US 7,526,658 B1
Scalable, distributed method and apparatus for transforming packets to enable secure communication between two stations
Haixiang He, Woburn, Mass. (US); Donald Fedyk, Groton, Mass. (US); and Lakshminath Dondeti, Chelmsford, Mass. (US)
Assigned to Nortel Networks Limited, St. Laurent, Quebec (Canada)
Filed on Sep. 12, 2003, as Appl. No. 10/661,903.
Claims priority of provisional application 60/442657, filed on Jan. 24, 2003.
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/32 (2006.01); H04L 9/00 (2006.01); G06F 11/30 (2006.01)
U.S. Cl. 713—193  [713/190; 713/191; 713/192; 713/194; 726/27; 726/28; 726/29; 726/30; 726/23] 6 Claims
OG exemplary drawing
 
1. A method of securing packet data transferred between a first and second member of a private network coupled to client edge devices over a backbone comprising a plurality of provider devices including provider edge devices, the backbone operating according to a routing protocol, the method comprising the steps of:
encapsulating a private address of a packet from the first member with a group header including a public address associated with the first member and a group address to generate a tunneled packet;
transforming, at a client edge device, the tunneled packet by first applying a same group security association associated with the private network to the tunneled packet of a different non-group point-to-point connection to provide a secure tunneled packet and then adding a header field to the secure tunneled packet, the added header field including a gateway address associated with the first member of the private network and a destination address of the second member of the private network to provide a client transformed packet;
forwarding the client transformed packet to a provider edge device; and
replacing, at the provider edge device, a destination field of the packet with a group identifier associated with the private network for routing the packet across the backbone.
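The four claimed steps as a toy simulation, added here and not part of the patent: one group key serves every member pair, the provider edge only rewrites the outer destination, and the receiving edge verifies the group transform before trusting the inner group header. The HMAC-SHA256 tag, the 4-byte address fields and the sample addresses are assumptions standing in for the unspecified group security association and header formats.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (assumptions, not from the patent): one key shared by every
# member of the private network, used as an HMAC-SHA256 integrity SA standing in for
# whatever transform the group security association actually applies.
GROUP_KEY = b"constructed-group-sa-key-for-private-network-A"
TAG_LEN = 32

def ip4(addr):
    """Return the 4-byte packed form of an IPv4 address string."""
    return ipaddress.IPv4Address(addr).packed

def encapsulate(private_pkt, member_public, group_addr):
    """Step 1: prepend the group header (sending member's public address, group address)."""
    return ip4(member_public) + ip4(group_addr) + private_pkt

def apply_group_sa(tunneled, key=GROUP_KEY):
    """Step 2a: apply the single group SA; the same key whichever pair is communicating."""
    return tunneled + hmac.new(key, tunneled, hashlib.sha256).digest()

def add_client_header(secure, gateway_addr, dest_addr):
    """Step 2b: outer header with the first member's gateway and the second member's destination."""
    return ip4(gateway_addr) + ip4(dest_addr) + secure

def pe_rewrite(client_pkt, group_id):
    """Step 4: provider edge swaps the outer destination field for the group identifier."""
    return client_pkt[:4] + ip4(group_id) + client_pkt[8:]

def receiver_decapsulate(pkt, key=GROUP_KEY):
    """Receiving side: strip the outer header, verify the group SA tag, recover group header
    fields and private payload. Returns None if the tag fails (altered packet or other group's SA)."""
    body = pkt[8:]
    tunneled, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, tunneled, hashlib.sha256).digest()):
        return None
    member_public = str(ipaddress.IPv4Address(tunneled[:4]))
    group_addr = str(ipaddress.IPv4Address(tunneled[4:8]))
    return member_public, group_addr, tunneled[8:]

def run_pipeline(private_pkt, sender_public, gateway, dest, group_addr, group_id):
    """Drive the four claimed steps; return (packet as routed on the backbone, receiver result)."""
    tunneled = encapsulate(private_pkt, sender_public, group_addr)
    client_pkt = add_client_header(apply_group_sa(tunneled), gateway, dest)
    backbone_pkt = pe_rewrite(client_pkt, group_id)
    return backbone_pkt, receiver_decapsulate(backbone_pkt)
```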