Patents by Inventor Alvaro E. Retana

Alvaro E. Retana has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10225174
    Abstract: In one embodiment, a first router determines whether an interface coupling the first router to one or more second routers is transit-only. When the interface is transit-only, the first router generates an Open Shortest Path First (OSPF) Link State Advertisement (LSA) that includes an address for the interface and a designated network mask. The designated network mask operates as a transit-only identification that indicates the address should not be installed in a Routing Information Base (RIB) upon receipt of the OSPF LSA at the one or more second routers. When the network is not transit-only, the first router generates an OSPF LSA that includes the address for the interface but does not include the designated network mask, to permit installation of the address in a RIB upon receipt of the OSPF LSA at the one or more second routers.
    Type: Grant
    Filed: May 16, 2016
    Date of Patent: March 5, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Yi Yang, Alvaro E. Retana, James L. Ng, Abhay Roy, Alfred C. Lindem, Sina Mirtorabi, Timothy M. Gage, Syed Khalid Raza
  • Patent number: 9942145
    Abstract: Present disclosure relates to methods for preparing BGP update messages for transmission and processing received update messages. The methods are based on grouping path attributes common to a plurality of IP address prefixes into respective sets identified with respective set identifiers and, instead of duplicating path attributes in each BGP update message, including a respective identifier referring to a certain set of path attributes provided in an earlier BGP update message when sending subsequent update messages. Grouping of path attributes into individual sets associated with respective identifiers provides significant advantages by enabling re-use of the results of previous processing on both the sending and receiving sides associated with transmission of BGP update messages. In addition, such an approach limits the amount of information transmitted in the control plane because duplicate sets of path attributes may only be transmitted once and merely be referred to in subsequent update messages.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: April 10, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Yi Yang, Alvaro E. Retana, Steven Edward Moore, James L. Ng, Timothy M. Gage
  • Patent number: 9843498
    Abstract: Present disclosure relates to methods for preparing BGP update messages for transmission and processing received update messages. The methods are based on grouping path attributes common to a plurality of IP address prefixes into respective sets identified with respective set identifiers and, instead of duplicating path attributes in each BGP update message, including a respective identifier referring to a certain set of path attributes provided in an earlier BGP update message when sending subsequent update messages. Grouping of path attributes into individual sets associated with respective identifiers provides significant advantages by enabling re-use of the results of previous processing on both the sending and receiving sides associated with transmission of BGP update messages. In addition, such an approach limits the amount of information transmitted in the control plane because duplicate sets of path attributes may only be transmitted once and merely be referred to in subsequent update messages.
    Type: Grant
    Filed: July 20, 2015
    Date of Patent: December 12, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Yi Yang, Alvaro E. Retana, Steven Edward Moore, James L. Ng, Timothy M. Gage
  • Patent number: 9742670
    Abstract: In one embodiment, non-eligible distance vector protocol paths are used as backup paths. In one embodiment, the distance vector protocol is Enhanced Interior Gateway Protocol (EIGRP) and unless a path is a feasible successor for a destination, the path is not eligible as a backup path. Therefore, if there is no feasible successor, there is no eligible backup path. One embodiment avoids an initial delay in finding a replacement path for traffic by determining and installing a non-eligible backup path (e.g., a path that is not a feasible successor) in one or more forwarding tables. In this manner, the router can immediately forward packets over this non-eligible backup path until, for example, forwarding in the network can converge in light of the primary path being no longer available.
    Type: Grant
    Filed: March 24, 2014
    Date of Patent: August 22, 2017
    Assignee: Cisco Technology, Inc.
    Inventor: Alvaro E. Retana
  • Patent number: 9722919
    Abstract: In one embodiment, a router located at an exit edge of an autonomous system (AS) receives a data packet in a data plane, and determines a destination of the data packet and an associated AS-path information to the destination. The router may then insert the AS-path information into the data packet, and forwards the data packet with the AS-path information toward the destination, such that a receiving device in a destination AS can validate whether the data packet was routed through a path that was secure from a control plane perspective based on a collection of one or more insertions of AS-path information.
    Type: Grant
    Filed: January 22, 2014
    Date of Patent: August 1, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Roque Gagliano, Alvaro E. Retana, Keyur P. Patel, Burjiz F. Pithawala, Ed Kern, Carlos M. Pignataro
  • Patent number: 9722910
    Abstract: A method for controlling transit of routing messages in a network comprising multiple autonomous systems (AS) is disclosed. The method includes receiving, at a first AS, a routing message of an inter-AS routing protocol and identifying that the routing message comprises transit domain control (TDC) information specifying one or more autonomous systems to which the routing message may be propagated and/or one or more autonomous systems to which the routing message may not be propagated. The method further includes propagating the routing message from the first AS to a second AS in accordance with the TDC information.
