Abstract: A network device may implement packet scheduling with administrator-configurable packet scheduling policies. In one implementation, the network device includes a filter component configured to assign priority levels to data units, the priority levels defining traffic classes for the data units. The network device may also include a scheduler component configured to schedule transmission of the traffic classes based on an assignment of weights to the traffic classes using at least one bandwidth allocation policy that exhibits a bandwidth allocation profile that varies based on one or more parameters of the bandwidth allocation policy that are configurable by an administrator.

Abstract: A system determines a scheduling value based on a current length of a downstream queue in a network device. The system sends the scheduling value from the downstream queue to an upstream queue and schedules dequeuing of one or more data units, destined for the downstream queue, from the upstream queue based on the scheduling value.

Abstract: In general, the invention is directed to techniques of load balancing network traffic among paths on a point-to-multipoint overlay network. In load balancing the network traffic, the techniques take into consideration costs associated with paths through the overlay network and costs associated with paths beyond the egress points of the overlay network, even when such costs may be unequal.

Abstract: This disclosure describes techniques for determining whether network traffic contains one or more computer security threats. In order to determine whether a symbol stream conforms to the symbol pattern, a security device stores a full deterministic finite automaton (fDFA) that accepts streams of symbols that conform to the symbol pattern. The security device also creates a partial deterministic finite automaton (pDFA) that includes nodes that correspond to the nodes in the fDFA that have the highest visitation levels. The security device processes each symbol in the symbol stream using the pDFA until a symbol causes the pDFA to transition to a failure node or to an accepting node. If the symbol causes the pDFA to transition to the failure node, the security device processes the symbol and subsequent symbols in the symbol stream using the fDFA.

Abstract: A system determines a scheduling value based on a current length of a downstream queue in a network device. The system sends the scheduling value from the downstream queue to an upstream queue and schedules dequeuing of one or more data units, destined for the downstream queue, from the upstream queue based on the scheduling value.

Abstract: In general, techniques are described for reducing response times to retrieve content in an intermediate network device. In particular, the intermediate network device receives a packet from a client device of a first network that requests content from a remote network device of a second network, inspects the packet to determine whether the requested content has been previously cached to either of a first and a second memory of the device, issues a request to load the requested content from the second memory to the first memory based on the determination and queues the packet within in the queue. After queuing the packet, the intermediate network device then processes the packet to assemble a response that includes the content from the memory.

Abstract: In general, the invention is directed to techniques for improving memory utilization in a priority queuing system of a network device. More specifically, a priority queue memory management system is described in which memory pages are assigned to the various priority queues in order to implement an efficient first in, first out (FIFO) functionality. The dynamic memory techniques described herein allow the multiple priority queues to share a common memory space. As a result, each priority queue does not require a pre-allocated amount of memory that matches the aggregate size of the packets that must be buffered by the queue.

Abstract: A method includes receiving a data unit, determining whether a current state, associated with a deterministic finite automata (DFA) that includes a portion of states in a bitmap and a remaining portion of states in a DFA table, is a bitmap state or not, and determining whether a value corresponding to the data unit is greater than a threshold value, when it is determined that the current state is not a bitmap state. The method further includes determining whether the current state is insensitive, when it is determined that the value corresponding to the data unit is greater than the threshold value, where insensitive means that each next state is a same state for the current state, and selecting a default state, as a next state for the current, when it is determined that the current state is insensitive.

Abstract: In general, techniques are described for efficiently implementing application identification within network devices. In particular, a network device includes a control unit that stores data defining a group Deterministic Finite Automata (DFA) and an individual DFA. The group DFA is formed by merging non-explosive DFAs generated from corresponding non-explosive regular expressions (regexs) and fingerprint DFAs (f-DFAs) generated from signature fingerprints extracted from explosive regexs. The non-explosive regexs comprise regexs determined not to cause state explosion during generation of the group DFA, the signature fingerprints comprise segments of explosive regexs that uniquely identifies the explosive regexs, and the explosive regexs comprise regexs determined to cause state explosion during generation of the group DFA.

Abstract: A method is provided for queuing packets. A packet may be received and its flow identified. It may then be determined whether a flow queue has been assigned to the identified flow. The identified flow may be dynamically assigning to an available flow queue when it is determined that a flow queue has not been assigned to the identified flow. The packet may be enqueued into the available flow queue.

Abstract: A method is provided for queuing packets. A packet may be received and its flow identified. It may then be determined whether a flow queue has been assigned to the identified flow. The identified flow may be dynamically assigning to an available flow queue when it is determined that a flow queue has not been assigned to the identified flow. The packet may be enqueued into the available flow queue.

