.
6. The method of Claim 5, wherein said private access network comprises
an AppleTalk communications network.
7. The method of Claim 6, wherein said public access network comprises
the Internet.
8. A virtual node for a private access network having a private access
communications protocol over a public access network having a public access
communications protocol, the virtual node being a remote client computer and
comprising:
means for establishing a secure communications path over the public access
network between a host computer connected to the private network and a remote client
computer to establish the remote client computer as a virtual node of the private
network;
means for generating a data packet to be transmitted over the secure
communications path, the data packet including data and information about routing the
data in the data packet in accordance with the private access communications protocol;
means for encrypting said data packet;
means for encapsulating said encrypted data packet into a second data packet
having a format compatible with the public access communications protocol;
means for transmitting the second data packet over the public access network;
means for unpacking the encrypted data packet from said second data packet;
and
means for decrypting the data packet received from the public access network
to route the data in the data packet over the private access network using the
information about the private access communications protocol.
9. The virtual node of Claim 8, wherein said establishing means further
comprises means for negotiating a communications protocol compatible with the
private network between the host computer connected to the public access network and
the remote client computer, and means for authenticating the identity of the remote
client computer.
10. The virtual node of Claim 9, wherein the authentication means
comprises means for generating a challenge at the host computer, means for
communicating said challenge to the remote client computer, and means for receiving a
challenge response from the remote client computer.
11. The virtual node of Claim 8, further comprising negotiating a session key
for communicating between the host and the client.
12. The virtual node of Claim 8, wherein said means for generating the
information in the data packet comprises means for generating a network node
identification number for the remote client node.
13. The virtual node of Claim 12, wherein said private access network
comprises an AppleTalk communications network.
14. The virtual node of Claim 13, wherein said public access network
comprises the Internet.
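The method of Claim 1, with the challenge/response, session-key and node-id steps of Claims 3 to 5 and the print-command example from the description, carried through as an added worked example in Python. This is not code from the patent or from Ascend Communications. The patent specifies no cipher, no response function and no packet formats, so the cut-down DDP-style inner header, the "VPN1" outer header, the pre-shared secret with HMAC-SHA256 as the challenge response, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag are all assumptions made here (the last is a standard-library stand-in for a real AEAD such as AES-GCM). Claim 1 recites only "encrypting"; the example also attaches an authentication tag and a sequence number, because a host that decrypts without verifying integrity will route forged or replayed private-network packets straight to internal resources.

```python
# Added example, not the patent's code: one session of the WO1999038081A1 tunnel.
import hashlib
import hmac
import os
import struct

# Claim 3: challenge/response. Assumption: a per-user pre-shared secret and
# HMAC-SHA256 as the response function (the patent leaves the function open).
def make_challenge() -> bytes:
    return os.urandom(16)

def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, b"auth|" + challenge, hashlib.sha256).digest()

def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(challenge_response(secret, challenge), response)

# Claim 4: session keys. Assumption: derived from the secret and both sides'
# nonces; a real tunnel uses an authenticated Diffie-Hellman exchange so that a
# later compromise of the secret does not expose recorded sessions.
def derive_session_keys(secret: bytes, host_nonce: bytes, client_nonce: bytes):
    prk = hmac.new(secret, host_nonce + client_nonce, hashlib.sha256).digest()
    return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
            hmac.new(prk, b"mac", hashlib.sha256).digest())

# Claims 1 and 5: the private-protocol packet. Assumption: a cut-down
# AppleTalk DDP-style header (dest net, dest node, src node, dest socket, type).
DDP = struct.Struct("!HBBBB")

def build_private_packet(dst_net, dst_node, src_node, dst_socket, ddp_type, data):
    return DDP.pack(dst_net, dst_node, src_node, dst_socket, ddp_type) + data

def parse_private_packet(pkt: bytes) -> dict:
    net, node, src, sock, typ = DDP.unpack_from(pkt)
    return {"net": net, "node": node, "src_node": src, "socket": sock,
            "type": typ, "data": pkt[DDP.size:]}

# Claim 1: encrypt. The claim says only "encrypting"; a MAC and a sequence
# number are added so forged or replayed datagrams are dropped before the host
# routes anything. HMAC-SHA256 in counter mode stands in for a real AEAD
# (AES-GCM or ChaCha20-Poly1305) only to keep this example stdlib-only.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    nonce = struct.pack("!Q", seq)  # sequence number doubles as a never-reused nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(enc_key: bytes, mac_key: bytes, blob: bytes, last_seq: int):
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")  # forged or corrupted
    seq = struct.unpack("!Q", nonce)[0]
    if seq <= last_seq:
        raise ValueError("replayed datagram")
    return seq, bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Claim 1: encapsulate for the public network. Assumption: a 4-byte marker and
# a length as the outer header; in practice this rides inside UDP/IP.
OUTER = struct.Struct("!4sH")

def encapsulate(blob: bytes) -> bytes:
    return OUTER.pack(b"VPN1", len(blob)) + blob

def decapsulate(datagram: bytes) -> bytes:
    marker, length = OUTER.unpack_from(datagram)
    body = datagram[OUTER.size:OUTER.size + length]
    if marker != b"VPN1" or len(body) != length:
        raise ValueError("malformed outer datagram")
    return body

# The print-command example from the description. Constructed routing table:
# (dest net, dest node, dest socket) -> resource on the private network.
ROUTES = {(1, 7, 129): "LaserWriter"}

def run_session(secret: bytes, command: bytes, tamper: bool = False) -> dict:
    # host authenticates the client, then both sides derive session keys
    challenge, host_nonce, client_nonce = make_challenge(), os.urandom(16), os.urandom(16)
    if not verify_response(secret, challenge, challenge_response(secret, challenge)):
        raise PermissionError("client failed authentication")
    enc_key, mac_key = derive_session_keys(secret, host_nonce, client_nonce)
    client_node = 250  # claim 5: node id assigned to the virtual node (constructed)
    # client side: private packet -> encrypt -> encapsulate -> public network
    inner = build_private_packet(1, 7, client_node, 129, 1, command)
    datagram = encapsulate(seal(enc_key, mac_key, 1, inner))
    if tamper:  # one bit flipped in transit
        datagram = datagram[:-1] + bytes([datagram[-1] ^ 0x01])
    # host side: unpack -> verify and decrypt -> route on the private header
    seq, inner_rx = unseal(enc_key, mac_key, decapsulate(datagram), last_seq=0)
    hdr = parse_private_packet(inner_rx)
    return {"src_node": hdr["src_node"], "seq": seq, "data": hdr["data"],
            "resource": ROUTES.get((hdr["net"], hdr["node"], hdr["socket"]), "unroutable")}
```

`run_session(secret, command)` returns the decrypted command together with the resource the host's routing table selects from the private header; with `tamper=True` the host raises `ValueError` from `unseal` before any decryption or routing takes place. Two caveats a practitioner would add: the challenge of Claim 3 runs in one direction only (host challenges client) and the example follows it, whereas a deployable tunnel also authenticates the host to the client; and the sequence check here is strictly monotonic, which drops legitimately reordered datagrams, so a real implementation keeps a sliding replay window instead.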
PCT/US1999/001583 1998-01-26 1999-01-26 Virtual private network system and method WO1999038081A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU25625/99A AU2562599A (en) 1998-01-26 1999-01-26 Virtual private network system and method
EP99905473A EP1064602A4 (en) 1998-01-26 1999-01-26 Virtual private network system and method
CA002318267A CA2318267C (en) 1998-01-26 1999-01-26 Virtual private network system and method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/013,122 1998-01-26
US09/013,122 US6055575A (en) 1997-01-28 1998-01-26 Virtual private network system and method

Publications (1)

Publication Number Publication Date
WO1999038081A1 true WO1999038081A1 (en) 1999-07-29

Family

ID=21758422

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1999/001583 WO1999038081A1 (en) 1998-01-26 1999-01-26 Virtual private network system and method

Country Status (5)

Country Link
US (1) US6055575A (en)
EP (1) EP1064602A4 (en)
AU (1) AU2562599A (en)
CA (1) CA2318267C (en)
WO (1) WO1999038081A1 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001045351A2 (en) * 1999-12-10 2001-06-21 Sun Microsystems, Inc. Scalable security for groups in a virtual private network
US6502135B1 (en) 1998-10-30 2002-12-31 Science Applications International Corporation Agile network protocol for secure communications with assured system availability
GB2384667A (en) * 2002-01-04 2003-07-30 Sun Microsystems Inc Transmitting Security Data in Network Addressing Information over a Supernet
EP1451708A2 (en) * 2001-12-10 2004-09-01 Virtual Locality Ltd. Apparatus and method for optimized and secured reflection of network services to remote locations
US6798782B1 (en) 1999-12-10 2004-09-28 Sun Microsystems, Inc. Truly anonymous communications using supernets, with the provision of topology hiding
US6826616B2 (en) 1998-10-30 2004-11-30 Science Applications International Corp. Method for establishing secure communication link between computers of virtual private network
EP1501256A2 (en) 2003-06-30 2005-01-26 Microsoft Corporation System and method for automatic negotiation of a security protocol
US6870842B1 (en) 1999-12-10 2005-03-22 Sun Microsystems, Inc. Using multicasting to provide ethernet-like communication behavior to selected peers on a network
US6970941B1 (en) 1999-12-10 2005-11-29 Sun Microsystems, Inc. System and method for separating addresses from the delivery scheme in a virtual private network
US7010604B1 (en) 1998-10-30 2006-03-07 Science Applications International Corporation Agile network protocol for secure communications with assured system availability
US7336790B1 (en) 1999-12-10 2008-02-26 Sun Microsystems Inc. Decoupling access control from key management in a network
EP1934780A1 (en) * 2005-09-12 2008-06-25 Microsoft Corporation Creating secure interactive connections with remote resources
US8843643B2 (en) 1998-10-30 2014-09-23 Virnetx, Inc. System and method employing an agile network protocol for secure communications using secure domain names
US10511573B2 (en) 1998-10-30 2019-12-17 Virnetx, Inc. Agile network protocol for secure communications using secure domain names

Families Citing this family (133)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10361802B1 (en) 1999-02-01 2019-07-23 Blanding Hovenweep, Llc Adaptive pattern recognition based control system and method
US6771590B1 (en) * 1996-08-22 2004-08-03 Tellabs Operations, Inc. Communication system clock synchronization techniques
US5790514A (en) * 1996-08-22 1998-08-04 Tellabs Operations, Inc. Multi-point OFDM/DMT digital communications system including remote service unit with improved receiver architecture
US6118758A (en) * 1996-08-22 2000-09-12 Tellabs Operations, Inc. Multi-point OFDM/DMT digital communications system including remote service unit with improved transmitter architecture
NZ336275A (en) * 1997-01-24 2002-02-01 Extricity Inc A system and method for creating, executing and maintaining cross-enterprise processes
US6226748B1 (en) * 1997-06-12 2001-05-01 Vpnet Technologies, Inc. Architecture for virtual private networks
US6209097B1 (en) * 1997-12-05 2001-03-27 Tokyo Electron Device Limited Content protection method and content protection system
US7369556B1 (en) 1997-12-23 2008-05-06 Cisco Technology, Inc. Router for virtual private network employing tag switching
US6339595B1 (en) * 1997-12-23 2002-01-15 Cisco Technology, Inc. Peer-model support for virtual private networks with potentially overlapping addresses
US6119171A (en) * 1998-01-29 2000-09-12 Ip Dynamics, Inc. Domain name routing
JP3013834B2 (en) * 1998-01-30 2000-02-28 日本電気株式会社 Call processing method of VPN service
CA2228687A1 (en) * 1998-02-04 1999-08-04 Brett Howard Secured virtual private networks
ES2389626T3 (en) 1998-04-03 2012-10-29 Tellabs Operations, Inc. Shortening filter for impulse response, with additional spectral restrictions, for transmission of multiple carriers
US7440498B2 (en) 2002-12-17 2008-10-21 Tellabs Operations, Inc. Time domain equalization for discrete multi-tone systems
US6631175B2 (en) * 1998-04-03 2003-10-07 Tellabs Operations, Inc. Spectrally constrained impulse shortening filter for a discrete multi-tone receiver
US6434619B1 (en) * 1998-04-29 2002-08-13 Alcatel Canada Inc. Internet-enabled service management system and method
US6449272B1 (en) * 1998-05-08 2002-09-10 Lucent Technologies Inc. Multi-hop point-to-point protocol
US6795424B1 (en) 1998-06-30 2004-09-21 Tellabs Operations, Inc. Method and apparatus for interference suppression in orthogonal frequency division multiplexed (OFDM) wireless communication systems
US6571289B1 (en) * 1998-08-03 2003-05-27 Sun Microsystems, Inc. Chained registrations for mobile IP
US6308281B1 (en) * 1998-09-02 2001-10-23 International Business Machines Corporation Virtual client to gateway connection over multiple physical connections
US6487600B1 (en) * 1998-09-12 2002-11-26 Thomas W. Lynch System and method for supporting multimedia communications upon a dynamically configured member network
US6539021B1 (en) * 1998-10-02 2003-03-25 Nortel Networks Limited Role based management independent of the hardware topology
US7373655B1 (en) 1998-12-22 2008-05-13 At&T Mobility Ii Llc System for securing inbound and outbound data packet flow in a computer network
US7307990B2 (en) * 1999-01-19 2007-12-11 Cisco Technology, Inc. Shared communications network employing virtual-private-network identifiers
US6636898B1 (en) * 1999-01-29 2003-10-21 International Business Machines Corporation System and method for central management of connections in a virtual private network
US6988199B2 (en) * 2000-07-07 2006-01-17 Message Secure Secure and reliable document delivery
US20020019932A1 (en) * 1999-06-10 2002-02-14 Eng-Whatt Toh Cryptographically secure network
US20020101998A1 (en) * 1999-06-10 2002-08-01 Chee-Hong Wong Fast escrow delivery
US6684331B1 (en) 1999-12-22 2004-01-27 Cisco Technology, Inc. Method and apparatus for distributing and updating group controllers over a wide area network using a tree structure
US7103185B1 (en) 1999-12-22 2006-09-05 Cisco Technology, Inc. Method and apparatus for distributing and updating private keys of multicast group managers using directory replication
US7434046B1 (en) 1999-09-10 2008-10-07 Cisco Technology, Inc. Method and apparatus providing secure multicast group communication
US7013389B1 (en) 1999-09-29 2006-03-14 Cisco Technology, Inc. Method and apparatus for creating a secure communication channel among multiple event service nodes
US7260716B1 (en) 1999-09-29 2007-08-21 Cisco Technology, Inc. Method for overcoming the single point of failure of the central group controller in a binary tree group key exchange approach
US6987855B1 (en) * 1999-09-10 2006-01-17 Cisco Technology, Inc. Operational optimization of a shared secret Diffie-Hellman key exchange among broadcast or multicast groups
US7181014B1 (en) 1999-09-10 2007-02-20 Cisco Technology, Inc. Processing method for key exchange among broadcast or multicast groups that provides a more efficient substitute for Diffie-Hellman key exchange
US6643287B1 (en) * 1999-11-24 2003-11-04 Pluris, Inc. Apparatus and method for forwarding encapsulated data packets on a network having multiple links between nodes
US7765581B1 (en) 1999-12-10 2010-07-27 Oracle America, Inc. System and method for enabling scalable security in a virtual private network
US6977929B1 (en) 1999-12-10 2005-12-20 Sun Microsystems, Inc. Method and system for facilitating relocation of devices on a network
US6938169B1 (en) 1999-12-10 2005-08-30 Sun Microsystems, Inc. Channel-specific file system views in a private network using a public-network infrastructure
US7089211B1 (en) * 2000-01-12 2006-08-08 Cisco Technology, Inc. Directory enabled secure multicast group communications
US6529868B1 (en) * 2000-03-28 2003-03-04 Tellabs Operations, Inc. Communication system noise cancellation power signal calculation techniques
US6981041B2 (en) * 2000-04-13 2005-12-27 Aep Networks, Inc. Apparatus and accompanying methods for providing, through a centralized server site, an integrated virtual office environment, remotely accessible via a network-connected web browser, with remote network monitoring and management capabilities
US7020696B1 (en) * 2000-05-20 2006-03-28 Ciena Corp. Distributed user management information in telecommunications networks
US6941457B1 (en) 2000-06-30 2005-09-06 Cisco Technology, Inc. Establishing a new shared secret key over a broadcast channel for a multicast group based on an old shared secret key
US7251728B2 (en) 2000-07-07 2007-07-31 Message Secure Corporation Secure and reliable document delivery using routing lists
US6647109B1 (en) * 2000-07-21 2003-11-11 Conexant Systems, Inc. Network telephony
US20020143960A1 (en) * 2000-08-02 2002-10-03 Erez Goren Virtual network generation system and method
DE10045975A1 (en) * 2000-09-16 2002-04-11 Bosch Gmbh Robert Procedure for controlling access
US20020048372A1 (en) * 2000-10-19 2002-04-25 Eng-Whatt Toh Universal signature object for digital data
US8996698B1 (en) * 2000-11-03 2015-03-31 Truphone Limited Cooperative network for mobile internet access
KR20010066996A (en) * 2000-11-07 2001-07-12 이광세 ASIC of VPN using IP-Sec(internet protocol-security)
US7660902B2 (en) * 2000-11-20 2010-02-09 Rsa Security, Inc. Dynamic file access control and management
US6986061B1 (en) 2000-11-20 2006-01-10 International Business Machines Corporation Integrated system for network layer security and fine-grained identity-based access control
US20040054902A1 (en) * 2000-12-06 2004-03-18 Yoshinori Fujimoto Virtual private network
US7181519B2 (en) * 2000-12-11 2007-02-20 Silverback Technologies, Inc. Distributed network monitoring and control system
US6931529B2 (en) 2001-01-05 2005-08-16 International Business Machines Corporation Establishing consistent, end-to-end protection for a user datagram
US9954686B2 (en) 2001-01-18 2018-04-24 Virnetx, Inc. Systems and methods for certifying devices to communicate securely
US7209479B2 (en) 2001-01-18 2007-04-24 Science Application International Corp. Third party VPN certification
DE10108408A1 (en) * 2001-02-21 2002-08-29 Gloocorp Ag Virtual private network has secure data exchange with internet key distribution
US7181017B1 (en) 2001-03-23 2007-02-20 David Felsher System and method for secure three-party communications
US20020144144A1 (en) * 2001-03-27 2002-10-03 Jeffrey Weiss Method and system for common control of virtual private network devices
US20020143872A1 (en) * 2001-03-27 2002-10-03 Jeffrey Weiss Multiple service management platform utilizing common directory
US20020154635A1 (en) * 2001-04-23 2002-10-24 Sun Microsystems, Inc. System and method for extending private networks onto public infrastructure using supernets
US7099947B1 (en) * 2001-06-08 2006-08-29 Cisco Technology, Inc. Method and apparatus providing controlled access of requests from virtual private network devices to managed information objects using simple network management protocol
US7526480B2 (en) * 2001-06-08 2009-04-28 Cisco Technology, Inc. Method and apparatus for controlled access of requests from virtual private network devices to managed information objects using simple network management protocol and multi-topology routing
US20050198379A1 (en) 2001-06-13 2005-09-08 Citrix Systems, Inc. Automatically reconnecting a client across reliable and persistent communication sessions
US7562146B2 (en) * 2003-10-10 2009-07-14 Citrix Systems, Inc. Encapsulating protocol for session persistence and reliability
KR20010107790A (en) * 2001-07-06 2001-12-07 김인규 Method of establishing virtual private network and VPN gateway using thereof
US7827292B2 (en) * 2001-07-23 2010-11-02 At&T Intellectual Property Ii, L.P. Flexible automated connection to virtual private networks
US8239531B1 (en) 2001-07-23 2012-08-07 At&T Intellectual Property Ii, L.P. Method and apparatus for connection to virtual private networks for secure transactions
US7827278B2 (en) * 2001-07-23 2010-11-02 At&T Intellectual Property Ii, L.P. System for automated connection to virtual private networks related applications
US20030079030A1 (en) * 2001-08-22 2003-04-24 Cocotis Thomas A. Output management system and method for enabling access to private network resources
US7089304B2 (en) * 2001-08-30 2006-08-08 Microsoft Corporation Metered Internet usage
US20030046586A1 (en) * 2001-09-05 2003-03-06 Satyam Bheemarasetti Secure remote access to data between peers
US20030067902A1 (en) * 2001-09-21 2003-04-10 Skeba Kirk W. Method for providing multiple certified radio modules with a baseband
US7334125B1 (en) 2001-11-27 2008-02-19 Cisco Technology, Inc. Facilitating secure communications among multicast nodes in a telecommunications network
KR100412041B1 (en) * 2002-01-04 2003-12-24 삼성전자주식회사 Home Gateway and method for executing security protocol function
US7984157B2 (en) * 2002-02-26 2011-07-19 Citrix Systems, Inc. Persistent and reliable session securely traversing network components using an encapsulating protocol
US7661129B2 (en) * 2002-02-26 2010-02-09 Citrix Systems, Inc. Secure traversal of network components
US7188182B2 (en) * 2002-03-20 2007-03-06 Microsoft Corporation Selecting an appropriate transfer mechanism for transferring an object
US7363363B2 (en) * 2002-05-17 2008-04-22 Xds, Inc. System and method for provisioning universal stateless digital and computing services
US7937471B2 (en) * 2002-06-03 2011-05-03 Inpro Network Facility, Llc Creating a public identity for an entity on a network
US7143136B1 (en) * 2002-06-06 2006-11-28 Cadence Design Systems, Inc. Secure inter-company collaboration environment
US7546360B2 (en) * 2002-06-06 2009-06-09 Cadence Design Systems, Inc. Isolated working chamber associated with a secure inter-company collaboration environment
US7325140B2 (en) * 2003-06-13 2008-01-29 Engedi Technologies, Inc. Secure management access control for computers, embedded and card embodiment
AU2003276819A1 (en) * 2002-06-13 2003-12-31 Engedi Technologies, Inc. Out-of-band remote management station
US20050193103A1 (en) * 2002-06-18 2005-09-01 John Drabik Method and apparatus for automatic configuration and management of a virtual private network
US7546372B2 (en) * 2002-07-11 2009-06-09 Ibeam Systems, Inc. System and method for providing to multiple user computers concurrent telephonic access to multiple remote devices
US8234358B2 (en) * 2002-08-30 2012-07-31 Inpro Network Facility, Llc Communicating with an entity inside a private network using an existing connection to initiate communication
US7139828B2 (en) * 2002-08-30 2006-11-21 Ip Dynamics, Inc. Accessing an entity inside a private network
JP2004104280A (en) * 2002-09-06 2004-04-02 Yamatake Corp Interface apparatus for encrypted network supervision
US7689722B1 (en) * 2002-10-07 2010-03-30 Cisco Technology, Inc. Methods and apparatus for virtual private network fault tolerance
US7448068B2 (en) * 2002-10-21 2008-11-04 Microsoft Corporation Automatic client authentication for a wireless network protected by PEAP, EAP-TLS, or other extensible authentication protocols
US8332464B2 (en) * 2002-12-13 2012-12-11 Anxebusiness Corp. System and method for remote network access
US8244875B2 (en) * 2002-12-13 2012-08-14 ANXeBusiness Corporation Secure network computing
US7633909B1 (en) 2002-12-20 2009-12-15 Sprint Spectrum L.P. Method and system for providing multiple connections from a common wireless access point
US7298702B1 (en) * 2002-12-20 2007-11-20 Sprint Spectrum L.P. Method and system for providing remote telephone service via a wireless local area network
US7207058B2 (en) * 2002-12-31 2007-04-17 American Express Travel Related Services Company, Inc. Method and system for transmitting authentication context information
US9818136B1 (en) 2003-02-05 2017-11-14 Steven M. Hoffberg System and method for determining contingent relevance
US7949785B2 (en) 2003-03-31 2011-05-24 Inpro Network Facility, Llc Secure virtual community network system
JP2004328029A (en) * 2003-04-21 2004-11-18 Nec Corp Network access system
US7715380B2 (en) * 2003-06-19 2010-05-11 Cisco Technology, Inc. Apparatus and methods for handling shared services through virtual route forwarding (VRF)-aware-NAT
US7916739B2 (en) * 2003-06-24 2011-03-29 Ntt Docomo, Inc. Location privacy for internet protocol networks using cryptographically protected prefixes
US8719053B2 (en) * 2003-07-17 2014-05-06 Ventana Medical Systems, Inc. Laboratory instrumentation information management and control network
AU2004302108C1 (en) * 2003-08-08 2010-09-16 Keiko Ogawa Communication system, communication device, communication method, and communication program for realizing the same
US7437457B1 (en) * 2003-09-08 2008-10-14 Aol Llc, A Delaware Limited Liability Company Regulating concurrent logins associated with a single account
US20050198262A1 (en) * 2004-01-14 2005-09-08 Jon Barry Method and system for measuring remote-access VPN quality of service
US20050228848A1 (en) * 2004-03-22 2005-10-13 Thurston Stacy D Method and system for operating a peer network
US7519719B2 (en) * 2004-04-15 2009-04-14 Agilent Technologies, Inc. Automatic creation of protocol dependent control path for instrument application
US7693977B2 (en) * 2004-12-30 2010-04-06 Intel Corporation Systems and methods for virtualizing functions and decentralizing service delivery in a flat network of interconnected personal devices
US8874477B2 (en) 2005-10-04 2014-10-28 Steven Mark Hoffberg Multifactorial optimization system and method
US8250151B2 (en) * 2005-10-12 2012-08-21 Bloomberg Finance L.P. System and method for providing secure data transmission
US7783985B2 (en) * 2006-01-04 2010-08-24 Citrix Systems, Inc. Systems and methods for transferring data between computing devices
US7953803B2 (en) * 2006-02-08 2011-05-31 International Business Machines Corporation Multiple login instant messaging
US8429396B1 (en) * 2006-05-31 2013-04-23 Juniper Networks, Inc. Peer discovery and secure communication in failover schemes
US8280431B2 (en) 2006-12-29 2012-10-02 Intel Corporation Apparatus for end-user transparent utilization of computational, storage, and network capacity of mobile devices, and associated methods
US7940778B2 (en) * 2007-06-29 2011-05-10 Intel Corporation Cross-layer approach to virtualized overlay on ad hoc networks
US20090059837A1 (en) * 2007-08-31 2009-03-05 Morgan Kurk System and method for management and administration of repeaters and antenna systems
US8190707B2 (en) 2007-10-20 2012-05-29 Citrix Systems, Inc. System and method for transferring data among computing environments
WO2009055717A1 (en) * 2007-10-24 2009-04-30 Jonathan Peter Deutsch Various methods and apparatuses for a central station to allocate virtual ip addresses
US7817636B2 (en) * 2008-01-30 2010-10-19 Cisco Technology, Inc. Obtaining information on forwarding decisions for a packet flow
US8286232B2 (en) 2009-03-13 2012-10-09 Novell, Inc. System and method for transparent cloud access
US8699499B2 (en) * 2010-12-08 2014-04-15 At&T Intellectual Property I, L.P. Methods and apparatus to provision cloud computing network elements
US9363313B2 (en) * 2012-06-11 2016-06-07 Cisco Technology, Inc. Reducing virtual IP-address (VIP) failure detection time
US9060025B2 (en) 2013-02-05 2015-06-16 Fortinet, Inc. Cloud-based security policy configuration
US9877123B2 (en) 2015-07-02 2018-01-23 Gn Hearing A/S Method of manufacturing a hearing device and hearing device with certificate
US9887848B2 (en) 2015-07-02 2018-02-06 Gn Hearing A/S Client device with certificate and related method
DK201570433A1 (en) 2015-07-02 2017-01-30 Gn Hearing As Hearing device with model control and associated methods
US10158955B2 (en) 2015-07-02 2018-12-18 Gn Hearing A/S Rights management in a hearing device
US10318720B2 (en) 2015-07-02 2019-06-11 Gn Hearing A/S Hearing device with communication logging and related method
US10158953B2 (en) 2015-07-02 2018-12-18 Gn Hearing A/S Hearing device and method of updating a hearing device
US10104522B2 (en) * 2015-07-02 2018-10-16 Gn Hearing A/S Hearing device and method of hearing device communication
US9942201B1 (en) 2015-12-16 2018-04-10 vIPtela Inc. Context specific keys

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5416842A (en) * 1994-06-10 1995-05-16 Sun Microsystems, Inc. Method and apparatus for key-management scheme for use with internet protocols at site firewalls
US5548646A (en) * 1994-09-15 1996-08-20 Sun Microsystems, Inc. System for signatureless transmission and reception of data packets between computer networks
US5550984A (en) * 1994-12-07 1996-08-27 Matsushita Electric Corporation Of America Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information
US5835726A (en) * 1993-12-15 1998-11-10 Check Point Software Technologies Ltd. System for securing the flow of and selectively modifying packets in a computer network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5444782A (en) * 1993-03-09 1995-08-22 Uunet Technologies, Inc. Computer network encryption/decryption device
CA2176032A1 (en) * 1994-01-13 1995-07-20 Bankers Trust Company Cryptographic system and method with key escrow feature
US6487661B2 (en) * 1995-04-21 2002-11-26 Certicom Corp. Key agreement and transport protocol

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5835726A (en) * 1993-12-15 1998-11-10 Check Point Software Technologies Ltd. System for securing the flow of and selectively modifying packets in a computer network
US5416842A (en) * 1994-06-10 1995-05-16 Sun Microsystems, Inc. Method and apparatus for key-management scheme for use with internet protocols at site firewalls
US5548646A (en) * 1994-09-15 1996-08-20 Sun Microsystems, Inc. System for signatureless transmission and reception of data packets between computer networks
US5550984A (en) * 1994-12-07 1996-08-27 Matsushita Electric Corporation Of America Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP1064602A4 *

Cited By (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8874771B2 (en) 1998-10-30 2014-10-28 Virnetx, Inc. Agile network protocol for secure communications with assured system availability
US8904516B2 (en) 1998-10-30 2014-12-02 Virnetx, Inc. System and method employing an agile network protocol for secure communications using secure domain names
US6502135B1 (en) 1998-10-30 2002-12-31 Science Applications International Corporation Agile network protocol for secure communications with assured system availability
US9374346B2 (en) 1998-10-30 2016-06-21 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US9094399B2 (en) 1998-10-30 2015-07-28 Virnetx, Inc. Method for establishing secure communication link between computers of virtual private network
US6618761B2 (en) 1998-10-30 2003-09-09 Science Applications International Corp. Agile network protocol for secure communications with assured system availability
US9077695B2 (en) 1998-10-30 2015-07-07 Virnetx, Inc. System and method for establishing an encrypted communication link based on IP address lookup requests
US9077694B2 (en) 1998-10-30 2015-07-07 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US9037713B2 (en) 1998-10-30 2015-05-19 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US6826616B2 (en) 1998-10-30 2004-11-30 Science Applications International Corp. Method for establishing secure communication link between computers of virtual private network
US6834310B2 (en) 1998-10-30 2004-12-21 Science Applications International Corp. Preventing packet flooding of a computer on a computer network
US6839759B2 (en) 1998-10-30 2005-01-04 Science Applications International Corp. Method for establishing secure communication link between computers of virtual private network without user entering any cryptographic information
US9413766B2 (en) 1998-10-30 2016-08-09 Virnetx, Inc. Method for establishing connection between devices
US10511573B2 (en) 1998-10-30 2019-12-17 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US9038163B2 (en) 1998-10-30 2015-05-19 Virnetx, Inc. Systems and methods for connecting network devices over communication network
US6907473B2 (en) 1998-10-30 2005-06-14 Science Applications International Corp. Agile network protocol for secure communications with assured system availability
US9027115B2 (en) 1998-10-30 2015-05-05 Virnetx, Inc. System and method for using a registered name to connect network devices with a link that uses encryption
US9967240B2 (en) 1998-10-30 2018-05-08 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US8943201B2 (en) 1998-10-30 2015-01-27 Virnetx, Inc. Method for establishing encrypted channel
US7133930B2 (en) 1998-10-30 2006-11-07 Science Applications International Corporation Agile network protocol for secure communications with assured system availability
US10187387B2 (en) 1998-10-30 2019-01-22 Virnetx, Inc. Method for establishing connection between devices
US7188180B2 (en) 1998-10-30 2007-03-06 Vimetx, Inc. Method for establishing secure communication link between computers of virtual private network
US9386000B2 (en) 1998-10-30 2016-07-05 Virnetx, Inc. System and method for establishing a communication link
US9100375B2 (en) 1998-10-30 2015-08-04 Virnetx, Inc. System and method employing an agile network protocol for secure communications using secure domain names
US7010604B1 (en) 1998-10-30 2006-03-07 Science Applications International Corporation Agile network protocol for secure communications with assured system availability
US9860283B2 (en) 1998-10-30 2018-01-02 Virnetx, Inc. Agile network protocol for secure video communications with assured system availability
US9819649B2 (en) 1998-10-30 2017-11-14 Virnetx, Inc. System and method employing an agile network protocol for secure communications using secure domain names
US8868705B2 (en) 1998-10-30 2014-10-21 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US8850009B2 (en) 1998-10-30 2014-09-30 Virnetx, Inc. System and method employing an agile network protocol for secure communications using secure domain names
US9479426B2 (en) 1998-10-30 2016-10-25 Virnetx, Inc. Agile network protocol for secure communications with assured system availability
US8843643B2 (en) 1998-10-30 2014-09-23 Virnetx, Inc. System and method employing an agile network protocol for secure communications using secure domain names
WO2001045351A2 (en) * 1999-12-10 2001-06-21 Sun Microsystems, Inc. Scalable security for groups in a virtual private network
US6798782B1 (en) 1999-12-10 2004-09-28 Sun Microsystems, Inc. Truly anonymous communications using supernets, with the provision of topology hiding
US7336790B1 (en) 1999-12-10 2008-02-26 Sun Microsystems Inc. Decoupling access control from key management in a network
WO2001045351A3 (en) * 1999-12-10 2002-03-21 Sun Microsystems Inc Scalable security for groups in a virtual private network
US6970941B1 (en) 1999-12-10 2005-11-29 Sun Microsystems, Inc. System and method for separating addresses from the delivery scheme in a virtual private network
US6870842B1 (en) 1999-12-10 2005-03-22 Sun Microsystems, Inc. Using multicasting to provide ethernet-like communication behavior to selected peers on a network
US7685309B2 (en) 1999-12-10 2010-03-23 Sun Microsystems, Inc. System and method for separating addresses from the delivery scheme in a virtual private network
EP2197176A1 (en) * 2000-02-15 2010-06-16 VirnetX Inc. Agile network protocol for secure communications with assured system availability
WO2001061922A3 (en) * 2000-02-15 2003-03-06 Science Applic Int Corp Agile network protocol for secure communications with assured system availability
EP1451708A2 (en) * 2001-12-10 2004-09-01 Virtual Locality Ltd. Apparatus and method for optimized and secured reflection of network services to remote locations
EP1451708A4 (en) * 2001-12-10 2006-10-11 Sap Portals Israel Ltd Apparatus and method for optimized and secured reflection of network services to remote locations
GB2384667B (en) * 2002-01-04 2004-02-25 Sun Microsystems Inc Method and apparatus for conveying a security context in addressing information
GB2384667A (en) * 2002-01-04 2003-07-30 Sun Microsystems Inc Transmitting Security Data in Network Addressing Information over a Supernet
US7254835B2 (en) 2002-01-04 2007-08-07 Sun Microsystems, Inc. Method and apparatus for conveying a security context in addressing information
EP1501256A2 (en) 2003-06-30 2005-01-26 Microsoft Corporation System and method for automatic negotiation of a security protocol
US7526640B2 (en) 2003-06-30 2009-04-28 Microsoft Corporation System and method for automatic negotiation of a security protocol
EP1501256A3 (en) * 2003-06-30 2007-02-21 Microsoft Corporation System and method for automatic negotiation of a security protocol
JP2005025739A (en) * 2003-06-30 2005-01-27 Microsoft Corp System and method for automatic negotiation of security protocol
US9038162B2 (en) 2005-09-12 2015-05-19 Microsoft Technology Licensing, Llc Creating secure interactive connections with remote resources
US8220042B2 (en) 2005-09-12 2012-07-10 Microsoft Corporation Creating secure interactive connections with remote resources
EP1934780A4 (en) * 2005-09-12 2010-01-13 Microsoft Corp Creating secure interactive connections with remote resources
EP1934780A1 (en) * 2005-09-12 2008-06-25 Microsoft Corporation Creating secure interactive connections with remote resources

Also Published As

Publication number Publication date
CA2318267A1 (en) 1999-07-29
AU2562599A (en) 1999-08-09
EP1064602A4 (en) 2005-08-31
EP1064602A1 (en) 2001-01-03
CA2318267C (en) 2005-12-06
US6055575A (en) 2000-04-25

Similar Documents

Publication Publication Date Title
US6055575A (en) Virtual private network system and method
Satran et al. Internet small computer systems interface (iSCSI)
Myers Simple authentication and security layer (SASL)
US8522337B2 (en) Selecting a security format conversion for wired and wireless devices
US5918019A (en) Virtual dial-up protocol for network communication
US7159242B2 (en) Secure IPsec tunnels with a background system accessible via a gateway implementing NAT
EP1501256B1 (en) System and method for automatic negotiation of a security protocol
CA2394456C (en) Flexible automated connection to virtual private networks
JP4632315B2 (en) Method and system for single sign-on operation providing grid access and network access
US7768941B1 (en) Method and system for initiating a virtual private network over a shared network on behalf of a wireless terminal
EP1635502B1 (en) Session control server and communication system
JP4407452B2 (en) Server, VPN client, VPN system, and software
Zorn Microsoft vendor-specific RADIUS attributes
EP0838930A2 (en) Pseudo network adapter for frame capture, encapsulation and encryption
US20040158716A1 (en) Authentication and authorisation based secure ip connections for terminals
JP2002082907A (en) Security function substitution method in data communication and its system, and recording medium
US7316030B2 (en) Method and system for authenticating a personal security device vis-à-vis at least one remote computer system
Chadalapaka et al. Internet small computer system interface (iSCSI) protocol (consolidated)
CN109005179A (en) Network security tunnel establishing method based on port controlling
Beadles et al. Criteria for Evaluating Network Access Server Protocols
KR100471790B1 (en) Device for sending data using multi-tunneled virtual private network gateway
Myers RFC2222: Simple Authentication and Security Layer (SASL)
Ts'o Telnet Data Encryption Option
TW512263B (en) On-demand system and method for access repeater used in Virtual Private Network
JP2003152805A (en) Public access system and apparatus, and server

Legal Events

Date Code Title Description
AK Designated states
Kind code of ref document: A1
Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZW
AL Designated countries for regional patents
Kind code of ref document: A1
Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG
121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase
Ref document number: 2318267; Country of ref document: CA
Ref country code: CA; Ref document number: 2318267; Kind code of ref document: A; Format of ref document f/p: F
WWE Wipo information: entry into national phase
Ref document number: 1999905473; Country of ref document: EP
NENP Non-entry into the national phase
Ref country code: KR
REG Reference to national code
Ref country code: DE; Ref legal event code: 8642
WWP Wipo information: published in national office
Ref document number: 1999905473; Country of ref document: EP