Abstract: A system processes data units in a network. The system receives a data unit that includes a group of headers and suppresses one or more of the headers to form a reduced data unit. The system suppresses one or more other headers of the reduced data unit to form a further reduced data unit and transmits the further reduced data unit to one or more destination devices using the program identifier (PID) field in the MPEG header as an index to suppressed headers.

Abstract: A network device includes multiple packet processing engines implemented in parallel with one another. A spraying component distributes incoming packets to the packet processing engines using a spraying technique that load balances the packet processing engines. In particular, the spraying component distributes the incoming packets based on queue lengths associated with the packet processing engines and based on a random component. In one implementation, the random component is a random selection from all the candidate processing engines. In another implementation, the random component is a weighted random selection in which the weights are inversely proportional to the queue lengths.

Abstract: Techniques are described for preventing network attacks. More specifically, the techniques involve classification of routes based on the network protocol from which the routes were learned, and filtering of packets based on the classification. A network device, for example, is described that includes interface cards to receive routing information via one or more routing protocols, wherein the routing information defines network routes. The network device further includes a control unit to classify the routes based the routing protocol by which the routes were received, and selectively forward packets associated with the routes based on the classification of the routes. Edge routers within a server provider network, for example, may classify routes as either “internal” or “external” based on the protocols from which the routes were learned, and automatically filter packets to prevent network attacks using the techniques.

Abstract: A system comprises a plurality of processing modules, one of which is designated to be the primary processing module and the others are designated to be secondary processing modules. During operation, state is maintained in the primary processing module and at least one of the secondary processing modules. A switchover controller causes outputs from the secondary modules to be discarded. When the switchover controller receives an indication that the primary processing module has failed, it designates one of the secondary processing modules to be the primary processing module. Because the newly designated primary processing module already has current state information at switchover, the module is able to operate with minimal delay.

Abstract: The invention provides a device for reducing ingress noise in a digital signal, comprising a noise predictor for predicting an amount of ingress noise in the digital signal based on past samples of the ingress noise, and a subtractor for subtracting the predicted amount of ingress noise from the digital signal. Channel distortion is compensated for by a noise-independent equalizer, such as a ZF equalizer, placed upstream of the noise predictor. The device may be incorporated, for example, in a cable modem termination system (CMTS) of an hybrid fiber/coax (HFC) network.

Abstract: A system determines bandwidth use by queues in a network device. To do this, the system determines an instantaneous amount of bandwidth used by each of the queues and an average amount of bandwidth used by each of the queues. The system then identifies bandwidth use by each of the queues based on the instantaneous bandwidth used and the average bandwidth used by each of the queues.

Abstract: In a gateway, a packet received from a first network contains first address data conforming to the first network in the packet header and second address data conforming to a second network in an auxiliary header. The first address data of the packet is then rewritten with the second address data of the packet and transmitted from the gateway to the second network.

Abstract: A network testing environment includes a control server and a testing cluster composed of one or more load generating devices. The load generating devices output network communications in a non-deterministic manner to model real-world network users and test a network system. The load generating devices operate in accordance with probabilistic state machines distributed by the control server. The probabilistic state machines model patterns of interaction between users and the network system.

Abstract: A router synchronizes state information between a plurality of control units. The router includes a primary control unit and a standby control unit. To ensure proper operation of the router, the primary control unit maintains router resources by receiving state information from the router resources and maintaining the state information for consumers. The primary control unit performs this maintenance process by transmitting update operation messages to consumers and the standby control unit. The consumers respond with an acknowledgement message to both the primary control unit and the standby control unit. The control units use the sequence of these messages to keep all components within the router in sync. Upon assuming control, the standby control unit resumes updating the consumers with state information without having to “relearn” state information, e.g., by way of power cycling the router resources to a known state.

Abstract: A method for phase-locking a voltage controlled oscillator is disclosed. The method comprises receiving, at a phase detector, a phase input signal and a phase feedback signal from the voltage controlled oscillator; measuring a pulse width property of an error signal output from the phase detector to obtain a pulse width property measurement; storing the pulse width property measurement in a memory; and generating a new signal from the stored pulse width property measurement to phase-lock the voltage controlled oscillator. The method of the present invention may be used to calibrate a clock, in clock holdover and in qualification of clock sources.

