Patents by Inventor Brian Weis

Brian Weis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9686186
    Abstract: A network device receives packets for one or more traffic flows to be sent into a network. The network device computes a flow identifier for each of the one or more traffic flows based on information contained in one or more headers of the packets for each of the one or more traffic flows and based on at least one value that is changed on an ongoing basis. The packets for each of the one or more traffic flows are encrypted to produce encrypted packets for each of the one or more traffic flows. An encapsulation is added to the encrypted packets for the one or more traffic flows. The flow identifier is included in a field of the encapsulation for a corresponding traffic flow.
    Type: Grant
    Filed: April 22, 2015
    Date of Patent: June 20, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Jose Liste, Brian Weis
  • Publication number: 20170033984
    Abstract: Presented herein are techniques in which one or more network devices can use information provided by a special purpose network connected device to retrieve a usage profile (i.e., configuration file) associated with the special purpose network connected device. The retrieved usage profile, which includes/describes preselected (predetermined) usage descriptions associated with the special purpose network connected device, can then be used to configure one or more network devices. For example, the predetermined usage descriptions associated with the special purpose network connected device can be instantiated and enforced at a network device or the predetermined usage descriptions can be used for auditing the special purpose network connected device (e.g., monitoring of traffic within the network).
    Type: Application
    Filed: January 27, 2016
    Publication date: February 2, 2017
    Inventors: Eliot Lear, Nancy Cam-Winget, Brian Weis
  • Patent number: 9544282
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: January 10, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Publication number: 20160380894
    Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.
    Type: Application
    Filed: September 7, 2016
    Publication date: December 29, 2016
    Inventors: Thamilarasu Kandasamy, Scott Fluhrer, Lewis Chen, Brian Weis
  • Publication number: 20160344713
    Abstract: Techniques are presented for optimizing secure communications in a network. As disclosed herein, a key server is configured to provision a plurality of routers that are part of a virtual private network. The key server selects a counter value that is part of a security association and calculates a key value. The key server sends the key value, together with the security association, to the plurality of routers that are part of the virtual private network to enable them to exchange encrypted packets with each other in the virtual private network using the key value and the security association. The key server then increments the counter value to a value within a range of counter values capable of being predicted by the plurality of routers that received the key value.
    Type: Application
    Filed: August 8, 2016
    Publication date: November 24, 2016
    Inventors: Lewis Chen, Scott Fluhrer, Warren Scott Wainner, Brian Weis
  • Publication number: 20160315853
    Abstract: A network device receives packets for one or more traffic flows to be sent into a network. The network device computes a flow identifier for each of the one or more traffic flows based on information contained in one or more headers of the packets for each of the one or more traffic flows and based on at least one value that is changed on an ongoing basis. The packets for each of the one or more traffic flows are encrypted to produce encrypted packets for each of the one or more traffic flows. An encapsulation is added to the encrypted packets for the one or more traffic flows. The flow identifier is included in a field of the encapsulation for a corresponding traffic flow.
    Type: Application
    Filed: April 22, 2015
    Publication date: October 27, 2016
    Inventors: Jose Liste, Brian Weis
  • Patent number: 9461914
    Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.
    Type: Grant
    Filed: April 7, 2014
    Date of Patent: October 4, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Thamilarasu Kandasamy, Scott Fluhrer, Lewis Chen, Brian Weis
  • Patent number: 9444796
    Abstract: Techniques are presented for optimizing secure communications in a network. A first router receives from a second router an encrypted packet with an unknown security association. The first router examines the packet to determine whether the counter value is in a range of predicted counter values. Additionally, a key server is configured to provision routers that are part of a virtual private network. The key server selects a counter value that is part of a security association and calculates a key value. The key server sends the key value together with the security association to enable routers to exchange encrypted packets with each other in the virtual private network using the key value and the security association. The key server increments the counter value to a value within a range of counter values capable of being predicted by the routers.
    Type: Grant
    Filed: April 9, 2014
    Date of Patent: September 13, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Lewis Chen, Scott Fluhrer, Warren Scott Wainner, Brian Weis
  • Patent number: 9374340
    Abstract: First and second nested virtual private networks share a common rekey service. A first key server generates first cryptographic keys and policies for use by gateways of the VPN to encrypt and decrypt data packets. The key server establishes a connection with a second key server to generate second cryptographic keys and policies independently of the first key server for use by encryption units of a second VPN that is nested with and operates independently of the first VPN. The first key server refreshes the first cryptographic keys in the first VPN gateways using a common rekey service, and cooperates with the second key server to refresh the second cryptographic keys in the second VPN encryption units using the common rekey service.
    Type: Grant
    Filed: April 21, 2014
    Date of Patent: June 21, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Hong Xu, Brian Weis, Jie Chu, Sheela Rowles
  • Publication number: 20160134606
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Application
    Filed: December 29, 2015
    Publication date: May 12, 2016
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Patent number: 9300642
    Abstract: In an embodiment, a method comprises establishing a first data communications session with a first router. In response to receiving a first request to establish a second data communications session, a probe message that is configured to test whether the first data communications session or the first router is responsive is sent to the first router. In response to determining that the first router has not acknowledged the probe message before a probe timer has expired, and receiving a second request to establish the second data communications session, the second data communications session with the first router is established and a state for the first data communications session is deleted.
    Type: Grant
    Filed: November 9, 2010
    Date of Patent: March 29, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Weis, Mahesh Jethanandani, Keyur Patel, Anantha Ramaiah
  • Patent number: 9253172
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Grant
    Filed: April 8, 2015
    Date of Patent: February 2, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Publication number: 20150304282
    Abstract: First and second nested virtual private networks share a common rekey service. A first key server generates first cryptographic keys and policies for use by gateways of the VPN to encrypt and decrypt data packets. The key server establishes a connection with a second key server to generate second cryptographic keys and policies independently of the first key server for use by encryption units of a second VPN that is nested with and operates independently of the first VPN. The first key server refreshes the first cryptographic keys in the first VPN gateways using a common rekey service, and cooperates with the second key server to refresh the second cryptographic keys in the second VPN encryption units using the common rekey service.
    Type: Application
    Filed: April 21, 2014
    Publication date: October 22, 2015
    Applicant: Cisco Technology, Inc.
    Inventors: Hong Xu, Brian Weis, Jie Chu, Sheela Rowles
  • Publication number: 20150295899
    Abstract: Techniques are presented for optimizing secure communications in a network. A first router receives from a second router an encrypted packet with an unknown security association. The first router examines the packet to determine whether the counter value is in a range of predicted counter values. Additionally, a key server is configured to provision routers that are part of a virtual private network. The key server selects a counter value that is part of a security association and calculates a key value. The key server sends the key value together with the security association to enable routers to exchange encrypted packets with each other in the virtual private network using the key value and the security association. The key server increments the counter value to a value within a range of counter values capable of being predicted by the routers.
    Type: Application
    Filed: April 9, 2014
    Publication date: October 15, 2015
    Applicant: Cisco Technology, Inc.
    Inventors: Lewis Chen, Scott Fluhrer, Warren Scott Wainner, Brian Weis
  • Publication number: 20150288603
    Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.
    Type: Application
    Filed: April 7, 2014
    Publication date: October 8, 2015
    Applicant: Cisco Technology, Inc.
    Inventors: Thamilarasu Kandasamy, Scott Fluhrer, Lewis Chen, Brian Weis
  • Publication number: 20150215298
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Application
    Filed: April 8, 2015
    Publication date: July 30, 2015
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Patent number: 9027114
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: May 5, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Patent number: 8983066
    Abstract: In an example embodiment, a key generation system (KGS) is used to generate private pairwise keys between peers belonging to a group. Each member of the group is provisioned with a set of parameters which allows each member to generate a key with any other member of the group; however, no group member can derive a key for pairings involving other group members. The private pairwise keys may be used to derive session keys between peers belonging to the group. Optionally, an epoch value may be employed to derive the private pairwise keys.
    Type: Grant
    Filed: April 28, 2009
    Date of Patent: March 17, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Johannes Petrus Kruys, David McGrew, Max Pritikin, Joseph Salowey, Brian Weis
  • Publication number: 20140281508
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Application
    Filed: March 12, 2013
    Publication date: September 18, 2014
    Applicant: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Publication number: 20140258532
    Abstract: In an embodiment, a method is performed by one or more processors and comprises obtaining a hiatus declaration that indicates that a network device will be incommunicable; suspending communication with the network device until expiration of a hiatus time period during which the network device is expected to be incommunicable; resuming communication with the network device in response to any of: determining that the hiatus time period has expired; obtaining a keep-alive message from the network device; or obtaining other indication that the network device can communicate.
    Type: Application
    Filed: May 19, 2014
    Publication date: September 11, 2014
    Applicant: Cisco Technology, Inc.
    Inventor: Brian Weis
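Worked example for patent 9686186 and publication 20160315853 (the flow identifier carried in the encapsulation). The Python below is added here and is not code from the patent or from Cisco. It assumes a keyed hash (HMAC-SHA256) over the inner 5-tuple plus a rotating epoch value as the way the identifier is computed, a 20-bit identifier in a 4-byte outer header, and a fixed byte string standing in for the already-encrypted packet; all three are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

FLOW_ID_BITS = 20   # width of the flow identifier field (assumption for this example)


def flow_identifier(device_key, five_tuple, rotating_value, bits=FLOW_ID_BITS):
    """Flow ID from the inner header fields plus a value that changes over time.

    Keyed hashing keeps the mapping from 5-tuple to identifier private to the
    sending device, and the rotating value re-randomises it each period: an
    observer sees a stable label per flow within a period but cannot recover
    the inner addresses and ports, which travel encrypted.
    """
    src, dst, proto, sport, dport = five_tuple
    msg = struct.pack(
        "!4s4sBHHQ",
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
        proto, sport, dport, rotating_value,
    )
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << bits) - 1)


def encapsulate(device_key, five_tuple, ciphertext, rotating_value):
    """Prefix the encrypted packet with an outer header that carries the flow ID.

    Outer header layout (assumption): 4 bytes, low FLOW_ID_BITS hold the ID.
    """
    fid = flow_identifier(device_key, five_tuple, rotating_value)
    return struct.pack("!I", fid) + ciphertext


def outer_flow_id(encapsulated):
    """What a load balancer or monitor can read without holding any key."""
    return struct.unpack("!I", encapsulated[:4])[0] & ((1 << FLOW_ID_BITS) - 1)


# Constructed inputs for a run.
DEVICE_KEY = hashlib.sha256(b"constructed device secret").digest()
FLOW = ("10.1.2.3", "10.9.8.7", 6, 40000, 443)      # src, dst, proto, sport, dport
CIPHERTEXT = b"\x00" * 64                             # stands in for the encrypted packet

if __name__ == "__main__":
    epoch0 = 1700000000 // 300          # rotate the value every 300 s (assumption)
    epoch1 = epoch0 + 1
    pkt_a = encapsulate(DEVICE_KEY, FLOW, CIPHERTEXT, epoch0)
    pkt_b = encapsulate(DEVICE_KEY, FLOW, CIPHERTEXT, epoch0)
    pkt_c = encapsulate(DEVICE_KEY, FLOW, CIPHERTEXT, epoch1)
    print("same flow, same period:", outer_flow_id(pkt_a) == outer_flow_id(pkt_b))
    print("same flow, next period:", outer_flow_id(pkt_a), outer_flow_id(pkt_c))
```

Within one rotation period the same flow always gets the same label, so a path selector can keep it on one path without seeing the inner headers; when the rotating value changes, the label changes and a long-lived flow may be re-spread. How often to rotate is a tradeoff the abstract leaves open.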
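Worked example for the address-update exchange in patents 9544282, 9253172 and 9027114 and publications 20160134606, 20150215298 and 20140281508, with both the node and the key server side shown. This is added code, not from the patents or from Cisco. Assumptions made here: group members share one group key as their "first keying information"; the update message is authenticated with an HMAC under that key; receivers consult the key server's membership table for a packet's source address; and the cipher is an HMAC-SHA256 counter-mode construction standing in for a real AEAD.

```python
import hashlib
import hmac


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher in this example."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC. The nonce must be unique per message under one key."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_(key, nonce, ct, tag):
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyServer:
    """Tracks which network address currently belongs to which group member."""

    def __init__(self, group_key):
        self.group_key = group_key
        self.members = {}                     # address -> member name

    def register(self, name, address):
        self.members[address] = name
        return {"keying": self.group_key}     # the 'first keying information'

    def handle_update(self, msg):
        """Update message {old, new, mac}; the MAC is keyed with the existing keying."""
        if msg["old"] not in self.members:
            return False
        expected = hmac.new(self.group_key, f"{msg['old']}|{msg['new']}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False
        self.members[msg["new"]] = self.members.pop(msg["old"])
        return True


class Node:
    def __init__(self, name, address, key_server):
        self.name, self.address, self.ks = name, address, key_server
        self.key = key_server.register(name, address)["keying"]

    def move_to(self, new_address):
        """Obtained a second address: tell the key server, keep the same keying."""
        mac = hmac.new(self.key, f"{self.address}|{new_address}".encode(),
                       hashlib.sha256).hexdigest()
        msg = {"old": self.address, "new": new_address, "mac": mac}
        if self.ks.handle_update(msg):          # models sending the update to the key server
            self.address = new_address
            return True
        return False

    def send(self, plaintext, nonce):
        ct, tag = seal(self.key, nonce, plaintext)
        return {"src": self.address, "nonce": nonce, "ct": ct, "tag": tag}

    def receive(self, msg):
        """Accept only from addresses the key server currently maps to a member."""
        if msg["src"] not in self.ks.members:
            return None
        return open_(self.key, msg["nonce"], msg["ct"], msg["tag"])


if __name__ == "__main__":
    ks = KeyServer(group_key=hashlib.sha256(b"constructed group key").digest())
    a, b = Node("A", "10.0.0.1", ks), Node("B", "10.0.0.2", ks)
    print(a.move_to("10.0.5.7"))                        # True, and no new key exchange
    print(b.receive(a.send(b"hello from the new address", nonce=b"n-0001")))
```

The point the abstract makes is visible in `move_to`: the node's `key` never changes across the move, only the key server's address-to-member mapping does. Authenticating the update under the existing keying is what stops an outsider from re-pointing a member's address; without it, `handle_update` would accept any `{old, new}` pair.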
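Worked example for patent 9461914 and publications 20160380894 and 20150288603 (the router-side MTU check and encapsulation). Added code, not from the patent or from Cisco. It assumes IPv4 without options for both inner and outer headers and IP-in-IP (protocol 4) as the outer protocol; the abstract fixes neither, so both are assumptions for the illustration.

```python
import ipaddress
import struct

IPIP_PROTO = 4   # outer header protocol (assumption; the abstract names none)
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header):
    """Standard one's-complement checksum over the header bytes (0 when valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(packet):
    (_, _, total_len, _, _, _, proto, _, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "total_len": total_len}


def forward_from_subnet(packet, router_addr, mtu):
    """The router-side decision from the abstract.

    Returns (action, packet): a packet no larger than the MTU passes unchanged;
    a larger one is wrapped in an outer header whose destination is the
    original destination and whose source is the router itself.
    """
    hdr = parse_ipv4(packet)
    if hdr["total_len"] <= mtu:
        return "pass", packet
    outer = build_ipv4(router_addr, hdr["dst"], IPIP_PROTO, packet)
    return "encapsulated", outer


if __name__ == "__main__":
    # Constructed packets from a protected device (UDP payloads of two sizes).
    small = build_ipv4("10.0.0.5", "10.0.1.9", 17, b"A" * 100)
    big = build_ipv4("10.0.0.5", "10.0.1.9", 17, b"A" * 1500)
    for pkt in (small, big):
        action, out = forward_from_subnet(pkt, router_addr="192.0.2.1", mtu=1500)
        print(action, parse_ipv4(out))
```

Note that the encapsulated packet is 20 bytes longer than the one that already exceeded the MTU; what the router does with it next is outside the abstract and outside this example.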
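Worked example for patent 9444796 and publications 20160344713 and 20150295899 (counter-derived keys and the predicted counter range). Added code, not from the patent or from Cisco. Assumptions: the key value for a counter is HMAC-SHA256 of the counter under a seed the key server distributes with the security association; routers predict up to four counters ahead of the one they last installed; and packets are protected with an HMAC only, since the point here is the unknown-SA handling rather than the cipher.

```python
import hashlib
import hmac
import struct

WINDOW = 4   # how far ahead of its installed counter a router will predict (assumption)


def derive_key(seed, counter):
    """Key value for one counter (assumption: HMAC-SHA256 of the counter under a seed)."""
    return hmac.new(seed, struct.pack("!Q", counter), hashlib.sha256).digest()


class KeyServer:
    def __init__(self, seed, counter):
        self.seed = seed
        self.counter = counter

    def provision(self):
        """Security association handed to every router in the VPN."""
        return {"seed": self.seed, "counter": self.counter,
                "key": derive_key(self.seed, self.counter), "window": WINDOW}

    def rekey(self):
        self.counter += 1                     # stays within the routers' predicted range
        return self.provision()


class Router:
    def __init__(self, sa):
        self.seed, self.window = sa["seed"], sa["window"]
        self.counter = sa["counter"]
        self.keys = {sa["counter"]: sa["key"]}

    def install(self, sa):
        self.counter = sa["counter"]
        self.keys[sa["counter"]] = sa["key"]

    def key_for(self, counter):
        """Known SA: use it. Unknown but within the predicted range: derive it. Else reject."""
        if counter in self.keys:
            return self.keys[counter]
        if self.counter < counter <= self.counter + self.window:
            self.keys[counter] = derive_key(self.seed, counter)
            return self.keys[counter]
        return None

    def protect(self, payload):
        counter = self.counter
        header = struct.pack("!Q", counter)
        tag = hmac.new(self.keys[counter], header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def verify(self, packet):
        counter = struct.unpack("!Q", packet[:8])[0]
        payload, tag = packet[8:-32], packet[-32:]
        key = self.key_for(counter)
        if key is None:
            return None
        expected = hmac.new(key, packet[:8] + payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    ks = KeyServer(seed=hashlib.sha256(b"constructed seed").digest(), counter=100)
    a, b = Router(ks.provision()), Router(ks.provision())
    a.install(ks.rekey())                 # a has moved to counter 101, b has not yet
    print(b.verify(a.protect(b"hello")))  # b predicts 101, derives the key and accepts
```

The bounded window is what makes the unknown-SA path safe to expose: a counter outside it is dropped before any derivation, so a peer that has not yet heard from the key server tolerates a small skew but not an arbitrary counter in a spoofed packet.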
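Worked example for patent 9300642 (probing an existing session before a second request is allowed to replace it). Added code, not from the patent or from Cisco. Time is passed in as a plain number so the run is deterministic, and the probe is a dictionary handed to a caller-supplied send function; the abstract fixes neither the probe format nor the transport, so both are assumptions for the illustration.

```python
import itertools


class SessionManager:
    """Decide whether a new session request may replace an existing session.

    The first request that arrives while a session already exists does not
    replace it; it triggers a probe of the existing session. Only when the
    probe goes unanswered past its timer and the request is repeated is the
    old state deleted and the new session established.
    """

    def __init__(self, probe_timeout, send):
        self.probe_timeout = probe_timeout
        self.send = send                    # callable(router, message)
        self.sessions = {}                  # router -> session id
        self.probe_deadline = {}            # router -> time the probe timer expires
        self._ids = itertools.count(1)

    def _establish(self, router):
        self.sessions[router] = next(self._ids)
        return self.sessions[router]

    def request(self, router, now):
        """Handle a request from `router` to establish a (new) session."""
        if router not in self.sessions:
            self._establish(router)
            return "established"
        deadline = self.probe_deadline.get(router)
        if deadline is None:
            # First request while a session exists: probe rather than trust it.
            self.probe_deadline[router] = now + self.probe_timeout
            self.send(router, {"type": "probe", "session": self.sessions[router]})
            return "probe-sent"
        if now > deadline:
            # Probe unanswered and the request repeated: drop old state, start afresh.
            del self.probe_deadline[router]
            del self.sessions[router]
            self._establish(router)
            return "replaced"
        return "waiting"

    def probe_ack(self, router, session):
        """The existing session answered: keep it and forget the probe."""
        if self.sessions.get(router) == session and router in self.probe_deadline:
            del self.probe_deadline[router]
            return True
        return False


if __name__ == "__main__":
    sent = []
    mgr = SessionManager(probe_timeout=5, send=lambda r, m: sent.append((r, m)))
    print(mgr.request("r1", now=0))    # established
    print(mgr.request("r1", now=10))   # probe-sent
    print(mgr.request("r1", now=12))   # waiting
    print(mgr.request("r1", now=16))   # replaced (deadline was 15)
    print(sent)
```

Without the probe step, any second request would replace a live session outright; with it, a session that answers the probe survives and the request is simply re-probed.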
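Worked example for patent 8983066 (a key generation system provisioning per-member parameters from which any pairwise key in the group can be computed, with an epoch mixed into the derived key). Added code, not from the patent or from Cisco. The construction used here is Blom's scheme, the classic KGS with exactly the stated property that a member can compute a key with any peer but not a key for a pair it is not part of; the abstract does not say which construction the patent uses, so that choice, the field prime and the collusion threshold are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1   # public prime field modulus (a Mersenne prime; assumption)
T = 3              # up to T colluding members learn nothing about other pairs (assumption)


def kgs_setup(t=T, p=P, rand=secrets.randbelow):
    """KGS secret: a random symmetric (t+1)x(t+1) matrix over GF(p)."""
    d = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            d[i][j] = d[j][i] = rand(p)
    return d


def _powers(x, t, p):
    return [pow(x, k, p) for k in range(t + 1)]


def provision(d, member_id, p=P):
    """Per-member parameters: the row D * v(id), with v(id) = (1, id, id^2, ..., id^t).

    Handed out once at enrolment; the member never needs the matrix itself.
    """
    t = len(d) - 1
    v = _powers(member_id, t, p)
    return [sum(d[i][j] * v[j] for j in range(t + 1)) % p for i in range(t + 1)]


def pairwise_secret(own_row, peer_id, p=P):
    """v(own)^T D v(peer); D is symmetric, so both members compute the same value."""
    v = _powers(peer_id, len(own_row) - 1, p)
    return sum(a * b for a, b in zip(own_row, v)) % p


def session_key(shared, epoch):
    """Bind the pairwise secret to an epoch so keys roll without re-enrolling anyone."""
    return hmac.new(shared.to_bytes(16, "big"), epoch.to_bytes(8, "big"), hashlib.sha256).digest()


if __name__ == "__main__":
    d = kgs_setup()
    alice, bob = 11, 42                       # public member identifiers (constructed)
    row_alice, row_bob = provision(d, alice), provision(d, bob)
    k_ab = session_key(pairwise_secret(row_alice, bob), epoch=1)
    k_ba = session_key(pairwise_secret(row_bob, alice), epoch=1)
    print(k_ab == k_ba, k_ab.hex()[:16])
```

One caveat that belongs with this construction: Blom's scheme is threshold-secure, not unconditionally so. Any T+1 members pooling their rows can reconstruct the matrix and every pairwise key, so T has to be chosen against the number of members an attacker could plausibly compromise, and the epoch only rolls keys forward, it does not repair that.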