Abstract: A method and apparatus for monitoring data traffic in a communication network are provided. A router connected to the communication network monitors information contained in the data traffic, and based on the information determines whether data in the traffic is indicative of a malicious threat to one or more resources connected to the network. Parameters which control monitoring of traffic at the router, such as the sampling rate and what information is to be extracted from the data is varied according to the condition of the network so that the monitoring can be adapted to focus on traffic which relates to a particular suspected or detected threat.

Abstract: Communication session admission control systems and methods are disclosed. A state of a communication system is monitored, and admission of a communication session into the communication system is controlled based on a random admission control procedure and a current state of the communication system. Monitoring of the current state of equipment in the communication system, connections in the communication system, communication sessions in progress in the communication system, special monitoring sessions established in the communication system, and/or an overall state of the communication system can have several benefits. These benefits may include improving utilization of resources in the system, and providing a session admission control scheme that is capable of reacting to actual observed conditions and adapting to changing system topologies following a fault, for instance.

Abstract: A system and method are provided for sorting IP routing table entries in a TCAM for longest IP prefix matching LPM of destination IP addresses. The IP routing table is divided into logical blocks, for each block an associated routing entry IP prefix length. Each block is of a respective size whose proportion of the total size of the routing table is determined by the associated IP prefix length. The blocks are ordered so that the TCAM returns an LPM when queried. Starting block sizes can be initialized to proportions which reflect actual expected numbers by proportion of routing entries by IP prefix length. The blocks also grow and shrink as entries are added and deleted so as to more closely mirror real-world populations of expected entries having the IP prefix length in question.

Abstract: Network service operational status monitoring methods and apparatus are disclosed. Responsive to a service status request associated with a network service, an operational status of the network service is determined by an intermediary between a service status requester and the network service. The operational status is a service-specific operational status of the network service in some embodiments. Operational status may be determined through a multi-level procedure in which subsequent levels after a first level of the multi-level procedure are or are not performed depending on a result of a preceding level of the procedure. A multi-level procedure may involve a service connectivity check and a service operational check, for instance.

Abstract: A method and apparatus for handling, maintaining, and controlling network synchronization information emanating from a plurality of line card circuits is described. The technique described may be applied to a redundant pair of line card circuits, where one line card circuit is active, while the other is inactive. Line card activity latches are managed by means of hardware logic that may be configured at the time of line card commissioning. The activity latches are coupled to a logic element. An incoming clock signal is applied to the logic element. If an activity latch indicates that a line card circuit is active, the logic element provides the incoming clock signal as an outgoing clock signal to a control card circuit. If the activity latch indicates that the line card circuit is inactive, the logic element blocks the incoming clock signal from being passed and provides a static output level as the outgoing clock signal to the control card circuit.

Abstract: A method and packet filtering system that accelerates the packet classification problem is made. Using spectral analysis of rules and using real time spectral analysis of packets, it is possible to determine very quickly that a packet does not match any of the possible rules that have been defined. That is to say, using the packet filtering of the invention, there is no possibility of a false negative decision; when a packet is determined not to match any rule, the work of a packet classifier is complete. This method and system are also capable, with a high degree of accuracy, of determining that the packet has matched one of the defined rules, so that the packet may be then directed to a packet classifier to determine the specific rule it matches.

Abstract: A system and method are provided for sorting IP routing table entries in a TCAM for longest IP prefix matching LPM of destination IP addresses. The IP routing table is divided into logical blocks, for each block an associated routing entry IP prefix length. Each block is of a respective size whose proportion of the total size of the routing table is determined by the associated IP prefix length. The blocks are ordered so that the TCAM returns an LPM when queried. Starting block sizes can be initialized to proportions which reflect actual expected numbers by proportion of routing entries by IP prefix length. The blocks also grow and shrink as entries are added and deleted so as to more closely mirror real-world populations of expected entries having the IP prefix length in question.

Abstract: A system and method are provided for sorting IP routing table entries in a TCAM for longest IP prefix matching LPM of destination IP addresses. The IP routing table is divided into logical blocks, for each block an associated routing entry IP prefix length. Each block is of a respective size whose proportion of the total size of the routing table is determined by the associated IP prefix length. The blocks are ordered so that the TCAM returns an LPM when queried. Starting block sizes can be initialized to proportions which reflect actual expected numbers by proportion of routing entries by IP prefix length. The blocks also grow and shrink as entries are added and deleted so as to more closely mirror real-world populations of expected entries having the IP prefix length in question.

Abstract: A method and apparatus for handling, maintaining, and controlling network synchronization information emanating from a plurality of line card circuits is described. The technique described may be applied to a redundant pair of line card circuits, where one line card circuit is active, while the other is inactive. Line card activity latches are managed by means of hardware logic that may be configured at the time of line card commissioning. The activity latches are coupled to a logic element. An incoming clock signal is applied to the logic element. If an activity latch indicates that a line card circuit is active, the logic element provides the incoming clock signal as an outgoing clock signal to a control card circuit. If the activity latch indicates that the line card circuit is inactive, the logic element blocks the incoming clock signal from being passed and provides a static output level as the outgoing clock signal to the control card circuit.

Abstract: The packet rate limiting method and system is used for detecting and blocking the effects of DoS attacks on IP networks. The method uses an ACL counter that stores an action parameter in the first 3 most significant bits and uses 13 bits as a packet counter. A rate limit is enforced by setting the packet counter to an initial value, and resetting this value at given intervals of time. The action parameter enables the ACL to accept or deny packets based on this rate limit. If the number of packets in the incoming flow saturates the packet counter before the reset time, the packets are denied access to the network until the counter is next reset. The denied packets may be just discarded or may be extracted for further examination.

