Abstract: Techniques are described that allow a network device, such as a router, to dynamically build VLAN interfaces based on subscriber information strings included within packets. In particular, the network device comprises an interface controller and a forwarding controller, where the forwarding controller receives the packet over an Ethernet port and forwards the received packet to the interface controller. The packet includes both Ethernet tagging information and a subscriber information string. The interface controller comprises an Ethernet module that dynamically builds a primary virtual local area network (VLAN) sub-interface (PVS) based on the Ethernet tagging information. The Ethernet module also dynamically builds a subscriber VLAN sub-interface (SVS) based on the subscriber information string. The SVS allows the network device to distinguish between subscribers residing on the same VLAN, and, therefore, to provide subscriber specific services.

Abstract: A method, performed in a network element, for communicating packet multimedia data between a first endpoint and a second endpoint, the method comprising the machine-implemented steps of receiving an outbound multimedia data packet; determining if the outbound multimedia data packet originated from a first endpoint that is logically behind a security device; determining and storing information identifying a logical pinhole in the security device, wherein the logical pinhole is associated with expected inbound multimedia data packets directed to the first endpoint; performing an action that keeps the logical pinhole open during all of a communication session between the first endpoint and the second endpoint; and forwarding inbound multimedia data packets directed from the second endpoint to the first endpoint via the logical pinhole.

Abstract: A network device seamlessly handles multicast traffic flow between virtual private networks (VPNs) and content providers located external to the VPNs. For example, the network device, such as a router, comprises an interface card and a forwarding component. The forwarding component maintains forwarding data for a public network and forwarding data for the virtual private network. The interface card receives a multicast packet from a virtual private network destined for a multicast content provider external to the virtual private network. When forwarding the multicast packet, the forwarding component bypasses the forwarding data for the public network and forwards the multicast packet to the multicast content provider in accordance with the forwarding data for the public network.

Abstract: Graceful restart in routers having redundant routing facilities may be accomplished by replicating network (state/topology) information.

Abstract: Link failure messages are sent through a network to accelerate convergence of routing information after a network fault. The link failure messages reduce the oscillations in routing information stored by routers, which otherwise can cause significant problems, including intermittent loss of network connectivity as well as increased packet loss and latency. For example, the link failure messages reduce the time that a network using a path vector routing protocol, such as the Border Gateway Protocol (BGP), takes to converge to a stable state. More particularly, upon detecting a network fault, a router generates link failure information to identify the specific link that has failed. In some types of systems, the router communicates the link failure information to neighboring routers as well as a conventional update message withdrawing any unavailable routes. Once other routers receive the link failure information, the routers do not attempt to use routes that include the failed link.

Abstract: Techniques are described for dynamically configuring an interface in a network service provider. The techniques allow dynamic configuration of, for example, a dual stacked interface that includes both Internet Protocol version 6 (IPv6) and Internet Protocol version 4 (IPv4) on the same layer 2 link. In this way, a customer network having an existing IPv4 connection to a network service provider will be able to run both IPv4 and IPv6 over the same interface. A network device within the network service provider may receive a control packet from a subscriber device. The packet may be received on an ATM hybrid permanent virtual circuit (PVC) that supports multiple interface columns. The network device is capable of auto-sensing multiple packet protocols and may dynamically create multiple interface columns over the same ATM interface based on the encapsulation type of the received packets.

Abstract: In general, the invention is directed to techniques for establishing secure connections with devices residing behind a security device. In accordance with the techniques, a managed device initiates a transmission control protocol (TCP) session to establish a TCP session with a management device such that the management device acts as the TCP server and the managed device acts as a TCP client. Once established, the managed device sends a role reversal message specifying an identity of the managed device via the TCP session. Upon receiving the role reversal message, the management device initiates a secure connection over the TCP session in accordance with a secure protocol such that the management device acts as the secure protocol client and the managed device acts as the secure protocol server. By properly establishing the secure session, each of the devices assumes the proper roles and administrators may more easily configure the devices.

Abstract: A label switching router (LSR) is described that spoof checks Multi-protocol Label Switching (MPLS) packets to prevent malicious or inadvertent injection of MPLS packets within a label switched path (LSP). The LSR ensures that MPLS packets received from an upstream label switching router (LSR) contain labels that were advertised to that upstream LSR. A software module associated with a signaling protocol, such as the Resource Reservation Protocol (RSVP), the Label Distribution Protocol (LDP), or the Border Gateway Protocol (BGP), is extended to utilize an MPLS forwarding table, and MPLS interface table, and a remote autonomous system table. A set of interfaces for which the label was advertised may be checked to determine whether an interface on which a packet was received is contained in the set of interfaces. The MPLS forwarding table may contain a spoof-check field used to specify one of several different types of spoof checks and to specify the set of interfaces.

Abstract: A system and method that optimizes transmission control protocol (TCP) initial session establishment without intruding upon TCP's core algorithms. TCP's initially session establishment is accelerated by locally processing a source's initial TCP request within the source's local area network (LAN). A control module relatively near the source's local area network (LAN) and another control module relatively near a destination's LAN are utilized to complete the initial TCP session establishment within the source and the destination's respective LANs, thereby substantially eliminating the first round-trip time delay before the actual data flow begins. The first application-layer data packet thus can be transmitted at substantially the same time as the initial TCP request.

