Patents by Inventor Shuxian Lou

Shuxian Lou has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11722525
    Abstract: Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass with the IP 5-tuple plus SPI as the lookup key at the hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA DRAM addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.
    Type: Grant
    Filed: April 14, 2021
    Date of Patent: August 8, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Shuxian Lou, Jie Chu, Jonathan Rosen, Douglas Michael Toney, Harikrishnan Pillai, Feng Cao
  • Publication number: 20220337627
    Abstract: Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass with the IP 5-tuple plus SPI as the lookup key at the hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA DRAM addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.
    Type: Application
    Filed: April 14, 2021
    Publication date: October 20, 2022
    Inventors: Shuxian Lou, Jie Chu, Jonathan Rosen, Douglas Michael Toney, Harikrishnan Pillai, Feng Cao
  • Patent number: 10904217
    Abstract: A source virtual private network (VPN) gateway supports a local source subnet and communicates over a wide area network (WAN) with a destination VPN gateway that supports a local destination subnet. The source VPN gateway receives from the local source subnet an Internet Protocol (IP) packet destined for the local destination subnet, determines a security association (SA) based on a source IP address and a destination IP address of the IP packet, and encapsulates the IP packet with tunnel encapsulation including a tunnel protocol header and a tunnel outer IP header, to produce a clear-text tunnel packet. The source VPN gateway encrypts the IP packet and the tunnel protocol header but not the tunnel outer IP header using an encryption key and a security parameter index for the SA, to produce an encrypted tunnel packet, and tunnels it to the destination VPN gateway over the WAN.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: January 26, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Michael L. Sullenberger, Brian Weis, Warren Scott Wainner, Shuxian Lou
  • Publication number: 20190372936
    Abstract: A source virtual private network (VPN) gateway supports a local source subnet and communicates over a wide area network (WAN) with a destination VPN gateway that supports a local destination subnet. The source VPN gateway receives from the local source subnet an Internet Protocol (IP) packet destined for the local destination subnet, determines a security association (SA) based on a source IP address and a destination IP address of the IP packet, and encapsulates the IP packet with tunnel encapsulation including a tunnel protocol header and a tunnel outer IP header, to produce a clear-text tunnel packet. The source VPN gateway encrypts the IP packet and the tunnel protocol header but not the tunnel outer IP header using an encryption key and a security parameter index for the SA, to produce an encrypted tunnel packet, and tunnels it to the destination VPN gateway over the WAN.
    Type: Application
    Filed: May 31, 2018
    Publication date: December 5, 2019
    Inventors: Michael L. Sullenberger, Brian Weis, Warren Scott Wainner, Shuxian Lou
  • Patent number: 9667650
    Abstract: Processes and systems to create a plurality of sequence number spaces in a security association at a transmission device. Each sequence number space corresponds to a respective class of traffic. Each sequence number space is identified by a unique selector value. For each sequence number space, a sequence number counter is created for counting a sequence of outbound packets of the class of traffic corresponding to the sequence number space. For an outbound packet of a particular class of traffic, the selector value of the sequence number space of the particular class of traffic is written into a first portion of a sequence number field in the outbound packet. The low-order bits of the current value of the sequence number counter associated with the sequence number space of the particular class of traffic are written into a second portion of the sequence number field. The sequence number counter is then incremented.
    Type: Grant
    Filed: May 15, 2015
    Date of Patent: May 30, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Shuxian Lou, Jie Chu, Michael Fingleton, Hsia R. Yu
  • Publication number: 20160337398
    Abstract: Processes and systems to create a plurality of sequence number spaces in a security association at a transmission device. Each sequence number space corresponds to a respective class of traffic. Each sequence number space is identified by a unique selector value. For each sequence number space, a sequence number counter is created for counting a sequence of outbound packets of the class of traffic corresponding to the sequence number space. For an outbound packet of a particular class of traffic, the selector value of the sequence number space of the particular class of traffic is written into a first portion of a sequence number field in the outbound packet. The low-order bits of the current value of the sequence number counter associated with the sequence number space of the particular class of traffic are written into a second portion of the sequence number field. The sequence number counter is then incremented.
