Abstract: Embodiments provide techniques for device-level traffic shaping in a communications network. Embodiments operate in communication networks providing connectivity to large numbers of user-side network nodes via shared communications links. For example, customer premises equipment (CPE) devices behind one of the user-side network nodes are classified into device types according to a predetermined rate-relevant characteristic of the CPE device. Upon receiving a forward-link (FL) traffic flow destined for one of the CPE devices, the device type of the CPE device is identified, and the FL traffic flow is shaped in accordance with a traffic shaping policy that corresponds to CPE device type. Various embodiments are tailored to support architectures having device-level shapers and/or network address translators (NAT) in user-side network nodes and/or in a provider-side network node.

Abstract: Embodiments provide techniques for device-level traffic shaping in a communications network. Embodiments operate in communication networks providing connectivity to large numbers of user-side network nodes via shared communications links. For example, customer premises equipment (CPE) devices behind one of the user-side network nodes are classified into device types according to a predetermined rate-relevant characteristic of the CPE device. Upon receiving a forward-link (FL) traffic flow destined for one of the CPE devices, the device type of the CPE device is identified, and the FL traffic flow is shaped in accordance with a traffic shaping policy that corresponds to CPE device type. Various embodiments are tailored to support architectures having device-level shapers and/or network address translators (NAT) in user-side network nodes and/or in a provider-side network node.

Abstract: Embodiments provide techniques for device-level traffic shaping in a communications network. Embodiments operate in communication networks providing connectivity to large numbers of user-side network nodes via shared communications links. For example, customer premises equipment (CPE) devices behind one of the user-side network nodes are classified into device types according to a predetermined rate-relevant characteristic of the CPE device. Upon receiving a forward-link (FL) traffic flow destined for one of the CPE devices, the device type of the CPE device is identified, and the FL traffic flow is shaped in accordance with a traffic shaping policy that corresponds to CPE device type. Various embodiments are tailored to support architectures having device-level shapers and/or network address translators (NAT) in user-side network nodes and/or in a provider-side network node.

Abstract: Embodiments provide techniques for device-level traffic shaping in a communications network. Embodiments operate in communication networks providing connectivity to large numbers of user-side network nodes via shared communications links. For example, customer premises equipment (CPE) devices behind one of the user-side network nodes are classified into device types according to a predetermined rate-relevant characteristic of the CPE device. Upon receiving a forward-link (FL) traffic flow destined for one of the CPE devices, the device type of the CPE device is identified, and the FL traffic flow is shaped in accordance with a traffic shaping policy that corresponds to CPE device type. Various embodiments are tailored to support architectures having device-level shapers and/or network address translators (NAT) in user-side network nodes and/or in a provider-side network node.

Abstract: A flow based routing method and apparatus selects a path from a plurality of different paths for assignment to a flow. The path is selected based on traffic performance measurements which identify relative congestion and performance of the different paths, so that traffic flows can be diverted away from network congestion points, thereby allowing network resources to be load balanced at a flow granularity. The present invention may be configured on physical or virtual links on an NE to enhance the forwarding of packets using the primary link and one or more alternate links to any given destination.

Abstract: A flow based routing method and apparatus selects a path from a plurality of different paths for assignment to a flow. The path is selected based on traffic performance measurements which identify relative congestion and performance of the different paths, so that traffic flows can be diverted away from network congestion points, thereby allowing network resources to be load balanced at a flow granularity. The present invention may be configured on physical or virtual links on an NE to enhance the forwarding of packets using the primary link and one or more alternate links to any given destination.

Abstract: A flow based routing method and apparatus selects a path from a plurality of different paths for assignment to a flow. The path is selected based on a traffic performance measurements which identify relative congestion and performance of the different paths, so that traffic flows can be diverted away from network congestion points, thereby allowing network resources to be load balanced at a flow granularity. The present invention may be configured on physical or virtual links on an NE to enhance the forwarding of packets using the primary link and one or more alternate links to any given destination.

