Abstract: A gateway apparatus supports differentiated secure communications among heterogeneous electronic devices. A communication port communicates via communication networks of different types with two or more associated devices having diverse secure communication capabilities. The gateway logic selectively authenticates the associated devices for group membership into a Secure Communication Group (SCG), and selectively communicates Secure Communication Group Keys (SCGKs) to the devices having the diverse secure communication capabilities for selectively generating session keys locally by the associated devices for mutual secure communication in accordance with the group membership of the associated devices in the SCG.

Abstract: A gateway apparatus supports differentiated secure communications among heterogeneous electronic devices. A communication port communicates via communication networks of different types with two or more associated devices having diverse secure communication capabilities. The gateway logic selectively authenticates the associated devices for group membership into a Secure Communication Group (SCG), and selectively communicates Secure Communication Group Keys (SCGKs) to the devices having the diverse secure communication capabilities for selectively generating session keys locally by the associated devices for mutual secure communication in accordance with the group membership of the associated devices in the SCG.

Abstract: A system authenticates in-vehicle electronic devices having unequal capabilities such as having varying different communication and processing capabilities. A Connected Vehicle Gateway portion of a selected in-vehicle device acts as an onboard authentication proxy and onboard key server functionality for other in-vehicle devices, and serves as an interface between an in-vehicle network and one or more associated external networks, thereby eliminating the need for explicit peer discovery protocol and the requirement of devices to perform key establishment with each individual communication peer. Instead, each in-vehicle device establishes the group keys as a result of its authentication with the onboard key server and uses the group keys to locally generate and update its session keys. The onboard key server selectively obtains the keys from one or more off-board authentication servers and distributes them to selected in-vehicle devices.

Abstract: A system authenticates in-vehicle electronic devices having unequal capabilities such as having varying different communication and processing capabilities. A Connected Vehicle Gateway portion of a selected in-vehicle device acts as an onboard authentication proxy and onboard key server functionality for other in-vehicle devices, and serves as an interface between an in-vehicle network and one or more associated external networks, thereby eliminating the need for explicit peer discovery protocol and the requirement of devices to perform key establishment with each individual communication peer. Instead, each in-vehicle device establishes the group keys as a result of its authentication with the onboard key server and uses the group keys to locally generate and update its session keys. The onboard key server selectively obtains the keys from one or more off-board authentication servers and distributes them to selected in-vehicle devices.

Abstract: In one embodiment, a plurality of spoke-to-hub virtual private network (VPN) tunnels are established from a spoke router located at an edge of a spoke network to a hub network. The spoke router is configured as an optimized edge routing (OER) node. The spoke router monitors a network statistic for each of a plurality of prefixes on each of the plurality of spoke-to-hub VPN tunnels. The monitored network statistic is analyzed to determine whether a distribution of traffic between the spoke network and the hub network can be optimized. In the event the distribution of traffic between the spoke network and the hub network can be optimized, traffic is redistributed on a per-prefix basis among the plurality of spoke-to-hub VPN tunnels based on the monitored network statistic, such that at least a portion of the traffic is routed over each of the plurality of spoke-to-hub VPN tunnels.

Abstract: In one embodiment, a plurality of spoke-to-hub virtual private network (VPN) tunnels are established from a spoke router located at an edge of a spoke network to a hub network. The spoke router is configured as an optimized edge routing (OER) node. The spoke router monitors a network statistic for each of a plurality of prefixes on each of the plurality of spoke-to-hub VPN tunnels. The monitored network statistic is analyzed to determine whether a distribution of traffic between the spoke network and the hub network can be optimized. In the event the distribution of traffic between the spoke network and the hub network can be optimized, traffic is redistributed on a per-prefix basis among the plurality of spoke-to-hub VPN tunnels based on the monitored network statistic, such that at least a portion of the traffic is routed over each of the plurality of spoke-to-hub VPN tunnels.

Abstract: A technique dynamically utilizes a plurality of multi-homed Virtual Private Network (VPN) tunnels from a client node to one or more enterprise networks in a computer network. According to the technique, a VPN client node, e.g., a “spoke,” creates a plurality of multi-homed VPN tunnels with one or more servers/enterprise networks, e.g., “hubs.” The spoke designates (e.g., for a prefix) one of the tunnels as a primary tunnel and the other tunnels as secondary (backup) tunnels, and monitors the quality (e.g., loss, delay, reachability, etc.) of all of the tunnels, such as, e.g., by an Optimized Edge Routing (OER) process. The spoke may then dynamically re-designate any one of the secondary tunnels as the primary tunnel for a prefix based on the quality of the tunnels to the enterprise. Notably, the spoke may also dynamically load balance traffic to the enterprise among the primary and secondary tunnels based on the quality of those tunnels.

Abstract: A technique dynamically creates and utilizes a plurality of multi-homed Virtual Private Network (VPN) tunnels from a client node of one spoke network to a client node of another spoke network in a computer network. According to the technique, a VPN client node, e.g., a “spoke,” creates at least one VPN tunnel with an enterprise network, e.g., a “hub.” Once the spoke-to-hub tunnel is established, the spoke may dynamically create a plurality of VPN tunnels with a peer spoke network, e.g., a “peer spoke.” The spoke designates (e.g., for a prefix) one of the tunnels as a primary tunnel and the other tunnels as secondary tunnels, and monitors the quality (e.g., loss, delay, reachability, etc.) of all of the dynamic tunnels, such as, e.g., by an Optimized Edge Routing (OER) process. The spoke may then dynamically re-designate any one of the secondary tunnels as the primary tunnel for a prefix based on the quality of the tunnels to the peer spoke.