Abstract: A method of establishing one or more secure channels between network devices comprises exchanging a base key pair between a first network device and a second network device, and for each of a plurality of policies, providing a nonce corresponding to that policy to the first and second devices. The method further comprises generating, for each of the plurality of policies, a session key that is a function of the base key pair and the policy nonce. The method comprises determining, at the first device, that a data packet matches a rule associated with a policy, encrypting the data with a session key that corresponds to the policy to produce an encrypted packet, and conveying the encrypted packet to the second device. At the second device, determining that the encrypted packet matches the rule associated with the policy, and decrypting the encrypted packet with the session key.

Abstract: In many secure communication systems, group keys are updated on a regular basis in order to maintain high security level. Decryption and encryption keys are typically updated simultaneously in policy enforcement points (PEPs). Such approach makes the respective communication system prone to dropping of network traffic. According to at least one embodiment, re-keying is performed by installing, at a first phase, a new decryption key at the PEPs without removing an old decryption key previously installed in the PEPs. At a second phase, a new encryption corresponding to the new decryption key is installed and an old encryption key corresponding to the old decryption is removed. At a third stage, the old decryption key and any other old decryption keys are removed from the PEPs.

Abstract: A buffer to buffer credit recovery mechanism is disclosed in which the ports involved in the credit recovery operation are synchronized while credit recovery is being enabled and during a credit recovery operation when credit recovery parameters are being reset. Buffer to buffer credit recovery involves exchanging primitive control signals and parameters during the login sequence to enable credit recovery. Once credit is lost; there may be a need for resetting a link to reset the credit recovery counters and BB credits. Both of these processes require synchronization between the ports involved in the credit recovery mechanism. This synchronization is achieved by enabling credit recovery during the Link Reset protocol negotiation and ensuring that no frames or R_RDYs are exchanged during the procedure.

Abstract: Multi-protocol label switching (MPLS) data is typically sent non-encrypted over MPLS-based networks. If encryption is applied to MPLS data frames and MPLS labels are encrypted, each node receiving any of the MPLS data frame would have to perform decryption in order to direct the data frames to a next node, therefore resulting in extra processing and data latency. According to an example embodiment, encryption and decryption mechanisms for MPLS data include encrypting/decrypting payload data while keeping the MPLS labels in the clear (i.e., unencrypted). A MPLS encryption label is also employed within the MPLS label stack to indicate that encryption is applied. The MPLS encryption label is inserted in the MPLS label stack when encrypting the payload and is removed when decrypting the payload.

Abstract: A buffer to buffer credit recovery mechanism is disclosed in which the ports involved in the credit recovery operation are synchronized while credit recovery is being enabled and during a credit recovery operation when credit recovery parameters are being reset. Buffer to buffer credit recovery involves exchanging primitive control signals and parameters during the login sequence to enable credit recovery. Once credit is lost; there may be a need for resetting a link to reset the credit recovery counters and BB credits. Both of these processes require synchronization between the ports involved in the credit recovery mechanism. This synchronization is achieved by enabling credit recovery during the Link Reset protocol negotiation and ensuring that no frames or R_RDYs are exchanged during the procedure.

Abstract: A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network.

Abstract: A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network.

Abstract: A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network.

Abstract: A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network.