    Type: Grant
    Filed: March 24, 2015
    Date of Patent: August 1, 2017
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Yi Yang, Alvaro E. Retana, Keyur Patel, Fabien Degouet
  • Patent number: 9654482
    Abstract: In one embodiment, a validation server in a computer network determines that an edge router of the computer network has blocked access to a desired server address based on the edge router not having authentication information for the desired server address. In response, the server creates a white-listing policy to temporarily allow access to the desired server address at the edge router, and sends the white-listing policy to the edge router. The validation server may then proceed with performing server fetching operations to the desired server address from the validation server while the white-listing policy is in effect, and instructs the edge device to remove the white-listing policy once the server fetching operations are completed.
    Type: Grant
    Filed: January 22, 2014
    Date of Patent: May 16, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Roque Gagliano, Alvaro E. Retana, Keyur P. Patel
  • Patent number: 9641430
    Abstract: In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.
    Type: Grant
    Filed: January 22, 2014
    Date of Patent: May 2, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Roque Gagliano, Alvaro E. Retana, Keyur P. Patel, Carlos M. Pignataro
  • Publication number: 20170026288
    Abstract: Present disclosure relates to methods for preparing BGP update messages for transmission and processing received update messages. The methods are based on grouping path attributes common to a plurality of IP address prefixes into respective sets identified with respective set identifiers and, instead of duplicating path attributes in each BGP update message, including a respective identifier referring to a certain set of path attributes provided in an earlier BGP update message when sending subsequent update messages. Grouping of path attributes into individual sets associated with respective identifiers provides significant advantages by enabling re-use of the results of previous processing on both the sending and receiving sides associated with transmission of BGP update messages. In addition, such an approach limits the amount of information transmitted in the control plane because duplicate sets of path attributes may only be transmitted once and merely be referred to in subsequent update messages.
    Type: Application
    Filed: July 29, 2015
    Publication date: January 26, 2017
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Yi Yang, Alvaro E. Retana, Steven Edward Moore, James L. Ng, Timothy M. Gage
  • Publication number: 20170026275
    Abstract: Present disclosure relates to methods for preparing BGP update messages for transmission and processing received update messages. The methods are based on grouping path attributes common to a plurality of IP address prefixes into respective sets identified with respective set identifiers and, instead of duplicating path attributes in each BGP update message, including a respective identifier referring to a certain set of path attributes provided in an earlier BGP update message when sending subsequent update messages. Grouping of path attributes into individual sets associated with respective identifiers provides significant advantages by enabling re-use of the results of previous processing on both the sending and receiving sides associated with transmission of BGP update messages. In addition, such an approach limits the amount of information transmitted in the control plane because duplicate sets of path attributes may only be transmitted once and merely be referred to in subsequent update messages.
    Type: Application
    Filed: July 20, 2015
    Publication date: January 26, 2017
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Yi Yang, Alvaro E. Retana, Steven Edward Moore, James L. Ng, Timothy M. Gage
  • Publication number: 20160285740
    Abstract: A method for controlling transit of routing messages in a network comprising multiple autonomous systems (AS) is disclosed. The method includes receiving, at a first AS, a routing message of an inter-AS routing protocol and identifying that the routing message comprises transit domain control (TDC) information specifying one or more autonomous systems to which the routing message may be propagated and/or one or more autonomous systems to which the routing message may not be propagated. The method further includes propagating the routing message from the first AS to a second AS in accordance with the TDC information.
    Type: Application
    Filed: March 24, 2015
    Publication date: September 29, 2016
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Yi Yang, Alvaro E. Retana, Keyur Patel, Fabien Degouet
  • Publication number: 20160261485
    Abstract: In one embodiment, a first router determines whether an interface coupling the first router to one or more second routers is transit-only. When the interface is transit-only, the first router generates an Open Shortest Path First (OSPF) Link State Advertisement (LSA) that includes an address for the interface and a designated network mask. The designated network mask operates as a transit-only identification that indicates the address should not be installed in a Routing Information Base (RIB) upon receipt of the OSPF LSA at the one or more second routers. When the network is not transit-only, the first router generates an OSPF LSA that includes the address for the interface but does not include the designated network mask, to permit installation of the address in a RIB upon receipt of the OSPF LSA at the one or more second routers.
    Type: Application
    Filed: May 16, 2016
    Publication date: September 8, 2016
    Inventors: Yi Yang, Alvaro E. Retana, James L. Ng, Abhay Roy, Alfred C. Lindem, Sina Mirtorabi, Timothy M. Gage, Syed Khalid Raza
  • Patent number: 9413636
    Abstract: One embodiment identifies all one-hop neighbor nodes and two-hop neighbor nodes of a node; determines an active set of one-hop neighbor nodes for the node, comprising: includes in the active set each one-hop neighbor node that is either an edge node or connected with at least one two-hop neighbor node with which no other one-hop neighbor nodes are connected; and if the active set is not yet complete, then: determine all combinations of one-hop neighbor nodes that are not already in the active set; and tests each combination in order of each combination's total-energy value to determine whether a specific combination is able to complete the active set; if no combination is able to complete the active set, then including all one-hop neighbor nodes in the active set; and communicates a message to each one-hop neighbor node in the active set indicating that it is in the active set.
