Abstract: An application programming interface (API) supporting server and key based networking is described. In an embodiment, the API receives either a key or a server address from a service running on a server in a direct-connect topology and returns data which identifies suitable next hops for transmission of a packet of data which has a destination of the received server address or of a server address which is encoded within the received key. In another embodiment, the key also encodes information specifying alternative server addresses for use in the event that the original server is unreachable. This information may also be used to define servers for replication of the key. A further embodiment describes a method of queuing packets for transmission against multiple links, where the packet is transmitted on the first available link and at this time is removed from the queues for the other links.

Abstract: Resource control for virtual datacenters is described, for example, where a plurality of virtual datacenters are implemented in a physical datacenter to meet guarantees. In examples, each virtual datacenter specifies a plurality of different types of resources having throughput guarantees which are met by computing, for individual flows of the virtual data centers implemented in the physical datacenter, a flow allocation. For example, a flow allocation has, for each of a plurality of different types of physical resources of the datacenter used by the flow, an amount of the physical resource that the flow can use. A flow is a path between endpoints of the datacenter along which messages are sent to implement a service. In examples, the flow allocations are sent to enforcers in the datacenter, which use the flow allocations to control the rate of traffic in the flows.

Abstract: Controlling data storage input/output requests is described, for example, to apply a policy to an end-to-end flow of data input/output requests between at least one computing entity and at least one store. In various examples a plurality of queues are configured at one or more stages of the end-to-end flow and controlled to adhere to a policy. In examples, each stage has a control interface enabling it to receive and execute control instructions from a controller which may be centralized or distributed. For example, the control instructions comprise queuing rules and/or queue configurations. In various examples queues and queuing rules are dynamically created and revised according to feedback about any of: flow behavior, changes in policy, changes in infrastructure or other factors. In examples, high level identifiers of the flow endpoints are resolved, on a per stage basis, to low level identifiers suitable for use by the stage.

Abstract: An application programming interface (API) supporting server and key based networking is described. In an embodiment, the API receives either a key or a server address from a service running on a server in a direct-connect topology and returns data which identifies suitable next hops for transmission of a packet of data which has a destination of the received server address or of a server address which is encoded within the received key. In another embodiment, the key also encodes information specifying alternative server addresses for use in the event that the original server is unreachable. This information may also be used to define servers for replication of the key. A further embodiment describes a method of queuing packets for transmission against multiple links, where the packet is transmitted on the first available link and at this time is removed from the queues for the other links.

Abstract: An application programming interface (API) supporting server and key based networking is described. In an embodiment, the API receives either a key or a server address from a service running on a server in a direct-connect topology and returns data which identifies suitable next hops for transmission of a packet of data which has a destination of the received server address or of a server address which is encoded within the received key. In another embodiment, the key also encodes information specifying alternative server addresses for use in the event that the original server is unreachable. This information may also be used to define servers for replication of the key. A further embodiment describes a method of queuing packets for transmission against multiple links, where the packet is transmitted on the first available link and at this time is removed from the queues for the other links.

Abstract: Controlling data storage input/output requests is described, for example, to apply a policy to an end-to-end flow of data input/output requests between at least one computing entity and at least one store. In various examples a plurality of queues are configured at one or more stages of the end-to-end flow and controlled to adhere to a policy. In examples, each stage has a control interface enabling it to receive and execute control instructions from a controller which may be centralized or distributed. For example, the control instructions comprise queuing rules and/or queue configurations. In various examples queues and queuing rules are dynamically created and revised according to feedback about any of: flow behavior, changes in policy, changes in infrastructure or other factors. In examples, high level identifiers of the flow endpoints are resolved, on a per stage basis, to low level identifiers suitable for use by the stage.

