Abstract: In general, the invention is directed to techniques of identifying an infected network device in a computer network where traffic to and from the infected network device is not necessarily routed through a single point on the computer network. For example, individual line cards in network devices count incoming network flows from network devices in host tables. The host tables of all line cards of all participating network devices are then correlated. It is then determined whether the number of flows from a network device outweighs the number of flows to the network device to a significant degree. If so, the network device may be considered suspicious. Packets from a suspicious network device may be rerouted to a network security device for more thorough inspection.

Abstract: Techniques for classifying and managing network flows associated with a network service using application classification information and active signaling relay are described. A network device, for example, includes a signaling interceptor and a network flow interface. The signaling interceptor monitors a communication between a customer device and an application server, and identifies a network flow associated with a network service provided to the customer device by the application server. The network flow interface applies a policy to the identified network flow. An active signaling relay module communicates with the application server using data injected within the signaling communications, and utilizes the injected data to further control the network flows and the delivery of the network service.

Abstract: A system receives data in multiple streams from an upstream device. The system temporarily stores the data in a first buffer and asserts a forward flow control signal when a capacity of the first buffer exceeds a first threshold value. The system reads the data from the first buffer and selectively processes the data based on the forward flow control signal. The system temporarily stores the selectively processed data in a number of second buffers, generates a backward flow control signal when a capacity of one of the second buffers exceeds a second threshold value, and sends the backward flow control signal to the upstream device.

Abstract: An intrusion detection and prevention (IDP) device includes a flow analysis module, an analysis engine, a plurality of protocol-specific decoders and a profiler. The flow analysis module processes packet flows in a network to identify network elements associated with the packet flows. The analysis engine forms application-layer communications from the packet flows. The plurality of protocol-specific decoders processes the application-layer communications to generate application-layer elements. The profiler correlates the application-layer elements of the application-layer communications with the network elements of the packet flows of the computer network.

Abstract: Systems and methods are provided for analyzing policy rules defined for a subscriber and determining packet treatment in a network. Definitions are retrieved pertaining to policy rules for a subscriber. At least one policy point in a network is determined based on the retrieved definitions. The packet treatment is determined at each of the at least one policy point. The packet treatment is shown for each of the at least one policy point. Packets may be injected into the network at injection points and statistics may be collected. The statistics may be compared with results of analyzing policy rules for the subscriber.

Abstract: In general, techniques are described for synchronizing resource bindings within computer networks. An intermediate network device comprising an interface card and a control unit may implement these techniques. The interface card receives a message from a server that allocates a network address for use by a client device identified by a unique identifier. The control unit stores data defining a binding between the unique identifier and the network address. The control unit includes a binding synchronization module that determines, based on a determination to release the binding, whether the binding release occurs in response to receiving a release message from the client device, and automatically generates a release message on behalf of the client device upon determining that the binding release did not occur in response to receiving a release message. The binding synchronization module outputs the automatically generated release message to the server that reserved the L3 network address.

Abstract: In general, techniques are described for efficiently implementing application identification within network devices. In particular, a network device includes a control unit that stores data defining a group Deterministic Finite Automata (DFA) and an individual DFA. The group DFA is formed by merging non-explosive DFAs generated from corresponding non-explosive regular expressions (regexs) and fingerprint DFAs (f-DFAs) generated from signature fingerprints extracted from explosive regexs. The non-explosive regexs comprise regexs determined not to cause state explosion during generation of the group DFA, the signature fingerprints comprise segments of explosive regexs that uniquely identifies the explosive regexs, and the explosive regexs comprise regexs determined to cause state explosion during generation of the group DFA.

Abstract: Ordering logic ensures that data items being processed by a number of parallel processing units are unloaded from the processing units in the original per-flow order that the data items were loaded into the parallel processing units. The ordering logic includes a pointer memory, a tail vector, and a head vector. Through these three elements, the ordering logic keeps track of a number of “virtual queues” corresponding to the data flows. A round robin arbiter unloads data items from the processing units only when a data item is at the head of its virtual queue.

Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.

Abstract: A system comprises a plurality of processing modules, one of which is designated to be the primary processing module and the others are designated to be secondary processing modules. During operation, state is maintained in the primary processing module and at least one of the secondary processing modules. A switchover controller causes outputs from the secondary modules to be discarded. When the switchover controller receives an indication that the primary processing module has failed, it designates one of the secondary processing modules to be the primary processing module. Because the newly designated primary processing module already has current state information at switchover, the module is able to operate with minimal delay.

