Patents by Inventor Anantha Ramaiah

Anantha Ramaiah has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7903546
    Abstract: A method for detecting unavailable network connections comprises, at a first data processing node that is hosting a transport protocol connection that uses a plurality of sequence values to identify messages sent to a peer node, wherein the first node is communicatively coupled to a second data processing node serving as a redundant backup, periodically sending a checkpoint sequence value to the second node; detecting that either the transport protocol connection or a process using the transport protocol connection is unavailable, without use of a timeout; and in response thereto, sending a notification to the peer node, wherein the notification includes the checkpoint sequence value. One embodiment provides for rapidly detecting and responding to failure of a TCP process without using long timeouts as conventionally provided in long-lived applications that run on top of TCP.
    Type: Grant
    Filed: January 14, 2005
    Date of Patent: March 8, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Mitesh Dalal, Anantha Ramaiah, Ruchi Kapoor, Chandrashekhar Appanna
  • Publication number: 20100296516
    Abstract: A system and method supporting efficient, scalable stateful switchover of transport layer connections in a telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby protocol process, a request to configure a first transport layer connection maintained at the active transport protocol process for stateful switchover; receiving an event associated with the first transport layer connection; creating a message containing replicated event information based on the received event; sending the message to the standby transport protocol process; and processing the message at the standby transport protocol process, wherein the standby transport protocol process replicates state information for the first connection.
    Type: Application
    Filed: July 6, 2010
    Publication date: November 25, 2010
    Inventors: Anantha Ramaiah, Chandrashekhar Appanna, Amol Khare
  • Patent number: 7808998
    Abstract: In an embodiment, an existing transport protocol connection through a mobile device is recognized as having entered a state of disconnect. A lowest received sequence number is determined from received messages to be transmitted over a disconnected transport protocol connection. A disconnect acknowledgement message with a receive window of zero and a sequence number of one less than the lowest received sequence number is transmitted. The disconnect acknowledgement message with a receive window of zero and a sequence number of one less than the lowest received sequence number continues to be transmitted until the transport protocol connection exits the disconnect state to a connect state.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: October 5, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Randall Stewart, Gopal Dommety, Anantha Ramaiah
  • Patent number: 7801135
    Abstract: A system and method supporting synchronization of replicated transport layer connections in a redundant processor telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby transport protocol process, information identifying a newly created transport layer connection maintained at the active transport protocol process; assigning a unique connection identifier to the transport layer connection; sending the unique connection identifier, in association with other, protocol-specific connection identifying information, to the standby protocol process; and sending, to the standby transport protocol process, one or more messages comprising one or more properties or statistics associated with the transport layer connection, wherein the messages identify the transport layer connection using the unique connection identifier.
    Type: Grant
    Filed: May 19, 2005
    Date of Patent: September 21, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Chandrashekhar Appanna, Anantha Ramaiah
  • Patent number: 7751311
    Abstract: A system and method supporting efficient, scalable stateful switchover of transport layer connections in a telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby protocol process, a request to configure a first transport layer connection maintained at the active transport protocol process for stateful switchover; receiving an event associated with the first transport layer connection; creating a message containing replicated event information based on the received event; sending the message to the standby transport protocol process; and processing the message at the standby transport protocol process, wherein the standby transport protocol process replicates state information for the first connection.
    Type: Grant
    Filed: May 19, 2005
    Date of Patent: July 6, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Anantha Ramaiah, Chandrashekhar Appanna, Amol Khare
  • Patent number: 7688819
    Abstract: Devices executing routing protocols can mark routing protocol messages as urgent so that peer devices are signaled to consume the messages on an expedited basis. Performance of routing protocols improves as a result; for example, Border Gateway Protocol convergence time is reduced. An example router comprises a network interface, a processor, a transport layer protocol module that implements a transport layer network protocol, a routing protocol module that implements a network packet routing protocol and sends peering session messages over transport layer connections, and instructions to perform providing a first routing protocol message to the transport layer protocol module that comprises urgent data at least in part; requesting the transport layer protocol module to mark, as urgent, one or more data segments that carry the first routing protocol message; marking, as urgent, one or more segments that carry the first routing protocol message; and sending the segments to peer devices over the connections.
    Type: Grant
    Filed: March 6, 2006
    Date of Patent: March 30, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Anantha Ramaiah, Keyur Patel, David D. Ward, Robert Raszuk
  • Patent number: 7650635
    Abstract: A method of preventing an attack on a network, the method comprising the computer-implemented steps of receiving an ICMP packet that includes a copy of a header associated with a connection in a connection-oriented transport protocol; obtaining a packet sequence value from the header; determining if the packet sequence value is valid; and updating a parameter value associated with the transport protocol connection only if the packet sequence value is determined to be valid. Use of the disclosed method enables authenticating ICMP packets so that responsive measures of a network element, such as adjusting an MTU value, are performed only when the ICMP packet is determined to be authentic.
