A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
Certain devices, referred to as routers, maintain routing information that describes routes through the network. A “route” can generally be defined as a path between two locations on the network. Conventional routers often maintain the routing information in the form of one or more routing tables or other data structures. The form and content of the routing tables often depend on the particular routing algorithm implemented by the router.
Upon receiving incoming packets, the routers examine information within the packets and forward the packets in accordance with the routing information. In order to maintain an accurate representation of the network, routers periodically exchange routing information in accordance with routing protocols, such as the Border Gateway Protocol (BGP), the Intermediate System to Intermediate System (IS-IS) protocol, the Open Shortest Path First (OSPF) protocol, and the Routing Information Protocol (RIP).
Virtual private networks (VPNs) are often used to securely share data over public network infrastructure, such as the Internet. For example, an enterprise that includes multiple geographically separated sites, each site including one or more computing devices, may establish a VPN to allow the computing devices to securely communicate through the Internet or other public network infrastructure.
A number of communication protocols have been developed for establishing a VPN. In general, these protocols allow network devices, such as routers, to establish the VPN as one or more secure data flows across the public network infrastructure. For example, the Internet Engineering Task Force has established a set of Internet Protocol Security (IPSec) protocols that make use of cryptographic technology to establish network “tunnels.” These tunnels allow packets conforming to other network protocols, such as Internet Protocol (IP) packets, to be encapsulated within encrypted packet streams flowing between the sites.
In order to enhance the security of a VPN, the network devices filter network traffic at the ingress and egress of each of the tunnels associated with the VPN. For example, for IPSec tunnels, the network devices configure “selectors” that define the permissible source and destination address ranges for packets allowed through the tunnels. These selectors often require manual configuration based on the network topology and the types of routing protocols supported by the network. Moreover, many routing protocols, e.g., OSPF, BGP, and the like, make use of multicast packets and rely on defined multicast destination address ranges to exchange routing information. In order to support communication through the tunnels via these routing protocols, the selectors often need to be manually configured to admit these address ranges as well. This process can be time consuming and often requires significant manual effort. In addition, conventional IPSec tunnels allow only a single selector per tunnel. As a result, to support both the network topology and communication via the routing protocols, an administrator may configure the selector to allow a large range of addresses, thus compromising security.
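The following is an added example, not part of the original text, that models IPSec-style selectors in Python to make the last point concrete: with one selector per tunnel, admitting both site-to-site traffic and OSPF's multicast destination forces the destination range to widen to a covering prefix, which then also admits traffic the tunnel was never meant to carry. The site prefixes and probe addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network


class Selector:
    """An IPSec-style selector: a permitted source range and destination range."""

    def __init__(self, src, dst):
        self.src = ip_network(src)
        self.dst = ip_network(dst)

    def permits(self, src_ip, dst_ip):
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def tunnel_permits(selectors, src_ip, dst_ip):
    """A packet passes the tunnel filter if any configured selector admits it."""
    return any(s.permits(src_ip, dst_ip) for s in selectors)


def single_selector_destination(dst_ranges):
    """Smallest single prefix covering every destination range: what a tunnel
    limited to one selector must be configured with to admit all of them."""
    nets = [ip_network(r) for r in dst_ranges]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    return cover


def overreach(broad, narrow, probes):
    """Probe packets the broad configuration admits but the narrow one would drop."""
    return [p for p in probes if tunnel_permits(broad, *p) and not tunnel_permits(narrow, *p)]


# Constructed topology: site A reaches site B through the tunnel, and OSPF hellos
# from site A's router (destination AllSPFRouters, 224.0.0.5) must also traverse it.
SITE_A = "10.1.0.0/16"
SITE_B = "10.2.0.0/16"
OSPF_ALL_ROUTERS = "224.0.0.5/32"

# Several selectors: each range is exactly as wide as it needs to be.
NARROW = [Selector(SITE_A, SITE_B), Selector(SITE_A, OSPF_ALL_ROUTERS)]

# One selector: 10.2.0.0/16 and 224.0.0.5 differ in their first bit, so the covering
# prefix collapses to 0.0.0.0/0 and the tunnel admits any destination at all.
BROAD = [Selector(SITE_A, str(single_selector_destination([SITE_B, OSPF_ALL_ROUTERS])))]

PROBES = [
    ("10.1.5.5", "10.2.9.9"),    # site-to-site data: both configurations admit it
    ("10.1.0.1", "224.0.0.5"),   # OSPF hello: both configurations admit it
    ("10.1.7.7", "192.0.2.10"),  # unrelated destination: only the broad one admits it
]
```

Running `overreach(BROAD, NARROW, PROBES)` returns just the third probe, the traffic that widening the single selector let through.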