EXHIBIT 1020

(19) United States
(12) Patent Application Publication        (10) Pub. No.: US 2002/0010866 A1
     McCullough et al.                     (43) Pub. Date: Jan. 24, 2002

(54) METHOD AND APPARATUS FOR IMPROVING PEER-TO-PEER BANDWIDTH BETWEEN REMOTE NETWORKS BY COMBINING MULTIPLE CONNECTIONS WHICH USE ARBITRARY DATA PATHS

(76) Inventors: David J. McCullough, Upper Brookfield (AU); Wayne Meissner, Woolloowin (AU); Craig S. Humphrey, Auchenflower (AU); Christopher J. Biggs, Chapel Hill (AU); Antonio Basilio Merenda, Chapel Hill (AU)

Correspondence Address:
Claude A. S. Hamrick, Esq.
OPPENHEIMER WOLFF & DONNELLY LLP
1400 Page Mill Road
Palo Alto, CA 94304 (US)

(21) Appl. No.: 09/740,494

(22) Filed: Dec. 18, 2000

Related U.S. Application Data

(63) Non-provisional of provisional application No. 60/172,369, filed on Dec. 16, 1999.

Publication Classification

(51) Int. Cl.: H04L 12/22; H04K 1/00
(52) U.S. Cl.: 713/201; 709/228

(57) ABSTRACT

A method and apparatus for increasing peer-to-peer bandwidth between remote networks by combining multiple connections, which use arbitrary data paths, is disclosed. The apparatus is a gateway node, which can be a specifically designed computer, open computer platform or extensions to firmware resident in a router, gateway or remote access server. The method includes origin authentication and data confidentiality, packet fragmenting, sequencing, directed routing, buffering, fragment encapsulation, packet re-assembly, and additional encapsulation for traversal of firewalls. Packet fragments transferred using the method can travel along very diverse paths through intervening public or private networks before arriving at the peer, which reassembles them. This eliminates the problems present in current aggregation schemes used by prior art, which are sensitive to the limitations in the infrastructure in the service provider's points of presence.

[Front-page drawing (FIG. 4): Local Network 1 connects through a Small Network Gateway (SNG) Initiator, over multiple connections to the public network, to a Small Network Gateway (SNG) Responder and Local Network 2. Notes on the drawing: "One link on responder needs a static public IP address, all other links can use dynamic IP addresses"; "Multiple fragments travel through Internet independently of each other and are aggregated at the destination, not by the equipment at each PoP".]

Viptela, Inc. - Exhibit 1020
Page 1

Patent Application Publication    Jan. 24, 2002    Sheet 1 of 17    US 2002/0010866 A1

[Drawing sheet 1: FIG. 1, the multi-site WAN of dedicated point-to-point links between Los Angeles, Chicago, New York and Atlanta described in the Brief Description of the Drawings (reference numerals 10, 12, 14, 16, 18, 22, 26, 28 visible); FIG. 2, the same sites 10, 12, 14, 16 each connected to a public network. Only the city labels and reference numerals survive extraction.]

Viptela, Inc. - Exhibit 1020
Page 2

Patent Application Publication    Jan. 24, 2002    Sheet 2 of 17    US 2002/0010866 A1

[Drawing sheet 2: FIG. 3, ML-PPP over ISDN. Labels recovered from the rotated drawing text: "Local Network"; "usually 2 x BRI ISDN channels"; "single aggregate packet (Channel 1 + Channel 2)"; "channel aggregation occurs at PoP"; "publicly accessible"; "travels to destination".]

Viptela, Inc. - Exhibit 1020
Page 3

Patent Application Publication    Jan. 24, 2002    Sheet 3 of 17    US 2002/0010866 A1

[Drawing sheet 3: FIG. 4, the system of the invention, the same drawing as on the front page: Local Network 1, Small Network Gateway (SNG) Initiator, connections to public network, Small Network Gateway (SNG) Responder, Local Network 2. Labels recovered from the rotated text: "One link on responder needs a static public IP address, all other links can use dynamic IP addresses"; "Multiple fragments travel through Internet independently of each other and are aggregated at the destination, not by the equipment at each PoP".]

Viptela, Inc. - Exhibit 1020
Page 4

Patent Application Publication    Jan. 24, 2002    Sheet 4 of 17    US 2002/0010866 A1

[Drawing sheet 4: FIG. 5, an IP packet secured by IPSec ESP in tunnel mode, with the portions marked ENCRYPTED and AUTHENTICATED and the labels "original IP payload", "ESP", "Header" and "IPSec" (reference numerals 90 to 102). FIG. 6, the standard IP header; field labels recovered from the rotated text: version, type of service, 16-bit total length, 16-bit identification, 13-bit fragmentation offset, 16-bit header checksum, 32-bit source IP address, 32-bit destination IP address.]

Viptela, Inc. - Exhibit 1020
Page 5

Patent Application Publication    Jan. 24, 2002    Sheet 5 of 17    US 2002/0010866 A1

[Drawing sheet 5: FIG. 7A, the cooperating blocks of the gateway, divided into APPLICATION SPACE and KERNEL SPACE (reference numerals 130, 134, 138, 160, 166). Labels recovered from the rotated text. Application space: Bandwidth On Demand; VPN Manager Configuration (remote public IP address of Responder; private IP address and subnet mask of Responder; session and encryption keys; authentication and encryption algorithms; TCP encapsulation for data); Bundle Manager (Application Portion) / Link Manager; messages to be encapsulated; physical connections on demand; message transfers between local and remote VPN, Bundle Link Manager and Responder. Kernel space: packet counting and statistics; port matching; bandwidth threshold of IP packets; IP Filtering subsystem; IP Security module; Network Directed Routing (force packet to correct PPP link); Bundle Manager (Kernel Portion): IVC IP address, destination is responder, source address is IP of PPP link, IP fragmentation, load balancing for non-TCP and for TCP-encapsulated traffic, decide to TCP encapsulate or not.]

Viptela, Inc. - Exhibit 1020
Page 6

Patent Application Publication    Jan. 24, 2002    Sheet 6 of 17    US 2002/0010866 A1

[Drawing sheet 6: FIG. 7B, the protocol stack for the SVC and the IVCs that comprise it. Layer labels legible on the sheet: TCP; TCPConn; BundleManager; IPSecESP. The remaining rotated text did not survive extraction.]

Viptela, Inc. - Exhibit 1020
Page 7

Patent Application Publication    Jan. 24, 2002    Sheet 7 of 17    US 2002/0010866 A1

[Drawing sheet 7: FIG. 8, a fragmented tunnel data packet with TCP encapsulation. Labels legible on the sheet: "IP Header"; "Encrypted for IPSec"; reference numeral 182.]

Viptela, Inc. - Exhibit 1020
Page 8

Patent Application Publication    Jan. 24, 2002    Sheet 8 of 17    US 2002/0010866 A1

[Drawing sheet 8: FIG. 9A, flow chart for transferring a packet from the private LAN toward the public network (reference numerals 210 to 250). Boxes legible on the sheet: START; Receive Packet from local LAN; IP TRANSMIT; Is Packet IPSec encapsulated?; Consult Routing Table; Apply IP Filter rules to non-VPN traffic but pass IPSec; Search IPSec Security Database; IPSec Flow Exists?; Apply IP Filter rules to VPN Data Traffic before Encryption; IPSec ESP Transforms; Packet Destined for Bundle? (YES: IVC Bundle Process; NO: Output via PPP Link with IP Address from Routing Table).]

Viptela, Inc. - Exhibit 1020
Page 9

Patent Application Publication    Jan. 24, 2002    Sheet 9 of 17    US 2002/0010866 A1

[Drawing sheet 9: FIG. 9B, the IVC Bundle Process (reference numerals 254 to 290). Boxes legible on the sheet: IVC Bundle Process; TCP Encapsulate the Data Packet?; Choose Inferior Virtual Circuit; Fragment to chosen Fragment Length; Choose IVC for TCP Stream; TCP Encapsulate and add IP and Bundle Headers; Fragment Packet up to size of MTU; Translate IPSec IP Header to Match IVC; NDR uses IP Filter to Match IVC address with PPP interfaces; Forward to correct PPP Link; IVC Bundle System; Is there more Data in Packet? (Yes / No); START.]

Viptela, Inc. - Exhibit 1020
Page 10

Patent Application Publication    Jan. 24, 2002    Sheet 10 of 17    US 2002/0010866 A1

[Drawing sheet 10: FIG. 10A, first part of the flow chart for receiving a packet over the VPN (reference numerals 300 to 328). Boxes legible on the sheet: START; Apply Traffic Filter Rules; Type of Packet? (Other IP / Other TCP); Destined for appropriate application?; Forward to Host; Tunnel Data Packet?; Remove IP, TCP and Bundle Headers; Yes.]

Viptela, Inc. - Exhibit 1020
Page 11

Patent Application Publication    Jan. 24, 2002    Sheet 11 of 17    US 2002/0010866 A1

[Drawing sheet 11: FIG. 10B, second part of the flow chart for receiving a packet over the VPN. Boxes legible on the sheet: Tunnel Data Packet?; Bundle Exists?; Search for Bundle Match; IPSec Flow Exists?; Discard Packet; Remove ESP Header and Decrypt; The Bundle Exists?; Translate ESP IP Address to VPN Tunnel IP Address.]

Viptela, Inc. - Exhibit 1020
Page 12

Patent Application Publication    Jan. 24, 2002    Sheet 12 of 17    US 2002/0010866 A1

[Drawing sheet 12: FIG. 11, flow chart of the TCP encapsulation sequence (reference numerals 360 to 384). Boxes legible on the sheet: Data IV Packet; Use TCP encapsulation for tunnel data?; Add bundle header; Address translation only; Add TCP Header; Add IP Header; PPP links.]

Viptela, Inc. - Exhibit 1020
Page 13

Patent Application Publication    Jan. 24, 2002    Sheet 13 of 17    US 2002/0010866 A1

[Drawing sheet 13: FIG. 12, flow chart for negotiating additional IVCs for an SVC (reference numerals 394, 398, 402, 404, 406, 444). Labels recovered from the rotated text: Is physical link available?; Is VPN already up?; Ask server; Connect to; Wait for new link available; Authenticate connection; Negotiate VPN bundle (SVC) parameters (IP, local link address, to server IP); Setup network; Create IVC; Authenticate IVC; Connect to IP; Join existing bundle; Ready for VPN traffic; No.]

Viptela, Inc. - Exhibit 1020
Page 14

Patent Application Publication    Jan. 24, 2002    Sheet 14 of 17    US 2002/0010866 A1

[Drawing sheet 14: FIG. 13, block diagram of the gateway hardware. Only fragments survive the rotated text: 10BaseT transformers and repeater; RS-232 drivers / UARTs; asynchronous serial; multi-port (4-8); serial / Ethernet ports; console; FLASH; integrated microprocessor / storage; address, data and control; reference numerals in the 450s and 460s.]

Viptela, Inc. - Exhibit 1020
Page 15

Patent Application Publication    Jan. 24, 2002    Sheet 15 of 17    US 2002/0010866 A1

[Drawing sheet 15: FIG. 14, a typical system supported by the Small Network Gateway. Labels legible on the sheet: Small Network Gateway; ISP Connections; Multiple Serial Ports 550; Modems or ISDN TAs; PC Work Stations; reference numeral 564.]

Viptela, Inc. - Exhibit 1020
Page 16

Patent Application Publication    Jan. 24, 2002    Sheet 16 of 17    US 2002/0010866 A1

[Drawing sheet 16: FIG. 15, another typical installation supported by the SNG. Labels recovered from the rotated text: Gateway; processes fragments; Host Router; T1 Leased Line; Internet Connection; Small Network Gateway; Small Remote Sites; Multiple, bundled ISP dialup links.]

Viptela, Inc. - Exhibit 1020
Page 17

Patent Application Publication    Jan. 24, 2002    Sheet 17 of 17    US 2002/0010866 A1

[Drawing sheet 17: FIG. 16, the alternative embodiment with a standard or industrial server PC for high capacity implementations (reference numerals 580, 588, 592, 596). Labels recovered from the rotated text: Bundled multiple ISDN 128K connections; Multiple analog modems; Small Network; Remote Site Gateway; Secured tunnels using; High capacity ISDN line adapters; bundles; Small Network Gateway; Regional Site; Central Site; Server Gateway.]

Viptela, Inc. - Exhibit 1020
Page 18


US 2002/0010866 A1
Jan. 24, 2002

METHOD AND APPARATUS FOR IMPROVING PEER-TO-PEER BANDWIDTH BETWEEN REMOTE NETWORKS BY COMBINING MULTIPLE CONNECTIONS WHICH USE ARBITRARY DATA PATHS

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims priority to a U.S. provisional application entitled "METHOD AND APPARATUS FOR IMPROVING PEER-TO-PEER BANDWIDTH BETWEEN REMOTE NETWORKS BY COMBINING MULTIPLE CONNECTIONS WHICH USE ARBITRARY DATA PATHS" filed on Dec. 16, 1999, Ser. No. 60/172,369, which application is hereby incorporated by reference.

FIELD OF THE INVENTION

[0002] The present invention relates generally to interconnecting private peer computer networks securely using a public computer network and aggregated multiple links between the private networks and the public computer network, where the aggregated multiple links improve the performance of the connection between the private peer computer networks.
DESCRIPTION OF THE RELATED ART

[0003] Businesses today are commonly multi-site operations. Even within a given locale, it is very common for a business to have several buildings located some appreciable distance from each other. However, these businesses must stay in close communication not only through their telephone system but through their computer systems as well. Not only is there a requirement for communication among the multi-site operation but the communication must be fast, reliable, confidential, and, if possible, not too expensive.

[0004] FIG. 1 shows a multi-site operation between Los Angeles 10, Chicago 12, New York 14 and Atlanta 16, in which the various sites communicate by means of dedicated point-to-point links 18, 20, 22, 24, 26, 28 that comprise a wide-area network (WAN) 30. Each of the sites typically has a private network, such as one or more LANs (not shown in FIG. 1), on which it relies for internal communications. The point-to-point links interconnect these private networks, with the goal being to have the system appear to the users as a single, integrated system. However, to achieve this goal, the point-to-point links must operate at high speed. The common solution is to use dedicated leased lines, such as T1 lines, from the public telephone network. These dedicated leased lines are fast, reliable and confidential.

[0005] However, a dedicated WAN 30, such as that shown in FIG. 1, employing point-to-point leased lines between their private networks incurs high telecommunications tariffs and thus is a costly solution to the multi-site communications problem.

[0006] FIG. 2 shows an alternative approach to the problem, in which each site 10, 12, 14, 16 is connected to a public computer network 32, such as the Internet. This approach appears to be a viable alternative, but, in fact, lacks several requirements which a solution must meet. First, while the cost is low, because only local connect charges are incurred, the communications between the sites are not confidential. Second, the reliability of the computer network is sometimes a problem and third, the speed of the interconnection is highly variable and often too low for most businesses.

[0007] To solve the confidentiality problem, a virtual private network (VPN) can be established between the multiple sites. A VPN simulates some of the properties of a private network in the setting of a public network, such as the Internet, by sending data from one private network to the other through a tunnel (a secure private path) through the public network. A VPN arrangement means that each site only needs one network connection so there is a large cost saving compared with multiple dedicated circuits. Moreover, a VPN can connect sites located virtually anywhere in the world as long as there is access to the public network.

[0008] However, one problem that still remains even with the use of VPNs is the speed of the connection and in many cases this speed is limited not by the speed of the public network on which the VPN is established but the speed of the interconnection between the private site and the public network, which is typically not satisfactory for today's businesses.

[0009] A common interconnection between a private site and a public network, such as the Internet, is a PSTN dial-up connection on which the Point-to-Point Protocol (PPP) is run. PPP is a data link protocol that has been designed as the Internet standard for connecting (and disconnecting) a private host to the Internet Service Provider (ISP). Other physical links, such as ADSL and ISDN, can also be used, but the protocol remains PPP. These physical links still do not solve the speed problem sufficiently. It is highly desirable to have a facility for aggregating the physical links between the private host (via a router possibly) and the Internet so that high speed and selectable speed connections are possible using the common types of physical links that are available, the PSTN dial-up link being the most available.

[0010] A protocol that attempts to fill the need to aggregate physical links for a high speed connection is the Multi-Link Point-to-Point Protocol (ML-PPP). FIG. 3 shows ML-PPP being employed primarily by users desiring high-speed dial-up Internet connections using ISDN. In this figure, there are two 64 Kbyte per second ISDN B-channels 34, 36 which are aggregated into one 128 Kbyte per second channel. These connections couple the private network 38 via a router 40 to the public network 32, the Internet. For this arrangement to work, the customer premises equipment and the ISP PoP 42 dial-in equipment must both support ML-PPP.

[0011] However, this aggregation solution, while perhaps providing some relief to the speed problem, re-introduces the confidentiality problem. The protocol does not allow users to configure the bundled, dial-up Internet connections to securely tunnel private data through the Internet 32 between a local private network 38 and a remote private network 46, which is a requirement for a Virtual Private Network (VPN). In other words the confidentiality problem now exists between the private local and remote hosts and the Internet.

[0012] The Multi-Link PPP scheme creates a further problem. This problem, called the "Multi-link hunt group splitting problem," occurs because the ML-PPP was not

Viptela, Inc. - Exhibit 1020
Page 19


designed to handle an intervening network, such as the Internet, between the local private network and the remote private network. It was developed primarily to interconnect two or more networks directly by multiple point-to-point links to improve bandwidth.

[0013] Briefly stated, the problem is that PPP links within a bundle become dissociated by terminating at multiple intervening nodes rather than at a single node. Usually these nodes are Network Access Servers (NAS) that receive the dial-up calls. ISPs that offer ML-PPP allow dial-ins to the Point-of-Presence (PoP, a switching office of an ISP) using the same phone number for all of the links in the bundle. A rollover or hunt group of analog lines is commonly used for example to route all incoming calls to the available modem pools, NASs and routers. The primary and secondary connections in the Multi-link bundle thus may get established to different NAS or remote access concentrators on the internal network inside each PoP. The effect is that network nodes within the public network lose a needed association between the links in the bundle.

[0014] Existing protocols have been proposed to fix this splitting problem. One of these is the Layer 2 Tunneling Protocol (L2TP). L2TP extends the PPP model by allowing the link layer (layer 2) and PPP endpoints to reside in different devices interconnected by a packet-switched network. Using L2TP, the user has an L2 connection to an access concentrator (e.g., modem bank, ADSL, DSLAM) and the concentrator tunnels individual PPP frames (fragments) to a single Network Access Server (NAS). This allows the actual processing of PPP packets to be separated from the termination of the L2 circuit. The association between links in the bundle is preserved because the PPP fragments are recombined, by means of the tunneling, at a single device, the NAS or router.

[0015] Another protocol, the Point-to-Point Tunneling Protocol (PPTP), has also adopted this approach. However, despite these improvements, problems still remain. Both solutions (L2TP and PPTP) require that the ISPs update their NAS software or router firmware in every device and in each of their PoPs, in effect placing the burden of aggregating PPP fragments on the PoP LAN backbone that interconnects the L2 access device and the NAS. This result is simply unworkable for several reasons.

[0016] First, placing the burden of aggregating PPP fragments onto the PoP LAN introduces additional latency and possibly performance bottlenecks. Second, all of the ISP's PoPs must support ML-PPP with fragment recovery. The likelihood of the latter being met, especially where there are international tunnel connections and different ISPs, each with potentially different equipment, is very low. Third, ML-PPP configurations and connection types are limited, inconsistent or totally non-existent at locations serviced by ISPs. Some ISPs offer ML-PPP connections over ISDN using the Basic Rate Interface (BRI). Some ISPs that offer higher speed ISDN connections require that each site have a router that includes proprietary multi-chassis ML-PPP extensions that are consistent with the equipment at their PoPs. Sometimes ISDN is not even available to the private host or network that needs to connect to the Internet.

[0017] This leaves the operator of the private site or network without a guaranteed solution that can easily improve bandwidth between remote locations regardless of whether they are using analog, digital or a combination of connections to the Internet.

[0018] Thus, there is a need for low-cost, high-speed, scalable-speed, confidential connections between the private networks of multiple, geographically dispersed sites that have approximately the same characteristics as private, high-speed point-to-point links interconnected between those sites.

BRIEF SUMMARY OF THE INVENTION

[0019] The present invention is directed towards such a need.

[0020] The present invention establishes a virtual private network (VPN) between two edges of a public computer network and connects each of these edges to a private network to permit communication between the private networks.

[0021] One advantage of the present invention is that it provides high speed and scalable bandwidth to businesses requiring site-to-site connections between their private Local Area Networks.

[0022] Another advantage of the present invention is that IP datagrams can be split, recombined and sequenced across an arbitrary number of dial-up Internet connections regardless of how the IP packets traverse the Internet and without being limited by the equipment at the PoP or any other Internet nodes. This makes the present invention independent of the particular ISP's access equipment so that links can be spread across multiple ISPs for increased reliability should a PoP fail.

[0023] A further advantage of the present invention is that data can be transferred between private networks using a variety of connection types between the private network and the Internet Service Providers at each location. These connection types include analog modem (PSTN), ISDN, ADSL or leased-line T-1 links.

[0024] Yet another advantage of the present invention is that a high level of resilience can be maintained because a dropped or failed connection can be re-established while the VPN is operating.

[0025] Yet another advantage of the present invention is that bandwidth is configurable by setting connection throughput thresholds and can be tuned for the best performance and the lowest ISP charges.

[0026] Yet another advantage is that the present invention can combine multiple Internet connections from a site or spread them across a variety of PoPs.

[0027] Yet another advantage is that the present invention can operate in a "many to one" scenario in which a large number of sites use multiple connections to improve bandwidth between them and a central site that employs one or more high-speed connections.

[0028] Yet a further advantage is that the present invention can ensure that the tunneled data can traverse the majority of routers and firewalls within the Internet successfully, even if they are restrictive and only allow a set number of protocols to pass.

Viptela, Inc. - Exhibit 1020
Page 20



BRIEF DESCRIPTION OF THE DRAWINGS

[0029] These and other features, aspects and advantages of the present invention will become better understood with regard to the following description, appended claims, and accompanying drawings where:

[0030] FIG. 1 shows a multi-site operation between Los Angeles, Chicago, New York and Atlanta, in which the various sites communicate by means of dedicated point-to-point links that comprise a wide-area network (WAN);

[0031] FIG. 2 shows an alternative approach to the problem, in which each site is connected to a public computer network, such as the Internet;

[0032] FIG. 3 shows ML-PPP being employed primarily by users desiring a high-speed dial-up Internet connection using ISDN;

[0033] FIG. 4 is a simplified diagram of a system in accordance with the present invention;

[0034] FIG. 5 illustrates an IP packet that is secured by the IPSec Protocol using ESP services in tunnel mode;

[0035] FIG. 6 shows the fields of a standard IP Packet Header. Standard IP fragmentation is used in the present invention;

[0036] FIG. 7A illustrates the several blocks that cooperate to carry out important functions of the present invention;

[0037] FIG. 7B shows the protocol stack for the SVC and the IVCs that comprise the SVC;

[0038] FIG. 8 shows a fragmented tunnel data packet with TCP encapsulation;

[0039] FIGS. 9A and 9B show a flow chart of the process for transferring packets from a private LAN, through the gateway, to the Public Network;

[0040] FIGS. 10A and 10B show a flow chart that illustrates the process of receiving a packet over the VPN;

[0041] FIG. 11 shows a flow chart of the TCP encapsulation sequence;

[0042] FIG. 12 shows a flow chart of the process for negotiating additional IVCs for an SVC;

[0043] FIG. 13 shows a block diagram of a gateway system, in accordance with the present invention;

[0044] FIG. 14 shows a typical system that can be supported by the Small Network Gateway;

[0045] FIG. 15 shows another typical installation that can be supported by the SNG; and

[0046] FIG. 16 shows an alternative embodiment of the present invention which includes a standard or industrial server PC computer for high capacity implementations.

DETAILED DESCRIPTION OF THE INVENTION

[0047] FIG. 4 is a simplified diagram of a system in accordance with the present invention. A public computer network, such as the Internet 32, is represented by the cloud-shaped figure. The public network includes one or more Points of Presence (PoP) 50, 52, 54, 56, 58 for one or more Internet Service Providers. An Initiator device (also referred to as a gateway) 60 is connected to one edge of the public network 32 by means of one or more links, Link 1-N 62, 64, 66, of a first set of links. Each link 62-66 of the first set terminates at one of the PoPs 50, 56 within the public network 32. A Responder device (also referred to as a gateway) 70 connects at another edge to the public network 32 by means of one or more links, RL1-N 72, 74, 76, of a second set of links. Each link 72-76 of the second set of links terminates at one of the PoPs 52, 58 within the public network 32. One link that interconnects the Responder and the public network must have a static Public IP address, but the other links of the second set can use dynamic IP addresses. A Virtual Private Network 80 is established between the Initiator 60 and the Responder 70 and includes one of the first set of links, the public network and one of the second set of links. The VPN connects a private network 82 connected to the Initiator 60 to a private network 84 connected to the Responder 70.

[0048] The Virtual Private Network is a tunnel between the Initiator and Responder that is implemented using IPSec, the Layer 3 security protocol for the Internet, operating in tunnel mode. Information is available regarding the Internet Security Protocol (IPSec) from the IETF (the Internet Engineering Task Force, a standards setting body for the Internet). However, a brief description of the protocol follows.

[0049] The IPSec Protocol is a protocol to provide security services on IP networks. The protocol operates at Level 3, the network layer. IPSec provides a choice of two kinds of security services, an authentication service and a confidentiality (security) service. It also provides for an Internet Key Exchange that allows parties to negotiate methods of secure communication through special exchanges, known as security associations (SA). The parties of the security association agree on encryption methods, lock and unlock keys and the useful life of the key.

[0050] The authentication service attempts to guarantee that the sender is actually the sender named in the transaction. This service is directed towards preventing imposters from intruding in a communication process between other parties. The IPSec protocol implements the authentication service by means of an Authentication Header (AH). When a packet is sent out a hash function is performed over the entire packet based on the contents of the packet and a known key. The result of the hash is included in the Authentication Header. The hash will fail if the contents of the packet have been altered when the packet is checked by the receiver.

[0051] The confidentiality or security service of IPSec attempts to ensure that only the two ends involved in the communication will be able to decipher the contents of a message that has been encrypted for security purposes. The IPSec Protocol implements the security service by means of the Encapsulating Security Payload (ESP) header. In this case, a packet is encrypted using an agreed upon encryption algorithm with keys that are known to both the sender and the receiver.

[0052] The IPSec Protocol has two major modes of operation, the transport mode and the tunnel mode. The transport mode is used to add security to packets traveling between two IP systems. The tunnel mode provides security services between two IP systems that act as Security Gateways (SG). In the tunnel mode an original IP packet is encapsulated in

Viptela, Inc. - Exhibit 1020
Page 21



an IPSec header and then sent from one security gateway to the other gateway which, upon receipt of the packet, uses the IPSec header for security purposes and recovers the original IP packet. Thus IPSec provides level 3 tunneling because the payload of the IPSec packet is IP traffic.

becomes its own smaller packet with its own IP header and is routed independently of any other packets. This means that fragments can arrive out of order. However, there is appropriate information in the IP header to reassemble the fragments at the destination.
`
[0053] FIG. 5 illustrates an IP packet that is secured by the IPSec Protocol using ESP services in tunnel mode. The diagram shows the portion of the packet 94, 96, 98 that is encrypted and the portion of the packet 92, 94, 96, 98 that is hashed for authentication. The components of the secured IP packet include a New IP header 90, an ESP header 92, an original IP header 94, the IP payload 96, an ESP trailer 98, and an ESP Authentication trailer 100. This IPSec packet 102 then can be used to carry IP addresses used on private site LANs from one site to another, through the public network, in effect hiding the private source and destination addresses of the LAN from users on the public network.
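As an added example (not part of the patent), the FIG. 5 layout built and checked end to end: the encrypted portion is 94, 96, 98, the hashed portion is 92, 94, 96, 98, and a single altered byte makes the receiver's hash check fail, as [0050] describes. The HMAC-SHA256 keystream stands in for the negotiated cipher, the 12-byte ICV truncation, the 4-byte trailer alignment and all keys, headers and function names are constructed assumptions.

```python
import hmac, hashlib, struct

# Constructed keys for this example; a real security association negotiates them.
ENC_KEY = b"constructed-encryption-key-0123"
AUTH_KEY = b"constructed-authentication-key-1"

def keystream(key, spi, seq, length):
    """Stand-in for the negotiated cipher: HMAC-SHA256 driven in counter mode (not a real ESP transform)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_tunnel_encapsulate(outer_hdr, inner_packet, spi, seq):
    """FIG. 5 layout: new IP hdr 90 | ESP hdr 92 | enc(orig IP hdr 94 + payload 96 + ESP trailer 98) | ICV 100."""
    pad_len = (-(len(inner_packet) + 2)) % 4                      # pad so the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # padding, pad length, next header (4 = IP-in-IP)
    plaintext = inner_packet + trailer                            # 94 + 96 + 98: the encrypted portion
    esp_hdr = struct.pack(">II", spi, seq)                        # 92: SPI and sequence number, sent in the clear
    ciphertext = xor(plaintext, keystream(ENC_KEY, spi, seq, len(plaintext)))
    icv = hmac.new(AUTH_KEY, esp_hdr + ciphertext, hashlib.sha256).digest()[:12]  # hash over 92, 94, 96, 98
    return outer_hdr + esp_hdr + ciphertext + icv

def esp_tunnel_decapsulate(packet, outer_len):
    """Receiving gateway: check the ICV before decrypting; returns the original IP packet, or None if the hash fails."""
    body = packet[outer_len:]
    esp_hdr, ciphertext, icv = body[:8], body[8:-12], body[-12:]
    expected = hmac.new(AUTH_KEY, esp_hdr + ciphertext, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        return None                                               # contents altered in transit
    spi, seq = struct.unpack(">II", esp_hdr)
    plaintext = xor(ciphertext, keystream(ENC_KEY, spi, seq, len(ciphertext)))
    pad_len = plaintext[-2]
    return plaintext[:len(plaintext) - 2 - pad_len]

# Constructed sample: opaque stand-ins for a 20-byte original IP header plus payload, and a 20-byte new outer header.
INNER = b"ORIG-IP-HDR(20bytes)" + b"private LAN payload"
OUTER = b"NEW-IP-HDR-(20bytes)"

def demo():
    pkt = esp_tunnel_encapsulate(OUTER, INNER, spi=0x1000, seq=1)
    good = esp_tunnel_decapsulate(pkt, len(OUTER))
    tampered = bytearray(pkt); tampered[len(OUTER) + 8] ^= 0x01  # flip one bit inside the encrypted original IP header
    bad = esp_tunnel_decapsulate(bytes(tampered), len(OUTER))
    return pkt, good, bad
```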
`
[0054] Thus, the IPSec ESP tunnel mode provides site-to-site security between two gateways that are separated by the public network. However, the IPSec ESP Tunnel mode does not provide a way to treat multiple tunnels between an Initiator and the Responder as a unified channel or bundle having a bandwidth that is the aggregate of the bandwidth of the individual tunnels.
`
[0055] The present invention provides the facilities to, in fact, treat multiple tunnels between the Initiator and Responder as a unified channel. Such a unified channel is called a superior virtual circuit (SVC) and the individual tunnels are called inferior virtual circuits (IVCs). An IVC is a peer-to-peer connection between an initiator and responder that includes a PPP link between the initiator and the public network, a connection through the public network, and an equivalent PPP link between the responder and the public network.
`
[0056] A necessary condition for treating the IVCs as a unified channel is that the packet load must be distributed approximately equally over each of the IVCs. If this condition were not met, some of the IVCs would take most of the load, causing saturation of those IVCs while other IVCs would stand idle. This unbalanced condition would not lead to an SVC whose bandwidth is approximately the aggregate of the individual bandwidths of the IVCs, nor one that would have scalable bandwidth.
`
[0057] One way to balance the packet load over the IVCs is to fragment a tunnel source packet and to distribute the smaller packets across av
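As an added example (not the patent's own method), the fragmentation, distribution and reassembly steps of [0048], [0056] and [0057] carried through on a constructed packet: the fragments are spread over three IVCs, arrive in arbitrary order, and are rebuilt from their offsets, while a lost fragment keeps the packet from being delivered. Round-robin assignment, the fragment fields and all names are assumptions made here.

```python
import random
from collections import Counter

def fragment(packet_id, payload, mtu):
    """IP-style fragmentation: id, offset and more-fragments flag are the header fields reassembly relies on."""
    frags = []
    for off in range(0, len(payload), mtu):
        frags.append({"id": packet_id, "offset": off, "mf": off + mtu < len(payload), "data": payload[off:off + mtu]})
    return frags

def distribute(fragments, ivcs):
    """Assumed balancing rule (not on the page): round-robin over the IVCs, giving the near-equal load [0056] requires."""
    return [(ivcs[i % len(ivcs)], frag) for i, frag in enumerate(fragments)]

def load_per_ivc(assignments):
    """Bytes carried per IVC; a skewed result means some IVCs saturate while others stand idle."""
    return dict(sum((Counter({ivc: len(frag["data"])}) for ivc, frag in assignments), Counter()))

def reassemble(received):
    """Responder side: group by id, order by offset, deliver only a gap-free run ending with the mf flag clear."""
    by_id = {}
    for frag in received:
        by_id.setdefault(frag["id"], []).append(frag)
    packets = {}
    for pid, frags in by_id.items():
        data, complete = b"", False
        for f in sorted(frags, key=lambda f: f["offset"]):
            if f["offset"] != len(data):
                break                                   # hole: a fragment has not arrived
            data += f["data"]
            complete = not f["mf"]
        if complete:
            packets[pid] = data
    return packets

PAYLOAD = bytes(range(256)) * 6      # constructed 1536-byte tunnel source packet
IVCS = ["ivc-A", "ivc-B", "ivc-C"]   # three inferior virtual circuits between initiator and responder

def demo(seed=7):
    frags = fragment(1, PAYLOAD, mtu=256)                  # six 256-byte fragments
    assignments = distribute(frags, IVCS)
    loads = load_per_ivc(assignments)
    in_flight = [frag for _, frag in assignments]
    random.Random(seed).shuffle(in_flight)                 # independent routing: fragments arrive in any order
    rebuilt = reassemble(in_flight)
    partial = reassemble(in_flight[:-1])                   # one fragment lost: the packet must not be delivered
    return loads, rebuilt.get(1) == PAYLOAD, partial.get(1)
```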
