Abstract: A multicast connection arrangement is provided by which a source node may establish multicast virtual circuits to a group of destination nodes of an arbitrary-topology network using a single procedure, and may subsequently modify those circuits, i.e., add or delete destination nodes, with a single, related procedure. The arrangement includes a multicast setup packet for opening the multicast virtual circuits, the packet containing a multicast identifier field, a virtual circuit field and a destination field identifying a list of desired destination node addresses. The multicast setup packet may be also used to add destination nodes to the circuits while a multicast delete packet is used to delete nodes from the circuits. When adding nodes to the multicast virtual circuits, a topology analysis process is provided to prevent the formation of an unstable network topology.

Abstract: An apparatus for forwarding a data packet from a first link to a second link is disclosed. The apparatus is coupled with a plurality of computer networks through ports on the apparatus. The apparatus maintains a spanning tree list indicating which of the apparatus ports are active. The apparatus receives a packet, and determines if the packet was received from a port that is active. If the packet was received from a port that is not active, the packet is discarded. If the packet is not discarded, the data link source address of the packet is stored in a database within the apparatus for the computer network coupled with the port from which the packet was received. The apparatus then decides, responsive to a contents of a data link destination address field in the packet, whether to forward the packet as a bridge or to forward the packet as a router.

Abstract: An encryption system employing a one-time key-pad uses a shared secret number and a one-way hash function with which both the originator and recipient of a message generate successive segments of a key-pad to encrypt and decrypt the message respectively. In one arrangement each key-pad segment is generated by applying the hash function to a combination of the secret number and the previous key-pad segment. In the other embodiment of the invention, each key-pad section is generated by applying the one-way hash function to a combination of the secret number and a corresponding segment of the ciphertext version of the message.

Abstract: A signature system, such as an El Gamal or DSS system, involving the use of a long-term secret number and a per-message secret number generates the per-message secret number without the use of a random number generator or non-volatile storage. The per-message secret number is generated by applying a one-way hash function to a combination of the long-term secret number and the message itself.

Abstract: A method and system for routing information packets among nodes interconnected by links to form a network, each information packet traversing a path of links and nodes from a source node to a destination node. Information indicating the relationships of nodes and links in the network is assembled in the source node. The entire route from the source node to the destination node is computed prior to sending each information packet and the information packet is routed through the network in accordance with the computed route.Information is assembled about the local topology of the network including the identities of the neighboring nodes which are connected via links to the local node. The local topology information of each local node is distributed to every other node in the network.Each node is assigned a unique identifier, a unique public key and an associated private key.

Abstract: A frame having a desired destination address written into the destination address field of the frame is transmitted onto a first communications system, the frame is received by the apparatus, the frame is transmitted by the apparatus onto a second communications system with a second destination address written into the destination address field of the second frame, and also the desired destination address is written into a predetermined field of the second frame along with an indicator. The indicator is capable if being interpreted by a receiving station to mean that the desired destination address is written into the predetermined field of the second frame.

Abstract: A novel mechanism prevents interleaving of packet cells from different source nodes on the same multicast port group at switches of a multicast virtual circuit in a cell-switched network: however, different cells bound for different multicast port groups may be interleaved. The mechanism comprises specific routing information that is stored in each multicast group port entry of a forwarding table located within each switch of the multicast virtual circuit. The forwarding table also stores information relating to each multicast port group including a virtual circuit value for each port of the multicast group. The specific routing information is provided for each multicast port group entry to notify the switch when data traffic for a particular packet is pending through a port of the multicast group and when that data traffic ceases, i.e., when the "end-of-packet" is reached. This ensures that the packets may be correctly reassembled at the destination nodes.

