Abstract: A system and method are provided for creating an XML network. As each XML router is added to the XML network, the new XML router registers with a group of existing XML routers in the network, and thereafter regularly exchanges hello messages with other XML routers in order to announce its initial and continued presence. Once an XML router is added to the group of routers forming the network, the adjacency of the new XML router is determined. The new XML router selects its adjacency based on a prioritized set of metrics, including TCP hops, IP cost, and fanout, along with specific parameters relating to fanout and IP cost. The order of priority of the metrics and the specific parameters can be set by an operator, allowing flexibility in creating an optimum XML network topology.

Abstract: Publish-subscribe XML multicast service within a VPN service is described. A backbone such as an IP/MPLS backbone connects multiple subscriber sites using VPN technology and VPN edge routers. XML publish-subscribe modules are addressable within the VPN and form an overlay network between the edge routers participating in the VPN. The XML publish-subscribe modules may perform either topic-based multicast or content-based multicast services. The multicast service is self-managed.

Abstract: A method and apparatus for monitoring data traffic in a communication network are provided. A router connected to the communication network monitors information contained in the data traffic, and based on the information determines whether data in the traffic is indicative of a malicious threat to one or more resources connected to the network. Parameters which control monitoring of traffic at the router, such as the sampling rate and what information is to be extracted from the data is varied according to the condition of the network so that the monitoring can be adapted to focus on traffic which relates to a particular suspected or detected threat.

Abstract: A Session Admission Control (SAC) for negotiating admission control in a multi-services communications network including multicast services is described. The module distributes the admission process between a centralized decision function (SAC-PDP) and a distributed decision function (SAC-M) in a fashion that solves admission control scaling problems. The mechanism for interaction between the SAC-PDP and SAC-M is defined. Mechanisms are defined for the SAC-PDP to discover or learn the network capacity against which the admission control decisions will be made. Systems are also described for incorporating SAC-M in multicast replication points in the network, allowing multicast replication points to participate in the admission control process.

Abstract: Instead of implementing per flow measurement at every interface of every IGMP Router or Snooping Proxy in the aggregation network, as in the prior art “per flow measurement” approaches, the present invention relates to a scheme where the IGMP Router or Snooping Proxy tracks the multicast subscription of each host (for IGMPv3) or subnet (for IGMPv1 and IGMPv2) and stores the information such as host id, the time the host joined a channel, the duration of the channel delivery, etc. in a database. This database (MIB) can then be pulled by a network management tool using SNMP or WSDM MUWS. According to the invention a mechanism for multicast host authorization is also provided.

Abstract: A system for providing resilient multimedia broadcasting services over a VPLS network is described. A network Management System (NMS) calculates disjoint minimum cost trees using the Steiner algorithm executed with extra steps to result in the disjoint trees. Destination PE routers in the VPLS network are connected to the disjoint trees so that they can be serviced by either tree in the case of a fault. Each of the disjoint trees is provisioned with enough bandwidth to carry all of the services provided by the VPLS network. Under normal operation, however, the services are distributed evenly over the trees. In the event of a fault, the services on the faulty tree are switched to the other tree using split horizon bridging. Each Steiner tree can also be realized using poin-to-multipoint LSPs which is fully protected by a precomputed point-to-mulltipoint LSP.

Abstract: Network services infrastructure systems and methods are disclosed. Policies for client access to a services network and network services available in the services network are enforced at client gateways. Once authenticated and authorized at a client gateway, a client of the services network may make its own network service(s) available in the services network, use network services provided by other clients of the services network, or both. The policies are centrally managed within a services network and distributed to the client gateways. Various registries which store policies, information associated with network services, and possibly other information may also be provided.

Abstract: Public and private network service management systems and methods are disclosed. Rules for accessing a private services network in which network services are available are enforced so as to restrict access to the services network through a public network in accordance with policies of the services network. Use of network services by a client of the private services network through the public network is controlled according to network service access policies associated with the network services. Network services provided by clients of the services network which access the services network through a public network may also be offered to other clients of the services network through the services network and the public network.

Abstract: Systems and methods for managing network services between private networks are disclosed. Advertisement of network services which are available in a services network is controlled in accordance with a policy associated with each network service. Network service information is advertised to an external services network only for those network services which have associated policies permitting distribution of the network services through external networks. External network services may also or instead be advertised to a services network from one or more external services networks and subsequently made available in the services network.

Abstract: Methods, tools, and a multicast connectivity architecture are provided for provisioning bundled high bandwidth multi-channel multimedia broadcast services over a packet switched communications network. Multicast group membership join/prune requests generated by the destination network nodes are processed on edge. Multicast tree connectivity in the core of the communications network is static and centrally provisioned based on multicast group member edge network nodes associated with subscribers, while dynamic multicasting techniques are employed over the distribution portion of the service provider's communications network to deliver requested content to each destination network node. The methods and tools compute multicast trees, configure on-tree branching network nodes, and establish Virtual Private LAN network overlays for channel bundles to convey multi-channel content in the core of the managed communications network between edge network nodes.

Abstract: A selective, flow-based datapath architecture is described. A Flow Control Block Manager (FCBM) is located in a flow-based datapath for selectively and intelligently processing packets in the Flow Path. If, according to the FCBM, efficiency gains can be achieved by creating a flow control block and employing flow-based processing on a packet stream, the packets are processed accordingly. If, however, insufficient gains are anticipated the packets are processed in a flow-unaware manner. The FCBM determines the manner in which to process packets based on a set of criteria.

Abstract: Methods directed to longest prefix matching and systems directed to IP address lookups are presented. The methods and systems relate in particular to IPv6 and comprise finding the longest prefix match (LPM) for an IP address. The method of the invention results in the use of filters to perform LPM. In embodiments of the invention, partial address filtering is used to further reduce filtering requirements. Reducing the number of filtering operations has the advantage of making the LPM algorithm faster and less costly to implement than prior art approaches. Also described is an “ideal offset filter” that extracts a fixed sized sliding window of bits from the IP address being processed.

Abstract: A disjoint graph structure for packet classification in communication systems is presented. The disjoint graph is comprised of two types of data structures; an elementary interval tree (EIT) and a disjoint interval tree (DIT). The disjoint graph is constructed based on a range-specified rule set finding particular application in the classification of data packets. Each rule in the rule set has an equal number of fields and each field specifies a range referred to as an integer interval having a lower and an upper bound. The disjoint graph has the same number of layers as there are fields in each rule. The layers are comprised of nodes, and each node has an associated rule set selected from the range-specified rule set. The disjoint graph enables packet classification in only one pass through the tree. The EIT and DIT structures are also presented in detail.