Abstract: Techniques are described for application of implementation-specific configuration policies within a network device to generate configuration data. For example, a device, such as a router, may comprise memory to store operational configuration data and candidate configuration data. The device further includes a control unit to apply an implementation-specific configuration policy to alter changes to the candidate configuration data, and commit the altered candidate configuration data to the operational configuration data. In applying the implementation-specific configuration policy, the control unit may insert additional configuration data or replace portions of the candidate configuration data with additional configuration data. In this manner, the device may detect misconfiguration and make changes to the candidate configuration data, thereby performing proactive error correction.

Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.

Abstract: A unicast/multicast system has an internal cell generating section that generates an internal cell to include its output index information based on user data, and an output port conversion table that stores the relation of output index information and output port number for the internal cell in the form of one-to-one for the unicast and one-to-multiple for the multicast.

Abstract: A method and a network device for sharing bandwidth among a group of classes of traffic for an interface are provided. Bandwidth may be allocated to at least one traffic class of a first priority for the interface. At least some unused bandwidth of the at least one traffic class may be allocated to at least one other traffic class of a second priority for the interface. In some implementations, weighted constituents may be allocated unused interface bandwidth based on an assigned weight of each of the weighted constituents of the interface.

Abstract: A buffer memory may be configured to temporarily store data in a number of queues. A processor may be configured to measure a fullness of the buffer memory. The processor may also be configured to assign sizes to the number of queues based on the fullness of the buffer memory. The processor may also adjust thresholds of drop profiles associated with the number of queues based on the sizes assigned to the number of queues.

Abstract: In general, the invention is directed to techniques of identifying an infected network device in a computer network where traffic to and from the infected network device is not necessarily routed through a single point on the computer network. For example, individual line cards in network devices count incoming network flows from network devices in host tables. The host tables of all line cards of all participating network devices are then correlated. It is then determined whether the number of flows from a network device outweighs the number of flows to the network device to a significant degree. If so, the network device may be considered suspicious. Packets from a suspicious network device may be rerouted to a network security device for more thorough inspection.

Abstract: Routing techniques are described that separate network topology information and management from network protocol addressing information, e.g., network prefixes, that network routers typically use during the packet forwarding process. The techniques provide separate topological identifiers to identify individual topological elements of the network, referred to as aggregates. A router within a network exchanges topological information with other routers that specifies routes for reaching destinations within a set of aggregates that represent topological elements of a network. In accordance with the topological information, the router generates forwarding information that associates the destinations with respective next hops within the network, and forwarding packets in accordance with the forwarding information.

Abstract: An architecture for controlling a multiprocessing system to provide at least one network service to subscriber data packets transmitted in the system using a plurality of compute elements, comprising a management compute element including service set-up information for at least one service and at least one processing compute element applying said at least one network service to said data packets and communicating service set-up information with the management compute element in order to perform service specific operations on data packets. In a further embodiment, a method of controlling a processing system including a plurality of processors is disclosed.

Abstract: A network router management interface for use in configuring a router and obtaining operational information provides an application programming interface (API) that permits clients to formulate requests and receive replies according to an extensible markup language such as XML. The router may transform a login stream at a router command line interface (CLI) to implement the XML-based API. For example, the management server accepts input from the CLI and, upon receipt of a particular command from the client, transforms the CLI into a programmatic interface for exchange of XML-tagged requests and XML-tagged replies according to the XML-based API. Providing access to the XML-based API via the CLI login shell enables the use of standard login, security, authentication and authorization techniques.

Abstract: Systems and methods for preventing a Man-in-the-Middle attack on a communications network, without combining encryption keys of an inner authentication protocol and a tunneling protocol encapsulating the inner authentication protocol. The performance of a hash function may be split between two network devices on the communications network. For example, in response to a challenge issued by a tunnel server, a client may initiate performance of a hash function using only a first part only of the challenge and generate an intermediate result of the hash function (i.e., a preliminary hash). The client then may transmit the preliminary hash to the tunnel server as part of a response to the challenge. The tunnel server then may complete the hash function using the preliminary hash and the remaining part of the challenge to produce a final hash. The final hash then may be used to authenticate a user.