Abstract: A Dynamic Hierarchical Address Resource Management Architecture (DHARMA) coordinates a logical hierarchy of address spaces with a virtual topology of network elements using a manageable database environment. Address spaces are apportioned into hierarchical levels in accordance with a network policy. Network elements may be represented as objects, coupled via the logical address space. Both address space hierarchy definition and virtual topology modelling may occur independent from actual network deployment. As a result, multiple address space hierarchy definitions and virtual topologies can be pre-generated and stored for selective use during network deployment. With such an arrangement, a flexible addressing architecture is provided which may advantageously be used in any network that desires dynamic network configuration.

Abstract: A method, system and apparatus for allowing media context sensitive SIP signaling exchange and call establishment while denying or challenging any other session description protocol extension dialogs which might not be desired by a user. User client media policy preferences are defined, the user media policy preferences establishing the parameters for evaluating a media session request received by a user client. The user client media policy preferences are provided to a policy enforcement point device, the policy enforcement point device evaluating the media session request received by the user client and applying the user client media policy preferences to the media session request. A user client portal is utilized to gain access to a media policy database, the media policy database providing storage for user client media policy preferences.

Abstract: This invention provides a method, system and apparatus for allowing media context sensitive SIP signaling exchange (such as voice) and call establishment while denying or challenging any other session description protocol (“SDP”) extension dialogs which might not be desired (such as instant messaging, video, Web broadcasting or pushing, data and/or application sharing and the like) by a user. The method and apparatus may further include defining user client media policy preferences, the user media policy preferences establishing the parameters for evaluating a media session request received by a user client, and providing the user client media policy preferences to a policy enforcement point device, the policy enforcement point device evaluating the media session request received by the user client and applying the user client media policy preferences to the media session request.

Abstract: The present invention advantageously provides a method, system and apparatus for allocating addresses to secure unique local networks by providing a brokered federated policy and identity management system, the brokered federated policy and identity management system having an address domain manager that allocates network addresses, the address domain manager arranged to interoperate with a network identity management module, the network identity management module providing management of identity at an application level, receiving an authorization from the brokered federated policy and identity management system, and assigning a network address to a unique local network based on the authorization from the brokered federated policy and identity management system. The method, system and apparatus may further include authenticating a user, wherein authenticating a user includes passing an assertion token to a device of the user.

Abstract: End-to-end security is established automatically for network communications. In one embodiment a first host is associated with a policy manager that determines, for the first host, whether a secure session is permissible. If the secure session is determined to be permissible then the policy manager signals to intermediate devices in order to prompt establishment of SA/DA pinholes. In an alternative embodiment a neutral policy broker determines, for both first and second hosts, whether the secure session is permissible and signals to the intermediate devices to establish the pinholes if the secure session is permissible. In another embodiment the end-to-end session includes back-to-back tunnel mode sessions linked by at least one intermediate device. The intermediate device is operative to decrypt and re-encrypt traffic in the session, and may be configured by a policy manager or policy broker.

Abstract: A method and system for transmitting packets having a first address length on a core network supporting a second address length, where the second address length is larger than the first address length by determining a length of the first address and establishing an offset to the first address such that a combined length of the offset, length of a network prefix for the second address and length of the first address equals the length of the second address. The method and system of the present invention can be implemented as an enhancement to existing network protocols such as IPv4, IPv6 and the like.