A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
A. Field of the Invention
The present invention relates to a method and device for switching network tunnel connections.
B. Description of the Related Art
A tunnel connection allows a user to access a destination network via an intermediate network such as the public Internet. For example, as seen in FIG. 1, a remote user 10 traveling in San Diego, Calif. wishes to connect to a destination network 20 at his home in Chicago, Ill. Typically, the remote user 10 would place a long distance telephone call over the public switched telephone network to Chicago to directly access the destination network 20 on a dial up access connection.
If the destination network has an Internet access 22, however, a tunnel connection through the Internet 40 may be used to access the destination network 20. To initiate a tunnel connection, the remote user 10 places a local telephone call 12 through the public switched telephone network ("PSTN") 30 to the local point-of-presence of an Internet Service Provider ("ISP") 42 in San Diego. In this example, the remote user 10 would be a subscriber to a national ISP 42 with a local dial up access in San Diego. Upon being accessed by the remote user 10, the ISP 42 searches its subscriber database to identify the destination network 20 associated with the remote user 10. To reach the destination network 20, the ISP 42 recognizes the remote user 10 requires a connection or "tunnel" over the Internet 40 to the destination network 20. The ISP 42 forms a tunnel connection 50 to the destination network 20 by sending data from remote user 10 to the Internet access point address of the destination network 20. Data sent to the remote user 10 is thus tunneled across the Internet 40 to the destination network 20. The tunnel connection 50 across the Internet 40 thus allows remote access to the destination network 20 by placing a local telephone call.
Such a tunnel connection 50 over the public Internet 40, however, typically requires the destination network 20 to allow public Internet access. In order for the tunnel connection to be established from the ISP 42 to the destination network 20, the destination network 20 must typically have an Internet address that is accessible from the ISP 42. The destination network 20 is therefore publicly accessible, without the ability to control access and keep information secure and protected during tunneling access. Thus, information that the destination network 20 wishes to keep protected is typically not made accessible to tunnel connections over the public Internet 40.
In addition, the destination network 20 may have a number of resources 22, 24, 26 to accommodate a large number of incoming remote users. The ISP 42 creating tunnels to the destination network 20, however, typically controls the establishing of tunnels to the destination network 20. The destination network has no control over which of its resources 22, 24, 26 are used to handle the incoming tunnel traffic. Thus, a number of ISPs 42, 44, 46 may be directing incoming tunnels to only one of a destination network's available resources 22, 24, 26. This busy resource may suffer from congestion, while the destination network's other resources are underutilized.
Accordingly, it is desirable to have the ability to consolidate the control of tunnel access to a destination network for security reasons, as well as to direct the routing of incoming tunnels to a particular access point of the network. Consolidating control of tunnel access to a destination network also provides other benefits, as will be apparent.
The present invention provides switched tunnel connections from a user to a destination or a multiple number of destinations. The present invention determines the appropriate destination for switching incoming tunnel connections based on information relating to the user originating the incoming tunnel. A switched tunnel is then initiated to switch tunnel traffic to the appropriate destination. For example, the present invention may determine from the information relating to the originating user that a switched tunnel connection should be initiated to a destination associated with the originating user.
The present invention provides the ability to impose a security verification on users before initiating a switched tunnel connection to access the destination. Before allowing access, the originating user of the incoming tunnel is verified to have the proper permission to access the destination. If the user does not have the proper permission, access is denied and the switched tunnel connection is not initiated. The ability to grant either public or private access can be achieved by verification of permissions before switching a tunnel to the destination. Authenticated users can be switched to the private access point by initiating a switched tunnel connection. Unauthenticated users are terminated at the public access point and not switched to the destination. By verifying users, controlled access to protected information can be provided by switching tunnels over the public Internet.
The present invention also provides load-balancing to a destination having a multiple number of access points by intelligent switching. Load balancing is achieved by intelligently determining the access points to which switched tunnels are initiated. For example, if the destination has a multiple number of access points, the present invention may switch switched tunnel connections to one of the destination access points based on round robin selection between the available access points. The present invention may also switch switched tunnel connections to one of the destination access points based on the traffic load at the access points. Intelligently switching switched tunnel connections to share traffic load among multiple access points can reduce congestion at the destination.
The present invention also allows the switching of a plurality of tunnels from a user to bundle together a plurality of tunnels from the same user to the destination. The term "bundle", as used herein, is intended to mean a collection of connections or links used collectively for a communication session. To achieve the high bandwidth bundling offered by protocols such as Multi-link PPP, tunnels from the same user must be routed to the same destination. If the switch has already established a switched tunnel to the destination for that user, subsequent incoming tunnel traffic to that destination can be switched over the existing switched tunnel. Thus, a plurality of incoming tunnel connections are bundled together over a switched tunnel connection.
In the described embodiment, a method is provided for establishing a communication link from an originating user to a destination by receiving an incoming tunnel connection, and based on information about the originating user, initiating a switched tunnel connection for switching traffic from the incoming tunnel connection to the destination over the switched tunnel. A database of information or user profiles relating to the originating users is provided and queried for information relating to establishing the communication link to the appropriate destination. Also provided is a tunnel switching device having a process for terminating an incoming tunnel connection, a dispatch process for determining whether a switched tunnel connection is to be made, and an initiation process to initiate a switched tunnel connection for switching traffic between the user and the destination. The tunnel switching device switches the incoming tunnel address to a switched tunnel to access the appropriate destination according to the dispatch process.
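The dispatch process described above, covering the permission check, the round robin or load-based choice of access point, and the bundling of further tunnels from the same user onto an existing switched tunnel, as an added illustration that is not the patent's own code. The user profiles, destination names and access point addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import cycle

@dataclass
class AccessPoint:
    address: str
    load: int = 0  # switched tunnels currently terminated at this access point

@dataclass
class Destination:
    name: str
    access_points: list
    policy: str = "round_robin"  # or "least_loaded"
    _rr: object = field(default=None, repr=False)

    def select(self):
        """Choose the access point for a new switched tunnel (load balancing)."""
        if self.policy == "least_loaded":
            return min(self.access_points, key=lambda ap: ap.load)
        if self._rr is None:
            self._rr = cycle(self.access_points)
        return next(self._rr)

class TunnelSwitch:
    def __init__(self, profiles, destinations):
        self.profiles = profiles          # user -> {"destination": name, "permitted": bool}
        self.destinations = destinations  # name -> Destination
        self.switched = {}                # (user, destination) -> AccessPoint already in use

    def dispatch(self, user):
        """Return (action, access point address) for an incoming tunnel from `user`."""
        profile = self.profiles.get(user)
        if profile is None or not profile["permitted"]:
            return ("deny", None)  # unverified user stays at the public access point
        dest = self.destinations[profile["destination"]]
        key = (user, dest.name)
        if key in self.switched:  # bundle onto the existing switched tunnel
            return ("bundle", self.switched[key].address)
        ap = dest.select()
        ap.load += 1
        self.switched[key] = ap
        return ("switch", ap.address)

def build_demo_switch(policy="round_robin"):
    """Constructed sample data: two permitted users, one denied, two access points."""
    profiles = {"alice": {"destination": "home", "permitted": True},
                "bob": {"destination": "home", "permitted": True},
                "mallory": {"destination": "home", "permitted": False}}
    home = Destination("home", [AccessPoint("192.0.2.1"), AccessPoint("192.0.2.2")], policy)
    return TunnelSwitch(profiles, {"home": home})
```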