Abstract: A method routes packets from a source to a destination across an IP network having a plurality of nodes (including the source and destination), and a plurality of network segments interconnecting the plurality of nodes. The source and destination are configured to use a given service. To those ends, the method receives information relating to the given service, and forms a path between the source and the destination. The path includes a) at least one intermediate node between the source and the destination and b) a plurality of specific network segments extending from the source to the destination. The plurality of specific network segments are a sub-set of the plurality of network segments. To form the path, the method assigns the plurality of specific network segments to the network path between the source and the destination as a function of the information relating to the given service.

Abstract: A packet routing method for directing packets of a session in an IP network causes an intermediate node to obtain a lead packet of a plurality of packets in a given session. The intermediate node has an electronic interface in communication with the IP network and obtains the lead packet through that same interface. The method maintains, in a routing database, state information relating to a plurality of sessions in the IP network. Each session includes a single stateful session path formed by an ordered plurality of nodes in the IP network, and the state information includes information about the ordered plurality of nodes in the sessions. The method further accesses the routing database to determine the state of a plurality of sessions, and forms a stateful given path for packets of the given session across the IP network as a function of the state information in the routing database.

Abstract: An apparatus and/or method secures session communications between a first network (having a first encryption device configured to encrypt at least some session communications from the first network to the second network) and a second network. The apparatus and/or method receive, at the first network, given session packets of a given session between the first and second networks, and determine that at least one of the received given session packets is encrypted (“encrypted given session packet”). The given session involves a Layer 7 application that encrypted the at least one encrypted given session packet. Next, the apparatus and/or method controls, in response to determining that the given session packet is encrypted, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets. Preferably, the first encryption device encrypts none of the given session packets.

Abstract: A packet routing method for directing packets of a session in an IP network causes an intermediate node to obtain a lead packet of a plurality of packets in a given session. The intermediate node has an electronic interface in communication with the IP network and obtains the lead packet through that same interface. The method maintains, in a routing database, state information relating to a plurality of sessions in the IP network. Each session includes a single stateful session path formed by an ordered plurality of nodes in the IP network, and the state information includes information about the ordered plurality of nodes in the sessions. The method further accesses the routing database to determine the state of a plurality of sessions, and forms a stateful given path for packets of the given session across the IP network as a function of the state information in the routing database.

Abstract: In exemplary embodiments of the present invention, special metadata is added to link monitoring protocol messages exchanged by pairs of adjacent nodes to allow such nodes to detect communication link failures and determine whether the failure affects an incoming communication link or an outgoing communication link. The link monitoring protocol messages may be augmented BFD messages.

Abstract: A packet routing method and apparatus for managing packets of a bi-directional session between a first node and a second node in an IP network receives a mid-stream packet at an intermediate node. The intermediate node is not part of the bi-directional session. Next, the method identifies the bi-directional session (“identified session”) from which the mid-stream packet originated. The identified session includes a bi-directional path between the first node and the second node, while the bi-directional path includes a plurality of nodes for bi-directionally forwarding packets between the first node and the second node. The method then directs that one or more packets of the identified session be routed to at least one of the plurality of nodes of the identified session.

Abstract: A method of routing data across a network receives a session request from a client node to access at least one node in a local network having a plurality of nodes. The method also receives a client certificate (e.g., a digital certificate at least partially specified by known standards, such as the “X509 Standard”) from the client node. The client certificate has client information specifying at least one node to receive packets from the client node. Next, the method uses the client certificate to execute an authentication process. If the authentication process authenticates the client node, then the method routes data packets from the client node to at least one node in the local network as specified by the client information in the client certificate.

Abstract: A method and apparatus for routing a plurality of session packets across a network toward a destination modifies each packet to include a sequence number that is different from the sequence number of other packets in the plurality of packets. Accordingly, at this point, each of the plurality of packets is transformed into a corresponding plurality of processed packets. The method also duplicates the plurality of processed packets to produce a corresponding plurality of duplicated packets. Next, the method forwards the plurality of processed packets toward the destination using a first stateful path through the network, and correspondingly forwards the plurality of duplicated packets toward the destination using a second stateful path through the network. In preferred embodiments, the first stateful path is different from the second stateful path. For example, the two paths may be entirely distinct in that they share no common intermediary elements.

Abstract: A method processes a session having a first session packet received by a current node in an IP network having a plurality of nodes. The plurality of nodes includes a next node, and the current node that communicates with the next node using a Layer 3 protocol. The method receives the first session packet, which has a digital signature, payload data, and meta-data, at the current node. The method uses the payload data and meta-data to produce validation information, and uses the digital signature to produce a comparator digital signature. Next, the method compares the validation information with the comparator digital signature. If the validation information does not match the comparator digital signature, then the method discards the first session packet. If there is a match, then the method digitally signs the first session packet, and routes the first session packet to the next node via the IP network.

