Abstract: The subject disclosure is directed towards a background transfer service that provides platform-level support for third party applications to queue data transfers to run in the background, including when the application is not running in the foreground. Applications may thus perform downloading and uploading tasks in the background; however the background transfer service manages the data transfer requests so as to limit each background application's ability to interfere with foreground application operations, that is, by controlling resource usage according to one or more policies.

Abstract: Methods of tuning a receive window. A receiving device and a sending device may be in communication over a network. The receiving device may advertise a receive window to the sending device. The size of the receive window may be adjusted over time based on one or more connection parameters, application parameters and/or operating system parameters.

Abstract: A ticketing system adapted for use with a cloud-based services platform is provided by a ticket-based authorization model in which the authorization requirements for traversing one or more meshes of resources associated with a cloud service are annotated in links included in a resource that refer to other resources. The meshes are thus self-describing with respect to the association among the resources (i.e., the links) as well as the authorization required to access resources. Resource access requires a principal ticket which asserts that a caller at a client (e.g., a security principal representing a device or identity associated with a user) is authenticated, plus zero or more claim tickets. The claim tickets make additional assertions about the caller that the cloud service may use to check that the caller is authorized to access the resource.

Abstract: A networked computer system in which a gateway is selected for efficient transmission over a network using a layered protocol. When a transmission over the network fails, information at multiple protocol layers indicates the usability of the gateway through which the failed transmission was made. In a layered protocol with an application or connection layer, a path layer and a link layer, information at the link layer is used to determine whether retransmission through the same gateway should be attempted. Information at the path layer is used to determine whether the gateway is faulty. Information from the application or connection layer is used to determine whether responses are received to transmissions. These determinations are used in setting the status of the gateway, which in turn is used to prioritize gateways when selecting a gateway for future transmissions.

Abstract: A unified architecture for enabling remote access to a network is provided. The network may comprise, as examples, a virtual private network (VPN) and/or a peer-to-peer network. In one embodiment, the architecture includes components installed on a client device/node and a gateway/supernode. Components implemented on the client device may facilitate access in a manner similar to that of a traditional VPN, while components on the gateway may facilitate access in a manner similar to an application proxy. Communication between the client device and gateway may occur, as an example, via a Secure Sockets Layer (SSL) communication protocol.

Abstract: Methods of tuning a receive window. A receiving device and a sending device may be in communication over a network. The receiving device may advertise a receive window to the sending device. The size of the receive window may be adjusted over time based on one or more connection parameters, application parameters and/or operating system parameters.

Abstract: Techniques and tools for flexible authentication and authorization of services on a push framework. For example, a push notification framework allows services (social networking web services, etc.) to use either an authenticated access mode or an unauthenticated access mode, in order to push information to client devices (e.g., mobile devices). In the authenticated mode, the push framework requires registration of the service with the push framework before allowing the service to push notifications to client devices. Different authenticated modes are provided for third-party and first-party services. In the unauthenticated mode, registration is not required, but notifications are throttled, thereby limiting risk of abuse by unauthenticated services. This allows flexibility for services that use the push framework.

Abstract: The claimed subject matter relates to an architecture that can facilitate automatic backup and versioning of online content. Appreciably, the architecture can relate to a network-accessible, online data archival service with a central backup data store for archiving online content published to disparate online services for clients of the archival service who are also clients of the disparate online service(s). The architecture can maintain rich content versioning, and can further provide additional services with respect to archived data such as restoration (to the original site, a disparate site, or a user device); synchronization between various online sites or between one or more sites and the backup data store; and conversion. The conversion can be employed in connection with backup, restore, or synch procedures and can apply to either a file format of the content or to a scope of the source of the content versus the scope of the destination.

Abstract: Creating different congestion control modules (CCMs) that can be plugged into a network communications stack (e.g., a TCP/IP stack). Software abstractions defining transport control events, congestion control algorithms and other information may be exposed by an application programming interface, e.g., of an operating system, and these abstractions may be used to define a CCM. The network communications stack may be configured to select one of multiple available CCMs to control congestion for a given connection. This selection may be based on any of a variety of factors including, but not limited to: network environment; connection path characteristics; connection link characteristics; a value of a socket parameter of an application; other factors; and any suitable combination of the foregoing. Thus, CCMs may be selected and implemented on a per-connection basis.

Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.

Abstract: Clients may subscribe to resources for the purpose of receiving notifications of changes in the resource (e.g., a file is added to a shared folder). Storing subscriptions within persistent storage provides data security in the event of a service failure, at the cost of high latency in accessing subscription data. An efficient method for tracking a resource is provided herein. A subscription service creates subscriptions and monitors resources for a client. Upon a subscribed resource change, a notification service stores a notification of the change into a queue associated with the client. Efficient resource tracking is achieved because notification and subscription data is stored in low latency soft memory. The notification service is configured to detect a failure in the notification service and/or subscription service. In the event a service fails, the client provides a recovery mechanism by resubscribing to resources the client is interested in.

