Patents by Inventor Danny M. Nessett

Danny M. Nessett has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8935313
    Abstract: A technique for managing session setup for video on demand sessions involves caching information related to session setup for a session manager and then utilizing the cached information to set up a video on demand session for a client in response to a session setup request that is received from the client. Because information related to session setup is cached for the session manager, the session manager can utilize the information to establish a session without having to exchange messages with other video on demand elements, in particular other servers in the video on demand network. Reducing or eliminating the number of messages exchanged between video on demand elements enables video on demand sessions to be quickly and efficiently set up.
    Type: Grant
    Filed: February 23, 2006
    Date of Patent: January 13, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: W. Paul Sherer, Kirk Blattman, Danny M. Nessett, David Yates
  • Patent number: 8452885
    Abstract: A technique for managing the streaming of digital video content involves providing a unicast stream to a client in response to the playout status of the unicast stream at the client. In particular, a unicast stream is provided to a client based on whether or not the unicast stream is intended for real-time playout at the client. In order to preserve valuable network resources, if the client does not intend the unicast stream for real-time playout, the unicast stream is not provided to the client. Network resources can also be conserved by utilizing one session between a stream server and a client to support more than one active unicast stream between the stream server and the client in the case where at least one of the active unicast streams is not intended for real-time playout at the client.
    Type: Grant
    Filed: February 23, 2006
    Date of Patent: May 28, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: W. Paul Sherer, Kirk Blattman, Danny M. Nessett, David Yates
  • Patent number: 7480939
    Abstract: A method and system for using a key lease in a secondary authentication protocol after a primary authentication protocol has been performed is described. In one embodiment, the primary authentication protocol comprises a strong, secure, computationally complex authentication protocol. Moreover, the secondary authentication protocol comprises a less complex (compared to the primary authentication protocol) and less secure (compared to the primary authentication protocol) authentication protocol which can be performed in a length of time that is shorter than a length of time required to perform the primary authentication protocol. In an embodiment, the key lease includes context information.
    Type: Grant
    Filed: July 6, 2001
    Date of Patent: January 20, 2009
    Assignee: 3Com Corporation
    Inventors: Danny M. Nessett, Albert Young
  • Patent number: 7350076
    Abstract: In a computer network, a method of mutually authenticating a client device and a network interface, authenticating a user to the network and exchanging encryption keys. In one embodiment, the method comprises authenticating the client device at the local network device point, with which the client device exchanges an encryption key and then the user is authenticated by a central authentication server. In another embodiment, the method comprises authenticating the client device at the central authentication server, with which the client device exchanges a key which is passed to the network device with a secret shared between the central authentication server and the network device. In this embodiment, the user is also authenticated at the central authentication server.
    Type: Grant
    Filed: December 6, 2001
    Date of Patent: March 25, 2008
    Assignee: 3Com Corporation
    Inventors: Albert Young, Victor Chang, Danny M. Nessett
  • Patent number: 7073066
    Abstract: In a network access point, a method of processing encrypted communication. In one embodiment, the method comprises receiving from a wireless client a first message comprising first values for a first random number and information identifying the wireless client and the access point. In one embodiment, the method further comprises generating a second message comprising second values for a second random number and information identifying the access point and the wireless client. In one embodiment, the method further comprises sending the first values and the second values to an access point server, and subsequently the access point server generates a session key using the first and second values and third values provided by the access point server, such that the processes are shared by the access point and the access point server. The method further comprises distributing the session key to the wireless client and the access point.
    Type: Grant
    Filed: August 28, 2001
    Date of Patent: July 4, 2006
    Assignee: 3Com Corporation
    Inventor: Danny M. Nessett
  • Patent number: 7032242
    Abstract: A method and system for distributed network address translation with security features. The method and system allow Internet Protocol security protocol (“IPsec”) to be used with distributed network address translation. The distributed network address translation is accomplished with IPsec by mapping a local Internet Protocol (“IP”) address of a given local network device and an IPsec Security Parameter Index (“SPI”) associated with an inbound IPsec Security Association (“SA”) that terminates at the local network device. A router allocates locally unique security values that are used as the IPsec SPIs. A router used for distributed network address translation is used as a local certificate authority that may vouch for identities of local network devices, allowing local network devices to bind a public key to a security name space that combines a global IP address for the router with a set of locally unique port numbers used for distributed network address translation.
