Patents by Inventor Bogdan Chifor
Bogdan Chifor has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11637810
Abstract: A method for link layer authentication includes receiving, at an edge network access node, a link layer authentication packet from a client, seeking network access, using a remote NAS agent running on the edge network access node. The method transmits, using a tunneling connection, the link layer authentication packet to a remote NAS in a link layer authentication process. The link layer authentication process exchanges the link layer authentication packet with an authentication server to authenticate the client. The method includes receiving a link layer authentication packet from the remote NAS over the tunneling connection. The received link layer authentication packet includes a response from the authentication server regarding the transmitted link layer authentication packet.
Type: Grant
Filed: June 26, 2020
Date of Patent: April 25, 2023
Assignee: Lenovo Enterprise Solutions (Singapore) PTE. LTD.
Inventors: Bogdan Chifor, George-Andrei Stanescu, Radu Iorga, Corneliu-Ilie Calciu
-
Patent number: 11595367
Abstract: An apparatus includes a packet encryption circuit that uses encryption keys to encrypt each of two or more portions of a data packet. Each portion is encrypted with a different encryption key and includes one or more layers of the data packet. A first portion includes a layer of the data packet with MAC information. The apparatus includes a packet transmitter that transmits, from a source router, an encrypted data packet to an intermediate router between the source router and a destination router. The encrypted data packet includes an encrypted version of the data packet encrypted using the encryption keys. The intermediate router has encryption keys sufficient for a service level agreement of the intermediate router and lacks a portion of the encryption keys. The source and destination routers use a MAC security standard for encryption and decryption of the data packet using the encryption keys.
Type: Grant
Filed: September 30, 2020
Date of Patent: February 28, 2023
Assignee: LENOVO Enterprise Solutions (Singapore) PTE. LTD.
Inventors: Bogdan Chifor, George-Andrei Stanescu, Radu Iorga, Corneliu-Ilie Calciu
-
Patent number: 11425124
Abstract: A method for authorization of internet of things (“IoT”) identity bootstrapping includes receiving from a device, at a network access server (“NAS”) of a user and in response to an attestation request sent to the device, a vendor network address of a vendor server of a vendor and a device identifier for the device. The method includes authenticating the vendor using the vendor network address and, in response to authenticating the vendor, sending the device identifier to the vendor server. The method includes communicating device attestation packets between the vendor server and the device. The device attestation packets validate the device to the vendor server. The method includes receiving device attestation from the vendor server. The device attestation indicates validity status of the device to the NAS. The method includes, in response to the device attestation indicating validity of the device, transmitting a new device identity to the device.
Type: Grant
Filed: June 29, 2020
Date of Patent: August 23, 2022
Assignee: LENOVO Enterprise Solutions (Singapore) PTE. LTD.
Inventors: Bogdan Chifor, George-Andrei Stanescu, Radu Iorga, Corneliu-Ilie Calciu
-
Patent number: 11329927
Abstract: An apparatus includes a message receiver circuit that receives, at a port of a network node, a message from a neighboring network node. The message includes a maximum transmission unit (“MTU”) of the neighboring network node. The network nodes communicate using a layer-2 protocol. The apparatus includes a comparison circuit that determines if the received MTU is larger than an MTU for the port, and an approval circuit that, after determining that the received MTU is larger than the port's MTU, determines if the received MTU is supported by the network node. The method includes an increase circuit that, after determining that the received MTU is supported, changes the MTU of the network node's ports to match the received MTU, and a message circuit that, after determining that the received MTU is supported, sends a message with the MTU to network nodes connected to ports of the network node.
Type: Grant
Filed: June 30, 2020
Date of Patent: May 10, 2022
Assignee: Lenovo Enterprise Solutions (Singapore) PTE. LTD.
Inventors: Corneliu-Ilie Calciu, George-Andrei Stanescu, Radu M. Iorga, Bogdan Chifor
-
Publication number: 20220103535
Abstract: An apparatus includes a packet encryption circuit that uses encryption keys to encrypt each of two or more portions of a data packet. Each portion is encrypted with a different encryption key and includes one or more layers of the data packet. A first portion includes a layer of the data packet with MAC information. The apparatus includes a packet transmitter that transmits, from a source router, an encrypted data packet to an intermediate router between the source router and a destination router. The encrypted data packet includes an encrypted version of the data packet encrypted using the encryption keys. The intermediate router has encryption keys sufficient for a service level agreement of the intermediate router and lacks a portion of the encryption keys. The source and destination routers use a MAC security standard for encryption and decryption of the data packet using the encryption keys.
