Abstract: Offering vertical services to subscribers and service providers is an avenue to immediately improve the competitiveness of digital subscriber line access service, for example of the type offered by a local exchange carrier. To deliver high-quality vertical services, however, the underlying ADSL Data Network (ADN) or the like needs to establish Quality of Service (QoS) as a core characteristic and offer an efficient mechanism for insertion of the vertical services. The inventive network architecture introduces QoS into the ADN, in a manner that enables the delivery of sophisticated and demanding IP-based services to subscribers, does not affect existing Internet tiers of service, and is cost-effective in terms of initial costs, build-out, and ongoing operations.

Abstract: Information applied to a packet at an ingress port of a network may be used for enhancing security. The information applied to a packet may be “context information” which replaces at least some bits of layer 2 information (e.g., a header). Users or customers may define security policies. They may define different security policies for different types of transactions. They may also define security policies based on the location from which the transaction originated. If the customer is an organization with different classes of users, it may define different security policies. The class of user may be identified based on at least a part of the “context information”. At least a part of the context information may also be used to monitor a location from which a transaction originated, thereby permitting fraudulent uses to be traced.

Abstract: For purposes of servicing emergency calls, such as 911 calls, a telephone number is associated with each edge router port used to provide IP service to a customer premise location. A telephone number is associated with the edge router port and the corresponding customer location. The telephone number and location information are stored in a database used for providing emergency calling party location information. When a switch used for routing IP calls detects a telephone call to an emergency call center it determines the edge router port from which the call was placed and the telephone number associated with the port for emergency call purposes. The call is then forwarded to the emergency call service center with the determined telephone number being supplied as the calling party number. Performing a lookup operation using the supplied telephone number the emergency service operator determines the location from which the call was placed.

Abstract: Methods and apparatus for determining, in a reliable manner, a port, physical location and/or device identifier, such as a MAC address, associated with a device using an IP address and for using such information, e.g., to support one or more security applications is described. Supported security applications include restricting access to services based on the location of a device seeking access to a service, determining the location of stolen devices, and verifying the location of the source of a message or other IP signal, e.g., to determine if a prisoner is contacting a monitoring service from a predetermined location.

Abstract: Limiting or controlling access to various services thereby performing a firewall function. An access router may permit or deny a packet based on at least a portion of a unique bit string (or context information) which replaced layer 2 header information (e.g., the layer 2 (e.g., MAC) address). Further, a particular quality of service may be indicated by at least a part of the unique bit string (or context information). The service provided to a group of customers, that group of customers being defined by at least a portion of the unique bit string (or context information), may be monitored. Multicast groups may be supported by checking at least a part of the unique bit string (or context information) to determine whether or not a customer associated with that port is permitted to join the multicast group.

Abstract: Supporting virtual private networks by using a new layer 3 address to encapsulate a network-bound packet so that its context information, from which a layer 2 (e.g., MAC) address can be derived, is preserved. If this encapsulation was not done, the layer 2 address would change over each segment of the network. Thus, the encapsulation preserves the concept of group identification, using at least a part of the context, over the entire network and not just at the edge of the network. If a packet is received from the network (to be forwarded to a customer), the layer 3 address that was added in the encapsulation is stripped off. The original layer 3 destination address may be used with a client device addressing table to determine a new context information, and a layer 2 (e.g., MAC) address of a destination client device.

Abstract: Information applied to a packet at an ingress port of a network may be used for enhancing security. The information applied to a packet may be “context information” which replaces at least some bits of layer 2 information (e.g., a header). Users or customers may define security policies. They may define different security policies for different types of transactions. They may also define security policies based on the location from which the transaction originated. If the customer is an organization with different classes of users, it may define different security policies. The class of user may be identified based on at least a part of the “context information”. At least a part of the context information may also be used to monitor a location from which a transaction originated, thereby permitting fraudulent uses to be traced.

Abstract: Using information applied to a packet at an ingress port of a network for enhancing security such as user authentication for example. Such authentication may be applied in addition to (i.e., as an extension of) other authentication measures. The information applied to a packet may be “context information” which replaces at least some bits of layer 2 information (e.g., a header). Users or customers may define security policies. They may define different security policies for different types of transactions. They may also define security policies based on the location from which the transaction originated. If the customer is an organization with different classes of users, it may define different security policies based on the type of transaction, the location from which the transaction originated, and/or the class of user. The class of user may be identified based on at least a part of the “context information”.

Abstract: Offering vertical services to subscribers and service providers is an avenue to immediately improve the competitiveness of digital subscriber line access service, for example of the type offered by a local exchange carrier. To deliver high-quality vertical services, however, the underlying ADSL Data Network (ADN) or the like needs to establish Quality of Service (QoS) as a core characteristic and offer an efficient mechanism for insertion of the vertical services. The inventive network architecture introduces QoS into the ADN, in a manner that enables the delivery of sophisticated and demanding IP-based services to subscribers, does not affect existing Internet tiers of service, and is cost-effective in terms of initial costs, build-out, and ongoing operations.

Abstract: Methods and apparatus for determining, in a reliable manner, a port, physical location and/or device identifier, such as a MAC address, associated with a device using an IP address and for using such information, e.g., to support one or more security applications is described. Supported security applications include restricting access to services based on the location of a device seeking access to a service, determining the location of stolen devices, and verifying the location of the source of a message or other IP signal, e.g., to determine if a prisoner is contacting a monitoring service from a predetermined location.

Abstract: Methods and apparatus for determining, in a reliable manner, a port, physical location and/or device identifier, such as a MAC address, associated with a device using an IP address and for using such information, e.g., to support one or more security applications is described. Supported security applications include restricting access to services based on the location of a device seeking access to a service, determining the location of stolen devices, and verifying the location of the source of a message or other IP signal, e.g., to determine if a prisoner is contacting a monitoring service from a predetermined location.