Abstract: To route a flow of elastic traffic, plural candidate paths are identified for the flow of elastic traffic. A particular path from among the plural candidate paths is selected to route the flow of elastic traffic according to criteria including numbers of flows on respective candidate paths and measured performances of the respective candidate paths.

Abstract: An embodiment of the present invention includes a technique to provide anti-replay protection with QoS queues. A single global anti-replay window is maintained to have global lowest and highest sequence numbers for an Internet protocol security (IPSec) security association (SA). The single global anti-replay window is associated with individual differentiated services code point (DSCP) or DSCP group, the individual DSCP or DSCP group corresponding to individual per-DSCP anti-replay windows. A received packet having a sequence number is pre-processed before packet processing using the single global anti-replay window. The received packet is post-processed after packet processing using the individual per-DSCP anti-replay windows.

Abstract: A Point to Point Protocol (“PPP”) link running PPP Multilink Protocol with multi-class extensions (“Multilink-Extension”) having both peers on the PPP link support a number of egress priority queues negotiated during the Multilink-Extension negotiation. Each peer also establishes a number of classes equal to the negotiated number of egress priority queues. Thus, communication devices that have a different default number, or different maximum number, of egress priority queues can interoperate in a manner that ensures packets have the same per-hop behavior (“PHB”). The present invention is both memory efficient and processing time efficient because only the minimum number of egress priority queues necessary are instantiated.

Abstract: Described are a method and system for seamless roaming of a mobile node during a VPN session. A VPN session between the mobile node and a current VPN server in a network is established and synchronized with at least one fail-over VPN server in the network. An address change message is sent to the current VPN server and the fail-over VPN servers upon roaming of the mobile node. A fail-over VPN server responds with a reply message and is registered as a current VPN server for continuation of the VPN session. To load balance, a load query message is sent to the current VPN server and the fail-over VPN servers. Reply messages include server performance characteristics of the VPN servers. The VPN session can be transferred from the current VPN server to a fail-over VPN server in response to the server performance characteristics.

Abstract: Customer Edge (CE) network elements can automatically learn IPSec tunnel endpoints for other CEs connected to sites in a Virtual Private Network (VPN) so that manual configuration of IPSec tunnel endpoints is not required and so that a centralized database of IPSec tunnel endpoints is not required to be separately maintained. According to an embodiment of the invention, a BGP export route policy is set on all CEs, so that when they announce their VPN routes in the standard format, the application of this export route policy changes the announcement to replace the BGP peering point address that would ordinarily be advertised with the IPSec tunnel endpoint address. When any given site receives a VPN route update formatted in this manner, it processes the VPN route update and learns from the update the IPSec tunnel endpoint as well as the associated VPN routes.

Abstract: Efficient interface scheduling that maintains fairness among the scheduled interfaces and remains efficient even when scheduling large numbers of interfaces and even when implemented in software. Systems for scheduling interfaces through a physical port are provided that utilize a bit-mask. Each bit-mask has a bit-mask-level-1 having a plurality of bits, each bit in the bit-mask-level-1 represents a unit of bandwidth with the total number of bits in the bit-mask-level-1 representing the port's line speed, each bit in a bit-mask-level-1 is associated with an interface, and the number of bits associated with each interface determines the bandwidth for that interface. Methods of scheduling interfaces are provided that utilize one or more bit-masks to determine an order in which interfaces are scheduled. The present invention can efficiently implement versions of the dual-token-bucket algorithm.

Abstract: Multicast route leaking between VRFs in different VPNs enables receivers in different VPNs to subscribe to the same IP multicast so that an efficient IP multicast distribution tree can be built to include subscribers in multiple VPNs. VRFs are administratively configured to implement multicast route leaking and each such configured VRF brings up an internal connectionless IP interface. The VRFs then enable the multicast routing protocol (e.g. PIM) on the internal IP interface to establish PIM neighborships with each other. When a VRF receives an IGMP join from a receiver, it uses PIM to join the receiver to the multicast over the internal IP interface. This enables receivers outside of a VPN but associated with VRFs that are co-located on the same PE to join multicasts established within the VPN so that separate multicast distribution trees are not required for each VPN.

