WO2013068790A1 - Protocol for layer two multiple network links tunnelling - Google Patents
- Publication number: WO2013068790A1 (PCT/IB2011/055042)
- Authority: WO, WIPO (PCT)
- Prior art keywords: layer, packets, network, tunnel, packet
- Prior art date
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass › H04L69/12—Protocol engines
  - H04L12/00—Data switching networks › H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] › H04L12/46—Interconnection of networks › H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
  - H04L63/00—Network architectures or network communication protocols for network security › H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls › H04L63/0272—Virtual private networks
  - H04L63/00—Network architectures or network communication protocols for network security › H04L63/16—Implementing security features at a particular protocol layer › H04L63/162—Implementing security features at a particular protocol layer at the data link layer
Definitions
- The present invention relates to the field of data communications. More particularly, the present invention relates to a method and apparatus for using tunnel association information to allow multiple network links to tunnel layer two data.
- Layer 2 tunnelling establishes a tunnelling network between multiple distant networks to create a virtual private network (VPN).
- Layer 2 tunnel creation can be either manual, by entering the correct commands to set up the tunnel interfaces, or automatic, by having a service in the network devices negotiate the correct tunnel interfaces.
- Layer 2 Tunnelling Protocol (L2TP), a standard published by the Internet Engineering Task Force, is a tunnelling protocol used to support layer 2 virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec.
- The problem of implementing L2TP is performance, because the number of bytes remaining available for payload is reduced. Under L2TP/IPsec, the number of bytes remaining available for payload is further reduced because of multiple levels of encapsulation. In addition, IPsec is relatively complicated to set up and maintain. The implementation of L2TP or L2TP/IPsec over bonded networks, in which two or more logical or physical network connections are combined, further reduces the number of bytes remaining available for payload and increases the complexity of setup and maintenance.
- The present invention allows the use of tunnel association information, which contains a network link identification (NLID) and a tunnel sequence number (TSN), in a layer 3 packet to provide layer 2 tunnels over layer 3 networks while improving performance and reducing complexity compared to other layer 2 tunnelling methods and systems.
- NLID: network link identification
- TSN: tunnel sequence number
- Tunnel association information is stored in a protocol header.
- Tunnel association information includes a network link identification and a tunnel sequence number.
- The network link identification is used to identify the network link and virtual private tunnel to which the layer three packets belong.
- The tunnel sequence number is used to identify the sequence of said one or more layer three packets in a network link.
- A system comprising a processing engine, network interfaces, an encapsulation engine, a decapsulation engine, a protocol engine and a storage system is disclosed to solve the problems.
- The processing engine consists of the encapsulation engine, the decapsulation engine and the processing engine.
- The encapsulation engine is used to encapsulate a received layer two packet in one or more layer three packets to be delivered.
- The decapsulation engine is used to decapsulate a layer 3 packet into a part of or a complete layer 2 packet and retrieves the protocol header from the layer 3 packet.
- The encryption engine is used to encrypt and decrypt layer 2 packets and layer 3 packets.
- The protocol engine is used to create and retrieve the protocol header, which contains tunnel association information.
- The storage system is used to provide instructions to the processing engine and to provide temporary storage.
- FIG. 1 is a network diagram illustrating a network environment in which network devices employ an exemplary method of layer 2 virtual private network tunnelling.
- FIG. 2 is a flow chart illustrating an exemplary method in which a network device employs layer 2 virtual private network tunnelling when sending a layer 2 packet.
- FIG. 3 is a flow chart illustrating an exemplary method in which a network device employs layer 2 virtual private network tunnelling when receiving a layer 3 packet.
- FIG. 4 is an exemplary Internet Protocol packet format of the present invention.
- FIG. 5 is a block diagram illustrating an exemplary system in which a network device employs layer 2 virtual private network tunnelling.
- FIG. 6 is a block diagram illustrating the relationship between network connections, network links and a virtual private network tunnel.
- FIG. 1 illustrates a network environment in which two distant layer 2 networks can be connected together through layer 3 networks by implementing an embodiment of the present invention.
- The same network environment can be employed to connect three or more distant layer 2 networks through layer 3 networks.
- Layer 2 network protocols that can be employed in the present invention include Ethernet, Token Ring, Frame Relay, PPP, X.25 and ATM.
- Layer 3 network protocols that can be employed in the present invention include Internet Protocol (IP) version 4, IPv6, Internetwork Packet Exchange, and AppleTalk.
- IP: Internet Protocol
- Computing devices 101a, 101b and 101c are connected to switch 102 and are in the same layer 2 network, such that they can communicate with each other through a layer 2 communication protocol.
- Computing devices 102a, 102b and 102c are connected to switch 106 and are in the same layer 2 network, such that they can also communicate with each other through a layer 2 communication protocol.
- None of computing devices 101a, 101b and 101c can directly communicate with any of computing devices 102a, 102b and 102c through a layer 2 communication protocol, even though computing devices 101a, 101b, 101c, 102a, 102b and 102c all use the same layer 2 communication protocol, such as Ethernet. This is because switch 102 and switch 103 are separated by Internet 104.
- VPN: virtual private network
- Router 103 routes a layer 2 packet from switch 102 to router 105 through Internet 104 over a VPN by first encapsulating the layer 2 packet into one or more layer 3 packets, then delivering the one or more layer 3 packets through one or more of network connections 120a, 120b and 120c.
- Network connections 120a, 120b and 120c are connected to router 103 through three network interfaces respectively and can be implemented using optical fiber, Ethernet, ATM, Frame Relay, T1/E1, IPv4, IPv6, wireless technologies, Wi-Fi, WiMax, High-Speed Packet Access technology, and 3GPP Long Term Evolution (LTE). Therefore the one or more layer 3 packets, which may carry different parts of the layer 2 packet, may have different layer 3 source and destination addresses.
- Network connections 120a, 120b and 120c can be provided by the same or different network service providers to connect router 103 to Internet 104.
- Network connections 121a and 121b are connected to router 105 through two network interfaces respectively and can be implemented using optical fiber, Ethernet, ATM, Frame Relay, T1/E1, IPv4, IPv6, wireless technologies, Wi-Fi, WiMax, High-Speed Packet Access technology, and 3GPP Long Term Evolution (LTE).
- Network connections 121a and 121b can be provided by the same or different network service providers to connect router 105 to Internet 104.
- A network connection, such as an LTE connection deployed by an antenna network interface of router 103, can contain one or more network links. Packets belonging to the same VPN can be carried by one or more network connections. Packets belonging to the same VPN can also be carried by one or more network links.
- A network connection can carry multiple VPN tunnels. However, a network link can only carry packets belonging to one VPN tunnel.
- A network link can use a connection-oriented protocol, such as TCP, or a connectionless protocol, such as UDP.
- FIG. 6 illustrates the relationship between network connections, network links and VPN tunnels established over logical networks 120a, 120b, 120c, 121a and 121b.
- VPNa is implemented using two network links, network links 131a and 131b.
- Network link 131a carries packets belonging to VPNa using the source layer 3 address of network connection 121a and the destination layer 3 address of network connection 120b.
- Network link 131b also carries packets belonging to VPNa, but using the source layer 3 address of network connection 121a and the destination layer 3 address of network connection 120c.
- When a layer 2 packet is delivered through VPNa from router 105 to router 103, it can be fragmented into two layer 3 packets, which may have the same source layer 3 address and different destination layer 3 addresses.
- VPNb is implemented using three network links, network links 132a, 132b and 132c.
- Network link 132a carries packets belonging to VPNb using the source layer 3 address of network connection 121a and the destination layer 3 address of network connection 120a.
- Network link 132b also carries packets belonging to VPNb, but using the source layer 3 address of network connection 121b and the destination layer 3 address of network connection 120b.
- Network link 132c also carries packets belonging to VPNb, but using the source layer 3 address of network connection 121b and the destination layer 3 address of network connection 120c.
- Layer 3 packets with different source layer 3 addresses and different destination layer 3 addresses can encapsulate layer 2 packet payload belonging to the same tunnel because of the use of tunnel association information inside the layer 3 packets.
- Tunnel association information is represented by a series of bits and contained in the protocol header.
- The protocol header is composed of a series of bits.
- The number of bits representing the protocol header varies depending on the nature and amount of information to be put in a VPN tunnel.
- The tunnel association information can be encrypted for security purposes.
- A tunnel association includes a network link identification (NLID) and a tunnel sequence number (TSN).
- The NLID is used to identify the network link to which a layer 3 packet belongs.
- A network link is a link established between two network nodes using a logical network.
- The number of bits representing the NLID should be long enough to avoid confusion of the identities of network links.
- The NLID is used to allow the receiving router to recognize that the received layer 3 packet belongs to a particular VPN tunnel, instead of other network traffic.
- The TSN is used to assist the receiving router, such as router 105, in re-ordering received layer 3 packets belonging to a network link into the correct sequence.
- The TSN is assigned by router 103. According to one embodiment of the present invention, each TSN should be unique during the lifetime of a network link. According to one embodiment of the present invention, a TSN can be reused when the lifetime of a network link is beyond a time period.
- The number of bits representing the TSN should be long enough to avoid confusion of packet sequence. According to one embodiment of the present invention, the number of bits used to represent the NLID is 32. According to one embodiment of the present invention, the number of bits used to represent the TSN is also 32.
- The NLID is unique to a source address, a destination address or a pair of source and destination addresses. Therefore the same TSN may be reused for a different source address, destination address, or pair of source and destination addresses.
- A port number is also part of an NLID.
- Internet 104 is comprised of one or more systems of interconnected computer networks running layer 3 protocols.
- A system of interconnected computer networks of Internet 104 can be a private or public computer network.
- When router 105 receives the one or more layer 3 packets through either one or both of network connections 121a and 121b from Internet 104, it converts the one or more layer 3 packets back to the layer 2 packet and then delivers the layer 2 packet to switch 106.
- Layer 2 packets from switch 106 can also be sent to switch 102. Therefore, computing devices 101a, 101b and 101c and computing devices 102a, 102b and 102c are in the same VPN and able to communicate with each other using the same layer 2 network protocol.
- The number of network connections between router 103 and Internet 104 is at least one.
- The number of network connections between Internet 104 and router 105 is at least one.
- All layer 3 packets belonging to a VPN tunnel have to pass through the same network connection between router 103 and Internet 104 as well as the same network connection between router 105 and Internet 104.
- The benefits of performance gain, higher redundancy and increased bandwidth provided by the present invention are not significant compared to L2TP.
- FIG. 2 is a flow chart illustrating one of the embodiments of the present invention, using tunnel association to encapsulate layer 2 packets in layer 3 packets.
- Router 103 receives a layer 2 packet at step 201.
- Router 103 encapsulates the layer 2 packet into one or more layer 3 packets by first creating a protocol header at step 202.
- The protocol header is then filled by router 103 at step 203 with tunnel association information.
- Tunnel association information is used to allow router 103 to communicate with router 105 in order to associate a layer 3 packet with a VPN tunnel.
- Router 103 encrypts the layer 2 packet.
- Router 103 decides whether the layer 2 packet has to be encrypted by following pre-defined rules, set manually or negotiated between network devices. If it is decided that the layer 2 packet has to be encrypted, encryption information is added to the protocol header at step 205. Encryption information includes cipher information and seed value information.
- The encryption is conducted using the Advanced Encryption Standard, and the associated initialization vector is treated as encryption information, added to the tunnel association information and stored in the protocol header.
- The complete layer 2 packet is encrypted.
- The protocol header is also encrypted.
- Step 205 and step 206 can be swapped. According to one of the embodiments of the present invention, router 103 does not encrypt layer 2 packets and therefore steps 204, 205 and 206 do not exist.
- Layer 3 packet header information is created.
- The layer 3 packet header is filled with the source address, destination address and port information of router 103.
- Router 103 may have more than one layer 3 source address and/or more than one layer 3 destination address.
- The source addresses and destination addresses of layer 3 packets belonging to the same VPN tunnel can differ from each other. For example, in the network illustrated in FIG. 1, three layer 2 packets received by router 103 from switch 102 are encapsulated in three different layer 3 packets.
- The first layer 3 packet is sent by router 103 using network connection 120a to network connection 121a; therefore, the source address and destination address of the first layer 3 packet are the addresses of network connection 120a and network connection 121a respectively.
- The second layer 3 packet is sent by router 103 using network connection 120a to network connection 121b; therefore, the source address and destination address of the second layer 3 packet are the addresses of network connection 120a and network connection 121b respectively.
- The third layer 3 packet is sent by router 103 using network connection 120c to network connection 121b; therefore, the source address and destination address of the third layer 3 packet are the addresses of network connection 120c and network connection 121b respectively.
- Which network connection router 103 uses depends on many decision factors, such as network latency and network bandwidth, which a person skilled in the art can choose and implement.
- Router 103 combines the payload, which is the original layer 2 packet received from switch 102 at step 201, the protocol header and the layer 3 packet header to form one or more layer 3 packets.
- Router 103 delivers the one or more layer 3 packets to Internet 104.
- The layer 2 packet can be fragmented and encapsulated into multiple layer 3 packets. The fragmentation can be done by relying on layer 3 fragmentation, such that the protocol header and the layer 2 packet are together treated as one payload and fragmented according to the layer 3 protocol used.
- In that case the first layer 3 packet contains the complete protocol header and part of the layer 2 packet, and subsequent layer 3 packets do not contain the protocol header.
- Alternatively, the fragmentation can be done by relying on the network link protocol, such that each layer 3 packet contains a complete protocol header and part of the layer 2 packet.
- The layer 3 packet header contains information used for routing, including information for the data link layer, network layer and transport layer of the OSI model.
- FIG. 4 illustrates one embodiment of a layer 3 packet used to carry a VPN tunnel deployed with the present invention.
- The layer 3 packet is an IP packet composed of IP Header 401, UDP Header 402, protocol header 403 and payload 404.
- IP Header 401 is comprised of a series of bits and is the header of IPv4, described in RFC 791 published by the Internet Engineering Task Force (IETF), or of IPv6, described in RFC 2460, also published by the IETF.
- IETF: Internet Engineering Task Force
- UDP Header 402 is comprised of a series of bits and carries the information of the User Datagram Protocol described in RFC 768 published by the IETF.
- Protocol header 403 is comprised of a series of bits and contains the tunnel association information described in the present invention.
- Payload 404 is comprised of a series of bits and carries a complete layer 2 packet or a part of one.
- The procedure and corresponding information required to establish a VPN tunnel, before layer 3 packets can use the VPN tunnel to encapsulate layer 2 packets, are apparent to a person skilled in the art.
- The corresponding information can be entered by network device administrators and/or exchanged between the network devices. It is also apparent to a person skilled in the art how to exchange the VPN tunnel establishment information.
- The number of layer 3 packets used to encapsulate the layer 2 packet depends on many factors, including the packet size of the layer 2 packet, the payload size of the layer 3 packets, the conventionally allowed size of layer 3 packets in Internet 104, user policy, standards and other factors. It is apparent to a person skilled in the art how to determine the number of layer 3 packets to be used for the encapsulation.
- NLID and TSN can be set to zero when a layer 2 packet is sent through a network link to check the health status of the network link or of the VPN tunnel, or to carry non-payload information. Otherwise, the values of NLID and TSN are non-zero, because NLID and TSN are used to identify the network link and the packet sequence.
- The tunnel association information further includes a global sequence number (GSN), which is used by a receiving network device to arrange the packets received for a VPN tunnel into the correct sequence.
- GSN: global sequence number
- Each GSN should be unique during the lifetime of a VPN tunnel.
- A GSN can be reused when the lifetime of a network link is beyond a time period.
- The number of bits representing the GSN should be long enough to avoid confusion of packet sequence.
- The number of bits used to represent the GSN is 32.
- The tunnel association information further includes a layer 2 tunnelling indicator, which is used to inform the receiving network device that the layer 3 packet contains content for layer 2 tunnelling.
- The layer 2 tunnelling indicator can be embedded using one or more bits in the protocol header.
- The tunnel association information further includes a data offset indicator, which indicates the offset between the UDP header and the protocol header.
- The data offset indicator can be embedded using one or more bits in the protocol header.
- The tunnel association information further includes a version indicator, which specifies the version of the VPN tunnel protocol being used and allows backward and forward compatibility. The version indicator can be embedded using one or more bits in the protocol header.
- The tunnel association information further includes a number of reserved bits, which are reserved for future use when more information has to be carried in the tunnel association information.
- The tunnel association information further includes an optional timestamp indicator, which specifies whether timestamp information is available in the protocol header. Timestamp information can be used to calculate the time difference between the sending of a packet and its receipt, or to calculate the round trip time between the sending of a packet and the receipt of the corresponding acknowledgement. The timestamp indicator and timestamp information can be embedded using one or more bits in the protocol header.
- The tunnel association information further includes an acknowledgement indicator, which specifies whether acknowledgement information is contained in the protocol header.
- Acknowledgement information is used to keep count of the packets that have been successfully received.
- The acknowledgement indicator and acknowledgement information can be embedded using one or more bits in the protocol header.
- Acknowledgement information indicates the highest sequence number, such as a TSN, of the packets that have been received.
- The tunnel association information further includes an alternative acknowledgement indicator, which specifies whether alternative acknowledgement information is contained in the protocol header.
- Alternative acknowledgement information is used to keep count of the number of packets that have been successfully received and to acknowledge that more than one packet has been received.
- The alternative acknowledgement indicator and alternative acknowledgement information can be embedded using one or more bits in the protocol header.
- The number of bytes used by a protocol header is the total number of bytes of a layer 3 packet minus the number of bytes belonging to the header of the layer 3 packet used for routing and the number of bytes belonging to the payload of the encapsulated layer 2 packet.
- FIG. 3 is a flow chart illustrating one of the embodiments of the present invention, using tunnel association to decapsulate layer 2 packets from layer 3 packets.
- When router 105 receives a layer 3 packet at step 301 from Internet 104, router 105 determines whether the layer 3 packet belongs to any VPN tunnel by examining the port number of the layer 3 packet. If, at step 302, the port number matches a pre-defined port number, router 105 assumes that the layer 3 packet belongs to a VPN tunnel.
- The pre-defined port number can be pre-determined by a network administrator or the manufacturer of the network devices, or negotiated between network devices.
- Router 105 then identifies the protocol header at step 303. According to one implementation, the protocol header is located next to the header of the layer 3 packet.
- As the protocol header contains tunnel association information, by reading the NLID stored in the protocol header at step 304 router 105 is able to determine which network link and VPN the layer 3 packet belongs to, and determines whether the layer 3 packet contains a whole or part of a layer 2 packet.
- When the payload of the layer 3 packet is encrypted, router 105 first identifies, at step 305, the encryption information in the tunnel association information stored in the protocol header, retrieves that information from the protocol header at step 306, and then decrypts the payload with it at step 307.
- Part of the payload of the layer 3 packet is encrypted; for example, the header of the encapsulated layer 2 packet is not encrypted but the content of the layer 2 packet is.
- The whole payload of the layer 3 packet is encrypted.
- Steps 305, 306 and 307 do not exist.
- The layer 3 packet is decapsulated to retrieve a whole or part of a layer 2 packet.
- When the complete layer 2 packet has been decapsulated from one or more layer 3 packets, router 105 is then able to deliver the layer 2 packet at step 309.
- The receiving router, such as router 105, does not treat received layer 3 packets as not authentic even if the layer 3 packets, which belong to the same VPN tunnel, have different source addresses or destination addresses, because the receiving router relies on tunnel association information to recognize authentic layer 3 packets.
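The FIG. 2 encapsulation steps, the FIG. 4 header fields and the FIG. 3 receive flow above, as an added example written for this page rather than code from the patent: it assumes a byte layout of its own (a version/flags byte, a data offset byte, two reserved bytes, then the 32-bit NLID, TSN and GSN), a "last fragment" flag bit and a UDP port value, none of which the page fixes, and it fragments per network link so that every layer 3 packet carries a complete protocol header.

```python
import random
import struct

# Constructed byte layout (not the patent's): version/flags byte, data offset
# byte, two reserved bytes, then the 32-bit NLID, TSN and GSN the page names.
HDR_FMT = "!BBHIII"
HDR_LEN = struct.calcsize(HDR_FMT)    # 16 bytes
VERSION = 1
FLAG_L2 = 0x1          # layer 2 tunnelling indicator
FLAG_LAST = 0x2        # assumed: final fragment of a layer 2 packet
VPN_UDP_PORT = 40000   # assumed pre-defined port checked at step 302

def build_header(nlid, tsn, gsn, flags=FLAG_L2):
    """Protocol header 403: tunnel association information placed before the payload."""
    return struct.pack(HDR_FMT, (VERSION << 4) | flags, HDR_LEN, 0, nlid, tsn, gsn)

def parse_header(buf):
    """Inverse of build_header; None when the datagram is too short to hold a header."""
    if len(buf) < HDR_LEN:
        return None
    vf, off, _reserved, nlid, tsn, gsn = struct.unpack(HDR_FMT, buf[:HDR_LEN])
    return {"version": vf >> 4, "flags": vf & 0xF, "offset": off,
            "nlid": nlid, "tsn": tsn, "gsn": gsn}

class Sender:
    """Router 103 side (FIG. 2): fragments per network link protocol, so each
    layer 3 packet carries a complete protocol header."""

    def __init__(self, links):
        self.links = links                  # nlid -> (src_addr, dst_addr) per network link
        self.tsn = dict.fromkeys(links, 0)  # per-link sequence, unique for the link lifetime
        self.gsn = 0                        # per-tunnel sequence
        self.order = list(links)

    def encapsulate(self, frame, max_payload):
        """Returns (src, dst, dst_port, datagram) tuples spread over the tunnel's links."""
        chunks = [frame[i:i + max_payload] for i in range(0, len(frame), max_payload)] or [b""]
        out = []
        for i, chunk in enumerate(chunks):
            nlid = self.order[self.gsn % len(self.order)]  # round-robin stands in for latency/bandwidth choice
            self.tsn[nlid] += 1
            self.gsn += 1
            flags = FLAG_L2 | (FLAG_LAST if i == len(chunks) - 1 else 0)
            src, dst = self.links[nlid]
            hdr = build_header(nlid, self.tsn[nlid], self.gsn, flags)
            out.append((src, dst, VPN_UDP_PORT, hdr + chunk))
        return out

class Receiver:
    """Router 105 side (FIG. 3): port check, NLID demultiplexing, GSN reordering."""

    def __init__(self, known_nlids):
        self.known = set(known_nlids)  # this tunnel's links, established out of band
        self.highest_tsn = {}          # per link; what an acknowledgement would report
        self.expected_gsn = 1
        self.pending = {}              # gsn -> (flags, chunk) waiting for earlier GSNs
        self.partial = bytearray()
        self.delivered, self.health, self.dropped = [], 0, 0

    def receive(self, src, dst, dst_port, datagram):
        # Step 302: only the pre-defined port is treated as tunnel traffic.
        hdr = parse_header(datagram) if dst_port == VPN_UDP_PORT else None
        if hdr is None or hdr["version"] != VERSION or not hdr["flags"] & FLAG_L2:
            self.dropped += 1
            return
        if hdr["nlid"] == 0 and hdr["tsn"] == 0:   # health check / non-payload packet
            self.health += 1
            return
        # Step 304: the NLID, not src/dst, decides whether the packet belongs to this tunnel.
        if hdr["nlid"] not in self.known:
            self.dropped += 1
            return
        self.highest_tsn[hdr["nlid"]] = max(self.highest_tsn.get(hdr["nlid"], 0), hdr["tsn"])
        self.pending[hdr["gsn"]] = (hdr["flags"], datagram[hdr["offset"]:])
        self._reassemble()

    def _reassemble(self):
        # Consume fragments strictly in GSN order; FLAG_LAST closes a layer 2 packet.
        while self.expected_gsn in self.pending:
            flags, chunk = self.pending.pop(self.expected_gsn)
            self.expected_gsn += 1
            self.partial += chunk
            if flags & FLAG_LAST:
                self.delivered.append(bytes(self.partial))
                self.partial = bytearray()

def run_demo(seed=7):
    """Two links like 131a/131b of FIG. 6 (same source, different destinations) with
    constructed frames arriving out of order; returns the receiver and the frames sent."""
    sender = Sender({0x1310A: ("121a", "120b"), 0x1310B: ("121a", "120c")})
    frames = [b"FRAME-ONE:" + bytes(range(40)), b"FRAME-TWO:" + bytes(range(25))]
    wire = [pkt for f in frames for pkt in sender.encapsulate(f, max_payload=16)]
    wire.append(("121a", "120b", VPN_UDP_PORT, build_header(0, 0, 0)))        # health check
    wire.append(("121a", "120b", 53, b"not tunnel traffic"))                  # wrong port
    wire.append(("121a", "120b", VPN_UDP_PORT, build_header(0xBEEF, 1, 99) + b"x"))  # unknown NLID
    random.Random(seed).shuffle(wire)       # the two links have different latencies
    rx = Receiver(sender.links)
    for pkt in wire:
        rx.receive(*pkt)
    return rx, frames
```

Because the receiver keys on the port and the NLID and ignores the layer 3 source and destination addresses, an NLID here is a demultiplexing key rather than proof of origin, which is worth keeping in mind alongside the page's option of encrypting the tunnel association information.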
- FIG. 5 illustrates a network device implementing one of the embodiments of the present invention.
- A system is comprised of one or more first network interfaces 505 connecting to an internal network; one or more second network interfaces 506 connecting to one or more public and/or private networks; processing engine 501; and storage 507.
- First network interfaces 505 and second network interfaces 506 can be implemented by agents to be connected with optical fiber, cables, or antennas.
- Processing engine 501 can be implemented using one or more central processing units, network processors, microprocessors, micro-controllers, FPGAs, ASICs or any device capable of executing instructions to perform the basic arithmetical, logical, and input/output operations of the system.
- Encapsulation engine 502 is used to encapsulate a layer 2 packet into one or more layer 3 packets and put the protocol header in each layer 3 packet.
- Decapsulation engine 504 is used to decapsulate a layer 3 packet into a part of or a complete layer 2 packet and retrieves the protocol header from the layer 3 packet.
- The encryption engine is used to encrypt and decrypt layer 2 packets and layer 3 packets.
- The functions of encapsulation engine 502, protocol engine 503 and decapsulation engine 504 are carried out by processing engine 501.
- Encapsulation engine 502, protocol engine 503 and decapsulation engine 504 can be implemented by central processing units, network processors, microprocessors, micro-controllers, FPGAs, ASICs or any device capable of executing instructions to perform the basic arithmetical, logical, and input/output operations of the system.
- Storage 507 can be implemented using DRAM, SDRAM, Flash RAM, optical memory, magnetic memory, hard disk, and/or any other material that is able to provide storage capability.
- The network device connects to one or more local area networks through one or more first network interfaces 505.
- Computing devices communicate with each other through layer 2 technology.
- The network device also connects to one or more wide area networks through one or more second network interfaces 506.
- Computing devices communicate with each other through layer 3 technology.
- The network device sets up one or more VPN tunnels with other network devices through one or more wide area networks using one or more second network interfaces 506.
- Protocol engine 503 is used to create the protocol header, which contains tunnel association information.
- Protocol engine 503 is used to retrieve tunnel association information from the protocol header.
- Storage 507 is used to provide instructions to processing engine 501, to provide temporary storage during encapsulation of a layer 2 packet into one or more layer 3 packets, and to provide temporary storage during decapsulation of one or more layer 3 packets into a layer 2 packet. According to one embodiment of the present invention, storage 507 is used to provide instructions directly to encapsulation engine 502, protocol engine 503 and decapsulation engine 504.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method and system for using tunnel association information to allow a network device to transfer and receive layer two packets through a layer two tunnel provided between different layer two networks over multiple network links. Layer 3 packets are used to encapsulate layer two packets. The tunnel association information includes a network link identification and a tunnel sequence number. The network link identification is used to identify the network link and virtual private tunnel to which said one or more layer three packets belong, and the tunnel sequence number is used to identify the sequence of said one or more layer three packets in a network link.
Description
PROTOCOL FOR LAYER TWO MULTIPLE NETWORK
LINKS TUNNELLING
The present invention relates to the
field of data communications. More particularly, the present
invention relates to a method and apparatus for using tunnel
association information to allow multiple network links to
tunnel layer two data.
Layer 2 tunnelling establishes a
tunnelling network between multiple distant networks to
create a virtual private network (VPN). Layer 2 tunnel
creation can be either manually by entering correct command
to setup the tunnel interfaces, or automatically by having a
service in network devices to negotiate the correct tunnel
interfaces.
Layer 2 Tunnelling Protocol (L2TP), a
standard published by Internet Engineering Task Force, is a
tunnelling protocol used to support layer 2 virtual private
networks (VPNs). It does not provide any encryption or
confidentiality by itself; it relies on an encryption
protocol that it passes within the tunnel to provide
privacy. IPsec is often used to secure L2TP packets by
providing confidentiality, authentication and integrity. The
combination of these two protocols is generally known as L2TP/IPsec.
The problem with implementing L2TP is
performance, because the number of bytes remaining
available for payload is reduced. Under L2TP/IPsec, the
number of bytes remaining available for payload is further
reduced by the multiple levels of encapsulation. In
addition, IPsec is relatively complicated to set up and
maintain. Implementing L2TP or L2TP/IPsec over bonded
networks, in which two or more logical or physical network
connections are combined, further reduces the number of
bytes remaining available for payload and increases the
complexity of setup and maintenance.
The present invention allows the use of
tunnel association information, which contains a network
link identification (NLID) and a tunnel sequence number
(TSN), in a layer 3 packet to provide layer 2 tunnels over
layer 3 networks while improving performance and reducing
complexity compared with other layer 2 tunnelling methods
and systems.
To address the problems described
above, the present invention discloses methods and a system
using tunnel association information. According to
embodiments of the present invention, network devices use
tunnel association information when encapsulating layer 2
packets in layer 3 packets. Tunnel association information
is also used by network devices when decapsulating layer 2
packets from received layer 3 packets. The use of tunnel
association information allows the layer 3 packets to be
transmitted and received through different network links
belonging to the same VPN. Therefore, the layer 3 packets
may have different source addresses and destination
addresses, which results in higher throughput and
reliability. Tunnel association information is stored in a
protocol header and includes a network link identification
and a tunnel sequence number. The network link
identification identifies the network link and virtual
private tunnel to which the layer three packets belong.
The tunnel sequence number identifies the sequence of said
one or more layer three packets within a network link.
A system comprising a processing
engine, network interfaces, an encapsulation engine, a
decapsulation engine, a protocol engine and a storage
system is disclosed to solve the problems. The processing
engine comprises the encapsulation engine, the
decapsulation engine and the protocol engine. The
encapsulation engine encapsulates a received layer two
packet in one or more layer three packets to be delivered.
The decapsulation engine decapsulates a layer 3 packet into
a part of or a complete layer 2 packet and retrieves the
protocol header from the layer 3 packet. The encryption
engine encrypts and decrypts layer 2 packets and layer 3
packets. The protocol engine creates and retrieves the
protocol header, which contains the tunnel association
information. The storage system provides instructions to
the processing engine and provides temporary storage.
The accompanying drawings, which are
incorporated in and constitute a part of this specification,
illustrate embodiments of the invention and, together with
the description, explain the invention. In the drawings,
FIG. 1 is a network diagram
illustrating a network environment in which network devices
employ an exemplary method of layer 2 virtual private
network tunnelling,
FIG. 2 is a flow chart illustrating an
exemplary method in which a network device employs layer 2
virtual private network tunnelling when sending a layer 2 packet,
FIG. 3 is a flow chart illustrating an
exemplary method in which a network device employs layer 2
virtual private network tunnelling when receiving a layer 3 packet,
FIG. 4 is an exemplary Internet
Protocol packet format of present invention,
FIG. 5 is a block diagram illustrating
an exemplary system in which a network device employs layer
2 virtual private network tunnelling,
FIG. 6 is a block diagram illustrating
the relationship between network connections, network links
and virtual private network tunnel.
Different embodiments will now be
described more fully hereinafter with reference to the
accompanying drawings, in which preferred embodiments are
shown. The invention may take many different forms, and the
described embodiments should not be construed as limited to
the embodiments set forth herein. Rather, these embodiments
are provided so that this disclosure will be thorough and
complete, and will fully convey the scope to those skilled
in the art. Like numbers refer to like elements throughout.
FIG. 1 illustrates a network
environment in which two distant layer 2 networks are
connected through layer 3 networks by implementing an
embodiment of the present invention. The same network
environment can be employed to connect three or more distant
layer 2 networks through layer 3 networks. Layer 2 network
protocols that can be employed in the present invention
include Ethernet, Token Ring, Frame Relay, PPP, X.25 and
ATM. Layer 3 network protocols that can be employed in the
present invention include Internet Protocol (IP) version 4,
IPv6, Internetwork Packet Exchange, and AppleTalk.
Similarly, network connections 121a and
121b are connected to two network interfaces of router 105
respectively and can be implemented using optical fiber,
Ethernet, ATM, Frame Relay, T1/E1, IPv4, IPv6, wireless
technologies, Wi-Fi, WiMax, High-Speed Packet Access
technology, or 3GPP Long Term Evolution (LTE). Network
connections 121a and 121b can be provided by the same or
different network service providers to connect router 105 to
Internet 104.
A network connection, such as an LTE
connection deployed by an antenna network interface of
router 103, can contain one or more network links. Packets
belonging to the same VPN can be carried by one or more
network connections. Packets belonging to the same VPN can
also be carried by one or more network links. A network
connection can carry multiple VPN tunnels. However, a
network link can only carry packets belonging to one VPN
tunnel. A network link can use a connection-oriented
protocol, such as TCP, or a connectionless protocol, such as
UDP.
FIG. 6 illustrates the relationship
between network connection, network link and VPN tunnel
established in logical network 120a, 120b, 120c, 121a and
121b. For example, there are two VPNs, VPNa and VPNb,
established between router 105 and router 103. VPNa is
implemented by using two network links, network link 131a
and 131b. Network link 131a carries packets belonging to
VPNa using the source layer 3 address of network connection
121a and the destination layer 3 address of network
connection 120b. Network link 131b also carries packets
belonging to VPNa, but using the source layer 3 address of
network connection 121a and the destination layer 3 address
of network connection 120c. For example, when a layer 2
packet is delivered through VPNa from router 105 to router
103, it can be fragmented into two layer 3 packets, which
may have same source layer 3 address and different
destination layer 3 addresses.
VPNb is implemented by using three
network links, network link 132a, 132b and 132c. Network
link 132a carries packets belonging to VPNb using the source
layer 3 address of network connection 121a and the
destination layer 3 address of network connection 120a.
Network link 132b also carries packets belonging to VPNb,
but using the source layer 3 address of network connection
121b and the destination layer 3 address of network
connection 120b. Network link 132c also carries packets
belonging to VPNb, but using the source layer 3 address of
network connection 121b and the destination layer 3 address
of network connection 120c. When multiple layer 2 packets
are delivered through VPNb from router 105 to router 103,
they can be carried by different network links and therefore
the layer 3 packets encapsulating the layer 2 packets may
have different source layer 3 addresses and different
destination layer 3 addresses.
Layer 3 packets with different source
layer 3 addresses and different destination layer 3
addresses can carry layer 2 packet payload belonging to the
same tunnel because the tunnel association information
inside the layer 3 packets identifies the tunnel.
Tunnel association information is
represented by a series of bits and contained in the
protocol header. The protocol header is composed of a
series of bits. The number of bits representing the
protocol header varies depending on the nature and amount
of information to be put in a VPN tunnel. According to one
of the embodiments of the present invention, the tunnel
association information can be encrypted for security
purposes. According to one of the embodiments of the
present invention, tunnel association information includes
a network link identification (NLID) and a tunnel sequence
number (TSN). The NLID identifies the network link to which
a layer 3 packet belongs. A network link is a link
established between two network nodes using a logical
network.
As multiple network links may be
implemented between two network devices using the same pair
of layer 3 source and destination addresses, the number of
bits representing the NLID should be long enough to avoid
confusion between the identities of network links. In
addition, the NLID allows the receiving router to recognize
that a received layer 3 packet belongs to a particular VPN
tunnel rather than to other network traffic. The TSN
assists the receiving router, such as router 105, in
re-ordering received layer 3 packets belonging to a network
link into the correct sequence. The TSN is assigned by
router 103. According to one embodiment of the present
invention, each TSN should be unique during the lifetime of
a network link. According to one embodiment of the present
invention, a TSN can be reused when the lifetime of a
network link exceeds a time period. The number of bits
representing the TSN should be long enough to avoid
confusion of packet sequence. According to one embodiment
of the present invention, the number of bits used to
represent the NLID is 32. According to one embodiment of
the present invention, the number of bits used to represent
the TSN is also 32.
According to one of the embodiments of
the present invention, NLID is unique to a source address,
destination address or to a pair of source address and
destination address. Therefore the same TSN may be reused
for different source address, destination address, or a pair
of source and destination address. According to one of the
embodiments of the present invention, a port number is also
part of a NLID.
According to one of the embodiments of
the present invention, the number of network connections
between router 103 and Internet 104 is at least one.
According to one embodiment of the present invention, the
number of network connections between Internet 104 and
router 105 is at least one. When there is only one network
connection between router 103 and Internet 104 as well as
only one network connection between Internet 104 and router
105, all layer 3 packets belonging to a VPN tunnel have to
pass through the same network connection between router 103
and Internet 104 and also through the same network
connection between router 105 and Internet 104. In this
circumstance, the benefits of performance gain, higher
redundancy and increased bandwidth provided by the present
invention are not significant compared with L2TP.
Method
FIG. 2 is a flow chart illustrating one
of the embodiments of the present invention, which uses
tunnel association information to encapsulate layer 2
packets in layer 3 packets. When router 103 receives a
layer 2 packet at step 201, router 103 encapsulates the
layer 2 packet into one or more layer 3 packets by first
creating a protocol header at step 202. The protocol header
is then filled by router 103 at step 203 with tunnel
association information. Tunnel association information
allows router 103 to communicate with router 105 in order to
associate a layer 3 packet with a VPN tunnel.
According to one of the embodiments of
the present invention, router 103 encrypts the layer 2
packet. At step 204, router 103 decides whether the layer 2
packet has to be encrypted by following pre-defined rules
set manually or negotiated between network devices. If it
is decided that the layer 2 packet has to be encrypted,
encryption information is added to the protocol header at
step 205. Encryption information includes cipher
information and seed value information. According to one of
the embodiments of the present invention, the encryption is
conducted using the Advanced Encryption Standard, and the
associated initialization vector is treated as encryption
information, added to the tunnel association information
and stored in the protocol header. At step 206, according
to one embodiment, the complete layer 2 packet is encrypted.
According to another embodiment, the protocol header is also
encrypted. When the protocol header is encrypted, the
encryption information stored in the protocol header is
left unencrypted in order to facilitate the decryption
process at the receiving network device. The order of step
205 and step 206 can be swapped. According to one of the
embodiments of the present invention, router 103 does not
encrypt layer 2 packets, and therefore steps 204, 205 and
206 do not exist.
At step 207, layer 3 packet header
information is created. The layer 3 packet header is filled
with the source address, destination address and port
information of router 103. However, when router 103 has
more than one network connection, router 103 may have more
than one layer 3 source address and/or more than one layer 3
destination address. When layer 3 packets are delivered to
Internet 104 through more than one network connection, the
source addresses and destination addresses of layer 3
packets belonging to the same VPN tunnel can differ from
each other. For example, in the network illustrated in
FIG. 1, three layer 2 packets received by router 103 from
switch 102 are encapsulated in three different layer 3
packets. The first layer 3 packet is sent by router 103
from network connection 120a to network connection 121a;
therefore, the source address and destination address of the
first layer 3 packet are the addresses of network
connections 120a and 121a respectively. The second layer 3
packet is sent by router 103 from network connection 120a to
network connection 121b; therefore, the source address and
destination address of the second layer 3 packet are the
addresses of network connections 120a and 121b respectively.
The third layer 3 packet is sent by router 103 from network
connection 120c to network connection 121b; therefore, the
source address and destination address of the third layer 3
packet are the addresses of network connections 120c and
121b respectively. Router 103 determines which network
connection to use depending on many decision factors, such
as network latency and network bandwidth, which a person
skilled in the art can choose and implement.
At step 208, router 103 combines the
payload, which is the original layer 2 packet received from
switch 102 at step 201, the protocol header and the layer 3
packet header to form one or more layer 3 packets. At step
209, router 103 delivers the one or more layer 3 packets to
Internet 104. When one layer 3 packet is not large enough
to carry the protocol header and the complete layer 2 packet
together, the layer 2 packet can be fragmented and
encapsulated in multiple layer 3 packets. The fragmentation
can rely on layer 3 fragmentation, in which case the
protocol header and the layer 2 packet are together treated
as one payload and fragmented according to the layer 3
protocol in use; the first layer 3 packet then contains the
complete protocol header and part of the layer 2 packet, and
subsequent layer 3 packets do not contain the protocol
header. Alternatively, the fragmentation can rely on the
network link protocol, in which case each layer 3 packet
contains a complete protocol header and part of the layer 2
packet.
According to one of the embodiments of
the present invention, the layer 3 packet header contains
information used for routing, including information for data
link layer, network layer and transport layer of OSI model.
FIG. 4 illustrates one embodiment of a
layer 3 packet used to carry a VPN tunnel deployed with the
present invention. The layer 3 packet is an IP packet
composed of IP Header 401, UDP Header 402, protocol header
403 and payload 404. IP Header 401 is comprised of a series
of bits and is the header of IPv4 described in RFC 791
published by the Internet Engineering Task Force (IETF) or
of IPv6 described in RFC 2460, also published by the IETF.
UDP Header 402 is comprised of a series of bits and carries
the information of the User Datagram Protocol described in
RFC 768 published by the IETF. Protocol header 403 is
comprised of a series of bits and contains the tunnel
association information described in the present invention.
Payload 404 is comprised of a series of bits and carries a
complete or a part of a layer 2 packet.
The procedure and the corresponding
information required to establish a VPN tunnel, before layer
3 packets can use the VPN tunnel to encapsulate layer 2
packets, are apparent to a person skilled in the art. The
corresponding information can be entered by network device
administrators and/or exchanged between the network
devices. It is also apparent to a person skilled in the art
how to exchange the VPN tunnel establishment information.
The number of layer 3 packets used to
encapsulate the layer 2 packet depends on many factors,
including packet size of the layer 2 packet, the payload
size of the layer 3 packets, the conventional allowed size
of layer 3 packets in Internet 104, user policy, standards
and other factors. It is apparent to a skilled person in
the art how to determine the number of layer 3 packets to be
used for the encapsulation.
NLID and TSN can be set to zero when a
layer 2 packet is sent through a network link to check the
health status of the network link or of the VPN tunnel, or
to carry non-payload information. Otherwise, the values of
NLID and TSN are non-zero, because NLID and TSN are used to
identify the network link and the packet sequence.
According to one of the embodiments of
the present invention, the tunnel association information
further includes a global sequence number (GSN), which is
used by a receiving network device to arrange the packets
received through a VPN tunnel into the correct sequence.
According to one embodiment of the present invention, each
GSN should be unique during the lifetime of a VPN tunnel.
According to one embodiment of the present invention, a GSN
can be reused when the lifetime of a network link exceeds a
time period. The number of bits representing the GSN should
be long enough to avoid confusion of packet sequence.
According to one embodiment of the present invention, the
number of bits used to represent the GSN is 32.
According to one of the embodiments of
the present invention, the tunnel association information
further includes a layer 2 tunnelling indicator, which
informs the receiving network device that the layer 3
packet contains content for layer 2 tunnelling. The layer 2
tunnelling indicator can be embedded using one or more bits
in the protocol header.
According to one of the embodiments of
the present invention, the tunnel association information
further includes a data offset indicator, which indicates
the offset between the UDP header and the protocol header.
The data offset indicator can be embedded using one or more
bits in the protocol header.
According to one of the embodiments of
the present invention, the tunnel association information
further includes a version indicator, which specifies the
version of the VPN tunnel protocol being used and allows
backward and forward compatibility. The version indicator
can be embedded using one or more bits in the protocol
header.
According to one of the embodiments of
the present invention, the tunnel association information
further includes a number of reserved bits, which are
reserved for future use when more information has to be
carried in the tunnel association information.
According to one of the embodiments of
the present invention, the tunnel association information
further includes an optional timestamp indicator, which
specifies whether timestamp information is present in the
protocol header. Timestamp information can be used to
calculate the time difference between the sending of a
packet and its receipt, or to calculate the round trip time
between the sending of a packet and the receipt of the
corresponding acknowledgement. The timestamp indicator and
timestamp information can be embedded using one or more
bits in the protocol header.
According to one of the embodiments of
the present invention, the tunnel association information
further includes an acknowledgement indicator, which
specifies whether acknowledgement information is contained
in the protocol header. Acknowledgement information is
used to keep count of the packets that have been
successfully received. The acknowledgement indicator and
acknowledgement information can be embedded using one or
more bits in the protocol header. According to one of the
embodiments of the present invention, the acknowledgement
information indicates the highest sequence number, such as
TSN, of the packets that have been received.
According to one of the embodiments of
the present invention, the tunnel association information
further includes an alternative acknowledgement indicator,
which specifies whether alternative acknowledgement
information is contained in the protocol header.
Alternative acknowledgement information is used to keep
count of the number of packets that have been successfully
received and to acknowledge more than one packet at a time.
The alternative acknowledgement indicator and alternative
acknowledgement information can be embedded using one or
more bits in the protocol header.
According to one of the embodiments of
the present invention, the number of bytes used by a
protocol header is the total number of bytes of a layer 3
packet minus the number of bytes belonging to the layer 3
packet header used for routing and minus the number of
bytes belonging to the payload of the encapsulated layer 2
packet.
FIG. 3 is a flow chart illustrating one
of the embodiments of the present invention, which uses
tunnel association information to decapsulate layer 2
packets from layer 3 packets. When router 105 receives a
layer 3 packet at step 301 from Internet 104, router 105
determines whether the layer 3 packet belongs to any VPN
tunnel by examining the port number of the layer 3 packet.
If, at step 302, the port number matches a pre-defined port
number, router 105 assumes that the layer 3 packet belongs
to a VPN tunnel. The pre-defined port number can be
pre-determined by a network administrator or the
manufacturer of the network devices, or negotiated between
network devices. Router 105 then identifies the protocol
header at step 303. According to one implementation, the
protocol header is located next to the header of the layer
3 packet.
As the protocol header contains tunnel
association information, by reading the NLID stored in the
protocol header at step 304 router 105 is able to determine
which network link and VPN the layer 3 packet belongs to and
whether the layer 3 packet contains a whole or part of a
layer 2 packet. When the payload of the layer 3 packet is
encrypted, router 105 first determines at step 305 that the
payload is encrypted, retrieves the encryption information
from the tunnel association information stored in the
protocol header at step 306, and then decrypts the payload
at step 307 with the information retrieved. According to
one of the embodiments of the present invention, only part
of the payload of the layer 3 packet is encrypted; for
example, the header of the encapsulated layer 2 packet is
not encrypted but the content of the layer 2 packet is
encrypted. According to one embodiment, the whole payload
of the layer 3 packet is encrypted.
According to one embodiment, when the
layer 3 packet does not contain encrypted payload, steps
305, 306 and 307 do not exist.
At step 308, the layer 3 packet is
decapsulated to retrieve a whole or part of a layer 2
packet.
When the complete layer 2 packet is
decapsulated from one or more layer 3 packets, router 105 is
then able to deliver the layer 2 packet at step 309.
According to one embodiment, the
receiving router, such as router 105, does not treat
received layer 3 packets as not authentic merely because
layer 3 packets belonging to the same VPN tunnel have
different source addresses or different destination
addresses, because the receiving router relies on the
tunnel association information to recognize authentic
layer 3 packets. This situation arises when more than one
network connection carries layer 3 packets for a VPN tunnel.
Under the same situation, prior art treats some of the layer
3 packets as not authentic because their source addresses
or destination addresses differ.
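The following is an added worked example, not code from the patent or from its applicant: a small offline model of the sending side of FIG. 2 (steps 201 to 203 and 207 to 209, with fragmentation by the network link protocol so that every layer 3 packet carries a complete protocol header) and of the receiving side of FIG. 3 (port check at step 302, NLID lookup at step 304, decapsulation at step 308, and the in-order arrangement by TSN of claim 14), with a VPN tunnel running over two network links that share a source address but have different destination addresses, as described for VPNa in FIG. 6. The description fixes NLID, TSN and GSN at 32 bits each but not their position, byte order or the encoding of the indicators, so the header layout, the pre-defined UDP port number 4500 and the two fragment fields (index and count) used to reassemble a fragmented layer 2 packet are assumptions and are marked as such in the code. The encryption steps 204 to 206 are left out; a practitioner should note that the description carries only a cipher identifier and an initialization vector in the header and mentions no integrity check, and that the receiver accepts a packet on the strength of its NLID regardless of source address, so a deployment would want the payload and protocol header covered by an authenticated encryption mode.

```python
"""Offline model of the multi-link layer 2 tunnel described above.

Added example, not code from the patent. Assumptions (marked below): header
layout, UDP port, and the two fragment fields; only the 32-bit widths of
NLID, TSN and GSN come from the text.
"""
import struct
from collections import defaultdict

TUNNEL_PORT = 4500   # assumed "pre-defined port number" of step 302; the text gives no value
VERSION = 1

# Assumed header layout, network byte order:
#   ver:4 flags:4 | frag_index:8 | frag_count:8 | reserved:8 | NLID:32 | TSN:32 | GSN:32
# frag_index/frag_count are an assumption: with fragmentation "by the network link
# protocol" every fragment carries a complete header, so the receiver needs a way
# to put the fragments back together. NLID = TSN = 0 marks a health-check packet.
HDR = struct.Struct("!BBBBIII")
FLAG_L2 = 0x1        # layer 2 tunnelling indicator

def pack_header(nlid, tsn, gsn, frag_index=0, frag_count=1, flags=FLAG_L2):
    return HDR.pack((VERSION << 4) | flags, frag_index, frag_count, 0, nlid, tsn, gsn)

def unpack_header(buf):
    """Return (fields, payload); reject an unsupported version indicator."""
    vf, fi, fc, _, nlid, tsn, gsn = HDR.unpack_from(buf)
    if vf >> 4 != VERSION:
        raise ValueError("unsupported tunnel protocol version %d" % (vf >> 4))
    return ({"flags": vf & 0xF, "frag_index": fi, "frag_count": fc,
             "nlid": nlid, "tsn": tsn, "gsn": gsn}, buf[HDR.size:])

class Link:
    """One network link: a (src, dst) layer 3 address pair with its own TSN counter."""
    def __init__(self, nlid, src, dst):
        self.nlid, self.src, self.dst = nlid, src, dst
        self.next_tsn = 1                    # 0 is reserved for health checks

class Sender:
    """FIG. 2: one layer 2 frame -> one or more UDP datagrams spread across the links."""
    def __init__(self, links, max_payload):
        self.links, self.max_payload = list(links), max_payload
        self.next_gsn, self.rr = 1, 0

    def encapsulate(self, frame):
        chunks = [frame[i:i + self.max_payload]
                  for i in range(0, len(frame), self.max_payload)] or [b""]
        gsn, self.next_gsn = self.next_gsn, self.next_gsn + 1
        out = []
        for idx, chunk in enumerate(chunks):
            link = self.links[self.rr % len(self.links)]   # round-robin stands in for the
            self.rr += 1                                   # latency/bandwidth link choice
            hdr = pack_header(link.nlid, link.next_tsn, gsn, idx, len(chunks))
            link.next_tsn += 1
            out.append((link.src, link.dst, TUNNEL_PORT, hdr + chunk))  # modelled L3 packet
        return out

    def health_check(self, link):
        return (link.src, link.dst, TUNNEL_PORT, pack_header(0, 0, 0, flags=0))

class Receiver:
    """FIG. 3: classify by port and NLID, release per link in TSN order, reassemble by GSN."""
    def __init__(self, nlids):
        self.expected = {n: 1 for n in nlids}  # established links and next TSN for each
        self.held = defaultdict(dict)          # nlid -> {tsn: (fields, chunk)} out-of-order
        self.frags = defaultdict(dict)         # gsn -> {frag_index: chunk}

    def receive(self, pkt):
        """Return the complete layer 2 frames that this packet makes deliverable."""
        _src, _dst, port, payload = pkt
        if port != TUNNEL_PORT:
            return []                                     # step 302: not tunnel traffic
        fields, chunk = unpack_header(payload)
        nlid, tsn = fields["nlid"], fields["tsn"]
        if nlid == 0 and tsn == 0:
            return []                                     # health check, no payload
        if nlid not in self.expected:
            return []   # membership is decided by NLID, not by src/dst, which differ per link
        self.held[nlid][tsn] = (fields, chunk)
        frames = []
        while self.expected[nlid] in self.held[nlid]:    # claim 14: release in TSN order
            f, c = self.held[nlid].pop(self.expected[nlid])
            self.expected[nlid] += 1
            frames.extend(self._reassemble(f, c))
        return frames

    def _reassemble(self, f, chunk):
        parts = self.frags[f["gsn"]]
        parts[f["frag_index"]] = chunk
        if len(parts) < f["frag_count"]:
            return []
        del self.frags[f["gsn"]]
        return [b"".join(parts[i] for i in range(f["frag_count"]))]

if __name__ == "__main__":
    # Constructed scenario: VPNa over links 131a/131b, same source, different destinations.
    links = [Link(0x131A, "203.0.113.10", "198.51.100.20"),
             Link(0x131B, "203.0.113.10", "198.51.100.30")]
    s, r = Sender(links, max_payload=6), Receiver([l.nlid for l in links])
    pkts = s.encapsulate(b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"hello")
    for p in reversed(pkts):                 # deliver out of order
        print(p[0], "->", p[1], r.receive(p))
```

The receiver never consults the source or destination address once the port matches; an unknown NLID is dropped, a known one is accepted from any address pair. Frames are released as soon as all fragments have arrived, so two frames whose fragments travel over different links may be delivered in an order that differs from their GSN order; a receiver that must preserve tunnel-wide order would hold completed frames until the next GSN is available.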
System
FIG. 5 illustrates a network device
implementing one of the embodiments of the present
invention. A system is comprised of one or more first
network interfaces 505 connecting to an internal network;
one or more second network interfaces 506 connecting to one
or more public and/or private networks; processing engine
501 and storage 507. First network interfaces 505 and
second network interfaces 506 can be implemented by agents
to be connected with optical fiber, cables, or antenna.
Processing engine 501 can be implemented by using one or
more central processing units, network processors,
microprocessors, micro-controllers, FPGAs, ASICs or any
device capable of performing instructions to perform the
basic arithmetical, logical, and input/output operations of
the system.
The network device connects to one or
more local area networks through one or more first network
interfaces 505. In a local area network, computing devices
communicate with each other through layer 2 technology. The
network device also connects to one or more wide area
networks through one or more second network interfaces 506.
At a wide area network, computing devices communicate with
each other through layer 3 technology. The network device
sets up one or more VPN tunnels with other network devices
through one or more wide area networks by using one or more
second network interfaces 506.
When a layer 2 packet is received at
one of first network interfaces 505 and to be delivered to
another local area network through a VPN tunnel, the layer 2
packet is encapsulated first in one or more layer 3 packets
along with a protocol header by encapsulation engine 502,
then is delivered to a wide area network through one or more
second network interfaces 506. Protocol engine 503 is used
to create the protocol header, which contains tunnel
association information.
When a layer 3 packet, which contains a
whole or a part of a layer 2 packet originated from another
local area network, is received at one of second network
interfaces 506 through a VPN tunnel and is to be delivered
to the local area network, the protocol header is retrieved
from the layer 3 packet and the layer 3 packet is then
decapsulated to retrieve the whole or part of the layer 2
packet by using protocol engine 503 and decapsulation engine
504. If the layer 2 packet is fragmented into more than one
layer 3 packet, the network device will not deliver the
layer 2 packet to the local area network until the whole
layer 2 packet is available. Protocol engine 503 retrieves
the tunnel association information from the protocol header.
Those skilled in the art will
appreciate that many different combinations of hardware will
be suitable for practicing the present invention.
Alternative embodiments will become
apparent to those skilled in the art to which the present
invention pertains without departing from its spirit and
scope. Accordingly, the scope of the present invention is
defined by the appended claims rather than the foregoing
description.
Claims (27)
- A method for computer networking, the method comprising: performing by one or more processors, one or more network interfaces, or a combination of one or more processors and one or more network interfaces in a network device: receiving a layer two packet; creating a protocol header, wherein tunnel association information is stored in said protocol header, wherein said tunnel association information includes a network link identification and a tunnel sequence number; encapsulating said layer two packet into one or more layer three packets with said protocol header, wherein said layer three packets have the same or different source addresses, wherein said layer three packets have the same or different destination addresses; delivering said one or more layer three packets to one or more said network interfaces; wherein said network link identification is used to identify the network link and virtual private tunnel said layer two packet belonging to; wherein said tunnel sequence number is used to identify the sequence of said one or more layer three packets in a network link.
- A method for computer networking, the method comprising: performing by one or more processors, one or more network interfaces, or a combination of one or more processors and one or more network interfaces in a network device: receiving one or more layer three packets through one or more network interfaces, wherein said layer three packets may not have the same source addresses, wherein said layer three packets may not have the same destination addresses; retrieving protocol header from each layer three packet, wherein tunnel association information is stored in said protocol header, wherein said tunnel association information includes a network link identification and a tunnel sequence number; decapsulating a layer two packet from said one or more layer three packets; delivering said layer two packet to one of said network interfaces; wherein said network link identification is used to identify the network link and virtual private tunnel said layer two packet belonging to; wherein said tunnel sequence number is used to identify the sequence of said one or more layer three packets in a network link.
- The method of claim 1 or 2, further comprising: encrypting payload of said one or more layer three packets.
- The method of claim 1 or 2, wherein said tunnel association information includes initialization vector when the payload of said one or more layer three packets are encrypted.
- The method of claim 1 or 2, wherein said tunnel association information includes a global sequence number.
- The method of claim 1 or 2, wherein said tunnel association information includes a version indicator.
- The method of claim 1 or 2, wherein said tunnel association information includes a timestamp indicator.
- The method of claim 1 or 2, wherein said tunnel association information includes an acknowledgement indicator.
- The method of claim 1 or 2, wherein said layer two packets is an Ethernet packet.
- The method of claim 1 or 2, wherein said one or more layer three packets are Internet Protocol packets.
- The method of claim 1 or 2, wherein said one or more layer three packets are delivered using User Datagram Protocol.
- The method of claim 1 or 2, wherein said network link identification is thirty-two bits long.
- The method of claim 1 or 2, wherein said tunnel sequence number is thirty-two bits long.
- The method of claim 2, further comprising: arranging said one or more layer three packets into correct order before said decapsulation.
- A network device that transfers and receives communications data, comprising one or more local area networks network interfaces connected to one or more local area networks; one or more wide area networks network interfaces connected to one or more wide area networks; a processing engine coupled to said one or more local area networks network interfaces and said one or more wide area networks network interfaces comprising an encapsulation engine to encapsulate a received layer two packet in one or more to be delivered layer three packets, a decapsulation engine to decapsulate one or more received layer three packets to a to be delivered layer two packet, and a protocol engine to process tunnel association information, wherein tunnel association information includes a network link identification and a tunnel sequence number; a storage system to provide instructions to said processing engine; wherein said network link identification is used to identify the network link and virtual private tunnel said layer two packet belonging to; wherein said tunnel sequence number is used to identify the sequence of said one or more layer three packets in a network link.
- The network device of claim 15, further comprising: encrypting payload of said one or more layer three packets.
- The network device of claim 15, wherein said tunnel association information includes an initialization vector when the payload of said one or more layer three packets is encrypted.
- The network device of claim 15, wherein said tunnel association information includes a global sequence number.
- The network device of claim 15, wherein said tunnel association information includes a version indicator.
- The network device of claim 15, wherein said tunnel association information includes a timestamp indicator.
- The network device of claim 15, wherein said tunnel association information includes an acknowledgement indicator.
- The network device of claim 15, wherein said layer two packet is an Ethernet packet.
- The network device of claim 15, wherein said one or more layer three packets are Internet Protocol packets.
- The network device of claim 15, wherein said one or more layer three packets are delivered using User Datagram Protocol.
- The network device of claim 15, wherein said network link identification is thirty-two bits long.
- The network device of claim 15, wherein said tunnel sequence number is thirty-two bits long.
- The network device of claim 15, further comprising: arranging said one or more layer three packets into correct order before said decapsulation.
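The header handling that claim 15 and its dependent claims describe, as an added example that is not the patent's own code: the claims fix the widths of the network link identification and the tunnel sequence number (32 bits each) but not their order, so the layout used here (link id, then tunnel sequence number, then the embedded Ethernet frame, one frame per UDP payload, optional fields left out) is an assumption. The receiver side shows the "arranging into correct order before decapsulation" step, and why a per-link sequence number also lets a replayed or duplicated packet be dropped before it reaches the LAN side.

```python
# Added example, not the patent's own code: tunnel association header
# handling as claim 15 and its dependents describe it.  The claims give
# the field widths (32-bit link id, 32-bit tunnel sequence number) but
# not their order; the layout assumed here is  link id | tunnel seq | L2
# frame, one layer two frame per layer three packet, optional fields omitted.
import struct
from collections import defaultdict

HEADER = struct.Struct("!II")  # two 32-bit fields, network byte order


def encapsulate(link_id: int, tunnel_seq: int, l2_frame: bytes) -> bytes:
    """Build the UDP payload that carries one layer two frame."""
    return HEADER.pack(link_id & 0xFFFFFFFF, tunnel_seq & 0xFFFFFFFF) + l2_frame


def parse_header(l3_payload: bytes):
    """Split a received UDP payload into (link id, tunnel seq, frame)."""
    if len(l3_payload) < HEADER.size:
        raise ValueError("truncated tunnel association header")
    link_id, tunnel_seq = HEADER.unpack_from(l3_payload)
    return link_id, tunnel_seq, l3_payload[HEADER.size:]


class Reassembler:
    """Per-link reordering buffer: frames are released to decapsulation in
    tunnel sequence order; a packet whose sequence number was already
    delivered or is already buffered is dropped (replay / duplicate)."""

    def __init__(self):
        self.next_seq = defaultdict(int)  # link id -> next expected seq
        self.pending = defaultdict(dict)  # link id -> {seq: frame}

    def receive(self, l3_payload: bytes) -> list:
        link_id, seq, frame = parse_header(l3_payload)
        if seq < self.next_seq[link_id] or seq in self.pending[link_id]:
            return []
        self.pending[link_id][seq] = frame
        ready = []
        while self.next_seq[link_id] in self.pending[link_id]:
            ready.append(self.pending[link_id].pop(self.next_seq[link_id]))
            self.next_seq[link_id] += 1  # 32-bit wraparound is not handled here
        return ready


def constructed_frame(n: int) -> bytes:
    """A constructed minimal Ethernet frame: broadcast dst, locally
    administered src MAC, IPv4 EtherType, short payload."""
    return bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload%d" % n
```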
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201180074664.7A CN104067562B (en) | 2011-11-11 | 2011-11-11 | Agreement for second layer Multi net voting link tunnel |
PCT/IB2011/055042 WO2013068790A1 (en) | 2011-11-11 | 2011-11-11 | Protocol for layer two multiple network links tunnelling |
US13/881,727 US9369550B2 (en) | 2011-11-11 | 2011-11-11 | Protocol for layer two multiple network links tunnelling |
EP11875527.1A EP2777217B1 (en) | 2011-11-11 | 2011-11-11 | Protocol for layer two multiple network links tunnelling |
CN201711146334.XA CN107682370B (en) | 2011-11-11 | 2011-11-11 | Method and system for creating protocol headers for embedded layer two packets |
US15/180,637 US10044841B2 (en) | 2011-11-11 | 2016-06-13 | Methods and systems for creating protocol header for embedded layer two packets |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IB2011/055042 WO2013068790A1 (en) | 2011-11-11 | 2011-11-11 | Protocol for layer two multiple network links tunnelling |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/881,727 A-371-Of-International US9369550B2 (en) | 2011-11-11 | 2011-11-11 | Protocol for layer two multiple network links tunnelling |
US15/180,637 Continuation US10044841B2 (en) | 2011-11-11 | 2016-06-13 | Methods and systems for creating protocol header for embedded layer two packets |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013068790A1 true WO2013068790A1 (en) | 2013-05-16 |
Family
ID=48288599
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2011/055042 WO2013068790A1 (en) | 2011-11-11 | 2011-11-11 | Protocol for layer two multiple network links tunnelling |
Country Status (4)
Country | Link |
---|---|
US (1) | US9369550B2 (en) |
EP (1) | EP2777217B1 (en) |
CN (2) | CN107682370B (en) |
WO (1) | WO2013068790A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017027501A1 (en) | 2015-08-10 | 2017-02-16 | Hughes Network Systems, Llc | CARRIER GRADE ETHERNET LAYER 2 OVER LAYER 3 SATELLITE BACKBONES (L2oL3SB) |
GB2524131B (en) * | 2013-10-28 | 2020-07-08 | Pismo Labs Technology Ltd | Methods and systems for transmitting broadcast data |
EP4243383A4 (en) * | 2020-12-23 | 2024-04-24 | ZTE Corporation | Message transmission method and system, and network device and storage medium |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10044841B2 (en) * | 2011-11-11 | 2018-08-07 | Pismo Labs Technology Limited | Methods and systems for creating protocol header for embedded layer two packets |
US9882713B1 (en) * | 2013-01-30 | 2018-01-30 | vIPtela Inc. | Method and system for key generation, distribution and management |
US9467478B1 (en) | 2013-12-18 | 2016-10-11 | vIPtela Inc. | Overlay management protocol for secure routing based on an overlay network |
US10044502B2 (en) | 2015-07-31 | 2018-08-07 | Nicira, Inc. | Distributed VPN service |
US10567347B2 (en) * | 2015-07-31 | 2020-02-18 | Nicira, Inc. | Distributed tunneling for VPN |
US9980303B2 (en) | 2015-12-18 | 2018-05-22 | Cisco Technology, Inc. | Establishing a private network using multi-uplink capable network devices |
US11108592B2 (en) * | 2016-01-21 | 2021-08-31 | Cox Communications, Inc. | Systems and methods for implementing a layer two proxy for wireless network data |
US9942787B1 (en) * | 2016-03-22 | 2018-04-10 | Amazon Technologies, Inc. | Virtual private network connection quality analysis |
US10447591B2 (en) | 2016-08-30 | 2019-10-15 | Oracle International Corporation | Executing multiple virtual private network (VPN) endpoints associated with an endpoint pool address |
US10630657B2 (en) * | 2017-03-02 | 2020-04-21 | ColorTokens, Inc. | System and method for enhancing the security of data packets exchanged across a computer network |
CN107040446B (en) * | 2017-03-13 | 2021-04-09 | 安徽新华博信息技术股份有限公司 | VPN tunnel protocol realizing method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1468007A (en) * | 2002-07-10 | 2004-01-14 | 华为技术有限公司 | Virtual switch for supplying virtual LAN service and method |
US20070283429A1 (en) * | 2006-05-30 | 2007-12-06 | A10 Networks Inc. | Sequence number based TCP session proxy |
CN102123002A (en) * | 2011-03-07 | 2011-07-13 | 上海华为技术有限公司 | Frequency synchronization method based on Internet protocol security protocol (IPsec) and related equipment |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
SG152901A1 (en) * | 1999-09-21 | 2009-06-29 | Interdigital Tech Corp | Multiuser detector for variable spreading factors |
US6732314B1 (en) * | 2000-05-26 | 2004-05-04 | 3Com Corporation | Method and apparatus for L2TP forward error correction |
US7342942B1 (en) * | 2001-02-07 | 2008-03-11 | Cortina Systems, Inc. | Multi-service segmentation and reassembly device that maintains only one reassembly context per active output port |
US7194766B2 (en) * | 2001-06-12 | 2007-03-20 | Corrent Corporation | Method and system for high-speed processing IPSec security protocol packets |
US7221675B2 (en) * | 2001-12-07 | 2007-05-22 | Nortel Networks Limited | Address resolution method for a virtual private network, and customer edge device for implementing the method |
US7237260B2 (en) * | 2003-07-08 | 2007-06-26 | Matsushita Electric Industrial Co., Ltd. | Method for dynamic selection for secure and firewall friendly communication protocols between multiple distributed modules |
US8146148B2 (en) * | 2003-11-19 | 2012-03-27 | Cisco Technology, Inc. | Tunneled security groups |
CN1780294B (en) * | 2004-11-26 | 2010-07-07 | 中兴通讯股份有限公司 | Method for realizing virtual special network based on point-to-point protocol of Ethernet |
US7769869B2 (en) * | 2006-08-21 | 2010-08-03 | Citrix Systems, Inc. | Systems and methods of providing server initiated connections on a virtual private network |
US8165088B2 (en) * | 2006-09-13 | 2012-04-24 | Toshiba America Research, Inc. | MIH protocol state machine |
US8050267B2 (en) * | 2007-02-19 | 2011-11-01 | Cisco Technology, Inc. | Simple virtual private network for small local area networks |
US8023419B2 (en) * | 2007-05-14 | 2011-09-20 | Cisco Technology, Inc. | Remote monitoring of real-time internet protocol media streams |
CN101110745A (en) * | 2007-08-14 | 2008-01-23 | 华为技术有限公司 | Method, device and system for engaging second layer network and third layer network |
US8181009B2 (en) * | 2009-03-03 | 2012-05-15 | Harris Corporation | VLAN tagging over IPSec tunnels |
US8867349B2 (en) * | 2009-05-18 | 2014-10-21 | Cisco Technology, Inc. | Regulation of network traffic in virtual private networks |
- 2011
- 2011-11-11 CN CN201711146334.XA patent/CN107682370B/en active Active
- 2011-11-11 US US13/881,727 patent/US9369550B2/en active Active
- 2011-11-11 CN CN201180074664.7A patent/CN104067562B/en active Active
- 2011-11-11 EP EP11875527.1A patent/EP2777217B1/en active Active
- 2011-11-11 WO PCT/IB2011/055042 patent/WO2013068790A1/en active Application Filing
Non-Patent Citations (1)
Title |
---|
Lau, J. et al., Layer Two Tunneling Protocol - Version 3 (L2TPv3), 1 March 2005 (2005-03-01) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2524131B (en) * | 2013-10-28 | 2020-07-08 | Pismo Labs Technology Ltd | Methods and systems for transmitting broadcast data |
WO2017027501A1 (en) | 2015-08-10 | 2017-02-16 | Hughes Network Systems, Llc | CARRIER GRADE ETHERNET LAYER 2 OVER LAYER 3 SATELLITE BACKBONES (L2oL3SB) |
EP3335125A4 (en) * | 2015-08-10 | 2019-02-27 | Hughes Network Systems, LLC | CARRIER GRADE ETHERNET LAYER 2 OVER LAYER 3 SATELLITE BACKBONES (L2oL3SB) |
EP4243383A4 (en) * | 2020-12-23 | 2024-04-24 | ZTE Corporation | Message transmission method and system, and network device and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN107682370B (en) | 2020-07-17 |
EP2777217B1 (en) | 2020-01-08 |
CN104067562A (en) | 2014-09-24 |
US9369550B2 (en) | 2016-06-14 |
CN104067562B (en) | 2017-12-15 |
CN107682370A (en) | 2018-02-09 |
EP2777217A1 (en) | 2014-09-17 |
EP2777217A4 (en) | 2015-06-24 |
US20140294018A1 (en) | 2014-10-02 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
EP2777217B1 (en) | Protocol for layer two multiple network links tunnelling | |
US10044841B2 (en) | Methods and systems for creating protocol header for embedded layer two packets | |
EP2853070B1 (en) | Multi-tunnel virtual private network | |
US8181009B2 (en) | VLAN tagging over IPSec tunnels | |
CN107995052B (en) | Method and apparatus for common control protocol for wired and wireless nodes | |
US8775790B2 (en) | System and method for providing secure network communications | |
US20170104851A1 (en) | Multi-hop wan macsec over ip | |
CN103188351B (en) | IPSec VPN traffic method for processing business and system under IPv6 environment | |
EP4020915A1 (en) | Message transmission method and device, and computer storage medium | |
US9445384B2 (en) | Mobile device to generate multiple maximum transfer units and data transfer method | |
CN107306198B (en) | Message forwarding method, device and system | |
US20190372948A1 (en) | Scalable flow based ipsec processing | |
US20190124055A1 (en) | Ethernet security system and method | |
CN106161386B (en) | Method and device for realizing IPsec (Internet protocol Security) shunt | |
CN111698245A (en) | VxLAN security gateway and two-layer security network construction method based on state cryptographic algorithm | |
CN108924157B (en) | Message forwarding method and device based on IPSec VPN | |
CN112600802B (en) | SRv6 encrypted message and SRv6 message encryption and decryption methods and devices | |
WO2020228130A1 (en) | Communication method and system for network management server and network element of communication device | |
EP2600569B1 (en) | Method, apparatus and system for processing a tunnel packet | |
WO2005008997A1 (en) | Hardware acceleration for unified ipsec and l2tp with ipsec processing in a device that integrates wired and wireless lan, l2 and l3 switching functionality | |
CN111866865A (en) | Data transmission method, wireless private network establishment method and system | |
US20130133063A1 (en) | Tunneling-based method of bypassing internet access denial | |
US11750581B1 (en) | Secure communication network | |
WO2023159346A1 (en) | Communication devices and methods therein for facilitating ipsec communications | |
JP6075871B2 (en) | Network system, communication control method, communication control apparatus, and communication control program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11875527; Country of ref document: EP; Kind code of ref document: A1 |
 | WWE | Wipo information: entry into national phase | Ref document number: 13881727; Country of ref document: US |
 | WWE | Wipo information: entry into national phase | Ref document number: 2011875527; Country of ref document: EP |
 | NENP | Non-entry into the national phase | Ref country code: DE |