Abstract: In general, techniques are described by which a path through a network may be selected based on service information. For example, a network device may include one or more interfaces, a control unit, and an integrated network acceleration device that provides a first set of services. The interfaces may receive service information that describes a second set of services provided by another network device. The control unit then determines, based on the service information, whether the other device shares any services in common with the integrated device. If so, the control unit selects a path through the network that includes the other device and causes the integrated device to apply the shared service to a portion of the traffic. The interfaces forward this portion along the determined path to the other device such that the other device applies the shared network acceleration services to the portion of the network traffic.

Abstract: Intermediate policy information is used to translate policy information between forwarding domains. For example, a network device may associate intermediate policy information, such as intermediate CoS information, with a packet. The network device utilizes the intermediate CoS information to indirectly map first class of service (CoS) information that conforms with a first protocol to second CoS information that conforms to a second protocol. The network device may, for example, apply a first policy to map the first CoS information to the intermediate CoS information and a second policy to map the intermediate CoS information to the second CoS information.

Abstract: A network analyzer includes a hardware-based accounting engine that generates accurate statistics for traffic within a computer network. As the network analyzer receives packets, the accounting engine associates the network packets with respective routing prefixes, and updates flow statistics for the routing prefixes. In this manner, the accounting engine maintains accurate flow statistics for all packets received by network analyzer. The network analyzer includes a control unit that generates prefix data to control the granularity of the traffic analysis. The control unit analyzes the flow statistics maintained by the accounting engine, and adaptively updates the set of prefixes to control the granularity of the statistics. The control unit may generate the prefix data as a forwarding tree having resolution nodes. Each node may associate a network prefix with forwarding next hop data, as well as respective analysis control data to enable or disable flow analysis for the prefix.

Abstract: A method performed by a first network device may include receiving a request for a resource from an end-point device and acknowledging the request for the resource to the end-point device. The method may also include receiving a resource coordination message from a second network device and transmitting a return resource coordination message to the second network device.

Abstract: A system processes packets in a network device and includes a memory for buffering the packets. The memory may store the packets in memory in data cells. To expedite packet processing, portions of the packet are extracted and placed in a notification, which is then used for packet processing operations, such as route lookup, policing, and accounting. The notification may also include address elements, such as address offsets, that define the locations of the data cells in memory. The address elements can be used to read the data cells from the memory when packet processing is done. If the notification cannot hold all the address elements, additional cells, indirect cells, are created for holding the remaining address elements. The indirect cells are formed in a linked list. The notification contains an address element. To prevent reading incorrect indirect cells, each indirect cell is written with a signature that is created based on the notification.

Abstract: A packet header processing engine includes a level 2 (L2) header generation unit and a level 3 (L3) header generation unit. The L2 and L3 header generation units are implemented in parallel with one another. The L2 generation unit writes L2 header information to a first buffer and the L3 generation unit writes L3 header information to a second buffer. When the L2 and L3 header generation units finish processing a packet, the packet may be unloaded from the first and second buffer while a new packet is simultaneously loaded to the packet header processing engine.

Abstract: The invention is directed towards techniques for forwarding subscriber frames through a Multi-Protocol Label Switching (MPLS) aggregation network using MPLS labels. Layer two (L2) network devices, such as access nodes, of a service provider (SP) network implement MPLS functionality in the data plane, but do not implement an MPLS signaling protocol in the control plane. The L2 network devices include a pool of labels applied in the data plane of the L2 network device to output MPLS communications to the MPLS network, and a protocol that allows a layer three (L3) device to control provision of L2 functionality by the L2 device. The pool of labels is dynamically configured by the L3 device via the protocol. The access nodes distribute the subscriber labels and MPLS labels as upstream assigned labels.

Abstract: A routing device may be connected to multiple spoke site networks, and may receive local routes from these spoke site networks. The routing device may include routing information and forwarding information. The routing device may update the routing information to include the local routes, and selectively generate the forwarding information to exclude the local routes. The routing device may associate labels with the local routes and advertise the labels and local routes to other routing devices. The labels may be associated with interfaces of the routing device or access links that connect the routing device to a spoke site network, and the associations of labels with interfaces or access links may be stored in the forwarding information. The routing device may forward received packets that include the labels according to the labels, and may forward other received packets according to the routes within the forwarding information.

Abstract: A wireless intrusion prevention system and method to prevent, detect, and stop malware attacks is presented. The wireless intrusion prevention system monitors network communications for events characteristic of a malware attack, correlates a plurality of events to detect a malware attack, and performs mitigating actions to stop the malware attack.