    Type: Application
    Filed: May 15, 2015
    Publication date: November 17, 2016
    Inventors: Shuxian Lou, Jie Chu, Michael Fingleton, Hsia R. Yu
  • Patent number: 7616640
    Abstract: Service requests, which are used to properly process a network access request received from a client, are processed by routing the service requests between at least two service component instances according to a load balancing algorithm. Load balancing includes: calculating a first ticket amount and a second ticket amount; assigning the first ticket amount to a first instance and the second ticket amount to a second instance; using a selection scheme to select an instance having a ticket amount greater than a threshold amount to process a service request; decrementing the ticket amount corresponding to the instance selected; and scheduling the instance selected to receive a service request. The present invention may further include distinguishing between operable and inoperable instances, providing ticket amounts that are not based on performance ratings to inoperable instances, and providing ticket amounts that are based on performance ratings to operable instances.
    Type: Grant
    Filed: January 6, 2005
    Date of Patent: November 10, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Aravind Sitaraman, Shuxian Lou, Shujin Zhang, Sampath Kumar Sthothra Bhasham
  • Patent number: 7539194
    Abstract: A gateway routes a packet from a user to a connected network utilizing a per-user routing table. A source address is extracted from the packet; a per-user routing table corresponding to the source address is found, the per-user routing table contains entries corresponding to one or more currently accessible networks for the user and the range of network addresses corresponding to the currently accessible networks; a destination address is extracted from the packet; an entry in the matching per-user routing table with a range of network addresses containing the destination address is sought; the packet is routed to a matching network if the destination address is contained within one of the ranges of network addresses for the currently accessible networks (“ranges”); and the packet is routed to a default network if the destination address is not contained within one of the ranges. Different users may access a different set of networks and select a desired network for access.
    Type: Grant
    Filed: April 27, 2005
    Date of Patent: May 26, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Shujin Zhang, Xi Xu, Maria Alice Dos Santos, Jane Jiaying Jin, Jie Chu, Shuxian Lou
  • Patent number: 7443865
    Abstract: Multiple simultaneous network connections from a single PPP connection may be accomplished by utilizing a gateway in the following manner. A first network connection is established between the gateway and a first network. A first real network address for the user is then received, the first real network address assigned by the first network. Then, the gateway may establish a network session between the gateway and a second network and receive a second real network address for the user, the second real network address assigned by the second network. A virtual network address may be assigned to the user for network address translation purposes. Additional network connections may be added in a similar manner. Network address translation is then performed on packets traveling between the user and any of the network sessions. This allows each of the simultaneous network connections to gain the benefits of network address translation.
    Type: Grant
    Filed: April 4, 2002
    Date of Patent: October 28, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Shujin Zhang, Jane Jiaying Jin, Jie Chu, Maria Alice Dos Santos, Shuxian Lou
  • Patent number: 7408940
    Abstract: Certain bits of a packet, such as bits in the IP header of an IP packet, are used to designate the type of service or Quality of Service (QoS) level to be afforded to the packet as it passes through a data communications network. A user entitled to a certain QoS level logs into a service selection gateway (SSG). The SSG queries an authentication, authorization and accounting (AAA) server in response to a log-in attempt by the user. Upon authorization, the AAA server returns an access accept signal in addition to an indication from the user's service profile (user profile) as to the QoS level to be afforded the user. While the user is logged in, all packets are routed through the SSG. The SSG sets the certain bits of the packet in accordance with the user's assigned QoS level so that as the packets are routed through the data communications network, they are consistently afforded the assigned Quality of Service level.
