Abstract: The present invention is notably directed to a method for synchronizing proprietary data in an external cloud provided by a cloud service provider with data of a private storage system. The method comprises, at a synchronization system: copying outward data from a flow of outward data sent from a private cloud to the external cloud, the outward data being proprietary data of an entity that owns data of the private cloud. Next, and in parallel to copying outward data: the synchronization system compares copied outward data with data stored on the private storage system, to determine whether the compared outward data are already replicated in the private storage system. Finally, if it is determined that the compared outward data are not yet replicated in the private storage system, it instructs to store the compared outward data on the private storage system. The present invention is further directed to related systems and computer program products.

Abstract: The present invention is notably directed to a method for synchronizing proprietary data in an external cloud provided by a cloud service provider with data of a private storage system. The method comprises, at a synchronization system: copying outward data from a flow of outward data sent from a private cloud to the external cloud, the outward data being proprietary data of an entity that owns data of the private cloud. Next, and in parallel to copying outward data: the synchronization system compares copied outward data with data stored on the private storage system, to determine whether the compared outward data are already replicated in the private storage system. Finally, if it is determined that the compared outward data are not yet replicated in the private storage system, it instructs to store the compared outward data on the private storage system. The present invention is further directed to related systems and computer program products.

Abstract: A computer-implemented system and method for protecting a memory are provided. The system includes a memory section with privileged and non-privileged sections, a host gateway (HG) to generate a capability credential, a device controller (DC) to append the credential to data transmitted to the memory, and at least one IO device enabled to do direct memory access (DMA) transactions with the memory.

Abstract: A computer-implemented system and method for protecting a memory are provided. The system includes a memory section with privileged and non-privileged sections, a host gateway (HG) to generate a capability credential, a device controller (DC) to append the credential to data transmitted to the memory, and at least one IO device enabled to do direct memory access (DMA) transactions with the memory.

Abstract: A computer-implemented system and method for protecting a memory are provided. The system includes a memory section with privileged and non-privileged sections, a host gateway (HG) to generate a capability credential, a device controller (DC) to append the credential to data transmitted to the memory, and at least one IO device enabled to do direct memory access (DMA) transactions with the memory.

Abstract: A method and system for protection and security of IO devices using credential are provided. The system may include at least one consumer arranged to initiate IO requests from the IO device, and the IO requests may include IO capability allocation and additional parameters. The system may also include an IO resource manager (IORM) arranged to translate the IO capability allocation and additional parameters included in said IO request to a set of capability tokens for the consumer or for a group of consumers, to generate a global key to protect the capability tokens, and further arranged to manage the IO device. The system may further include a channel component arranged to transfer and receive the IO request to and from the IO device.

Abstract: A computer-implemented system and method for protecting a memory are provided. The system includes a memory section with privileged and non-privileged sections, a host gateway (HG) to generate a capability credential, a device controller (DC) to append the credential to data transmitted to the memory, and at least one IO device enabled to do direct memory access (DMA) transactions with the memory.

Abstract: A computer-implemented method for protecting a memory is provided. The method includes responsive to a direct memory access (DMA) request received from a consumer for a transaction of data from an IO device to the memory, the request including an IO command and a capability (CAP), generating a cryptographically signed capability (CAPB), forming a credential from CAP and CAPB, appending the credential to the IO command, configuring the IO device according to the credential and the IO command, transmitting the data from the IO device to the memory and prior to allowing execution of the DMA, authenticating that the credential is valid, further includes regenerating CAPB from a key available to an authenticating entity and from the CAP (included in CAPB) and verifying that the memory region information described in the cryptographically signed capability is the same as the requested region that was originally created, and that the cryptographically signed capability encompasses the IO command.

Abstract: A computer-implemented system and method for protecting a memory are provided. The system includes a memory section with privileged and non-privileged sections, a host gateway (HG) to generate a capability credential, a device controller (DC) to append the credential to data transmitted to the memory, and at least one IO device enabled to do direct memory access (DMA) transactions with the memory.

Abstract: A method and system for protection and security of IO devices using credential are provided. The system may include at least one consumer arranged to initiate IO requests from the IO device, and the IO requests may include IO capability allocation and additional parameters. The system may also include an IO resource manager (IORM) arranged to translate the IO capability allocation and additional parameters included in said IO request to a set of capability tokens for the consumer or for a group of consumers, to generate a global key to protect the capability tokens, and further arranged to manage the IO device. The system may further include a channel component arranged to transfer and receive the IO request to and from the IO device.

Abstract: An interface module is provided for connecting a data communications link to a switching node, comprising a plurality of other interface modules, of a data communications network. The interface module has at least one external port for connection to a data communications link, and a plurality of internal ports for connection to respective internal ports of the switching node. A link interface is connected to the external port for processing inbound and outbound data. A switch circuit is connected between the link interface and the internal ports of the module for transmission of data between the internal ports and to the link interface. The module includes a controller for controlling routing of data via the internal ports in accordance with an intra-node routing protocol. Switching nodes comprising a plurality of interface modules, and optionally one or more switching modules, are provided.

Abstract: An interface module is provided for connecting a data communications link to a switching node, comprising a plurality of other such interface modules, of a data communications network. The interface module has at least one external port for connection to a data communications link, and a plurality of internal ports for connection to respective internal ports of said other interface modules of the switching node. A link interface is connected to the external port for processing inbound data for forwarding across the switching node and outbound data for transmission over the link. A switch circuit is connected between the link interface and the internal ports of the module for transmission of data between the internal ports of the module and between the internal ports and the link interface.

Abstract: For a system in which data packets are to be handled according to one of several rules, depending on two (or more) criteria present in each packet, such as source and destination addresses, a classification method is disclosed that allows to determine the applicable rule by a longest-matching-prefix search operation. Range tokens of non-uniform length are assigned to basic ranges of criterion values so that each combination of input values from a packet can be represented by a particular variable length combination of range tokens. A search tree containing stored rule identifiers is so designed that each particular range token combination, used as input for a longest-matching-prefix lookup operation, will provide the required identifier. Different range token combinations having the same prefix can use the same path to one stored rule identifier, so that this method reduces the storage and time requirements for the classification procedure and allows simple updating when rules change.