Abstract: A processing engine for processing header data includes a level 2 (L2) header generation unit and a level 3 (L3) header generation unit. The L2 and L3 header generation units are implemented in parallel with one another. The L2 generation unit writes L2 header information to a first buffer and the L3 generation unit writes L3 header information to a second buffer. When the L2 and L3 header generation units finish processing a data unit, the data unit may be unloaded from the first and second buffer while a new data unit is simultaneously loaded to the header processing engine.

Abstract: A first network client requests initiation of a data transfer with a second network client. An admission control facility (ACF) responds to the initiation request by performing admission analysis to determine whether to initiate the data transfer. The ACF sends one or more packets to the second network client. In response, the second network client sends acknowledgment packets back to the ACF. The ACF performs admission analysis based on the packets sent and the acknowledgment packets, and determines whether the data transfer should be initiated based on the analysis. The admission analysis may be based on a variety of factors, such as the average time to receive an acknowledgment for each packet, the variance of the time to receive an acknowledgment for each packet, a combination of these factors, or a combination of these and other factors.

Abstract: A method may include receiving a packet associated with a flow of packets, the packet including a destination address; selecting one of a plurality of memory banks, the selected memory bank being associated with the flow of packets, wherein each of the plurality of memory banks stores the same next-hop information for forwarding the packet to the destination address; accessing, in the selected memory bank, the next-hop information for forwarding the packet to the destination address; and forwarding the packet to the destination address based on the next-hop information.

Abstract: A scheduler and method for scheduling packet forwarding operations is provided. Packet forwarding request information associated with a first set of input port/output port combinations is received. Packet forwarding request information associated with a second set of input port/output port combinations different from the first set of input port/output port combinations is received, where the first set of input port/output port combinations and the second set of input port/output port combinations are selected to not conflict with each other. Packet forwarding for both the first set of input port/output port combinations at a first future time slot and the second set of input port/output port combinations at a second future time slot are simultaneously scheduling at a first scheduler and a second scheduler, respectively, based on the received packet forwarding request information.

Abstract: A mobile radio system comprises first through N-th radio base stations, where N represents a positive integer which is greater than one. On a start-up sequence of an n-th radio base station, a base station control apparatus transmits an n-th individual identifier as a station identifier, to the n-th radio base station to allocate the n-th individual identifier to the n-th radio base station, where n is a variable between one and N, both inclusive. The base station control apparatus transmits a transmission message signal having the n-th individual identifier as a transmission individual identifier to the n-th radio base station to carry out a link connection between the base station control apparatus and the n-th radio base station. In the n-th radio base station, an ATM reception section compares the transmission individual identifier with the n-th station identifier to abandon the transmission message signal when the transmission individual identifier is not coincident with the n-th station identifier.

Abstract: A network acceleration device includes a persistent, in-memory cache of network content. For example, the cache may store content in a manner that allows a software process to map virtual memory to specific, known regions of an underlying physical memory. Upon detecting a failure of a process executing within the network device, the network acceleration device may restart the software process and remap data structures of the cache to the known regions of the physical memory without necessarily requiring that the cache content be reloaded from a non-volatile memory, such as a hard drive. In this manner, the network acceleration device may accelerate download speeds by avoiding timely cache content restoration in the event of a software process failure.

Abstract: A system includes a gateway node that contains modular cards that separately implement control and data planes of a network protocol. The separate data and control cards provide for improved system reliability and improved flexibility in managing bandwidth. Control or data cards can be added to the gateway node as needed based on system load.

Abstract: Improved approaches for providing secure access to resources maintained on private networks are disclosed. The secure access can be provided through a public network using client software of client-server software and/or with file system software. Multiple remote users are able to gain restricted and controlled access to at least portions of a private network through a common access point, such as an intermediate server of the remote network.

Abstract: A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session.

