Overlay management protocol for secure routing based on an overlay network
Abstract
A method for creating a secure network is provided. The method comprises establishing an overlay domain to control routing between overlay edge routers based on an underlying transport network, wherein said establishing comprises running an overlay management protocol to exchange information within the overlay domain; in accordance with the overlay management protocol defining service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes is shared with the overlay edge routers but not with the underlying transport network via the overlay management protocol.
Claims
exact text as granted — not AI-modifiedThe invention claimed is:
1. A method comprising:
at an overlay network comprising an overlay controller and a plurality of overlay edge routers that are within control of an enterprise:
provisioning the overlay controller and the plurality of overlay edge routers with transport parameters to allow respective connections to a public transport network that is not within control of the enterprise;
establishing a secure overlay control plane that includes a plurality of secure control channels between the overlay controller and respective overlay edge routers of the plurality of overlay edge routers;
establishing a secure overlay data plane that includes a plurality of secure tunnels between at least some of the plurality of overlay edge routers, wherein the plurality of secure tunnels go through the public transport network;
collecting, by the overlay controller, routing information comprising at least one of authentication information, service information, encryption information, policy information, and access control information wherein the routing information is carried by an overlay management protocol; and
transmitting, by the overlay controller, the routing information to one or more of the plurality of overlay edge routers over the secure overlay control plane in order to mask the routing information from the public transport network.
2. The method of claim 1 , wherein the provisioning comprises:
provisioning the overlay controller and the plurality of overlay edge routers with respective system parameters that include one or more of a site identifier (ID), a domain ID, a system ID and an address of a mapping server.
3. The method of claim 1 , wherein each of the plurality of secure control channels includes a Datagram Transport Layer Security (DTLS) tunnel.
4. The method of claim 1 , wherein each of the plurality of secure tunnels includes an Internet Protocol Security (IPSec) tunnel.
5. The method of claim 1 , further comprising:
routing, based on the routing information, data traffic over the secure overlay data plane.
6. The method of claim 5 , wherein the routing comprises:
routing the data traffic over the plurality of secure tunnels going through the public transport network.
7. A non-transitory computer-readable medium having stored instructions which when executed by a system cause the system to:
provision an overlay controller and a plurality of overlay edge routers that are within control of an enterprise with transport parameters to allow respective connections to a public transport network that is not within control of the enterprise;
establish a secure overlay control plane that includes a plurality of secure control channels between the overlay controller and respective overlay edge routers of the plurality of overlay edge routers;
establish a secure overlay data plane that includes a plurality of secure tunnels between at least some of the plurality of overlay edge routers, wherein the plurality of secure tunnels go through the public transport network;
collect, by the overlay controller, routing information comprising at least one of authentication information, service information, encryption information, policy information, and access control information wherein the routing information is carried by an overlay management protocol; and
transmit, by the overlay controller, the routing information to one or more of the plurality of overlay edge routers over the secure overlay control plane in order to mask the routing information from the public transport network.
8. The non-transitory computer-readable medium of claim 7 , wherein the provisioning comprises:
provisioning the overlay controller and the plurality of overlay edge routers with respective system parameters that include one or more of a site identifier (ID), a domain ID, a system ID and an address of a mapping server.
9. The non-transitory computer-readable medium of claim 7 , wherein each of the plurality of secure control channels includes a Datagram Transport Layer Security (DTLS) tunnel.
10. The non-transitory computer-readable medium of claim 7 , wherein each of the plurality of secure tunnels includes an Internet Protocol Security (IPSec) tunnel.
11. The non-transitory computer-readable medium of claim 8 , further comprising:
routing, based on the routing information, data traffic over the secure overlay data plane.
12. The non-transitory computer-readable medium of claim 11 , wherein the routing comprises:
routing the data traffic over the plurality of secure tunnels going through the public transport network.
13. A controller, comprising: a processor; and
a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the controller to:
provision an overlay controller and a plurality of overlay edge routers that are within control of an enterprise with transport parameters to allow respective connections to a public transport network that is not within control of the enterprise;
establish a secure overlay control plane that includes a plurality of secure control channels between the overlay controller and respective overlay edge routers of the plurality of overlay edge routers;
establish a secure overlay data plane that includes a plurality of secure tunnels between at least some of the plurality of overlay edge routers, wherein the plurality of secure tunnels go through the public transport network;
collect, by the overlay controller, routing information comprising at least one of authentication information, service information, encryption information, policy information, and access control information; wherein the routing information is carried by an overlay management protocol; and
transmit, by the overlay controller, the routing information to one or more of the plurality of overlay edge routers over the secure overlay control plane in order to mask the routing information from the public transport network.
14. The controller of claim 13 , wherein the provisioning comprises:
provisioning the overlay controller and the plurality of overlay edge routers with respective system parameters that include one or more of a site identifier (ID), a domain ID, a system ID and an address of a mapping server.
15. The controller of claim 13 , wherein each of the plurality of secure control channels includes a Datagram Transport Layer Security (DTLS) tunnel.
16. The controller of claim 13 , wherein each of the plurality of secure tunnels includes an Internet Protocol Security (IPSec) tunnel.
17. The controller of claim 13 , wherein the instructions further cause the controller to:
route, based on the routing information, data traffic over the secure overlay data plane.
