1. Field of the Invention
The present invention relates to communication networks and, more particularly, to a method and apparatus for providing network VPN services on demand.
2. Description of the Related Art
Data communication networks may include various computers, servers, nodes, routers, switches, hubs, proxies, and other devices coupled to and configured to pass data to one another. These devices will be referred to herein as “network devices.” Data is communicated through the data communication network by passing data packets (or data cells or segments) between the network devices by utilizing one or more communication links. A particular data packet may be handled by multiple network devices and cross multiple communication links as it travels between its source and its destination over the network.
The various network devices on the communication network communicate with each other using predefined sets of rules, referred to herein as protocols. Different protocols are used to govern different aspects of the communication, such as how signals should be formed for transmission between network devices, various aspects of what the data packets should look like, and how packets should be handled or routed through the network by the network devices.
A secure path through an untrusted network (referred to herein as “network VPN”) may be formed by securing communication resources between two or more networks or network devices to form a VPN tunnel, such as by encrypting or encapsulating transmissions between the networks or network devices. Using VPN tunnels over a public network such as the Internet enables information to be exchanged securely between geographically dispersed sites without obtaining dedicated resources through the public network.
To enable devices on one network VPN site to communicate with devices on another network VPN site via the network VPN tunnel, it is necessary to exchange routing information between the two network VPN sites and with the network devices that will handle the traffic on the tunnel. Likewise, as network devices are added to and removed from the networks, or as problems are encountered and fixed in the networks, the routing tables need to be updated and advertised to the other participating sites in the network VPN.
One commonly utilized method of establishing network VPN tunnels is described in Internet Engineering Task Force (IETF) Request For Comments (RFC) 2547, the content of which is hereby incorporated herein by reference. RFC 2547 describes a network VPN architecture in which MultiProtocol Label Switching (MPLS)-based tunnels are used to forward packets over an MPLS communication network. An instance of Border Gateway Protocol (BGP) is used to distribute routes over the MPLS communication network for all network VPNs provisioned through a particular Provider Edge (PE) network device. Routing information for each network VPN serviced by a PE is stored in a separate network VPN routing and forwarding table (VRF) or a distinguishable area of the PE's common VRF.
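As an added illustration of the RFC 2547 model described above (example code written for this page, not taken from the patent or from the RFC), the following simplified provider-edge model keeps one VRF per attached VPN, admits BGP-distributed VPN-IPv4 routes into a VRF only when a route-target community matches that VRF's import policy, and performs longest-prefix matching inside a single VRF so that two customers with overlapping private address space are forwarded independently. The route distinguishers, route targets, PE names, prefixes and label numbers are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: RDs and route targets use the ASN:nn form, "pe2"/"pe3"/"pe4"
# name remote PEs, and the MPLS label numbers are arbitrary placeholders.

@dataclass(frozen=True)
class VpnRoute:
    rd: str                          # route distinguisher: keeps overlapping prefixes distinct in BGP
    prefix: ipaddress.IPv4Network
    targets: frozenset               # route-target communities that decide which VRFs import it
    next_hop: str                    # remote PE that advertised the route
    label: int                       # MPLS label used to reach the route through the core

class ProviderEdge:
    def __init__(self):
        self.vrfs = {}  # vrf name -> {"rd": str, "import": set, "routes": list}
    def add_vrf(self, name, rd, import_targets):
        self.vrfs[name] = {"rd": rd, "import": set(import_targets), "routes": []}

    def import_bgp_route(self, route):
        # A route lands only in VRFs whose import policy shares a route target with it.
        hit = False
        for vrf in self.vrfs.values():
            if vrf["import"] & route.targets:
                vrf["routes"].append(route)
                hit = True
        return hit  # False: no VRF on this PE wants the route, so it is not installed

    def lookup(self, vrf_name, dst):
        # Longest-prefix match inside one VRF only: another customer's routes never take part.
        addr = ipaddress.IPv4Address(dst)
        best = None
        for r in self.vrfs[vrf_name]["routes"]:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return (best.next_hop, best.label) if best else None

def build_example():
    pe = ProviderEdge()
    pe.add_vrf("cust_a", "65000:1", {"65000:1"})
    pe.add_vrf("cust_b", "65000:2", {"65000:2"})
    net = ipaddress.IPv4Network
    # Both customers announce 10.1.0.0/16; the RD keeps the two BGP routes distinct.
    pe.import_bgp_route(VpnRoute("65000:1", net("10.1.0.0/16"), frozenset({"65000:1"}), "pe2", 101))
    pe.import_bgp_route(VpnRoute("65000:2", net("10.1.0.0/16"), frozenset({"65000:2"}), "pe3", 202))
    pe.import_bgp_route(VpnRoute("65000:2", net("10.1.2.0/24"), frozenset({"65000:2"}), "pe4", 203))
    return pe
```

Calling `build_example().lookup("cust_a", "10.1.2.3")` and `build_example().lookup("cust_b", "10.1.2.3")` return different next hops for the same destination address, which is the isolation property the per-VPN VRF provides.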
A separate, but to date unrelated technology, referred to herein as Enterprise Virtual Private Networks (Enterprise VPNs), has also been developed to enable geographically diverse applications to share resources. Enterprise VPNs may be used, for example, to share computational resources, storage resources, programs, and database resources. Enterprise networks focus on application-related issues, such as distributed workflow logic and resource management, coordinated fail-over between participants, problem determination, Quality of Service (QoS), and common security semantics. Several examples of enterprise VPNs include emerging technologies like GRID services and Web services.
Since Enterprise VPNs are generally formed from geographically dispersed network resources, those network resources must be connected to exchange data. To secure data as it is passed between the Enterprise VPN participants, it would be desirable to be able to connect the Enterprise VPN participants using network VPNs. Accordingly, it would be desirable to have an interface between network VPNs and enterprise VPNs to enable network VPN services to be provided on demand.