Abstract: A system, method, and interface for segregating a network controller and a security gateway is provided. A security gateway-network controller interface is established between a security gateway and a network controller. One or more application interfaces are carried over the security gateway-network controller interface. An admission policy interface may be maintained on the security gateway-network controller interface that allows establishment of dynamic access control lists for admission policies applied on specific secure tunnels. Additionally, a security association-international mobile subscriber identity interface may be maintained on the security gateway-network controller interface that facilitates ensuring an IMSI used during a registration process matches an identity used to establish a tunnel. Thus, a subscriber validation mechanism is provided over the security gateway-network controller interface that couples the network controller and the security gateway.

Abstract: A system and method include a device connectable to a private network and designed to access to a public network, the device used to control identity associations for end user devices in the private network, wherein the device has an associated device key and is operable to receive additional keys associated with service providers, and a conditional access system associated with the device, the conditional access system operated by a key authority to manage the device key and to authenticate the service provider keys thereby allowing identity associations between the private network and the service providers.

Abstract: A system and method for pre-placing content from a provider on an end user storage device is described. The system includes a device connected to an end user network and a public network and used to interface with one or more digital keys, where each digital key is able to control one or more identity associations. A storage device attached to the end user network and is able to receive content from the provider using the identity association with the provider. The content is encrypted on the storage device using a keys established by the provider, such that the end user can only decrypt and access the content by agreeing to terms established by the provider using the digital key and identity association with the provider.

Abstract: A system and method for providing a identity association between a subscriber in a private network and a provider over a public network is described. The system and method include a subscriber security gateway in the private network, the subscriber security gateway providing policy enforcement and signaling between the private network and the provider over the public network and at least one digital key associated with the provider and readable by the subscriber security gateway and operable to provide a identity association with the provider.

Abstract: A system, method, and interface for segregating a network controller and a security gateway is provided. A security gateway-network controller interface is established between a security gateway and a network controller. One or more application interfaces are carried over the security gateway-network controller interface. An admission policy interface may be maintained on the security gateway-network controller interface that allows establishment of dynamic access control lists for admission policies applied on specific secure tunnels. Additionally, a security association-international mobile subscriber identity interface may be maintained on the security gateway-network controller interface that facilitates ensuring an IMSI used during a registration process matches an identity used to establish a tunnel. Thus, a subscriber validation mechanism is provided over the security gateway-network controller interface that couples the network controller and the security gateway.

Abstract: A method and apparatus is described that allow the creation of virtual routing domains in an IP network. These virtual routing domains allow individual networks to be configures so that it appears that its routing domain covers the entire IP address space. A network processing system is used to implement the virtual routing domains and to allow network traffic to cross the individual routing domains. The network processing system is able to use application layer information to allow the crossing of virtual routing domain boundaries. By examining application layer information the network processing system is able to look up customer/user information and use that information to determine destination virtual routing domains and route otherwise unroutable addresses between domains.

Abstract: An apparatus and method for traversing a network address translation/firewall device to maintain a registration between first and second devices separated by the firewall device are provided. In one example, the method includes intercepting a registration message from the first device to the second device. A determination is made based on a first timeout period defined by the second device as to whether it is time to renew the first device's registration. If it is time to renew the first device's registration, the registration message is forwarded to the second device. A response message that includes the first timeout period is intercepted, and the first timeout period is replaced with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.

Abstract: A method and system are described for resolving problems created by implementing multiple networks using private IP addresses and layer two tunneling protocols is described. A network processing system is operable to map flows from private IP addresses and ports on layer two tunneling protocol networks to public IP addresses and ports using the private IP addresses and ports and identifiers for the layer two tunneling protocol network. The network processing system uses its own public IP addresses and ports to anchor the traffic from the private network and performs the required mapping to pass traffic between the public and private networks.

Abstract: A system and method of expediting bit scan instructions in a microprocessor is disclosed which employs an execution unit having zero detectors organized along predetermined boundaries for detecting in parallel, the number of leading or trailing zeros in a source operand and for writing a destination index to indicate the first non-zero bit position.