Abstract: A method and apparatus for monitoring data traffic in a communication network are provided. A router connected to the communication network monitors information contained in the data traffic, and based on the information determines whether data in the traffic is indicative of a malicious threat to one or more resources connected to the network. Parameters which control monitoring of traffic at the router, such as the sampling rate and what information is to be extracted from the data is varied according to the condition of the network so that the monitoring can be adapted to focus on traffic which relates to a particular suspected or detected threat.

Abstract: Network services infrastructure systems and methods are disclosed. Policies for client access to a services network and network services available in the services network are enforced at client gateways. Once authenticated and authorized at a client gateway, a client of the services network may make its own network service(s) available in the services network, use network services provided by other clients of the services network, or both. The policies are centrally managed within a services network and distributed to the client gateways. Various registries which store policies, information associated with network services, and possibly other information may also be provided.

Abstract: A system and method of processing data, including identifying a first data processing criteria, communicating the first data processing criteria from a data processing application to a network element, receiving sensor data from a plurality of sensors at the network element, operating on the sensor data at the network element to process the data according to the identified first data processing criteria, resulting in a first processed data result, transmitting the first processed data result from the network element to the data processing application, and processing the first processed data result at the data processing application resulting in a second processed data result. The criteria can be dynamically updated.

Abstract: Network services infrastructure systems and methods are disclosed. Policies for client access to a services network and network services available in the services network are enforced at client gateways. Once authenticated and authorized at a client gateway, a client of the services network may make its own network service(s) available in the services network, use network services provided by other clients of the services network, or both. The policies are centrally managed within a services network and distributed to the client gateways. Various registries which store policies, information associated with network services, and possibly other information may also be provided.

Abstract: Instead of implementing per flow measurement at every interface of every IGMP Router or Snooping Proxy in the aggregation network, as in the prior art “per flow measurement” approaches, the present invention relates to a scheme where the IGMP Router or Snooping Proxy tracks the multicast subscription of each host (for IGMPv3) or subnet (for IGMPv1 and IGMPv2) and stores the information such as host id, the time the host joined a channel, the duration of the channel delivery, etc. in a database. This database (MIB) can then be pulled by a network management tool using SNMP or WSDM MUWS. According to the invention a mechanism for multicast host authorization is also provided.

Abstract: A system and method are provided for subscriber to content provider network access service management which is requested by and paid for by the content provider to the network access provider. In response to the request from the content provider the network access provider invokes changes in bandwidth and/or quality of service for network traffic traversing between the web service provided by the content provider and the subscriber, either automatically or in response to a run-time request. The changes made in bandwidth and/or quality of service for the network traffic enables more robust and timely content and applications to be delivered to the specific subscriber from the content provider.

Abstract: A method of router interface level 2 redundancy, and router implementing the method, including one or more of the following: starting redundant ports that are members of a level 2 redundancy group (L2RG) in a DOWN state; determining that none of the redundant ports are in an ACTIVE state; switching a first one of the redundant ports to an ACTIVE state; activating an Internet protocol interface for the L2RG; inserting an Internet protocol route for an interface subnet in an FIB of a router that contains the redundant ports; binding the Internet protocol route for the interface to the first one of the redundant ports; transitioning the first one of the redundant ports to a DOWN state; transitioning the Internet protocol interface to the DOWN state from an UP state; and removing the Internet protocol route for the interface from the FIB of the router.

Abstract: The present invention permits translation of SM addresses (*, G1) and (*, G2) to configurable SSM addresses (S0, G0). IGMPv2 group membership queries from the receiver subnet are translated to IGMPv3 membership queries for processing in a SSM network. In the preferred embodiment, packets travel via a connection to the multicast router (mrouter). The mrouter queries an IGMPv2 receiver. The IGMPv2 receiver generates a membership report and sends it back to the mrouter. The mrouter translates the membership report into a (S0, G0) as specified in a multicast address translation table and stores the translation in the Multicast Forward Information Base (MFIB) located in the mrouter. Multicast payload addressed (S0, G0) flowing towards the IGMPv2 receiver can be translated to (S0, G0). When media data is addressed to (S0, G0), the mrouter consults the MFIB for forwarding and can also translate the destination address to (S1, G1).

Abstract: A method and system for STP-aware subscriber management is disclosed for managing redundant access ports. The STP-aware system includes Access Loop Pairs which provide continuity of subscriber management information in the event of an access port failure. The STP-aware subscriber management system is particularly useful for overcoming the requirements for extra ports within Link Access Group configured access networks known in the art.

Abstract: Publish-subscribe XML multicast service within a VPN service is described. A backbone such as an IP/MPLS backbone connects multiple subscriber sites using VPN technology and VPN edge routers. XML publish-subscribe modules are addressable within the VPN and form an overlay network between the edge routers participating in the VPN. The XML publish-subscribe modules may perform either topic-based multicast or content-based multicast services. The multicast service is self-managed.

