Abstract: Methods, apparatus, and other mechanisms are disclosed for merging lookup results, such as from one or more associative memory banks and/or memory devices. In one exemplary implementation, multiple associative memories or associative memory banks are configured to substantially simultaneously generate a plurality of lookup results based on a lookup value. Multiple memories are each configured to generate a corresponding result based on the lookup result generated by its corresponding associative memory or associative memory bank. A combiner is configured to receive and merge these corresponding results generated substantially simultaneously in order to identify the merged lookup result.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for filling token buckets of schedule entries, such as those used in, but not limited to, a scheduling system used in a computer or communications system (e.g., for sending packets, allocating processing resources, etc.). A scheduling system includes multiple schedule entries with a number of tokens and a last filled slot value. A period of time allocated for periodically updating the number of tokens for all of the schedule entries is divided into the slots, and each schedule entry is associated with a particular fill slot. Each particular schedule entry is repeatedly sequence through and updated during is corresponding slot; while in parallel, a next schedule entry to service is repeatedly identified and updated, while in parallel, ineligible entries schedule to be woken up for the current time slot are made eligible.

Abstract: A hierarchical tree of deterministic finite automata (DFA) is traversed and/or generated based on a set of regular expressions. The hierarchical DFA includes a root DFA linked together with a set of leaf DFAs, and possibly a set of branch DFAs. The root DFA is always active and is responsive to an input string, as are any currently active branch and leaf DFAs. When a final state or arc is reached or traversed in any active DFA, a regular expression has been matched. The branch and leaf DFAs are activated in response to the root DFA or a branch DFA reaching or traversing an activation state or arc corresponding to the branch or leaf DFA. Active branch and leaf DFAs will become inactive when a termination state or arc is reached or traversed within the branch or leaf DFA. State explosion in the hierarchical DFA can typically be avoided by selectively grouping similar portions of the regular expressions together in branch and leaf DFAs.

Abstract: Mechanisms for programming and performing combined interface and non-interface specific associative memory lookup operations for processing of packets are disclosed. One system includes multiple interfaces, a content-addressable memory, multiple memory entries and a lookup mechanism. The content-addressable memory includes multiple interface independent entries, multiple first interface dependent entries corresponding to the first interface, and multiple second interface dependent entries corresponding to the second interface. At least some of the memory entries correspond to the interface independent entries, and are configure to produce an interface independent result corresponding to a result of a lookup operation on the interface independent entries.

Abstract: A method and apparatus for initiating a zeroization process in an electronic device is provided. Diagnostic information is provided by a plurality of sub-systems such that when one or more conditions are detected that are expected to cause the electronic device to experience a failure in the near future or if the electronic device appears to have been compromised, then the zeroization process is triggered.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for matching items with resources, such as, but not limited to packet processing contexts, output links, memory, storage, specialized hardware or software, compute cycles, or any other entity. One implementation includes means for maintaining distribution groups of items, means for maintaining differently aged resources queues, and means for matching resources identified as being at the head of the plurality of differently aged resources queues and as being primarily and secondarily associated with said distribution groups based on a set of predetermined criteria.

Abstract: A system for local allocation or provisioning of resources in a network. Allocation rules are defined based on one or more factors of user identity, device identity and device location. A communication is given a priority level based on the rules. A device in the network performs local provisioning according to the rule definitions. Rule definitions can be set or changed via a user interface. Automated ways to obtain factor values can be used such as automatic identification of users, devices, and location. Other possible factors to use to determine resource allocation can be time of day, date, identity of an originating or target device, identity of a caller or callee, etc. Resources that can be allocated include bandwidth, processing cycles, network storage and power.