Abstract: A network device may include logic configured to receive a problem report from a second network device, store and analyze data included in the problem report, filter data in the problem report to determine when the problem report is to be transmitted to a third network device, and transmit the problem report to the third network device when the filtering determines that the problem report is to be transmitted.

Abstract: In general, techniques are described for automatically releasing network resources reserved for use by network devices within a network. In particular, a network device, such as a router, may include an interface card that receives a first and a second message from respective first and second client devices requesting reservation of network resources. The first message may include a first identifier, while the second message may include a second identifier. Both messages however may also include the same additional context information that identifies the same context in which the first client device operates. The router may include a control unit that determines whether the additional context information included within the first and second messages is the same. Based on a determination that this information is the same, the control unit may automatically release resources reserved for use by the first client device within the network.

Abstract: A memory controller may implement variable delay elements, on a per-bit basis, in both the read and write paths. The memory controller may include multiple adjustable delay circuits associated with data lines and a strobe line, each of the adjustable delay circuits inserting an adjustable amount of delay into a signal destined to or received from one of the data lines or the strobe line. The memory controller may additionally include control logic to determine the delay amount for each of the adjustable delay circuits, the delay amount being determined to reduce static skew between each of the data lines and the strobe line.

Abstract: In general, techniques are described for performing session layer pinhole management within a network security device. In accordance with the techniques, the network device includes a resource manager module and a Session Initiation Protocol (SIP) module. The SIP module receives a SIP message from a private server, the SIP message requesting a SIP session. In response to the SIP message, the SIP module via the resource manager module opens a pinhole to permit the SIP session and assigns via the resource manager module resources included within the resource pool to monitor each call occurring over the SIP session. The SIP module further determines whether each of the calls has completed based on an session layer characteristic of a subsequent SIP message associated with each call and based on the determination, returns via the resource manager module the resources assigned to monitor each completed call to the resource pool.

Abstract: A packet scheduler may include logic configured to receive packet information. The packet scheduler may include logic to receive an operating parameter associated with a downstream device that operates with cell-based traffic. The packet scheduler may include logic perform a packet to cell transformation to produce an output based on the operating parameter. The packet scheduler may include logic to use the output to compensate for the downstream device.

Abstract: A controller may include a measurement circuit configured to generate a proxy signal representing delay variations in the controller. The measurement circuit may also generate a measurement value from the proxy signal. A control circuit may be configured to convert the measurement value into a control value. A delay circuit may be adjusted by the control value to alter an amount of delay of a signal.

Abstract: A system facilitates the configuring of a set of devices. The system stores templates, where each template includes configuration data that applies to one or more of the devices. The system configures the devices based on the configuration data in the templates.

Abstract: A bandwidth divider and method for allocating bandwidth between a plurality of packet processors. The bandwidth divider includes a plurality of counters for measuring the bandwidth of data packets transferred from the bandwidth divider to a respective packet processor; and a controller for analyzing the plurality of counters and transferring a data packet to a selected packet processor based on the contents of the counters. The method monitors the bandwidth consumed by the packet processors; determines, based on the bandwidth consumed by the packet processors, which packet processor has consumed the least amount of bandwidth; and allocates a next data packet to the packet processor which has consumed the least amount of bandwidth.

Abstract: A network device may manage communication sessions with clients so that attempts at the client to automatically keep the session alive can be ignored for purposes of timing out the session. The device may examine resource requests received from the client as uniform resource locators (URLs) and determine whether the URLs include a context variable. The device may determine whether to reset a timeout period for the communication session based on a presence of the context variable in the URL. At the client side, the context variable may be attached to URLs that are part of functions configured to automatically access the network device.

Abstract: A network device constructs an outgoing resource reservation message and determines an authentication value, using, for example, a cryptographic algorithm and at least a portion of the outgoing message. The network device identifies a destination node for the message and inserts the authentication value in the message. The network device sends the message across a network to the destination node for authentication at the destination node using the authentication value.

Abstract: A software module operating within a router, such as an operating system, manages state information within a hierarchically ordered and temporally-linked data structure. The software module sends state change messages to other software modules within the router, referred to as consumers, in an order that corresponds to the hierarchical order and the temporal linking. The data structure may comprise a plurality of objects to store state information. The operating system may receive event messages that indicate a change to the state information. The objects may be hierarchically linked in accordance with a hierarchy representing relationships of event messages. The objects may be temporally linked in accordance with the order in which the operating system receives event messages. The operating system may traverse the data structure according to the temporal and hierarchical links to select state change messages to send to a consumer.