1. Field of the Invention
The present invention relates generally to a virtual L2TP/VPN tunnel network and a system and method for automatic discovery of VPN tunnels and other layer-2 services. More specifically, a virtual L2TP/VPN tunnel network as well as a system and method for automatic discovery of VPN tunnels, such as L2TP tunnels, and other layer-2 services using a method such as one based on the spanning tree protocol are disclosed.
2. Description of Related Art
Virtual private network (VPN) generally refers to a private network having a secure encrypted connection configured across a public network. VPN allows organizations such as corporations to utilize a public network as its own virtual private communications tool. VPNs appear as private national or international networks to the customer but physically share backbone trunks with other customers.
Implementing a VPN provides cost efficiency advantages by avoiding the expense of setting up a dedicated secure network while providing interconnectivity among remote branches, departments, and/or users through relatively inexpensive services of an Internet service provider (ISP). In particular, VPNs provide a cost-effective alternative to laying cables, leasing lines, and/or subscribing to frame relay services. Thus, VPNs offer the security of a private network via access control and encryption while enjoying the advantage of economies of scale and built-in management facilities of large public networks. However, utilizing VPNs over public networks typically comes at a cost of greater response time and/or lower reliability.
VPN may utilize a tunneling process that encapsulates and transmits communication packets. Tunneling generally involves transmitting data structured in one protocol format within the format of another protocol. In other words, tunneling allows other types of transmission streams to be carried within the prevailing protocol. With respect to VPN, tunneling typically involves encapsulating a network transmission in an IP (Internet Protocol) packet for secure transmission over an IP network. A tunnel provides a temporary portal for passing data through a system such as a proxy, and ceases to exist when the ends of the connection are closed. IP tunneling entails carrying a foreign protocol within an IP packet. For example, using IP tunneling, IPX (Internetwork Packet Exchange) can be encapsulated and transmitted via TCP/IP.
Examples of VPN tunnels include L2TP (Layer 2 Tunneling Protocol) tunnels, IPSec (IP Security) tunnels, PPTP (Point-to-Point Tunneling Protocol), and GRE (Generic Routing Encapsulation). L2TP is an extension to the point-to-point protocol (PPP) for creating VPNs over the Internet. L2TP is a combination of Microsoft's Point-to-Point Tunneling Protocol and Cisco's Layer 2 Forwarding (L2F) technology. L2TP supports non-IP protocols such as AppleTalk and IPX as well as the IPSec security protocol. IPSec is a security protocol that provides authentication and encryption over the Internet. In contrast to SSL which provides services at layer 4 and secures communications between two applications, IPSec works at layer 3 and secures everything in the network. Because IPSec was designed for the IP protocol, it has wide industry support and is expected to become the standard for virtual private networks (VPNs) on the Internet.
VPN technology typically involves various hardware components such as a network access server (NAS) and a tunnel server. The NAS is often also referred to as an L2TP access concentrator (LAC). The LAC receives incoming calls for dial-in VPNs and places outgoing calls for dial-out VPNs. Typically, the LAC is maintained by an ISP that provides VPN services to its customers. The tunnel server is often also referred to as the home gateway or the L2TP network server (LNS). The tunnel server terminates dial-in VPNs and initiates dial-out VPNs. Typically, the tunnel server is maintained by the ISP customer and is the contact point for the customer network.
When a remote end user or client wishes to connect to the customer tunnel server, the remote end user first establishes a PPP connection to the ISP LAC such as by dialing in to the ISP LAC. Upon receiving the initial PPP request, the LAC determines that the PPP request is to be forwarded onto a tunnel or other medium which can directly reach the PPP network server capable of authentication and authorization of the remote end user. The LAC identifies the tunnel server to which the end user's call is to be forwarded and establishes a tunnel with the identified tunnel server. Finally, the tunnel server authenticates the client username and password and establishes the PPP connection with the remote end user client.
The outgoing tunnel server and tunnel may be selected based on, for example, the end user domain name and/or the DNIS (dialed number identification service) information in the incoming call. If the LAC cannot determine the outgoing tunnel or tunnel server, then access is denied and the incoming session is dropped.
However, for large scale tunnel deployments, an ISP LAC may be within a network of ISP LACs. The other ISP LACs may have configured other distinct tunnels such that a VPN may be established across multiple ISP LACs. However, each LAC needs to be configured with a forwarding database for the tunneling topology so as to be able to establish such VPNs across multiple ISP LACs. Thus, it is desirable to provide a system and method for automatic discovery of VPN tunnels across a network of LACs.
A virtual L2TP/VPN tunnel network as well as a system and method for automatic discovery of VPN tunnels, such as L2TP tunnels, and other layer-2 services using a method such as one based on the spanning tree protocol are disclosed. It should be appreciated that the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication lines. Several inventive embodiments of the present invention are described below.
The method for automatic discovery of layer-2 services across a network of layer-2 devices generally comprises transmitting an advertisement message by each tunnel or virtual port of each layer-2 device to the logical neighbors of the device in a virtual topology, the advertisement message containing information for generating a spanning tree based on a spanning tree algorithm, receiving advertisement messages on the tunnels of each layer-2 device, and processing the received advertisement messages to generate a spanning tree topology of the network of layer-2 devices whereby each layer-2 device in the network automatically discovers layer-2 services of other layer-2 devices on the network. The transmitting is preferably repeated at predetermined configurable intervals. It is noted that discovery of L2 services such as by domain name or ID is generally analogous to Ethernet-address discovery by a bridge running the spanning tree protocol.
The resulting spanning tree generally includes a root device selected from the network of layer-2 devices, each tunnel associated with the root device being a designated tunnel of the root device on which advertisement messages are transmitted, a root tunnel for each non-root device, a designated device selected from the pair of devices associated with each tunnel, the associated tunnel being the designated tunnel of the designated device, and blocked tunnels for all other tunnels in the network of layer-2 devices, wherein blocked tunnels are blocked from transmitting advertisement messages. Generally, the transmitting of the advertisement message by each tunnel of each layer-2 device is only on root tunnels and designated tunnels of the layer-2 devices. The resulting spanning tree provides a unique path between each pair of layer-2 devices.
The advertisement message transmitted is the best tunnel advertisement message selected from the advertisement message received and from the advertisement message transmitted on that tunnel. In one implementation, the layer-2 service is a tunnel for establishing a virtual private network and the layer-2 devices are L2TP access concentrators wherein the virtual private network between a remote end client and a tunnel server is via L2TP access concentrators in the network according to the spanning tree topology.
The system for automatic discovery of layer-2 services across a network of layer-2 devices generally comprises a plurality of layer-2 devices. The layer-2 devices are in communication with each other to form the network, wherein each layer-2 device is configured to transmit an advertisement message on each tunnel, the advertisement message containing information for generating a spanning tree based on a spanning tree algorithm, to receive advertisement messages on the tunnels of each layer-2 device, and to process the received advertisement messages to generate a spanning tree topology of the network of layer-2 devices whereby each layer-2 device in the network automatically discovers layer-2 services of other layer-2 devices on the network.
The spanning tree protocol enables bridges to discover remote MAC addresses. Adapting and implementing the spanning tree protocol in VPN technology facilitates maintaining the tunneling topology and allows the network of LACs or tunnel switches to be more scalable. In addition, the spanning tree provides a unique path between any pair of nodes, is self-healing, and allows redundancy to be easily achieved.
A virtual private tunneling network for enabling communication across a virtual private network between a remote end user device and a destination L2TP network server is also disclosed. The virtual private tunneling network generally comprises a tunnel switch network having a plurality of tunnel switches each in communication with at least one other tunnel switch via a tunnel over an IP network, each of the tunnel switches being preconfigured with a list of tunnels with which it is associated and a list of domains corresponding to each tunnel. One of the tunnel switches in the network is in direct communication with a network adapted to establish a PPP session between the remote end user device and that tunnel switch. In addition, another one of the tunnel switches in the network is in communication with the destination L2TP network server via a corresponding tunnel, whereby communication packets between the remote end user device and the L2TP network server are encapsulated and transmitted via a plurality of tunnels corresponding to a plurality of the tunnel switches via the IP network.
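The following simulation is an added illustration and is not code from the patent or from any product implementing it. It models both the discovery method described above (advertisement messages exchanged on tunnels, selection of a root device, root tunnels, designated tunnels and blocked tunnels) and the tunnel switch network with per-tunnel domain lists. All specifics are assumptions for the example: the four LAC names, the tunnel costs, the two sample domains, the use of the lexicographic tuple (root id, path cost, sender id) as the "best advertisement" rule, and the representation of the learned domain-to-tunnel mapping as a per-device forwarding database. A loop in the virtual topology (lacA, lacB, lacC) is deliberately included so that the spanning tree has to block a tunnel, and a session for a domain no switch advertises is shown being rejected rather than forwarded.

```python
"""Spanning-tree based discovery of L2TP tunnel services across a network of LACs.
Added example; constructed topology and domains, not data from the patent."""
from collections import deque

# Constructed virtual topology: LAC id -> {neighbour LAC: tunnel cost}.
# Tunnels A-B, B-C, C-A form a loop, so one tunnel must end up blocked.
TOPOLOGY = {
    "lacA": {"lacB": 1, "lacC": 1},
    "lacB": {"lacA": 1, "lacC": 1, "lacD": 1},
    "lacC": {"lacA": 1, "lacB": 1, "lacD": 1},
    "lacD": {"lacB": 1, "lacC": 1},
}
# Constructed: domains each LAC can terminate through a tunnel to its own LNS.
LOCAL_DOMAINS = {"lacA": ["corp.example"], "lacD": ["branch.example", "lab.example"]}


def advertisement(root, cost, sender):
    """Advertisement message (BPDU-like). Tuple ordering picks the best one:
    lowest root id, then lowest path cost to the root, then lowest sender id."""
    return (root, cost, sender)


def build_spanning_tree(topology):
    """Distributed STP over tunnels. Every device starts by claiming to be root and
    keeps the best advertisement it has received; repeat until nothing changes.
    Returns (roles, root_tunnel): roles[(device, neighbour)] is 'root', 'designated'
    or 'blocked'; root_tunnel[device] is the neighbour on its root tunnel (None for root)."""
    best = {d: advertisement(d, 0, d) for d in topology}
    root_tunnel = {d: None for d in topology}
    changed = True
    while changed:
        changed = False
        for d, links in topology.items():
            for nbr, cost in links.items():
                r, c, _ = best[nbr]                    # what nbr transmits on this tunnel
                received = advertisement(r, c + cost, nbr)
                if received < best[d]:                 # better than anything seen so far
                    best[d], root_tunnel[d], changed = received, nbr, True
    roles = {}
    for d, links in topology.items():
        r, c, _ = best[d]
        mine = advertisement(r, c, d)                  # message d would transmit
        for nbr in links:
            rn, cn, _ = best[nbr]
            theirs = advertisement(rn, cn, nbr)
            if nbr == root_tunnel[d]:
                roles[(d, nbr)] = "root"
            elif mine < theirs:                        # d is the designated device for this tunnel
                roles[(d, nbr)] = "designated"
            else:                                      # neither root nor designated: no advertisements sent
                roles[(d, nbr)] = "blocked"
    return roles, root_tunnel


def tree_tunnels(topology, roles):
    """Tunnels on the unique tree path: usable only if neither end is blocked."""
    return {d: [n for n in links if roles[(d, n)] != "blocked" and roles[(n, d)] != "blocked"]
            for d, links in topology.items()}


def discover_domains(topology, roles, local_domains):
    """Flood each LAC's domain announcements over tree tunnels only. Each LAC records
    the tunnel an announcement arrived on as the next hop for that domain, the same
    way a bridge running STP learns which port leads to a MAC address."""
    active = tree_tunnels(topology, roles)
    fdb = {d: {} for d in topology}                    # device -> {domain: next-hop LAC or 'local'}
    for origin, domains in local_domains.items():
        for dom in domains:
            fdb[origin][dom] = "local"
        queue, seen = deque([origin]), {origin}
        while queue:
            cur = queue.popleft()
            for nbr in active[cur]:
                if nbr in seen:
                    continue
                seen.add(nbr)
                for dom in domains:
                    fdb[nbr][dom] = cur                # announcement arrived on the tunnel to cur
                queue.append(nbr)
    return fdb


def forward_path(fdb, ingress, domain):
    """LACs an incoming PPP session for `domain` is switched through, ending at the LAC
    that terminates it. Returns None when no LAC advertised the domain: the session is
    dropped instead of being forwarded into an unknown tunnel."""
    path, cur = [ingress], ingress
    while fdb[cur].get(domain) not in (None, "local"):
        cur = fdb[cur][domain]
        path.append(cur)
        if len(path) > len(fdb):                       # loop guard; tree forwarding never needs it
            return None
    return path if fdb[cur].get(domain) == "local" else None


if __name__ == "__main__":
    roles, root_tunnel = build_spanning_tree(TOPOLOGY)
    for (d, n), role in sorted(roles.items()):
        print(f"{d} -> {n}: {role}")
    fdb = discover_domains(TOPOLOGY, roles, LOCAL_DOMAINS)
    print(forward_path(fdb, "lacC", "branch.example"))   # tree path, not the blocked C-D tunnel
    print(forward_path(fdb, "lacB", "nobody.example"))   # None: undiscovered domain, session dropped
```

With these inputs lacA (the lowest id) becomes root, the tunnels lacC-lacB and lacD-lacC are blocked at the lacC and lacD ends, and a session arriving at lacC for branch.example is switched lacC, lacA, lacB, lacD along the unique tree path rather than over the blocked direct tunnel. Changing a tunnel cost or removing a tunnel from TOPOLOGY and re-running shows the tree re-forming around the change.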
These and other features and advantages of the present invention will be presented in more detail in the following detailed description and the accompanying figures which illustrate by way of example the principles of the invention.