Abstract: Systems and methods of managing access records of user access to a secure data network include an access record gateway and an access record datastore; the access record gateway being in communication with an access server of the secure data network; and the access record datastore being in communication with the access record gateway. The access record gateway acquires user access information, such as time information; records the user access information in at least one access record; and stores the at least one access record in the access record datastore. The access record gateway also acquires user access activity information, such as user access termination information, and updates previously recorded user access information with the user access activity information. The at least one access record includes a plurality of sub-records, selected from a list including a user information sub-record, a network information sub-record, and a time information sub-record.

Abstract: In a computer communication network including a firewall which protects a secured host against attack from outside computers, the host communicating with an outside computer, through the firewall, via data packets which include byte sequence numbers. In a communication between the host and computer in which one of them acts as a source and the other as a destination for the communication, a sequence number offset is derived by the firewall which characterizes the byte sequence number received from the source and the byte sequence number the firewall will provide to the destination for that communication. In a communication received from the source, the firewall adds the offset to byte sequence numbers in a packet passing between the source and destination, in order to determine the byte sequence numbers it will provide to the destination. Thus, proper sequence numbers can be provided to both locations, without the firewall having to restructure packets.

Abstract: Systems and methods of authenticating user access based on an access point to a secure data network include a secure data network having a plurality of a network access points serving as entry points for a user to access the secure data network using a user device. The user is associated with a user identity, each network access point with a network access point identity. The user uses a user device to send an access request, requesting access to the secure data network, to the network access point, which then sends an authentication request to an identity server. The identity server processes the authentication request, by validating the combination of the user identity and the network access point identity, and responds with an authentication response, granting or denying access, as communicated to the user device via an access response. The secure data network may comprise an application level secure data network, in which the user uses the user device to request access to a network application.

Abstract: A system and method for operating on data within a network device is described. Between two data operations in a network device is a FIFO queue, which is used to separate the clock domains of the data operations. Data from the first operation is stored in the FIFO queue, which signals an indication to the second operation that there is data in the queue. When the second operation is signaled that there is data in the FIFO queue, it immediately begins reading data from the queue, and begins performing its prescribed operations on the data once it has read enough data from the queue for it to begin operating.

Abstract: A high-speed router and method for operation of the core of such a router are disclosed. The disclosure describes switching packet data through a router core serving core ingress and egress ports. The router maintains at least one always-up ingress serial link from each core ingress port to the router core, and at least one always-up egress serial link from the router core to each core egress port. For each core ingress port, packet data is serialized prior to introduction to the router core and then transmitted to the core over that port's ingress serial link. Each core egress port receives a serialized data stream from the router core, which is then deserialized. Within the router core, the serialized data received on each ingress serial link is deserialized into a clocked digital data stream. The digital data streams are switched through a reconfigurable digital switch, reserialized, and transmitted over the egress serial links.

Abstract: A high-speed router and method for operation of the core of such a router are disclosed. The disclosure describes routing packets from core input ports to core output ports by aggregating or queuing packets at router core ingress ports in queues designated for common router core egress ports. A scheduler selects a set of queues, up to one per ingress port, for switching through the router core at each epoch (an epoch is a time slice). When the epoch for a given set of queues arrives, data from each queue is stranded, with one strand sent to each of multiple switch fabric cards. The switch fabric cards operate in parallel to switch the strands from that queue to a common egress port (as configured by the scheduler), where the strands are recombined to reconstruct the original queue data. This architecture can be made fault tolerant, can be made to degrade gracefully when one or more switch fabric cards goes down, and can support increased traffic simply by expanding the number of switch fabric cards.

Abstract: For electrical backplanes and the like, a power plane adaptation to improve the propagation of high-speed signals through clearances in an embedded power plane is disclosed. In exemplary embodiments, the power plane is segmented in a high-speed connector region, such that a portion of the metal layer that forms the power plane is retained in the high-speed connector region—but isolated from the power-delivery portion of the power plane. The isolated portion is connected to digital ground, and clearances are formed therein where high-speed signaling throughholes will pass through the region. In some embodiments, various attainable advantages include better manufacturability, better matching and control of high-speed signaling throughhole impedance, and improved noise isolation. Other embodiments are described and claimed.