Abstract: A method for connecting a first communications system with a second communications system is disclosed. A first frame is received at a first station. The first station is connected to both the first communication system and the second communication system. The first frame has a destination address field, and the destination address field contains a desired destination address. The first station forwards, in response to the desired destination address, the first frame onto the second communications system as a second frame, and the first station writes a second destination address into a destination address field of the second frame. The first station writes the desired destination address into a predetermined field of the second frame. The first station writes, an indicator into the second frame, the indicator is capable of being interpreted by a receiving station to mean that the desired destination address is written into the predetermined field of the second frame.

Abstract: A connection apparatus for connecting a first communication system with a second communication system and a third communication system. A first frame is received from the first communication system, where the first frame has a multicast address as a destination address, and where the destination address requires the first frame to be transmitted onto the second communication system. The multicast address is translated into a functional address, and the functional address is written into a second frame transmitted onto the second communication system. The second frame is received and is transmitted onto a third communication system, and the functional address is translated into a multicast address for the third communication system, and the multicast address is written into a destination field of the frame as it is transmitted onto the third communication system. The second communication system may be a token ring system based upon an IEEE 802.

Abstract: A communications system is disclosed, having a first communications link, a second communications link, a first end station attached to said first communications link, a first packet forwarding apparatus attached to the first communications link, a second end station attached to the second communications link, and a second packet forwarding apparatus attached to the second communications link. Each packet forwarding apparatus routes packets it receives having destination address equal to a data link destination address of the apparatus, and bridges all other received packets. When the first end station wishes to send a packet to the second end station, it first transmits an ARP request message to learn the data link address of the second end station. The first apparatus receives the ARP (Address Resolution Protocol) request message, and determines that the end station for which a data link address is requested is attached to a remote communications link.

Abstract: A novel switch architecture maintains the sequence of packet cells, received at one port of a multicast port group, during subsequent transfer of the cells to the remaining ports of the group. The novel architecture includes a 2-stage buffering arrangement whereby the first stage comprises a plurality of local buffers, each associated with a port of the switch, and the second stage comprises a single, global buffer. Each local buffer services its associated port of the multicast port group by temporarily storing incoming packet cells until a complete packet is received at that port, at which time the packet cells may be passed to the global buffer as outgoing cells. The global buffer services the remaining ports of the multicast port group by forwarding copies of the outgoing cells, in sequence, to those ports.

Abstract: Methods and apparatus for verifying--in a network comprised of LANs and bridges connected to LANs, in which the bridges associate the LANs with LAN numbers--that bridges connected to a given LAN have been configured with the same LAN number for that LAN. A first bridge encodes the LAN number configured for the given LAN into a LAN number verification message and transmits the message to a second bridge connected to the LAN. The second bridge then compares the LAN number encoded in the received LAN number verification message to the LAN number configured for the LAN at the second bridge. A bridge which performs this method includes storage for associating the LANs connected to the bridge with LAN numbers, an encoder for encoding the LAN number for a given LAN into a LAN number verification message, and a transmitter for transmitting the LAN number verification message onto the given LAN.

Abstract: Methods and apparatus for automatically assigning LAN numbers to LANs in a network comprised of LANs and bridges connected to LANs. The bridges associate the LANs with LAN numbers and each LAN is related to one of the bridges. A central database links each LAN (identified by LAN number) to the identity of its related bridge and the port of that bridge which is connected to the LAN. To obtain a LAN number for a given LAN, the bridge related to the given LAN transmits a request identifying the related bridge and the port of the related bridge which is connected to the given LAN. In response, a LAN number which has not been associated with any LAN other than the given LAN is selected and included in a response which is sent back to the requesting bridge. The requesting bridge then transmits LAN number identification messages incorporating the selected LAN number to the other bridges on the given LAN.

Abstract: A secure arrangement in which stations in a communications network are informed of the addresses of their neighbors by means of identifying messages transmitted by the stations. To prevent the insertion of illegitimate stations into the network, the system makes use of passwords included in the station-identifying messages. In networks where eavesdropping is possible, the passwords are encrypted versions of the identities of the stations transmitting the messages and in systems where stations can also be impersonated, the encrypted passwords also include time stamps.

