The present invention relates to the field of data communications and more specifically, to a system and method for connecting Manipulation Equipment or manipulators (MEq) on both sides of a specific network segment such as a Large Bandwidth Delay Product, or “Long Fat Network” (LFN), that supports Enterprise Virtual Private Networks (VPN).
Conventionally, companies have networked geographically dispersed intra-corporation networks together through the use of private lines. This technique allowed for the formation of a network system that was isolated from external networks and, therefore, there was some level of assurance that the private network would be secure. However, when intra-corporation communication is conducted over the Internet, thereby taking advantage of the low cost associated with such connectivity, enterprise communication is performed through the use of a Virtual Private Network (VPN). A VPN involves building a virtual private network over a public network such as the Internet by utilizing the Internet Protocol (IP) facilities provided by IP networks as well as lower layer protocols. This results in a private network that is isolated from external networks and that can also provide any desired level of quality-of-service assurance, even across the Internet.
A VPN tunnel may extend over a combination of physical networks along the connection. For example, a VPN connection may originate over a terrestrial connection such as the PSTN (Public Switched Telephone Network), continue through a satellite communication link and/or cellular link, and then terminate at a corporate Intranet over an ISDN (Integrated Services Digital Network) line. The VPN may spread over wireline networks and wireless data networks and may run over a specific network segment such as a Large Bandwidth Delay Product (i.e. a “Long Fat Network” (LFN)). A VPN may use a combination of data packet and radio protocols on the wireless side and tunneling protocols on the plane side (fixed side, static side). Other VPNs may use the same tunneling protocol along the wireless section as well as the plane side of the VPN. The VPN may be based on a variety of protocols. These protocols include but are not limited to L2TP, GRE, IEEE 802.1Q (VLAN Tagging or VLAN TAG—both terms are used interchangeably herein), and IP-over-IP protocols.
In intra-corporate networks, private IP addresses are often used. IP addresses are divided into public IP addresses and private IP addresses. Public IP addresses are globally defined unique addresses, whereas private IP addresses can be freely defined by a corporation as long as the IP address is compatible with the standard. Thus, it is desirable for private IP addresses to be used when corporations use a VPN service. If multiple VPNs are established simultaneously via an operator's network and private IP addresses are used over the VPNs, it is possible that a private IP address used in one VPN is also in use at the same time in another VPN over the operator network. In addition, a particular VPN connection may carry more than one connection between multiple remote peers and multiple destinations in the corporation's Intranet.
On some occasions, the VPN connection may run over a specific network segment such as a long delay connection or long fat network (LFN) such as a satellite link, fiber cable services, wireless, cellular, etc. It should be noted that the terms specific network segment, “LFN”, satellite link, fiber cable services, other terrestrial connections, wireless, and cellular are used interchangeably herein. Henceforth, the description of the present invention may use the term ‘LFN’ as a representative term for any of the above group. In order to improve service, a service provider or operator may want to add Manipulation Equipment (MEq) at both a remote operator's zone and a central operator zone. The MEq accelerates the transportation of data over the long delay connection. Common MEq components may operate on and manipulate common IP products such as TCP/IP, UDP/IP, etc. However, common MEq components may not manipulate data that constitute encapsulated VPN packets.
The MEq interrupts the communication between a remote client and its final destination over a VPN and then manipulates the data before transmitting the data over the LFN. On the other side of the LFN, a second MEq is installed in order to perform the inverse operation of the first MEq. By doing this, the MEq improves the speed of communication and reduces the volume of data over the LFN lines. Alternatively, an MEq may emulate the other side of the connection by impersonating and responding in the name of the other side of the connection. This aspect of the present invention operates to increase the speed of the communication. For example, if an original connection is based on TCP/IP, then the MEq may respond to the requesting device by sending an acknowledgement packet directly to the device rather than waiting for the other side of the connection to generate an acknowledgement packet. An MEq may manipulate data in the internal layers such as the Transport layer (i.e. TCP) and the Application layer (HTTP, MAPI, etc.) as well as actual content (HTML, GIF, etc.). Within the context of this description, the terms manipulation, optimization and acceleration are used interchangeably.
Therefore, there is a need to break the VPN tunnels at the input to the MEq and reconstruct (re-tunnel) the VPN tunnels at the output of the MEq. Moreover, the communication between a remote operator's zone (ROZ) and the central operator's premises (COP) may be comprised of multiple VPN tunnels originating from multiple peers that may belong to different corporations that are currently located within the same remote zone, as well as private users that may use the same operator services. Some of those may use the MEq while others may not. Furthermore, the communication to and from a client using the MEq may contain information that is not handled by the MEq. In addition, at the central operator's premises the communication may come from ROZs to multiple corporations via the Internet.
Therefore, MEqs located on both sides of an LFN face several obstacles. For instance, the MEq may be required to first break multiple VPN channels between different peers and different corporations that are currently connected over the LFN between the ROZs and the COP. The MEq may then be required to manipulate the original packet, which is encapsulated in the VPN packet as the payload. Finally, the MEq may need to reconstruct the VPN packet with the manipulated data as the payload packet of the VPN packet and then send it to the appropriate destination via the MEq on the other side of the LFN. On the other side of the LFN, a complementary MEq server performs, as needed, the inverse manipulations and then reconstructs the VPN tunnel.
Therefore, there is a need for a system and method for breaking multiple VPN tunnels that lie between ROZs, COPs, and multiple corporate intranets over a data network (such as the Internet or private connection), redirecting the data to a manipulation server, manipulating the data, receiving the manipulated data, and finally reconstructing (restoring) the appropriate VPN tunnels (re-tunneling) again.