Abstract: Preventing duplicate sources in a network that uses network address port translation on an established connection. In response to receiving an inbound packet at a destination host, input values are obtained therefrom and used to consult a mapping. If no match is found, a translation is performed, whereby a determination is made as to whether or not a port number is available within a range of port numbers that comply with a security association governing the connection. If so, an available port number is assigned to the connection, thereby avoiding a possibility of a duplicate source. If a port number is not available, the packet is rejected.

Abstract: Preventing duplicate sources on a protocol connection that uses network addresses, protocols and port numbers to identify connections that include port number translation. In response to an inbound IPsec packet from a remote source client, a determination is made as to whether or not a port number is available within a range of port numbers that comply with a security association governing the connection. If so, an available port number is assigned to the connection, thereby avoiding a possibility of a duplicate source. If a port number is not available, the packet is rejected.

Abstract: Preventing duplicate sources on a protocol connection that uses network addresses, protocols and port numbers to identify connections that include port number translation. In response to an inbound IPsec packet from a remote source client, a determination is made as to whether or not a port number is available within a range of port numbers that comply with a security association governing the connection. If so, an available port number is assigned to the connection, thereby avoiding a possibility of a duplicate source. If a port number is not available, the packet is rejected.

Abstract: The invention determines if a security association (SA) extends end-to-end between a source node originating a connection and a destination node. In such a case, there will be no ambiguities in routing due to network address translation, and the SA is allowed. In the preferred embodiment, both end nodes of a security connection test themselves and the remote node for gateway status to determine if any ambiguities might exist in network routing due to the presence of a network address translator.

Abstract: Preventing duplicate sources on a protocol connection that uses network addresses, protocols and port numbers to identify source applications that are served by a NAPT. If an arriving packet encapsulates an encrypted packet and has passed through an NAPT en route to the destination host, the encapsulated packet is decrypted to obtain an original source port number and original packet protocol from the decrypted packet. A source port mapping table (SPMT) is searched for an association between the NAPT source address, the original source port, and the original packet protocol associated with the NAPT source address and port number. If an incorrect association is found, the packet is rejected as representing an illegal duplicate source; that is, a second packet from a different host served by a NAPT that is USING the same SOURCE port and protocol.

Abstract: Ipsec rules are searched in order from rules containing the most specificity to those containing the least specificity of attributes. The static rules include placeholders for sets of dynamic rules. Dynamic rules are searched only if a placeholder is the first matching rule in the static table. Sets of dynamic rules are partitioned into separate groups. Within each group there is no rule order dependence. Each such group is searched with an enhanced search mechanism, such as a search tree. For connection oriented protocols, security rule binding information is stored in association with the connection. This allows the searching of the rules to be performed only when a connection is first established. If a static or dynamic rule is changed during a connection, a search is repeated. For selected connectionless protocols, packets are treated as if they were part of a simulated connection.

Abstract: Ipsec rules are searched in order from rules containing the most specificity of attributes to those containing the least specificity of attributes. The static rules include placeholders for sets of dynamic rules. The placeholders in the static table immediately precede and point to an associated set of dynamic rules. Dynamic rules are searched only if a placeholder is found to be the first matching rule in the static table. Sets of dynamic rules are partitioned into separate groups. Within each group there is no rule order dependence. Each such group is searched with an enhanced search mechanism, such as a search tree. Searching is further improved by searching at layers higher than the IP layer.

Abstract: A shared file computer system has multiple users, and two or more transactions established by the users may contend for the same resource. Such contention may result in a deadlock condition. To search for such deadlocks, the system maintains a lock wait matrix which lists which transactions are waiting on which other transactions. The matrix represents a hierarchical wait tree. A deadlock is present when the top node transaction in the tree also occurs lower in the tree. In such a case, either the top node transaction or any other transaction in the path or branch between the two occurrences of the top node transaction is cancelled to resolve the deadlock represented by this path. However if the intermediary node is cancelled to resolve this deadlock, a similar deadlock can occur in another path and must be resolved also.