Type: Application
Filed: September 30, 2020
Publication date: March 31, 2022
Inventors: BOGDAN CHIFOR, GEORGE-ANDREI STANESCU, RADU IORGA, CORNELIU-ILIE CALCIU
-
Patent number: 11240167
Abstract: An apparatus for optimization for Spanning Tree Protocol (“STP”) data network includes an egress filter setting circuit in a first network node that sets an egress filter to discard data packets at an egress port of the first network node connected to a second network node in response to receiving an egress filter bridge protocol data unit (“BPDU”) message from the second network node indicating that a link between the first network node and the second network node is a redundant link. The network nodes are layer-2 STP bridges. The apparatus includes, in the first network node, an egress filter timeout circuit that resets a timer in response to receiving the egress filter BPDU message, and a filter clear circuit that clears the egress filter to allow data packets to be sent from the egress port to the second network node in response to the timer reaching a timeout.
Type: Grant
Filed: June 29, 2020
Date of Patent: February 1, 2022
Assignee: Lenovo Enterprise Solutions (Singapore) PTE. LTD.
Inventors: Corneliu-Ilie Calciu, Radu M. Iorga, George-Andrei Stanescu, Bogdan Chifor
-
Publication number: 20210409373
Abstract: A method for link layer authentication includes receiving, at an edge network access node, a link layer authentication packet from a client, seeking network access, using a remote NAS agent running on the edge network access node. The method transmits, using a tunneling connection, the link layer authentication packet to a remote NAS in a link layer authentication process. The link layer authentication process exchanges the link layer authentication packet with an authentication server to authenticate the client. The method includes receiving a link layer authentication packet from the remote NAS over the tunneling connection. The received link layer authentication packet includes a response from the authentication server regarding the transmitted link layer authentication packet.
Type: Application
Filed: June 26, 2020
Publication date: December 30, 2021
Inventors: BOGDAN CHIFOR, GEORGE-ANDREI STANESCU, RADU IORGA, CORNELIU-ILIE CALCIU
-
Publication number: 20210409339
Abstract: An apparatus includes a message receiver circuit that receives, at a port of a network node, a message from a neighboring network node. The message includes a maximum transmission unit (“MTU”) of the neighboring network node. The network nodes communicate using a layer-2 protocol. The apparatus includes a comparison circuit that determines if the received MTU is larger than an MTU for the port, and an approval circuit that, after determining that the received MTU is larger than the port's MTU, determines if the received MTU is supported by the network node. The method includes an increase circuit that, after determining that the received MTU is supported, changes the MTU of the network node's ports to match the received MTU, and a message circuit that, after determining that the received MTU is supported, sends a message with the MTU to network nodes connected to ports of the network node.
Type: Application
Filed: June 30, 2020
Publication date: December 30, 2021
Inventors: Corneliu-Ilie Calciu, George-Andrei Stanescu, Radu M. Iorga, Bogdan Chifor
-
Publication number: 20210409340
Abstract: An apparatus for optimization for Spanning Tree Protocol (“STP”) data network includes an egress filter setting circuit in a first network node that sets an egress filter to discard data packets at an egress port of the first network node connected to a second network node in response to receiving an egress filter bridge protocol data unit (“BPDU”) message from the second network node indicating that a link between the first network node and the second network node is a redundant link. The network nodes are layer-2 STP bridges. The apparatus includes, in the first network node, an egress filter timeout circuit that resets a timer in response to receiving the egress filter BPDU message, and a filter clear circuit that clears the egress filter to allow data packets to be sent from the egress port to the second network node in response to the timer reaching a timeout.
Type: Application
Filed: June 29, 2020
Publication date: December 30, 2021
Inventors: Corneliu-Ilie Calciu, Radu M. Iorga, George-Andrei Stanescu, Bogdan Chifor
-
Publication number: 20210409399
Abstract: A method for authorization of internet of things (“IoT”) identity bootstrapping includes receiving from a device, at a network access server (“NAS”) of a user and in response to an attestation request sent to the device, a vendor network address of a vendor server of a vendor and a device identifier for the device. The method includes authenticating the vendor using the vendor network address and, in response to authenticating the vendor, sending the device identifier to the vendor server. The method includes communicating device attestation packets between the vendor server and the device. The device attestation packets validate the device to the vendor server. The method includes receiving device attestation from the vendor server. The device attestation indicates validity status of the device to the NAS. The method includes, in response to the device attestation indicating validity of the device, transmitting a new device identity to the device.
Type: Application
Filed: June 29, 2020
Publication date: December 30, 2021
Inventors: BOGDAN CHIFOR, GEORGE-ANDREI STANESCU, RADU IORGA, CORNELIU-ILIE CALCIU