Abstract: A network access server (NAS) provides a connection to a user in a data communications network, where the NAS is capable of communicating with a home gateway server (HGS) maintaining a pool of IP addresses for allocation to authorized users associated with the NAS. The NAS includes a first memory for storing an identification of a user, an requester for asking the HGS for an IP address on behalf of the user; and a second memory associated with the first memory for storing the IP address of the user received from the HGS.

Abstract: Service requests, which are used to properly process a network access request received from a client, are processed by routing the service requests between at least two service component instances according to a load balancing algorithm. Load balancing includes: calculating a first ticket amount and a second ticket amount; assigning the first ticket amount to a first instance and the second ticket amount to a second instance; using a selection scheme to select an instance having a ticket amount greater than a threshold amount to process a service request; decrementing the ticket amount corresponding to the instance selected; and scheduling the instance selected to receive a service request. The present invention may further include distinguishing between operable and inoperable instances, providing ticket amounts that are not based on performance ratings to inoperable instances, and providing ticket amounts that are based on performance ratings to operable instances.

Abstract: A network access server (NAS) provides a connection to a user in a data communications network, where the NAS is capable of communicating with a home gateway server (HGS) maintaining a pool of IP addresses for allocation to authorized users associated with the NAS. The NAS includes a first memory for storing an identification of a user, a requester for asking the HGS for an IP address on behalf of the user; and a second memory associated with the first memory for storing the IP address of the user received from the HGS.

Abstract: A gateway routes a packet from a user to a connected network utilizing a per-user routing table. A source address is extracted from the packet; a per-user routing table corresponding to the source address is found, the per-user routing table contains entries corresponding to one or more currently accessible networks for the user and the range of network addresses corresponding to the currently accessible networks; a destination address is extracted from the packet; an entry in the matching per-user routing table with a range of network addresses containing the destination address is sought; the packet is routed to a matching network if the destination address is contained within one of the ranges of network addresses for the currently accessible networks (“ranges”); and the packet is routed to a default network if the destination address is not contained within one of the ranges. Different users may access a different set of networks and select a desired network for access.

Abstract: Multiple simultaneous network connections from a single PPP connection may be accomplished by utilizing a gateway in the following manner. A first network connection is established between the gateway and a first network. A first real network address for the user is then received, the first real network address assigned by the first network. Then, the gateway may establish a network session between the gateway and a second network and receive a second real network address for the user, the second real network address assigned by the second network. A virtual network address may be assigned to the user for network address translation purposes. Additional network connections may be added in a similar manner. Network address translation is then performed on packets traveling between the user and any of the network sessions. This allows each of the simultaneous network connections to gain the benefits of network address translation.

Abstract: A method for routing packets sent from a user to the internet is provided for systems in which the user is connected to a private network. The method includes: extracting a source network address from the packet; using said source network address to retrieve a user profile for the user; examining said user profile to determine whether to route the packet through the private network or to route the packet directly to the Internet; and routing said packet according to said profile. This allows a user or network provider to choose whether to route packets destined for the Internet directly to the Internet rather than through the private network, thus preventing excessive network traffic on the private network.

Abstract: A method for routing packets sent from a user to the internet is provided for systems in which the user is connected to a private network. The method includes: extracting a source network address from the packet; using said source network address to retrieve a user profile for the user; examining said user profile to determine whether to route the packet through the private network or to route the packet directly to the Internet; and routing said packet according to said profile. This allows a user or network provider to choose whether to route packets destined for the Internet directly to the Internet rather than through the private network, thus preventing excessive network traffic on the private network.

Abstract: Certain bits of a packet, such as bits in the IP header of an IP packet, are used to designate the type of service or Quality of Service (QoS) level to be afforded to the packet as it passes through a data communications network. A user entitled to a certain QoS level logs into a service selection gateway SSG. The SSG queries an authentication, authorization and accounting (AAA) server in response to a log-in attempt by the user. Upon authorization, the AAA server returns an access accept signal in addition to an indication from the user's service profile (user profile) as to the QoS level to be afforded the user. While the user is logged in, all packets are routed through the SSG. The SSG sets the certain bits of the packet in accordance with the user's assigned QoS level so that as the packets are routed through the data communications network, they are consistently afforded the assigned Quality of Service level.

Abstract: A method for preventing denial of service attacks against Hypertext Transfer Protocol (HTTP) servers includes receiving a HTTP request from a subscriber using a first communication network coupled to at least one other communication network, receiving a profile for the subscriber, filtering the request to determine whether the subscriber is authorized to make the request based upon the profile and forwarding the request to the other communication network when the subscriber is authorized to make the request. An apparatus capable of preventing denial of service attacks against HTTP servers includes a profile request generator capable of generating a profile request based upon a HTTP request received from a subscriber using a first communication network, a filter capable of determining whether the request is authorized based upon the requested profile and an authorizer capable of allowing the request to be forwarded on at least one other communication network coupled to the first communication network.