    Type: Grant
    Filed: March 17, 1999
    Date of Patent: April 18, 2006
    Assignee: 3Com Corporation
    Inventors: David Grabelsky, Michael S. Borella, Ikhlaq Sidhu, Danny M. Nessett
  • Patent number: 7028335
    Abstract: A method and system for distributed network address translation with security for controlling and limiting the disruption caused by denial of service attacks. The method and system have a first network device and a second network device on a first network, and a third network device on a second network external to the first network, with an established security association between the first network device and the third network device. The first network device specifies an external address of the third network device for the security association to the second network device, which stores the external address in a table. The second network device then maps at least one of an internal address and a security value to the external address in the table. Any packets sent from the third network device to the first network device are intercepted by the second network device, which determines the external address and security value of the packet.
    Type: Grant
    Filed: August 27, 1999
    Date of Patent: April 11, 2006
    Assignee: 3Com Corporation
    Inventors: Michael S. Borella, Gary Jaszewski, Danny M. Nessett
  • Patent number: 7024690
    Abstract: A process for mutual authentication of users and networks over an unsecured wireless communication channel. In one embodiment, sensitive information (e.g., passwords) is not communicated over the unsecured channel. Rather, hashed representations of user identifiers, passwords, etc., and randomly generated numbers are communicated between the client and the network during the log-in process. The representations may be encrypted with a one-way hash function such that it is not computationally feasible for an eavesdropper to decrypt. In one embodiment, the representation may be generated based on the user identifier, password and/or MAC address of a wireless LAN card.
    Type: Grant
    Filed: April 28, 2000
    Date of Patent: April 4, 2006
    Assignee: 3Com Corporation
    Inventors: Albert Young, Bob O'Hara, Danny M. Nessett, Joe Tsai, BoFu Chen
  • Patent number: 6920559
    Abstract: The present invention provides a method and system for using a key lease in a secondary authentication protocol after a primary authentication protocol has been performed. In one embodiment, the primary authentication protocol comprises a strong, secure, computationally complex authentication protocol. Moreover, the secondary authentication protocol comprises a less complex (compared to the primary authentication protocol) and less secure (compared to the primary authentication protocol) authentication protocol which can be performed in a length of time that is shorter than a length of time required to perform the primary authentication protocol. In one embodiment, a wireless client electronic system (WC) completes the primary authentication protocol with a wireless network access point electronic system of a wireless network (AP). When the WC is required to authenticate with another AP, the WC authenticates itself with another AP by using the secondary authentication protocol.
    Type: Grant
    Filed: April 28, 2000
    Date of Patent: July 19, 2005
    Assignee: 3Com Corporation
    Inventors: Danny M. Nessett, Albert Young, Bob O'Hara, Joe Tsai, BoFu Chen
  • Patent number: 6865673
    Abstract: A method of installing a network device in a packet-based data communication network and checking the authenticity of the installation includes: (a) communicating identification information of the device to a management system; (b) installing the device; (c) obtaining from a protocol address administrator a protocol address for the device; (d) sending a communication from the device to the management system; (e) conducting a key agreement protocol exchange between the device and the management system to establish a set of encryption keys; (f) using the set of encryption keys to provide mutual authentication by the device and the management system; (g) associating, within the management system, the time of the communication in step (d) with the identification information and the protocol address of the device; and (h) communicating from the management system to the administrator a message including the identification information, the protocol address and the time.
