1. Field of the Invention
This invention relates to the field of providing security within a network, and more particularly relates to a method and system for supporting security within a network by including information related to the security of a network within a packet.
2. Description of the Related Art
The rapid increase in the size and complexity of networks continually creates new security challenges. Furthermore, the advent of new technologies can result in new security vulnerabilities, while the number of security threats that can potentially exploit these vulnerabilities is constantly increasing. This is true of all manner of networks, including enterprise networks, service provider networks, and the like. Thus, the need for securing networks is increasing, and at the same time, providing security for networks is becoming more and more difficult.
In an effort to keep up with the increasing need for security within networks, network administrators typically upgrade network software and hardware on a regular basis. Upgrading an entire network can be expensive and time consuming; therefore, administrators often update networks by upgrading one region of the network at a time. Upgrading a network one region at a time can create new security challenges. Such an approach leaves portions of the network unprotected from security threats, which can result in compromising the security of the entire network.
Network administrators also face additional challenges when transferring data across a network that does not support a procedure for providing security within the network. For example, many enterprise networks connect to remote networks by using the Internet as a transporting network. In this configuration, virtual private networks are often implemented to provide network security. Virtual private networks typically use tunneling to create a private network across the Internet. Tunneling is the process of encapsulating a packet with a header that is understood by the transporting network and the tunnel endpoints. In other words, the packet's original header is encapsulated by a header that is added by the tunneling protocol, and the transporting network sees only the new header. Tunneling can be used to transport a packet that uses a protocol not supported on a network to send the packet over such a network.
Unfortunately, implementing tunneling in a network also has its disadvantages. For example, networks that implement tunneling are difficult to manage and tend to lack scalability. These challenge are due, at least in part, to the point-to-point nature of tunneling and the configuration overhead associated with implementing the tunnel. Each tunnel head and end needs to know all the tunnel destination points. Furthermore, to be effective, a network that implements tunneling typically needs a mesh of tunnels. Thus, to implement tunneling in a network, routing in the network needs to be re-worked in order to forward traffic down the tunnels appropriately.
What is needed, then, is a scalable solution for maintaining the security of a network across a portion of a network that does not support a procedure for providing security within the network. The approach should be able to provide security within a network in a manner that does not require the point-to-point transmission of information. Preferably, such an approach could be implemented in a portion of the network at a time. The approach should be implemented without incurring a disproportionate administrative burden or consuming inordinately large amounts of network resources, while at the same time the approach should be able to work with existing and future network protocols.