Abstract: A data communication system is provided that allows for the efficient management of data communication sessions requested from a plurality of packet data servicing nodes organized in a cluster, each member of the cluster managing a cluster session table which contains data identifying mobile units and packet data servicing nodes which are servicing data sessions with the mobile unit. As a mobile unit moves from one portion of the system to another, a network element will request a data session from a packet data servicing node, the packet data servicing node is then able to access the cluster session table to determine if the data session is already being served by another member of the cluster. If the data session is already in existence, the base station controller will be directed to request a data session from the packet data servicing node which is already servicing that session.

Abstract: In general, the invention is directed to techniques of load balancing network traffic among paths on a point-to-multipoint overlay network. In load balancing the network traffic, the techniques take into consideration costs associated with paths through the overlay network and costs associated with paths beyond the egress points of the overlay network, even when such costs may be unequal.

Abstract: In general, the invention is directed to techniques of dynamically balancing network traffic load among multiple paths through a computer network. The techniques distribute and redistribute flows of network packets between different paths based on dynamically measured path bandwidth and loads of each flow. In distributing the flows, Quality of Service (QoS) bandwidth requirements of the flows may be maintained.

Abstract: Controlling congestion in a networking device having a plurality of input interface queues comprises estimating, in each of one or more sampling states, a data arrival rate for each of the plurality of input interface queues with respect to incoming data packets received on corresponding input interfaces, obtaining a set of estimated arrival rates for the plurality of the input interface queues, determining, for each polling state associated with a respective sampling state, the sequence in which the plurality of input interface queues should be polled using the set of estimated data arrival rates of the plurality of input interface queues, and polling the plurality of interface queues in accordance with the determined sequence. The sequence indicates when, during a single polling cycle, each of the input interface queues should be polled in relation to every other of the input interface queues.

Abstract: A resource manager 20 receives and compiles data from a plurality of base transceiver station 14 to enable an admission control decision before beginning a communication session with a mobile unit 12. The historic usage patterns of the mobile unit 12 and the historic and present bandwidth availability for cells likely to be impacted are taken into account to make the admission control decision.

Abstract: A global path identifier is assigned to each explicit route through a data communication network. The global path identifier is inserted into each packet as the packet enters a network and is used in selecting the next hop. When encountering a new selected path, an ingress router sends an explicit object to downstream nodes of the path to set up explicit routes by caching the next hop in an Explicit Forwarding Information Base (“EFIB”) table. Ingress routers maintain an Explicit Route Table (“ERT”) that tracks the global path identifier associated with each flow through the network. Multiple flows using the same path can be implemented by sharing the same global path identifier. In case of sudden network load changes, rerouting can be performed by changing the global path identifier associated with those flows that need to be rerouted and by then transmitting a new path object to downstream nodes.

Abstract: This disclosure describes techniques for determining whether network traffic contains one or more computer security threats. In order to determine whether a symbol stream conforms to the symbol pattern, a security device stores a full deterministic finite automaton (fDFA) that accepts streams of symbols that conform to the symbol pattern. The security device also creates a partial deterministic finite automaton (pDFA) that includes nodes that correspond to the nodes in the fDFA that have the highest visitation levels. The security device processes each symbol in the symbol stream using the pDFA until a symbol causes the pDFA to transition to a failure node or to an accepting node. If the symbol causes the pDFA to transition to the failure node, the security device processes the symbol and subsequent symbols in the symbol stream using the fDFA.

Abstract: A method includes a step of (A) determining which of multiple network interfaces indicates readiness to transmit a data element to a network and which of the multiple network interfaces indicates receipt of a data element from the network. The method further includes a step of (B) running, for each network interface indicating readiness to transmit a data element to the network, a transmit interrupt handler to load that network interface with a data element for transmission if such a data element is available for transmission within the data communications device, in response to giving higher priority to handling transmit interrupts relative to handling receive interrupts. The method further includes a step of (C) after step B, running, for at least one network interface which indicates receipt of a data element from the network, a receive interrupt handler to process that data element.

Abstract: A global path identifier is assigned to each explicit route through a data communication network. The global path identifier is inserted into each packet as the packet enters a network and is used in selecting the next hop. When encountering a new selected path, an ingress router sends an explicit object to downstream nodes of the path to set up explicit routes by caching the next hop in an Explicit Forwarding Information Base (“EFIB”) table. Ingress routers maintain an Explicit Route Table (“ERT”) that tracks the global path identifier associated with each flow through the network. Multiple flows using the same path can be implemented by sharing the same global path identifier. In case of sudden network load changes, rerouting can be performed by changing the global path identifier associated with those flows that need to be rerouted and by then transmitting a new path object to downstream nodes.