Abstract: A data processing architecture includes multiple processors connected in series between a load balancer and reorder logic. The load balancer is configured to receive data and distribute the data across the processors. Appropriate ones of the processors are configured to process the data. The reorder logic is configured to receive the data processed by the processors, reorder the data, and output the reordered data.
Abstract: Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.
Abstract: In an asynchronous transfer mode switch, a plurality of queues is provided for accumulating transfer cells, and a queue assignment processing section receives a message for establishing a connection and assigns to the connection one of the queues having a forwarding rate close to a declared rate included in the message and not exceeding the declared rate.
Abstract: A key engine that performs route lookups for a plurality of keys may include a data processing portion configured to process one data item at a time and to request data when needed. A buffer may be configured to store a partial result from the data processing portion. A controller may be configured to load the partial result from the data processing portion into the buffer. The controller also may be configured to input another data item into the data processing portion for processing while requested data is obtained for a prior data item. A number of these key engines may be used by a routing unit to perform a large number of route lookups at the same time.
Abstract: A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data.
Abstract: An apparatus may include a receiver configured to receive chunks of data on a downstream channel from a cable modem termination system. The receiver may be further configured to enter a low power state in which the chunks of data cannot be received. Wake up circuitry may be configured to monitor data in the downstream channel for a wake up signal when the receiver is in the low power state.
Abstract: A system processes data units in a network. The system receives a data unit that includes a group of headers and suppresses one or more of the headers to form a reduced data unit. The system suppresses one or more other headers of the reduced data unit to form a further reduced data unit and transmits the further reduced data unit to one or more destination devices using the program identifier (PID) field in the MPEG header as an index to suppressed headers.
Abstract: A system includes a group of devices and a shared memory that is partitioned into blocks that are capable of being allocated to the group of devices using linked lists. The system also includes check logic configured to store a group of bits, where each bit corresponds to one of the blocks, and counter logic configured to count for a predetermined period of time. The system further includes logic configured to clear the group of bits stored in the check logic, cause the counter logic to count for the predetermined period of time, monitor a de-allocation of the blocks in the shared memory, set, for each of the blocks that is de-allocated during the predetermined period of time, the corresponding bit in the check logic, identify, after the predetermined period of time, one or more bits that have not been set, and mark the blocks corresponding to the one or more bits as available for allocation.
Abstract: A network device includes multiple packet processing engines implemented in parallel with one another. A spraying component distributes incoming packets to the packet processing engines using a spraying technique that load balances the packet processing engines. In particular, the spraying component distributes the incoming packets based on queue lengths associated with the packet processing engines and based on a random component. In one implementation, the random component is a random selection from all the candidate processing engines. In another implementation, the random component is a weighted random selection in which the weights are inversely proportional to the queue lengths.
Type: Grant
Filed: April 12, 2002
Date of Patent: June 3, 2008
Assignee: Juniper Networks, Inc.
Inventors: Dennis C. Ferguson, Chi-Chung Chen, Thomas M. Skibo
Abstract: A system comprises a plurality of processing modules, one of which is designated to be the primary processing module and the others are designated to be secondary processing modules. During operation, state is maintained in the primary processing module and at least one of the secondary processing modules. A switchover controller causes outputs from the secondary modules to be discarded. When the switchover controller receives an indication that the primary processing module has failed, it designates one of the secondary processing modules to be the primary processing module. Because the newly designated primary processing module already has current state information at switchover, the module is able to operate with minimal delay.
Abstract: Techniques are described for preventing network attacks. More specifically, the techniques involve classification of routes based on the network protocol from which the routes were learned, and filtering of packets based on the classification. A network device, for example, is described that includes interface cards to receive routing information via one or more routing protocols, wherein the routing information defines network routes. The network device further includes a control unit to classify the routes based on the routing protocol by which the routes were received, and selectively forward packets associated with the routes based on the classification of the routes. Edge routers within a server provider network, for example, may classify routes as either “internal” or “external” based on the protocols from which the routes were learned, and automatically filter packets to prevent network attacks using the techniques.
