Abstract: A hash table data structure is provided that reduces the number of DMA operations, and if possible, the number of key comparisons, needed to traverse the table entries to find an entry that matches a key, especially with a bucket having several collisions. A new hash table entry called a “cumulative node” is introduced, which stores keys into a “key table” within the entry and includes pointers to metadata associated with the keys. The number of entries stored in the cumulative node depends on the size of the cumulative node, key size, and the size of the pointer type.

Abstract: A secure communication between computer systems over a network, such as the Internet, is performed utilizing an enhancement to the IKEv2 key exchange protocol that provides more security by exchanging the IKE_SA_INIT messages in a secure and protected manner. Cryptographic suites are utilized to encrypt and authenticate the IKE_SA_INIT exchange messages in order to prevent cyberattacks against such a messaging protocol.

Abstract: A secure communication between computer systems over a network, such as the Internet, is performed utilizing an enhancement to the IKEv2 key exchange protocol that provides more security by exchanging the IKE_SA_INIT messages in a secure and protected manner. Cryptographic suites are utilized to encrypt and authenticate the IKE_SA_INIT exchange messages in order to prevent cyberattacks against such a messaging protocol.

Abstract: A system for processing data packets includes memories with cache buffers that store flow tables and a flow index table, and a processor in communication with the memories. When the processor receives a data packet, it determines whether the flow index table includes a flow index table entry corresponding to the data packet. If the flow index table includes the required flow index table entry, the processor fetches cached instructions corresponding to the data packet from the flow index table and processes the data packet using the fetched instructions. If the flow index table does not include a flow index table entry for the data packet, then the processor fetches the instructions from the flow tables and stores these instructions in the cache buffers, thereby caching the instructions in the flow index table.

Abstract: A security enhancement to IPSec processing is achieved by changing the algorithms used at each re-key after expiration or termination of a Security Association session between two peer nodes. The solution enables an Internet Key Exchange to negotiate multiple algorithms to ensure that every renewed IPSec Security Association has a different algorithm combination, thereby making attempts at decryption by an attacker more difficult.

Abstract: A decentralized method for IPSec processing in virtual environments includes assigning a unique identifier to each of a set of compute nodes. Each compute node can emulate one or more virtual machines that generate IP packets for forwarding over a network (e.g., the Internet). An IP packet, received from a trusted source at a compute node, is encrypted and a trailer is appended to the encrypted packet. The trailer includes the unique identifier of the compute node. The encrypted packet with appended trailer is forwarded to a secure gateway that can perform an anti-replay check using stored parameters corresponding to the unique identifier in the trailer. In inbound processing, the unique identifier is inserted into a trailer appended to an encrypted packet by the security gateway and a VPN server directs the incoming encrypted packet to the appropriate compute node for forwarding to the virtual machine.

Abstract: A security enhancement to IPSec processing is achieved by changing the algorithms used at each re-key after expiration or termination of a Security Association session between two peer nodes. The solution enables an Internet Key Exchange to negotiate multiple algorithms to ensure that every renewed IPSec Security Association has a different algorithm combination, thereby making attempts at decryption by an attacker more difficult.

Abstract: A decentralized method for IPSec processing in virtual environments includes assigning a unique identifier to each of a set of compute nodes. Each compute node can emulate one or more virtual machines that generate IP packets for forwarding over a network (e.g., the Internet). An IP packet, received from a trusted source at a compute node, is encrypted and a trailer is appended to the encrypted packet. The trailer includes the unique identifier of the compute node. The encrypted packet with appended trailer is forwarded to a secure gateway that can perform an anti-replay check using stored parameters corresponding to the unique identifier in the trailer. In inbound processing, the unique identifier is inserted into a trailer appended to an encrypted packet by the security gateway and a VPN server directs the incoming encrypted packet to the appropriate compute node for forwarding to the virtual machine.

Abstract: A method for storing information in a memory using an IP address having numerical fields, where penultimate and ultimate memory banks for the IP address are allocated from the memory. A penultimate pointer is stored in a location of the penultimate memory bank indexed by the value of a penultimate numerical field in the IP address. The penultimate pointer points to the ultimate memory bank. The information is stored in a location of the ultimate memory bank indexed by the value of an ultimate numerical field in the IP address.

Abstract: A method and system for resolving a conflict between private internet protocol addresses assigned in a network between an internet protocol security remote access server (IRAS) and an internet protocol security remote access client (IRAC) arranged behind a network address translator (NAT) router in the network. By modifying internet key exchange version2 (IKEv2) and internet key exchange (IKE) protocol negotiations between IRAC and IRAS to include a private attribute used by IRAC to send all its internet protocol (IP) subnet addresses to IRAS, IRAS dynamically resolves any conflict of the IP addresses with that of its internal networks by mapping and assigning non-conflicting virtual IP addresses and network subnet addresses to IRAC for IRAC to access the internal networks of IRAS.

Abstract: A method and system for resolving a conflict between private internet protocol addresses assigned in a network between an internet protocol security remote access server (IRAS) and an internet protocol security remote access client (IRAC) arranged behind a network address translator (NAT) router in the network. By modifying internet key exchange version2 (IKEv2) and internet key exchange (IKE) protocol negotiations between IRAC and IRAS to include a private attribute used by IRAC to send all its internet protocol (IP) subnet addresses to IRAS, IRAS dynamically resolves any conflict of the IP addresses with that of its internal networks by mapping and assigning non-conflicting virtual IP addresses and network subnet addresses to IRAC for IRAC to access the internal networks of IRAS.