Abstract: Customer Traffic may be segregated using customer provisioned IPSec VPNs implemented using group security association for IPSec tunnels, by causing the CE network element to implement multiple VRFs for the several VPNs, each of which may be used for a different segment of the customer's traffic. The CE network element may implement a single MPBGP peering session with the GCKS/RR for all VPNs, and may establish secure data channels for each of the VPNs based on the group security associations for each of the VPNs. Although a common MPBGP peering session may be used, routing information for the several VRFs may be separated by applying per-VRF import policies at the CE, so that each VPN only has access to routes intended to be advertised to that VPN.

Abstract: An embodiment of the present invention includes a technique to provide anti-replay protection with QoS queues. A single global anti-replay window is maintained to have global lowest and highest sequence numbers for an Internet protocol security (IPSec) security association (SA). The single global anti-replay window is associated with individual differentiated services code point (DSCP) or DSCP group, the individual DSCP or DSCP group corresponding to individual per-DSCP anti-replay windows. A received packet having a sequence number is pre-processed before packet processing using the single global anti-replay window. The received packet is post-processed after packet processing using the individual per-DSCP anti-replay windows.

Abstract: Customer Traffic may be segregated using customer provisioned IPSec VPNs implemented using group security association for IPSec tunnels, by causing the CE network element to implement multiple VRFs for the several VPNs, each of which may be used for a different segment of the customer's traffic. The CE network element may implement a single MPBGP peering session with the GCKS/RR for all VPNs, and may establish secure data channels for each of the VPNs based on the group security associations for each of the VPNs.

Abstract: Customer Edge (CE) network elements can automatically learn IPSec tunnel endpoints for other CEs connected to sites in a Virtual Private Network (VPN) so that manual configuration of IPSec tunnel endpoints is not required and so that a centralized database of IPSec tunnel endpoints is not required to be separately maintained. According to an embodiment of the invention, a BGP export route policy is set on all CEs, so that when they announce their VPN routes in the standard format, the application of this export route policy changes the announcement to replace the BGP peering point address that would ordinarily be advertised with the IPSec tunnel endpoint address. When any given site receives a VPN route update formatted in this manner, it processes the VPN route update and learns from the update the IPSec tunnel endpoint as well as the associated VPN routes.

Abstract: Efficient interface scheduling that maintains fairness among the scheduled interfaces and remains efficient even when scheduling large numbers of interfaces and even when implemented in software. Systems for scheduling interfaces through a physical port are provided that utilize a bit-mask. Each bit-mask has a bit-mask-level-1 having a plurality of bits, each bit in the bit-mask-level-1 represents a unit of bandwidth with the total number of bits in the bit-mask-level-1 representing the port's line speed, each bit in a bit-mask-level-1 is associated with an interface, and the number of bits associated with each interface determines the bandwidth for that interface. Methods of scheduling interfaces are provided that utilize one or more bit-masks to determine an order in which interfaces are scheduled. The present invention can efficiently implement versions of the dual-token-bucket algorithm.

Abstract: A Point to Point Protocol (“PPP”) link running PPP Multilink Protocol with multi-class extensions (“Multilink-Extension”) having both peers on the PPP link support a number of egress priority queues negotiated during the Multilink-Extension negotiation. Each peer also establishes a number of classes equal to the negotiated number of egress priority queues. Thus, communication devices that have a different default number, or different maximum number, of egress priority queues can interoperate in a manner that ensures packets have the same per-hop behavior (“PHB”). The present invention is both memory efficient and processing time efficient because only the minimum number of egress priority queues necessary are instantiated.