A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, or ‘backbone,’ maintaining privacy through the use of a tunneling protocol and security procedures. The idea of the VPN is to give the consumer private network capabilities at much lower cost by using the shared public infrastructure.
To implement a VPN, each member of the VPN stores forwarding and authentication information that enables it to communicate with the other members. The VPN may be secured with encryption keys, and in a conventional design a key is stored for each point-to-point connection. The forwarding and key tables can therefore grow quite large as the network grows, because a point-to-point connection is recorded and keyed for every network device a member communicates with. Network scalability is thus a central issue in VPN design.
U.S. patent Ser. No. 10/661,903 describes a mechanism for providing a Secure VPN (SVPN) over a shared backbone without the scalability problems of conventional VPNs. Each member that is to be part of a private network registers with a key server. A trusted ingress point is identified, where the ingress point is an edge device through which members of the private network gain access to the backbone. A trusted egress point is also identified, where the egress point is an edge device through which communications leave the backbone to reach members of the private network. A group security association associated with the private network is forwarded to the ingress point and the egress point; the group security association may include an encryption key. When a member of the private network seeks to communicate with another member over the backbone, it forwards the communication to the trusted ingress point. The trusted ingress point uses the security association to transform the communication before exposing it to the backbone. The transformed communication is forwarded over the backbone to the trusted egress point, which reverses the transformation using the same security association. This arrangement provides a scalable solution for securing VPN communications over the backbone, since the number of security associations scales with the number of private networks rather than with the number of point-to-point connections between their members.
U.S. patent Ser. No. 10/661,734 describes a system in which group security information is used to secure routing information that a route reflector forwards to devices. A route reflector is a network device that operates using the Border Gateway Protocol (BGP). BGP is the Internet routing protocol by which autonomous systems (networks under a single administration) exchange routing information so that efficient, loop-free routes can be established. A BGP route reflector is a centralized device that reflects BGP routing information to each member of a group, removing the need for full-mesh connectivity among the clients while still achieving the BGP goal of route distribution. That application describes securing the reflected routing information with group security associations, further securing the VPN. Group members who discover each other through the reflected routes may then initiate secure VPN communications across the infrastructure using the group security association, with VPN traffic being transformed at the ingress and egress nodes.
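The arrangement described in the two preceding paragraphs (a key server that holds one security association per private network, trusted ingress and egress edge devices that transform traffic under that association, and a route reflector whose reflected routes are protected with the same association) can be modelled end to end. The following is an added illustration written for this page; it is not code from either patent application or from any product. The KeyServer, provision, transform and untransform names, the wire layout (group id, nonce, ciphertext, tag), the edge-device names pe-0 to pe-3 and rr, the VPN ids 100 and 200, the member names, and the sample route announcement are all assumptions, and encrypt-then-MAC over an HMAC-SHA256 keystream stands in for the cryptographic transform the text leaves unspecified.

```python
import hashlib
import hmac
import secrets

GROUP_ID_LEN, NONCE_LEN, TAG_LEN = 4, 12, 32   # assumed wire layout: group_id | nonce | ciphertext | tag


class KeyServer:
    """Hypothetical key server: one group SA per private network, released only to trusted devices."""

    def __init__(self) -> None:
        self._sas, self._members, self._trusted = {}, {}, {}

    def register(self, vpn_id: int, device: str, member: str = "") -> None:
        # A member registers through its edge device; a device with no member (e.g. a route
        # reflector) is simply trusted. The first registration for a VPN mints its group SA.
        self._sas.setdefault(vpn_id, {"group_id": vpn_id.to_bytes(GROUP_ID_LEN, "big"),
                                      "enc_key": secrets.token_bytes(32),
                                      "mac_key": secrets.token_bytes(32)})
        self._trusted.setdefault(vpn_id, set()).add(device)
        if member:
            self._members.setdefault(vpn_id, set()).add(member)

    def sa_for(self, vpn_id: int, device: str) -> dict:
        if device not in self._trusted.get(vpn_id, set()):
            raise PermissionError(f"{device} is not trusted for VPN {vpn_id}")
        return self._sas[vpn_id]

    def sa_counts(self) -> tuple:
        """(group SAs held, SAs a point-to-point design would need: n(n-1)/2 per VPN)."""
        return len(self._sas), sum(len(m) * (len(m) - 1) // 2 for m in self._members.values())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256, a stand-in for a real cipher such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def transform(sa: dict, payload: bytes) -> bytes:
    """Ingress side: encrypt-then-MAC under the group SA; the group id lets egress pick the SA."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(sa["enc_key"], nonce, len(payload))))
    header = sa["group_id"] + nonce
    return header + ct + hmac.new(sa["mac_key"], header + ct, hashlib.sha256).digest()


def untransform(sas: dict, packet: bytes) -> tuple:
    """Egress side: select the SA by group id, verify the tag, then decrypt."""
    group_id, nonce = packet[:GROUP_ID_LEN], packet[GROUP_ID_LEN:GROUP_ID_LEN + NONCE_LEN]
    ct, tag = packet[GROUP_ID_LEN + NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    sa = sas.get(group_id)
    if sa is None:
        raise ValueError("no group SA for this packet's private network")
    if not hmac.compare_digest(hmac.new(sa["mac_key"], packet[:-TAG_LEN], hashlib.sha256).digest(), tag):
        raise ValueError("tag mismatch: packet forged or modified on the backbone")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(sa["enc_key"], nonce, len(ct))))
    return int.from_bytes(group_id, "big"), pt


def provision(ks: KeyServer, device: str, *vpn_ids: int) -> dict:
    """An edge device or route reflector pulls the group SA of each VPN it is trusted for."""
    return {sa["group_id"]: sa for sa in (ks.sa_for(v, device) for v in vpn_ids)}


def _raises(fn, exc) -> bool:
    try:
        fn()
    except exc:
        return True
    return False


def _flip_bit(p: bytes) -> bytes:   # corrupt the last ciphertext byte "on the backbone"
    return p[:-TAG_LEN - 1] + bytes([p[-TAG_LEN - 1] ^ 1]) + p[-TAG_LEN:]


def demo() -> dict:
    """Two private networks share one backbone (constructed scenario); returns what each step observed."""
    ks, gid = KeyServer(), (lambda v: v.to_bytes(GROUP_ID_LEN, "big"))
    for i in range(20):                # VPN 100: 20 members behind edges pe-0..pe-3
        ks.register(100, f"pe-{i % 4}", f"a{i}")
    for i in range(10):                # VPN 200: 10 members behind pe-0 and pe-1 only
        ks.register(200, f"pe-{i % 2}", f"b{i}")
    ks.register(100, "rr")             # the route reflector serves VPN 100 only
    pe0, pe1 = provision(ks, "pe-0", 100, 200), provision(ks, "pe-1", 100, 200)
    pe3, rr = provision(ks, "pe-3", 100), provision(ks, "rr", 100)
    return {
        "group_sas": ks.sa_counts()[0], "pairwise_sas": ks.sa_counts()[1],
        # Reflected routing information is protected with the group SA, not per-client keys.
        "routes": untransform(pe3, transform(rr[gid(100)], b"10.100.1.0/24 via a1; 10.100.2.0/24 via a2")),
        # a1 (behind pe-0) to a2 (behind pe-1): ingress transforms, egress decodes.
        "data": untransform(pe1, transform(pe0[gid(100)], b"a1->a2: hello")),
        # pe-3 holds no SA for VPN 200, so it cannot decode that network's traffic.
        "wrong_vpn_rejected": _raises(lambda: untransform(pe3, transform(pe0[gid(200)], b"b0->b1")), ValueError),
        "tamper_detected": _raises(lambda: untransform(pe1, _flip_bit(transform(pe0[gid(100)], b"pay 10"))), ValueError),
        # The key server refuses to release VPN 200's SA to an edge not trusted for it.
        "untrusted_edge_refused": _raises(lambda: provision(ks, "pe-3", 200), PermissionError),
    }
```

Calling demo() shows the scalability claim directly: the key server holds 2 group security associations for 30 members, where point-to-point keying of the same memberships would need 235. The three failure cases show what the trust decision at the key server buys: an edge never given a network's association cannot decode its traffic, and any modification on the backbone fails the tag check. Note what the tag check does and does not prove: it shows the packet came from some holder of the group association, so any trusted edge can impersonate any other within the group. Sender authentication needs something beyond a shared group key, and a real deployment would also replace the HMAC keystream with a standard AEAD and enforce nonce uniqueness per sender.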