Decoupled control and data plane synchronization for IPSEC geographic redundancy

US11032378B2 · US · B2

Patent metadata
Field                 Value
Publication number    US-11032378-B2
Application number    US-201815994224-A
Country               US
Kind code             B2
Filing date           May 31, 2018
Priority date         May 31, 2017
Publication date      Jun 8, 2021
Grant date            Jun 8, 2021

Abstract

Official abstract text for this publication.

Embodiments disclosed herein relate to systems and methods for separately managing control and data plane contexts for a secure connection during a standby node switchover scenario. Primary and standby nodes for a secure connection can both maintain a data plane context for a secure connection such as IPSec. In the event that the primary node becomes inactive, the standby node can immediately begin processing data plane traffic using the data plane context for the secure connection maintained at the standby node. Control plane information necessary for programming and activating a control plane context can be stored until needed. During a switchover, the standby node can retrieve the control plane information and activate the control plane context after it has begun processing the data plane traffic.
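The switchover sequence the abstract describes (standby data plane already programmed, control plane recovered later from a shared store) is easier to see as a small state machine. The following simulation is an added illustration written for this page; it is not code from the patent or its assignee. Node, plane-state and parameter names, the in-memory "external database", and the SPI, address and key values are all constructed here. Note that the shared store holds IKE-side key material for every connection, so in a real deployment its access control matters as much as the gateways' own.

```python
from dataclasses import dataclass
from enum import Enum


class PlaneState(Enum):
    STANDBY = "standby"
    ACTIVE = "active"
    STATE_RECOVERY = "state_recovery"


@dataclass(frozen=True)
class DataPlaneParams:
    """What a standby needs to forward ESP traffic right away (constructed field set)."""
    conn_id: str
    spi: int
    peer_ip: str
    enc_alg: str
    auth_alg: str
    enc_key: bytes
    auth_key: bytes


@dataclass(frozen=True)
class ControlPlaneParams:
    """IKE-side parameters; the standby does not hold these until a switchover happens."""
    conn_id: str
    peer_ip: str
    enc_alg: str
    auth_alg: str
    enc_key: bytes
    auth_key: bytes


class ExternalDatabase:
    """Store reachable from both nodes (hypothetical stand-in; the patent names no product)."""
    def __init__(self):
        self._rows = {}

    def put(self, params):
        self._rows[params.conn_id] = params

    def get(self, conn_id):
        return self._rows[conn_id]


class Node:
    def __init__(self, name, db):
        self.name = name
        self.db = db
        self.data_plane = {}     # conn_id -> DataPlaneParams currently programmed
        self.control_plane = {}  # conn_id -> ControlPlaneParams currently programmed
        self.data_state = PlaneState.STANDBY
        self.control_state = PlaneState.STANDBY

    def establish(self, cp, dp):
        """Primary: program both planes, write only the control parameters to the shared store."""
        self.control_plane[cp.conn_id] = cp
        self.data_plane[dp.conn_id] = dp
        self.db.put(cp)
        self.data_state = self.control_state = PlaneState.ACTIVE
        return dp  # information pushed to the standby: at least the data plane parameters

    def program_standby(self, dp):
        """Standby: data plane active while the primary runs, control plane idle."""
        self.data_plane[dp.conn_id] = dp
        self.data_state = PlaneState.ACTIVE
        self.control_state = PlaneState.STANDBY

    def handle_data(self, conn_id, spi):
        dp = self.data_plane.get(conn_id)
        return self.data_state is PlaneState.ACTIVE and dp is not None and dp.spi == spi

    def handle_control(self, conn_id):
        return self.control_state is PlaneState.ACTIVE and conn_id in self.control_plane

    def begin_recovery(self, conn_id):
        """Entered once the primary is judged inactive; the data plane is already serving."""
        self.control_state = PlaneState.STATE_RECOVERY
        self.control_plane[conn_id] = self.db.get(conn_id)  # pull IKE parameters from the store

    def finish_recovery(self):
        self.control_state = PlaneState.ACTIVE


def build_pair():
    """Primary and standby sharing one store, with one IPsec connection established."""
    db = ExternalDatabase()
    primary, standby = Node("gw-a", db), Node("gw-b", db)
    cp = ControlPlaneParams("sa-1", "203.0.113.7", "aes-gcm-256", "hmac-sha256", b"\x11" * 32, b"\x22" * 32)
    dp = DataPlaneParams("sa-1", 0x10000001, "203.0.113.7", "aes-gcm-256", "hmac-sha256", b"\x33" * 32, b"\x44" * 32)
    standby.program_standby(primary.establish(cp, dp))
    return primary, standby


def run_switchover():
    """Primary goes dark; return (kind, served?, standby control state) for each event."""
    _primary, standby = build_pair()
    trace = []
    # First ESP packet lands on the standby: forwarded at once, control plane still in standby.
    trace.append(("data", standby.handle_data("sa-1", 0x10000001), standby.control_state.value))
    standby.begin_recovery("sa-1")
    # Control traffic waits until the control plane leaves state recovery; data keeps flowing.
    trace.append(("control", standby.handle_control("sa-1"), standby.control_state.value))
    trace.append(("data", standby.handle_data("sa-1", 0x10000001), standby.control_state.value))
    standby.finish_recovery()
    trace.append(("control", standby.handle_control("sa-1"), standby.control_state.value))
    return trace
```

The trace from `run_switchover()` shows the property the abstract claims: data packets are served from the first one onward, while control messages are refused until the standby has fetched the control parameters and left the recovery state. A packet with an unknown SPI is still dropped, since the standby only forwards traffic for connections it was programmed with.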

First claim

Opening claim text (preview).

The invention claimed is:

  1. A method for separately managing control and data context for a secure connection comprising:

    receiving, by a second node, information regarding an active secure connection, wherein the active secure connection is routed through a first node and comprises a secure control plane connection based on control plane parameters associated with the active secure connection and a secure data plane connection based on data plane parameters associated with the active secure connection, wherein the information includes at least the data plane parameters, wherein the secure control plane connection and the secure data plane connection are decoupled in accordance with a split architecture;

    programming, by the second node, a standby secure data plane connection using the data plane parameters such that a data plane of the second node is in an active state while the first node is active, wherein a control plane of the second node is in a standby state while the first node is active; and

    in response to a determination that the first node is inactive:

      routing, by the second node, data plane traffic associated with the active secure connection through the standby secure data plane connection;

      transitioning the control plane of the second node to a state recovery state;

      retrieving, by the second node, the control plane parameters from an external database that is accessible to the first node and the second node, the control plane parameters being stored in the external database by the first node;

      programming, by the second node, a new control plane connection based on the retrieved control plane parameters; and

      routing, by the second node, control plane traffic associated with the active secure connection through the new control plane connection after the control plane of the second node has transitioned from the state recovery state to the active state.

  2. The method of claim 1, wherein the determination is made by the second node in response to receiving data traffic associated with the active secure connection.

  3. The method of claim 1, where the determination is made by the second node in response to receiving a notification that the first node is inactive.

  4. The method of claim 1, wherein the active secure connection comprises an Internet Protocol Security (IPSec) connection.

  5. The method of claim 1, wherein the first and second nodes comprise virtual Evolved Packet Data Gateways, System Architecture Evolution (SAE) Gateways, Packet Data Network ("PDN") Gateways, Global Data Synchronization Network (GDSN), or N3IWF nodes.

  6. The method of claim 1, wherein the control plane parameters comprise at least one of: an IP address; an identifier for the active secure connection; an identifier for an authentication algorithm associated with the secure control plane connection; an identifier for an encryption algorithm associated with the secure control plane connection; at least one authentication key associated with the secure control plane connection; or at least one encryption key associated with the secure control plane connection.

  7. The method of claim 1, wherein the data plane parameters comprise at least one of: an IP address; an identifier for the active secure connection; an identifier for an authentication algorithm associated with the secure control plane connection; an identifier for an encryption algorithm associated with the secure control plane connection; at least one authentication key associated with the secure control plane connection; or at least one encryption key associated with the secure control plane connection.

  8. The method of claim 1, wherein the active secure connection comprises a connection between a user and the first node.

  9. The method of claim 1, wherein the active secure connection comprises a connection between the first node and an IP based server.

  10. A computer system for separately managing control and data context for a secure connection comprising: a processor in the computer system; a memory in communication with the processor, the memory including instructions configured to cause the processor to:

    receive, at a second node, information regarding an active secure connection, wherein the active secure connection is routed through a first node and comprises a secure control plane connection based on control plane parameters associated with the active secure connection and a secure data plane connection based on data plane parameters associated with the active secure connection, wherein the information includes at least the data plane parameters, wherein the secure control plane connection and the secure data plane connection are decoupled in accordance with a split architecture;

    program a standby secure data plane connection using the data plane parameters such that a data plane of the second node is in an active state while the first node is active, wherein a control plane of the second node is in a standby state while the first node is active; and

    in response to a determination that the first node is inactive:

      route data plane traffic associated with the active secure connection through the standby secure data plane connection;

      transition the control plane of the second node to a state recovery state;

      retrieve the control plane parameters from an external database that is accessible to the first node and the second node, the control plane parameters being stored in the external database by the first node;

      program a new control plane connection based on the retrieved control plane parameters; and

      route control plane traffic associated with the active secure connection through the new control plane connection after the control plane of the second node has transitioned from the state recovery state to the active state.

  11. The system of claim 10, wherein the determination is made in response to receiving traffic associated with the secure connection.

  12. The system of claim 10, where the determination is made in response to receiving a notification that the first node is inactive.

  13. The system of claim 10, wherein the secure connection comprises an Internet Protocol Security (IPSec) connection.

  14. The system of claim 10, wherein the first node and the second nodes comprise virtual Evolved Packet Data Gateways, System Architecture Evolution (SAE) Gateways, Packet Data Network ("PDN") Gateways, Global Data Synchronization Network (GDSN), or N3IWF nodes.

  15. The system of claim 10, wherein the control plane parameters comprise at least one of: an IP address; an identifier for the active secure connection; an identifier for an authentication algorithm associated with the secure control plane connection; an identifier for an encryption algorithm associated with the secure control plane connection; at least one authentication key associated with the secure control plane connection; or at least one encryption key associated with the secure control plane connection.

  16. The system of claim 10, wherein the data plane parameters comprise at least one of: an IP address; an identifier for the active secure connection; an identifier for an authentication algorithm associated with the secure control plane connection; an identifier for an encryption algorithm associated with the secure control plane connection; at least one authentication key associated with the secure control plane connection; or at least one encryption key associated with the secure control plane connection.

  17. The system of claim 10, wherein the active secure connection comprises a connection

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • using virtualisation of network functions or resources, e.g. SDN or NFV entities · CPC title

  • at the network layer · CPC title

  • for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection (management of faults, events, alarms or notifications in data switching networks H04L41/06) · CPC title

  • H04L67/145 (Primary)

    avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session · CPC title

  • by checking connectivity · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification H04L67/145. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 8, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).