Abstract: A router is specially configured to implement a bilateral TCP state machine to monitor the status of TCP sessions based on TCP sequence numbers in both forward session packets and return session packets received by the router for a TCP bi-flow session. Among other things, the router may determine the status of a TCP session, for example, based on statistical information such as the number or rate of errors detected (e.g., the number of dropped packets, duplicated packets, out-of-sequence packets, and/or out-of-window packets). Each router is typically configured to collect and store status information and optionally also to use the status information in making intelligent routing decisions, such as, for example, deciding whether or not to forward a particular packet, deciding whether to reconfigure a bi-flow routing session, or updating routing table information used for routing packets.

Abstract: An advanced routing system and protocol (referred to herein as “Route Exchange” or “REX”) hides familiar IPv4 and IPv6 addresses and replaces traditional routing logic with words and relationships between named elements. Among other things, this makes IP routing tables significantly easier to understand. In addition, a single routing scheme can be used for any combination of private networks, public networks, IPv4 addressing models, and IPv6 addressing models. Underneath the words lie real IP addresses that move the packets from place to place. These routing addresses abstract away the underlying network.

Abstract: A router is specially configured to implement a bilateral TCP state machine to monitor the status of TCP sessions based on TCP sequence numbers in both forward session packets and return session packets received by the router for a TCP bi-flow session. Among other things, the router may determine the status of a TCP session, for example, based on statistical information such as the number or rate of errors detected (e.g., the number of dropped packets, duplicated packets, out-of-sequence packets, and/or out-of-window packets). Each router is typically configured to collect and store status information and optionally also to use the status information in making intelligent routing decisions, such as, for example, deciding whether or not to forward a particular packet, deciding whether to reconfigure a bi-flow routing session, or updating routing table information used for routing packets.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also receives, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. The backward message includes the next node identifier and the session identifier. The intermediate node forms an association between the next node identifier and the session identifier, stores the association in memory to maintain state information for the session, and obtains (e.g., receives) additional packets of the session. Substantially all of the additional packets in the session are forwarded toward the next node using the stored association.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node and also to identify source and destination port numbers assigned by the intermediate node for a possible forward association, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also may receive, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. Both the intermediate node and the next node form an association between the intermediate node identifier, the next node identifier, and the source and destination port numbers assigned by the intermediate node. This association is part of a forward association for the intermediate node and is part of a return associate for the next node.

Abstract: A method processes a session having a first session packet received by a current node in an IP network having a plurality of nodes. The plurality of nodes includes a next node, and the current node that communicates with the next node using a Layer 3 protocol. The method receives the first session packet, which has a digital signature, payload data, and meta-data, at the current node. The method uses the payload data and meta-data to produce validation information, and uses the digital signature to produce a comparator digital signature. Next, the method compares the validation information with the comparator digital signature. If the validation information does not match the comparator digital signature, then the method discards the first session packet. If there is a match, then the method digitally signs the first session packet, and routes the first session packet to the next node via the IP network.

Abstract: An apparatus and/or method secures session communications between a first network (having a first encryption device configured to encrypt at least some session communications from the first network to the second network) and a second network. The apparatus and/or method receive, at the first network, given session packets of a given session between the first and second networks, and determine that at least one of the received given session packets is encrypted (“encrypted given session packet”). The given session involves a Layer 7 application that encrypted the at least one encrypted given session packet. Next, the apparatus and/or method controls, in response to determining that the given session packet is encrypted, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets. Preferably, the first encryption device encrypts none of the given session packets.

Abstract: In exemplary embodiments of the present invention, special metadata is added to link monitoring protocol messages exchanged by pairs of adjacent nodes to allow such nodes to detect communication link failures and determine whether the failure affects an incoming communication link or an outgoing communication link. The link monitoring protocol messages may be augmented BFD messages.

Abstract: A method of routing data across a network receives a session request from a client node to access at least one node in a local network having a plurality of nodes. The method also receives a client certificate (e.g., a digital certificate at least partially specified by known standards, such as the “X509 Standard”) from the client node. The client certificate has client information specifying at least one node to receive packets from the client node. Next, the method uses the client certificate to execute an authentication process. If the authentication process authenticates the client node, then the method routes data packets from the client node to at least one node in the local network as specified by the client information in the client certificate.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also receives, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. The backward message includes the next node identifier and the session identifier. The intermediate node forms an association between the next node identifier and the session identifier, stores the association in memory to maintain state information for the session, and obtains (e.g., receives) additional packets of the session. Substantially all of the additional packets in the session are forwarded toward the next node using the stored association.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node and also to identify source and destination port numbers assigned by the intermediate node for a possible forward association, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also may receive, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. Both the intermediate node and the next node form an association between the intermediate node identifier, the next node identifier, and the source and destination port numbers assigned by the intermediate node. This association is part of a forward association for the intermediate node and is part of a return associate for the next node.