Patents Assigned to F5 Networks, Inc.
-
Publication number: 20080256239
Abstract: A server array controller that includes a Data Flow Segment (DFS) and at least one Control Segment (CS). The DFS includes the hardware-optimized portion of the controller, while the CS includes the software-optimized portions. The DFS performs most of the repetitive chores including statistics gathering and per-packet policy enforcement (e.g. packet switching). The DFS also performs tasks such as that of a router, a switch, or a routing switch. The CS determines the translation to be performed on each flow of packets, and thus performs high-level control functions and per-flow policy enforcement. Network address translation (NAT) is performed by the combined operation of the CS and DFS. The CS and DFS may be incorporated into one or more separate blocks. The CS and DFS are independently scalable. Additionally, the functionality of either the DFS or the CS may be separately implemented in software and/or hardware.
Type: Application
Filed: March 11, 2008
Publication date: October 16, 2008
Applicant: F5 Networks, Inc.
Inventors: Robert George Gilde, Steven Lee Harms
-
Patent number: 7409460
Abstract: A system, apparatus, and method for managing the flow of data on a network. A plurality of processors are used to implement a virtual queue, for controlling a rate of flow of data on the network. Each of the processors has a member queue, the combination of member queues combining to form the virtual queue. Aspects of the invention use messages to communicate among the processors, to properly control the rate of flow.
Type: Grant
Filed: May 12, 2003
Date of Patent: August 5, 2008
Assignee: F5 Networks, Inc.
Inventor: Ning Xiang Li
-
Patent number: 7395349
Abstract: A method and system is directed to routing a flow of packets over a network to multiple traffic management devices. An apparatus receives each packet from a network and forwards the packet to one of a group of traffic management devices. The apparatus also may receive packets from servers for which the traffic management devices are managing communications. When forwarding packets, a traffic management device is selected from the group of traffic management devices by employing a hash of an IP address and port number. The IP address and port number are selected from source or destination information in the packet that has a greater port number. When the traffic management device performs a network address translation, further actions may be performed so that packets that are part of a flow between two network devices are delivered to the same traffic management device.
Type: Grant
Filed: August 20, 2003
Date of Patent: July 1, 2008
Assignee: F5 Networks, Inc.
Inventors: Paul Szabo, David D. Schmitt, Ning X. Li
-
Patent number: 7376967
Abstract: A system and method for performing asynchronous cryptographic operations. A cryptographic toolkit receives requests for cryptographic operations, and initiates the cryptographic operations within a thread of execution. The toolkit detects when the cryptographic operations are complete, retrieves the results, and returns the results to a calling program. The cryptographic operations are performed in an asynchronous manner, without blocking a calling program. The calling program can specify whether the requested operations are to be performed without blocking.
Type: Grant
Filed: December 2, 2002
Date of Patent: May 20, 2008
Assignee: F5 Networks, Inc.
Inventors: John R. Hughes, Richard Roderick Masters, David D. Schmitt
-
Patent number: 7355977
Abstract: A method and system for creating and maintaining an allocation table that associates allocation buckets with corresponding target identifiers. Each target identifier has a corresponding weighting value. The allocation table has a number of allocation buckets, each associated with a target identifier. When one or more weighting values change, one or more buckets are reassigned to different target identifiers. A number of factors are considered in determining whether to delay modification of the allocation table, in order to further reduce disruption. The allocation table may be used to distribute packets among network devices, or more generally, to route packets along paths in a network.
Type: Grant
Filed: August 16, 2002
Date of Patent: April 8, 2008
Assignee: F5 Networks, Inc.
Inventor: Ning Xiang Li
-
Patent number: 7349391
Abstract: A system is described having a network, a bus and an interface coupling the network to the bus. A host is coupled to the network and executes software to generate packets for communication on the network. A bus device is coupled to the bus. The interface and host coordinate to transport bus device packets between the host and the bus device via tunneling over the network.
Type: Grant
Filed: March 19, 1999
Date of Patent: March 25, 2008
Assignee: F5 Networks, Inc.
Inventors: Avner Ben-Dor, James Goodwin, Joseph Meza, Mark S. Young, David Zalatimo
-
Patent number: 7346695
Abstract: A method and apparatus for inserting and examining Cookies in the data streams of HTTP connections for the purpose of persistently directing HTTP connections to the same destination. A network device directs subsequent HTTP connections from the same client to the same server (destination) for accessing the requested resources. There are four modes for employing the Cookie to persistently direct HTTP connections. The associated mode inserts a Cookie that uniquely identifies the client into an HTTP response. The passive mode inserts Cookie information that uniquely identifies a previously selected destination into an HTTP response. In the rewrite mode, a network device manages the destination information that is rewritten over blank Cookie information generated by the destination producing the HTTP response. The insert mode inserts and removes Cookie information in the data packets for HTTP requests and response prior to processing by the destination.
