Abstract: A network device that includes a first memory to store packets in segments; a second memory to store pointers associated with the first memory; a third memory to store summary bits and allocation bits, where the allocation bits correspond to the segments. The network device also includes a processor to receive a request for memory resources; determine whether a pointer is stored in the second memory, where the pointer corresponds to a segment that is available to store a packet; and send the pointer when the pointer is stored in the second memory. The processor is further to perform a search to identify other pointers when the pointer is not stored in the second memory, where performing the search includes identifying a set of allocation bits, based on an unallocated summary bit, that corresponds to the other pointers; identify another pointer, of the other pointers, based on an unallocated allocation bit of the set of allocation bits; and send the other pointer in response to the request.

Abstract: Systems, methods, and apparatus, including computer program products for receiving a content transfer request that includes a first set of provisioning attributes that characterizes one or more operational objectives of a first item of content; and processing the content transfer request to allocate resources of a storage environment to store the first item of content.

Abstract: In general, techniques are described for performing load balancing across resources of a network device. In one example, upon receiving an initial packet, a load balancer module of the network device is configured to perform a lookup in a routing table based on a subscriber identifier associated with the initial packet, and determine whether a line card is pre-assigned to process the initial packet based at least in part on the lookup result. A packet forwarding engine is configured to when one of the line cards is pre-assigned, direct the initial packet to the pre-assigned line card, and, when one of the line cards is not pre-assigned, dynamically identify one of the line cards to process the initial packet based at least in part on header information of the initial packet, and direct the initial packet to the dynamically identified line card.

Abstract: In general, techniques of the present disclosure relate to synchronizing concurrent access to multiple portions of a data structure. In one example, a method includes, sequentially selecting a plurality of requests from a request queue, wherein at least one of the requests specifies a plurality of requested synchronization objects for corresponding candidate portions of a data structure to which to apply an operation associated with a data element. The method also includes querying one or more sets of identifiers to determine whether one or more of the requested synchronizations objects specified by the selected request are acquirable. The method also includes acquiring each of the requested synchronization objects that are acquirable. The method includes, responsive to acquiring all of the one or more requested synchronization objects, selecting a subset of the candidate portions of the data structure and applying the operation only to the selected subset of the candidate portions.

Abstract: A device creates a pool of available licenses for secure network resources, and receives an unused license from a network device. The device also provides the unused license in the pool of available licenses, and receives a request for a license from another network device. The device further provides, to the other network device, the unused license from the pool of available licenses.

Abstract: In one example, a platform device includes a control unit configured to receive a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy associated with the first software development entity, execute the first software package only after determining that a root of the first certificate hierarchy corresponds to a certificate authority of a developer of the platform device, receive a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy associated with the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, and execute the second software package only after determining that a root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device.

Abstract: In general, techniques are for providing a direct forwarding path between virtual routers within a single virtualized routing system. In one example, a method includes combining forwarding information from a plurality of virtual routers into collapsed forwarding information that comprises one or more direct forwarding paths between the respective virtual routers. The method also includes determining a direct forwarding path to an egress interface of the second virtual router, in response to receiving a network packet at an ingress interface of a first virtual router. The method also includes forwarding the network packet from the ingress interface of the first virtual router to the egress interface of the second virtual router using the direct forwarding path, wherein the network packet traverses a switch fabric directly from the ingress interface of the first virtual router to the egress interface of the second virtual router.

Abstract: A method of sending data to a switch fabric includes assigning a destination port of an output module to a data packet based on at least one field in a first header of the data packet. A module associated with a first stage of the switch fabric is selected based on at least one field in the first header. A second header is appended to the data packet. The second header includes an identifier associated with the destination port of the output module. The data packet is sent to the module associated with the first stage. The module associated with the first stage is configured to send the data packet to a module associated with a second stage of the switch fabric based on the second header.

Abstract: Techniques are described for establishing a point-to-multipoint (P2MP) label switched path (LSP) using a branch node-initiated signaling model in which branch node to leaf (B2L) sub-LSPs are signaled and utilized to form a P2MP LSP. The techniques described herein provides a scalable solution in which the number of sub-LSPs for which the source node or any given branch node need maintain state is equal to the number of physical data flows output from that node to downstream nodes, i.e., the number of output interfaces used for the P2MP LSP by that node to output data flows to downstream nodes. As such, unlike the conventional source node-initiated model in which each node maintains state for sub-LSPs that service each of the leaf nodes downstream from the device, the size and scalability of a P2MP LSP is no longer bound to the number of leaves that are downstream from that node.

Abstract: A network device receives a join request on a downstream interface, wherein the join request specifies a source device and multicast group, wherein the network device is positioned within a core network of a multicast virtual private network (MVPN) that transmits multicast traffic between the source device and a plurality of receivers associated with customer sites. The network device selects an upstream router to which to send the join request from among a plurality of upstream routers on paths leading to the source device, so as to avoid creating a join request loop in the core network. At least one of the upstream routers is positioned on an Exterior Border Gateway Protocol (EBGP) path toward the source device, and at least one of the upstream routers is positioned on an Interior BGP (IBGP) path toward the source device. The network device sends the join request to the selected upstream device.

