Abstract: In one embodiment, a network node automatically cycles among packet traffic flows and subjects the currently selected packet flows to varying drop probabilities in a packet network, such as, but not limited to in response to congestion in a device or network. Packets of a currently selected packet traffic flow are subjected to a drop or forward decision with a higher drop probability than packets of a currently non-selected flow. By cycling through all of these packet traffic flows, all of these packet flows are subjected to the drop or forward decision in the long term approximately uniformly, thus providing fairness to all packet traffic flows. In the short term, packets of a currently selected flow are targeted for possible dropping with a higher drop probability providing unfairness to the currently selected flows over the non-selected flows.

Abstract: In one embodiment, a service chain data packet is instrumented as it is communicated among network nodes in a network providing service-level and/or networking operations visibility. The service chain data packet includes a particular header identifying a service group defining one or more service functions, and is a data packet and not a probe packet. A network node adds networking and/or service-layer operations data to the particular service chain data packet, such as, but not limited to, in the particular header. Such networking operations data includes a performance metric or attribute related to the transport of the particular service chain packet in the network. Such service-layer operations data includes a performance metric or attribute related to the service-level processing of the particular service chain data packet in the network.

Abstract: In one embodiment, efficient content-addressable memory entry integrity checking is performed that protects the accuracy of lookup operations. Single-bit position lookup operations are performed resulting in match vectors that include a match result for each of the content-addressable memory entries at the single-bit position. An error detection value is determined for the match vector, and compared to a predetermined detection code for the single-bit position to identify whether an error is detected in at least one of the content-addressable memory entries. In one embodiment, a particular cumulative entry error detection vector storing entry error detection information for each of the content-addressable memory entries is updated based on the match vector. The particular cumulative entry error detection vector is compared to a predetermined entry error detection vector to determine which, if any, of the content-addressable memory entries has an identifiable error, which is then corrected.

Abstract: In one embodiment, content-addressable memory lookup result integrity checking and correcting operations are performed, such as, but not limited to protecting the accuracy of packet processing operations. A lookup operation is performed in the content-addressable memory entries based on a lookup word resulting in one or more match vectors. One or multiple result match vectors are produced, depending on whether each of the content-addressable memory entries and the lookup word have been partitioned into multiple portions. An error accuracy code (e.g., error detection, error correction) is acquired for each portion of the one or multiple portions based on a corresponding portion of the lookup word. An accurate result is generated by processing each of the result match vector(s) with their corresponding error accuracy code. When using multiple portions, the (possibly corrected) result match vectors are combined into a single accurate result match vector.

Abstract: In one embodiment, updating and searching of entries in a hardware content-addressable memory is coordinated to provide more searching bandwidth (e.g., for determining packet processing information), including, but not limited to, when vectors are moved among entries to free up desired entry positions for insertion of other vectors. A lookup operation in performed in content-addressable memory entries in a hardware content-addressable memory based on a lookup word to generate a content-addressable memory lookup result. Typically overlapping in time, a matching operation is performed in one or more transitory entries to generate a transitory matching result based on the lookup word. These transitory entries are populated with transitory vectors and have an associated index within the content-addressable memory, with these transitory vectors are subsequently inserted in the content-addressable memory at their associated index positions.

Abstract: In one embodiment, a Segment Routing network node provides efficiencies in processing and communicating Internet Protocol packets in a network. An Internet Protocol (IP) packet, possibly a Segment Routing packet, is received by a node in a network, which updates the packet according to a corresponding Segment Routing Policy, that includes an ordered list of Segment Identifiers comprising, in first-to-last order, a first Segment Identifier followed by one or more subsequent Segment Identifiers. The updating of the packet includes setting the Destination Address to the first Segment Identifier, and adding said one or more subsequent Segment Identifiers, but not the first Segment Identifier, in a first Segment Routing Header. The updated packet is sent into the network without the first Segment Identifier being added to a Segment Routing Header in response to the Segment Routing Policy.

Abstract: A network access server (NAS) determines the status of availability (e.g., how much more quota is unused) of an access resource, and sends a notification embedded in a point-to-point protocol (PPP) packet. The format of the packet is chosen such that definition/use of higher layers (e.g., HTTP) is not required to communicate the status to a client system. As a result, the user may be notified even if software such as web browser is not being executed on the client system.

Abstract: A network access server (NAS) determines the status of availability (e.g., how much more quota is unused) of an access resource, and sends a notification embedded in a point-to-point protocol (PPP) packet. The format of the packet is chosen such that definition/use of higher layers (e.g., HTTP) is not required to communicate the status to a client system. As a result, the user may be notified even if software such as web browser is not being executed on the client system.

Abstract: Disclosed, inter alia, is a Physical Layer Transceiver (PHY) with integrated time synchronization, such as, but not limited to, IEEE 1588 Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. The PHY includes circuitry to maintain a current time, and to trigger the storage of timestamps corresponding to received frames. Typically, in response to a request from an external device, the timestamps are retrieved from storage and are communicated to the external device.

