Abstract: In some embodiments, an apparatus includes a forwarding module that is configured to receive a group of first data packets. The forwarding module is configured to modify a data flow value in response to receiving each first data packet. The forwarding module is also configured to store each first data packet in a first output queue based on the data flow value not crossing a data flow threshold after being modified. Furthermore, the forwarding module is configured to receive a second data packet. The forwarding module is configured to modify the data flow value in response to receiving the second data packet, such that the data flow value crosses the data flow threshold. The forwarding module is configured to store the second data packet in a second output queue based on the data flow value having crossed the data flow threshold.

Abstract: In some embodiments, an apparatus comprises a core network node configured to be operatively coupled to a set of network nodes. The core network node is configured to receive a broadcast signal from a network node from the set of network nodes, which is originated from a host device operatively coupled to the network node. The broadcast signal is sent via a tunnel from the network node to the core network node, such that other network nodes that are not included in the tunnel do not receive the broadcast signal. The core network node is configured to retrieve control information associated with the broadcast signal without sending another broadcast signal, and then send the control information to the network node.

Abstract: A data read/write system includes a system clock, a single port memory, a cache memory that is separate from the single port memory, and a controller coupled to an instruction pipeline. The controller receives, via the instruction pipeline, first data to write to an address of the single port memory, and further receives, via the instruction pipeline, a request to read second data from the single port memory. The controller stores the first data in the cache memory, and retrieves the second data from either the cache memory or the single port memory during one or more first clock cycles of the system clock. The controller copies the first data from the cache memory and stores the first data at the address in the single port memory during a second clock cycle of the system clock that is different than the one or more first clock cycles.

Abstract: In some embodiments, an apparatus includes an optical transceiver system that includes a set of optical transmitters and a backup optical transmitter. In such embodiments, each optical transmitter from the set of optical transmitter can transmit at a unique wavelength from a set of wavelengths. The backup optical transmitter can transmit at a wavelength from the set of wavelengths when an optical transmitter from the set of optical transmitters associated with that wavelength fails. In other embodiments, an apparatus includes an optical transceiver system that includes a set of optical receivers and a backup optical receiver. The backup optical receiver can receive at a wavelength from the set of wavelengths when an optical receiver from the set of optical receivers associated with that wavelength fails.

Abstract: A retention-extraction device is provided for a removable card in a chassis. The device includes an actuation rod having a cam slot, the actuation rod configured to provide linear movement along the length of the actuation rod, and an extraction lever operatively connected to a proximal end of the actuation rod and pivotally secured to the chassis. The device also includes a bell crank with a cam follower that is configured to ride in the cam slot and a latch hook that pivots between an open and closed position based on the motion of the bell crank. The linear movement of the actuation rod causes the extraction lever to apply a force to a portion of the card and causes the latch hook to pivot to an open position to allow removal of the card.

Abstract: A node is configured to receive, from a second node, a request to establish a session; perform, in response to the request, a network address translation (NAT) operation to establish the session, the NAT operation causing a first port block to be allocated to the session, the first port block including a first set of ports via which traffic, associated with the session, is transported; determine that the set of ports are no longer available for the session; determine whether a quantity of times that the first port block has been allocated to the session is greater than a threshold; and retain the first port block, for the session, when the quantity of times that the first port block has been allocated to the session is not greater than the threshold.

Abstract: A server device receives, from a member device, a registration request for a group virtual private network (VPN) and provides an initial firewall security policy for the group VPN. The server device receives instructions for a policy configuration change and sends, to the member device, a push message that includes dynamic policies to implement the policy configuration change. The dynamic policies are implemented as a subset of a template policy. The member device receives the push message with the dynamic policies, associates the dynamic policies with the template policy, and applies the initial security policy data and the dynamic policies to incoming traffic without the need for a reboot of the member device.

Abstract: A method and an apparatus for rapidly resuming, at times of failures, network traffic in a connection-oriented network by using an alternative route pre-computed and stored locally in nodes along an initial route without requiring signaling of upstream nodes or a master server.

Abstract: A device is configured to receive a first request sent from a user device to a server. The first request may include a request to receive particular information from the server. The device receives a response to the first request sent from the server to the user device. The response includes the particular information. The device determines a potential request from the user device based on the particular information included in the response. The devices determines a policy associated with the potential request prior to a second request corresponding to the potential request being received. The device receives the second request from the user device. The device processes the second request based on the policy that was determined prior to the second request being received.

Abstract: A system provides congestion control and includes multiple queues that temporarily store data and a drop engine. The system associates a value with each of the queues, where each of the values relates to an amount of memory associated with the queue. The drop engine compares the value associated with a particular one of the queues to one or more programmable thresholds and selectively performs explicit congestion notification or packet dropping on data in the particular queue based on a result of the comparison.