Abstract: In general, techniques are described for performing a graceful restart for a computing network utilizing downstream on demand (DOD) label distribution. In one example, a method is provided that includes establishing a communication session for Label Distribution Protocol (LDP) that uses a downstream on demand label distribution mechanism for distributing labels. A first label mapping message is exchanged between two routers that defines at least a first label to be applied by an upstream router when forwarding one or more of the data packets to a destination. When the communication session fails, a forwarding state comprising the first label is preserved, and one or more data packets are forwarded based on the first label. The communication session is gracefully restarted. Once the communication session is reestablished, a second label mapping message is exchanged between the routers.

Abstract: In general, the invention is directed to techniques for identifying memory overruns. For example, as described herein, a device includes a main memory that enables an addressable memory space for the device. A plurality of memory pages each comprises a separate, contiguous block of addressable memory locations within the addressable memory space. The device also includes a memory manager comprising a secure pool allocator that assigns a secure pool size value to a first one of the plurality of memory pages. The secure pool size value defines a plurality of protected memory spaces in the first memory page that partition the first memory page into a plurality of secure objects. The device also includes a memory management unit comprising secure pool logic that determines, based on the secure pool size value, whether a memory address is an address of one of the protected memory spaces in the first memory page.

Abstract: An apparatus for clamping and relieving strain in a set of optical fiber ribbon. The strain relief clamp includes a first attachment portion and second attachment portion configured to secure the strain relief clamp to a system component and a set of optical fiber ribbons to the strain relief clamp. When secured the strain relief clamp is configured to relieve strain in the set of optical fiber ribbons.

Abstract: A router maintains routing information including (i) route data representing destinations within a computer network, (ii) next hop data representing interfaces to neighboring network devices, and (iii) indirect next hop data that maps a subset of the routes represented by the route data to a common one of the next hop data elements. In this manner, routing information is structured such that routes having the same next hop use indirect next hop data structures to reference common next hop data. In particular, in response to a change in network topology, the router need not change all of the affected routes, but only the common next hop data referenced by the intermediate data structures. This provides for increased efficiency in updating routing information after a change in network topology, such as link failure.

Abstract: In general, techniques of this disclosure relate to measuring scheduling performance of monitored threads in an operating system with improved precision. In one example, a method includes inserting, by an operating system kernel, a monitored thread into a queue comprising one or more threads and recording an insertion time that the monitored thread is inserted into the run queue; receiving, by the kernel, an event to remove the monitored thread from the run queue; responsive to receiving the event, determining, by the kernel, an amount of time that the monitored thread is stored on the run queue based on the insertion time and a removal time at which the monitored thread was removed from the run queue; and when the amount of time the monitored thread is stored on the run queue is greater than or equal to a specified threshold, sending a notification to a notification listener.

Abstract: A network service administration system including a plurality of service objects, a plurality of address objects; and a service configuration application for a multifunction appliance running on a client computer coupled to the appliance via a network. The service configuration application includes an interface allowing subscribers to configure at least a subset of application content services provided by the appliance and including a rule set implementing rules in ones of said application content services in said subset based on changes to configurations of any other of said application content services. Each of said service objects may comprise an individual network service definition.

Abstract: An optical network device re-routes traffic from a path to a backup path in response to determining that a downstream segment of the primary path is not operational. The optical network device receives traffic on a slot of an optical fiber. For each data unit in the traffic, the optical network device determines, based on receiving the data unit on the slot and based on a flow identifier specified in the data unit, that a given path is associated with the data unit. If a downstream segment of the given path is not operational, the optical network device routes the data unit onto a backup path instead of routing the data unit along the given path. Bandwidth is not reserved for the backup path.

Abstract: In some embodiments, an apparatus comprises a first switch configured to define an initialization packet that has a header value associated with a port from a set of ports associated with a link aggregation group. The first switch is configured to send the initialization packet to a second switch via the port based on the header value. The first switch is configured to receive an acknowledgement packet including the header value from the second switch in response to the second switch receiving the initialization packet. The first switch is configured to retrieve the header value from the acknowledgement packet such that the first switch defines, in response to the first switch receiving the acknowledgement packet, a response packet having the header value. The first switch is configured to send the response packet to the second switch via the port based on the header value.

Abstract: In general, techniques are described for informing services nodes of private network address information in order to apply subscriber-aware services with the services node. In some examples, a services node includes an Authentication, Authorization, and Accounting (AAA) interface to receive a AAA message, wherein the AAA message has been extended from a AAA protocol to specify a private network address of a subscriber device authenticated to an access network by the AAA server and assigned the private network address that is not routable external to the access network. A mapping module associates the public network address of subscriber data traffic with the private network address received by the AAA message. One or more service modules select one or more of a plurality of subscriber policies using the associated private network address and apply services to the subscriber data traffic in accordance with the selected subscriber policies.

Abstract: A switch fabric for a modular router may be tested without connecting the switch fabric portion of the router to the other modular portions of the router. The switch fabric may generate test data units and insert the test data units into one or more elements of the switch fabric. The switch fabric may operate with the inserted test data units. A control component may receive data units from the switch fabric after operation of the switch fabric and analyze the received data units to determine whether the received data units correspond to the inserted test data units.