Abstract: A home agent assigns disjoint ranges of port numbers to mobile nodes that share a global IP address. In response to a registration request message from a mobile node, the home agent transmits to the mobile node its assigned range of port numbers, as an extension to a registration reply message. The home agent maintains data records for the mobile nodes that have registered with it, wherein a data record for a mobile node includes its global IP address, its assigned range of port numbers, and its current address. When the home agent receives data packets destined for one of these registered mobile nodes, as determined from the destination address and destination port number specified in the data packets, the home agent forwards the data packets to the current address listed in the mobile node's data record.

Abstract: A method and system for distributed network address translation with security features. The method and system allow Internet Protocol security protocol (“IPsec”) to be used with distributed network address translation. The distributed network address translation is accomplished with IPsec by mapping a local Internet Protocol (“IP”) address of a given local network device and a IPsec Security Parameter Index (“SPI”) associated with an inbound IPsec Security Association (“SA”) that terminates at the local network device. A router allocates locally unique security values that are used as the IPsec SPIs. A router used for distributed network address translation is used as a local certificate authority that may vouch for identities of local network devices, allowing local network devices to bind a public key to a security name space that combines a global IP address for the router with a set of locally unique port numbers used for distributed network address translation.

Abstract: A method and system for distributed network address translation with security for controlling and limiting the disruption caused by denial of service attacks. The method and system have a first network device and a second network device on a first network, and a third network device on a second network external to the first network, with an established security association between the first network device and the third network device. The first network device specifies an external address of the third network device for the security association to the second network device, which stores the external address in a table. The second network device then maps at least one of an internal address and a security value to the external address in the table. Any packets sent from the third network device to the first network device are intercepted by the second network device, which determines the external address and security value of the packet.

Abstract: The present invention provides a method to support the delivery of the IP address of a secondary address server to a dial-up remote access client. The secondary address server may be an RSIP server, with which the client may perform an RSIP negotiation resulting in the client being assigned an IP address associated with the RSIP server.

Abstract: A GRE tunnel initiator and a tunnel endpoint can exchange GRE Heartbeat messages to provide status information about the tunnel endpoint. The tunnel endpoint can send the tunnel initiator a GRE Heartbeat message through an established GRE tunnel. The GRE Heartbeat messages can be sent at different times while the GRE tunnel is active, and they can indicate to the GRE tunnel initiator that the tunnel endpoint remains active.

Abstract: A method and system for re-direction and handoff for pre-paid mobile services in third generation (“3G”) networks. A handoff marker is created and used for wireless mobile nodes such as Mobile Internet Protocol (“Mobile IP”) nodes. The handoff markers allow the wireless mobile nodes to use pre-paid mobile services, have active communications sessions suspended and re-directed to a registration server when purchased pre-paid mobile services run-out. The registration server allows the wireless mobile node to electronically purchase additional pre-paid mobile services and immediately resume a suspended communications session. The handoff markers also allows network devices in a mobile network to determine between initiation of a new communications session or a hard handoff of an existing communication session, without adversely affecting pre-paid billing services.

Abstract: A system and method for switching security associations between network devices. The system and method includes a first, a second, and a third network device, with a first secure communication being established between the first and second network devices, and a second secure communication being established between the first and third network devices. Both secure communications may have replay prevention enabled. In addition, the first secure communication has a security association and a pre-defined sequence number limit less than a maximum sequence number, while the second secure communication has the same security association as the first secure communication, but an initial sequence number greater than the pre-defined sequence number limit. The system and method may also have a fourth network device with security information corresponding to the security association. The fourth network device is capable of passing the security information from the first network device to the third network device.

Abstract: A method and system for network security includes a first network device having a first set of key material with a base key and a key extension, and a second network device also having the first set of key material and a second set of key material with a second base key. The second network device is capable of communicating with the first network device using security determined by the first set of key material. The method and system for network security may further include a third network device having the second set of key material. The third network device is capable of communicating with the second network device using security determined by the second set of key material. For the present method and system, security determined by the first set of key material is stronger than security determined by the second set of key material.

Abstract: A system and methods are shown for selecting a packet data serving node (PDSN) for a mobile node in a mobile Internet Protocol network. One method includes responsively to receiving on a first foreign agent control node (FACN) from a radio node a registration request message and determining that a mobile profile associated with a mobile node specified in the registration request is not available at the first FACN, sending from the first FACN to a second FACN a query request message including a request for the mobile profile. If the second FACN includes the requested mobile profile, the second FACN sends it to the first FACN using a query response message. When the first FACN receives the query response message, the first FACN makes a determination that the mobile profile includes a network address of the last serving PDSN.

Abstract: A telephony system and method having a switch for analog voice and data signals that is connected to a first network, and a router for routing Internet Protocol packets that is connected to a second network using Internet Protocol addressing. The telephony system and method also includes a telephony gateway that is connected to both the switch and the router for converting analog voice signals into Internet Protocol packets and for converting Internet Protocol packets into analog voice signals, the telephony gateway being connected, and a remote access server that is connected to both the switch and the router for converting analog data signals into Internet Protocol packets and for converting Internet Protocol packets into analog data signals. The switch may have a switch matrix capable of being connected to the Public Switched Telephone Network, a line rack with a plurality of line cards connected to the switch matrix, and a trunk rack with a plurality of trunk cards connected to the switch matrix.

Abstract: A method and system for distributed generation of unique random numbers. The unique random number can be used to create digital cookies or digital tokens. A first network device (e.g., a computer) on a computer network receives an x-bit bit mask template from a second network device on the computer network (e.g., a gateway). The first network device generates a first portion of an x-bit digital cookie. The first network device requests a second portion of the x-bit digital cookie from the second network device. The request includes the first portion of the x-bit digital cookie. The first network device generates a complete x-bit digital cookie using the first portion of the x-bit digital cookie generated by the first network device and the second portion of the x-bit digital cookie generated by the second network device.