Abstract: A virtual address storage system, which may be of particular used in generating fragmented packets, is implemented using a linked list of data segments. Multiple storage segments linked together in a linked list data structure are maintained to represent a virtual contiguous block of storage to be accessed based on a virtual address. Virtual address to corresponding data segment pointer associations are maintained for identifying a data segment corresponding to a particular address within the address space. In response to an identified address in the address space, a particular closest dynamic recently used association is identified and used to traverse to the desired data segment (e.g. rather than traversing from the beginning of the linked list), and one of the dynamic recently used associations is updated. A packet can be stored in this address space along with newly generated packet headers and tails for the multiple fragmented packets.

Abstract: A system for storing information in a network. The system includes one or more network elements and a message adapted for transfer between the one or more network elements. A mechanism selectively augments the message with information pertaining to a state associated with the one or more network elements. In one embodiment, the system includes space within the message for accommodating one or more state vias containing the state information. One or more computers associated with the one or more network elements are adapted to update the message with state information pertaining to each of the one or more network elements that receives the message via the network.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for use in protecting groups of data words. One embodiment manipulates these data words to generate a resultant data word and an error correction code thereon for use in identifying a position of a bit error, with error detection codes used to identify which data word actually has the bit error. One embodiment retrieves a stored particular data word and its error detection code from memory or other storage. If an error is detected, the other data words in the group corresponding to the error correction code are acquired and are manipulated to produce a new resultant data word. The error correction code and the new resultant data word are used to identify the position of the bit error, with a corresponding bit position corrected in the particular data word.

Abstract: Eligible entries are scheduled using an approximated finish delay identified for an entry based on an associated speed group. One implementation maintains schedule entries, each respectively associated with a start time and a speed group. Each speed group is associated with an approximated finish delay. An approximated earliest finishing entry from the eligible schedule entries is determined that has an earliest approximated finish time, with the approximated finish time of an entry being determined based on the entry's start time and the approximated finish delay of the associated speed group. The scheduled action corresponding to the approximated earliest finishing entry is then typically performed. The action performed may, for example, correspond to the forwarding of one or more packets, an amount of processing associated with a process or thread, or any activity associated with an item.

Abstract: Methods and apparatus are disclosed herein for classifying packets using ternary and binary content-addressable memory stages to classify packets. One such system uses a stage of one or more TCAMS followed by a second stage one or more CAMS (or alternatively some other binary associative memories such as hash tables or TRIEs) to classify a packet. One exemplary system includes TCAMs for handling input and output classification and a forwarding CAM to classify packets for Internet Protocol (IP) forwarding decisions on a flow label. This input and output classification may include, but is not limited to routing, access control lists (ACLs), quality of service (QoS), network address translation (NAT), encryption, etc. These IP forwarding decisions may include, but are not limited to IP source and destination addresses, protocol type, flags and layer 4 source and destination ports, a virtual local area network (VLAN) id and/or other fields.

Abstract: Methods and apparatus are disclosed for performing lookup operations using associative memories, including, but not limited to modifying search keys within an associative memory based on modification mappings, forcing a no-hit condition in response to a highest-priority matching entry including a force no-hit indication, selecting among various sets or banks of associative memory entries in determining a lookup result, and detecting and propagating error conditions. In one implementation, each block retrieves a modification mapping from a local memory and modifies a received search key based on the mapping and received modification data. In one implementation, each of the associative memory entries includes a field for indicating that a successful match on the entry should or should not force a no-hit result. In one implementation, an indication of which associative memory blocks or sets of entries to use in a particular lookup operation is retrieved from a memory.

Abstract: Different mechanisms are disclosed for translating native Media Access Control (MAC) addresses to and from corresponding hierarchical MAC addresses, and the use of such MAC addresses. A packet switch typically maintains a data structure relating native MAC addresses of certain devices with external MAC addresses, wherein each of the external MAC addresses is typically hierarchical in nature with a portion of the translated address identifying a switch local to the destination device and through which the destination device is to be reached. Other network elements can then readily determine where to route a packet with a destination identified by such a hierarchical MAC address without having to maintain such a large or complete database of MAC addresses as the packet can be routed to the switch based on a portion of the hierarchical address (e.g., typically without regard to the portion of the address identifying the actual destination device).