Abstract: A data rate controller controls a rate that data is transferred over a backplane in a network processing device. A bandwidth allocator allocates bandwidth to an input port for transmitting data over the backplane to an output port. A bandwidth limiter identifies a maximum allowable bandwidth the input port is allocated on the backplane. A bandwidth tracker identifies an amount of bandwidth currently allocated to the input port for transmitting data over the backplane to the output port. When the current allocated bandwidth is used up, the data rate controller prevents that input port from connecting to output ports through the backplane until more bandwidth is allocated.

Abstract: A network-processor device comprises a packet-processor for an ingress port that is operative to distribute data flows to a plurality of equal-cost paths for transfer of data toward a given destination. The packet-processor also includes further distribution circuitry for designating a link of a link aggregation by which to channel the data between routers within a part of a selected path. Accordingly, each of the layer distributions—i.e., amongst the higher-level equal-cost-paths and amongst the lower-level link aggregation—are capable of being coordinated by a common, generic packet-processor.

Abstract: A high-speed router and method for operation of the core of such a router are disclosed. A switch fabric serves a plurality of ingress and egress ports. Packets are sorted into queues at each ingress port, each queue corresponding to one of the egress ports. Queue status information for each ingress port is communicated to a central scheduler. The scheduler reconfigures the switch fabric to a new port mapping once per epoch, where an epoch is long enough to allow each ingress port to transmit a large plurality of queued packets. The scheduler also sends port mapping information to the ingress ports, so that those ports can match one of their queues with the egress port mapping for each epoch. The switch fabric can achieve extremely high throughput since it doesn't recognize and switch packets per se, but deals with large multi-packet blocks that can be efficiently scheduled by the central scheduler.

Abstract: The disclosed board fabrication techniques and design features enable the construction of a reliable, high-layer-count, and economical backplane for routers and the like that require a large number of signaling paths across the backplane at speeds of 2.5 Gbps or greater, as well as distribution of significant amounts of power to router components. The disclosed techniques and features allow relatively thick (e.g., three- or four-ounce copper) power distribution planes to be combined with large numbers of high-speed signaling layers in a common backplane. Using traditional techniques, such a construction would not be possible because of the number of layers required and the thickness of the power distribution layers. The disclosed embodiments use novel layer arrangements, material selection, processing techniques, and panel features to produce the desired high-speed layers and low-noise high-power distribution layers in a single mechanically stable board.

Abstract: A network processing device includes multiple control processors or applications. One or more of the multiple processors generates an address resolution request. A network interface is adapted to detect a reply to the address resolution request and broadcast the detected address resolution reply to the multiple control processors in the network processing device.

Abstract: A high-speed, high-power modular router is disclosed. As opposed to conventional designs using optical backplane signaling and/or bus bars for power distribution, the disclosed embodiments combine high-power, low-noise power distribution with high-speed signal routing in a common backplane. Disclosed backplane features allow backplane signaling at 2.5 Gbps or greater on electrical differential pairs distributed on multiple high-speed signaling layers. Relatively thick power distribution layers are embedded within the backplane, shielded from the high-speed signaling layers by digital ground layers and other shielding features. A router using such a backplane provides a level of performance and economy that is believed to be unattainable by the prior art.

Abstract: Methods and apparatus for interleaved weighted fair data packet queue sequencing are disclosed. An interleaving table specifies a queue sequence. A queue sequencer follows the table order on an epoch-by-epoch basis, selecting a queue for each epoch based on the table order. If the selected queue does not have enough data to fill its epoch, the sequencer can step to the next queue in the table order. Because the table is interleaved, higher-priority queues can be visited frequently, improving jitter and latency for packets associated with these queues. The table structure allows all queues at least some portion of the available output bandwidth, and can be organized to afford some queues a much larger portion without having those queues monopolize the output stream for inordinate amounts of time. In some embodiments, each table entry has a programmable epoch value associated with it. The epoch value can be used to weight each table entry respective to the other entries.

