Patents Assigned to Stonesoft
  • Patent number: 7130305
    Abstract: Processing of data packets within a network element cluster having a plurality of network element nodes is described. The network element cluster has a cluster network address common to said plurality of nodes. Distribution decisions are determined for first data packets, a first data packet being a data packet initiating opening of a packet data connection to said cluster network address, according to predetermined criteria. For each node of the network element cluster those first data packets, which are to be processed in said particular node, are selected according to the distribution decisions. Node-specific lists about opened packet data connections for which a node is responsible are maintained, and using these node-specific lists second data packets, which are data packets relating to any opened packet data connection specified in a node-specific list, are processed.
    Type: Grant
    Filed: July 2, 2001
    Date of Patent: October 31, 2006
    Assignee: Stonesoft Oy
    Inventors: Arttu Kuukankorpi, Joni Pajarinen, Christian Jalio, Marko Nippula
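Worked illustration of the scheme in the abstract above (added example; not Stonesoft's code, and the distribution criterion, cluster address and packet shapes are assumptions): every node sees every packet sent to the shared cluster address, applies the same deterministic distribution decision to connection-opening packets, records the connections it accepted in its own node-specific list, and then processes later packets only for connections on that list.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed cluster network address (documentation range); not from the patent.
CLUSTER_ADDR = "192.0.2.10"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # True for a connection-opening "first" packet, False for a "second" packet

    def flow(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

def distribution_decision(pkt: Packet, node_count: int) -> int:
    """Map a new connection to the node that owns it. Must be deterministic and
    identical on every node so that each opening packet is accepted by exactly one
    of them. Hash of the 4-tuple modulo node count is the criterion assumed here;
    the abstract only says 'predetermined criteria'."""
    key = "|".join(map(str, pkt.flow())).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % node_count

@dataclass
class Node:
    node_id: int
    node_count: int
    connections: set = field(default_factory=set)  # node-specific list of owned connections

    def handle(self, pkt: Packet) -> str:
        if pkt.dst_ip != CLUSTER_ADDR:
            return "ignore"
        if pkt.syn:
            if distribution_decision(pkt, self.node_count) == self.node_id:
                self.connections.add(pkt.flow())
                return "accept-new"
            return "drop"  # some other node owns this connection
        # Non-opening packet: processed only if it belongs to a connection this node owns.
        # Reply-direction packets would need the tuple normalised first; omitted here.
        if pkt.flow() in self.connections:
            return "accept-existing"
        return "drop"

def run_cluster(packets, node_count=3):
    """Every node sees every packet (they share the cluster address); return,
    per packet, the list of node ids that processed it."""
    nodes = [Node(i, node_count) for i in range(node_count)]
    processed_by = []
    for pkt in packets:
        outcomes = [node.handle(pkt) for node in nodes]
        processed_by.append([i for i, o in enumerate(outcomes) if o.startswith("accept")])
    return processed_by
```

The property worth checking is that each opening packet is accepted by exactly one node, that the same node keeps the follow-up packets of that connection, and that a non-opening packet for a connection no node opened is processed by nobody.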
  • Patent number: 7130266
    Abstract: A method for handling data packets in a network element, such as a gateway, said data packets belonging to a set of data packets. Data packets are captured, and captured data packets are processed. Captured data packets are accepted for processing or declined from processing based on said captured data packet and data packets captured prior to said data packet. When at least one captured data packet is processed, a modification command affecting at least said at least one captured data packet is determined, and a list of modification commands is maintained, said list enabling modification of captured data packets. Captured data packets are modified based on said list of modification commands, and data packets are released. It is also possible to process the captured data packets without determining modification commands, and release the data packets without modifying them.
    Type: Grant
    Filed: September 10, 2001
    Date of Patent: October 31, 2006
    Assignee: Stonesoft Oy
    Inventors: Tommi Virtanen, Riku Salminen
  • Patent number: 7127739
    Abstract: A method (400, 610) for handling information about packet data connections arriving at a security gateway element, in order to have in a connection data structure information about packet data connections in accordance with current screening information is presented. In the method, data packet header information about packet data connections in accordance with first screening information is stored (401) in said connection data structure, and updated screening information, said updated screening information forming either by itself or in connection with said first screening information second screening information, is being received (402).
    Type: Grant
    Filed: September 21, 2001
    Date of Patent: October 24, 2006
    Assignee: Stonesoft Oy
    Inventor: Tuomo Syvanne
  • Patent number: 7099284
    Abstract: The invention relates to methods for controlling of transmission of data in IP networks. According to the invention, the sequence numbers and sending times of transmitted IPSec packets are stored, acknowledgement is sent for every Nth received IPSec packet or after any IPSec packet if T seconds have elapsed after sending a previous acknowledgement packet, the acknowledgement comprising the sequence number of the particular IPSec packet after the reception of which the acknowledgement is sent and the counter values indicating the number of packets and bytes received, and at least the round trip time, packet success rate and throughput value are determined from the reception time of the acknowledgement and the stored sending time associated with the sequence number in the acknowledgement and the counter values indicating the number of packets and bytes received.
    Type: Grant
    Filed: November 29, 2000
    Date of Patent: August 29, 2006
    Assignee: Stonesoft Oy
    Inventor: Matti Halme
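The acknowledgement exchange described above, simulated end to end (added example, not the patent's or Stonesoft's code; the timing, the start of the T timer on the first received packet, and the window used for the throughput figure are assumptions): the sender stores a send time per sequence number, the receiver acks every Nth packet or after any packet once T seconds have passed since its previous ack, and the sender derives round trip time, packet success rate and throughput from the ack's sequence number and counters.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Ack:
    seq: int                # sequence number of the packet that triggered this ack
    packets_received: int   # receiver's running counters
    bytes_received: int

@dataclass
class Receiver:
    n: int                  # ack every n-th packet ...
    t: float                # ... or after any packet once t seconds have passed since the last ack
    packets_received: int = 0
    bytes_received: int = 0
    last_ack_time: Optional[float] = None

    def receive(self, seq: int, size: int, now: float) -> Optional[Ack]:
        self.packets_received += 1
        self.bytes_received += size
        if self.last_ack_time is None:
            self.last_ack_time = now  # assumed: the t timer starts with the first packet
        if self.packets_received % self.n == 0 or now - self.last_ack_time >= self.t:
            self.last_ack_time = now
            return Ack(seq, self.packets_received, self.bytes_received)
        return None

@dataclass
class Sender:
    send_times: dict = field(default_factory=dict)  # seq -> send time
    first_send: Optional[float] = None

    def send(self, seq: int, now: float) -> None:
        if self.first_send is None:
            self.first_send = now
        self.send_times[seq] = now

    def on_ack(self, ack: Ack, now: float) -> dict:
        """Derive the link metrics from the ack and the stored send time."""
        rtt = now - self.send_times[ack.seq]
        # Only packets sent up to the acked sequence number can have been counted by the receiver.
        sent_up_to = sum(1 for s in self.send_times if s <= ack.seq)
        return {
            "seq": ack.seq,
            "rtt": rtt,
            "success_rate": ack.packets_received / sent_up_to,
            # bytes per second over the window from the first send to this ack (assumed window)
            "throughput_bytes_per_s": ack.bytes_received / (now - self.first_send),
        }

def simulate(sends, lost, n=4, t=1.0, delay=0.05):
    """sends: list of (seq, size, send_time) for the sender; lost: set of seqs
    dropped in transit. One-way delay is `delay` seconds each way (constructed
    timing, not a measurement)."""
    snd, rcv = Sender(), Receiver(n, t)
    metrics = []
    for seq, size, ts in sends:
        snd.send(seq, ts)
        if seq in lost:
            continue
        ack = rcv.receive(seq, size, ts + delay)
        if ack is not None:
            metrics.append(snd.on_ack(ack, ts + 2 * delay))
    return metrics
```

With eight 1000-byte packets sent 100 ms apart, one lost and N=4, the first ack is triggered by the fifth packet (the fourth one received) and yields a success rate of 4/5; a stream slower than T seconds between packets is acked by the timer rule instead.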
  • Patent number: 6996573
    Abstract: A method for processing data packets in a gateway element comprises the steps of: comparing a data packet to screening information comprising a set of rules, and processing a data packet according to a rule belonging to the set of rules, the header information of said data packet matching the header information of said rule. The method is characterized in that said screening information is hierarchically structured so that it comprises a first rule, which specifies first header information, and a subset of rules relating to said first rule, and in that in said step of comparing a data packet, said data packet is compared to said subset of rules only if the header information of the data packet matches the header information of the first rule. A gateway element, an arrangement, and a data structure comprising screening information are also presented.
    Type: Grant
    Filed: October 12, 2001
    Date of Patent: February 7, 2006
    Assignee: Stonesoft Oy
    Inventor: Tuomo Syvanne
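A hierarchical rule set of the kind the abstract above describes, as an added example (not Stonesoft's code; the rule fields, policy contents and addresses are assumptions): a packet is compared against a rule's subrules only when it matches that rule's own header information, so whole subtrees are skipped for non-matching traffic. The optional trace records which rules were actually compared.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    # Header match fields; None means "any". A rule with action=None is a pure grouping rule.
    name: str = ""
    src: Optional[str] = None      # CIDR
    dst: Optional[str] = None      # CIDR
    proto: Optional[str] = None    # "tcp" / "udp"
    dport: Optional[int] = None
    action: Optional[str] = None   # "allow" / "deny"
    subrules: list = field(default_factory=list)

    def matches(self, pkt: dict) -> bool:
        return ((self.src is None or ip_address(pkt["src"]) in ip_network(self.src)) and
                (self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst)) and
                (self.proto is None or pkt["proto"] == self.proto) and
                (self.dport is None or pkt["dport"] == self.dport))

def screen(rules, pkt: dict, trace: Optional[list] = None):
    """Return (action, rule_name) for the first matching rule, or None.
    Subrules are consulted only if their parent matched; `trace`, if given,
    collects the names of every rule that was actually compared."""
    for rule in rules:
        if trace is not None:
            trace.append(rule.name)
        if not rule.matches(pkt):
            continue
        if rule.subrules:
            result = screen(rule.subrules, pkt, trace)
            if result is not None:
                return result
            # no subrule matched: fall through to the parent's own action, if any
        if rule.action is not None:
            return rule.action, rule.name
    return None

# Constructed policy: two first-level rules keyed on destination network, each with a subset.
POLICY = [
    Rule(name="dmz", dst="203.0.113.0/24", subrules=[
        Rule(name="dmz-web", proto="tcp", dport=443, action="allow"),
        Rule(name="dmz-ssh-admin", src="198.51.100.0/24", proto="tcp", dport=22, action="allow"),
        Rule(name="dmz-default", action="deny"),
    ]),
    Rule(name="internal", dst="10.0.0.0/8", subrules=[
        Rule(name="int-dns", proto="udp", dport=53, action="allow"),
    ]),
    Rule(name="catch-all", action="deny"),
]
```

The trace makes the saving visible: a packet bound for the internal network is never compared against the DMZ subrules, and a DMZ packet never touches the internal subtree.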
  • Patent number: 6912200
    Abstract: The invention relates to methods for selection of packet transmission routes between two network sites in a case, in which the sites are connected to the rest of the network via a plurality of connections each. According to the invention, the source network site is arranged to select which connection is used at the source end and which connection is used at the destination end, and base the selections at least partly on the basis of a round trip time value and a packet success rate value. The selection criteria can advantageously be time dependent.
    Type: Grant
    Filed: November 29, 2000
    Date of Patent: June 28, 2005
    Assignee: Stonesoft Oy
    Inventor: Matti Halme
  • Patent number: 6885633
    Abstract: The invention is related to structures used for providing fault tolerance in computer data networks. According to the invention, fault tolerance is achieved by redundancy, i.e. by using at least two network nodes in parallel. The network nodes have at least two physical network interfaces to a network, only one of which is active during normal operation. In the case of two network nodes being used, both of these have two physical network interfaces to the same network. The first network interface on the first node has the same IP and MAC address as one interface on the second node, and the second network interface on the first node has the same IP and MAC address as the other interface on the second node. The IP and MAC addresses of the two interfaces of each node are different, whereby the two nodes provide a first IP address and a corresponding first MAC address, and a second IP address and a corresponding second MAC address.
    Type: Grant
    Filed: April 10, 2000
    Date of Patent: April 26, 2005
    Assignee: Stonesoft Oy
    Inventor: Olli Mikkonen
  • Patent number: 6856621
    Abstract: The invention relates to methods for transmission of data, more particularly for transmission of data in clustered structures in IP networks. According to the invention, the cluster units are configured to be members of an IP multicast group specific to the cluster. The switch or switches directly connected to the cluster units are arranged to monitor multicast group membership reports from the cluster units, and therefore obtain knowledge about which ports of the switch or switches are connected to cluster units. Advantageously, the switch or switches may also send membership queries to find out, which ports are connected to members of the cluster multicast group. Consequently, when the switch receives a packet with a multicast MAC address and the IP address of the cluster, the switch sends the packet to only those ports to which cluster units are connected, and not to all ports of the switch as according to the prior art.
    Type: Grant
    Filed: October 10, 2000
    Date of Patent: February 15, 2005
    Assignee: Stonesoft Oy
    Inventor: Jari Artes
  • Publication number: 20040148524
    Abstract: In a device having data communication capability, a security method dynamically detecting a control connection, which originates from the device, and detecting a negotiation of a related connection within the control connection. The negotiation comprises at least defining a port of the device for said related connection. The method further checks if the relationship between said port of the device and the control connection fulfills predefined criteria, and conditionally blocks said related connection if said port of the device does not fulfill said predefined criteria. The method can be used for suppressing a vulnerability related to applets.
    Type: Application
    Filed: October 21, 2003
    Publication date: July 29, 2004
    Applicant: Stonesoft Corporation
    Inventor: Joona Airamo
  • Publication number: 20040054927
    Abstract: The invention concerns handling in a firewall data communication protocols comprising at least one parent connection and at least one related connection, wherein at least one attribute of the related connection is negotiated within the parent connection. Whether to allow a related connection is decided on the basis of information about the related connection as well as information about the parent connection. The method of the invention comprises allowing a parent connection, storing information about the parent connection, monitoring contents of the parent connection, detecting within the parent connection negotiation of at least one attribute of a related connection, and using said at least one negotiated attribute of the related connection and said information about the parent connection for deciding, whether said related connection is allowable.
    Type: Application
    Filed: May 6, 2003
    Publication date: March 18, 2004
    Applicant: Stonesoft Corporation
    Inventors: Matti Leppanen, Riku Salminen, Henri Sara, Tuomo Syvanne
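Both publications above (20040148524 and 20040054927) concern a related connection whose endpoint is negotiated inside a parent or control connection. The added example below, which is not Stonesoft's code, uses FTP as the concrete protocol: the firewall allows the control connection, stores who its two ends are, watches for the client's PORT command and the server's 227 (passive) reply, and admits the data connection only if the negotiated endpoint belongs to the party that owns the control connection and the negotiated port is above a threshold. Those two criteria, the threshold of 1024, and the addresses are assumptions; the abstracts only say "predefined criteria".

```python
import re
from dataclasses import dataclass, field

# Active mode: client tells the server where to connect back (h1,h2,h3,h4,p1,p2).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")
# Passive mode: server tells the client where to connect.
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass
class ParentConn:
    """Information stored about an allowed parent (control) connection."""
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int = 21
    expected: set = field(default_factory=set)  # negotiated related connections: (src_ip, dst_ip, dst_port)

def _decode(m):
    g = [int(x) for x in m.groups()]
    return ".".join(map(str, g[:4])), g[4] * 256 + g[5]

def inspect_control(parent: ParentConn, direction: str, line: bytes, min_port: int = 1024):
    """Inspect one line of the parent connection. direction is 'c2s' or 's2c'.
    Returns ('allow', related) when a negotiated related connection passes the
    criteria, ('block', related) when it fails them, or None when the line
    negotiates nothing."""
    if direction == "c2s":
        m = PORT_RE.match(line)
        if not m:
            return None
        ip, port = _decode(m)
        related = (parent.server_ip, ip, port)  # the server will connect back to the client
        # Criteria (assumed): the endpoint must be the client that owns the control
        # connection (not a third host), and the port must not be a low service port.
        if ip != parent.client_ip or port < min_port:
            return ("block", related)
    else:
        m = PASV_RE.match(line)
        if not m:
            return None
        ip, port = _decode(m)
        related = (parent.client_ip, ip, port)  # the client will connect to the server's data port
        if ip != parent.server_ip or port < min_port:
            return ("block", related)
    parent.expected.add(related)
    return ("allow", related)

def related_allowed(parent: ParentConn, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decision for the opening packet of a candidate related connection: it is
    allowable only if it was negotiated on this parent connection and passed the criteria."""
    return (src_ip, dst_ip, dst_port) in parent.expected
```

A PORT command that names a third host (the classic bounce) or a low port on the client is blocked even though the control connection itself was allowed; a data connection that was never negotiated is not admitted at all.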
  • Patent number: 6650621
    Abstract: The invention relates to distribution of IP traffic between more than one route between a node and an IP network. The invention is concerned with a new method for distribution of connections between a plurality of possible routes for transmission of IP packet traffic between a source node and end nodes, each of the routes being associated with a plurality of IP addresses. According to the invention, a route is selected for a new connection to be established between the source node and an end node for transmission of packet traffic, the selected route is taken into use by translating source IP addresses of packets transmitted from the source node to said end node to an IP address associated with the selected route, and said selection of a route is performed on the basis of predefined criteria. Preferably, the selection of the route is performed on the basis of round trip times measured by a new method using packet replication.
    Type: Grant
    Filed: October 5, 1999
    Date of Patent: November 18, 2003
    Assignee: Stonesoft Oy
    Inventor: Jukka Maki-Kullas