Abstract: A system receives a set of datagrams and forms frames based on the datagrams, where at least one of the frames includes data associated with multiple ones of the datagrams. The system writes the frames to memory to form superframes in the memory, where each of the superframes includes multiple ones of the frames. The system reads the superframes from the memory, recreates the datagrams based on the superframes, and outputs the datagrams.
Type: Grant
Filed: July 9, 2009
Date of Patent: March 8, 2011
Assignee: Juniper Networks, Inc.
Inventors: David Lipschutz, John C Carney, Thomas V Radogna
Abstract: A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device; during a second stage, to monitor a plurality of types of transactions for a plurality of network sessions when a parameter for the connections exceeds a connection threshold; and during a third stage, to monitor communications associated with network addresses from which transactions of at least one of the types of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceed a client-transaction threshold.
Abstract: A key engine that performs route lookups for a plurality of keys may include a data processing portion configured to process one data item at a time and to request data when needed. A buffer may be configured to store a partial result from the data processing portion. A controller may be configured to load the partial result from the data processing portion into the buffer. The controller also may be configured to input another data item into the data processing portion for processing while requested data is obtained for a prior data item. A number of these key engines may be used by a routing unit to perform a large number of route lookups at the same time.
Abstract: A system aggregates connections to multiple customer devices. The system receives data, performs switching functions on the data when the data is to be transmitted in a first direction, performs routing functions on the data when the data is to be transmitted in a second direction, and transmits the data in the first or second direction.
Abstract: A system determines a scheduling value based on a current length of a downstream queue in a network device. The system sends the scheduling value from the downstream queue to an upstream queue and schedules dequeuing of one or more data units, destined for the downstream queue, from the upstream queue based on the scheduling value.
Abstract: Plural arbiters arbitrate over a set of queues. The arbiters are constructed as a series of pipelined stages. Conflict detection logic detects conflicts among the arbiters in arbitrating across the queues, and, when a conflict is detected, the conflict detection logic alters processing related to conflicting queues in one arbiter when another arbiter has not passed a predetermined commit point in processing the queue.
Abstract: A network device includes a memory, a routing engine and a forwarding engine. The memory stores a forwarding table and the routing engine constructs a first composite next hop that includes multiple next hops, where each of the multiple next hops represents an action to be taken on a data unit as it transits the network device or represents another composite next hop, and where the first composite next hop specifies a function to be performed on the plurality of next hops. The routing engine further stores the composite next hop in an entry of the forwarding table. The forwarding engine retrieves the composite next hop from the forwarding table, and forwards a data unit towards one or more network destinations based on the composite next hop.
Abstract: A router detects a network attack and forwards traffic associated with the network attack to a discard interface. The router applies one or more filters to calculate traffic flow statistics for the traffic forwarded to the discard interface. The router may exchange routing communications with one or more other routers to alert the routers of the network attack. For example, the router may generate a routing communication in accordance with a routing protocol that advertises a route to the targeted device, and includes a policy tag that indicates the existence of a network attack. The other routers update forwarding information in accordance with the advertised route, and automatically forward traffic to respective discard interfaces based on the policy tag, thereby diffusing the network attack.
Abstract: A standalone router is integrated into a multi-chassis router. Integrating the standalone router into a multi-chassis router requires replacing switch cards in the standalone router with multi-chassis switch cards. The multi-chassis switch cards forward packets to a central switch card chassis for routing within the multi-chassis router. By incrementally replacing standalone switch cards with multi-chassis switch cards in the standalone router, packet forwarding performance is maintained during the integration.
Type: Grant
Filed: February 8, 2008
Date of Patent: March 1, 2011
Assignee: Juniper Networks, Inc.
Inventors: Steve W. Turner, Sriram Raghunathan, Jeffrey M. DiNapoli, Umesh Krishnaswamy, Anurag P. Gupta
Abstract: A controller may include a measurement circuit configured to generate a proxy signal representing delay variations in the controller. The measurement circuit may also generate a measurement value from the proxy signal. A control circuit may be configured to convert the measurement value into a control value. A delay circuit may be adjusted by the control value to alter an amount of delay of a signal.
Abstract: A system protects database operations performed on a shared resource. The system may chunk memory to form a set of memory chunks which have memory blocks, at least some of the memory blocks including database objects. The system may configure at least one binary search tree using the memory chunks as nodes and buffer a set of pointers corresponding to the memory blocks. The system may further validate the buffered pointers and dereference validated buffered pointers.
