1. Field of the Invention
The present invention is directed to a process and apparatus for the operation of virtual private networks on a common data packet switching or data packet communication network.
2. Description of the Related Art
The use of an intranet for internal communications within a corporation, business or enterprise is well known. The use of the term xe2x80x9cintranetxe2x80x9d is not standardized and ranges from network levels (Open Systems Interconnection (OSI) layer-3) to higher levels. Subscribers can communicate over the intranet of an enterprise with other subscribers within the enterprise. Furthermore, it is possible to communicate with subscribers outside of the intranet over outgoing connections of the intranet, as for example internet connections. Since intra-enterprise data should generally as a rule be protected against unauthorized access, at least the security-related data of an enterprise is not transmitted over the internet and the intranet within the enterprise is separated and protected from public access over the internet. Data packets are sent over a data packet communication intranet within the enterprise on OSI protocol layer-3 in network nodes (routers). In larger networks, several communication levels are used, wherein the upper communication levels are outfitted with efficient communication systems (routers) and output bandwidths to accommodate a bundling of data communication traffic. In an intranet of an enterprise that is tied into a public telecommunications network in a protected manner, services such as Name Server, Mail, World Wide Web access and Firewall are provided to prevent access from another network, as for example the internet.
The realization of this type of intranet is relatively costly. It is therefore the object of the present invention to provide an intranet that is flexible, economical and secure against external access.
In the present invention the term subscriber identifies a corporation, business or enterprise comprising a plurality or group of spatially separated individual subscribers. For example, a subscriber may be an enterprise with a plurality of spatially separated branch offices. The term individual subscriber is defined as individual computers and/or local area networks (LANs). An intranet for the spatially separated individual subscribers of the subscriber is realized, according to the invention, by a virtual private network (VPN) for the subscriber on a common data packet communication network, as for example data communication over a public telephone network of one or more carriers, the internet, or both, for a plurality of subscribers.
A partial address space of the given homogeneous total address space of the data packet communication network is allocated to the virtual private network of a subscriber such as a firm with a plurality of spatially separated branch offices. The virtual private network of subscriber is separated from the virtual private networks of other subscribers of the data packet communication network. In this respect, a predetermined area for an identification bit sequence for this virtual private network (VPN ID) is allocated in the address of every individual subscriber within the virtual private network. The VPN ID of the virtual private network is identical for every individual subscriber within the virtual private network, even those at remote locations. The separation of the virtual private networks is carried out by filtering data packets and routing information based on the VPN ID bits. The VPN separation is carried out on OSI network layer-3 (layer-3 VPN or L3 VPN).
The virtual private networks of individual subscribers are separated in such a way that when a subscriber of a virtual private network sends a data packet with a destination address containing the ID of his virtual private network, the data packet remains within the virtual private network. However, outgoing gateways, as for example to the internet or to other virtual private networks, can be set up from the virtual private network.
According to the invention, central services may be set up for a virtual private network separately from the central services of another virtual private network, so that these processes can operate independently on shared arrangements for different virtual private networks. For example, name servers of two virtual private networks can be implemented in a shared apparatus, but can run as separate processes which are not visible to one another. It is then possible to implement a central dispatcher process which assigns service inquiries from different VPNs to a VPN-specific service process based on the VPN ID.
Other objects and features of the present invention will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed solely for purposes of illustration and not as a definition of the limits of the invention, for which reference should be made to the appended claims.