18. A method comprising:
providing an overlay domain operating through an underlying transport network, wherein the underlying transport network is not within control of an enterprise network and is accessible by a third party from whom network traffic should be obscured, wherein the overlay domain includes a central controller and at least a first overlay edge device and a second overlay edge device, wherein each overlay edge device is communicatively coupled to the central controller and configured to use transport parameters provided by the central controller; creating a secure overlay control plane by establishing first and second secure overlay control connections between the overlay edge devices and the central controller; establishing, over the underlying transport network, one or more secure network layer tunnels between the first overlay edge device and the second overlay edge device, wherein the first overlay edge device provides connectivity network resources outside the overlay domain, wherein the one or more secure network layer tunnels form a secure overlay data plane; distributing overlay route information to the overlay edge routers through the overlay domain via the secure overlay control connections thereby preventing exposure of the overlay routing information to the underlying transport network; using the overlay route information to control routing of packets through the one or more secure network layer tunnels, wherein the overlay route information distributed over the transport network to the overlay edge routers is masked from the view of the third party.
19. The method of claim 18 , wherein the underlying transport network includes a WAN.
20. The method of claim 18 , wherein the underlying transport network includes a portion provided by a third party.
21. The method of claim 18 , wherein the overlay domain further includes a third overlay edge router; and wherein the method further comprises:
establishing further secure overlay control connections between the third overlay edge device and the central controller, establishing further secure network layer tunnels between the third overlay router and the first and second overlay edge routers; and wherein the overlay route information is used to control routing of packets through the secure network layer tunnels associated with the third overlay edge device.
22. The method of claim 18 , wherein the central controller communicates with the plurality of overlay edge routers via an overlay protocol.
23. The method of claim 22 , wherein the overlay protocol is used to mask the overlay route information distributed to the overlay edge routers.
24. The method of claim 22 , wherein the overlay protocol is used to mask the overlay data sent over the secure network layer tunnels.
25. A system, comprising:
an overlay domain associated with an underlying transport network, wherein the underlying transport network is not within control of an enterprise network and is accessible by a third party from whom data should be obscured, the overlay domain including a central controller and a plurality of overlay edge routers, wherein the plurality of overlay edge routers are communicatively coupled to the central controller and provisioned with parameters provided by the central controller, and wherein the central controller is configured to:
create a secure overlay control plane by establishing, over the underlying transport network, secure control connections with the plurality of overlay edge routers;
distribute, over the secure control connections, information associated with overlay routes to the plurality of overlay edge routers thereby preventing exposure of the information to the underlying transport network; and
selectively use the information associated with overlay routes to control routing between the plurality of overlay edge routers through the underlying transport network, the overlay routes existing exclusively within the overlay domain, wherein the overlay routes are masked from the view of the third party;
wherein each of the overlay edge routers are configured to:
establish, over the underlying transport network, secure network layer tunnels with other overlay edge routers, wherein the secure network layer tunnels form a secure overlay data plane.
26. The system of claim 25 , wherein the underlying transport network includes a WAN.
27. The system of claim 25 , wherein the underlying transport network includes a portion provided by a third party.
28. The system of claim 25 , wherein the central controller communicates with the plurality of overlay edge routers via an overlay protocol.
29. The system for providing routing of claim 25 , wherein the overlay domain comprises the secure overlay control plane to provide communications between the central controller and the plurality of overlay edge routers through the underlying transport network.
30. The system for providing routing of claim 25 , wherein the overlay domain comprises the secure overlay data plane to route data between the plurality of overlay edge routers through the underlying transport network.
31. The system for providing routing of claim 25 , wherein the information associated with overlay routes comprises information representing reachability between respective overlay edge routers.
32. A system comprising:
a non-transitory computer-readable logic and an overlay domain associated with an underlying transport network, wherein the underlying transport network is not within control of an enterprise network and is accessible by a third party from whom data should be obscured, the overlay domain including a central controller and a plurality of overlay edge routers configured to use transport parameters provided by the central controller, wherein the logic, when executed, is operable to cause the system to:
create a secure overlay control plane by establishing first and second secure overlay control connections between the overlay edge devices and the central controller;
establish, over the underlying transport network, one or more secure network layer tunnels between the first overlay edge device and the second overlay edge device, wherein the first overlay edge device provides connectivity network resources outside the overlay domain and, the one or more secure network layer tunnels form a secure overlay data plane;
distribute overlay route information to the overlay edge routers through the overlay domain via the secure overlay control connections thereby preventing exposure of the overlay routing information to the underlying transport network; and
use the overlay route information to control routing of packets through the one or more secure network layer tunnels, wherein the overlay route information distributed to the overlay edge routers is masked from the view of the third party.
33. The system of claim 32 , wherein the underlying transport network includes a WAN.
34. The system of claim 32 , wherein the underlying transport network includes a portion provided by a third party.
35. The system of claim 32 , wherein the overlay domain further includes a third overlay edge router, and wherein the logic, when executed, is further operable to:
establish further secure overlay control connections between the third overlay edge device and the central controller, establish further secure network layer tunnels between the third overlay router and the first and second overlay edge routers; and wherein the overlay route information is used to control routing of packets through the secure network layer tunnels associated with the third overlay edge device.
36. The system of claim 32 , wherein the logic, when executed, is further operable to establish communication between the central controller and the plurality of overlay edge routers via an overlay protocol.
37. The system of claim 32 , wherein the overlay protocol is used to mask the overlay route information distributed to the overlay edge routers.
38. The system of claim 32 , wherein the overlay protocol is used to mask the overlay data sent over the secure network layer tunnels.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.