This invention relates to digital computer network technology. More specifically, it relates to methods and apparatus for facilitating processing and routing of packets in Virtual Private Networks (VPNs).
Broadband access technologies such as cable, fiber optic, and wireless have made rapid progress in recent years. Recently there has been a convergence of voice and data networks which is due in part to US deregulation of the telecommunications industry. In order to stay competitive, companies offering broadband access technologies need to support voice, video, and other high-bandwidth applications over their local access networks. For networks that use a shared access medium to communicate between subscribers and the service provider (e.g., cable networks, wireless networks, etc.), providing reliable high-quality voice/video communication over such networks is not an easy task.
A cable modem network or “cable plant” employs cable modems, which are an improvement of conventional PC data modems and provide high speed connectivity. Cable modems are therefore instrumental in transforming the cable system into a full service provider of video, voice and data telecommunications services. Digital data on upstream and downstream channels of the cable network is carried over radio frequency (“RF”) carrier signals. Cable modems convert digital data to a modulated RF signal for upstream transmission and convert downstream RF signal to digital form. The conversion is done at a subscriber's home. At a cable modem termination system (“CMTS”) located at a Head End of the cable network, the conversions are reversed. The CMTS converts downstream digital data to a modulated RF signal, which is carried over the fiber and coaxial lines to the subscriber premises. The cable modem then demodulates the RF signal and feeds the digital data to a computer. On the return path, the digital data is fed to the cable modem (from an associated PC for example), which converts it to a modulated RF signal. Once the CMTS receives the upstream RF signal, it demodulates it and transmits the digital data to an external source.
FIG. 1 is a block diagram of a typical two-way hybrid fiber-coaxial (HFC) cable network system. It shows a Head End 102 (essentially a distribution hub) which can typically service about 40,000 homes. Head End 102 contains a CMTS 104 that is needed when transmitting and receiving data using cable modems. Primary functions of the CMTS include (1) receiving baseband data inputs from external sources 100 and converting the data for transmission over the cable plant (e.g., converting Ethernet or ATM baseband data to data suitable for transmission over the cable system); (2) providing appropriate Media Access Control (MAC) level packet headers for data received by the cable system, and (3) modulating and demodulating the data to and from the cable system.
Head End 102 connects through pairs of fiber optic lines 106 (one line for each direction) to a series of fiber nodes 108. Each Head End can normally support up to 80 fiber nodes. Pre-HFC cable systems used coaxial cables and conventional distribution nodes. Since a single coaxial cable was capable of transmitting data in both directions, one coaxial cable ran between the Head End and each distribution node. In addition, because cable modems were not used, the Head End of pre-HFC cable systems did not contain a CMTS. Returning to FIG. 1, each of the fiber nodes 108 is connected by a coaxial cable 110 to two-way amplifiers or duplex filters 112, which permit certain frequencies to go in one direction and other frequencies to go in the opposite direction (different frequency ranges are used for upstream and downstream paths). Each fiber node 108 can normally service up to 500 subscribers. Fiber node 108, coaxial cable 110, two-way amplifiers 112, plus distribution amplifiers 114 along with trunk line 116, and subscriber taps, i.e. branch lines 118, make up the coaxial distribution system of an HFC system. Subscriber tap 118 is connected to a cable modem 120. Cable modem 120 is, in turn, connected to a subscriber computer 122.
In order for data to be able to be transmitted effectively over a wide area network such as HFC or other broadband computer networks, a common standard for data transmission is typically adopted by network providers. A commonly used and well known standard for transmission of data or other information over HFC networks is DOCSIS. The DOCSIS standard has been publicly presented as a draft recommendation (J.isc Annex B) to Study Group 9 of the ITU in October 1997. That document is incorporated herein by reference for all purposes.
Virtual Private Networks
As the Public Internet expands and extends its infrastructure globally, the determination to exploit this infrastructure has led to widespread interest in IP based Virtual Private Networks (VPNs). A VPN emulates a private IP network over public or shared infrastructures. A VPN that supports only IP traffic is called an IP-VPN. Virtual Private Networks provide advantages to both the service provider and its customers. For its customers, a VPN can extend the IP capabilities of a corporate site to remote offices and/or users with intranet, extranet, and dial-up services. This connectivity may be achieved at a lower cost to the customer with savings in capital equipment, operations, and services. The service provider is able to make better use of its infrastructure and network administration expertise offering IP VPN connectivity and/or services to its customers.
There are many ways in which IP VPN services may be implemented, such as, for example, Virtual Leased Lines, Virtual Private Routed Networks, Virtual Private Dial Networks, Virtual Private LAN Segments, etc. Additionally VPNs may be implemented using a variety of protocols, such as, for example, IP Security (IPSec) Protocol, Layer 2 Tunneling Protocol, Multiprotocol Label Switching (MPLS) Protocol, etc.
A conventional technique for implementing a VPN across a wide area network may be accomplished through the use of an IP Security (IPSec) Protocol which establishes a secure IPSec “tunnel” between a remote user/node and a private LAN. An example of this is shown in FIG. 2 of the drawings. FIG. 2 shows a schematic block diagram of how an IPSec Protocol may be used to manage Virtual Private Network (VPN) flows over an HFC network. As shown in FIG. 2, the HFC network 220 comprises a plurality of cable modems, depicted by cable modems CM1-CM5. In the example of FIG. 2, it is assumed that cable modems CM4 and CM5 are remote nodes which are members of the Virtual Private Network VPN1. The VPN1 network is owned and/or managed by Enterprise A 250. The remaining cable modems in the cable network CM1, CM2, CM3 (collectively identified by reference number 205) are not members of any VPN.
In order for cable modem CM4 to communicate with the VPN1 network located at Enterprise A, it utilizes an IPSec Protocol to establish an IPSec “tunnel” 202a which provides a secure communication path from CM4, across the HFC network 220 and backbone network 230, to the VPN1 gateway 252. Likewise, in order for cable modem CM5 to connect to the virtual private network VPN1 located at Enterprise A, it utilizes the IPSec Protocol to establish a secure tunnel 204a across the HFC network 220 and backbone network 230 to connect into the virtual private network VPN1 via gateway 252.
Although the use of IPSec Protocol to manage VPN flows across a public network (as shown, for example, in FIG. 2) is advantageous in that it provides secure end-to-end data encryption, it also suffers from a number of disadvantages. For example, a significant amount of overhead (e.g. memory/processing resources) is required to run IPSec on the endpoints of the IPSec tunnel. Additionally, implementing a VPN using IPSec Protocol requires additional intelligence to be incorporated in each of the end devices (e.g., PCs, cable modems, gateways, etc.). In FIG. 2, for example, each cable modem wishing to be a member of a particular VPN must be configured to support IPSec Protocol, and must also be specifically configured to access a specific VPN gateway in order to access the VPN network. This technique of maintaining the intelligence in the end device (such as, for example a cable modem) may be considered undesirable, particularly where software upgrades, maintenance, diagnostics, etc. are frequently required.
Another disadvantage of the IPSec-implemented VPN (as shown in FIG. 2) is that the IPSec Protocol is set up such that the routing information embedded within a VPN packet can only be used by a specific VPN gateway, and cannot be used by other switching or routing devices in the network to switch/route the VPN packet to its destination address. Thus, any data transmission between cable modem CM4 and cable modem CM5 must first be routed through VPN gateway 252, whereupon the VPN gateway then uses the routing information in the packet to route it to its final destination.
For example, if cable modem CM4 (FIG. 2) wishes to send a packet to cable modem CM5, conceivably it should be possible to route the packet locally, within the HFC network, without requiring that the packet be routed outside the HFC network (e.g. through the backbone network 230 or gateway 252). However, because each of the IPSec tunnels 202a and 204a has been set up to be secure from end to end, the only way CM4 can communicate with CM5 is to first send the packet through gateway 252 via tunnel 202a, whereupon gateway 252 will then forward the packet to CM5 via tunnel 204a. Not only does this technique increase the communication delay between CM4 and CM5, but it also adds to traffic congestion across the backbone network 230 and gateway 252.
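The detour described above can be made concrete with a small forwarding model of the FIG. 2 topology. This is an added illustration, not code from the patent; the node names HFC220, BACKBONE230 and GW252 and the single-hop links between them are assumptions, and the "encrypted inner header" is represented simply as a field that only the tunnel endpoint is allowed to read.

```python
from collections import deque

# Constructed adjacency for the FIG. 2 topology (assumption: one switching point on
# the HFC side, one backbone hop, and the VPN1 gateway 252 behind the backbone).
LINKS = {
    "CM4": ["HFC220"],
    "CM5": ["HFC220"],
    "HFC220": ["CM4", "CM5", "BACKBONE230"],
    "BACKBONE230": ["HFC220", "GW252"],
    "GW252": ["BACKBONE230"],
}
# IPsec tunnel peers: tunnel 202a (CM4 <-> GW252) and tunnel 204a (CM5 <-> GW252).
TUNNEL_PEER = {"CM4": "GW252", "CM5": "GW252"}


def shortest_path(src, dst):
    """BFS over LINKS: the forwarding any device can do from the *outer* IP header."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in LINKS[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def deliver(src, dst, use_ipsec):
    """Return the ordered list of nodes a packet from src to dst traverses."""
    if not use_ipsec:
        # Routing information is readable by every device, so the HFC side switches locally.
        return shortest_path(src, dst)
    # With IPsec, the inner (src, dst) is encrypted; intermediate devices see only the
    # outer destination, which is the tunnel endpoint (gateway 252), not CM5.
    encrypted_inner = {"src": src, "dst": dst}
    gateway = TUNNEL_PEER[src]
    route = shortest_path(src, gateway)                 # tunnel 202a toward GW252
    real_dst = encrypted_inner["dst"]                   # only GW252 may decrypt this
    route += shortest_path(gateway, real_dst)[1:]       # re-encapsulated into tunnel 204a
    return route


def hop_count(path):
    """Number of link traversals on a path returned by deliver()."""
    return len(path) - 1
```

Running `deliver("CM4", "CM5", True)` shows the packet leaving the HFC network to gateway 252 and coming back, three times the hops of the local path, which is the delay and backbone load the text refers to.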
Accordingly, there exists a continual need to provide improved techniques for implementing and managing VPN flows over public or shared infrastructures.