Abstract: A device may include an interface to send policy information to an evaluation module, where the policy information is related to a group of policies, and receive a group of results from the evaluation module, where the group of results indicates whether the status of a source device complies with the croup of policies. The interface may send an instruction to a destination device configured to implement at least a subset of the policies with respect to the source device based on the instruction.

Abstract: Techniques are described for distributing network traffic across parallel data paths. For example, a router may perform a hash on routing information of the packet to generate a hash value corresponding to the packet flow associated with the packet. The router may map the hash value of the packet to a forwarding element associated with a data path. The router may dynamically update the mapping of hash values to forwarding elements in accordance with traffic flow statistics. In this manner, the router may distribute the packet flows from data paths with high volumes of traffic to data paths with smaller volumes of traffic. The router may further prevent out of sequence delivery of packets by updating the mapping upon a gap in the packet flow exceeding a threshold gap. For example, the router may update the mapping when a packet for a packet flow associated with the particular hash value has not been received for at least a defined time interval.

Abstract: Techniques are described for managing timeouts of filter criteria in a packet flow capture applications. The techniques allow for handling large amounts of timeouts used when monitoring a high volume of packet flows, without placing extreme demands on the operating system for managing the timeouts. The timeout data structure may be a circular array having a plurality of elements. The timeout array represents a span of time and the elements represent sequential units of time. Each element contains one or more pointers. The pointer may point to an entry in the filter table, or may be a null pointer. A timer thread periodically checks the timeout array to determine whether any timeouts occur at the current time. The timer thread checks the element of the array corresponding to the current time by computing an index into the array based on the current time.

Abstract: A system harvests sessions in a network device. The system receives a first data unit associated with a session and installs the session in a first queue until expiration of a first time period. The system installs the session in a second queue until the occurrence of at least one of an expiration of a second time period and a receipt of a data unit associated with the session. The system harvests the session upon expiration of the second time period.

Abstract: Improved approaches for providing secure access to resources maintained on private networks are disclosed. The secure access can be provided through a public network using client software of client-server software and/or with file system software. Multiple remote users are able to gain restricted and controlled access to at least portions of a private network through a common access point, such as an intermediate server of the remote network.

Abstract: A system controls the transfer of data. The system receives a request to transfer data and determines whether a counter value equals or exceeds a threshold. The counter value represents an amount of time since a previous data transfer. When the counter value equals or exceeds the threshold, the system transmits the data. In another implementation, the system tracks the amount of data read from a buffer. The system reduces the speed at which data is read when the amount of data read from the buffer exceeds a threshold.

Abstract: Thermal management is provided for a device. The device may include a substrate having a mounting area on a first surface of the substrate. The device may also include first thermal vias extending from the mounting area to at least an interior of the substrate. The device may also include at least one thermal plane substantially parallel to the first surface of the substrate, the at least one thermal plane being in thermal contact with at least one of the first thermal vias. The device may also include a heat sink attachment area, and second thermal vias extending from the heat sink attachment area to the interior of the substrate, the at least one thermal plane being in thermal contact with the second thermal vias.

Abstract: A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session.

Abstract: An access request is transmitted from a first device to a second device causing one or more security functions to be executed on the first device. Whether to grant the access request is based on a result of the executed one or more security functions.

Abstract: Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header.

Abstract: In a cable modem system, increasing or decreasing the rate of an MPEG Transport Stream involves two separate, but related, tasks: 1) incorporating a sufficient number of additional packets (or discarding packets) to make up for the difference in data rates between input and output, and 2) altering timing information (for instance, PCR (Program Clock Reference) values) present in some incoming packets to reflect their altered positions in the output stream. Both of these tasks can be facilitated by the use of a FIFO (First-In, First-Out) structure, through which the data flows.