Abstract: Methods of classifying a storage traffic stream in a shared storage network are described. In an embodiment, an identifier for the entity generating the stream is generated, where this entity may, for example, indicate a virtual machine, program, session, physical machine, user or process. The identifier is then shared with at least one processing layer along a path of the storage traffic stream between the generating entity and the storage device which stores the file to which the traffic stream relates. In various embodiments, the identifier may then be used by any processing layers which receive it, to selectively handle traffic streams based on the generating entity. The identifier may be shared when the traffic stream is created or subsequently and in various embodiments, the identifier is shared in a second exchange of messages, following the creation of the traffic stream and prior to any other traffic.

Abstract: Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender's private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender's address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.

Abstract: Control of background data transfers is described. In an embodiment, a background data transfer is controlled at a receiver node by measuring a time period taken to receive from a sender node a data sequence of the same size as a receive window. The time period is used to evaluate available network capacity, and the network capacity used to calculate a new window size. The new window size is applied and communicated to the sender node. In another embodiment, a background data transfer is controlled at a receiver node by measuring a quantity of data received from a sender node during a first control interval. The measured quantity is used to evaluate available network capacity, and the network capacity used to calculate a new receive window size and a second control interval duration. The new window size is applied for the second control interval, and communicated to the sender node.

Abstract: An application programming interface (API) supporting server and key based networking is described. In an embodiment, the API receives either a key or a server address from a service running on a server in a direct-connect topology and returns data which identifies suitable next hops for transmission of a packet of data which has a destination of the received server address or of a server address which is encoded within the received key. In another embodiment, the key also encodes information specifying alternative server addresses for use in the event that the original server is unreachable. This information may also be used to define servers for replication of the key. A further embodiment describes a method of queuing packets for transmission against multiple links, where the packet is transmitted on the first available link and at this time is removed from the queues for the other links.

Abstract: Control of background data transfers is described. In an embodiment, a background data transfer is controlled at a receiver node by measuring a time period taken to receive from a sender node a data sequence of the same size as a receive window. The time period is used to evaluate available network capacity, and the network capacity used to calculate a new window size. The new window size is applied and communicated to the sender node. In another embodiment, a background data transfer is controlled at a receiver node by measuring a quantity of data received from a sender node during a first control interval. The measured quantity is used to evaluate available network capacity, and the network capacity used to calculate a new receive window size and a second control interval duration. The new window size is applied for the second control interval, and communicated to the sender node.

Abstract: Methods of enabling user-mode prototypes in kernel-mode protocol stacks are described. A protocol stack comprises a set of kernel-mode modules. The protocol stack defines a data path for packets. At least one interception point is defined in a kernel-mode module at which a packet can be intercepted and/or inserted. In an embodiment, each packet intercepted at the interception point, or a copy of said packet, is sent to a user-mode module. The user-mode module processes the packet in some way and then returns the packet to the same, or a different, interception point in the data path. In this way, a user-mode module (which is easier to program) can be used to prototype functionality of a kernel-mode module without requiring kernel-mode code to be written.

Abstract: A system and method for authentication verifies the address of an information sender based on the sender's address, public key, and a digital signature. A portion of the sender's address is derived from the public key, such as by incorporating a portion of a hash of the public key with or without a modifier. The sender provides information including content data, the public key, the address, and the digital signature generated using the private key corresponding to the public key. Upon reception, the recipient verifies the address by recreating it from the public key. The signature is verified using the network address and public key. The recipient accepts the content data when both the address and signature are verified. The content data may include a communications parameter of the sender, such as a care-of address where the sender is a mobile device and the recipient is the sender's home agent.

Abstract: Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender's private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender's address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.

Abstract: Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender's private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender's address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.

Abstract: Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender's private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender's address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.

Abstract: A system and method for authentication verifies the address of an information sender based on the sender's address, public key, and a digital signature. A portion of the sender's address is derived from the public key, such as by incorporating a portion of a hash of the public key with or without a modifier. The sender provides information including content data, the public key, the address, and the digital signature generated using the private key corresponding to the public key. Upon reception, the recipient verifies the address by recreating it from the public key. The signature is verified using the network address and public key. The recipient accepts the content data when both the address and signature are verified. The content data may include a communications parameter of the sender, such as a care-of address where the sender is a mobile device and the recipient is the sender's home agent.