Patents Assigned to Juniper Networks, Inc.
-
Patent number: 7769016
Abstract: A system receives data in multiple streams from an upstream device. The system temporarily stores the data in a first buffer and asserts a forward flow control signal when a capacity of the first buffer exceeds a first threshold value. The system reads the data from the first buffer and selectively processes the data based on the forward flow control signal. The system temporarily stores the selectively processed data in a number of second buffers, generates a backward flow control signal when a capacity of one of the second buffers exceeds a second threshold value, and sends the backward flow control signal to the upstream device.
Type: Grant
Filed: February 11, 2009
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventors: Sharada Yeluri, Raymond Scott Chan, Shahriar Ilislamloo, Varkey Paul Alapat, Shunn-Cheng Jang
-
Patent number: 7769019
Abstract: The present invention provides an efficient system and method for routing information through a dynamic network. The system includes at least one ingress point and one egress point. The ingress and egress point cooperate to form a virtual circuit for routing packets to destination subnets directly reachable by the egress point. The egress point automatically discovers which subnets are directly accessible via its local ports and summarizes this information for the ingress point. The ingress point receives this information, compiles it into a routing table, and verifies that those subnets are best accessed by the egress point. Verification is accomplished by sending probe packets to select addresses on the subnet. Additionally, the egress point may continue to monitor the local topology and incrementally update the information to the ingress to allow the ingress to adjust its compiled routing table.
Type: Grant
Filed: May 23, 2007
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventors: Anupam A. Bharali, Balraj Singh, Manish H. Sampat, Amit P. Singh, Rajiv Batra
-
Patent number: 7768921
Abstract: In general, the invention is directed to techniques of identifying an infected network device in a computer network where traffic to and from the infected network device is not necessarily routed through a single point on the computer network. For example, individual line cards in network devices count incoming network flows from network devices in host tables. The host tables of all line cards of all participating network devices are then correlated. It is then determined whether the number of flows from a network device outweighs the number of flows to the network device to a significant degree. If so, the network device may be considered suspicious. Packets from a suspicious network device may be rerouted to a network security device for more thorough inspection.
Type: Grant
Filed: October 30, 2006
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventors: Harshad Nakil, Bryan Burns, Ankur Singla
-
Patent number: 7769873
Abstract: Techniques are described for dynamically inserting filters into a forwarding path of a router in response to a received filter description. For example, a first router may receive a generic filter description, and process the generic filter description to generate machine instructions executable by forwarding hardware. The forwarding hardware, which may be a forwarding engine or an interface card, executes the machine instructions to implement the dynamic filter. The router, for instance, may filter packet flows of a device sourcing a network disturbance, such as a denial of service (DoS) attack by applying the dynamic filter to the packet flows. The router may further forward the filter description to neighboring routers to filter the packet flows closer to the source.
Type: Grant
Filed: October 25, 2002
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventor: Scott Mackie
-
Patent number: 7769860
Abstract: Systems and methods are provided for analyzing policy rules defined for a subscriber and determining packet treatment in a network. Definitions are retrieved pertaining to policy rules for a subscriber. At least one policy point in a network is determined based on the retrieved definitions. The packet treatment is determined at each of the at least one policy point. The packet treatment is shown for each of the at least one policy point. Packets may be injected into the network at injection points and statistics may be collected. The statistics may be compared with results of analyzing policy rules for the subscriber.
Type: Grant
Filed: June 30, 2008
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventor: Alireza Assadzadeh
-
Patent number: 7769851
Abstract: An intrusion detection and prevention (IDP) device includes a flow analysis module, an analysis engine, a plurality of protocol-specific decoders and a profiler. The flow analysis module processes packet flows in a network to identify network elements associated with the packet flows. The analysis engine forms application-layer communications from the packet flows. The plurality of protocol-specific decoders processes the application-layer communications to generate application-layer elements. The profiler correlates the application-layer elements of the application-layer communications with the network elements of the packet flows of the computer network.
Type: Grant
Filed: January 27, 2005
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventors: Kowsik Guruswamy, Siu-Wang Leung
-
Patent number: 7768913
Abstract: Techniques for delivering and receiving multicast content across a unicast network are described. A system that supports delivery and reception of multicast content across a unicast network includes a first device and a second device. The first device may be a destination device or a multicast-enabled router. The second device is multicast-enabled, and may be a multicast-enabled router. The first device determines whether a route between a destination device and a source of multicast packets is multicast-enabled, sends a unicast request message that includes as a destination address an address associated with the source and is marked for interception by a second device based on the determination, and receives the multicast packets as unicast packets from the second device. The second device intercepts the unicast request message and delivers the multicast packets to the requesting device as unicast packets in response to the unicast request message.
