Abstract: In a PPP terminating equipment 100 connected with a switch fabric and terminating PPP link, the PPP terminating equipment 100 has an LCP echo requirement detecting section 20 detecting whether or not a received packet is the LCP echo requirement packet, and an LCP echo response producing section 40 producing a response packet to the LCP echo requirement by rewriting the LCP header of the received LCP echo requirement packet. The PPP terminating equipment 100 thereby produces and returns the response packet to the LCP echo requirement.

Abstract: Techniques are described for mitigating adverse effects of port scanning within a network device. For example, an apparatus, such as a router, responds to all network connection request packets received from a client for all ports on an attached server as if all of the server's ports are open. Once a network connection is established between the router and the client, a network connection request is transmitted to the server for a requested port. Using the router to establish a full network connection with the client eliminates a unscrupulous client from sending numerous decoy network connection request messages in an effort to hide the identity of the client. By responding to all network connection requests by establishing a TCP full connection before a network connection request is forwarded to a server, a client receives no useful information regarding the state of a port on the server before providing a valid and detectable IP address. Stealth port scanning is rendered ineffective.

Abstract: Samples from an addressed data forwarding devices, such as a router, are forwarded to a specified next hop address and/or out a specified next hop interface. However, the sampling and/or next hop forwarding is suppressed if the specified next hop address is unstable or unresolved.

Abstract: A method may include receiving a packet including a destination address, identifying a destination address entry based on the destination address, the destination address entry including an address identifier, comparing the address identifier to an event identifier, determining whether an event occurred based on the comparison, and forwarding the packet on an alternate path if it is determined that the event occurred.

Abstract: The invention is directed to techniques for initiating lawful intercept of packets associated with subscriber sessions on a network device of a service provider network based on identification triggers. A law enforcement agency may send an intercept request for a subscriber to an administration device of the service provider network. The administration device may then configure one or more identification triggers for the subscriber based on the intercept request. The techniques described herein initiate lawful intercept when one or more subscriber sessions on a network device match the one or more identification triggers. The techniques described herein include configuring trigger rules that include identification triggers for subscribers on a network device via a command line interface (CLI) of the network device. In addition, the techniques described herein include configuring identification triggers in a subscriber profile on an authentication device connected to a network device.

Abstract: A communication node contains intelligence for directing both internet protocol (IP) packets and Asychronous Transfer Mode (ATM) cells toward their destinations. The ATM cells and IP packets may be received within a common data stream. The respective devices process the ATM cells and IP packets to direct the cells and packets to the proper output ports towards their destinations. The device is capable of performing policing and quality of service (QOS) processing on both the ATM cells and the IP packets.

Abstract: A network system includes a first device and a second device separated by a network having asymmetric routes in which traffic forwarded in a first direction from the first device to the second device may travel a different route than traffic forwarded in a second direction from the second device to the first device. At least three intermediate processing devices are located between the first device and the second device, wherein at least two of the intermediate processing devices are located along different asymmetric routes. The intermediate processing devices intercept a communication flow between the first device and the second device, and encapsulate the communication flow within network tunnels so that communications associated with the communication flow in the first direction and the second direction are forwarded between a same set of at least two of the intermediate processing devices.

Abstract: A method of scheduling upstream bandwidth. This method comprises: 1) anticipating the need for the upstream bandwidth in advance of any specific request for said upstream bandwidth; and 2) scheduling the upstream bandwidth in accordance with such need.

Abstract: The principles of the invention allow a network device, such as a router, to maintain a high level of services during a failure without substantially utilizing redundant hardware components. During execution, the network device stores a subset of state information associated with applications executing on the network device. In the event of a failure, the network device reconstructs data structures associated with at least one of the applications based on the stored subset of state information. Next, the network device restarts at least one of the applications to resolve the failure. While restarting, the network device may continue to receive and forward information, such as packets, and, therefore, may continue to provide a high level of access to client devices previously connected to the network device.

Abstract: In general, this disclosure describes techniques of selecting routes for network packets through a computer network based, at least in part, on electrical power procurement arrangements of devices in the computer network. As described herein, there may be a plurality of routes through a computer network from a first device to a second device. Each of these routes may include one or more devices that consume electrical power. A route selection device may make a determination regarding how network packets are to be routed among these routes based, at least in part, on arrangements made to procure the electrical power consumed by the devices along the routes. After the route selection device makes this determination, the route selection device may cause network packets to be routed among these routes in accordance with this determination.