    Type: Grant
    Filed: April 2, 2014
    Date of Patent: August 9, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Alvaro E. Retana, Michael Barnes, Russell I. White, Alan Patrick Sheridan, Stanley M. Ratliff
  • Patent number: 9356856
    Abstract: In one embodiment, a first router determines whether a network coupling the first router to one or more second routers is transit-only, wherein transit-only indicates connecting only routers to provide for transmission of data from router to router. When the network is transit-only, the first router generates an Open Shortest Path First (OSPF) Link State Advertisement (LSA) that includes an address for the network and a designated network mask. The designated network mask operates as a transit-only identification that indicates the address should not be installed in a Routing Information Base (RIB) upon receipt of the OSPF LSA at the one or more second routers. When the network is not transit-only, the first router generates an OSPF LSA that includes the address for the network but does not include the designated network mask, to permit installation of the address in a RIB upon receipt of the OSPF LSA at the one or more second routers.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: May 31, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Yi Yang, Alvaro E. Retana, James Ng, Abhay Roy, Alfred C. Lindem, III, Sina Mirtorabi, Timothy M. Gage, Syed Khalid Raza
  • Publication number: 20150295815
    Abstract: In one embodiment, an autonomous system (AS) policy-adaptive confederation selectively manipulates the ordered list of traversed AS's using AS's of members of the policy-adaptive confederation and/or the AS of the policy-adaptive confederation itself when advertising to routers of AS's outside the policy-adaptive confederation. In one embodiment, a first member router of a first autonomous system (AS) within a policy-adaptive confederation identified by a confederation AS receives from a second member router of a second AS within the policy-adaptive confederation a route advertisement for a first route associated with a first ordered AS list identifying one or more AS's within the policy-adaptive confederation. The first member advertises the first route associated with the first ordered AS list not including the confederation AS to a first external router external to the policy-adaptive confederation.
    Type: Application
    Filed: April 14, 2014
    Publication date: October 15, 2015
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Alvaro E. Retana, Pradosh Mohapatra
  • Publication number: 20150271069
    Abstract: In one embodiment, non-eligible distance vector protocol paths are used as backup paths. In one embodiment, the distance vector protocol is Enhanced Interior Gateway Protocol (EIGRP) and unless a path is a feasible successor for a destination, the path is not eligible as a backup path. Therefore, if there is no feasible successor, there is no eligible backup path. One embodiment avoids an initial delay in finding a replacement path for traffic by determining and installing a non-eligible backup path (e.g., a path that is not a feasible successor) in one or more forwarding tables. In this manner, the router can immediately forward packets over this non-eligible backup path until, for example, forwarding in the network can converge in light of the primary path being no longer available.
    Type: Application
    Filed: March 24, 2014
    Publication date: September 24, 2015
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventor: Alvaro E. Retana
  • Publication number: 20150207818
    Abstract: In one embodiment, a validation server in a computer network determines that an edge router of the computer network has blocked access to a desired server address based on the edge router not having authentication information for the desired server address. In response, the server creates a white-listing policy to temporarily allow access to the desired server address at the edge router, and sends the white-listing policy to the edge router. The validation server may then proceed with performing server fetching operations to the desired server address from the validation server while the white-listing policy is in effect, and instructs the edge device to remove the white-listing policy once the server fetching operations are completed.
    Type: Application
    Filed: January 22, 2014
    Publication date: July 23, 2015
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Roque Gagliano, Alvaro E. Retana, Keyur P. Patel
  • Publication number: 20150207728
    Abstract: In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.
    Type: Application
    Filed: January 22, 2014
    Publication date: July 23, 2015
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Roque Gagliano, Alvaro E. Retana, Keyur P. Patel, Carlos M. Pignataro
  • Publication number: 20150207729
    Abstract: In one embodiment, a router located at an exit edge of an autonomous system (AS) receives a data packet in a data plane, and determines a destination of the data packet and an associated AS-path information to the destination. The router may then insert the AS-path information into the data packet, and forwards the data packet with the AS-path information toward the destination, such that a receiving device in a destination AS can validate whether the data packet was routed through a path that was secure from a control plane perspective based on a collection of one or more insertions of AS-path information.
    Type: Application
    Filed: January 22, 2014
    Publication date: July 23, 2015
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Roque Gagliano, Alvaro E. Retana, Keyur P. Patel, Burjiz F. Pithawala, Ed Kern, Carlos M. Pignataro
  • Patent number: 9043487
    Abstract: A technique dynamically configures and verifies routing information of broadcast networks using link state protocols in a computer network. According to the novel technique, a router within the broadcast network receives a link state protocol routing information advertisement from an advertising router, e.g., a designated router or other adjacent neighbor. The router learns of a next-hop router (“next-hop”) to reach a particular destination from the advertisement, and determines whether the next-hop is located within the same broadcast network (e.g., subnet) as the designated router. If so, the router further determines whether the next-hop is directly addressable (i.e., reachable), such as, e.g., by checking for link adjacencies to the next-hop or by sending request/reply messages (e.g., echo messages or “ping” messages) to the next-hop. In the event the next-hop for the destination is not directly addressable by the router (e.g.
    Type: Grant
    Filed: April 18, 2006
    Date of Patent: May 26, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Alvaro E. Retana, Alfred C. Lindem, III, Russ White