Patents by Inventor David Cheriton

David Cheriton has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190205261
    Abstract: Systems, methods, and apparatuses for patching pages are described. For example, a method comprising: allocating a small size page and initializing the small size page; adding the allocated and initialized small size page to a small size page table to reflect usage of a patch of the huge size page; and setting an indication of usage of the patch in a page entry associated with the huge size page is described.
    Type: Application
    Filed: December 29, 2017
    Publication date: July 4, 2019
    Inventor: David CHERITON
  • Publication number: 20150194213
    Abstract: Improved memory management is provided according to a Hierarchical Immutable Content Addressable Memory Processor (HICAMP) architecture. In HICAMP, physical memory is organized as two or more physical memory blocks, each physical memory block having a fixed storage capacity. An indication of which of the physical memory blocks is active at any point in time is provided. A memory controller provides a non-duplicating write capability, where data to be written to the physical memory is compared to contents of all active physical memory blocks at the time of writing, to ensure that no two active memory blocks have the same data after completion of the non-duplicating write.
    Type: Application
    Filed: December 12, 2014
    Publication date: July 9, 2015
    Inventor: David A. Cheriton
  • Patent number: 7843926
    Abstract: A network system which includes a plurality of separate processing entities, an input output bus, and a network interface unit shared among the plurality of separate processing entities is disclosed. The network interface unit is coupled to the plurality of separate processing entities via the input output bus. The network interface unit has a plurality of memory access channels and each memory access channel is assigned to one processing entity.
    Type: Grant
    Filed: April 5, 2005
    Date of Patent: November 30, 2010
    Assignee: Oracle America, Inc.
    Inventors: Shimon Muller, Ariel Hendel, Yatin Gajjar, Michael Wong, Andreas Bechtolsheim, David Cheriton, Mohammad Issa, Aly Orady, Raju Penumatcha
  • Patent number: 7779126
    Abstract: A method and system for propagating filters to an upstream device. The method includes generating a filter at a first network device and sending information on the filter to a second network device located upstream from the first network device. The first network device then requests the second network device to install the filter.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: August 17, 2010
    Assignee: Cisco Technology, Inc.
    Inventor: David Cheriton
  • Publication number: 20070150898
    Abstract: The present invention includes a scheduling mechanism that fairly allocates a resource to a number of schedulable elements of which some are latency-sensitive. The invention tracks each element's use of the resource by determining the element's virtual time. An active element is selected from the elements that are ready to use the resource by determining the element that has the smallest effective virtual time. The effective virtual time is the element's actual virtual time modified by a borrowed virtual time value. When an element has a short-term need for the resource, it can borrow the privilege to run by borrowing virtual time. As the element uses the resource, it consumes virtual time according to its weight. When the elements are scheduled for the resource, the ready element having the smallest virtual time is selected. The invention enforces long-term fairness to each element while allowing latency-sensitive elements to be preferably selected.
    Type: Application
    Filed: June 20, 2006
    Publication date: June 28, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Kenneth Duda, David Cheriton
  • Patent number: 7120931
    Abstract: A method and system for generating filters based on analyzed flow data are disclosed. A method generally comprises separating the data into different network flows, analyzing at least one of the network flows, and detecting potentially harmful network flows. A filter is generated to prevent packets corresponding to the detected potentially harmful network flows from passing through the network device.
    Type: Grant
    Filed: August 31, 2000
    Date of Patent: October 10, 2006
    Assignee: Cisco Technology, Inc.
    Inventor: David Cheriton
  • Publication number: 20060155875
    Abstract: A system and method for efficiently searching long strings of data, such as network messages, is described. The system preferably includes an associative memory structure, having a plurality of content addressable memories (CAMs). The CAMs are hierarchically arranged such that the output of at least one CAM is used as the input to a second CAM. Preferably, a top-level CAM receives only a selected portion of the data string or network message as its input. The output of the top-level CAM is then joined with some or all of the remaining portions of the data string to form a new output that is provided to the CAM at the next lower level. The top-level CAM is programmed such that its output is substantially smaller (e.g., has fewer bits) than the selected data string portion that is input to the top-level CAM. The system can thus search data strings that are on the whole far longer than the widths of the respective CAMs forming the memory structure.