Abstract: Detecting if a label-switched path (LSP) is functioning properly. To test that packets that belong to a particular Forwarding Equivalence Class (FEC) actually end their MPLS LSP on a label switching router (LSR) that is an egress for that FEC, a request message carrying information about the FEC whose LSP is being verified may be used. The request message may be forwarded like any other packet belonging to that FEC. A basic connectivity test as well as a fault isolation test are supported. In a basic connectivity test mode, the packet should reach the end of the LSP, at which point it is sent to the control plane of the egress LSR. The LSR then verifies that it is indeed an egress for the FEC. In a fault isolation test mode, the packet is sent to the control plane of each transit LSR, which performs various checks that it is indeed a transit LSR for the LSP. The transit LSR may also return further information that helps check the control plane against the data plane, i.e.
Abstract: In one embodiment, a method includes accessing a condition test vector, selecting a key from a plurality of keys, and determining whether the key selected and a condition value satisfy a condition relation. The accessing being based on an index value. The condition test vector including a first plurality of bit values defining the condition relation, a second plurality of bit values defining a key selector, and a third plurality of bit values defining the condition value. The selecting being based on the second plurality of bit values. Each key from the plurality of keys including a combination of bit values representing a portion of a data packet. A result is defined based on the determining.
Abstract: A system distributes extended traffic accounting information of bandwidth availability on links throughout a network. For example, routers within the network utilize an extended reservation protocol to calculate bandwidth availability information for links. In calculating the bandwidth availability information, the extended reservation protocol accounts for not only the amount of bandwidth reserved on each of the links via the resource reservation protocol itself, but also for the bandwidth usage by other traffic on the links, such as Label Distribution Protocol (LDP) traffic or Internet Protocol (IP) traffic. The routers exchange bandwidth availability information using a routing protocol to gain network-wide knowledge of bandwidth availability.
Abstract: Filters are selectively applied to packets depending on forwarding equivalence classes (FECs) of the packets. A FEC filter is defined within the network device and qualified by incoming interface information that identifies source sites of the packets. A label distribution protocol (LDP) FEC is configured such that packets of the given FEC are associated with the FEC filter. The FEC identifies a destination site of the packets received by the router and is automatically combined with incoming interface information. In this way, packet flows may be filtered based on FECs of the packets. FEC filters may be further refined to operate at forwarding class granularity. The techniques allow accurate billing of packets traveling between specific source and destination sites regardless of the number of interfaces of the network device the packets utilize. In addition, the filtering can be used to provide anti-spoofing capabilities.
Type: Grant
Filed: July 29, 2005
Date of Patent: February 15, 2011
Assignee: Juniper Networks, Inc.
Inventors: Ina Minei, James Washburn, Shivani Aggarwal
Abstract: This disclosure relates to a secure network device for multi-homed devices. An example network device includes a state table, an association establishment module, and an inspection module. The state table is configured to store information for communication associations between devices. The association establishment module is configured to process a request to establish a communication association between a first device and a second device and to store state information for the communication association in the state table. The first device and the second device each comprise a multi-homed device associated with a plurality of Internet Protocol (IP) addresses, and the state information includes the IP addresses associated with the first device and the IP addresses associated with the second device. The inspection module is configured to secure the communication association between the first device and the second device by using the state information that is stored in the state table.
Abstract: A system measures traffic in a device. The system tracks an amount of data and a number of data units and predicts the amount of padding associated with the data units. The system determines the amount of traffic in the device based on the predicted padding, the amount of data, and the number of data units.
Abstract: A network device includes an interface (105), a TCP/IP protocol fast processing path (115), and a TCP/IP protocol slow processing path (110). The interface (105) receives a packet and parses the packet to determine a characteristic of the packet. The TCP/IP protocol fast processing path (115) processes the packet if the characteristic of the packet includes a first characteristic. The TCP/IP protocol slow processing path (110) processes the packet if the characteristic of the packet includes a second characteristic.
Type: Application
Filed: October 18, 2010
Publication date: February 10, 2011
Applicant: Juniper Networks, Inc.
Inventors: Nhon T. Quach, Ramesh Padmanabhan, Jean Marc Frailong
Abstract: A network device may include logic configured to receive a problem report from a second network device, where the problem report includes event data; determine at least one of an action to perform or whether reconfiguration information is associated with the event data in the received problem report; and add information to the received problem report to provide a reformatted problem report and transmit the reformatted problem report to a third network device when it is determined that reconfiguration information is not associated with the event data in the problem report.
Abstract: Requests from a client to a network device are authenticated based on a session ID obtained by the network device. Requests may be authenticated by obtaining a session ID value when a session is initiated and transmitting a document to the client that embeds the session ID in such a manner that additional requests to the network device based on the document include the session ID in the request. The additional requests are authenticated based on a determination of whether the session ID is included in the additional requests.