    Type: Grant
    Filed: December 28, 2004
    Date of Patent: August 5, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Jane Jiaying Jin, Jie Chu, Maria Alice Dos Santos, Shuxian Lou, Shujin Zhang
  • Patent number: 7389354
    Abstract: A method for preventing denial of service attacks against Hypertext Transfer Protocol (HTTP) servers includes receiving a HTTP request from a subscriber using a first communication network coupled to at least one other communication network, receiving a profile for the subscriber, filtering the request to determine whether the subscriber is authorized to make the request based upon the profile and forwarding the request to the other communication network when the subscriber is authorized to make the request. An apparatus capable of preventing denial of service attacks against HTTP servers includes a profile request generator capable of generating a profile request based upon a HTTP request received from a subscriber using a first communication network, a filter capable of determining whether the request is authorized based upon the requested profile and an authorizer capable of allowing the request to be forwarded on at least one other communication network coupled to the first communication network.
    Type: Grant
    Filed: December 11, 2000
    Date of Patent: June 17, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Aravind Sitaraman, Purnam Anil Sheth, Shujin Zhang, Shuxian Lou
  • Patent number: 7386632
    Abstract: A method for maintaining Quality of Service for communication network subscribers regardless of their log-on location is disclosed. For one embodiment the communications network has a first access point having a first router and a local memory containing at least one user profile containing a subscriber's pool identifier, and a second access point having a second router configured to provide a forwarding rate based on a source address from each of said packets. A service type for a subscriber is defined. A pool identifier corresponding to a service level agreement is assigned to the subscriber. If the subscriber attempts to log-on to the second access point, the subscriber's pool identifier is obtained from a global memory available to the second access point. The pool identifier is used to select a source address. A packet sent by the subscriber is forwarded using the second router, each packet containing the source address.
    Type: Grant
    Filed: January 9, 2007
    Date of Patent: June 10, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Aravind Sitaraman, Joseph F. Mann, Maria Alice Dos Santos, Shuxian Lou, Sampath Kumar Sthothra Bhasham
  • Patent number: 7346697
    Abstract: A method and apparatus for providing computer network access points the capability for multiple-level accounting. A gateway device located at the access point is capable of generating Internet protocol accounting start and stop requests based on various events that need to be accounted for when a user accesses a network. These events include the user account logon, the service establishments and the Point to Point protocol (PPP) connections between the gateway device and public and private domains within the network. The counter is capable of tracking the duration of sessions and connections and the byte-count associated with the specified session or connection. The gateway device communicates with an accounting server which stores the accounting requests and matches start requests with subsequent stop requests.
    Type: Grant
    Filed: September 7, 2004
    Date of Patent: March 18, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Shujin Zhang, Shuxian Lou, Roman Peter Kochan, Aravind Sitaraman
  • Patent number: 7165117
    Abstract: An address is allocated to a host device which is selected to obtain network access from any access point within a given communications system, while maintaining a network bandwidth management scheme that is consistently applied to a user's network bandwidth usage regardless of the access point used by the user. This is accomplished using a communications network having at least one access point coupled to a first router which is configured to forward packets at a forwarding rate based on a source address contained in each of the packets. A user profile is assigned to each subscriber belonging to an access point. Each user profile includes a pool identifier which corresponds to a forwarding rate used by the router for packets corresponding to the subscriber.
    Type: Grant
    Filed: June 7, 2002
    Date of Patent: January 16, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Aravind Sitaraman, Joseph F. Mann, Maria Alice Dos Santos, Shuxian Lou, Sampath Kumar Sthothra Bhasham
  • Patent number: 7165122
    Abstract: An address is allocated to a host device which is selected to obtain network access from any access point within a given communications system, while maintaining a network bandwidth management scheme that is consistently applied to a user's network bandwidth usage regardless of the access point used by the user. This is accomplished using a communications network having at least one access point coupled to a first router which is configured to forward packets at a forwarding rate based on a source address contained in each of the packets. A user profile is assigned to each subscriber belonging to an access point. Each user profile includes a pool identifier which corresponds to a forwarding rate used by the router for packets corresponding to the subscriber.