Abstract: A service policy manager may be used to enable a first subscriber in a community to administer rules on another subscriber in the same community. A service selection gateway (SSG) may then be configured according to the rules to provides services according to the rules. As a result, the services provided to a subscriber depend not just on the individual profile of the subscriber, but also potentially on the rules administered by other members of the communities the subscriber is a part of.

Abstract: A gateway device providing a search utility to determine both NAT information and forwarding information (“both pieces of information”) in a single search operation. The single search operation may be implemented using a single table storing both pieces of information necessary for processing a packet. As a result, both pieces of information can be potentially retrieved in a single memory access. Due to the single (or few) memory access, the throughput performance of a gateway may be enhanced. In an embodiment, the gateway is implemented as a service selection gateway which provides connectivity between multiple remote systems and service domains. The NAT/forwarding information is partitioned according to service domains such that the information needed to process packets from/to the same service domain is contained in the same table.

Abstract: In one embodiment, a scheduler for a queue hierarchy only accesses sub-groups of bucket nodes in order to determine the best eligible queue bucket to transmit next. Etherchannel address hashing is performed after scheduling so that an Etherchannel queue including a single queue in the hierarchy is implemented to guarantee quality of service.

Abstract: In one embodiment, a method for providing voice quality assurance is provided. The method determines voice information for an end point in a voice communication system. The voice information may be from an ingress microphone. The method determines if the voice quality is considered degraded based on an analysis of the voice information. For example, the voice information may indicate that it is distorted, too loud, too soft, is subject to an external noise, etc. Feedback information is determined if the voice quality is considered degraded where the feedback information designed to improve voice quality at an ingress point for a user speaking. The feedback information is then outputted at the end point to the user using the end point.

Abstract: In one embodiment, a method for using credentials for a mobile node to protect the transfer of posture data is provided. A network access device receives a message from a mobile node for access to a network. The message includes posture data encrypted using credentials for the mobile node. The credentials may be found in a storage card that is used to identify the mobile node. The network access device determines decryption information for the mobile node. For example, the credentials for the mobile node may be stored in a home location register (HLR) and are retrieved. The posture data is then decrypted using the credentials. The posture data is processed in a network admission control procedure for allowing access to the network. For example, a policy for access to the network may be installed based on the posture data.

Abstract: In one embodiment, a method for providing secure communications using a proxy is provided. The proxy negotiates with a client and a server to determine a session key to use with communications between the client and the proxy and between the proxy and the server. Encrypted data may then be received from the client at the proxy. The proxy can decrypt the encrypted data for processing using the session key. In one embodiment, the decrypted data is not altered. The proxy then sends the encrypted data that was received from the client to the server without re-encrypting the data that was decrypted. Because the proxy did not alter the data in its processing of the decrypted data and the same session key is used between communications for the proxy and the server, the encrypted data stream that was received from the client can be forwarded to the server.

Abstract: A switching device (e.g., router, bridge) provides time-based authorization of multicast services. When a message is received to request the delivery of a multicast service or a first message is sent to a multicast group, a subscription policy for the IP multicast subscription service is retrieved. This subscription policy includes one or more limitations which allow the IP multicast subscription service during some predefined time of day/week or duration but prevent the IP multicast subscription service during some predefined time of day/week or duration. The switching device is configured to enforce these time-based authorization of multicast services policies.

Abstract: In one embodiment, a method can include: (i) receiving a packet in a switch, where the packet includes a plurality of fields that forms a binding; (ii) performing a first lookup of a first table using a first lookup key, where the first lookup key includes a first subset of the plurality of fields; (iii) performing a second lookup of a second table using a second lookup key, where the second lookup key includes a result of the first lookup and a second subset of the plurality of fields; and (iv) indicating a check of the binding by using a result of the second lookup. The plurality of fields can include a media access control (MAC) source address, an internet protocol (IP) address, a receive port, and a receive virtual local area network (VLAN), while the result of the first lookup can include a layer-2 source index, for example.

Abstract: In one embodiment, a method for ensuring quality of a media message is provided. The method includes receiving information for a media message. At least a portion of the media is analyzed to determine a media quality for the media message. The method then determines if the media quality is acceptable. If the media quality is not acceptable, then an alert may be sent regarding the media quality of the media message. For example, a caller may be prompted to re-record a media message.

Abstract: Time delays from content servers to network devices on paths to a client are measured such as for, but not limited to, their use in selecting a content server based on a common network device. After identifying multiple context servers for possibly providing content to a client, time delays to multiple network devices along the path from each candidate content server to the client are measured, such as by the servers and/or probe agents associated therewith. The time delays to one or more network devices common to multiple content servers are analyzed to select one of the content servers, typically by selecting a smallest delay to a common network device. The operations involved in identifying delays to multiple network devices, as well as the operations involved in making a selection based on a delay to a common network device may be used in an extensible number of applications.

Abstract: In one embodiment, a solution is provided wherein multiple virtual devices may be configured on the same physical port of a network device. For example, a first virtual device and a second virtual device may be configured to use the same physical port. A single internal spanning tree instance may be configured for both the first virtual device and the second virtual device.