    Type: Application
    Filed: December 8, 2005
    Publication date: July 13, 2006
    Inventor: David Cheriton
  • Patent number: 7062658
    Abstract: A method and apparatus for protecting digital content. A secure digital appliance is disclosed for receiving communications coupled over a communication network. A private key of a private key and public key pair is stored in the secure digital appliance in such a way that the stored private key cannot be obtained by tampering with the secure digital appliance. Upon receipt of a session initiation message that is encrypted using the public key (of the private key and public key pair) the secure digital appliance decrypts the session initiation message using the stored private key to obtain a session key. The session key is then used to decrypt communications that include encrypted digital content. The secure digital appliance includes a local output device (e.g., a TV screen and/or speakers) that is operable to provide protected output of the digital content. The secure digital appliance does not contain any provision for output other than the protected output of digital content.
    Type: Grant
    Filed: September 10, 2001
    Date of Patent: June 13, 2006
    Assignee: CISCO Technology, Inc
    Inventors: David Cheriton, Andy Bechtolsheim
  • Patent number: 7054930
    Abstract: A method and system for propagating filters to an upstream device. The method includes generating a filter at a first network device and sending information on the filter to a second network device located upstream from the first network device. The first network device then requests the second network device to install the filter.
    Type: Grant
    Filed: October 26, 2000
    Date of Patent: May 30, 2006
    Assignee: Cisco Technology, Inc.
    Inventor: David Cheriton
  • Publication number: 20060104286
    Abstract: Methods and apparatus are disclosed herein for classifying packets using ternary and binary content-addressable memory stages to classify packets. One such system uses a stage of one or more TCAMs followed by a second stage of one or more CAMs (or alternatively some other binary associative memories such as hash tables or TRIEs) to classify a packet. One exemplary system includes TCAMs for handling input and output classification and a forwarding CAM to classify packets for Internet Protocol (IP) forwarding decisions on a flow label. This input and output classification may include, but is not limited to routing, access control lists (ACLs), quality of service (QoS), network address translation (NAT), encryption, etc. These IP forwarding decisions may include, but are not limited to IP source and destination addresses, protocol type, flags and layer 4 source and destination ports, a virtual local area network (VLAN) id and/or other fields.
    Type: Application
    Filed: December 28, 2005
    Publication date: May 18, 2006
    Applicant: CISCO TECHNOLOGY, INC., A CALIFORNIA CORPORATION
    Inventor: David Cheriton
  • Publication number: 20050201284
    Abstract: An extension to the conventional single rate microflow policer that provides dual rate policing with a minimum of extra resource utilization. Using the extended microflow policer, an aggressive TCP flow ramps up to exceed the policer rate, setting a burst drop flag. Once the flow rate exceeds the burst rate, a single packet is dropped and the burst drop flag is cleared. On seeing the single packet drop, the TCP sender is then expected to reduce its rate. Flows that do not back off will eventually exceed a higher, hard drop threshold and experience packet drop. An aggressive TCP rate thus oscillates around the burst rate, efficiently approaching the hard drop rate without exceeding it. The addition of only a single bit flag avoids the cost of a dual-rate policer and the tail drop behavior induced by a single rate policer.
    Type: Application
    Filed: April 29, 2005
    Publication date: September 15, 2005
    Inventor: David Cheriton
  • Publication number: 20050129019
    Abstract: A method for providing security groups based on the use of tunneling is disclosed. The method includes assigning a security group identifier (SGI) to a packet and classifying the packet based on the packet's SGI.
    Type: Application
    Filed: November 19, 2003
    Publication date: June 16, 2005
    Inventor: David Cheriton
  • Publication number: 20050089050
    Abstract: A method for using network address translation in switches and routers to define a virtual host as the source of a multicast channel within a single-source multicast model and to translate packet addresses from different multicast sources so that the packets appear to be originating from the virtual host. Address-translated packets are thus forwarded through a single-source multicast channel and received by the subscribing host(s)/clients as though the packets came from a single “virtual” source. This methodology can be used to map two or more sources simultaneously onto the same multicast channel. Such a mapping is useful, for example, to present multiple views of a sporting event video broadcast, provide advertisement insertion capability, or to support transparent fail-over to a backup video source in a critical multicast application. Subscribing client hosts in the multicast reception group simply subscribe to the single virtual host as the source of a multicast channel.
    Type: Application
    Filed: November 18, 2004
    Publication date: April 28, 2005
    Inventor: David Cheriton
  • Publication number: 20050018668
    Abstract: A method and apparatus for determining if a packet is a duplicate packet are disclosed. The method includes determining if a field of a duplicate packet map (DPM) indicates the packet is the duplicate packet. The determination is made using a packet summary value (PSV) corresponding to the packet. The apparatus (a network device, for example) includes a duplicate packet map (DPM), which can be used to make the foregoing determination.
    Type: Application
    Filed: July 24, 2003
    Publication date: January 27, 2005
    Inventor: David Cheriton