Abstract: Mechanisms for storing and searching a hierarchy of policies and associations thereof are disclosed which may be particularly useful for implementing security protocols, such as, but not limited to Internet Protocol security (IPsec). For example, a hierarchy of policies is stored in a search priority order in an associative memory, with each association of a particular policy stored higher in the search priority than its associated policy and after any other policy. Therefore, a lookup operation on the associative memory will identify a matching association, if one, else its matching policy. A match of a policy instead of an association may result in a corresponding association being added in the appropriate location. For IPsec implementations, the lookup word is typically derived from the packet, with this packet being typically processed based on the identified policy or association.

Abstract: Token buckets are used in a computer or communications system for controlling rates at which corresponding items are processed. The number of tokens in a token bucket identifies the amount of processing that is available for the corresponding item. Instead of storing the value of a token bucket as a single value in a single memory location as traditionally done, the value of a token bucket is stored across multiple storage locations, such as in on-chip storage and in off-chip storage (e.g., in a memory device). An indication (e.g., one or more bits) can also be stored on chip to identify whether or not the off-chip stored value is zero and/or of at least of a certain magnitude such that it may be readily determined whether there are sufficient tokens to process an item without accessing the off-chip storage.

Abstract: Schedules may use burst tolerance values to adjust the scheduling in a time-based schedule, such as, but not limited to, adjusting for accumulated but not used bandwidth, and/or adjusting eligibility of schedule entries. A best schedule item associated with an eligible schedule entry of a schedule is identified. Whether or not a particular schedule entry is eligible is typically determined based on the relationship of an associated timestamp with a current scheduling time, such as its timestamp being less than or equal to the current time. A burst tolerance time bound might also be used to allow certain priorities and/or types of items to be considered eligible if even its timestamp exceeds the current time by an amount, but less than or equal to the burst tolerance time bound.

Abstract: Disclosed is a hierarchy of individual schedulers with multiple scheduling lanes for scheduling items, such as, but not limited to packets or indications thereof, such that different classes of priority items can be propagated through the hierarchy of schedulers accordingly. A pipeline scheduler typically includes a root scheduler and one or more layers of schedulers with each of these layers including at least one scheduler. Each scheduler is configured to maintain items of different scheduling categories received from each of the particular scheduler's immediate children schedulers within the pipeline scheduler if any and from each immediate external source coupled to the particular scheduler if any, and to schedule the sending of the items of the different scheduling categories currently maintained to its parent schedule or external scheduler client. The items may correspond to packets, indications of packets, or any other entity.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for maintaining and using a data structure identifying for multiple addresses the reverse path forwarding information for a common intermediate node. A data structure includes an address lookup data structure for identifying leaf nodes of multiple leaf nodes corresponding to matching addresses. Each of the multiple leaf nodes includes a reverse path forwarding indirection link to a corresponding sub-data structure indicating reverse path forwarding information. Each of a particular set of leaf nodes having a same intermediate reachability node in a network includes a particular indirection link to a same particular sub-data structure indicating reverse path forwarding information. The intermediate reachability node may or may not be a gateway node to a different intranet.

Abstract: Weighted random scheduling is preformed, which may be particularly applicable to packet switching systems. For each particular input of multiple switch inputs, a request to send a packet to one of the outputs of the switch is generated by weighted randomly selecting one of the outputs to which the particular input has one or more packets to send. One of the requests is granted for each different one of the outputs for which one or more requests were generated. Packets are sent between the inputs and the output corresponding to the granted requests. The weighted random selection is typically weighted based on the number of packets or bytes to send to each of the outputs by a corresponding input of the inputs, the last times packets were sent from a corresponding input of the inputs to each of the outputs, and/classes of service associated with packets to send to each of the outputs by a corresponding input of the inputs.