Abstract: A network device includes multiple packet processing engines implemented in parallel with one another. A spraying component distributes incoming packets to the packet processing engines using a spraying technique that load balances the packet processing engines. In particular, the spraying component distributes the incoming packets based on queue lengths associated with the packet processing engines and based on a random component. In one implementation, the random component is a random selection from all the candidate processing engines. In another implementation, the random component is a weighted random selection in which the weights are inversely proportional to the queue lengths.

Abstract: A group poll mechanism (GPM) that schedules upstream bandwidth for cable modems by pointing a request opportunity normally reserved for a single service flow to more than one service flow. Essentially, instead of using the seldom-used poll requests one per service flow, this same request opportunity is pointed to multiple service flows. In such kind of a scheme the GPM gives the same mini-slot to multiple service flows. The GPM implements the use of place-holder SIDs and novel mapping of information elements in MAP messages.

Abstract: Processing of numeric addresses is facilitated by using a user interface, rather than system modules, to handle name resolution. Processing the addresses at the user interface level avoids delays and packet blocking problems associated with using system modules to perform the task. Relieving the system modules from the responsibility of processing numeric addresses allows them to process other requests, improving overall system efficiency.

Abstract: A system establishes a virtual private network (VPN) tunnel to a destination and determines a next hop for the VPN tunnel. The system inserts the next hop, and an address associated with the destination, into an entry of a first table. The system inserts the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into an entry of a second table. The system associates one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.

Abstract: A system delivers a media stream to a client using a delivery bandwidth. The system adjusts an amount of the bandwidth used to deliver the media stream based on a state of a buffer associated with the client that receives and buffers the delivered media stream.

Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.

Abstract: A network device may include logic configured to detect that an event has occurred in the network device, determine an XML document structure based on the detected event, and generate an XML document with the determined structure including information relating to the detected event.

Abstract: An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation, as well using conventional fixed rules. This improvement is provided without significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.

Abstract: An MPOA system for establishing communication by using layer 3 protocol on an ATM network, in which data about the layer 3 address of a source of data packets is added to an address resolution request packet which is transmitted in order to establish a shortcut VCC toward a destination of the data packets in each communication node and hence transmitted to the destination, and in the case of accepting the address resolution request packets to be transmitted in order to establish the respective shortcut VCCs toward the destination of the data packets, as for the same communication, from a plurality of the communication nodes, a shortcut VCC is established only between the destination and the communication node remotest from the destination on the network.

Abstract: Improved approaches for providing secure access to resources maintained on private networks are disclosed. The secure access can be provided through a public network using a standard network browser. Multiple remote users are able to gain restricted and controlled access to at least portions of a private network through a common access point. The solution provided by the invention is not only easily set up and managed, but also able to support many remote users in a cost-effective manner.

Abstract: A network device and a method are provided. The network device may include a plurality of elements and a routing infrastructure. The routing infrastructure may be configured to route network traffic received at the network device, and transfer, among two or more of the elements, packets that include management information related to the routing of the network traffic.

Abstract: Traffic flow criteria are distributed between routing devices. More specifically, a routing protocol, such as the Border Gateway Protocol (BGP), may be extended in a manner that allows fine-grain criteria to be conveyed for application to network traffic. For example, a flow specification data type may be defined in accordance with BGP to allow a variable number of packet flow attributes to be specified, such as source information, destination information, port information, protocol or other flow criteria. In this manner, traffic flow criteria are specified in a way that cannot be expressed using destination address prefixes only. The flow specification data type may be defined as network layer reachability information (NLRI) that is associated with a route advertised in accordance with BGP.

Abstract: A network device may include a packet header processing engine configured to receive a packet containing packet header information that includes a maximum transfer unit size and a packet length, and determine whether the packet length is greater than the maximum transfer unit size. The packet header processing engine may also be configured to generate and transmit new packet header information when the packet length is less than the maximum transfer unit size, and generate a first fragment header when the packet length is greater than the maximum transfer unit size. The packet header processing engine may further be configured to transmit the first fragment header for generation of a first packet fragment when the packet length is greater than the maximum transfer unit size.

Abstract: Techniques for controlling access to resources within a device are described. A device is described, for example, that includes a computer-readable medium and a management interface. The computer-readable medium stores configuration data and authorization data. The authorization data defines an access control attribute and an associated regular expression specifying a textual pattern. The management interface receives a text-based command to access the configuration data of the device, evaluates the command using the regular expression, and controls access to the configuration data based on the evaluation.

Abstract: The liveness of routing protocols can be determined using a mechanism to aggregate liveness information for the protocols. The ability of an interface to send and receive packets and the forwarding capability of an interface can also be determined using this mechanism. Since liveness information for multiple protocols, the liveness of interfaces, the forwarding capability of interfaces, or both, may be aggregated in a message, the message can be sent more often than could individual messages for each of the multiple protocols. This allows fast detection of failures, and sending connectivity messages for the individual protocols, such as neighbor “hellos,” to be sent less often.

Abstract: Techniques are described for dynamically inserting filters into a forwarding path of a router in response to a received filter description. For example, a first router may receive a generic filter description, and process the generic filter description to generate machine instructions executable by forwarding hardware. The forwarding hardware, which may be a forwarding engine or an interface card, executes the machine instructions to implement the dynamic filter. The router, for instance, may filter packet flows of a device sourcing a network disturbance, such as a denial of service (DoS) attack by applying the dynamic filter to the packet flows. The router may further forward the filter description to neighboring routers to filter the packet flows closer to the source.

Abstract: The present invention provides an efficient system and method for routing information through a dynamic network. The system includes at least one ingress point and one egress point. The ingress and egress point cooperate to form a virtual circuit for routing packets to destination subnets directly reachable by the egress point. The egress point automatically discovers which subnets are directly accessible via its local ports and summarizes this information for the ingress point. The ingress point receives this information, compiles it into a routing table, and verifies that those subnets are best accessed by the egress point. Verification is accomplished by sending probe packets to select addresses on the subnet. Additionally, the egress point may continue to monitor the local topology and incrementally update the information to the ingress to allow the ingress to adjust its compiled routing table.

Abstract: Techniques are described in which a network device waits differing amounts of time for different network sockets before beginning processes to determine whether respective network connections from the network sockets have failed. An intermediate device may create a network socket for a network connection having a keep-alive wait time option set to a keep-alive wait time associated with a class of the network connection. If an amount of time specified by the keep-alive option of the socket passes after a last successful communication on the network connection, the socket may begin a process to determine whether the network connection has failed. If the intermediate device determines that the network connection has failed, the intermediate device may terminate the connection to free resources on the intermediate device allocated to the network connection.

Abstract: Techniques for delivering and receiving multicast content across a unicast network are described. A system that supports delivery and reception of multicast content across a unicast network includes a first device and a second device. The first device may be a destination device or a multicast-enabled router. The second device is multicast-enabled, and may be a multicast-enabled router. The first device determines whether a route between a destination device and a source of multicast packets is multicast-enabled, sends a unicast request message that includes as a destination address an address associated with the source and is marked for interception by a second device based on the determination, and receives the multicast packets as unicast packets from the second device. The second device intercepts the unicast request message and delivers the multicast packets to the requesting device as unicast packets in response to the unicast request message.

Abstract: Techniques are described for detection of repeated video content to reduce an amount of high bandwidth traffic transmitted across a network from a video source device to remote subscriber devices. In particular, the invention relates to a first intermediate device capable of recognizing patterns of video content and sending a communication to a second intermediate device that transmits a cached version of the video content. In this way, the first intermediate device does not have to resend the high bandwidth video content over the network. The network may comprise any private or public network.