US006055575A

United States Patent                [11] Patent Number: 6,055,575
Paulsen et al.                      [45] Date of Patent: Apr. 25, 2000

[54] VIRTUAL PRIVATE NETWORK SYSTEM AND METHOD

[75] Inventors: Gaige B. Paulsen, Great Falls; Amanda Walker, Reston, both of Va.

[73] Assignee: Ascend Communications, Inc., Alameda, Calif.

[21] Appl. No.: 09/013,122

[22] Filed: Jan. 26, 1998

Related U.S. Application Data

[60] Provisional application No. 60/035,215, Jan. 10, 1997.

[51] Int. Cl.⁷ .................................... G06F 13/00
[52] U.S. Cl. .................. 709/229; 709/228; 709/226; 709/245
[58] Field of Search ........... 709/245, 229, 709/228, 226; 380/23, 30

[56] References Cited

U.S. PATENT DOCUMENTS

5,416,842    5/1995   Aziz ...................... 380/30
5,548,646    8/1996   Aziz et al. ............... 380/23
5,550,984    8/1996   Gelb ...................... 709/245
5,835,726   11/1998   Shwed et al. .............. 709/229
5,872,849    2/1999   Sudia ..................... 380/23

FOREIGN PATENT DOCUMENTS

0739106A1   10/1996   European Pat. Off. ........ H04L 9/08

Primary Examiner—Ahmad F. Matar
Assistant Examiner—Philip B. Tran
Attorney, Agent, or Firm—Weingarten, Schurgin, Gagnebin & Hayes LLP

[57] ABSTRACT

A system and method for remote users to access a private network having a first communications protocol via a public network, such as any TCP/IP network having a second different communications protocol, in a secure manner so that the remote user appears to be connected directly to the private network and appears to be a node on that private network. A host connected to the private network may execute a host software application which establishes and provides a communications path for secure access of the remote client computer. An encrypted data stream may be communicated between the host and the client representing traffic and commands on the network.

28 Claims, 2 Drawing Sheets

[Cover drawing: excerpt of the FIG. 4 flowchart with the labels PROTOCOL NEGOTIATION PHASE, SESSION KEY NEGOTIATION 104 and TEAR DOWN]

SAMSUNG 1040

U.S. Patent    Apr. 25, 2000    Sheet 1 of 2    6,055,575

[FIG. 1 (PRIOR ART): block diagram with the labels PRIVATE NETWORK #1, GATEWAY, PUBLIC NETWORK, GATEWAY, PRIVATE NETWORK #2, 28]

[FIG. 2: block diagram with the labels PRIVATE NETWORK, NODE N, 42]

U.S. Patent    Apr. 25, 2000    Sheet 2 of 2    6,055,575

[FIG. 3: block diagram with the labels HOST and PRIVATE (network)]

[FIG. 4: flowchart with the labels PROTOCOL NEGOTIATION PHASE, SESSION KEY NEGOTIATION 104, AUTHENTICATION 106, ESTABLISHED 108, TEARDOWN 110]
VIRTUAL PRIVATE NETWORK SYSTEM AND METHOD

This application claims benefit of provisional application Ser. No. 60/035,215 filed Jan. 10, 1997.

BACKGROUND OF THE INVENTION

This invention relates generally to apparatus and methods for accessing computer networks and in particular to establishing a secure connection between a remote computer and a private computer network using a public computer network.
In the past, organizations and companies have used private (internal) computer data networks to connect their users to each other. These private networks are not accessible to the public and permit sensitive data to be transferred between users within the company. However, due to the increasing numbers of people who need access to the private computer data network and the disparate locations of these people, there are several disadvantages of these conventional private computer networks.

As the number of people in a company grows, the workforce becomes more dispersed among different locations and there are more employees who are mobile, such as salespeople who travel around a region of the United States. For example, some employees may telecommute which requires dial-up access to the private computer data network. The dispersed workforce and the mobile workforce make a private computer data network unmanageable because this mobility requires at least two network connections for each user. In addition, since cellular telephone access has also become more available, additional connections to the network for this access are needed. In addition, full-time telecommuters dramatically increase the number of permanent “remote offices” a company must interconnect which further complicates the private computer data network administration and topology. In addition, as companies increase in size, due to acquisitions, mergers and expansion, the private computer data network must support more remote offices and more network nodes. Thus, as an organization expands, the private computer data network of the organization becomes unwieldy and unmanageable.

Recently, it has become necessary and desirable to permit employees of the company to interact “on-line” with customers and suppliers. This function adds a new dimension of complexity to the private computer data network since multiple private computer data networks must be interfaced together in a delicate balance of integration while maintaining some isolation due to security concerns. The individual networks that are being integrated together typically use different data transfer protocols, different software applications, different data carriers and different network management systems. Thus, interfacing these private computer data networks is a major challenge.

There is also a desire to consolidate and simplify the user interface to the computer network as well as to the software applications being executed by the computer network since it is often difficult to keep on top of each new software application. Thus, the costs of implementing and maintaining a private computer data network are high and are expected to increase in the future as the factors set forth above continue to drive up the costs of the private computer data networks. These high costs are compounded by the high costs for long distance telephone charges for leased lines and switched services. The number of support staff necessary to manage the complex topologies of these private computer data networks also further increases the costs to manage the private computer data networks. In addition, software applications which execute over the private network require separate backup equipment which further complicates the topology and increases the cost of the private computer data network. Thus, the costs and complexity of these private computer data networks are continuing to spiral upwards and there is no foreseeable end in sight.

A typical private computer data network may be used by an organization for some of its communications needs and may carry exclusively data traffic or a mix of voice/video and data traffic. The private computer data network may be constructed with a variety of wide area network (WAN) services that often use the public switched telephone network (PSTN) as a communications medium. A typical network may use high speed leased lines that carry voice, facsimile, video and data traffic between major facilities. These leased lines may include integrated services digital network (ISDN) lines or conventional T1 telephone lines. Because these leased lines are point-to-point connections, a mesh topology is necessary to interconnect multiple facilities. In addition, each leased line must be dedicated to a particular interconnection. A remote office may use switched services over the PSTN, such as ISDN or frame relay. For individual mobile employees, an analog modem may be the best solution for connection to the private computer data network. The private computer data network with all of these different connections, therefore, is very expensive to implement and maintain for the reasons set forth above.

A virtual private network (VPN), on the other hand, may offer the same capabilities as a private computer data network, but at a fraction of the cost. A virtual private network is a private data network that uses a public data network, instead of leased lines, to carry all of the traffic. The most accessible and least expensive public data network currently is the Internet which can be accessed worldwide with a computer and a modem. An Internet-based virtual private network (VPN) is virtual because although the Internet is freely accessible to the public, the Internet appears to the organization to be a dedicated private network. In order to accomplish this, the data traffic for the organization may be encrypted at the sender’s end and then decrypted at the receiver’s end so that other users of the public network can intercept the data traffic, but cannot read it due to the encryption.

A VPN can replace an existing private data network, supplement a private data network by helping relieve the load on the private data network, handle new software applications without disturbing the existing private data network or permit new locations to be easily added to the network. A typical VPN connects one or more private networks together through the Internet in which the network on each side of the Internet has a gateway and a leased line connecting the network to the Internet. In these typical VPNs, the same protocol for each private network, such as TCP/IP, is used which makes it easier to communicate data between the two networks. To create the VPN, a secure communications path between the two gateways is formed so that the two private networks may communicate with each other. In this configuration, however, each network is aware that the other network is at some other location and is connected via a router. As an example, if a company has a central private network in California and a remote office in Hong Kong, these two private networks may be connected via the VPN which reduces long distance telephone call charges. However, if a single individual is traveling in Hong Kong and wants to connect to the private network in California, the individual must incur long distance telephone charges or, if there is a remote office in Hong Kong, then the entire private network must be connected via the VPN to the California private network to communicate data. In addition, with the conventional VPN described, the individual in Hong Kong is aware that he is connected to the Hong Kong network which is in turn connected, via the gateway and the VPN, to the network in California so that the person in Hong Kong cannot, for example, easily use the network resources of the California network, such as a printer.
Thus, a conventional VPN requires the expense of a leased line and a gateway at each end of the VPN and cannot adequately address the needs of an individual who needs access to the private network. In addition, these conventional VPNs cannot easily connect networks which have different networking protocols. In addition, these conventional VPNs cannot be easily used for connecting an individual who needs remote access to the private network since the entire network with a gateway is needed. Thus, the invention provides a virtual private network (VPN) which avoids these and other problems with conventional VPNs and it is to this end that the invention is directed.

SUMMARY OF THE INVENTION

In accordance with the invention, a virtual private network system is provided which connects a private data network and a remote client which does not require expensive leased lines or gateways to establish a secure communications path. The system also permits an individual to access the private data network without incurring any long distance telephone charges. In addition, the system permits a private data network and remote client that use one communications protocol to communicate with each other over a public data network that uses a different communications protocol. The system also permits an individual to easily connect to the private data network without a remote private network and the individual appears to be a node on the private network, once connected, so that the individual may access any resources on the private data network.

In accordance with the invention, a system and method for forming a communications path between a public access network and a private access network where the two networks have substantially incompatible transmission protocols is provided. The method comprises establishing a secure communications path over the public access network between a host computer connected to the private network and a remote client computer, encrypting data and commands of the host computer and the client computer, and formatting the encrypted data and commands into a format compatible for transmission over the public access network. The formatted data and commands are then transmitted over the public access network. Once the formatted data and commands have reached their destination, they are decrypted to establish the client computer as a virtual node on the private network. In accordance with another aspect of the invention, a data structure for communicating data for a private data network having a first communications protocol over a public access network having a second communications protocol is provided.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a conventional virtual private network;

FIG. 2 is a block diagram illustrating a virtual private network in accordance with the invention;

FIG. 3 is a block diagram illustrating more details of the host computer of FIG. 1; and

FIG. 4 is a flowchart illustrating a method for establishing a virtual private network and communicating secure data over the virtual private network in accordance with the invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

The invention is particularly applicable to a system and method for providing a virtual private network which permits remote users to access a private network, such as an AppleTalk network, via a public TCP/IP network, such as the Internet, in a secure manner as if the remote user was one of the nodes on that private network. It is in this context that the invention will be described. It will be appreciated, however, that the system and method in accordance with the invention has greater utility. Before describing the invention, a brief description of a conventional virtual private network (VPN) will be provided.

FIG. 1 is a block diagram illustrating a conventional virtual private network (VPN) 20. The VPN includes a first private network 22 and a second private network 24 connected together through a public computer network 26, such as the Internet. The communications protocols for the first and second private networks as well as the public network may be the standard Transmission Control Protocol/Internet Protocol (TCP/IP). Thus, the communications protocols for the private networks are the same as the public network. Each private network 22, 24 includes a gateway 28, 30 which interfaces between the respective private network and the public network. Each gateway encrypts data traffic from the private network which is going to enter the public network and decrypts encrypted data received from the public network. In normal operation, a secure communications path 32, referred to as a tunnel, is formed over the public network that connects the first and second private networks through the respective gateways. The combination of the two private networks and the tunnel over the public network forms the virtual private network (VPN). The VPN is virtual since it is actually using a public network for the connection, but due to the encryption both private networks believe that they have a private network over which data may be sent. For example, a node 34 of the first private network 22 may send data which is encrypted by the gateway 28 through the tunnel 32, and the data is received by the second gateway 30 which decrypts the data and routes it to the appropriate node in the second private network. This conventional VPN, however, does not adequately provide an individual remote user with a system for remotely accessing the private network because the conventional VPN connects two networks with a tunnel and would require the individual to be connected to one of the private networks to utilize the VPN. In addition, this conventional VPN does not connect a remote individual directly to the private network so that a remote user with a VPN connection cannot directly access resources, such as a printer, connected to the private network. This conventional system also does not handle computer networks which have different communications protocols. Now, the virtual private network system in accordance with the invention will be described which overcomes these problems with a conventional VPN.

FIG. 2 is a block diagram illustrating a virtual private network (VPN) 40 in accordance with the invention. The VPN may include a private network 42 which communicates data using a first communications protocol, a public network
44 which communicates data using a second communications protocol, and a client node 46 that is connected for secure communications to the private network 42 through the public network 44 as described below. The private network 42 may be any type of computer network, such as an AppleTalk network. The public network may be any type of publicly accessible computer network such as the Internet.

The private network 42 may include a host computer 48, and a plurality of network nodes, such as a first node (NODE_1) 50, a second node (NODE_2) 52, and an nth node (NODE_N) 54 which are all connected to the host computer. In normal operation any node of the private network may share resources with any other node on the network. For example, any node of the private network may share a printer which is attached to the private network. The host computer 48 establishes a secure communications path 56, referred to as a tunnel, through the public network 44 with the remote client 46 by negotiating the communications protocol with the client 46 and authenticating the identity of the client. Once the secure tunnel has been established between the private network 42 through the host computer 48 and the public network 44 with the remote client 46, the remote client is treated as a node of the private network and uses the communications protocol of the private network even though the public network uses a different protocol. Thus, the remote client 46 may access resources connected to the private network, such as a printer, as if the remote client were directly connected to the private network. Therefore, with the VPN in accordance with the invention, the various connections between the remote client and the private network are transparent to the user of the remote client since the user can use the private network in any manner that a user directly connected to the private network can.

With the VPN in accordance with the invention, a gateway at each end of the virtual private network is not required. In addition, data traffic for the private network which has a first data communications protocol may be communicated over a public computer network which has a different communications protocol. In particular, the system encapsulates the data destined for the private data network having a first protocol in a data packet that may be sent over the public network, as described in more detail below. Thus, once the secure virtual private network connection has been established, the remote client may interact with the private network as if the remote client was directly connected to the private network. The virtual private network in accordance with the invention also permits an individual remote user to easily establish a connection with a distant private network without the need for a remote private network and a leased line or long distance telephone charges. Now, more details about the host computer 48 and the remote client 46 in accordance with the invention will be described.

FIG. 3 illustrates more details of the host computer 48 and the remote client 46 in accordance with the invention. The host computer 48 may include a central processing unit (CPU) 60, a memory 62 and a host 64 stored in the memory 62. The host may be a software application which is executed by the CPU 60 of the host computer. When a remote client contacts the private network 42 to establish a secure connection, the host 64 may negotiate and establish the secure virtual connection to the remote client 46, as described below. Once the secure connection has been established, the host 64 accepts unencrypted data from the private network, combines the data with a header containing information about the protocol of the private data network,
encrypts the data and the header, and communicates the encrypted data and header, over the secure communications path, to the remote client. The host also receives encrypted data with a header from the remote client, decrypts the data and the header, and passes the data traffic onto the appropriate node in the private network based on the header information, as described below.

Similarly, at the remote client 46, a client software application 66 stored in a memory 68 in the client computer 46 is executed by a central processing unit (CPU) 70 in the client computer 46. The client 66 negotiates and establishes the secure communications path with the host computer, combines the data with an appropriate header, encrypts the data traffic and the header destined for the client computer, and communicates the encrypted data to the host computer. The client also receives encrypted data traffic from the host computer, decrypts it, and passes the data traffic onto other software applications which are being executed by the CPU 70. Thus, the virtual private network in accordance with the invention is software application based so that expensive hardware, such as a gateway and leased lines, is not necessary. The software applications also permit the data between the client and host, which have a first communications protocol, to be communicated over a public computer network which has a second different communications protocol. Now, a method for establishing and communicating data traffic over the virtual private network in accordance with the invention will be described.

FIG. 4 is a flowchart illustrating a method 100 for establishing and communicating data over the virtual private network in accordance with the invention. An example of the phases and data formats for the communications between an AppleTalk network host and an AppleTalk remote client over the Internet will be described below, but the invention is not limited to that example and may be used to communicate data between any hosts and remote clients having a different communications protocol than the public data network. To begin the method, the remote client may request a connection to the host by any conventional method.

In step 102, once the initial unsecure connection has been established between the host and the client, a protocol negotiation phase occurs in which the host and the client negotiate the parameters that will govern the subsequent communications between the host and the client. The negotiated parameters may include the protocol version, the compression level, and the encryption technique. Each of these parameters has a default setting that must be available for either the host or the remote client to request so that there is a minimum set of functionality which may be implemented. To ensure backwards compatibility of any host or remote client, each host or client will implement at least a first protocol version so that there is backwards compatibility for future versions. These parameters will be described in more detail below. In addition, for the encryption parameter, each host and remote client must be able to support both data encryption standard (DES) type encryption as well as some form of non-DES encryption to permit communications between hosts and clients that are licensed for use within the United States as well as outside of the United States. The invention may use a plurality of different well-known non-DES encryption methods and these encryption methods will not be described here. The protocol negotiation phase is started when the connection is established and is initiated by the remote client sending the host a Protocol Request in which it communicates which protocol version it would like to use and any options, such as the encryption, that it would like to use. The host then sends the remote client a Protocol
Response verifying the protocol version number and any options. An example of the data formats of the Protocol Request and Protocol Response in the context of an AppleTalk network are provided below.

Once the protocol has been negotiated, it is determined, in step 103, if an optional session key negotiation phase 104 is going to occur. In the first protocol version, the session key negotiation phase is optional, but later versions of the protocol will require the session key negotiation phase. The session key negotiation phase is thus entered if a session key bit in the Protocol Request is set during the protocol negotiation phase. During the session key negotiation phase, data is exchanged between the host and remote client for the purpose of setting up an encryption key that is used for the remainder of the communication. In a preferred embodiment, a well known Diffie-Hellman key exchange method is used, but any other conventional key exchange method may be used. If the session key phase and the Diffie-Hellman key exchange method are not being used, the encryption key is chosen during an authentication phase 106, as described below. The data communicated during the session key negotiation phase may include a length word indicating the length of the data and the data. The data flow is bi-directional and is completed when the host and the remote client have agreed on a session key. If the system determines, in step 105, that a session key has been established, an authentication phase 106 is entered. In the event that a session key is not successfully negotiated during the session key negotiation phase, the method proceeds to a teardown phase 110 in which the communications between the host and the remote client are terminated and the method ends.

During the authentication phase 106, the remote client and the host negotiate what type of authentication is used for the communications and then provide challenges and responses to authenticate the identity of the remote client. Due to the wide variety of security requirements and methods, the host must, at a minimum, send a request with at least one default authentication type identifier and an associated challenge. However, if the host has the ability to use more than one authentication method, then the host may send the remote client, in an Authentication Request, more than one authentication type identifier and their associated challenges as described below. Thus, to start the authentication phase, the host may communicate an authentication request, as described below, to the remote client. The authentication request may include one or more authentication type/authentication challenge data pairs. In response to the authentication request, the remote client communicates an authentication response back to the host which includes exactly one authentication type/response data pair. If the host sends more than one authentication type/challenge pair, the remote client selects a particular authentication type and responds with the authentication type/response pair for only that particular authentication type. An example of the types of authentication methods is set forth below.

If the session key negotiation phase is not used, then, during a successful authentication phase, an implicit session key may be generated by the remote client. In a preferred embodiment, the session key may be generated by the following steps. First, a Unicode string containing the password from the client is concatenated with the challenge from the authentication request. Next, a SHA-1 hash value over the resultant concatenated data is calculated and the initial bytes of the hash value may then be used as the session key which may be communicated back to the host.

In response to the authentication response, the host determines if the response was successful or not in step 107. If the
response was successful (i.e., an appropriate response to the challenge was received which verifies the identity of the remote client), a success data structure is sent to the remote client and the method goes to an established phase 108, as described below. If the response was not successful (i.e., an appropriate response to the challenge was not received so that the identity of the remote client cannot be verified), then an error code is sent to the remote client and the teardown phase 110 is entered.
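The phase sequence of FIG. 4 (steps 102 through 110) together with the implicit session key of the authentication phase, worked through as an added Python example; this is not code from the patent or from Ascend. Assumed, because the patent does not state them: the message layouts, UTF-16BE as the encoding of the "Unicode" password, 16 as the number of initial SHA-1 bytes that form the key, authentication type identifier 1 for the password/challenge method, and an HMAC of the challenge under the derived key as the client's response so that the key itself is never sent.

```python
"""Host-side phase machine for FIG. 4 of the patent (added example, not the
patent's own code). Assumptions not stated in the patent: message layouts,
UTF-16BE for the "Unicode" password, KEY_LEN initial SHA-1 bytes as the key,
auth type id 1 for the password/challenge method, and an HMAC-based response."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

KEY_LEN = 16              # assumption: how many "initial bytes" of SHA-1 form the key
AUTH_TYPE_PASSWORD = 1    # assumption: identifier of the password/challenge method


@dataclass
class ProtocolRequest:    # client -> host, step 102
    version: int
    session_key_bit: bool  # set: run the optional session key negotiation 104
    encryption: str


@dataclass
class AuthRequest:        # host -> client, phase 106: one or more type/challenge pairs
    challenges: Dict[int, bytes]


@dataclass
class AuthResponse:       # client -> host: must hold exactly one type/response pair
    pairs: Dict[int, bytes]


def implicit_session_key(password: str, challenge: bytes) -> bytes:
    """Implicit key of the patent: SHA-1(Unicode(password) || challenge), initial bytes.
    The challenge crosses the public network in the clear, so the key is no
    stronger than the password it is derived from."""
    digest = hashlib.sha1(password.encode("utf-16-be") + challenge).digest()
    return digest[:KEY_LEN]


def password_response(password: str, challenge: bytes) -> bytes:
    """Assumed response format: HMAC-SHA1 of the challenge under the derived key,
    which proves knowledge of the password without sending the key itself."""
    key = implicit_session_key(password, challenge)
    return hmac.new(key, challenge, hashlib.sha1).digest()


class Host:
    """Host 64 of FIG. 3 driving steps 102-110 of FIG. 4 for one client."""

    def __init__(self, password: str, versions=(1,), encryptions=("DES", "non-DES")):
        self._password = password          # shared secret for the assumed auth type
        self._versions = versions          # version 1 is always implemented
        self._encryptions = encryptions    # DES and a non-DES method must both exist
        self.phase = "PROTOCOL_NEGOTIATION"
        self.session_key: Optional[bytes] = None

    def _teardown(self, reason: str) -> Tuple[str, str]:
        self.phase = "TEARDOWN"            # phase 110: nothing of the path remains
        self.session_key = None
        return self.phase, reason

    def run(self, request: ProtocolRequest,
            key_exchange: Optional[Callable[[], Optional[bytes]]],
            respond: Callable[[AuthRequest], AuthResponse]) -> Tuple[str, str]:
        # Step 102: accept only a version and encryption option the host implements.
        if request.version not in self._versions:
            return self._teardown("unsupported protocol version")
        if request.encryption not in self._encryptions:
            return self._teardown("unsupported encryption option")
        # Steps 103-105: optional Diffie-Hellman style exchange, supplied by the caller.
        if request.session_key_bit:
            self.phase = "SESSION_KEY_NEGOTIATION"
            self.session_key = key_exchange() if key_exchange else None
            if self.session_key is None:
                return self._teardown("session key not established")
        # Phase 106: a fresh random challenge for every session, never reused.
        self.phase = "AUTHENTICATION"
        challenge = secrets.token_bytes(16)
        auth_req = AuthRequest({AUTH_TYPE_PASSWORD: challenge})
        resp = respond(auth_req)
        # Step 107: exactly one pair, of a type that was offered, with a valid response.
        if len(resp.pairs) != 1:
            return self._teardown("response must carry exactly one type/response pair")
        (auth_type, value), = resp.pairs.items()
        if auth_type not in auth_req.challenges:
            return self._teardown("authentication type was not offered")
        expected = password_response(self._password, auth_req.challenges[auth_type])
        if not hmac.compare_digest(expected, value):
            return self._teardown("authentication failed")
        if self.session_key is None:       # no key phase: fall back to the implicit key
            self.session_key = implicit_session_key(self._password, challenge)
        self.phase = "ESTABLISHED"         # phase 108
        return self.phase, "ok"


def client_responder(password: str) -> Callable[[AuthRequest], AuthResponse]:
    """Client 66: pick one offered type and answer only that challenge."""
    def respond(req: AuthRequest) -> AuthResponse:
        auth_type, challenge = next(iter(req.challenges.items()))
        return AuthResponse({auth_type: password_response(password, challenge)})
    return respond
```

run() returns the terminal phase and a reason; on TEARDOWN the caller closes the channel as phase 110 requires, otherwise host.session_key is the key for phase 108.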
During a typical successful secure communications session, most of the time is spent in the established phase 108 in which encrypted data including the header is communicated between the remote client and the host. The header, as described below, contains information required by the communications protocol of the private network (i.e., the host and the remote client) to appropriately route data. Thus, the communications protocol information for the private network is embedded in the encrypted data packet so that the data destined for the private data network may be communicated over the public network having a different communications protocol. For each piece of encrypted data sent during the established phase, the data may be preceded by a length and flag word which contains the length of the data in bytes and six bits of flags. Since the data is typically sent over a TCP/IP based public network, a PUSH bit in the flag bits must be set to accelerate the processing of the transactions once a complete unit of data has been received.
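The header-plus-data encapsulation performed by the host and client software (FIG. 3) and the length-and-flag word that precedes each unit of data in the established phase 108, as an added Python example that is not the patent's or Ascend's code. Assumed, since the patent does not fix them: a 16-bit network-byte-order word with the six flag bits in the high bits (PUSH as the most significant bit) and a 10-bit byte length, a 4-byte header of protocol id, destination network and destination node, and a keyed-SHA-1 keystream standing in for the negotiated DES or non-DES cipher (a placeholder, not a vetted cipher).

```python
"""Established-phase framing for the patent's encapsulated data (added example,
not the patent's own code). Assumed layout: 16-bit big-endian length-and-flag
word (six flag bits in bits 15..10, PUSH = bit 15, 10-bit length in bytes),
a 4-byte header (protocol id, destination network, destination node), and a
keyed-SHA-1 keystream as a stand-in for the negotiated cipher."""
import hashlib
import struct
from typing import List, Tuple

FLAG_PUSH = 1 << 15             # assumption: PUSH is the most significant flag bit
FLAG_MASK = 0x3F << 10          # six bits of flags
LEN_MASK = 0x03FF               # ten bits of length in bytes (an AppleTalk DDP datagram fits)
WORD = struct.Struct(">H")      # network byte order: most significant byte first
HEADER = struct.Struct(">BHB")  # assumed header: protocol id, dest network, dest node
PROTO_APPLETALK = 0x01          # assumed protocol id for AppleTalk traffic


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """Placeholder cipher, NOT a vetted one: SHA-1 counter keystream bound to the
    frame sequence number so that no two frames share keystream."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha1(key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def _crypt(key: bytes, seq: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, seq, len(data))))


class Established:
    """One direction of the tunnel in phase 108 (e.g. host 64 -> client 66)."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._send_seq = 0
        self._recv_seq = 0
        self._buf = b""          # TCP is a byte stream, so partial frames are buffered

    def encapsulate(self, dest_network: int, dest_node: int, payload: bytes,
                    proto: int = PROTO_APPLETALK) -> bytes:
        """Header + data, encrypted together, preceded by the length-and-flag word."""
        body = HEADER.pack(proto, dest_network, dest_node) + payload
        if len(body) > LEN_MASK:
            raise ValueError("unit of data exceeds the 10-bit length field")
        frame = WORD.pack(FLAG_PUSH | len(body)) + _crypt(self._key, self._send_seq, body)
        self._send_seq += 1
        return frame

    def feed(self, chunk: bytes) -> List[Tuple[int, int, int, bytes]]:
        """Consume bytes from the stream; return every complete frame as
        (proto, dest_network, dest_node, payload). Malformed framing raises."""
        self._buf += chunk
        frames = []
        while len(self._buf) >= WORD.size:
            (word,) = WORD.unpack(self._buf[:WORD.size])
            flags, length = word & FLAG_MASK, word & LEN_MASK
            if not flags & FLAG_PUSH:
                raise ValueError("PUSH bit must be set on every unit of data")
            if length < HEADER.size:
                raise ValueError("unit of data shorter than the protocol header")
            if len(self._buf) < WORD.size + length:
                break                      # wait for the rest of this frame
            cipher = self._buf[WORD.size:WORD.size + length]
            self._buf = self._buf[WORD.size + length:]
            body = _crypt(self._key, self._recv_seq, cipher)
            self._recv_seq += 1
            proto, net, node = HEADER.unpack(body[:HEADER.size])
            frames.append((proto, net, node, body[HEADER.size:]))
        return frames
```

The receiver decrypts only after the length word says a complete unit of data has arrived, which is the point at which the patent expects the PUSH bit to have accelerated delivery.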
If an unsuccessful session key negotiation, an unsuccessful authentication, or the end of the established phase occurs, then the tear down phase 110 is begun. During the tear down phase, there is no data traffic between the remote client and the host and the communications channel is forcibly closed by either the remote client or the host. During the teardown phase, when one side shuts down the communications channel, an acknowledgment from the other side may consist of shutting down the connection from that side as well so nothing remains of the communications path. After the teardown phase, the method has been completed. The method, therefore, sets up a communication session as needed and then tears down the communications path once the communications have been completed.
Now, an example of the data formats for a system and method in accordance with the invention for communicating AppleTalk data between a remote client and a host over a TCP/IP public network, such as the Internet, will be described. As described above, the virtual private network in accordance with the invention may connect any private network having a first communications protocol to a public network having a second different communications protocol securely to permit remote users to access the private network in a secure manner wherein the remote user appears to be one of the nodes in the private network. In this example, the data formats for each of the communications phases are set forth and explained. For each different private data network with a different communications protocol, these data formats will vary slightly. The bytes of these data formats are sent across the network connection path over the Internet using a Network Byte Order protocol in which the most significant byte is communicated first.

To better understand the utility of the invention in the context of a connection between an AppleTalk private network and an AppleTalk remote client over the TCP/IP-based Internet, the differences between the protocol for the AppleTalk network and the Internet will be described before describing the data formats for this example. AppleTalk is a proprietary suite of networking protocols which is designed for plug-and-play operation whereas TCP/IP is designed to be administered. In particular, the Internet or any other TCP/IP network has been designed such that each node on the Internet is permanently assigned a unique IP address by a quasi-governmental entity. AppleTalk, on the other hand, assigns a node or device number to a node or device when the nodes or devices are actually placed on the network to provide the plug-and-play functionality. Therefore,