    Type: Grant
    Filed: March 21, 2000
    Date of Patent: March 8, 2005
    Assignee: 3Com Corporation
    Inventors: Danny M Nessett, Clive Dolphin, Alexander S Brown
  • Patent number: 6766453
    Abstract: The present invention provides a method and system for performing an authenticated Diffie-Hellman key agreement protocol over a network where the communicating parties share a secret key with a third party. In one embodiment, the network is a wireless network, wherein a wireless client electronic system (WC) and a network access point electronic system (AP) are the parties executing the authenticated Diffie-Hellman key agreement protocol. In this embodiment, the WC and the AP exchange a shared secret key for encrypting wireless communications between the wireless client electronic system and the network access point electronic system. In one embodiment, the WC shares a first secret key with a RADIUS server of the network. Similarly, the AP shares a second secret key with the RADIUS server of the network. The first and second secret keys are utilized for performing an authentication protocol.
    Type: Grant
    Filed: April 28, 2000
    Date of Patent: July 20, 2004
    Assignee: 3Com Corporation
    Inventors: Danny M. Nessett, Albert Young, Bob O'Hara, Joe Tsai, Bofu Chen
  • Patent number: 6606709
    Abstract: A security feature is added to the Wake On LAN packet protocol, and an extensible mechanism is provided allowing for other commands and options to be specified within the Wake On LAN packet. The protocol allows for signaling power management circuits in a host computer in response to messages received through a network interface. Logic coupled to the network interface detects a received network packet carrying a message from a source to the management circuits in the host computer. The logic includes security logic that is responsive to data in the packet to authenticate the source of the message, to accept the message and generate a signal to the management circuit in the host computer when the message passes authentication, and to discard the message when the message fails authentication.
    Type: Grant
    Filed: October 29, 2001
    Date of Patent: August 12, 2003
    Assignee: 3Com Corporation
    Inventors: Glenn W. Connery, Danny M. Nessett
  • Patent number: 6421734
    Abstract: Active networking techniques enable intermediate systems to determine whether data in a packet which is traversing the system is compressed, encrypted or otherwise dynamically processed. Based on this determination, the dynamic processing resources at the intermediate system are invoked or not. Thus, dynamic processing resources can be conserved. Active networking data is placed in packets flowing between end systems. The end system sending these packets may not know whether there are intermediate systems between it and the other end system that require knowledge about compressed data in the packet. It places the active networking data in packets so that any intermediate systems that can use knowledge of which packets contain compressed data may use the active networking data to make the determination.
    Type: Grant
    Filed: November 28, 2000
    Date of Patent: July 16, 2002
    Assignee: 3Com Corporation
    Inventors: Danny M. Nessett, Wenjun Luo
  • Patent number: 6393474
    Abstract: A system for providing policy management in a network that includes nodes operating in multiple protocol layers and having enforcement functions. Multiple network devices, such as routers, remote access equipment, switches, repeaters and network cards, and end system processes having security functions are configured to contribute to implementation of policy enforcement in the network. By distributing policy enforcement functionality to a variety of network devices and end systems, a pervasive policy management system is implemented. The policy management system includes a policy implementation component that accepts policy, i.e. instructions or rules, that define how the network device should behave when confronted with a particular situation.
    Type: Grant
    Filed: December 31, 1998
    Date of Patent: May 21, 2002
    Assignee: 3Com Corporation
    Inventors: Stuart Eichert, Danny M. Nessett, Wenjun Luo, Elaine Lusher
  • Patent number: 6311276
    Abstract: A security feature is added to the Wake On LAN packet protocol, and an extensible mechanism is provided allowing for other commands and options to be specified within the Wake On LAN packet. The protocol allows for signaling power management circuits in a host computer in response to messages received through a network interface. Logic coupled to the network interface detects a received network packet carrying a message from a source to the management circuits in the host computer. The logic includes security logic that is responsive to data in the packet to authenticate the source of the message, to accept the message and generate a signal to the management circuit in the host computer when the message passes authentication, and to discard the message when the message fails authentication. The message includes a message authentication code timestamp indicating a time at which the source produced the message and/or a random value token.