Type: Grant
Filed: October 26, 2005
Date of Patent: March 18, 2008
Assignee: F5 Networks, Inc.
Inventor: Richard R. Masters
-
Patent number: 7343413
Abstract: A server array controller that includes a Data Flow Segment (DFS) and at least one Control Segment (CS). The DFS includes the hardware-optimized portion of the controller, while the CS includes the software-optimized portions. The DFS performs most of the repetitive chores including statistics gathering and per-packet policy enforcement (e.g. packet switching). The DFS also performs tasks such as that of a router, a switch, or a routing switch. The CS determines the translation to be performed on each flow of packets, and thus performs high-level control functions and per-flow policy enforcement. Network address translation (NAT) is performed by the combined operation of the CS and DFS. The CS and DFS may be incorporated into one or more separate blocks. The CS and DFS are independently scalable. Additionally, the functionality of either the DFS or the CS may be separately implemented in software and/or hardware.
Type: Grant
Filed: March 21, 2001
Date of Patent: March 11, 2008
Assignee: F5 Networks, Inc.
Inventors: Robert George Gilde, Steven Lee Harms
-
Patent number: 7308475
Abstract: A method and system for accessing network services. A client sends a request for a service. The request includes an address of the client. One or more resolvers receive the request for a service. The one or more resolvers determine at least one service location to return to the client based at least partially on the service requested and the address of the client. The at least one service location is then returned to the client. The service locations returned to the client may also be based on a policy, user preferences, client preferences, or client characteristics.
Type: Grant
Filed: May 6, 2003
Date of Patent: December 11, 2007
Assignee: F5 Networks, Inc.
Inventors: Joseph A. Pruitt, Bryan D. Skene, Patrick D. Jenny, Gary N. Mager
-
Patent number: 7296145
Abstract: A system and method for conducting secure distributed network communications without using Secure Socket Layer. A frame having an embedded security applet is forwarded by the device to an external node on the network. The security applet prompts a user at the external node for login data. Once valid, login data is established, subsequent frames sent between the device and external node includes a blank form with an appended string of tagged and concatenated secure field values encrypted using a key derived from the login data.
Type: Grant
Filed: May 10, 2001
Date of Patent: November 13, 2007
Assignee: F5 Networks, Inc.
Inventor: Kim F. Storm
-
Patent number: 7296263
Abstract: The present invention provides a method and system for performing operations on data using XML streams. An XML schema defines a limited set of operations that may be performed on data. These operations include addition, subtraction, multiplication and division. The operations are placed in an XML stream that conforms to the XML schema. The XML stream may perform one or more of the defined operations on the data. The limited set of operations allows data to be validated and processed without excessive overhead.
Type: Grant
Filed: December 12, 2002
Date of Patent: November 13, 2007
Assignee: F5 Networks, Inc.
Inventor: Arun T. Jacob
-
Patent number: 7286476
Abstract: An architecture for optimizing network communications that utilizes a device positioned at two edges of a constrained Wide Area Network (WAN) link. The device intercepts outgoing network packets and reroutes them to a proxy application. The proxy application uses multiple, preferably persistent connections with a network accelerator device at the other end of the persistent connection. The proxy applications transmit the intercepted data. Packet mangling may involve spoofing the connection request at each end node; a proxy-to-proxy communication protocol specifies a way to forward an original address, port, and original transport protocol information end to end. The packet mangling and proxy-to-proxy communication protocol assure network layer transparency.
Type: Grant
Filed: August 1, 2003
Date of Patent: October 23, 2007
Assignee: F5 Networks, Inc.
Inventors: Youssri Helmy, Tarek Nabhan
-
Patent number: 7287084
Abstract: A method and system for inserting and examining encrypted identification information in the data streams of application level connections for the purpose of persistently directing application connections to the same destination. The invention enables a network device to direct subsequent application level connections from the same client to the same server (destination) for accessing the requested resources. There are four modes for employing the encrypted information to persistently direct application level connections. The associative mode inserts information that uniquely identifies the client into a response. The passive mode inserts information that uniquely identifies a previously selected destination into a response. In the rewrite mode, a network device manages the destination information that is rewritten over blank information generated by the destination producing the response.
Type: Grant
Filed: September 26, 2005
Date of Patent: October 23, 2007
Assignee: F5 Networks, Inc.
Inventor: Richard R. Masters
-
Patent number: 7206282
Abstract: A method and apparatus for allocating access to a scarce resource. A load of each flow on the resource is calculated. The aggregate load is compared to a maximum steady state load. A drop policy is established responsive to the comparison. The drop policy is applied to the flows at an input interface of the device.