Abstract: For purposes of servicing emergency calls, such as 911 calls, a telephone number is associated with each edge router port used to provide IP service to a customer premise location. A telephone number is associated with the edge router port and the corresponding customer location. The telephone number and location information are stored in a database used for providing emergency calling party location information. When a switch used for routing IP calls detects a telephone call to an emergency call center it determines the edge router port from which the call was placed and the telephone number associated with the port for emergency call purposes. The call is then forwarded to the emergency call service center with the determined telephone number being supplied as the calling party number. Performing a lookup operation using the supplied telephone number the emergency service operator determines the location from which the call was placed.

Abstract: Methods and apparatus detecting attempts to obtain IP addresses by faking a MAC address in a data portion of an IP address request message are described. In accordance with the present invention, rather than use standard address allocation protocols, e.g., ARP, the DNS DCHP contacts the requesting edge router via a private secure network. The MAC address received in the address request is compared to the MAC addresses stored in the edge routers port/MAC address resolution table. If the MAC address received in the request message cannot be found in the edge router's table which was created from the MAC address included in the message's header, a fraudulent attempt to obtain a MAC address is declared. The fraudulent attempt to obtain an IP address can be reported and steps taken to identify the perpetrator of the fraud.

Abstract: Methods and apparatus for providing location and other customer information corresponding to an IP addresses, including dynamically assigned IP address, are described. A port of an edge router is assigned to serve as a customer's point of access to an IP based network. Customer information including the location of the customer premises from which the IP network is accessed through the assigned edge router port is stored in a database associating edge router and port information with customer information. When information about a customer using an IP address is desired a database associating IP addresses with edge routers, e.g., edge which acted as proxies to facilitate IP address leasing is consulted. The edge router corresponding to the IP address of interest is then contacted to determine the port number associated with the IP address. Recovered edge router and port number information is then used to access the customer information database.

Abstract: Limiting or controlling access to various services thereby performing a firewall function. An access router may permit or deny a packet based on at least a portion of a unique bit string (or context information) which replaced layer 2 header information (e.g., the layer 2 (e.g., MAC) address). Further, a particular quality of service may be indicated by at least a part of the unique bit string (or context information). The service provided to a group of customers, that group of customers being defined by at least a portion of the unique bit string (or context information), may be monitored. Multicast groups may be supported by checking at least a part of the unique bit string (or context information) to determine whether or not a customer associated with that port is permitted to join the multicast group.

Abstract: Methods and apparatus for wiretapping IP telephone calls are described. At the time an IP telephone registers its current IP address and telephone number with a soft switch responsible for routing calls to the IP telephony device a list of telephone numbers to be monitored is checked. If the number being registered is to be monitored, information identifying the edge router through which the IP telephony device connects to the IP network is obtained. The edge router is then sent a monitor message with the IP address corresponding to the telephone number to be monitored. IP packets including the specified IP address are then forwarded by the identified edge router to a monitoring station. Packet forwarding may involve packet duplication with the original packets being allowed to continue on to their original destination and the duplicated packets being forwarded or, alternatively, a simple packet redirection operation.

Abstract: For purposes of servicing emergency calls, such as 911 calls, a telephone number is associated with each edge router port used to provide IP service to a customer premise location. A telephone number is associated with the edge router port and the corresponding customer location. The telephone number and location information are stored in a database used for providing emergency calling party location information. When a switch used for routing IP calls detects a telephone call to an emergency call center it determines the edge router port from which the call was placed and the telephone number associated with the port for emergency call purposes. The call is then forwarded to the emergency call service center with the determined telephone number being supplied as the calling party number. Performing a lookup operation using the supplied telephone number the emergency service operator determines the location from which the call was placed.

Abstract: Offering vertical services to subscribers and service providers is an avenue to immediately improve the competitiveness of digital subscriber line access service, for example of the type offered by a local exchange carrier. To deliver high-quality vertical services, however, the underlying ADSL Data Network (ADN) or the like needs to establish Quality of Service (QoS) as a core characteristic and offer an efficient mechanism for insertion of the vertical services. The inventive network architecture introduces QoS into the ADN, in a manner that enables the delivery of sophisticated and demanding IP-based services to subscribers, does not affect existing Internet tiers of service, and is cost-effective in terms of initial costs, build-out, and ongoing operations.

Abstract: Limiting or controlling access to various services thereby performing a firewall function. An access router may permit or deny a packet based on at least a portion of a unique bit string (or context information) which replaced layer 2 header information (e.g., the layer 2 (e.g., MAC) address). Further, a particular quality of service may be indicated by at least a part of the unique bit string (or context information). The service provided to a group of customers, that group of customers being defined by at least a portion of the unique bit string (or context information), may be monitored. Multicast groups may be supported by checking at least a part of the unique bit string (or context information) to determine whether or not a customer associated with that port is permitted to join the multicast group.

Abstract: Supporting virtual private networks by using a new layer 3 address to encapsulate a network-bound packet so that its context information, from which a layer 2 (e.g., MAC) address can be derived, is preserved. If this encapsulation was not done, the layer 2 address would change over each segment of the network. Thus, the encapsulation preserves the concept of group identification, using at least a part of the context, over the entire network and not just at the edge of the network. If a packet is received from the network (to be forwarded to a customer), the layer 3 address that was added in the encapsulation is stripped off. The original layer 3 destination address may be used with a client device addressing table to determine a new context information, and a layer 2 (e.g., MAC) address of a destination client device.