Abstract: A router includes multiple routing engines. If the active routing engine fails, a backup one of the routing engines detects the failure and assumes the role of active routing engine. A redundancy controller circuit, connected to the multiple routing engines, facilitates the selection and switching of the routing engines. Portions of the packet forwarding engine, in addition to the routing engine, may be redundantly implemented. The active routing engine controls the selection of the redundant portion of the packet forwarding engine.

Abstract: A system having components that collectively perform functions and services of the system. The components are managed as belonging to at least a first component collection and a second component collection. The components of the first component collection operate at a time scale that is substantially temporally independent of the components of the second component collection. The components of the first component collection have a first set of temporal requirements and the components of the second component collection have a second substantially different set of temporal requirements.

Abstract: A computing device may receive compressed data that includes a sequence of references corresponding to dictionary words used to compress the compressed data. The computing device may obtain the dictionary words used to compress the compressed data, and identify malicious content corresponding to one or more of the dictionary words. The computing device may also identify malicious content corresponding to the compressed data based on the one or more dictionary words and produce a notification of the malicious content corresponding to the compressed data.

Abstract: In general, techniques are described for decentralizing handling of subscriber sessions within a gateway device of a mobile network. A mobile network gateway comprises a data plane having a plurality of forwarding components to receive session requests from a mobile service provider network in which the mobile network gateway resides. A control plane comprises a plurality of distributed subscriber management service units coupled by a switch fabric to the data plane. Each of the subscriber management service units serve as anchors for communication sessions for mobile devices that are accessing one or more packet data network by the mobile service provider network. A request delegation module within each of the forwarding components directs the session requests to the subscriber management service units unit to provide management services for the sessions requested by the mobile device.

Abstract: A network device connects between a client and a server. The network device is configured to store information regarding an application operating on the server; receive a first message, from the client, intended for the server; generate a second message in response to the first message; send the second message to the client; receive a third message from the client; generate, based on the information regarding the application on the server, a fourth message, that includes the information regarding the application operating on the server; send the fourth message to the client; receive a service request from the client in response to the fourth message; and establish, based on the service request, a connection between the client and the server.

Abstract: A network device may act as a proxy for a client requesting video from a server and may control the quality of the video requested from the server. The network device may detect a negotiation for a video stream, the negotiation including at least a first message from the client indicating a requested video quality by the client; and determine a maximum allowed video quality for the client. The network device may additionally determine whether the requested video quality by the client is greater than the maximum allowed video quality and modifying, when the requested video quality by the client is greater than the maximum allowed video quality, a first message to change the requested video quality to be equal to the maximum allowed video quality.

Abstract: A network device includes a media gateway to receive and process a voice over digital subscriber line (VoDSL) communication to generate voice data in a predetermined format; a terminating unit to receive another type of voice communication and output voice data in the predetermined format; and a control unit to receive the generated voice data from the media gateway and the outputted voice data from the terminating unit, where the network device exchanges at least one of the VoDSL communication to the other type of voice communication or the other type of voice communication to the VoDSL communication.

Abstract: In one example, a serving gateway device includes one or more network interfaces configured to receive a packet fragment from a packet data network gateway (PGW) device, and a control unit configured to hash a source Internet protocol (IP) address, a destination IP address, and a fragment identifier value for the packet fragment to determine an entry of a hash table, wherein the entry of the hash table includes data defining a next expected offset, a next expected fragment identifier, and a reference to a fragment table comprising data for at least one previous packet fragment corresponding to the packet fragment, to compare a length of the packet fragment to the next expected offset and the fragment identifier value for the packet fragment to the next expected fragment identifier, and store the packet fragment using the fragment table based on the comparison.

Abstract: By using an extended bitmap window and arrival sequence numbers, a multiprocessor system may perform anti-replay checks on incoming packets in a similar order as a single processor system. In one implementation, a device may provide an anti-replay check window that includes an original window and an extension window, the original window being contiguous to the extension window. In addition, the device may receive a packet with an anti-replay sequence number and receive another packet whose anti-replay sequence number is within a range of the original window. In addition, the device may determine if the packet has arrived before the other packet by less than a threshold if the anti-replay sequence number of the packet falls within a range of the extension window. Further, the device may retain the packet if the packet has arrived before the other packet by less than the threshold.

