Patent 2308261 Summary

(12) Patent Application: (11) CA 2308261
(54) English Title: VLAN IMPLEMENTATION SYSTEM AND ON-DEMAND ROUTABLE IP ADDRESS SERVICE
(54) French Title: SYSTEME DE MISE EN APPLICATION DE RESEAU LOCAL VIRTUEL ET SERVICE D'ADRESSES IP ROUTABLES SUR DEMANDE
Status: Deemed Abandoned and Beyond the Period of Reinstatement - Pending Response to Notice of Disregarded Communication
Bibliographic Data
(51) International Patent Classification (IPC):
  • H04L 12/46 (2006.01)
  • H04L 12/14 (2006.01)
  • H04L 12/22 (2006.01)
  • H04L 12/66 (2006.01)
  • H04L 41/0893 (2022.01)
  • H04L 61/5014 (2022.01)
  • H04L 61/5061 (2022.01)
(72) Inventors :
  • WILSON, TIM (Canada)
(73) Owners :
  • SOLUTION INC. LIMITED
(71) Applicants :
  • SOLUTION INC. LIMITED (Canada)
(74) Agent: GOWLING WLG (CANADA) LLP
(74) Associate agent:
(45) Issued:
(22) Filed Date: 2000-05-12
(41) Open to Public Inspection: 2001-11-12
Availability of licence: N/A
Dedicated to the Public: N/A
(25) Language of filing: English

Patent Cooperation Treaty (PCT): No

(30) Application Priority Data: None

Abstracts

English Abstract


A server and method is provided to provide a specific service to network users. The server and method automatically provide user-to-server security using VLANs. The server manages VLAN based on the request from a user for creating/deleting/joining/leaving VLANs. The server allows user to control groupings and overcomes the VLAN limit with the filtering policies on the switching infrastructure. In the second aspect of invention, the server and method provide a specific address based on requests from users. The server dynamically handles the management and facilitation of the requests. The server offers users reassignment of IP addresses from a first set of characteristics to a second set of characteristics with minimal user intervention. This allows users the ability to run a broader range of protocols. In the third aspect of invention, the server and method is provided to provide a routable IP address to a remote computer. The server allows pools of routable addresses to be maintained on one or more remote servers. The server can solve the shortage of the routable IP addresses.


Claims

Note: Claims are shown in the official language in which they were submitted.


THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. A method of implementing VLAN for use with an Internet access server, the method comprising:
a) processing of VLAN tags by the server; and
b) using switch filtering policies for bypassing the physical limit on the number of VLANs capable of being deployed on a switching infrastructure.
2. A method of performing on-demand routable IP address service within an Internet access server, the method comprising:
a) controlling IP assignments by the server; and
b) dynamically reassigning IP addresses on demand based on the controlled IP assignments.

Description

Note: Descriptions are shown in the official language in which they were submitted.


CA 02308261 2000-05-12
VLAN Implementation System and On-demand Routable IP Address Service
The present application relates to an Internet access server such as described in U.S. Provisional Application 60/171,644, filed December 27, 1999, the contents of which are incorporated herein by reference. The preferred embodiment of the Internet access server described in U.S. Provisional Application 60/171,644 will be referred to herein as the SolutionIP server.
Background of the Invention
Without the use of VLANs it is possible for users on the system to see network traffic from other users. This presents a potential security problem for the system and its users. VLANs are used for security and group collaboration, but generally they are manually configured ahead of time on switching hardware. Additionally, there is a finite number of VLANs that the switching hierarchy can support, and this physical limitation on the number of VLANs supported may be an issue.
In addition, some network protocols require fully routable IP addresses to function (e.g. tunnelling protocols including VPNs). Typically a user requesting a dynamic IP address can be given either a routable or non-routable IP address depending upon the configuration of the DHCP server on that network. Since dynamic switching from non-routable to routable IP addresses is not generally handled by the server, users are left to their own devices if they require a routable IP address but are served a non-routable IP address.
There is a need in the art for a system that overcomes the above difficulties.
Summary of the Invention
It is an object of the invention to provide a VLAN Implementation System and On-demand Routable IP Address Service.
The systems of the present invention attempt to extend the SolutionIP VBN server's capabilities in the following two areas:
1. VLAN enabling of the server to interpret and process VLAN tags, coupled with server communication with the switching infrastructure for VLAN management. This attempts to ensure user-to-server security and facilitates secure group collaboration.
2. Issuing routable IP addresses to requesting users on-demand. This feature deals primarily with enabling virtual private networks (VPN) on the server. This and other technologies sometimes require a fully routable IP address to function.
According to one aspect of the invention, there is provided a VLAN implementation system for use with an Internet access server such as SolutionIP VBN server. The VLAN implementation system provides user-to-server security using VLANs whose management is automated by the server. The system also aims at enabling the server to facilitate user initiated group collaboration by placing users requesting the service in the same VLAN. Additionally, the system aims at overcoming the VLAN limit through creative use of the filtering policies on the switching infrastructure.
The VLAN implementation system provides user-to-server security by placing each individual user into separate VLANs. The server's automation and management of VLAN creation/deletion facilitate this process, which allows us to control groupings of users into common VLANs (i.e. group collaboration). Additionally, the filtering policies implemented on the switches allow us to utilize more VLANs than typically possible.
According to a second aspect of the invention, there is provided a dynamic switching system that offers users the choice of a routable IP address on-demand. Through this system, the SolutionIP VBN server dynamically handles the management and facilitation of the requests. The dynamic switching system of the present invention offers users transparent re-assignment of IP addresses from non-routable to routable. This allows users the ability to run a broader range of protocols.
Detailed Description of the Invention
VLAN implementation system
VLAN enabling of the server allows the processing of VLAN tags and various VLAN services such as: create VLAN, show VLAN and delete VLAN. The VLAN implementation system is further described in Figures 1 to 4.
Features of the VLAN implementation system comprise:
  • processing of VLAN tags by the SolutionIP VBN server.
  • switch filtering policies that enable us to effectively bypass the physical limit on the number of VLANs capable of being deployed on the switching infrastructure.
Interactive Virtual Local Area Network (IVLAN)
A preferred embodiment of the first aspect of the invention will be referred to herein as an Interactive Virtual Local Area Network (IVLAN).
IVLAN is a communications technology that enables devices communicating with the TCP/IP protocol (the communications protocol of the Internet) to gain secure private and group access to any foreign TCP/IP network that has IVLAN installed. A foreign TCP/IP network which allows access on a temporary basis is often termed a Visitor Based Network (VBN), and is typically composed of core and leaf switches which route messages to and from client devices.
A Virtual Local Area Network (VLAN) is typically established on the network of switches to facilitate message traffic. This technology allows for all clients of the VBN to communicate with each other and any services available via the VBN Gateway. The capability for clients to communicate with each other is often suppressed on VBNs due to security considerations; for example, while guests at a hotel may wish to share data with some other guests, it would be considered unacceptable to share that data with every hotel guest registered with the hotel VBN. Since VLAN creation and maintenance must typically be performed manually by a network administrator, most VBN systems will include at most one VLAN.
The IVLAN technology allows for the dynamic creation of secure VLANs interactively by registered users of a VBN. The user may create a group VLAN and grant access to other registered users on a user name/password basis. IVLAN also allows for registered users to access VBN Gateway services via a secure private VLAN in which no other user may participate.
IVLAN executes on the Linux operating system and comprises the following components:
1. IEEE 802.1Q Compliant core switch;
2. IEEE 802.1Q Compliant leaf switches;
3. Custom built Simple Network Manager (SNM);
4. Common Gateway Interface (CGI) Components accessed via HTML pages;
5. Registration Driver incorporated into the Linux kernel; and
6. Modified Linux kernel Packet Driver.
The following paragraphs describe in more detail the technology encapsulated by IVLAN in the creation, maintenance, and use of VLANs.
IVLAN client registration is performed via a Hypertext Meta-Language (HTML) interface, where a client may interactively select to create a private VLAN, a group VLAN, or to join an existing group VLAN. If a VBN client registers for access to services available from the VBN Gateway, a private VLAN is established using the core - leaf switch mechanism for the use of the client user.
Alternatively, the client may register to administer a Group VLAN, supplying a VLAN username and password that other clients may use to gain access to the Group VLAN. The username, password and the selected number of allowed users are recorded by the Common Gateway Interface (CGI) components that underlie the IVLAN VBN registration HTML pages. Other clients may indicate upon registration of VBN services that they wish to join a Group VLAN, providing the user name and password for authentication. An example of a VBN utilizing IVLAN is shown in Figure 6.
During the registration process, the CGI components communicate with a custom built Simple Network Manager (SNM) process which executes on the VBN Server. The SNM issues SNMP commands to create both private and group VLANs on the core - leaf switch system. Communication ports of the core - leaf switch system are assigned as necessary to the created VLANs as clients register for access.
Private and Group VLANs may co-exist within the VBN due to the ability to tag message packets as they flow through the routing system. The IEEE 802.1Q standard provides for the capability to include a Q-Tag as part of the Ethernet frame of a message packet. The VBN Server manages the addition and removal of Q-Tags for the message traffic of the clients, which need not necessarily contain 802.1Q compliant NIC hardware. The CGI components obtain the Q-Tag generation ID from the VBN Server Registration Driver during the registration process for the purpose of VLAN creation. The VLAN is created as a final activity of the registration process.
For a private VLAN, utilized for VBN Gateway access, Ethernet frames will be tagged and untagged as part of the packet routing through the core - leaf switch system. When a message is transmitted by a client, it is untagged. The leaf switch to which the client is connected will insert a Q-Tag in the Ethernet frame before it is routed to the core switch. The message packet is routed through the core switch to the VBN Server, where the Q-Tag is stripped from the Ethernet frame by the Packet Driver which executes as part of the VBN Server kernel. The VBN Server Packet Driver also inserts Q-Tags into the Ethernet frames of incoming message packets destined for the client. The mapping between client and Q-Tags is based on the private VLAN ID and upon the IP Address assigned by the VBN Server DHCP process, both of which are assigned during the registration process.
For a Group VLAN, Ethernet frames may or may not be tagged as part of the routing of the packet through the system. If all clients belonging to the VLAN are physically connected to the same leaf switch, no Q-Tags are inserted in the Ethernet frame of the packets. However, if clients are connected to different leaf switches within the system, the packets must be routed through the core switch connected to each leaf. In this instance, the Ethernet frames will be tagged before leaving the source leaf switch, and untagged before leaving the destination leaf switch.
Both private and group VLANs are de-assigned from the communication ports of the switching system at the expiry of the user registration lease.
It will be understood by those skilled in the art that IVLAN may execute on UNIX type operating systems other than Linux.
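The private-VLAN tagging path described above can be sketched as follows. This is an added example, not code from the patent or from SolutionIP: `TagMap`, its methods and the sample addresses are hypothetical, and the rule that drops a frame whose Q-Tag does not match the VLAN registered for its source IP is an assumption about how the stated client-to-Q-Tag mapping would be enforced.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def insert_qtag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte Q-Tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:                 # 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tci = ((pcp & 0x7) << 13) | vid          # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_qtag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when no tag is present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]


def _ipv4_addr(frame: bytes, offset: int):
    """Read an IPv4 address at `offset` of an untagged IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                          # also rejects a second, nested tag
    return ipaddress.IPv4Address(frame[offset:offset + 4])


class TagMap:
    """Hypothetical stand-in for the client <-> Q-Tag mapping set at registration."""

    def __init__(self):
        self._vid_by_ip = {}

    def register(self, client_ip: str, vid: int) -> None:
        self._vid_by_ip[ipaddress.IPv4Address(client_ip)] = vid

    def from_client(self, frame: bytes):
        """Strip the tag; return None (drop) if it does not match the sender."""
        vid, inner = strip_qtag(frame)
        src = _ipv4_addr(inner, 26)          # IPv4 source address field
        if vid is None or src is None or self._vid_by_ip.get(src) != vid:
            return None
        return inner

    def to_client(self, frame: bytes):
        """Tag a frame for the VLAN registered to its destination IP."""
        dst = _ipv4_addr(frame, 30)          # IPv4 destination address field
        vid = self._vid_by_ip.get(dst) if dst is not None else None
        return None if vid is None else insert_qtag(frame, vid)


def build_frame(src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Constructed sample: Ethernet + minimal IPv4 header (checksum left at 0)."""
    eth = bytes.fromhex("02000000000a02000000000b") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload
```
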
On-demand routable IP address service
The on-demand routable IP address service includes both the tracking and management of IP addresses by the server. The transparent reassignment is handled using DHCP. The service is further described in Figure 5.
Features of the on-demand routable IP address service comprise:
  • control of IP assignment by the SolutionIP VBN server such that it can dynamically reassign IP addresses on demand.
RealIP
A preferred embodiment of the second aspect of the invention will be referred to herein as RealIP.
RealIP is an Internet Protocol (IP) Address allocation technology that enables a Dynamic Host Configuration (DHCP) Server to allocate both routable and non-routable IP addresses.
IP addresses are utilized by devices communicating with the TCP/IP protocol (the communications protocol of the Internet) to determine the routing of network traffic to and from clients. Typically, network clients are configured either with a static IP address, or to request the allocation of an IP address from a DHCP server.
When a client configured for DHCP is initially connected to a TCP/IP network, it issues a broadcast message requesting an IP address. Typically, the DHCP server will respond with an IP address allocated from a pool of addresses that it maintains. The DHCP server can maintain a pool of either routable or non-routable addresses.
Routable and non-routable addresses differ fundamentally in that devices with non-routable addresses must initiate any communication. Devices with routable addresses may be contacted by other devices without first initiating the communications flow. The difference is of interest in the use of Visitor Based Networks (VBNs). A Visitor Based Network is one in which clients connect for temporary access to network or Internet services.
A common implementation of a VBN is a hotel service in which guests may connect to a hotel gateway server for Internet access. Since the number of available routable IP addresses in this situation is typically smaller than the number of connections available to guests, a pool of non-routable IP addresses is generally utilized by the VBN DHCP server. However, this practice limits the capabilities that a guest has available from such a VBN connection. For example, a common use of digital communications is net-meeting, in which a number of participants may interact electronically through a net meeting server hosted by one of the participants. Without a routable IP address, the hotel guest is unable to host such a meeting for others who are participating via the Internet.
The RealIP system allows a network client to request either a routable or non-routable IP Address depending on the client need. RealIP executes on the Linux operating system and comprises the following:
1. Common Gateway Interface (CGI) components accessed via Hypertext Meta-Language (HTML) pages;
2. Registration Driver incorporated into the VBN kernel; and
3. Custom built DHCP Server.
The following paragraphs describe in more detail the technology encapsulated by RealIP.
When the DHCP server is contacted upon client connection, it receives a non-routable IP address from the Registration Driver which is incorporated into the VBN Operating System (OS) kernel. The Registration Driver maintains the pool of IP addresses rather than the DHCP server and maintains a mapping of registered clients and assigned addresses. In this manner, the Registration Driver may maintain both a pool of non-routable addresses and a pool of routable addresses. This process is illustrated in Figure 7.
The client may interactively request the use of a routable IP address through HTML pages which reside on the VBN server. CGI components that underlie the functionality of the HTML pages will communicate the request to the Registration Driver. The Registration Driver will respond with an IP address allocated from the pool of routable addresses, and release the temporary non-routable IP address previously assigned.
Since the Registration Driver maintains the mapping of VBN clients to allocated IP addresses, both routable and non-routable addresses may be assigned on request.
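The pool bookkeeping described above, with the routable pool smaller than the number of clients, can be modelled as follows. This is an added example, not code from the patent or from SolutionIP: the class and method names are hypothetical, clients are keyed by a constructed MAC string, 192.0.2.0/30 (a documentation range) stands in for a routable pool, and the DHCP exchange that delivers the new address to the client is not modelled.

```python
import ipaddress
from collections import deque


class PoolExhausted(Exception):
    """Raised when the requested pool has no free address."""


class RegistrationDriver:
    """Hypothetical model of the client-to-address mapping and the two pools."""

    def __init__(self, non_routable, routable):
        self._free = {"non-routable": deque(non_routable),
                      "routable": deque(routable)}
        self._lease = {}                    # client MAC -> (pool name, address)

    def _take(self, pool):
        if not self._free[pool]:
            raise PoolExhausted(pool)
        return self._free[pool].popleft()

    def on_connect(self, mac):
        """Initial DHCP contact: hand out (or repeat) a non-routable address."""
        if mac not in self._lease:
            self._lease[mac] = ("non-routable", self._take("non-routable"))
        return self._lease[mac][1]

    def request_routable(self, mac):
        """Swap the client's address for a routable one and free the old one."""
        pool, old = self._lease[mac]        # KeyError: client never registered
        if pool == "routable":
            return old                      # already upgraded, nothing to do
        new = self._take("routable")        # raises before the mapping changes
        self._lease[mac] = ("routable", new)
        self._free[pool].append(old)        # old address returns to its pool
        return new

    def release(self, mac):
        """Lease expiry or disconnect: return the address to its pool."""
        pool, addr = self._lease.pop(mac)
        self._free[pool].append(addr)

    def address_of(self, mac):
        lease = self._lease.get(mac)
        return lease[1] if lease else None

    def free_count(self, pool):
        return len(self._free[pool])


def demo_driver():
    """Constructed pools: six non-routable hosts, two stand-in routable hosts."""
    return RegistrationDriver(ipaddress.ip_network("10.0.0.0/29").hosts(),
                              ipaddress.ip_network("192.0.2.0/30").hosts())
```

When the routable pool is empty the request fails before the mapping is touched, so the client keeps its non-routable address until another client's lease is released.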

It will be understood by those skilled in the art that RealIP may execute on UNIX type operating systems other than Linux.
In a further embodiment, the invention also comprises: Switch/VLAN management using SNMP.
Numerous modifications, variations and adaptations may be made to the particular embodiments of the invention described in the documents attached herein, without departing from the scope of the invention, which is defined in the claims.

Administrative Status


Event History

Description Date
Inactive: IPC from PCS 2022-01-01
Inactive: IPC from PCS 2022-01-01
Inactive: IPC expired 2022-01-01
Inactive: IPC expired 2022-01-01
Inactive: IPC expired 2022-01-01
Inactive: IPC expired 2022-01-01
Inactive: IPC from PCS 2022-01-01
Inactive: IPC from MCD 2006-03-12
Inactive: IPC from MCD 2006-03-12
Inactive: IPC from MCD 2006-03-12
Inactive: IPC from MCD 2006-03-12
Inactive: IPC from MCD 2006-03-12
Application Not Reinstated by Deadline 2004-05-12
Time Limit for Reversal Expired 2004-05-12
Deemed Abandoned - Failure to Respond to Maintenance Fee Notice 2003-05-12
Application Published (Open to Public Inspection) 2001-11-12
Inactive: Cover page published 2001-11-11
Inactive: Correspondence - Formalities 2001-07-20
Amendment Received - Voluntary Amendment 2001-07-20
Letter Sent 2000-08-18
Inactive: IPC assigned 2000-08-08
Inactive: First IPC assigned 2000-08-07
Inactive: IPC assigned 2000-08-07
Inactive: Single transfer 2000-07-20
Inactive: Filing certificate - No RFE (English) 2000-06-16
Application Received - Regular National 2000-06-15

Abandonment History

Abandonment Date Reason Reinstatement Date
2003-05-12

Maintenance Fee

The last payment was received on 2002-05-09


Fee History

Fee Type Anniversary Year Due Date Paid Date
Application fee - small 2000-05-12
Registration of a document 2000-07-20
MF (application, 2nd anniv.) - small 02 2002-05-13 2002-05-09
Owners on Record

Note: Records showing the ownership history in alphabetical order.

Current Owners on Record
SOLUTION INC. LIMITED
Past Owners on Record
TIM WILSON
Past Owners that do not appear in the "Owners on Record" listing will appear in other documentation within the application.
Documents



Document Description Date (yyyy-mm-dd) Number of pages Size of Image (KB)
Representative drawing 2001-10-16 1 9
Description 2000-05-11 9 375
Claims 2000-05-11 1 19
Drawings 2000-05-11 7 163
Drawings 2001-07-19 23 537
Abstract 2001-07-19 1 27
Filing Certificate (English) 2000-06-15 1 164
Courtesy - Certificate of registration (related document(s)) 2000-08-17 1 120
Reminder of maintenance fee due 2002-01-14 1 111
Courtesy - Abandonment Letter (Maintenance Fee) 2003-06-08 1 174
Correspondence 2000-06-15 2 18
Correspondence 2001-07-19 25 606
Fees 2002-05-08 1 31