Abstract: The invention provides a device for reducing ingress noise in a digital signal, comprising a noise predictor for predicting an amount of ingress noise in the digital signal based on past samples of the ingress noise, and a subtractor for subtracting the predicted amount of ingress noise from the digital signal. Channel distortion is compensated for by a noise-independent equalizer, such as a ZF equalizer, placed upstream of the noise predictor. The device may be incorporated, for example, in a cable modem termination system (CMTS) of a hybrid fiber/coax (HFC) network.
Type: Grant
Filed: July 27, 2006
Date of Patent: June 3, 2008
Assignee: Juniper Networks, Inc.
Inventors: Ambroise Popper, Fabien Buda, Hikmet Sari
Abstract: A system determines bandwidth use by queues in a network device. To do this, the system determines an instantaneous amount of bandwidth used by each of the queues and an average amount of bandwidth used by each of the queues. The system then identifies bandwidth use by each of the queues based on the instantaneous bandwidth used and the average bandwidth used by each of the queues.
Abstract: A method of scheduling upstream bandwidth. This method comprises: 1) anticipating the need for the upstream bandwidth in advance of any specific request for said upstream bandwidth; and 2) scheduling the upstream bandwidth in accordance with such need.
Abstract: In a gateway, a packet received from a first network contains first address data conforming to the first network in the packet header and second address data conforming to a second network in an auxiliary header. The first address data of the packet is then rewritten with the second address data of the packet and transmitted from the gateway to the second network.
Abstract: A network testing environment includes a control server and a testing cluster composed of one or more load generating devices. The load generating devices output network communications in a non-deterministic manner to model real-world network users and test a network system. The load generating devices operate in accordance with probabilistic state machines distributed by the control server. The probabilistic state machines model patterns of interaction between users and the network system.
Type: Grant
Filed: October 26, 2005
Date of Patent: May 20, 2008
Assignee: Juniper Networks, Inc.
Inventors: Martin Bokaemper, Yue Gao, Yong Wang, Greg Sidebottom
Abstract: A router synchronizes state information between a plurality of control units. The router includes a primary control unit and a standby control unit. To ensure proper operation of the router, the primary control unit maintains router resources by receiving state information from the router resources and maintaining the state information for consumers. The primary control unit performs this maintenance process by transmitting update operation messages to consumers and the standby control unit. The consumers respond with an acknowledgement message to both the primary control unit and the standby control unit. The control units use the sequence of these messages to keep all components within the router in sync. Upon assuming control, the standby control unit resumes updating the consumers with state information without having to “relearn” state information, e.g., by way of power cycling the router resources to a known state.
Type: Grant
Filed: March 24, 2004
Date of Patent: May 20, 2008
Assignee: Juniper Networks, Inc.
Inventors: Anthony D. Amiocangioli, Robert M. France
Abstract: A method for phase-locking a voltage controlled oscillator is disclosed. The method comprises receiving, at a phase detector, a phase input signal and a phase feedback signal from the voltage controlled oscillator; measuring a pulse width property of an error signal output from the phase detector to obtain a pulse width property measurement; storing the pulse width property measurement in a memory; and generating a new signal from the stored pulse width property measurement to phase-lock the voltage controlled oscillator. The method of the present invention may be used to calibrate a clock, in clock holdover and in qualification of clock sources.
Abstract: Techniques are described for application of implementation-specific configuration policies within a network device to generate configuration data. For example, a device, such as a router, may comprise memory to store operational configuration data and candidate configuration data. The device further includes a control unit to apply an implementation-specific configuration policy to alter changes to the candidate configuration data, and commit the altered candidate configuration data to the operational configuration data. In applying the implementation-specific configuration policy, the control unit may insert additional configuration data or replace portions of the candidate configuration data with additional configuration data. In this manner, the device may detect misconfiguration and make changes to the candidate configuration data, thereby performing proactive error correction.
Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.
Type: Application
Filed: November 7, 2007
Publication date: May 15, 2008
Applicant: Juniper Networks, Inc.
Inventors: Mark Bryers, Elango Ganesan, Frederick Gruner, David Hass, Robert Hathaway, Ramesh Panwar, Ricardo Ramirez, Abbas Rashid, Mark Vilas, Nazar Zaidi, Yen Lee, Chau Nguyen, John Phillips, Yuhong Zhou, Gregory Spurrier, Sankar Ramanoorthi, Michael Freed