Abstract: An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.

Abstract: An integrated, multi-service virtual private network (VPN) network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise VPN connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. The multi-service client integrates with an operating system of the device to provide a VPN handler to establish a VPN connection with a remote VPN security device. The VPN network client includes to data acceleration module exchange network packets with the VPN handler and apply at least one acceleration service to the network packets, and a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the data acceleration module.

Abstract: A network device may receive first qualification indicators, for a first signal, from all line cards of the network device. The network device may, in response to the first qualification indicators, transmit instructions to all of the line cards to use the first signal. The network device may further receive second qualification indicators, for a second signal, from all of the line cards. In response to the second qualification indicators, the network device may store information for the second signal in order to use the second signal as a backup signal.

Abstract: A method is provided that transmits network packets through a network security device. The method receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device when the network packet is transmitted using the third and fourth network interface identifiers. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

Abstract: A chassis may include a front section that contains a first electronic circuit board oriented in a first plane, a rear section that contains a second electronic circuit board oriented in a second plane, where the first plane and the second plane are substantially orthogonal, a midplane dividing the front and the rear sections, and a fan tray assembly including a plurality of fans to cool both the first electronic circuit board of the front section and the second electronic circuit board of the rear section.

Abstract: In one example, a backup intrusion detection and prevention (IDP) device includes one or more network interfaces to receive a state update message from a primary IDP device, wherein the state update message indicates a network session being inspected by the primary IDP device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data, a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets, and a control unit to statefully process only the application-layer data of the network session that include and follow the beginning of the new transaction.

Abstract: Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.

Abstract: In general, techniques are described for aggregating, within a network device, internal forwarding routes for multiple control protocols and allocating next hops for the routes among individual service units of a decentralized control plane for the network device. The techniques may also include aggregating internal forwarding routes for data protocols and allocating next hops for the routes among individual forwarding units of a decentralized data plane for the network device. In one example, a mobile gateway includes a plurality of subscriber management service units that present a uniform interface to nodes within a mobile service provider network. An allocation manager apportions a control protocol session identifier namespace into a plurality of contiguous, non-overlapping protocol session identifier ranges and allocates the ranges among the service units.

Abstract: In general, techniques are described for providing extended administrative groups in networks. A network device comprising an interface and a control unit may implement the techniques. The interface receives a routing protocol message that advertises a link. This message includes a field for storing first data associated with the link in accordance with the routing protocol. The field is defined by the routing protocol as a field having a different function from an administrative group field defined by the same routing protocol. The control unit determines that this field has been repurposed to store second data, wherein this second data specifies an extended administrative group for the link different from those that may be specified by the administrative group field. The control unit then updates routing information to associate the advertised link with the extended administrative group and performs path selection to select paths based on the updated routing information.

Abstract: A server device initiates a traffic encapsulation key (TEK) re-key sequence for a group virtual private network (VPN), based on an upcoming expiration time for an existing TEK. The server device sends, via a push message during a first time period immediately after the initiating, a new TEK to members of the group VPN. The server device receives, during a second time period that immediately follows the first time period, a pull request, for the new TEK, from one of the members of the group VPN, and sends, to the one of the members, the new TEK, where the re-key sequence transitions all the members of the group VPN from the existing TEK key to the new TEK key before the expiration time for the existing TEK.

Abstract: Techniques are described for providing QoS guarantees when coupling layer two (L2) networks via an intermediate Multi-protocol Label Switching (MPLS) network. A network device, such as a router, receives a request to transport data from an L2 connection. The request specifies one of more characteristics of the L2 connection, such as bandwidth, color, end-to-end delay, jitter, a security requirement, or a classification of traffic for the L2 connection. The network device selects a label switched path (LSP) through the MPLS network based on the characteristics of the L2 connection, and forwards the data from the L2 connection via the selected LSP. In this manner, an LSP and, in particular, one or more forwarding next hops for the LSP, is selected that provides a “virtual” L2 connection, or pseudo-wire, that more closely emulates a direct L2 connection between the L2 networks.