1. Field of the Invention
The present invention relates generally to virtual private networks on the Internet, and more specifically to a virtual private network established through an ATM (asynchronous transfer mode) network that is in turn configured as part of the Internet.
2. Description of the Related Art
The virtual private network (VPN) is one that interconnects a number of local area networks through a public switched packet network such as the Internet for transferring IP (internet protocol) packets between IP nodes identified by IP addresses assigned uniquely within the VPN. Such a virtual private network is described in xe2x80x9cBuilding and Managing Virtual Private Networksxe2x80x9d, Chapter 7, FIG. 7.8, Dave Kosiur, Wiley Computer Publishing.
The known virtual private network uses a VPN router as shown in FIG. 1. The VPN router has a VPN packet transfer unit 102, a tunneling unit 104 and an internet packet transfer unit 106, all of which are provided between a private network interface 101 associated with its own local area network and a public network interface 108 through which the router accesses the Internet. Both packet transfer units 102 and 106 are respectively associated with routing tables 103 and 107 to search for information necessary for routing an VPN packet to appropriate destination based on destination IP address contained in the packet. Tunneling unit 104 is associated with an address translation table 105 for appending an IP header to a VPN packet received from the VPN packet transfer unit 102 to formulate an IP packet for transmission to the internet via the internet packet transfer unit 106. When the tunneling unit 104 receives an IP packet from the Internet via the internet packet transfer unit 106, it removes an IP header from the packet and forward the remaining VPN packet to the associated LAN via the VPN packet transfer unit 102.
On the other hand, a need may exist to guarantee quality of service (QoS) on the virtual private network. That may not be a problem for a VPN if it is based on a single internet service provider that runs its own network and can segregate its customers"" traffic from other Internet traffic. However, if a VPN is based on multiple internet service providers, the QoS parameters used in one internet service provider may also be used in other internet service providers. In such VPNs, it is impossible to uniquely identify the quality of service for each VPN packet to guarantee its performance.
A virtual connection established between source and destination IP addresses in an ATM (asynchronous transfer mode) network may be a solution to guaranteeing quality of service on a VPN. xe2x80x9cNBMA Next Hop Resolution Protocol (NHRP)xe2x80x9d, J. Luciani et al, RFC2332, IETF, April 1998 describes a system that automatically establishes a virtual channel connection as a router-short cut route over an ATM network in a non-broadcast multiple access mode. In this system, a destination ATM address is obtained by consulting an IP routing table to formulate an address resolution request packet. The packet is then forwarded to the Internet and an address resolution reply packet that contains the destination ATM address is received from the Internet. The received destination ATM address is then mapped to an IP address in a virtual connection table. However, routers on the Internet are not provided with a routing table for use with virtual private networks. Therefore, the current automatic VCC setup system is incapable of establishing QoS guaranteed virtual connections.
It is therefore an object of the present invention to provide a virtual private network in which virtual connections are automatically established through the Internet for different quality of services.
According to the present invention, there is provided a router for building a virtual private network (VPN) through an ATM (asynchronous transfer mode) network configured as part of a public switched packet network. The router comprises a connection setup table having a plurality of entries, each entry including a pair of internet protocol (IP) addresses respectively identifying source and destination nodes of the virtual private network, a quality-of-service parameter, an ATM address field, and a virtual connection (VC) field. Control circuitry is provided for (a) receiving a VPN packet and detecting a corresponding entry in the table that contains IP addresses of the packet and making a search through the corresponding table entry for contents of the ATM address field and the VC field thereof, (b) appending an IP header to the VPN packet, if the ATM address field contains no data, to formulate an address resolution request packet and forwarding the packet to the public switched packet network, (c) receiving an address resolution reply packet therefrom and storing a destination ATM address contained in the reply packet into the ATM address field, and (d) if the ATM address field contains a destination ATM address and the VC field contains no data, establishing a virtual connection to the destination ATM address according to the quality-of-service parameter of the corresponding table entry and storing a connection identifier identifying the established virtual connection in the VC field, and if the VC field contains a connection identifier, forwarding the VPN packet over an established virtual connection identified by the connection identifier.
The control circuitry is further arranged to append an IP header to the VPN packet to formulate an IP packet if the corresponding entry is not detected in the table and forward the IP packet to the public switched packet network.
Preferably, each entry of the connection setup table includes an on/off field, and a time table is provided having a plurality of entries respectively corresponding to the entries of the connection setup table for mapping time schedule data. Triggering circuitry is provided for monitoring the time schedule data of each entry of the time table and storing an indication in the on/off field of each entry of the connection setup table according to the monitored data of the corresponding entry of the time table. The control circuitry is arranged to enable or disable contents of each entry of the connection setup table depending on the indication stored in the on/off field of the entry.