Abstract: A security device may receive, from a client device, a request associated with a server device. The security device may determine a communication channel and contact information for validating the request. The security device may provide validation information via the communication channel using the contact information. The security device may receive a validation response from the client device, and may determine whether the validation response is valid. The security device may selectively perform a first action or a second action based on determining whether the validation response is valid. The first action may be performed based on determining that the validation response is valid, and may include providing a validation indicator, with the request, to the server device. The second action may be performed based on determining that the validation response is not valid, and may include providing an invalidation indicator, with the request, to the server device.

Abstract: A device is configured to receive first data of a media file. The first data is in a first type of format. The device is further configured to extract media data and metadata from the first data, to store the media data in a first cache, and to store the metadata in a second cache. The device is also configured to determine a second type of format that is supported by a client device. The second type of format is different from the first type of format. The device is configured to retrieve the media data from the first cache, to retrieve the metadata from the second cache, to construct second data that is in the second type of format based on the media data and the metadata, and to provide the second data to the client device.

Abstract: In general, techniques are described for ensuring the distribution of Virtual Private Network (VPN) routes in a service provider network configured with multiple VPN services. In some examples, a network device receives configuration data that defines a VPN service associated with a route target. The network device, responsive to receiving the configuration data, sends a request for routes that match a type of the VPN service to a routing protocol speaker. The network device receives routes that match the type of the VPN service and are associated with the route target, installs the routes that match the type of the VPN service and are associated with the route target to the routing information base. The network device forwards traffic for the VPN service in accordance with the installed routes.

Abstract: A system selectively drops data from queues. The system includes a drop table that stores drop probabilities. The system selects one of the queues to examine and generates an index into the drop table to identify one of the drop probabilities for the examined queue. The system then determines whether to drop data from the examined queue based on the identified drop probability.

Abstract: In one embodiment, an apparatus includes a network management module configured to execute at a network device operatively coupled to a switch fabric. The network management module is configured to receive a first set of configuration information associated with a subset of network resources from a set of network resources, the set of network resources being included in a virtual local area network from a plurality of virtual local area networks, the plurality of virtual local area networks being defined within the switch fabric. The first set of configuration information dynamically includes at least a second set of configuration information associated with the set of network resources.

Abstract: This disclosure describes a global attacker database that utilizes device fingerprinting to uniquely identify devices. For example, a device includes one or more processors and network interface cards to receive network traffic directed to one or more computing devices protected by the device, send, to the remote device, a request for data points of the remote device, wherein the data points include characteristics associated with the remote device, and receive at least a portion of the requested data points. The device also includes a fingerprint module to compare the received portion of the data points to sets of data points associated with known attacker devices, and determine, based on the comparison, whether a first set of data points of a first known attacker device satisfies a similarity threshold. The device also includes an security module to selectively manage, based on the determination, additional network traffic directed to the computing devices.

Abstract: A system and method for detecting malware optimized for mobile platforms. The system and method compares hashed portions of one or more malware signatures to hashes hashed from a suspect application, to determine whether the suspect application is malware-free. A second stage robust hash and splatter set of pseudorandomly selected blocks of the malware signatures reduce false positives allowing for improved detection of malware.

Abstract: First in, first out (FIFO) queues may be used to transfer data between a producer clock domain and a number of consumer clock domains. In one implementation, a control component for the FIFO queues may include a number of counters, corresponding to each of the consumer clock domains, each of the counters maintaining a count value relating to an amount of data read by the corresponding consumer clock domain. The control component may additionally include a credit deduction component coupled to the count values of the counters, the credit deduction component determining whether any of the count values is above a threshold, and in response to the determination that any of the count values is above the threshold, reducing the count value of each of the counters and issuing a write pulse signal to the producer clock domain, the write pulse signal causing the producer clock domain to perform a write operation to the FIFO queues.

Abstract: An apparatus may include a receiver configured to receive chunks of data on a downstream channel from a cable modem termination system. The receiver may be further configured to enter a low power state in which the chunks of data cannot be received. Wake up circuitry may be configured to monitor data in the downstream channel for a wake up signal when the receiver is in the low power state.

Abstract: A router receives a packet at an ingress interface. The router classifies the received packet based on at least a first field value contained in the header of the packet. According to the classification of the received packet, the router associates one of the plurality of forwarding tables to the packet. The router then performs a lookup operation in the associated forwarding table according to at least a second field value contained in the header of the packet. Based on the lookup operation, the router determines an egress interface and transmits the received packet from the determined egress interface.