Type: Grant
Filed: May 29, 2001
Date of Patent: April 17, 2007
Assignee: F5 Networks, Inc.
Inventors: Tomasz J. Goldman, Christian Paulsen
-
Patent number: 7197661
Abstract: Methods and systems are directed to dynamically mirroring a connection between network devices. Mirroring is managed by forwarding a packet between a first network device and a second network device. In one method, the first network device receives the packet from a client and communicates the packet to the second network device. A forwarding device, pre-determined from the first and second network devices, forwards the packet to a server. The first network device receives a response from the server, and communicates it to the second network device. The forwarding device forwards the response packet to the client. In one configuration, the first network device and forwarding device is an active device, and the second network device is a standby device. In another configuration, the first network device is a standby device, and the second network device and forwarding device is an active device.
Type: Grant
Filed: December 5, 2003
Date of Patent: March 27, 2007
Assignee: F5 Networks, Inc.
Inventors: Keith Robert Reynolds, John R. Hughes
-
Publication number: 20060291388
Abstract: A system for distributing network traffic to multiple traffic management devices. A distributor receives each packet from a network and may act as a layer 2 switch, a router, or distribute the packet to one of a group of traffic management devices. The distributor may receive packets from servers that the traffic management devices are managing communications to. When distributing packets to traffic management devices, information such as source and destination addresses may be used to determine which traffic management device each packet should be sent to. The distributor causes packets that are part of a flow to be delivered to the same traffic management device.
Type: Application
Filed: September 1, 2006
Publication date: December 28, 2006
Applicant: F5 Networks, Inc.
Inventors: Carlton Amdahl, Robert Gilde, David Schmitt, Paul Szabo, Richard Masters
-
Patent number: 7146354
Abstract: The invention provides for employing a complex data structure to optimize the retrieval of data from a data store over a network. The complex data structure includes two separate sub-data structures (Trie and List) that separately reference the same data objects in a data store. The complex data structure employs a functional interface to determine which data structure matches a particular function request for data. A Trie sub-data structure is used to fulfill a single data object request. The List sub-data structure is employed with function requests related to several data objects. Each data object is associated with a parent object that includes a list of every reference to the data object in both the Trie and List sub-data structures. When a data object is subsequently deleted, the parent object list is employed to automatically delete every reference to the deleted data object in both the Trie and List sub-data structures.
Type: Grant
Filed: June 19, 2000
Date of Patent: December 5, 2006
Assignee: F5 Networks, Inc.
Inventors: Scott P. Tennican, Bryan D. Skene
-
Patent number: 7126955
Abstract: An architecture for optimizing network communications that utilizes a device positioned at two edges of a constrained Wide Area Network (WAN) link. The device intercepts outgoing network packets and reroutes them to a proxy application. The proxy application uses persistent connections with a network accelerator device at the other end of the persistent connection. The proxy applications transmit the intercepted data after compressing it using a dictionary-based compression algorithm. Packet mangling may involve spoofing the connection request at each end node; a proxy-to-proxy communication protocol specifies a way to forward an original address, port, and original transport protocol information end to end. The packet mangling and proxy-to-proxy communication protocol assure network transparency.
Type: Grant
Filed: January 29, 2003
Date of Patent: October 24, 2006
Assignee: F5 Networks, Inc.
Inventors: Tarek Nabhan, Youssri Helmy
-
Patent number: 7113962
Abstract: A system and computer implementable method for updating content on servers coupled to a network. The method includes updating an origin server with a version of files used to provide content, retrieving data that indicates an action to be performed on one or more cache servers in conjunction with updating the origin server, and performing the action to update entries in the one or more cache servers. Each entry in each cache server is associated with a subset of the content on the origin server and may include an expiration field and/or a time to live field. An example of a subset of content to which a cache entry may be associated is a Web page. Cache servers are not required to poll origin servers to determine whether new content is available. Cache servers may be pre-populated using push or pull techniques.
Type: Grant
Filed: January 25, 2002
Date of Patent: September 26, 2006
Assignee: F5 Networks, Inc.
Inventors: Thomas E. Kee, Ryan C. Kearny, Donald Joseph DeCaprio, Christian D. Saether
-
Patent number: 7114180
Abstract: A method and system for authenticating and authorizing requesters interacting with content servers. A message including a request is forwarded from an upstream device and received by an intermediate device. The intermediate device authenticates the upstream device. Then, if the intermediate device is authorized to make decisions as to which sender may access the content server, the intermediate device determines whether the sender of the message has authority to access the content server as requested in the request. Otherwise, the message is forwarded towards the content server with an indication that the intermediate device authenticated the upstream device.
Type: Grant
Filed: July 16, 2002
Date of Patent: September 26, 2006
Assignee: F5 Networks, Inc.
Inventor: Donald Joseph DeCaprio