Abstract: A network device constructs an outgoing resource reservation message and determines an authentication value, using, for example, a cryptographic algorithm and at least a portion of the outgoing message. The network device identifies a destination node for the message and inserts the authentication value in the message. The network device sends the message across a network to the destination node for authentication at the destination node using the authentication value.

Abstract: A method and apparatus for scheduling virtual upstream channels within one physical upstream channel is disclosed. A different MAP message is received by a receiver for each virtual upstream channel from that sent downstream. Where multiple upstream receivers are used, separate MAP messages can be sent for each receiver and consequently, each virtual upstream channel. The use of multiple upstream receivers is not necessary if the upstream receiver can change the upstream channel descriptors it is using per burst.

Abstract: The invention performs frequency estimation over both the burst preamble, during which known symbols are transmitted, and also during the burst's data packet, which is subsequent to the preamble and extracted by the local detector. During the preamble, an initial frequency estimate is obtained. This estimate is based on a time average of either phase or correlation samples. Atypical phase or correlation samples, attributable to detector symbol errors during the data packet, are detected and filtered, so as to avoid including the atypical samples in a time-averages used to provide the frequency estimate. In a first embodiment correlation samples are time averaged, and atypical correlation samples are suppressed prior to correlation time averaging. In a second embodiment, phase slope values are time averaged, and atypical values of phase slope are suppressed prior to phase slope time averaging.

Abstract: A router detects a network attack and forwards traffic associated with the network attack to a discard interface. The router applies one or more filters to calculate traffic flow statistics for the traffic forwarded to the discard interface. The router may exchange routing communications with one or more other routers to alert the routers of the network attack. For example, the router may generate a routing communication in accordance with a routing protocol that advertises a route to the targeted device, and includes a policy tag that indicates the existence of a network attack. The other routers update forwarding information in accordance with the advertised route, and automatically forward traffic to respective discard interfaces based on the policy tag, thereby diffusing the network attack.

Abstract: A compression device recognizes patterns of data and compressing the data, and sends the compressed data to a decompression device that identifies a cached version of the data to decompress the data. In this way, the compression device need not resend high bandwidth traffic over the network. Both the compression device and the decompression device cache the data in packets they receive. Each device has a disk, on which each device writes the data in the same order. The compression device looks for repetitions of any block of data between multiple packets or datagrams that are transmitted across the network. The compression device encodes the repeated blocks of data by replacing them with a pointer to a location on disk. The decompression device receives the pointer and replaces the pointer with the contents of the data block that it reads from its disk.

Abstract: Principles of the invention are described for providing multicast virtual private networks (MVPNs) across a public network that are capable of carrying high-bandwidth multicast traffic with increased scalability. In particular, the MVPNs may transport layer three (L3) multicast traffic, such as Internet Protocol (IP) packets, between remote sites via the public network. The principles described herein may reduce the overhead of protocol independent multicast (PIM) neighbor adjacencies and customer control information maintained for MVPNs. The principles may also reduce the state and the overhead of maintaining the state in the network by removing the need to maintain at least one dedicated multicast tree per each MVPN.

Abstract: Principles of the invention are described for providing multicast virtual private networks (MVPNs) across a public network that are capable of carrying high-bandwidth multicast traffic with increased scalability. In particular, the MVPNs may transport layer three (L3) multicast traffic, such as Internet Protocol (IP) packets, between remote sites via the public network. The principles described herein may reduce the overhead of protocol independent multicast (PIM) neighbor adjacencies and customer control information maintained for MVPNs. The principles may also reduce the state and the overhead of maintaining the state in the network by removing the need to maintain at least one dedicated multicast tree per each MVPN.

Abstract: A voice relaying apparatus includes a receiving a cell from a network, a plurality of cell assembling/disassembling units for assembling and disassembling the cells, and a transmitting section for transmitting the cells assembled by each of the plurality of cell assembling/disassembling units. Each of the plurality of cell assembling/disassembling units is composed of a cell disassembling section for disassembling for cell received by the receiving section, a detecting section for detecting whether the voice relaying apparatus is carrying out a relay switch operation, and a cell assembling the cell disassembled by the cell disassembling section and for sending the cell to the transmitting section if the detecting section detects that the voice relaying apparatus is carrying out the relay switch operation.

Abstract: Techniques are described for reliable restoration of archived configuration. For example, a device, such as a router, comprises a first memory to store operational configuration data and a second memory to store candidate configuration data. The candidate configuration data represents a working copy of the operational configuration data. The device further includes a control unit to lock the candidate configuration data, load archived configuration data to replace the locked candidate configuration data and commit the candidate configuration data to restore the archived configuration data as the operational configuration data of the device. In locking the candidate configuration, the device ensures reliable restoration of the candidate configuration by helping prevent the device from becoming both unreachable and inoperable.

Abstract: A system improves bandwidth used by a data stream. The system receives data from the data stream and partitions the data into bursts. At least one of the bursts includes one or more idles. The system selectively removes the idles from the at least one burst and transmits the bursts, including the at least one burst.

Abstract: A network router employs a single board architecture that includes both a forwarding engine and an interface card concentrator. All of the circuits involved in routing are incorporated into a single board, reducing the system cost of the router. A single processor performs various functions in connection with these circuits, such as management of interface cards and the forwarding engine. In addition to lowering the system cost, the compact architecture allows higher density installation of interface cards.