Abstract: A packet header in a source routed network is augmented to include, with each hop identifier, at least one bit for indicating congestion at the particular hop. As the packet traverses from the source to the destination, when congestion is detected at a hop, a congestion bit associated with the hop is set in the header. At the destination, when another packet is forwarded from the destination to the source on the same path, the congestion bits are reflected back to the source. When the source receives the congestion bits, it has the option of re-routing subsequent communications between the source and destination nodes by generating a new hop list, which routes around one or more of the congested hops.

Abstract: CE devices of the present invention are enabled to make more judicious routing decisions in CE-based VPNs. In determining a next-hop in a path from a source CE to a destination subnet, CE-to-CE costs are associated with each next-hop CE in a plurality of next-hop CEs. Each CE-to-CE cost is a cost of a path from the source CE to the associated next-hop CE. CE-to-subnet costs are associated with each of the next-hop CEs. Each CE-to-subnet cost is a cost of a path from the associated next-hop CE to the destination subnet. Total-costs are associated with each of the next-hop CEs. Each total-cost is a sum of a CE-to-CE cost associated with a next-hop CE and a CE-to-subnet cost associated with the same next-hop CE. The next-hop in the path is set to be a next-hop CE associated with an associated total-cost.

Abstract: A packet header in a source routed network is augmented to include, with each hop identifier, at least one bit for indicating congestion at the particular hop. As the packet traverses from the source to the destination, when congestion is detected at a hop, a congestion bit associated with the hop is set in the header. At the destination, when another packet is forwarded from the destination to the source on the same path, the congestion bits are reflected back to the source. When the source receives the congestion bits, it has the option of re-routing subsequent communications between the source and destination nodes by generating a new hop list, which routes around one or more of the congested hops.

Abstract: Described are a method and system for establishing a secure communication session with third-party access at a later time. A first communication subsession is established between two original devices using a first key generated by a two-party key and security association protocol. At least one of the original devices is established as a group key server. A request from a joining device to join the secure communication session is received and a second communication subsession is established between the original devices using a second key generated by the two-party key and security association protocol. The second key is provided to the joining device to enable participation in the second communication subsession.

Abstract: A key selection process is provided which secures traffic between VPN end-points using a combination of SVPN group keys and pair-wise keys. The type of key used is based on the dynamic needs of traffic between the end-points, where the needs may include throughput and quality of service. SVPN group keys allow end-points in a group to initiate data communications while obtaining pair-wise keys in the background. Once pair wise keys are obtained, communications can be transferred using the obtained keys. As the throughput, quality of service, routing and other needs of the channel change, the type of keys used for data transfer may concomitantly change between SVPN group keys and pair-wise keys to appropriately utilize network resources. The key selection idea may be extended to allow communication through a hub using a group key while establishing pair-wise channels for group member communications in the background.

Abstract: Domain-wide unique node identifiers and domain-wide unique service identifiers are distributed within a MPLS domain using routing system LSAs. Nodes on the MPLS network compute shortest path trees for each destination and install unicast forwarding state based on the calculated trees. Nodes also install multicast connectivity between nodes advertising common interest in a common service identifier. Rather than distributing labels to be used in connection with unicast and multicast connectivity, the nodes deterministically calculate the labels. Any number of label contexts may be calculated. The labels may either be domain wide unique per unicast path or per multicast, or may be locally unique and deterministically calculated to provide forwarding context for the associated path. Multicast and unicast paths may be congruent, although this is not a requirement.

Abstract: Ethernet provider backbone transport (PBT) paths are controlled utilizing Generalized Multi-protocol Label Switching (GMPLS) signaling protocol. A path between edge nodes is identified by a combination of a VID and destination MAC address in a VID/MAC tuple populated in the forwarding tables of intermediary nodes. To establish the PBT path, a path calculation is performed from the originator node to the terminator node through the network. The originating node then sends a GMPLS label object with a suggested VID/MAC to identify the path to the terminator. The intermediary nodes or bridges forward the object to the terminating node. The terminating node then offers a VID/MAC tuple in a GMPLS label object in response. When the intermediary nodes forward the response from the terminating node to the originator, the appropriate forwarding labels are then installed in the forwarding tables of each node utilizing the associated VID/MAC tuples.

Abstract: Optical By-Pass (OBP) links may be created by adding wavelengths between nodes on the network. The OBP may extend between any pair of nodes on the network. Intermediate nodes on the OBP are transient nodes and simply forward traffic optically. An OBP extends between a pair of nodes and, unlike express links, is created in such a manner that it does not affect the previous allocation of resources on the network. This enables capacity to be added between pairs of nodes on the network to alleviate congestion at a portion of the network, without changing other traffic patterns on the network. This enables inclusion of an OBP to be deterministic and of linear impact on the network. The OBP links may be statically provisioned or created on demand. Optionally, the OBP links may be crated to coincide with PBB-TE tunnels on the network.

Abstract: A generalized virtual router is disclosed. A routing and switching apparatus includes a switching fabric and a matrix of switching and routing elements. At least some of the elements are interconnected by the switching fabric. A router control provides control for the switching fabric. The apparatus has both cross-connect and routing functionality.

Abstract: Source-implemented constraint-based routing with source routing enables traffic engineering to be performed and reservations to be made within a domain without requiring constraint information and reservation information to be disseminated to all nodes in the domain. In one embodiment, a focal node maintains a table containing metrics of links and connection reservations through the domain. When a connection is to be added, the focal node determines a path, given the constraints reflected in the table, and allocates resources on the links forming the path. The table is updated, and the path is used to generate headers for traffic associated with the connection. Traffic from the nodes toward the focal point follow the reverse path. If a node or link fails, connections carried through the failure are identified, reservations on links associated with the connections are released, and new reservations are made taking into account the new network topology.