Abstract: Network service operational status monitoring methods and apparatus are disclosed. Responsive to a service status request associated with a network service, an operational status of the network service is determined by an intermediary between a service status requester and the network service. The operational status is a service-specific operational status of the network service in some embodiments. Operational status may be determined through a multi-level procedure in which subsequent levels after a first level of the multi-level procedure are or are not performed depending on a result of a preceding level of the procedure. A multi-level procedure may involve a service connectivity check and a service operational check, for instance.

Abstract: A method and apparatus for handling, maintaining, and controlling network synchronization information emanating from a plurality of line card circuits is described. The technique described may be applied to a redundant pair of line card circuits, where one line card circuit is active, while the other is inactive. Line card activity latches are managed by means of hardware logic that may be configured at the time of line card commissioning. The activity latches are coupled to a logic element. An incoming clock signal is applied to the logic element. If an activity latch indicates that a line card circuit is active, the logic element provides the incoming clock signal as an outgoing clock signal to a control card circuit. If the activity latch indicates that the line card circuit is inactive, the logic element blocks the incoming clock signal from being passed and provides a static output level as the outgoing clock signal to the control card circuit.

Abstract: Systems and methods of reducing service jitter in WFQ scheduling schemes used in packet traffic management are described. Service jitter is the variance in time between when a queue should have been selected for servicing and when it was actually serviced. The service jitter is generally not a problem in lower speed applications but in a high speed implementation such as a OC192 device latency can lead to downstream service contract violations. According to the invention jitter is controlled by applying a dampening factor to a difference amount that is used by the WFQ process to adjust its timing of queue selection. The difference amount is queue-specific and is a running difference between calculated and actual queue servicing times.

Abstract: A system and method are provided for sorting IP routing table entries in a TCAM for longest IP prefix matching LPM of destination IP addresses. The IP routing table is divided into logical blocks, for each block an associated routing entry IP prefix length. Each block is of a respective size whose proportion of the total size of the routing table is determined by the associated IP prefix length. The blocks are ordered so that the TCAM returns an LPM when queried. Starting block sizes can be initialized to proportions which reflect actual expected numbers by proportion of routing entries by IP prefix length. The blocks also grow and shrink as entries are added and deleted so as to more closely mirror real-world populations of expected entries having the IP prefix length in question.

Abstract: Communication network application activity monitoring and control apparatus, methods, and data structures are disclosed. A communication network user that initiates access to an application provided in a communication network is identified. Records are dynamically created and maintained to reflect accesses by the user to the application and other applications that are provided in the communication network. The records track application activity by the user. Policies may be established and enforced to control application activity that the user may conduct in the communication network. Conformance with application access restrictions and regulations may be verified or demonstrated by reporting the records, and ensured through policy enforcement.

Abstract: A method and apparatus for monitoring data traffic in a communication network are provided. A router connected to the communication network monitors information contained in the data traffic, and based on the information determines whether data in the traffic is indicative of a malicious threat to one or more resources connected to the network. Parameters which control monitoring of traffic at the router, such as the sampling rate and what information is to be extracted from the data is varied according to the condition of the network so that the monitoring can be adapted to focus on traffic which relates to a particular suspected or detected threat.

Abstract: Communication session admission control systems and methods are disclosed. A state of a communication system is monitored, and admission of a communication session into the communication system is controlled based on a random admission control procedure and a current state of the communication system. Monitoring of the current state of equipment in the communication system, connections in the communication system, communication sessions in progress in the communication system, special monitoring sessions established in the communication system, and/or an overall state of the communication system can have several benefits. These benefits may include improving utilization of resources in the system, and providing a session admission control scheme that is capable of reacting to actual observed conditions and adapting to changing system topologies following a fault, for instance.

Abstract: A method and packet filtering system that accelerates the packet classification problem is made. Using spectral analysis of rules and using real time spectral analysis of packets, it is possible to determine very quickly that a packet does not match any of the possible rules that have been defined. That is to say, using the packet filtering of the invention, there is no possibility of a false negative decision; when a packet is determined not to match any rule, the work of a packet classifier is complete. This method and system are also capable, with a high degree of accuracy, of determining that the packet has matched one of the defined rules, so that the packet may be then directed to a packet classifier to determine the specific rule it matches.

Abstract: Systems and methods of reducing service jitter in WFQ scheduling schemes used in packet traffic management are described. Service jitter is the variance in time between when a queue should have been selected for servicing and when it was actually serviced. The service jitter is generally not a problem in lower speed applications but in a high speed implementation such as a OC192 device latency can lead to downstream service contract violations. According to the invention jitter is controlled by applying a dampening factor to a difference amount that is used by the WFQ process to adjust its timing of queue selection. The difference amount is queue-specific and is a running difference between calculated and actual queue servicing times.

Abstract: The packet rate limiting method and system is used for detecting and blocking the effects of DoS attacks on IP networks. The method uses an ACL counter that stores an action parameter in the first 3 most significant bits and uses 13 bits as a packet counter. A rate limit is enforced by setting the packet counter to an initial value, and resetting this value at given intervals of time. The action parameter enables the ACL to accept or deny packets based on this rate limit. If the number of packets in the incoming flow saturates the packet counter before the reset time, the packets are denied access to the network until the counter is next reset. The denied packets may be just discarded or may be extracted for further examination.