    Type: Grant
    Filed: April 7, 2004
    Date of Patent: January 19, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Amol Khare, Mitesh Dalal, Anantha Ramaiah, Sharad Ahlawat
  • Patent number: 7623464
    Abstract: A method is disclosed for rapidly detecting a protocol failure. In one embodiment, the method includes receiving an indication that a first process has failed, the first process having been engaged in communications over one or more network connections with a second process. A packet is formed, such that the packet appears to have been formed by the first process. The packet includes one or more data values, which, when received and processed by the second process, will cause the second process to close the network connection. The packet is sent to the second process. When the second process receives the packet, the second process closes the network connection.
    Type: Grant
    Filed: July 9, 2004
    Date of Patent: November 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Chandrashekhar Appanna, Anantha Ramaiah, Ruchi Kapoor
  • Patent number: 7613118
    Abstract: A method detects a change in TCP receive window size while preventing fragmentation of data. A TCP stack receives a segment that advertises a receive window size of zero. If data needs to be sent, and only if so, a timer is started. When the timer expires, a TCP segment that contains a first sequence number value equal to second sequence number representing sent but unacknowledged data minus one, and a segment length value of zero, is sent. Without sending a fragment of data, this triggers a peer TCP process to send an updated window size. A TCP ACK segment is received and contains an updated receive window size. If the updated receive window size is greater than a specified value, then the data is sent. Otherwise, a counter is incremented, and the steps are re-performed if the counter is less than a specified value.
    Type: Grant
    Filed: May 19, 2005
    Date of Patent: November 3, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Chandrashekhar Appanna, Anantha Ramaiah, Amol Khare
  • Patent number: 7609617
    Abstract: A method is disclosed for upgrading network protocol software, comprising receiving a new version of Border Gateway Protocol (BGP) software on a standby route processor that is coupled to an active route processor in a redundant arrangement; transferring, from the active route processor to the standby route processor, one or more transport protocol connections that are associated with one or more active BGP sessions of the active route processor; transferring, from the active route processor to the standby route processor, BGP session information representing the active BGP sessions; progressively shutting down an active BGP process of the active route processor; and switching control of BGP data processing to the standby route processor. The route processors may be placed in a stateful switchover mode of operation temporarily only during the transferring, shutting down, and switching. Thus a hitless BGP upgrade approach is provided.
    Type: Grant
    Filed: April 14, 2005
    Date of Patent: October 27, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Chandrashekhar Appanna, Anantha Ramaiah
  • Patent number: 7593331
    Abstract: In one embodiment, an apparatus comprises logic encoded in one or more tangible media for enhancing transmission reliability of monitored data. The logic is operable to receive a plurality of segments for transmission over a TCP connection to a network node, where the TCP connection is associated with a transmit queue and a retransmit queue. The logic is also operable to detect a transmission anomaly on the TCP connection to the network node, and in response to detecting the transmission anomaly, is operable to perform any one of: store segments into a persistent buffer prior to transferring the segments into the transmit queue; copy segments from the retransmit queue into the persistent buffer, where the segments have been transmitted but not yet acknowledged by the network node; and copy segments from the transmit queue into the persistent buffer, where the segments have not yet been transmitted to the network node.
    Type: Grant
    Filed: January 17, 2007
    Date of Patent: September 22, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Alpesh Patel, Anantha Ramaiah, Syam Sundar Appala, Praveen Joshi
  • Publication number: 20090219805
    Abstract: A system and method for performing stateful switchover with reduced data, such as only metadata about a TCP window state. The metadata comprises a size of TCP packets used to send BGP messages, and which of those have been acknowledged by a neighbor networking device. The networking device comprises a BGP module to establish a BGP session between the networking device and a neighbor networking device. An active transport module within the networking device synchronizes with a standby transport module within the networking device by sending the metadata. A fault detector within the networking device initiates a stateful switchover from the active transport module to the standby transport module responsive to detecting a failure of a process and/or processor. The standby transport module uses the metadata to determine stateful metadata for preserving current BGP and TCP sessions of the networking device.
    Type: Application
    Filed: April 6, 2009
    Publication date: September 3, 2009
    Inventors: Chandrashekhar Appanna, Anantha Ramaiah, Lester S. Bird
  • Publication number: 20090196178
    Abstract: In an embodiment, an existing transport protocol connection through a mobile device is recognized as having entered a state of disconnect. A lowest received sequence number is determined from received messages to be transmitted over a disconnected transport protocol connection. A disconnect acknowledgement message with a receive window of zero and a sequence number of one less than the lowest received sequence number is transmitted. The disconnect acknowledgement message with a receive window of zero and a sequence number of one less than the lowest received sequence number continues to be transmitted until the transport protocol connection exits the disconnect state to a connect state.