Abstract: Improved approaches for providing secure remote access to resources maintained on private networks are disclosed. According to one aspect, predetermined elements, such as applets, can be modified to redirect all communications to and from an application server through an intermediate server. The intermediate server in turn communicates with the application servers. According to another aspect, a communication framework can be provided to funnel communication between an applet and a server through a communication layer so as to provide managed and/or secured communications there between.

Abstract: Link failure messages are sent through a network to accelerate convergence of routing information after a network fault. The link failure messages reduce the oscillations in routing information stored by routers, which otherwise can cause significant problems, including intermittent loss of network connectivity as well as increased packet loss and latency. For example, the link failure messages reduce the time that a network using a path vector routing protocol, such as the Border Gateway Protocol (BGP), takes to converge to a stable state. More particularly, upon detecting a network fault, a router generates link failure information to identify the specific link that has failed. In some types of systems, the router communicates the link failure information to neighboring routers as well as a conventional update message withdrawing any unavailable routes. Once other routers receive the link failure information, the routers do not attempt to use routes that include the failed link.

Abstract: A method performed by a network device may include generating and storing a first public key and a first private key in a first device, transmitting a serial number and the first public key from the first device to a second device, generating, by the second device, a second public key and a second private key, transmitting the second public key from the second device to the first device and transmitting the serial number, the first public key, the second public key and the second private key to a third device, establishing and authenticating a connection between the first device and the third device using the first public key and the second public key and transmitting encrypted configuration information with the two key pairs from the third device to the first device.

Abstract: A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones.

Abstract: An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer's traffic.

Abstract: Thermal management is provided for a device. The device may include a substrate having a mounting area on a first surface of the substrate. The device may also include first thermal vias extending from the mounting area to at least an interior of the substrate. The device may also include at least one thermal plane substantially parallel to the first surface of the substrate, the at least one thermal plane being in thermal contact with at least one of the first thermal vias. The device may also include a heat sink attachment area, and second thermal vias extending from the heat sink attachment area to the interior of the substrate, the at least one thermal plane being in thermal contact with the second thermal vias.

Abstract: Methods and apparatus for allowing routers in an autonomous system to implement LDP and RSVP at the same time. RSVP can be used in the network core with LDP being used in network regions surrounding the core. LDP LSPs are tunneled through the RSVP network core using RSVP LSPs and label stacking techniques. During route selection LDP LSPs which use an RSVP LSP tunnel are preferred over alternative LDP LSPs having an equal cost associated with them to create a preference for traffic engineered routes.

Abstract: In a PPP terminating equipment 100 connected with a switch fabric and terminating PPP link, the PPP terminating equipment 100 has an LCP echo requirement detecting section 20 detecting whether or not a received packet is the LCP echo requirement packet, and an LCP echo response producing section 40 producing a response packet to the LCP echo requirement by rewriting the LCP header of the received LCP echo requirement packet. The PPP terminating equipment 100 thereby produces and returns the response packet to the LCP echo requirement.

Abstract: Samples from an addressed data forwarding devices, such as a router, are associated with path-centric information. Information from the samples is used to update corresponding path-centric traffic information, such as flow information for example. The aggregated path-centric traffic information can then be used by traffic analysis operations.

Abstract: Techniques are described for mitigating adverse effects of port scanning within a network device. For example, an apparatus, such as a router, responds to all network connection request packets received from a client for all ports on an attached server as if all of the server's ports are open. Once a network connection is established between the router and the client, a network connection request is transmitted to the server for a requested port. Using the router to establish a full network connection with the client eliminates a unscrupulous client from sending numerous decoy network connection request messages in an effort to hide the identity of the client. By responding to all network connection requests by establishing a TCP full connection before a network connection request is forwarded to a server, a client receives no useful information regarding the state of a port on the server before providing a valid and detectable IP address. Stealth port scanning is rendered ineffective.

Abstract: Samples from an addressed data forwarding devices, such as a router, are forwarded to a specified next hop address and/or out a specified next hop interface. However, the sampling and/or next hop forwarding is suppressed if the specified next hop address is unstable or unresolved.