Abstract: A Session Admission Control (SAC) for negotiating admission control in a multi-services communications network including multicast services is described. The module distributes the admission process between a centralized decision function (SAC-PDP) and a distributed decision function (SAC-M) in a fashion that solves admission control scaling problems. The mechanism for interaction between the SAC-PDP and SAC-M is defined. Mechanisms are defined for the SAC-PDP to discover or learn the network capacity against which the admission control decisions will be made. Systems are also described for incorporating SAC-M in multicast replication points in the network, allowing multicast replication points to participate in the admission control process.

Abstract: A method and system for STP-aware subscriber management is disclosed for managing redundant access ports. The STP-aware system includes Access Loop Pairs which provide continuity of subscriber management information in the event of an access port failure. The STP-aware subscriber management system is particularly useful for overcoming the requirements for extra ports within Link Access Group configured access networks known in the art.

Abstract: A system for providing resilient multimedia broadcasting services over a VPLS network is described. A Network Management System (NMS) calculates disjoint minimum cost trees using the Steiner algorithm, executed with extra steps to result in disjoint trees. Destination PE routers in the VPLS network are connected to the disjoint trees so that they can be serviced by either tree in case of a fault. Each of the disjoint trees is provisioned with enough bandwidth to carry all of the services provided by the VPLS network. Under normal operation, however, the services are distributed evenly over the trees. In the event of a fault, the services on a faulty tree are switched to another tree using split horizon bridging. Each Steiner tree can also be realized using point-to-multipoint LSPs which is fully protected by a precomputed point-to-multipoint LSP.

Abstract: An XML matching engine and method are provided, where policy rules expressed using XPath/XQuery policies are matched to streaming XML documents. Two distinct data structures are used: a combined modified DFA data structure for storing simple XPath queries (no wildcards or descendents) and a modified AFilter structure for storing complex queries (with wildcards or/and descendents). As the matching engine receives XML tags from XML parser, matching is performed in both structures in parallel.

Abstract: A method of router interface level 2 redundancy, and router implementing the method, including one or more of the following: starting redundant ports that are members of a level 2 redundancy group (L2RG) in a DOWN state; determining that none of the redundant ports are in an ACTIVE state; switching a first one of the redundant ports to an ACTIVE state; activating an Internet protocol interface for the L2RG; inserting an Internet protocol route for an interface subnet in an FIB of a router that contains the redundant ports; binding the Internet protocol route for the interface to the first one of the redundant ports; transitioning the first one of the redundant ports to a DOWN state; transitioning the Internet protocol interface to the DOWN state from an UP state; and removing the Internet protocol route for the interface from the FIB of the router.

Abstract: The present invention permits translation of SM addresses (*, G1) and (*, G2) to configurable SSM addresses (S0, G0). IGMPv2 group membership queries from the receiver subnet are translated to IGMPv3 membership queries for processing in a SSM network. In the preferred embodiment, packets travel via a connection to the multicast router (mrouter). The mrouter queries an IGMPv2 receiver. The IGMPv2 receiver generates a membership report and sends it back to the mrouter. The mrouter translates the membership report into a (S0, G0) as specified in a multicast address translation table and stores the translation in the Multicast Forward Information Base (MFIB) located in the mrouter. Multicast payload addressed (S0, G0) flowing towards the IGMPv2 receiver can be translated to (S0, G0). When media data is addressed to (S0, G0), the mrouter consults the MFIB for forwarding and can also translate the destination address to (S1, G1).

Abstract: A selective, flow-based datapath architecture is described. A Flow Control Block Manager (FCBM) is located in a flow-based datapath for selectively and intelligently processing packets in the Flow Path. If, according to the FCBM, efficiency gains can be achieved by creating a flow control block and employing flow-based processing on a packet stream, the packets are processed accordingly. If, however, insufficient gains are anticipated the packets are processed in a flow-unaware manner. The FCBM determines the manner in which to process packets based on a set of criteria.

Abstract: An XML matching engine and method are provided, where policy rules expressed using XPath/XQuery policies are matched to streaming XML documents. Two distinct data structures are used: a combined modified DFA data structure for storing simple XPath queries (no wildcards or descendents) and a modified AFilter structure for storing complex queries (with wildcards or/and descendents). As the matching engine receives XML tags from XML parser, matching is performed in both structures in parallel.

Abstract: Systems and methods for managing network services between private networks are disclosed. Advertisement of network services which are available in a services network is controlled in accordance with a policy associated with each network service. Network service information is advertised to an external services network only for those network services which have associated policies permitting distribution of the network services through external networks. External network services may also or instead be advertised to a services network from one or more external services networks and subsequently made available in the services network.

Abstract: A system and method of processing data, including identifying a first data processing criteria, communicating the first data processing criteria from a data processing application to a network element, receiving sensor data from a plurality of sensors at the network element, operating on the sensor data at the network element to process the data according to the identified first data processing criteria, resulting in a first processed data result, transmitting the first processed data result from the network element to the data processing application, and processing the first processed data result at the data processing application resulting in a second processed data result. The criteria can be dynamically updated.