Abstract: Routing information may be provided to VPN sites on demand to allow smaller VPN sites with smaller routing tables to communicate directly with other VPN sites. This allows the meshed VPN architecture to scale to a size larger than where each VPN site is required to store routing information for all other VPN sites. A route server is instantiated on the network, optionally in connection with a Group Controller Key Server, to manage distribution of routes on the network and to provide routes to VPN sites on demand. As routes are learned by the VPN sites they are advertised to the route server, which selectively advertises the routes to other VPN sites depending on the per-site preferences. When a VPN site needs routing information to communicate with another VPN site, the network element will check its routing table for the route, and if the route is not available, will obtain the route on-demand from the route server.

Abstract: Method and apparatus that enable secure transmission of data in a scalable private network are described. Each station that is to be part of a private network registers with a key table. A group security association associated with the private network is forwarded to each trusted ingress and egress point that communicates with each member of the private network. When a member of the private network seeks to communicate with another member, it simply forwards the communication to the trusted ingress point. The trusted ingress point uses the security association associated with the private network to transform the communication and forwards the transformed communication through other intermediate stations in the network until it reaches a trusted egress point. The trusted egress point uses the stored security association to decode the transformed communication and forwards the communication to the appropriate destination.

Abstract: Each member of a group registers with the Security/Routing (S/R) device 30 and receives a Group Security Association (GSA) associated with the group. The member may register as part of a group by identifying the group and the other members. Alternatively, Routing Functionality auto-discovers the other members of the group. AS members are identified, Routing functionality reflects the routes of all members in the group to all other members of the group. The forwarding of the routes to the respective group members may be secured via the GSA associated with the group. Each member can forward communication directly to the group members, securing the communication using the group SA and standard tunneling techniques (such as IPsec, GRE, MPLS, etc.). Thus the S/R provides a mechanism for private networks to be built on top of an existing network without modification of any existing network components and much more scalable in operation and configuration than individual IP sec tunnels.

Abstract: Method and apparatus that enable secure transmission of data in a scalable private network are described. Each station that is to be part of a private network registers with a key table. A group security association associated with the private network is forwarded to each trusted ingress and egress point that communicates with each member of the private network. When a member of the private network seeks to communicate with another member, it simply forwards the communication to the trusted ingress point. The trusted ingress point uses the security association associated with the private network to transform the communication and forwards the transformed communication through other intermediate stations in the network until it reaches a trusted egress point. The trusted egress point uses the stored security association to decode the transformed communication and forwards the communication to the appropriate destination.

Abstract: Method and apparatus that enable secure transmission of data in a scalable private network are described. Each station that is to be part of a private network registers with a key table. A group security association associated with the private network is forwarded to each trusted ingress and egress point that communicates with each member of the private network. When a member of the private network seeks to communicate with another member, it simply forwards the communication to the trusted ingress point. The trusted ingress point uses the security association associated with the private network to transform the communication and forwards the transformed communication through other intermediate stations in the network until it reaches a trusted egress point. The trusted egress point uses the stored security association to decode the transformed communication and forwards the communication to the appropriate destination.

Abstract: A technique for resource distribution using an auto-discovery mechanism for Provider-Provisioned Layer-2 and Layer-3 Virtual Private Networks. In one particular exemplary embodiment, the technique may be realized by a method for establishing a Virtual Private Network (VPN) tunnel between a first provider edge (PE) device and a second (PE) device of a provider-provisioned VPN. The method may comprise advertising at least one tunnel-based parameter to one or more PE devices over a network backbone using an auto-discovery mechanism, the one or more PE devices including at least one of the first and second PE devices. The method further may comprise configuring a VPN tunnel between the first and second PE devices based at least in part on the at least one tunnel-based parameter.

Abstract: Sensor network routing uses distance information of sensors relative to a collector node, optionally along with non-unique key information, to route broadcasts from addressless sensors to a selected addressless collector. Distance calculation messages (DCMs) are used to set distance values on sensors relative to collectors. The distance values enable messages to propagate toward collectors to reduce the number of broadcasts. Self-assigned key information may be added to DCMs propagating in the network to enable routes to be determined through the network without assigning addresses to the participants. By storing the key information associated with the route, and causing sensors to only rebroadcast a message if the message contains a matching key at the matching distance position, broadcast paths may be created on the network. Optionally, diverse collectors and paths may be selected on the network by exchanging traffic condition indications and preferentially selecting paths with better traffic conditions.

Abstract: Refresh and filtering mechanisms for LDP based VPLS and L2VPN solutions are disclosed. A method for improving information communication in a network is achieved by these refresh and filtering mechanisms. The network includes provider edge devices which can communicate with each other. The provider edge devices run a communications protocol. The method includes a step of using the communications protocol in providing a first of the provider edge devices with a list of layer-2 virtual private network instances to which a second of the provider edge devices belongs. Another step in the method is filtering layer-2 virtual private network information to be communicated to the second provider edge device from the first provider edge device by reference to the layer-2 virtual private network instances to which the second provider edge device belongs.

Abstract: A method and apparatus for summarizing port viability information in a communication network. A port viability summarization in the form of a table or matrix is established for ports in the communication network in which the port viability summarization is used to establish links to use along a routing path. A routing path is determined using the port viability summarization. A failed route establishment for the routing path is detected. The amount of summarization is decreased for at least one port determined to have a non-viable link.

Abstract: A network resource is allocated to a data path by determining if a sufficient amount of the network resource is available in a network path to accommodate the data path, and obtaining a cost associated with using the network resource available in the network path for the data path. It is decided whether to allocate the network resource in the network path to the data path based on the amount of the network resource and the cost associated with using the network resource. One representative example of the data path is a label switched path (LSP) on a multiprotocol label switching (MPLS) network.