Abstract: A network testing environment includes a control server and a testing cluster composed of one or more load generating devices. The load generating devices output network communications in a non-deterministic manner to model real-world network users and test a network system. The load generating devices operate in accordance with probabilistic state machines distributed by the control server. The probabilistic state machines model patterns of interaction between users and the network system.

Abstract: A first network client requests initiation of a data transfer with a second network client. An admission control facility (ACF) responds to the initiation request by performing admission analysis to determine whether to initiate the data transfer. The ACF sends one or more packets to the second network client. In response, the second network client sends acknowledgment packets back to the ACF. The ACF performs admission analysis based on the packets sent and the acknowledgment packets, and determines whether the data transfer should be initiated based on the analysis. The admission analysis may be based on a variety of factors, such as the average time to receive an acknowledgment for each packet, the variance of the time to receive an acknowledgment for each packet, a combination of these factors, or a combination of these and other factors.

Abstract: Identifiers are assigned to devices communicating via a number of virtual channels. If additional identifiers are needed, one or more new virtual channels are created and the identifiers are reused for the new virtual channel.

Abstract: A data compression system and method for that is capable of detecting and eliminating repeated phrases of variable length within a window of virtually unlimited size.

Abstract: Methods for optimizing the media path between multimedia endpoints in a network are described. One embodiment allows avoiding having to relay the media traffic through a central device, such as a border controller's media controller element, and lets endpoints communicate directly under various conditions.

Abstract: In general, the invention facilitates diagnosing fault conditions, such as flapping, by permitting users to request information for specific components in a network device such as a router. The invention also facilitates the diagnosis of other fault conditions, including, but not limited to, excessive numbers of dropped packets, hard drive crashes, high temperature readings, and inactive interface cards. A user may obtain a targeted log containing information relating to selected fault conditions or other network device events, rather than a system log containing information relating to all network device events, some of which may not be of interest to the user. The targeted log may be parsed and analyzed with greater ease than the system log.

Abstract: An arbiter performs arbitration over a plurality of queues and provides data to a plurality of mutually exclusive destinations using combination logic that logically combines a plurality of mutually exclusive vectors into a combination vector. Each of the mutually exclusive vectors corresponds to one of the plurality of mutually exclusive destinations. A number of vector arbiters perform arbitration on each mutually exclusive vector to select a position within the mutually exclusive vector. A combination arbiter performs arbitration on the combination vector to determine a position within the combination vector, which corresponds to the next queue to be serviced. A comparison element compares the position within a mutually exclusive vector and the position within the combination vector to determine the destination of the data within the next queue to be serviced.

Abstract: A transmission source bridge collects packets sent from nodes connected to a serial bus in accordance the IEEE1394 Standards, into one packet in an order they are to be transmitted and then sends them onto an ATM network, so that a transmission destination bridge receives this packet and divides it into a plurality of smaller packets and transfers them, in the order they were sent, to nodes connected to the serial bus in accordance with the IEEE1394 Standards.

Abstract: A new architecture provides network-based mobility in cellular networks that is built on Internet Protocol (IP)/Multiprotocol Label Switching (MPLS) technologies, such as Virtual Private Local Area Network (LAN) Service (VPLS), the Border Gateway Protocol (BGP) and BGP MPLS Layer 3 Virtual Private Networks (VPNs). The architecture consists of several building blocks that provide functionality for different aspects of cellular network mobility. One building block is network-based macro mobility in IP/MPLS networks. The macro mobility techniques described herein are built on extensions to a routing protocol such as BGP. Another building block relates to transferring subscriber context between network devices while preserving the IP address of the subscriber. The techniques described herein provide a subscriber context transfer mechanism for mobile subscriber management that is built on extensions to a routing protocol such as BGP.

Abstract: A new architecture provides network-based mobility in cellular networks that is built on Internet Protocol (IP)/Multiprotocol Label Switching (MPLS) technologies, such as Virtual Private Local Area Network (LAN) Service (VPLS), the Border Gateway Protocol (BGP) and BGP MPLS Layer 3 Virtual Private Networks (VPNs). The architecture consists of several building blocks that provide functionality for different aspects of cellular network mobility. One building block is network-based macro mobility in IP/MPLS networks. The macro mobility techniques described herein are built on extensions to a routing protocol such as BGP. Another building block relates to transferring subscriber context between network devices while preserving the IP address of the subscriber. The techniques described herein provide a subscriber context transfer mechanism for mobile subscriber management that is built on extensions to a routing protocol such as BGP.