Abstract: System and method for distributed network address translation in a network telephony system. A first network phone with a first protocol, requests at least one locally unique port from a first network device. The first network phone and the first network device are located on a first network. The first network phone receives, with the first protocol, the at least one locally unique port from the first network device. At least one default or ephemeral port on the first network phone is replaced with the at least one locally unique port. A combination network address is created for the first network phone with the at least one locally unique port and a common external network address, thereby identifying the first network phone for communications with a second network device located on a second network. The second network device may, for example, be a second network phone. In a preferred embodiment, the first protocol is a Port Allocation Protocol, such as the Realm Specific Internet Protocol.

Abstract: A method and system for establishing and using a unidirectional virtual tunnel with foreign service applications (e.g., Session Initiation Protocol (“SIP”), H.323, etc.) on a foreign network for a mobile node (e.g., a Mobile Internet Protocol (“IP”) node) that has roamed from a home network to the foreign network. The unidirectional virtual tunnel overrides a default communications path from foreign service applications on a foreign network to a home agent on home network and to a mobile network device on the foreign network and creates a new communications path from the foreign service applications to a tunnel server on the foreign network, to the foreign agent and to the mobile network device on the foreign network. The method and system may help reduce the round-time trip delays encountered when trying to establish a voice, video or data call (e.g.

Abstract: A mechanism for recovering data associated with lost packets, suitable for use in a VoIP network. The telecommunications network is preferably a packet switched network having IP telephony gateways serving as interfaces between a telephone device and the IP network. The IP telephony gateway receives a conversation signal from the telephone device, and implements an improved forward error correction method. The method includes generating payload information defined by at least two packet sequences from the same audio information, and transmitting those two packet sequences on the IP network for receipt by a remote network device. The packet sequences are transmitted using RTP with two independent data streams or, alternatively, using a single data stream. The first and second data streams are data packet streams each defining a sequence of data packets. The first data stream is preferably formed using a G.711 vocoder, and the second data stream is preferably formed using a G.723.1 vocoder.

Abstract: A method and system for allocating persistent private network addresses between private networks. An Internet Protocol (“IP”) address of a multimedia device (e.g., a Voice-over-IP (“VoIP”) device) is publicly available and the device, the device's location or the device's user may be identified and become the target of a hacker. Persistent private IP addresses may be used for such multimedia devices. Persistent private IP addresses are unique and persistent for a duration of a multimedia session between two private networks. The persistent private IP addresses are not routable on a public network like the Internet. The persistent private IP addresses allow a first network device on a first private network to establish a data session with a second network device on a second private network over a public network such as the Internet.

Abstract: A system and methods are shown for selecting a packet data serving node (PDSN) for a mobile node in an Internet Protocol network. A network node receives a message associated with a mobile node. The message includes a service request parameter corresponding to a requested service. The network node uses the service request parameter to select the address of a packet data serving node (PDSN) offering the service. The network node then sends a response message directing a connection with the selected PDSN. The service request parameter may be an international mobile subscriber identifier (IMSI) that identifies a subscriber requesting a static IP address, in which case the network node directs a connection with a PDSN that offers an. Internet connection with the static IP address.

Abstract: A mechanism for forward error correction (FEC) coding, suitable for use where multiple payload streams are simultaneously transmitted from end-to-end. Instead of deriving parity information based on payload information carried within a given stream, the invention involves FEC encoding across multiple parallel streams and thereby deriving parallel parity information. The parallel parity information may then be transmitted to the receiving end in parallel with the underlying payload information. Beneficially, the invention can substantially reduce the time it takes for the transmitting end to derive parity information or for the receiving end to receive the information necessary to recover from data loss. The invention is especially suitable for use in IP telephony and particularly for implementation in an IP telephony gateway.

Abstract: A method and system for address server redirection for multiple address networks. A primary network address and an address of a secondary network address server are requested by a network device from a primary network address server. The address of the secondary network address server is requested in an option field in a request message sent to the primary network address server to request a primary network address. The request message may be sent through one or more routers. The primary network address is used by a network device to communicate with other network devices on a first network. The secondary network address is used by the network device to communicate with other network devices on a second network. For example, the primary network address may be a private Internet Protocol address or an Internet Protocol version-6 address and the secondary network address may be a public Internet Protocol address or an Internet Protocol version-4 address.

Abstract: A system and methods are shown for providing packet data serving node (PDSN) redundancy. One exemplary method includes providing an access node with a plurality of packet data serving nodes and at least one system manager, establishing an N to 1 redundancy of active to standby PDSNs. Upon establishing a communications session with a mobile node, each active PDSN provides state updates to the standby PDSN including only non-recoverable data. Upon failure of any active PDSN, the standby PDSN reassigned as an active PDSN replacing the failed unit and assuming the communications session with the mobile node. The remaining active PDSNs are notified of the reassignment and transmission of updated state data is discontinued.

Abstract: A system and method for Internet telephony between a caller station and a callee station are described. The caller station is connected to a first edge network via a first telephony interface, and the callee station is connected to a second edge network via a second telephony interface. An intermediate network is connected to the first edge network via a first router and is connected to the second edge network via a second router. The callee station is associated with a callee station number. The first router initiates the call in response to a setup message that includes the callee station number. A first gatekeeper, controlling the first router, and a second gatekeeper, controlling the second router, together mediate the process of setting up the call. A back end server, in communication with the first and second gatekeepers, stores the addresses and station numbers needed to set up the call.