    Type: Application
    Filed: January 31, 2008
    Publication date: August 6, 2009
    Inventors: Randall Stewart, Gopal Dommety, Anantha Ramaiah
  • Patent number: 7565694
    Abstract: A method for improving resistance of network protocols running on transmission control protocol (TCP), such as BGP. For example, a method comprises receiving, from a TCP application, a request to ignore all TCP segments with an RST bit set, except for solicited RST segments; establishing a filter that blocks all but solicited TCP RST segments; receiving a TCP segment with a SYN bit set and a sequence number value within an allowed window for a TCP connection matching the received segment, and for a session of the TCP application; re-configuring the filter to allow TCP RST segments for the connection associated with the received segment; requesting the TCP application to initiate an event that will induce a legitimate sender of the received segment to send a valid TCP RST segment in response; and closing the connection only when a TCP RST segment is received in response.
    Type: Grant
    Filed: October 5, 2004
    Date of Patent: July 21, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Chandrashekhar Appanna, Anantha Ramaiah
  • Patent number: 7545810
    Abstract: Approaches are disclosed for switching transport protocol connection keys. In a transport protocol module configured to use a first key for signing messages associated with a transport protocol connection, a second key is configured for the transport protocol connection. A first message that is associated with the transport protocol connection is received. The first message includes a first signature. A first and a second message digests are computed for the first message, where the first message digest is based on the first key and the second message digest is based on the second key. The first message is validated if the first signature in the first message matches any one of the first message digest and the second message digest.
    Type: Grant
    Filed: July 1, 2005
    Date of Patent: June 9, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Satish K. Mynam, Anantha Ramaiah, Chandrashekhar Appanna, Keyur Patel
  • Patent number: 7515525
    Abstract: A system and method for performing stateful switchover with reduced data, such as only metadata about a TCP window state. The metadata comprises a size of TCP packets used to send BGP messages, and which of those have been acknowledged by a neighbor networking device. The networking device comprises a BGP module to establish a BGP session between the networking device and a neighbor networking device. An active transport module within the networking device synchronizes with a standby transport module within the networking device by sending the metadata. A fault detector within the networking device initiates a stateful switchover from the active transport module to the standby transport module responsive to detecting a failure of a process and/or processor. The standby transport module uses the metadata to determine stateful metadata for preserving current BGP and TCP sessions of the networking device with dummy TCP packets having the same size as sent TCP packets and containing safe BGP message data.
    Type: Grant
    Filed: September 22, 2004
    Date of Patent: April 7, 2009
    Inventors: Chandrashekhar Appanna, Anantha Ramaiah, Lester S. Bird
  • Patent number: 7484011
    Abstract: A system for filtering transport layer connections with application layer connection outcomes provides a connection database to store information about connection requests and associated application layer outcomes. The system further includes a throttle filter populated with data from the connection database. The throttle filter is a list of connection requester identifiers, such as IP addresses or port numbers, to be used to identify connection requests to be blocked based on previous connection requests from the connection requesters. The system provides attack and overload protection and load balancing in embedded systems.
    Type: Grant
    Filed: October 8, 2003
    Date of Patent: January 27, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Saravanan Agasaveeran, Anantha Ramaiah
  • Patent number: 7472416
    Abstract: Approaches for preventing TCP RST attacks intended to cause denial of service in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, an endpoint node determines whether the TCP segment contains valid authentication information. The TCP RST segment is accepted and the TCP connection is closed only when the authentication information is valid. Authentication information may comprise a reset type value, and either initial sequence numbers of both endpoints, or a copy of a TCP header and options values previously sent by the endpoint node that is performing the authentication. Thus, attacks are thwarted because an attacker cannot know or reasonably guess the required authentication information.
    Type: Grant
    Filed: May 6, 2004
    Date of Patent: December 30, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Anantha Ramaiah, Shrirang Bage, Amol Khare, Mitesh Dalal
  • Publication number: 20080225888
    Abstract: In one embodiment, an apparatus comprises logic for optimizing return traffic paths using network address translation (NAT). The logic is operable to receive outbound data from a source node in a source network, and to replace a source address in a source address field in the outbound data with a first address from a first address pool associated with a first connection. The logic is operable to determine that return traffic on the first connection needs to be switched over to a second connection, where a second address pool is associated with the second connection. The logic is operable to generate a mapping that associates the first address with a second address from the second address pool and, based on the mapping, to replace the first address in the source address field in the outbound data with the second address. The logic is also operable to send the outbound data to the destination node over the second connection.
    Type: Application
    Filed: March 14, 2007
    Publication date: September 18, 2008
    Inventors: Vamsidhar Valluri, Anantha Ramaiah, Kaushik Biswas
  • Patent number: 7412600
    Abstract: Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a sequence value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the sequence value matches a specified characteristic.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: August 12, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: John C. Wong, Anantha Ramaiah, Amol Khare, Mitesh Dalal, Shrirang Bage, Lin Han