Type: Grant
Filed: August 8, 2007
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventors: Gregory J. Shepherd, Thomas J. Pusateri
-
Patent number: 7768939
Abstract: Techniques are described in which a network device waits differing amounts of time for different network sockets before beginning processes to determine whether respective network connections from the network sockets have failed. An intermediate device may create a network socket for a network connection having a keep-alive wait time option set to a keep-alive wait time associated with a class of the network connection. If an amount of time specified by the keep-alive option of the socket passes after a last successful communication on the network connection, the socket may begin a process to determine whether the network connection has failed. If the intermediate device determines that the network connection has failed, the intermediate device may terminate the connection to free resources on the intermediate device allocated to the network connection.
Type: Grant
Filed: January 2, 2007
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventors: Atul N. Trivedi, James K. Tosh
-
Patent number: 7769885
Abstract: The liveness of routing protocols can be determined using a mechanism to aggregate liveness information for the protocols. The ability of an interface to send and receive packets and the forwarding capability of an interface can also be determined using this mechanism. Since liveness information for multiple protocols, the liveness of interfaces, the forwarding capability of interfaces, or both, may be aggregated in a message, the message can be sent more often than could individual messages for each of the multiple protocols. This allows fast detection of failures, and allows connectivity messages for the individual protocols, such as neighbor “hellos,” to be sent less often.
Type: Grant
Filed: February 10, 2004
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventor: Kireeti Kompella
-
Patent number: 7770198
Abstract: Techniques are described for detection of repeated video content to reduce an amount of high bandwidth traffic transmitted across a network from a video source device to remote subscriber devices. In particular, the invention relates to a first intermediate device capable of recognizing patterns of video content and sending a communication to a second intermediate device that transmits a cached version of the video content. In this way, the first intermediate device does not have to resend the high bandwidth video content over the network. The network may comprise any private or public network.
Type: Grant
Filed: December 16, 2005
Date of Patent: August 3, 2010
Assignee: Juniper Networks, Inc.
Inventor: Spencer Greene
-
Publication number: 20100191839
Abstract: In general, techniques are described for synchronizing resource bindings within computer networks. An intermediate network device comprising an interface card and a control unit may implement these techniques. The interface card receives a message from a server that allocates a network address for use by a client device identified by a unique identifier. The control unit stores data defining a binding between the unique identifier and the network address. The control unit includes a binding synchronization module that determines, based on a determination to release the binding, whether the binding release occurs in response to receiving a release message from the client device, and automatically generates a release message on behalf of the client device upon determining that the binding release did not occur in response to receiving a release message. The binding synchronization module outputs the automatically generated release message to the server that reserved the L3 network address.
Type: Application
Filed: March 25, 2010
Publication date: July 29, 2010
Applicant: Juniper Networks, Inc.
Inventors: Sunil Gandhewar, John Liddy
-
Publication number: 20100192225
Abstract: In general, techniques are described for efficiently implementing application identification within network devices. In particular, a network device includes a control unit that stores data defining a group Deterministic Finite Automata (DFA) and an individual DFA. The group DFA is formed by merging non-explosive DFAs generated from corresponding non-explosive regular expressions (regexs) and fingerprint DFAs (f-DFAs) generated from signature fingerprints extracted from explosive regexs. The non-explosive regexs comprise regexs determined not to cause state explosion during generation of the group DFA, the signature fingerprints comprise segments of explosive regexs that uniquely identify the explosive regexs, and the explosive regexs comprise regexs determined to cause state explosion during generation of the group DFA.
Type: Application
Filed: January 28, 2009
Publication date: July 29, 2010
Applicant: Juniper Networks, Inc.
Inventors: Qingming Ma, Bryan Burns, Ricardo Oliveira
-
Publication number: 20100191840
Abstract: A system includes a first device and a second device. The first device is configured to transmit a discover message on a first upstream channel, where the discover message includes information representing capabilities of the first device. The second device is configured to receive the discover message from the first device and determine whether to switch the first device to a second upstream channel based on the capabilities information in the discover message. The second device makes the determination before a registration of the first device. The second device transmits a message to the first device instructing the first device to switch to the second upstream channel based on a result of the determination.
Type: Application
Filed: April 2, 2010
Publication date: July 29, 2010
Applicant: JUNIPER NETWORKS, INC.
