The technology of virtual private networks (VPN) enables transparent, real-time secured communication between individuals sharing a same field of interest while using the Internet infrastructure, which is unreliable but inexpensive.
To communicate transparently and remove the need for non-routable addresses, VPNs use a special encapsulation known as tunneling, which creates what is called a tunnel. This operation consists in encapsulating a level A protocol (embedded protocol) in a level B protocol (transport protocol) by means of an encapsulation protocol C, B being a protocol whose layer is of a level higher than or equal to that of A, in a layered model such as the OSI model, which describes the services provided by each of these layers and their interactions.
In the description below, by way of example only, level 2 VPNs are considered, i.e. encapsulation in a level 2 tunnel (a level 2 tunnel being one whose embedded protocol is a layer 2 protocol of the OSI model).
The VPNs are often used to interconnect two LANs (local area networks) in order to create a virtual local area network formed by the union of the original two LANs. Secured VPNs include a cryptography and authentication algorithm to guarantee the secrecy of the transported data. A typical VPN configuration based on a tunneling technique is illustrated in FIG. 1a (described in detail here below). In this example, the tunnel endpoints are not integrated in the gateways. The tunnel is set up between two tunnel endpoints and each packet (also called a frame) sent to an apparatus connected to the remote LAN is encapsulated by the local tunnel endpoint and then sent to the remote tunnel endpoint which will de-encapsulate and send it on the remote LAN. An apparatus then is unable, from the source address of a received frame, to determine if it has originated from a local LAN or from a remote LAN. Communication between two apparatuses through the tunnel is called end-to-end communication.
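The encapsulation and end-to-end behaviour described above, as an added example that is not part of the patent text. Protocol A is Ethernet, protocol C is a hypothetical 8-byte tunnel header defined here for illustration, and protocol B (the transport, e.g. UDP/IP) is not modelled: the datagram produced by encapsulate() would be its payload. The MAC addresses and payload are constructed.

```python
import struct

# Constructed example: a minimal level 2 tunnel. Protocol A (embedded) is Ethernet,
# protocol C (encapsulation) is the hypothetical header built below, and protocol B
# (transport, e.g. UDP/IP) is not modelled: the datagram returned by encapsulate()
# would be carried as its payload.

ETHERTYPE_IPV4 = 0x0800
TUNNEL_MARKER = b"L2T"        # hypothetical marker for the encapsulation protocol C
TUNNEL_VERSION = 1
HEADER_FMT = "!BHH"           # version, tunnel id, embedded frame length
HEADER_LEN = len(TUNNEL_MARKER) + struct.calcsize(HEADER_FMT)   # 8 bytes


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Layer 2 frame: 6-byte destination, 6-byte source, 2-byte EtherType, payload."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_ethernet_frame(frame: bytes):
    """Split a frame into (dst, src, ethertype, payload); rejects a truncated header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype, frame[14:]


def encapsulate(frame: bytes, tunnel_id: int) -> bytes:
    """Local tunnel endpoint: place the whole layer 2 frame behind the tunnel header."""
    return TUNNEL_MARKER + struct.pack(HEADER_FMT, TUNNEL_VERSION, tunnel_id, len(frame)) + frame


def decapsulate(datagram: bytes, expected_tunnel_id: int) -> bytes:
    """Remote tunnel endpoint: validate the header and recover the embedded frame unchanged."""
    if datagram[:len(TUNNEL_MARKER)] != TUNNEL_MARKER:
        raise ValueError("not a tunnel datagram")
    version, tunnel_id, length = struct.unpack(HEADER_FMT, datagram[len(TUNNEL_MARKER):HEADER_LEN])
    if version != TUNNEL_VERSION:
        raise ValueError(f"unsupported tunnel version {version}")
    if tunnel_id != expected_tunnel_id:
        raise ValueError("datagram belongs to another tunnel")
    frame = datagram[HEADER_LEN:HEADER_LEN + length]
    if len(frame) != length:
        raise ValueError("truncated embedded frame")
    return frame


def end_to_end_exchange():
    """Station A on LAN 1 sends to station B on LAN 2 through the tunnel.

    Returns the (src, dst, payload) that B observes on its own LAN plus the tunnel
    overhead in bytes. The source is still A's address, so B cannot tell from the
    frame whether A is on the local or the remote LAN.
    """
    station_a = bytes.fromhex("020000000001")   # constructed locally administered MACs
    station_b = bytes.fromhex("020000000002")
    frame = build_ethernet_frame(station_b, station_a, ETHERTYPE_IPV4, b"payload-from-A")
    datagram = encapsulate(frame, tunnel_id=7)               # local endpoint on LAN 1
    delivered = decapsulate(datagram, expected_tunnel_id=7)  # remote endpoint on LAN 2
    dst, src, _, payload = parse_ethernet_frame(delivered)
    return src, dst, payload, len(datagram) - len(frame)
```

The header here carries no secrecy or integrity protection: a secured VPN of the kind the text mentions additionally encrypts and authenticates each datagram before it is handed to the transport protocol, and real tunnel formats (L2TP, GRE and the like) use their own headers rather than this constructed one.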
Conventionally, an apparatus known as a bridge is used to connect two disjoint segments (LANs) of a network. An apparatus of this kind corresponds to layer 2 of the OSI model. Indeed, a bridge is used to filter the frames of the network as a function of their destination address, without however being concerned with their content. This increases the maximum distance between two stations (also called source devices or source apparatuses) and also reduces the load observed on each segment. Furthermore, the bridge reduces collisions, thus heightening the performance of each segment and therefore of the network as a whole. However, the bridge does not enable any filtering of broadcast or multicast type frames and requires the computation of a spanning tree to prevent data path loops, which cause, in particular, message duplication problems.
Algorithms for determining the spanning tree are well known to those skilled in the art and are therefore not described in detail. For example, a description of such an algorithm can be found in the IEEE 802.1D standard. A spanning tree determining algorithm consists in selecting a root bridge and, from this root, in determining a tree of loop-free data path(s) used to communicate by broadcast type messages with all the nodes of the communications network, and in blocking, in the bridges, certain ports connected to redundant paths. The drawback of such a spanning-tree determining technique is that, in certain cases, the non-looped data path is not optimized whereas it could be shorter. Thus, the latency can increase. It may be recalled that latency is the time taken by a frame to travel between the original station and the final destination of the network. Furthermore, spanning-tree determining techniques require the implementation of lengthy and complex protocols to obtain information on topology needed for the detection of the loops and for the configuration of the different nodes in order to eliminate these loops.
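The loop problem and the spanning-tree remedy described in the two preceding paragraphs, as an added example that is not part of the patent text. The election is simplified relative to IEEE 802.1D (lowest bridge identifier is the root, every link costs 1, no port priorities), and the four-bridge ring topology is constructed. The flood() function shows the duplication a loop causes, and the hop counts show the latency drawback: the tree path between two neighbouring bridges can be longer than the direct link that was blocked.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Link = Tuple[str, str]

# Constructed topology: four bridges wired in a ring, i.e. one redundant path.
RING: List[Link] = [("B1", "B2"), ("B2", "B3"), ("B3", "B4"), ("B4", "B1")]


def adjacency(links: List[Link], blocked=frozenset()) -> Dict[str, Set[str]]:
    """Neighbour table over the links whose ports are not blocked."""
    adj: Dict[str, Set[str]] = {}
    for a, b in links:
        adj.setdefault(a, set())
        adj.setdefault(b, set())
        if frozenset((a, b)) not in blocked:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def spanning_tree(links: List[Link]):
    """Simplified 802.1D-style election: the lowest bridge id is the root, a breadth-first
    walk from the root keeps one path per bridge and every other link is blocked.
    Real STP also weighs port costs and priorities; here every link costs 1."""
    adj = adjacency(links)
    root = min(adj)
    tree: Set[FrozenSet[str]] = set()
    seen = {root}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nb in sorted(adj[node]):
            if nb not in seen:
                seen.add(nb)
                tree.add(frozenset((node, nb)))
                queue.append(nb)
    blocked = {frozenset(l) for l in links} - tree
    return root, tree, blocked


def hop_count(links: List[Link], blocked, src: str, dst: str) -> Optional[int]:
    """Hops between two bridges on the active topology, a stand-in for latency."""
    adj = adjacency(links, blocked)
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return dist[node]
        for nb in adj[node]:
            if nb not in dist:
                dist[nb] = dist[node] + 1
                queue.append(nb)
    return None


def flood(links: List[Link], blocked, origin: str, max_hops: int) -> Dict[str, int]:
    """Broadcast flooding: each bridge repeats the frame on every port except the one it
    arrived on. max_hops bounds the simulation, because on a looped topology it never
    ends. Returns how many copies each bridge received."""
    adj = adjacency(links, blocked)
    received = {n: 0 for n in adj}
    queue = deque((nb, origin, 0) for nb in adj[origin])
    while queue:
        node, came_from, hops = queue.popleft()
        received[node] += 1
        if hops + 1 >= max_hops:
            continue
        for nb in adj[node]:
            if nb != came_from:
                queue.append((nb, node, hops + 1))
    return received


def demo():
    """Compare the ring with and without the spanning tree applied."""
    root, tree, blocked = spanning_tree(RING)
    return {
        "root": root,
        "blocked": blocked,
        "copies_without_tree": flood(RING, frozenset(), "B1", max_hops=4),
        "copies_with_tree": flood(RING, blocked, "B1", max_hops=4),
        "tree_hops_B3_B4": hop_count(RING, blocked, "B3", "B4"),
        "direct_hops_B3_B4": hop_count(RING, frozenset(), "B3", "B4"),
    }
```

With the B3-B4 link blocked, a broadcast from B1 reaches every other bridge exactly once instead of circulating, but a frame from B3 to B4 now travels three hops through the root instead of one, which is the latency cost the text points out.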
A second prior-art technique for preventing data path loops consists in selecting only one active tunnel endpoint per LAN (several tunnels can be connected to this active tunnel endpoint) and in configuring this active tunnel endpoint so as to prohibit any frame transfer from tunnel to tunnel. The only frame transfers permitted are from one LAN to one or more tunnels connected to it and from one tunnel connected to a LAN towards this LAN. More specifically, if several stations are activated simultaneously on a same LAN, then one of them is selected to create and manage the tunnels while the other stations deactivate their tunnel endpoint functions. This second technique is presented especially in U.S. Pat. No. 5,870,386.
The major drawback of this second prior-art technique lies in the fact that it does not enable the simultaneous functioning of several tunnel endpoints in a same LAN. In this technique, only one station (called the active station) must support the entire load of managing the tunnels. This technique is therefore not suited to cases where the active stations have only limited computation and processing resources, such as for example camcorders, cameras or printers.
A third technique, presented especially in the U.S. Pat. No. 6,343,330, proposes to implement a proxy type mechanism.
Such a mechanism prevents data path loops by replacing the source address of an incoming frame arriving from a tunnel onto a LAN with the address of the incoming tunnel endpoint. This third prior-art technique therefore relies on the fact that each tunnel endpoint knows the addresses of the other tunnel endpoints present on the LAN. Thus, the tunnel endpoints are able to decide whether a frame should or should not be transmitted on the tunnel. For example, if the source address of the frame is that of another tunnel endpoint, then the packet is discarded by the tunnel endpoint that has received it.
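The forwarding rules of the second technique (single active endpoint, no tunnel-to-tunnel transfer) and of the third technique (proxy source-address replacement and discarding of frames sourced by a peer endpoint), as an added example that is not part of the patent text; a naive endpoint with no loop prevention is included for contrast. The frame model, the endpoint and station addresses, and the tunnel names T1, T2 and T3 are constructed. The example also makes the cost of the proxy visible: local stations no longer see the remote station's address, only the endpoint's.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Frame = Dict[str, str]        # constructed frame model: dst, src, payload
Egress = Tuple[str, Frame]    # ("lan" or a tunnel name, frame to send there)

# Constructed addresses: two stations and two tunnel endpoints (E1, E2) on the same local LAN.
STATION_REMOTE = "02:00:00:00:00:10"
STATION_LOCAL = "02:00:00:00:00:20"
ENDPOINT_E1 = "02:00:00:00:00:e1"
ENDPOINT_E2 = "02:00:00:00:00:e2"


@dataclass
class EndpointCtx:
    mac: str
    tunnels: List[str]
    peer_macs: Set[str] = field(default_factory=set)   # other endpoints on this LAN (third technique)
    active: bool = True                                  # elected active endpoint (second technique)


def forward_naive(ctx: EndpointCtx, frame: Frame, ingress: str) -> List[Egress]:
    """No loop prevention: relay everything, including from one tunnel to another."""
    if ingress == "lan":
        return [(t, frame) for t in ctx.tunnels]
    return [("lan", frame)] + [(t, frame) for t in ctx.tunnels if t != ingress]


def forward_single_active(ctx: EndpointCtx, frame: Frame, ingress: str) -> List[Egress]:
    """Second technique: only the elected endpoint forwards, and never tunnel to tunnel."""
    if not ctx.active:
        return []
    if ingress == "lan":
        return [(t, frame) for t in ctx.tunnels]
    return [("lan", frame)]


def forward_proxy(ctx: EndpointCtx, frame: Frame, ingress: str) -> List[Egress]:
    """Third technique: a frame leaving a tunnel is given the endpoint's own source
    address; a frame seen on the LAN whose source is a peer endpoint is discarded."""
    if ingress == "lan":
        if frame["src"] in ctx.peer_macs:
            return []
        return [(t, frame) for t in ctx.tunnels]
    return [("lan", dict(frame, src=ctx.mac))]


def run(policy, e2_active: bool = True):
    """A frame from the remote station reaches E1 through tunnel T1. E1 also owns tunnel T2
    and E2 owns tunnel T3; both endpoints hear every frame on the shared LAN. Returns the
    tunnels into which the frame is sent back out and the source address that local
    stations observe on the LAN."""
    e1 = EndpointCtx(ENDPOINT_E1, ["T1", "T2"], {ENDPOINT_E2}, active=True)
    e2 = EndpointCtx(ENDPOINT_E2, ["T3"], {ENDPOINT_E1}, active=e2_active)
    frame: Frame = {"dst": STATION_LOCAL, "src": STATION_REMOTE, "payload": "hello"}
    resent: Set[str] = set()
    seen_src = None
    for egress, f in policy(e1, frame, "T1"):
        if egress == "lan":
            seen_src = f["src"]
            resent |= {t for t, _ in policy(e2, f, "lan")}   # E2 reacts to the frame on the LAN
        else:
            resent.add(egress)
    return sorted(resent), seen_src
```

The naive endpoint re-injects the frame into T2 itself and lets E2 re-inject it into T3, which is how a frame can circle back toward the LAN it came from. The second technique stops this only when E2 really is deactivated; the third technique stops it even with both endpoints active, at the price of rewriting the source address of every frame that crosses an endpoint.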
However, this third prior-art technique has a certain number of drawbacks.
First of all, this technique is complex (it entails the replacement of source addresses) and costly (in terms of the cost of the proxy mechanism and of the induced latency).
Furthermore, in certain cases, these proxy mechanisms are not suited to end-to-end communications, especially because they involve compromises as regards end-to-end security (in particular the security of the network layer, such as IPsec), inasmuch as they modify a part of the frames traveling through them.