Abstract: Methods and systems for managing a service provider switch are provided. According to one embodiment, a network operating system (NOS) is provided on each processor element (PE) of the switch. The NOS includes an object manager (OM) responsible for managing global software object groups, managing software object configurations, managing local software objects and groups and routing control information between address spaces based on locations of software objects. The OM performs management plane communications among software objects by way of system calls. The OM performs data plane communications among software objects by way of object-to-object channels. The switch is provisioned with a network-based managed IP service for a particular customer of the service provider by pushing the service onto an object-to-object channel that has been established between a first software object and a second software object of the software objects.

Abstract: A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system. A secure communications tunnel is formed by routing all packets for the tunnel through an encrypting router at the sending end to obtain encrypted packets, and routing the encrypted packets through a decrypting router at the receiving end of an IP connection.

Abstract: Methods and systems for managing a service provider switch are provided. According to one embodiment, a network operating system (NOS) is provided on each processor element (PE) of the switch. The NOS includes an object manager (OM) responsible for managing global software object groups, managing software object configurations, managing local software objects and groups and routing control information between address spaces based on locations of software objects. The OM performs management plane communications among software objects by way of system calls. The OM performs data plane communications among software objects by way of object-to-object channels. The switch is provisioned with a network-based managed IP service for a particular customer of the service provider by pushing the service onto an object-to-object channel that has been established between a first software object and a second software object of the software objects.

Abstract: A system and method of managing a switch includes installing a switch having a plurality of processor elements, installing an operating system on each processor element, creating a system virtual router and configuring the processor elements from the system virtual router.

Abstract: Methods and systems for processing complex flows are provided. According to one embodiment, a packet associated with a complex flow is received. A first flow-based packet classification is performed based on a first set of attributes of the packet. A first flow processing operation is identified by performing a first flow cache lookup based on the first flow-based packet classification and the first flow processing operation is performed on the packet. After performing the first flow processing operation on the packet, a second flow-based packet classification of the packet is performed based on a second set of attributes of the packet. A second flow processing operation is identified by performing a second flow cache lookup based on the second flow-based packet classification and the second flow processing operation is performed on the packet. Finally, the packet is sent to an egress interface.

Abstract: Systems and methods are provided for maintaining redundant master control blade management information in switch. According to one embodiment, a network operating system (NOS) is executed on processor elements of a switch. A distributed messaging layer channel is created among a dynamic set of control blades intercommunicating within the switch. Master control blade management information is maintained on a master control blade. Redundant master control blade management information is maintained on one or more standby control blades by performing bulk updates and flash updates to the redundant master control blade management information and the standby control blades periodically performing a consistency check against the redundant information. The bulk updates are triggered by dynamic events. The flash updates are triggered by individual changes to a global database. If the consistency check fails, then the standby control blade requests a bulk update from the master control blade.

Abstract: Systems and methods are provided for delivering security services. According to one embodiment, multiple virtual routers are established within a service processing switch, which is operable to be logically interposed between a public communications network and multiple subscriber sites. Each of the virtual routers has associated therewith a subset of processing and storage resources of the service processing switch. Subscribers are provided with respective sets of customized application layer services. Subscriber resource isolation is provided by partitioning the virtual routers between the subscribers including allocating and configuring partitions, having subsets of the virtual routers, to the subscribers. Changeable provisioning of processing capacity between the subscribers is provided by dynamically reallocating resources of the service processing switch between the partitions based on comparative processing demands of the customized application layer services.

Abstract: A system and method of managing a switch includes installing a switch having a plurality of processor elements, installing an operating system on each processor element, creating a system virtual router and configuring the processor elements from the system virtual router.

Abstract: A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system.

Abstract: Methods and systems are provided for allocating network resources of a distributed virtual system to support managed, network-based services. According to one embodiment, a VR-based switch having multiple processing elements is configured for operation at an Internet POP. An NOS is provided on each of the processing elements. Resources of the VR-based switch are segmented between a first and second subscriber by mapping VRs assigned to the first and second subscriber onto appropriate processing elements. Then, a first and second set of customized services are configured, each including two or more of firewalling, virtual private networking, encryption, traffic shaping, routing and network address translation (NAT), to be provided by the VR-based switch. Customized services are configured by allocating appropriate service object groups to the VRs, which can be dynamically distributed by the NOS to customized processors of the processing elements to achieve desired computational support.

Abstract: Methods and systems for allocating network resources are provided. According to one embodiment, a VR-based switch is configured for operation at a POP of a service provider. A NOS is provided on each processing element of the switch. Resources of the switch are segmented among multiple subscribers by associating sets of VRs with a first and second subscriber, mapping the sets of VRs onto sets of the processing elements, and configuring a first and second set of customized services, each including two or more of firewalling, virtual private networking, encryption, traffic shaping, routing and NAT, to be provided by the switch on behalf of the first and second subscribers, respectively, by allocating first and second service object groups within sets of VRs. Each service object can be dynamically distributed by the NOS to customized processors of the first or second set of processing elements to achieve desired computational support.

Abstract: The present invention provides a system, protocol and method for communications over the Internet. The system includes at least one router connectable to a first user or subscriber location. An Internet protocol service processing switch (IPSX) is connected to the at least one router to format or encapsulate the message for secure transmission over the Internet. The message is then preferably transmitted over the Internet via an Internet Protocol Security (IPSec) tunnel for secure transmission to the addressed destination.

Abstract: A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system. a packet routing system and method is described that includes a processor identifier in each packet to route the packets to a physical processor, and a logical queue identifier to route the packets to the destination object within that processor.

Abstract: The present invention provides a system, protocol and method for communications over the Internet. The system includes at least one router connectable to a first user or subscriber location. An Internet protocol service processing switch (IPSX) is connected to the at least one router to format or encapsulate the message for secure transmission over the Internet. The message is then preferably transmitted over the Internet via an Internet Protocol Security (IPSec) tunnel for secure transmission to the addressed destination.

Abstract: The present invention provides methods and systems for balancing the load on a plurality of servers using a load balancing algorithm which continuously examines the loads on the plurality of servers and makes adjustments in the loads accordingly. Among the factors considered in the load balancing are the power of each server relative to other servers, the load on each server relative to the other servers, and a “credit” for each server based on their power and load.

Abstract: A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system. A secure communications tunnel is formed by routing all packets for the tunnel through an encrypting router at the sending end to obtain encrypted packets, and routing the encrypted packets through a decrypting router at the receiving end of an IP connection.

Abstract: In a wide-area computer network system providing bandwidth based on network demand, throughput, and delay requirements, distribution of network load over multiple, parallel connections from the originating node to a distinction node, an apparatus and method of enabling efficient exchange of packet data routing information for information protocol and information protocol exchange routers by providing different routing table information maintenance modes which a user can select, such as a default mode, a forced mode, and a periodic mode. In addition, the system provides, a virtual interface as a logical network interface for providing circuit switched connectivity, such as a connection between a host/application and a remote network where a particular path between a host and a remote network is dynamically assigned based on the network traffic demand at that time.