Abstract: Methods and apparatus for selecting a parallel bridge number for a bridge connecting a first and second LAN in a network comprised of LANs and bridges connected between the LANs. The parallel bridge numbers are used to distinguish two or more bridges which are connected between the same LANs. The designated bridge for the LAN stores a database associating the identifiers of multiple bridges connected between the first and second LANs to the parallel bridge numbers which are assigned to those bridges. To obtain a parallel bridge number, a bridge between the first and second LANs transmits a request message identifying itself and the second LAN to the designated bridge. In response, the designated bridge selects a parallel bridge number which has not been associated with any bridge connected to the second LAN (other than the requesting bridge), and transmits this parallel bridge number to the requesting bridge.

Abstract: To avoid exponential proliferation of explorer packets through a LAN/Bridge network, each bridge gathers information sufficient to compute routes through the network by sharing routing messages with other bridges. Then, to find a route from a particular source end system to a particular destination end system, a broadcast message identifying the desired source and destination is sent to the bridges. In response, the bridges compute the optimal route to each attached LAN, convert the broadcast message into one or more counterfeit explorer messages by incorporating these routes, and then transmit the counterfeit explorer messages to the LANs for which the incorporated route was computed. The destination end system then receives one or more of the counterfeit explorer messages and responds to the source end system as if the counterfeit explorer message was genuine.

Abstract: Use of a multicast address in a LAN, where the LAN does not support an adequate multicast address space, is implemented. An apparatus is provided for delivering a multicast address to a station on a local area network, where the local area network does not support the multicast address. The frame is transmitted onto the local area network, where the frame has: a predetermined field containing a reference to the multicast address; an indicator, the indicator capable of being interpreted by a receiving station to mean that the multicast address may be recovered from the frame by parsing the frame; and an applications program may be executed in response to the multicast address. Also, the apparatus may have a receiving station capable of receiving the frame, and an applications program may be executed in the receiving station in response to the multicast address.

Abstract: A method of merging networks across a common backbone network in which destinations are grouped into domains based on needs of network users to communicate with one another. Domain information is added to the level one routing control packets transmitted by the grouped destinations to identify the logical address (destination number coupled with domain number) of a specific destination. Additionally, routers in the network are configured with mapping information that relates the destination number of each associated destination with its logical address. Filtering information may be included in the configuration of the level one and level two routers. Filtering information identifies domains that associated destinations may transmit information to or receive information from. With filtering information, system routers can be configured to announce the reachability of specific destinations in selected domains based on overall system considerations.

Abstract: A device and related method for coupling segments of an extended local area network (LAN) in such a way that message traffic employing inter-network protocols such as TCP/IP will be handled without the difficulties usually associated with bridges, and without the complexity and expense of full IP router capability. The device operates like a bridge for non-TCP/IP traffic. For TCP/IP traffic it operates in a bridge-like manner but maintains a database associating extended LAN segment addresses with port numbers in the device, so that packets can be automatically forwarded over a spanning tree connecting the network segments. A host computer in any network segment can address others in different network segments of the extended LAN as though all were in a single LAN. The device of the invention functions to block the flow of ARP messages and to generate ARP replies that render the device of the invention transparent to hosts within the extended LAN.

Abstract: A technique for issuing and revoking user certificates of authenticity in a public key cryptography system, wherein certificates do not need expiration dates, and the inconvenience and overhead associated with routine certificate renewals are minimized or avoided entirely. A Certification Authority issues certificates as required, and issues a blacklist having a start date, an expiration date, and an entry for every invalid certificate issued after the start date. Users assume that every certificate issued prior to the blacklist start date is invalid, and that invalid certificates issued after the start date will be included in the current blacklist. A new blacklist is issued prior to expiration of the current one, and the blacklist start date is changed only when the blacklist becomes unmanageably long.