    Type: Grant
    Filed: June 7, 2002
    Date of Patent: January 16, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Aravind Sitaraman, Joseph F. Mann, Maria Alice Dos Santos, Shuxian Lou, Sampath Kumar Sthothra Bhasham
  • Patent number: 7036142
    Abstract: A method and apparatus for providing single-step logon access for a subscriber to a differentiated computer network having more than one separate access area. In a method for single-step logon a network gateway interface grants a subscriber access to both one or more public network domains, such as the Internet, and one or more private domains, such as community of interest domains or intra-network domains, without requiring the subscriber to launch a separate logon application. Once the subscriber has completed a single step logon to the network interface, the service provider is able to provide the subscriber with simultaneous secure channel access to both public areas and secured private areas.
    Type: Grant
    Filed: February 11, 2002
    Date of Patent: April 25, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shujin Zhang, Shuxian Lou
  • Patent number: 6982978
    Abstract: A gateway is provided which routes a packet sent from a user to a connected network utilizing a per-user routing table. This is accomplished by extracting a source address from the packet; finding a per-user routing table corresponding to the source address, the per-user routing table containing entries corresponding to one or more currently accessible networks for the user and the range of network addresses corresponding to the currently accessible networks; extracting a destination address from the packet; seeking an entry in the matching per-user routing table with a range of network addresses containing the destination address; routing the packet to a matching network if the destination address is contained within one of the ranges of network addresses for the currently accessible networks; and routing the packet to a default network if the destination address is not contained within one of the ranges of network addresses for the currently accessible networks.
    Type: Grant
    Filed: February 28, 2002
    Date of Patent: January 3, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shujin Zhang, Xi Xu, Maria Alice Dos Santos, Jane Jiaying Jin, Jie Chu, Shuxian Lou
  • Patent number: 6983332
    Abstract: This invention provides for an apparatus and method to associate a subscriber with one of many port bundles in an aggregation device. The method reserves one of the port bundles for the subscriber if the subscriber was not assigned a port bundle, changes the original source port number in a data packet to a port bundle number, modifies the subscriber address to an assigned aggregation address, and issues a request to a remote management device for authentication of the subscriber. Once a response is received from the management device including the authentication or unauthentication of the subscriber, the subscriber is mapped with the reserved port bundle in a port bundle object and the reserved port bundle is then assigned to the subscriber.
    Type: Grant
    Filed: April 23, 2001
    Date of Patent: January 3, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shuxian Lou, Richard M. Pruss, Ian M. Cotton, Mark C. Willis, Adam L. Taylor
  • Patent number: 6966004
    Abstract: A method for providing single step log-on access for a subscriber to a computer network. The computer network is differentiated into public and private areas. Secure access to the private areas is provided by a Service Selection Gateway (SSG) Server, introduced between a conventional Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server. The SSG Server intercepts and manipulates packets of data exchanged between the NAS and the AAA Server to obtain all the information it needs to automatically log the user on when the user logs on to the NAS. An authorized user is thus spared the task of having to re-enter username and password data or launch a separate application in order to gain secure access to private areas of the network.
    Type: Grant
    Filed: August 14, 2003
    Date of Patent: November 15, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Jane Jiaying Jin, Jie Chu, Maria Alice Dos Santos, Shuxian Lou, Xi Xu, Shujin Zhang
  • Patent number: 6917617
    Abstract: Certain bits of a packet, such as bits in the IP header of an IP packet, are used to designate the type of service or Quality of Service (QoS) level to be afforded to the packet as it passes through a data communications network. A user entitled to a certain QoS level logs into a service selection gateway (SSG). The SSG queries an authentication, authorization and accounting (AAA) server in response to a log-in attempt by the user. Upon authorization, the AAA server returns an access accept signal in addition to an indication from the user's service profile (user profile) as to the QoS level to be afforded the user. While the user is logged in, all packets are routed through the SSG. The SSG sets the certain bits of the packet in accordance with the user's assigned QoS level so that as the packets are routed through the data communications network, they are consistently afforded the assigned Quality of Service level.
    Type: Grant
    Filed: December 16, 1998
    Date of Patent: July 12, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Jane Jiaying Jin, Jie Chu, Maria Alice Dos Santos, Shuxian Lou, Shujin Zhang