Abstract: Enhanced Cable Modem Termination System (CMTS) functionality, including programmable digital domain modulators and demodulators for dynamic channel assignment, is incorporated into Fiber Nodes (FNs) or mini Fiber Nodes (mFNs), yielding enhanced Fiber Nodes (eFNs). These eFns distribute CMTS functionality deep into Hybrid-Fiber-Coax Networks (HFCN) rather than centralizing the CMTS functions within a single location. Moving the cable modem terminations closer to the subscribers shortens the analog RF paths required to support cable modems. Communication of both subscriber data and CMTS control data is performed over Ethernet-compatible packet networks between the field-based CMTSs and an upstream facility (e.g., the Head End), which includes an Internet gateway. Packet data for multiple subscriber cable modems is easily compressed and merged over common network paths, reducing cabling plant complexity and increasing bandwidth utilization.

Abstract: A network device and system are provided. The network device may include a chassis configured to receive a line card and an input/output (I/O) card that operatively connects to a network via cabling. The chassis may include a bus structure. The bus structure may include an I/O interface to couple to a chassis interface of the I/O card, and a line card interface to couple to a chassis interface of the line card using a connector away that includes at least one RF conductor which may be associated with a set of connectors configured to shield the at least one RF conductor.

Abstract: Improved approaches for providing secure remote access to resources maintained on private networks are disclosed. According to one aspect, predetermined elements, such as applets, can be modified to redirect all communications to and from an application server through an intermediate server. The intermediate server in turn communicates with the application servers. According to another aspect, a communication framework can be provided to funnel communication between an applet and a server through a communication layer so as to provide managed and/or secured communications there between.

Abstract: A layer 2 transport network, and components thereof, supporting virtual network functionality among customer edge devices. Virtual private network configuration can be accomplished with merely local intervention by preprovisioning extra channel (or circuit) identifiers at each customer edge device and by advertising label base and range information corresponding to a list of channel (or circuit) identifiers.

Abstract: A network controls provision of access functionality by an access node to provide a network service to a subscriber device. For example, the network device may control the queuing and forwarding of packets by the access node to facilitate packet transmission according to, for example, a Quality of Service class. The network device may send control messages to the access node to dynamically configure a control object stored by the access node, such as a Quality of Service profile. The network device may be a router, and the access node may be a base station that wireless communicates with a subscriber device, e.g., a cellular phone. The access node may then delivery the packets in accordance with the dynamically configured control object.

Abstract: A packet header processing engine receives a header of a packet. The received header includes a size of the packet. A maximum transfer unit size of a destination interface of the packet may be determined. The packet header processing engine determines whether the size of the packet exceeds the maximum transfer unit size of the destination interface. If the size of the packet does not exceed the maximum transfer unit size of the destination interface, the packet header processing engine generates a new header from the received header. If the size of the packet exceeds the maximum transfer unit size of the destination interface, the packet header processing engine generates a fragment header from the received header. The packet header processing engine may recycle the fragment header for further processing in addition to forming a first fragment packet from the fragment header.

Abstract: A method may include receiving input information related to communication over a network; performing processing to include setting an objective function associated with a link load in the network, setting a first constraint expression for determining the link load, generating a second constraint expression for determining path candidates for data traffic received at the network, generating a third constraint expression for determining a link band for the links based on the received data traffic, and generating a fourth constraint expression to determine a link capacity limit associated with the links, where the generating the second constraint expression and generating at least one of the first, third, or fourth constraint expressions are performed in parallel; and determining, based on the objective function and the first, second, third, and fourth constraint expressions, a path within the network for multiple point communication service from the path candidates.

Abstract: A network device includes a group of interfaces. Each interface is associated with at least one other interface of the group of interfaces and a group of network addresses. Each interface is configured to monitor at least one of the group of network addresses with which the each interface is associated or the at least one other interface with which the each interface is associated, and determine whether to logically shut down based on the monitoring.

Abstract: A system for determining the burst start timing of a signal includes logic configured to receive the signal, generate correlation moduli and generate a first timing output based on the correlation moduli. The logic may also be configured to receive operating mode information and timing information and generate search controls. The logic may further be configured to identify a maximum of the correlation moduli using the search controls and determine a second timing output associated with the maximum correlation modulus. The second timing output represents a more accurate approximation of a burst start time than the first timing output.