Abstract: Methods for establishing a stateless extranet in a secure communication network include transmitting a consumer NHOP to a provider CPE from a consumer CPE in a control plane. The consumer NHOP is associated with at least one attribute of an NHOP, including an encryption key available with the consumer CPE, to establish a secure communication tunnel in a data plane. The consumer CPE receives a service definition over the control plane associated with a service available with the provider CPE. A service anchor point is created based on an identifier of the service definition. A network address translation (NAT) IP request is transmitted to the provider CPE. The consumer CPE receives a NAT IP from the provider CPE in response to the NAT IP request. The NAT IP is associated with the service anchor point of the consumer CPE. A stateless service is thereby instantiated on the consumer CPE.

Abstract: Embodiments of a secure communication network are disclosed. For secure communication of data packets, a method implemented in a core node, is presented. The method includes receiving a double encapsulated data packet associated with a first layer and a second layer of encapsulation/encryption. The method further includes decapsulating/decrypting a second layer of encapsulation/encryption to access a portion of the data packet and re-encapsulating/re-encrypting at least the accessed portion with another second layer of encapsulation/encryption. The method further includes transmitting the re-encapsulated/re-encrypted data packet to a subsequent node based on the accessed portion.

Abstract: Embodiments of a method of communicating a packet by a network address translation (NAT) enabled router, are described. In an embodiment, the method includes receiving a return packet to be communicated to a destination. The destination is associated with a first source address in the context of a forward packet. The method further includes determining a return path to transmit the return packet to the destination based on security association data. The security association data is pre-recorded in a routing table of the NAT enabled router when the forward packet is received, prior to receiving the return packet, over a forward path established between the NAT enabled router and an enterprise node. The security association data uniquely identifies the forward path as the return path.