Patents by Inventor Roy M. Brooks

Roy M. Brooks has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9509720
    Abstract: Techniques are presented herein for attesting the trustworthiness of devices in a secure network during run-time operation. A security management device is configured to perform network trust attestation operations in order to generate an access control policy that defines access rights for a device in a network. The access control policy is assured by creating a hash value for the access control policy and then signing the hash value to generate a signed hash value. The signed hash value is integrated with the access control policy, and the access control policy is sent with the signed hash value to the operator device for verification.
    Type: Grant
    Filed: June 12, 2014
    Date of Patent: November 29, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Chris A. Shenefiel, Rafael Mantilla Montalvo, Roy M. Brooks
  • Publication number: 20150365436
    Abstract: Techniques are presented herein for attesting the trustworthiness of devices in a secure network during run-time operation. A security management device is configured to perform network trust attestation operations in order to generate an access control policy that defines access rights for a device in a network. The access control policy is assured by creating a hash value for the access control policy and then signing the hash value to generate a signed hash value. The signed hash value is integrated with the access control policy, and the access control policy is sent with the signed hash value to the operator device for verification.
    Type: Application
    Filed: June 12, 2014
    Publication date: December 17, 2015
    Inventors: Chris A. Shenefiel, Rafael Mantilla Montalvo, Roy M. Brooks
  • Patent number: 8737406
    Abstract: An improved technique for distributing routing information that allows routes to be prioritized such that information associated with higher priority routes is sent in update messages ahead of information associated with lower priority routes, thereby enabling the higher priority routes to converge faster than the lower priority routes. In the preferred embodiment of the invention, a route policy map that associates routes with priorities is defined. The policy map is then applied to the routes to prioritize the routes. Update messages are then generated using the priority information, and the route information contained in the update messages is organized such that route information associated with higher priority routes is placed ahead of route information associated with lower priority routes.
    Type: Grant
    Filed: August 1, 2002
    Date of Patent: May 27, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: John E. Cavanaugh, Roy M. Brooks, Matthew H. Birkner
  • Patent number: 7936668
    Abstract: A given router in the core of a label-switching network identifies a group of routers to receive common label binding information for later routing packets along respective paths through the label-switching network. One way to identify which of multiple routers to include as a member of the group to receive the same label information is to analyze egress policies associated with downstream routers in the label-switching network. Based on this analysis, the given router identifies group members as routers having a substantially same egress policy as each other. The given router then allocates memory resources to store a common set of label information to be distributed to each member in the group of routers having the same egress policy. After populating the memory resources with label information, the given router distributes a common set of label information to each router in the group of routers.
    Type: Grant
    Filed: May 26, 2005
    Date of Patent: May 3, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Matthew H. Birkner, Robert H. Thomas, Roy M. Brooks
  • Patent number: 7409712
    Abstract: Conventional methods of addressing a Distributed Denial of Service attack include taking the target node offline, and routing all traffic to an alternate countermeasure, or “sinkhole” router, therefore requiring substantial lag time to reconfigure the target router into the network. In a network, a system operator monitors a network for undesirable message traffic. Upon a notification of such undesirable message traffic, traffic is rerouted to a filter complex to separate undesirable traffic. The filter complex establishes an alternate route using a second communications protocol, and uses the alternate route to redirect the desirable message traffic to the target node. The use of the second protocol avoids conflict between the redirected desirable traffic and the original, or first, protocol which now performs the reroute.
    Type: Grant
    Filed: July 16, 2003
    Date of Patent: August 5, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Roy M. Brooks, John E. Cavanaugh, Paul M. Quinn