Abstract: An application programming interface for translation of transport-layer sessions is presented. The system includes kernel-mode support for application-controlled network address translation and user-mode implementation of the redirect API routines. An application process may request that a network gateway modify the source and/or destination of a given network session in a manner transparent to the original source host and/or the replacement destination host. With the generalized NAT (gNAT) of the instant invention and its associated API, both the source and the destination addresses of message packets may be changed. The address changes are mapped in the gNAT, and may result in apparent sessions between different clients and servers. Depending on the protocol in use (e.g. TCP or UDP), the address translation may be made dynamically by the gNAT, under the command of the application, and take place at the kernel level.

Abstract: In an exemplary device implementation, a device includes: a connection migrator that is configured to migrate connections away from the device; the connection migrator capable of precipitating a compilation of protocol state for a connection across a protocol stack; the connection migrator adapted to aggregate the compiled protocol state with data for the connection into an aggregated connection state; the connection migrator further capable of causing the aggregated connection state to be sent toward a target device. In an exemplary media implementation, processor-executable instructions direct a device to perform actions including: obtaining at least a portion of a source/destination pair from a packet; accessing an encapsulation mapping table using the at least a portion of the source/destination pair to locate an encapsulation mapping entry; extracting a flow identifier from the encapsulation mapping entry; and replacing part of the packet with the flow identifier to produce an encapsulated packet.

Abstract: A method to offload a network stack connection is presented. A request, which includes a list of resource requirements from each software layer in the stack, to offload the network stack connection is sent through the stack to the peripheral device. The peripheral device is a second processor that processes the offloaded network stack connection in software, in hardware, or a mixture of hardware and software. The device allocates resources for the list and sends a handle to each of the software layers for communication with the device. The state for each layer is sent to the device that includes state variables that are classified as a constant, a cached variable handled by the CPU, or a delegated variable handled by the device.

Abstract: A representational state transfer-based model for a computing environment uses models resources with links between them. Security principals are resources which can be independently authenticated. Each resource may be associated with an authorization policy that determines level of access, protocol supported. Successfully presenting security credentials at a security principal allows use of an instance of the security principal (i.e. application) as well as generation of an authentication token that can be presented across the computing environment to resources subscribing to the same authorization policy. As security principals with different security policies are authenticated, the appropriate tokens may be combined to allow broader access without undue re-authentication for resources subscribing to the same security policy.

Abstract: A ticketing system adapted for use with a cloud-based services platform is provided by a ticket-based authorization model in which the authorization requirements for traversing one or more meshes of resources associated with a cloud service are annotated in links included in a resource that refer to other resources. The meshes are thus self-describing with respect to the association among the resources (i.e., the links) as well as the authorization required to access resources. Resource access requires a principal ticket which asserts that a caller at a client (e.g., a security principal representing a device or identity associated with a user) is authenticated, plus zero or more claim tickets. The claim tickets make additional assertions about the caller that the cloud service may use to check that the caller is authorized to access the resource.

Abstract: For a method and system for managing concurrent access to multiple resources, resources are assigned to sets in such a way that it is safe to concurrently access any combination of resources in a resource set. For each resource set, a virtual machine is defined and associated with the resource set. An application is assigned to a virtual machine. When an application requests access to a resource not in the application's virtual machine, access control lists are consulted to determine whether the access should be allowed, given the other resources already accessed by the application.

Abstract: Systems and methods of distributed storage are disclosed herein. A request to store data in a client computer is received. A request is sent from the client computer to a storage service to create a core object such that the core object can be created with a member entry to a member feed in the core object. The member feed can be indicative of one or more entities that are permitted to access to the core object. A message is received at the client computer with the core object. A replica of the core object on the client computer is created. The client computer can add the data as a data entry to a data feed in the core object. An updating message is sent to the storage service. The message can include a copy of the replica of the core object including the data entry.

Abstract: An application programming interface for translation of transport-layer sessions is presented. The system includes kernel-mode support for application-controlled network address translation and user-mode implementation of the redirect API routines. An application process may request that a network gateway modify the source and/or destination of a given network session in a manner transparent to the original source host and/or the replacement destination host. With the generalized NAT (gNAT) of the instant invention and its associated API, both the source and the destination addresses of message packets may be changed. The address changes are mapped in the gNAT, and may result in apparent sessions between different clients and servers. Depending on the protocol in use (e.g. TCP or UDP), the address translation may be made dynamically by the gNAT, under the command of the application, and take place at the kernel level.

Abstract: A port reservation API for an intelligent transparent gateway is provided. The API creates one or more port pools that contain port numbers reserved from the gateway's TCP and UDP port numbers. The API then allows the proxy to reserve and release port numbers from the created pools. The API may create and destroy a port reservation, and acquire and release a port number. The creation of a port reservation returns a handle to the network application that can be used for requesting port numbers. The destroying of a port reservation destroys a handle supplied by the previous operation, returning all outstanding port numbers to the network gateway. The acquiring of a port number from a reservation requests one or more port numbers from the network gateway. Finally, the releasing of a port number to a reservation returns one or more previously acquired port numbers to the network gateway.