Various forms of Virtual Private Networking (VPN) technologies allow a private network to be formed between geographically separate sites, using the resources of a provider network. Existing VPN technologies are primarily aimed at the enterprise sector, and connect sites of an enterprise. In addition they may allow home workers to access the network of their employer from their home office, or allow “road warriors” to access the network of their employer while travelling. A VPN can be established at networking Layer 2 or Layer 3.
One type of existing Layer 2 VPN technology is the Virtual Private LAN Service (VPLS) over MPLS as described in the Internet Engineering Task Force (IETF) Requests for Comments (RFCs), numbers 4664, 4761 and 4762. This provides Ethernet multipoint-to-multipoint communication over IP/MPLS networks. Geographically dispersed sites share the same Ethernet broadcast domain, and traffic between the sites is carried by a full mesh topology of “pseudo-wires” between the sites. One of the difficulties of VPLS is that when a new end point connects to the network, there is a discovery process to find all the other end points associated with the Virtual Private LAN service, followed by signalling to set up a mesh of service-specific pseudo-wires to serve the new end point. This can take some time to achieve, will have intermediate states where only partial connectivity is available, and will generate a significant amount of telemetry due to the inefficiency of utilizing an N-squared mesh.
The process of creating, and updating the topology of, a VPN is further complicated when it is necessary to support roaming communication users who can connect to various points in a provider network, with the connection points often being unknown in advance. A proposal, “Radius/L2TP Based VPLS”, Heinanen, J, <draft-heinanen-radius-l2tp-vpls-00.txt>, describes the use of a Remote Authentication Dial In User Service (RADIUS) server as a repository for a list of VPN sites. If the request of a new site, called a Customer Edge (CE), to join a VPN is granted, the provider network node that it is connected to, the Provider Edge (PE), learns the identifier of the CE's VPN and the IP addresses of the VPN's PEs. This still requires the new PE to establish an L2TP Control Connection with each of the other PEs of the VPN. While it has some desirable characteristics for the desired service model, this approach is focused primarily on discovery of endpoints via a central registration authority.
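The join behaviour described in the two preceding paragraphs (central registry for discovery, then one pseudo-wire signalled per existing PE) can be modelled to make the N-squared growth and the partial-connectivity states visible. The following is an added, constructed simulation, not code from the patent, the RFCs or the Heinanen draft; the `VplsMesh` class, its message counts (two messages per registry lookup and per control-connection setup) and the PE names are assumptions made for illustration.

```python
from itertools import combinations


class VplsMesh:
    """Toy model of one VPLS instance: a central site registry (the role the
    RADIUS server plays in the draft) plus a full mesh of pseudo-wires (PWs)
    between Provider Edges. Message counts are illustrative assumptions."""

    def __init__(self):
        self.registry = []          # PEs known to the central repository
        self.pseudowires = set()    # frozenset({pe_a, pe_b}) per established PW
        self.messages = 0           # control-plane messages sent so far

    def connected_pairs(self):
        return sum(1 for a, b in combinations(self.registry, 2)
                   if frozenset((a, b)) in self.pseudowires)

    def missing_pairs(self):
        """PE pairs that the full mesh requires but that have no PW yet."""
        n = len(self.registry)
        return n * (n - 1) // 2 - self.connected_pairs()

    def join(self, pe):
        """Discover peers via the registry, then signal one PW per peer.
        Returns how many intermediate steps left the mesh only partially
        connected (the new PE could not yet reach every existing PE)."""
        peers = list(self.registry)
        self.registry.append(pe)
        self.messages += 2          # registry request + reply with peer list
        partial_steps = 0
        for peer in peers:
            if self.missing_pairs() > 0:
                partial_steps += 1
            self.messages += 2      # control-connection request + reply
            self.pseudowires.add(frozenset((pe, peer)))
        return partial_steps


def grow(n):
    """Add n PEs one at a time. Returns (partial steps per join,
    total pseudo-wires, total control-plane messages)."""
    mesh = VplsMesh()
    steps = [mesh.join(f"PE{i}") for i in range(n)]
    return steps, len(mesh.pseudowires), mesh.messages
```

Each join costs a number of signalling exchanges proportional to the PEs already present, so the pseudo-wire count and message total grow quadratically with the number of sites, which is the scaling problem the text refers to.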
As noted above, existing VPN technologies are primarily aimed at the enterprise sector, and are typically considered too difficult, or inflexible, to be applied at a residential scale or with fulfillment times that render them undesirable for roaming users.
Some specialist applications exist for allowing a user to remotely access a device or application on a home network, while away from their home. One example is described in WO 2005/122025 A2 (Sling Media). A personal media broadcasting system allows video distribution from a media source in the home to a media player at a remote location over a computer network and allows a user to view and control the media source in the home over the computer network. These specialist applications typically require bespoke software on a device in the home network and on the roaming device, and require configuration of the home network's firewall to allow the application to communicate with the roaming device. These applications typically interface directly with Layer 3, with traffic being carried over the Internet.
The present invention seeks to provide an alternative way of providing a Virtual Private Network across a provider network.