Abstract: A method and apparatus for providing computer network access points the capability for multiple-level accounting. A gateway device located at the access point is capable of generating Internet protocol accounting start and stop requests based on various events that need to be accounted for when a user accesses a network. These events include the user account logon, the service establishments and the Point to Point protocol (PPP) connections between the gateway device and public and private domains within the network. The counter is capable of tracking the duration of sessions and connections and the byte-count associated with the specified session or connection. The gateway device communicates with an accounting server which stores the accounting requests and matches start requests with subsequent stop requests.

Abstract: A host object representing a user, a service object representing a service, and a connection object linking the two may be utilized in order to provide Quality of Service (QoS). The host object and/or connection object may contain a provisioning scheme defining a limit on traffic, which can be provided through either a local or remote programming mechanism. When traffic flows through the host object and/or connection object, the appropriate provisioning scheme is utilized to determine which packets to discard.

Abstract: A system for identifying a subscriber includes an access server coupled to a number of subscribers using a first communication network and further coupled to a second communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the first communication network. The memory stores path information that identifies a virtual circuit assigned to the particular subscriber. The processor identifies the particular subscriber for connection to the second communication network based upon the path information and the particular virtual circuit used to receive the communication from the particular subscriber.

Abstract: A system for identifying a subscriber includes an access server coupled to a number of subscribers using a first communication network and further coupled to a second communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the first communication network. The memory stores path information that identifies a virtual circuit assigned to the particular subscriber. The processor identifies the particular subscriber for connection to the second communication network based upon the path information and the particular virtual circuit used to receive the communication from the particular subscriber.

Abstract: A system for determining subscriber information includes an access server coupled to a number of subscribers using a communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the communication network. The memory stores subscriber information for the subscribers, wherein the subscriber information is indexed by path information that identifies a virtual circuit assigned to the particular subscriber. The processor determines subscriber information for communication to the particular subscriber based upon the path information and the particular virtual circuit used to receive communication from the particular subscriber.

Abstract: A host object representing a user, a service object representing a service, and a connection object linking the two may be utilized in order to provide Quality of Service (QoS). The host object and/or connection object may contain a provisioning scheme defining a limit on traffic, which can be provided through either a local or remote programming mechanism. When traffic flows through the host object and/or connection object, the appropriate provisioning scheme is utilized to determine which packets to discard.

Abstract: A host object representing a user, a service object representing a service, and a connection object linking the two may be utilized in order to provide Quality of Service (QoS). The host object and/or connection object may contain a provisioning scheme defining a limit on traffic, which can be provided through either a local or remote programming mechanism. When traffic flows through the host object and/or connection object, the appropriate provisioning scheme is utilized to determine which packets to discard.

Abstract: A method and apparatus for providing single-step logon access for a subscriber to a differentiated computer network having more than one separate access area. In a method for single-step logon a network gateway interface grants a subscriber access to both one or more public network domains, such as the Internet, and one or more private domains, such as community of interest domains or intra-network domains, without requiring the subscriber to launch a separate logon application. Once the subscriber has completed a single step logon to the network interface, the service provider is able to provide the subscriber with simultaneous secure channel access to both public areas and secured private areas.

Abstract: A system provides computer network access to PPP clients.

Abstract: A gateway is provided which routes a packet sent from a user to a connected network utilizing a per-user routing table. This is accomplished by extracting a source address from the packet; finding a per-user routing table corresponding to the source address, the per-user routing table containing entries corresponding to one or more currently accessible networks for the user and the range of network addresses corresponding to the currently accessible networks; extracting a destination address from the packet; seeking an entry in the matching per-user routing table with a range of network addresses containing the destination address; routing the packet to a matching network if the destination address is contained within one of the ranges of network addresses for the currently accessible networks; and routing the packet to a default network if the destination address is not contained within one of the ranges of network addresses for the currently accessible networks.

Abstract: A method for providing single step log-on access for a subscriber to a computer network. The computer network is differentiated into public and private areas. Secure access to the private areas is provided by a Service Selection Gateway (SSG) Server, introduced between a conventional Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server. The SSG Server intercepts and manipulates packets of data exchanged between the NAS and the AAA Server to obtain all the information it needs to automatically log the user on when the user logs on to the NAS. An authorized user is thus spared the task of having to re-enter username and password data or launch a separate application in order to gain secure access to private areas of the network.