    Type: Grant
    Filed: August 25, 1998
    Date of Patent: October 30, 2001
    Assignee: 3Com Corporation
    Inventors: Glenn W. Connery, Danny M. Nessett
  • Patent number: 6311218
    Abstract: An intermediate system authenticates using cryptography. The authentication routine requires a user to supply a secret known only to the user before allowing data to be transmitted. The secret is never transmitted. The invention may be incorporated into an intermediate system, into intermediate system software, or into application specific integrated circuits designed for use in an intermediate system. The invention may include components that interact specifically with installed components in an end system or elsewhere in a network.
    Type: Grant
    Filed: October 28, 1997
    Date of Patent: October 30, 2001
    Assignee: 3Com Corporation
    Inventors: Vipin Kumar Jain, Danny M. Nessett, William Paul Sherer
  • Patent number: 6182149
    Abstract: Active networking techniques enable intermediate systems to determine whether data in a packet which is traversing the system is compressed, encrypted or otherwise dynamically processed. Based on this determination, the dynamic processing resources at the intermediate system are invoked or not. Thus, dynamic processing resources can be conserved. Active networking data is placed in packets flowing between end systems. The end system sending these packets may not know whether there are intermediate systems between it and the other end system that require knowledge about compressed data in the packet. It places the active networking data in packets so that any intermediate systems that can use knowledge of which packets contain compressed data may use the active networking data to make the determination.
    Type: Grant
    Filed: January 11, 1999
    Date of Patent: January 30, 2001
    Assignee: 3Com Corporation
    Inventors: Danny M. Nessett, Wenjun Luo
  • Patent number: 6115376
    Abstract: A method for improving network security in a network that includes a star configured interconnection device such as a repeater, a bridge or a switch, that has a plurality of ports adapted for connection to respective MAC layer devices includes storing authentication data in the star configured interconnection device that maps MAC addresses of end stations in the network to particular ports on the star configured interconnection device. Upon receiving a packet on a particular port, the process involves determining whether the packet carries a source address which the authentication data maps to the particular port. If the packet carries a source address which the authentication data maps to the particular port, then the packet is accepted. If the packet does not carry a source MAC address which the authentication maps to the port, then an authentication protocol is executed on the port to determine whether the MAC address originates from an authorized sender according to the authentication protocol.
    Type: Grant
    Filed: October 29, 1997
    Date of Patent: September 5, 2000
    Assignee: 3Com Corporation
    Inventors: W. Paul Sherer, Danny M. Nessett
  • Patent number: 6055236
    Abstract: Methods and system for locating network services with distributed network address translation. Digital certificates are created that allow an external network device on an external network, such as the Internet, to request a service from an internal network device on an internal distributed network address translation network, such as a stub local area network. The digital certificates include information obtained with a Port Allocation Protocol used for distributed network address translation. The digital certificates are published on the internal network so they are accessible to external network devices. An external network device retrieves a digital certificate, extracts appropriate information, and sends a service request packet to an internal network device on an internal distributed network address translation network. The external network device is able to locate and request a service from an internal network device.
    Type: Grant
    Filed: March 17, 1999
    Date of Patent: April 25, 2000
    Assignee: 3Com Corporation
    Inventors: Danny M. Nessett, David Grabelsky, Michael S. Borella, Ikhlaq S. Sidhu
  • Patent number: 6021495
    Abstract: A network intermediate system authenticates end systems attached to ports of the intermediate system. An authentication routine is called on a port each time an intermediate system detects any interruption in the physical connection with the port, including reboot of the end system connected to the port. Network data is not fully transmitted or received to any port that has not been authenticated. The invention distributes a user authentication to the point where an end system initially connects to a network, to prevent unauthorized reception or transmission of network data that is not prevented under existing network login systems. The invention may be incorporated into an intermediate system, into intermediate system software, or into application specific integrated circuits designed for use in an intermediate system. The invention may include components that interact specifically with installed components in an end system or elsewhere in a network.
    Type: Grant
    Filed: May 30, 1997
    Date of Patent: February 1, 2000
    Assignee: 3Com Corporation
    Inventors: Vipin Kumar Jain, Danny M. Nessett, William Paul Sherer