Abstract: An arbitration scheme is used for scheduling connections between input ports and output ports. Input ports request connections to the output ports for a next time slot. Arbitration parameters, such as priority and weight, are identified for the buffer requests. Output port arbitrations are conducted for each one of the output ports according to the arbitration parameters. If there are more than two input buffers with the same priority and weight, a round robin arbitration is used. Grants are issued to the input port buffers winning the output port arbitrations. Input port arbitrations are conducted using the same arbitration parameters for input ports receiving multiple grants. The grants are accepted by the input port buffers winning the input port arbitrations. The input port buffers accepting the grants are connected to the requested output ports.

Abstract: The disclosed board fabrication techniques and design features enable the construction of a reliable, high-layer-count, and economical backplane for routers and the like that require a large number of signaling paths across the backplane at speeds of 2.5 Gbps or greater, as well as distribution of significant amounts of power to router components. The disclosed techniques and features allow relatively thick (e.g., three- or four-ounce copper) power distribution planes to be combined with large numbers of high-speed signaling layers in a common backplane. Using traditional techniques, such a construction would not be possible because of the number of layers required and the thickness of the power distribution layers. The disclosed embodiments use novel layer arrangements, material selection, processing techniques, and panel features to produce the desired high-speed layers and low-noise high-power distribution layers in a single mechanically stable board.

Abstract: Transparent point-to-point connectivity is provided between an incoming interface on an ingress node and an outgoing interface on an egress node in a network. An address associated with the egress node is circulated to the nodes in the network and a next hop address toward the egress node address is determined at each node. A label value is circulated along with the egress node address to the nodes. Examples of label values can include VLAN Ids or Multi-protocol Label Switching (MPLS) labels. If data is received having the label value, the node receiving the data identifies the next hop address associated with that label value and transfers the data to the next hop associated with the identified next hop address.

Abstract: Methods and apparatus for an improvement on Random Early Detection (RED) router congestion avoidance are disclosed. A traffic conditioner stores a drop probability profile as a collection of configurable profile segments. A multi-stage comparator compares an average queue size (AQS) for a packet queue to the segments, and determines which segment the AQS lies within. This segment is keyed to a corresponding drop probability, which is used to make a packet discard/admit decision for a packet. In a preferred implementation, this computational core is surrounded by a set of registers, allowing it to serve multiple packet queues and packets with different discard priorities. Each queue and discard priority can be keyed to a drop probability profile selected from a pool of such profiles. This provides a highly-configurable, inexpensive, and fast RED solution for a high-performance router.

Abstract: The disclosed board fabrication techniques and design features enable the construction of a reliable, high-layer-count, and economical backplane for routers and the like that require a large number of signaling paths across the backplane at speeds of 2.5 Gbps or greater, as well as distribution of significant amounts of power to router components. The disclosed techniques and features allow relatively thick (e.g., three- or four-ounce copper) power distribution planes to be combined with large numbers of high-speed signaling layers in a common backplane. Using traditional techniques, such a construction would not be possible because of the number of layers required and the thickness of the power distribution layers. The disclosed embodiments use novel layer arrangements, material selection, processing techniques, and panel features to produce the desired high-speed layers and low-noise high-power distribution layers in a single mechanically stable board.

Abstract: A high-speed router backplane is disclosed. Because of the large number of high-speed conductive traces present in such a backplane, electromagnetic interference (EMI) can be a serious issue. And because such a router consumes significant amounts of power, some provision must exist (e.g., bus bars in the prior art) within the router for distributing power to the router components. In preferred embodiments, power distribution is accomplished using relatively thick (e.g., three- or four-ounce copper) power distribution planes within the same backplane used for high-speed signaling. To shield these planes from EMI, they are preferably placed near the center of the material stack, shielded from the signaling layers by adjacent digital ground planes. Also, where two power supply planes exist, the power supply planes are placed adjacent, further shielded by their respective power return planes.