Cable modems provide customers with high-speed access to networks, such as the Internet. Generally, the typical cable modem user is a home user, desiring connection to the Internet. However, many small businesses are discovering that cable modems provide them with a reasonable solution for Internet access. Some small businesses have even begun to deploy voice data over cable modems as an alternative to dedicated telephone lines.
Cable modems connect to a network through a Cable Modem Termination Server (CMTS). This provides connection to the Internet, and switching and routing of data packets. For a small business that only has one office, a single cable modem may be able to provide service for the entire office, through one CMTS.
If a small business has more than one office, and each office has its own cable modem, there may be more than one CMTS involved in providing network services to the business. For a small business desiring ‘layer 2’ local area network (LAN) services, this causes problems. The CMTS may be able to provide ‘layer 3’ services for the individual cable modems, but not layer 2 services. Such layer 2 services may include, but are not limited to, support for protocols other than Internet Protocol (IP) version 4 (the protocol currently provided by layer 3 services), end-to-end encryption, higher levels of network control, and use of a private IP address space.
One embodiment is a network device having a network interface to allow the device to send and receive traffic across a network. The device also has a cable connection to allow the device to exchange data with at least one other device across a cable network. The device has a processor to receive traffic carrying a network identifier through the network interface and to determine whether the network identifier is associated with a virtual private network. If it is, the device routes the traffic to the appropriate receiving entity through the cable connection when the network identifier is associated with a local area network.
In one embodiment the network device is an aggregator.
In one embodiment the network device is a cable modem termination server.
Embodiments of the invention may be best understood by reading the disclosure with reference to the drawings, wherein:
An embodiment of a cable modem network having a hub-and-spoke architecture is shown in
As discussed above, there may be several users using one cable modem, several cable modems attached to one CMTS, and several CMTSes attached to the hub. While it will generally be true that all of the users on a particular cable modem may be associated with one particular customer, there may be several different customers using one cable modem. A customer, as that term is used here, is any entity with which more than one person is associated. Of particular interest are those customers that have several different sites. No limitation is intended on any combination of customers on cable modems and CMTSes. The cable network may also have several hubs.
The hub or head-end 10 may belong to a multiple service operator (MSO) that provides voice, data and television service across the cable modem network. The CMTSes 12, 14 and 16 allow the cable modem users to access larger networks, such as the Internet. For ease of discussion, and with no intention of limiting application of the invention, it will be assumed that cable modems 120, 140 and 160 belong to Customer A, and cable modems 128, 148 and 168 belong to Customer B.
These customers now have three sites, each with their own cable modems, but no way to provide local area network (LAN) services, such as those to ensure security, between the users at the different sites. With application of embodiments of this invention, the users will have the ability to use LAN services. For example, users employing cable modem 120 will be able to send e-mail and data to users at cable modem 140 securely and with no concern that users at cable modem 148 or 128 can ‘see’ the data or access it.
In this embodiment, a network device 18 resides within the hub 10. This device may be referred to as an aggregator provider edge device or simply as an aggregator, with no intention of limiting the nature or composition of this device. When traffic from a CMTS enters the hub, the network device 18 will identify from what customer's cable modem/user that traffic originated and will forward it only to those cable modems belonging to that customer. In some ways, then, the network device 18 could be seen as performing bridging, where the users at cable modems 120, 140 and 160 could be viewed as one bridge group, and the users at cable modems 128, 148 and 168 could be viewed as another bridge group.
As mentioned before, it is possible to set up virtual private network (VPN) solutions using what is referred to as ‘layer 3’ switching. Layer 3 refers to the OSI (Open System Interconnection) reference model, in which Layer 3 is the network layer. In usage, this generally refers to the network switching layer. A VPN using layer 3 switching generally only supports Internet Protocol traffic, and requires the customers to share their network addressing information with the cable service provider or MSO.
A Layer 2 VPN can provide similar functionality without the drawbacks of a Layer 3 solution. Layer 2 is the data link layer, and may also be broken into a media access control (MAC) layer and a logical link layer. Examples of Layer 2 implementations include L2TP (Layer 2 Tunneling Protocol), currently on version 3 (L2TPv3), and AToM. AToM is Any Transport over MPLS, where MPLS is the Multiprotocol Label Switching, a protocol that uses labels to direct routers and other network devices how data traffic having a particular label is to be routed.
In one embodiment of this invention, the network identifier may be based on a ‘pseudo-wire’ or tunnel using L2TPv3 or AToM, as examples, which is established between each CMTS and the aggregator for each cable modem attached to the CMTS. If, for example, CMTS 12 had 1000 cable modems requiring Layer 2 VPN services attached to it, there would be 1000 pseudo-wires established. The ‘width’ of the connection between CMTS 12 and aggregator 10 would have a width of n1=1000. This would be repeated for every CMTS attached to the aggregator. In an alternative embodiment, the hub is a network over which the pseudo-wires traverse, such as a Virtual Private LAN Services (VPLS) cloud. In this case the hub-and-spoke topology would be implementing Hierarchical VPLS, or HVPLS.
An embodiment of a method to provide local area network services for transmitted data from a cable modem is shown in flowchart form in
The network identifier may be a VLAN tag, pseudo-wire tag, or other label that identifies the pseudo-wire through which the traffic is to be routed. One customer may have several different pseudo-wires, and therefore several different VLAN or other network identifiers, associated with their sites. A VLAN is a similar pseudo-wire to L2TPv2 and AToM. Network identifiers refer to the virtual private network with which that cable modem traffic is associated.
In one embodiment, where there is a hub, aggregator or other centralized entity, such as the network mentioned above, the received traffic may be processed as shown in
An embodiment of a method of processing received local area network traffic at a CMTS is shown in flowchart form in
The CMTS then performs a look-up to determine whether that VLAN tag is associated with a virtual private network, typically by determining whether it is associated with a downstream service identifier (SID) at 44. In cable networks, generally, downstream refers to data coming from the hub or network towards the CMTS and the cable modem, and upstream is data coming from the cable modems or the CMTSes towards the hub or the network.
If the identifier does not match at 44, the traffic may be discarded or otherwise routed at 46. The network may employ different manners of correcting errors in transmission, either bad tags or incorrect routing. The nature and extensiveness of any error correction measures implemented upon the detection of an unmatchable tag are beyond the scope of this disclosure.
If the network identifier, such as the VLAN tag, matches the identifier of a cable modem on the cable connection of the CMTS at 44, the network identifier is removed at 48. A cable modem header or identifier is then attached at 50. This is similar to the outbound layer 2 network identifier for the aggregator example given previously. In some embodiments, this cable identifier may be a DOCSIS (Data Over Cable Services Interface Specification) header. DOCSIS is the current guiding specification for data over cable modem networks with which most cable equipment and network providers comply. The DOCSIS header will typically be generated with the appropriate SID and the traffic will be sent downstream to the appropriate cable modem at 52.
The processing of received local area network traffic at either the CMTS or the aggregator has some processes in common. The network device receives the traffic and discovers and/or examines the network identifier. The network device then determines whether there is a virtual private network associated with that identifier, as represented either by an associated cable service identifier in the case of a CMTS, or by the VLAN or pseudo-wire tag in the case of the hub/aggregator. An outbound identifier, either an outbound layer 2 network identifier or a service identifier, is then provided to the outbound traffic. The traffic is then routed to the appropriate receiving entity. The traffic may be altered as needed in the case of a CMTS, but both devices forward the data to the appropriate recipient.
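The CMTS downstream steps described above (tag look-up at 44, discard at 46, tag removal at 48, cable header at 50, transmit at 52), as an added example that is not part of the patent. The VLAN-to-SID table, the SIDs and the simplified DOCSIS-style header are constructed for illustration.

```python
import struct

# Constructed example table at the CMTS: VLAN tag -> (VPN name, downstream SID).
# A real CMTS learns this from the CM configuration file or a RADIUS lookup,
# as the text describes; these values are made up for the example.
VLAN_TO_VPN = {
    100: ("customer-a", 0x0101),
    200: ("customer-b", 0x0202),
}

ETHERTYPE_8021Q = 0x8100


def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, untagged_frame) for an 802.1Q frame, or None if untagged."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    vlan_id = tci & 0x0FFF                # low 12 bits of the TCI carry the VLAN ID
    untagged = frame[:12] + frame[16:]    # step 48: drop the 4-byte 802.1Q header
    return vlan_id, untagged


def docsis_header(sid: int, payload: bytes) -> bytes:
    """Constructed, simplified DOCSIS-style MAC header: FC byte, SID, length.

    Real DOCSIS headers carry more (HCS, BPI extended header); only the SID,
    which selects the receiving cable modem, matters for this example.
    """
    return struct.pack("!BHH", 0x00, sid, len(payload))


def cmts_downstream(frame: bytes):
    """Steps 44-52 of the text: look up the tag, drop on a miss, else re-header.

    Returns (sid, docsis_frame) on success, or (None, None) when the frame is
    untagged or its tag maps to no VPN on this CMTS (step 46: discard).
    """
    tagged = parse_vlan_tag(frame)
    if tagged is None:
        return None, None
    vlan_id, untagged = tagged
    entry = VLAN_TO_VPN.get(vlan_id)      # step 44: VLAN tag -> VPN / SID
    if entry is None:
        return None, None
    _vpn, sid = entry
    return sid, docsis_header(sid, untagged) + untagged   # steps 50-52


def build_frame(dst: bytes, src: bytes, vlan_id: int, payload: bytes) -> bytes:
    """Constructed 802.1Q frame: dst, src, TPID, TCI, inner EtherType, payload."""
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, 0x0800) + payload
```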
As mentioned above, the bridging task, that of mapping from the network identifier to the appropriate CMTS, is performed at a centralized entity. In a fully-meshed architecture, where each CMTS has a pseudo-wire for every customer and every other CMTS, the CMTS may perform the bridging function directly. The traffic does not flow back to the hub, but is handled by each CMTS. Referring to
An embodiment of a network device is shown in
A processor 64 performs the tasks of converting the traffic from cable traffic to network traffic or the reverse and providing the traffic with the correct routing based upon the service identifier or the network identifier. The service identifier will be used in embodiments where the network device is a CMTS, ensuring that the data is routed to the correct cable modem on the pseudo-wire. The network identifier may be used in embodiments where the network device is an aggregator. The conversion may involve a look up process, where the database or table being queried resides in the memory 68.
The cable connection 66 allows the device to communicate with the cable modems or the CMTS, depending upon whether the network device is a CMTS, which communicates with cable modems, or an aggregator that communicates with the CMTSes.
In the case of the aggregator that communicates with the CMTSes, the cable connection may be the same as the network connection or interface. As the CMTS functions generally to connect cable modems to a larger network, such as the Internet, and may use network protocols, the cable connection used by the aggregator to communicate with the CMTS may be the same type of interface as the outbound interface on the aggregator.
As discussed above, the network device providing the bridging function between the pseudo-wires may be the CMTS in the case of a fully meshed architecture. An embodiment of such an architecture is shown in
In
The CMTSes receive the cable modem to pseudo-wire mapping, or a cable modem to virtual private network mapping, where the pseudo-wires are associated with virtual private networks. This mapping is used to assign the network identifiers based upon the virtual private networks with which the cable modems are associated. This may be true for either the fully-meshed embodiment or the hub-and-spoke embodiment, upon registration of the cable modem with the CMTS through the CM configuration file, for example. Alternatively, the CMTS queries another server, such as a RADIUS (Remote Access Dial In User Services) server, using the cable modem MAC address. The pseudo-wire mapping for that CM can then be provided by the other server for download by the CMTS.
In either embodiment, the cable modem customers would receive LAN services across the cable network. This provides smaller entities with several sites the ability to use the cable network for connectivity, and still provides the features of having a LAN that would otherwise be unavailable for them. In order to ensure privacy of VPN traffic over the shared cable downstream we need to ensure that traffic cannot ‘leak’ into or out of the VPN.
To ensure that traffic does not leak out of the VPN, the CMTS must encrypt all downstream traffic belonging to the VPN. To ensure that traffic within the VPN does not leak out, the CMTS can use one encryption key per CM in the VPN for unicast traffic and a separate encryption key per VPN for non-unicast traffic based on the Baseline Privacy Interface (BPI) defined in DOCSIS. This ensures that unicast as well as multicast and broadcast traffic will not be visible to any CM that does not belong to that VPN.
The harder problem to solve is ensuring that non-VPN traffic does not enter the VPN. Today, unencrypted non-VPN traffic can potentially be forwarded into the VPN network by a CM, because the CM bases its downstream forwarding decision only on the destination MAC address. If the destination MAC address of the non-VPN traffic happens to overlap with a CPE device inside the VPN, the CM may incorrectly consider the traffic to be destined to that CPE and forward it into the VPN.
This incorrect forwarding can be avoided by adding a feature to the CM such that only encrypted packets are considered for forwarding by the CMs belonging to a VPN. Since all the traffic within the VPN is encrypted and the CMs have the decryption keys for that traffic, only that traffic would be forwarded by the CM. Unencrypted traffic that doesn't belong to any VPN, or traffic encrypted under a different key that belongs to a different VPN, will be dropped by the CM.
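The CM forwarding rule described above beside the MAC-only rule it replaces, as an added example that is not part of the patent. The XOR keystream is a constructed stand-in for BPI traffic encryption, and the SIDs, keys and MAC addresses are made up; the per-CM unicast key and per-VPN group key follow the scheme the text gives.

```python
import hashlib
from dataclasses import dataclass, field

BROADCAST = bytes.fromhex("ffffffffffff")


def toy_crypt(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for BPI encryption: XOR with a SHA-256 keystream.

    Symmetric, so the same call encrypts and decrypts. Not a real cipher; it
    only models 'readable by whoever holds the right key'.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class DownstreamFrame:
    sid: int            # downstream service identifier; 0 = no VPN, sent in clear
    encrypted: bool
    dst_mac: bytes
    body: bytes         # ciphertext when encrypted, plaintext otherwise


@dataclass
class CableModem:
    name: str
    cpe_macs: set                               # CPE devices behind this CM
    keys: dict = field(default_factory=dict)    # sid -> key this CM was given

    def _local(self, f: DownstreamFrame) -> bool:
        return f.dst_mac in self.cpe_macs or f.dst_mac == BROADCAST

    def forward_legacy(self, f: DownstreamFrame) -> bool:
        """Forwarding the text calls out as unsafe: destination MAC match only,
        so clear non-VPN traffic to an overlapping MAC leaks into the VPN."""
        return self._local(f)

    def forward_vpn(self, f: DownstreamFrame):
        """Hardened rule: forward only frames encrypted under a key this CM
        holds for the frame's SID. Returns the decrypted payload, or None
        when the frame is dropped (clear traffic, or another VPN's key)."""
        if not f.encrypted or f.sid not in self.keys or not self._local(f):
            return None
        return toy_crypt(self.keys[f.sid], f.body)


def cmts_send(sid: int, key: bytes, dst_mac: bytes, payload: bytes) -> DownstreamFrame:
    """CMTS side: every downstream VPN frame is encrypted under its SID's key
    (per-CM key for unicast, per-VPN key for broadcast/multicast)."""
    return DownstreamFrame(sid, True, dst_mac, toy_crypt(key, payload))
```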
Although there has been described to this point a particular embodiment for a method and apparatus for LAN services over a cable network, it is not intended that such specific references be considered as limitations upon the scope of this invention except in-so-far as set forth in the following claims.
This application is a continuation of, and claims priority to, the following provisional patent applications: 60/574,506, filed May 25, 2004; 60/574,876, filed May 26, 2004; 60/582,732, filed Jun. 22, 2004; 60/588,635, filed Jul. 16, 2004; and 60/590,509, filed Jul. 23, 2004.
Number | Date | Country
---|---|---
60574506 | May 2004 | US
60574876 | May 2004 | US
60582732 | Jun 2004 | US
60588635 | Jul 2004 | US
60590509 | Jul 2004 | US