Inventor: Nurettin Burcak BESER
-
Patent number: 7764606
Abstract: Ordering logic ensures that data items being processed by a number of parallel processing units are unloaded from the processing units in the original per-flow order that the data items were loaded into the parallel processing units. The ordering logic includes a pointer memory, a tail vector, and a head vector. Through these three elements, the ordering logic keeps track of a number of “virtual queues” corresponding to the data flows. A round robin arbiter unloads data items from the processing units only when a data item is at the head of its virtual queue.
Type: Grant
Filed: May 30, 2007
Date of Patent: July 27, 2010
Assignee: Juniper Networks, Inc.
Inventors: Dennis C. Ferguson, Philippe Lacroute, Chi-Chung Chen, Gerald Cheung, Tatao Chuang, Pankaj Patel, Viswesh Ananthakrishnan
-
Patent number: 7765328
Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.
Type: Grant
Filed: November 7, 2007
Date of Patent: July 27, 2010
Assignee: Juniper Networks, Inc.
Inventors: Mark Bryers, Elango Ganesan, Frederick Gruner, David Hass, Robert Hathaway, Ramesh Panwar, Ricardo Ramirez, Abbas Rashid, Mark Vilas, Nazar Zaidi, Yen Lee, Chau Ahn Ngoc Nguyen, John Phillips, Yuhong Andy Zhou, Gregory G. Spurrier, Sankar Ramanoorthi, Michael Freed
-
Patent number: 7764609
Abstract: A system comprises a plurality of processing modules, one of which is designated to be the primary processing module and the others are designated to be secondary processing modules. During operation, state is maintained in the primary processing module and at least one of the secondary processing modules. A switchover controller causes outputs from the secondary modules to be discarded. When the switchover controller receives an indication that the primary processing module has failed, it designates one of the secondary processing modules to be the primary processing module. Because the newly designated primary processing module already has current state information at switchover, the module is able to operate with minimal delay.
Type: Grant
Filed: April 22, 2008
Date of Patent: July 27, 2010
Assignee: Juniper Networks, Inc.
Inventor: Hsien-Chung Woo
-
Patent number: 7765096
Abstract: A network testing environment includes a control server and a testing cluster composed of one or more load generating devices. The load generating devices output network communications in a non-deterministic manner to model real-world network users and test a network system. The load generating devices operate in accordance with probabilistic state machines distributed by the control server. The probabilistic state machines model patterns of interaction between users and the network system.
Type: Grant
Filed: May 5, 2008
Date of Patent: July 27, 2010
Assignee: Juniper Networks, Inc.
Inventors: Martin Bokaemper, Yue Gao, Yong Wang, Greg Sidebottom
-
Publication number: 20100183023
Abstract: A device stores forwarding information associated with fragments of a first data unit, stores information common to the fragments of the first data unit, receives fragments of a second data unit, and forwards the fragments of the second data unit based on the forwarding information of the first data unit and the information common to the first data unit.
Type: Application
Filed: March 25, 2010
Publication date: July 22, 2010
Applicant: JUNIPER NETWORKS, INC.
Inventor: Atul B. MAHAMUNI
-
Publication number: 20100185822
Abstract: A system for managing a circular buffer memory includes a number of data writers, a number of data readers, a circular buffer memory; and logic configured to form a number of counters, form a number of temporary variables from the counters, and allow the data writers and the data readers to simultaneously access locations in the circular buffer memory determined by the temporary variables.
Type: Application
Filed: March 26, 2010
Publication date: July 22, 2010
Applicant: JUNIPER NETWORKS, INC.
Inventors: Juqiang LIU, Hua JI, Haisang WU
-
Publication number: 20100182931
Abstract: A first network client requests initiation of a data transfer with a second network client. An admission control facility (ACF) responds to the initiation request by performing admission analysis to determine whether to initiate the data transfer. The ACF sends one or more packets to the second network client. In response, the second network client sends acknowledgment packets back to the ACF. The ACF performs admission analysis based on the packets sent and the acknowledgment packets, and determines whether the data transfer should be initiated based on the analysis. The admission analysis may be based on a variety of factors, such as the average time to receive an acknowledgment for each packet, the variance of the time to receive an acknowledgment for each packet, a combination of these factors, or a combination of these and other factors.
Type: Application
Filed: January 27, 2010
Publication date: July 22, 2010
Applicant: Juniper Networks, Inc.
Inventor: Pradeep SINDHU