Abstract: Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

Abstract: A forwarding component of a routing node floods copies of a packet to a plurality of next hops associated with the same layer two (L2) network as an interface on which the packet was received. The plurality of next hops excludes a next hop that corresponds to the interface that received the packet. The forwarding component requires that forwarding information installed by a control unit specify the plurality of next hops to which to flood the copies of the packet, and the forwarding component is not capable of deriving the plurality of next hops to which to flood the copies of the packet from a single flooding next hop identifier after the packet is received. Prior to receiving the packet, a flooding next hop control module derives the plurality of next hops based on the flooding next hop and installs the derived next hops into the forwarding information.

Abstract: Techniques for controlling access to resources within a device are described. A device is described, for example, that includes a computer-readable medium and a management interface. The computer-readable medium stores configuration data and authorization data. The authorization data defines an access control attribute and an associated regular expression specifying a textual pattern. The management interface receives a text-based command to access the configuration data of the device, evaluates the command using the regular expression, and controls access to the configuration data based on the evaluation.

Abstract: A front-to-back cooling system allows cooling of an apparatus containing two orthogonal sets of modules. Each set of modules is independently cooled. A vertical set of modules is cooled with vertical air flow across the modules that enters from a front of the apparatus and exhausts from a back of the apparatus. A horizontal set of modules is cooled with horizontal front-to-back air flow. When the horizontal set of modules is at the front of the apparatus, a plenum extending exterior to the vertical set of modules allows exhausting horizontally flowing air to the rear of the apparatus. When the horizontal set of modules is at the rear of the apparatus, a plenum extending exterior to the vertical set of modules allows moving air from the front of the apparatus to a chamber holding the horizontal modules.

Abstract: A network acceleration device simultaneously caches and intelligently serves different historical versions of stored network content. For example, the network acceleration device may receive one or more requests for original content; however, subsequent updates to the content may create varying versions of the content, e.g., a pre-update version and one or more post-update versions. Client devices that requested the content prior to the update receive the pre-update version from the network acceleration device. Client devices that requested content after the update receive the post-update version from the network device. Moreover, the network acceleration device facilitates the simultaneous delivery of the pre-update version and the post-update version without waiting for delivery of the pre-update version to be complete. Thus, the network acceleration device may facilitate decreased download times by seamlessly and transparently providing both versions of the content simultaneously.

Abstract: The invention is directed to techniques for dynamic policy provisioning. A network security device may comprise a memory that stores a first policy that identifies a first set of patterns that correspond to a first set of network attacks and a second policy, and a control unit that applies the first policy to the network traffic to detect the first set of network attacks. The control unit, while applying the first policy, monitors parameters corresponding to one or more resources and dynamically determines whether to apply a second policy to the network traffic based on the parameters. The control unit, based on the dynamic determination, applies the second policy to the network traffic to detect a second set of network attacks and forwards the network traffic based on the application of the second policy. In this manner, the network security device may implement the dynamic policy provisioning techniques.

Abstract: A networking system, device, and method are provided. The networking device typically includes a user-defined ruleset including HTTP request rules and HTTP response rules. The networking device may further include a request processor configured to receive an incoming HTTP request from the client, apply HTTP request rules to the incoming HTTP request, to thereby produce a modified HTTP request, and send the modified HTTP request to the server. The networking device may further include a response processor configured to receive an HTTP response to the modified HTTP request from the server, apply the HTTP response rules to the HTTP response, to thereby produce a modified HTTP response, and send the modified HTTP response to the client.

Abstract: A scheduler allowing high-speed scheduling scalable with the number of input and output ports of a crosspoint switch and suppressed unfairness among inputs is disclosed. The scheduler includes an M×M matrix of scheduling modules, each of which schedules packet forwarding connections from a corresponding input group of input ports to selected ones of a corresponding output group of output ports based on reservation information. A diagonal modulo pattern is used to determine a set of M scheduling modules to avoid coming into collision with each other. Each determined scheduling module performs reservation of packet forwarding connections based on current reservation information and transfers updated reservation information in row and column directions of the M×M matrix.

Abstract: A mobile radio system comprises first through N-th radio base stations, where N represents a positive integer which is greater than one. On a start-up sequence of an n-th radio base station, a base station control apparatus transmits an n-th individual identifier as a station identifier to the n-th radio base station to allocate the n-th individual identifier to the n-th radio base station, where n is a variable between one and N, both inclusive. The base station control apparatus transmits a transmission message signal having the n-th individual identifier as a transmission individual identifier to the n-th radio base station to carry out a link connection between the base station control apparatus and the n-th radio base station. In the n-th radio base station, an ATM reception section compares the transmission individual identifier with the n-th station identifier to abandon the transmission message signal when the transmission individual identifier is not coincident with the n-th station identifier.

Abstract: A system includes a gateway node that contains modular cards that separately implement control and data planes of a network protocol. The separate data and control cards provide for improved system reliability and improved flexibility in managing bandwidth. Control or data cards can be added to the gateway node as needed based on system load.