Abstract: A controller may fulfill hardware address requests that are sent by source end hosts in a network to discover hardware addresses of destination end hosts. The controller may use network topology information to determine how to process the hardware address requests. The controller may retrieve a requested hardware address from a database of end hosts. If the controller is able to retrieve the hardware address of a destination end host from the database of end hosts, the controller may provide the source end host with a reply packet that contains the requested hardware address. If the controller is unable to retrieve the requested hardware address, the controller may form request packets to discover the address of the second end host and/or to discover a packet forwarding path between the source end host and the destination end host.

Abstract: A system that supports cryptographic web services is provided. A program running on program computing equipment may call a local cryptographic function. A web services interface such as a simple object access protocol interface on the program computing equipment makes a corresponding remote cryptographic function call to a web services interface such as a simple object access protocol interface at a cryptographic web service over a communications network such as the internet. At the cryptographic web service, a cryptographic engine implements cryptographic operations such as encryption and decryption operations. After successful authentication of the calling program, the cryptographic engine produces results for the remotely cryptographic function and returns the results to the program over the communications network.

Abstract: A controller may control client switches in a network including client and non-client switches. The controller may maintain a link discovery table including entries that identify links between client switches. The controller may classify the links as direct or broadcast links. To classify links of the link discovery cable, the controller may direct client switches to send broadcast and directed discovery packets from switch ports. Client switches that receive the discovery packets from other client switches may forward the discovery packets to the controller. The controller may use the discovery packets to classify the links of the link discovery table. The controller may classify ports as broadcast or regular ports based on the classified links. Non-client broadcast domains of the network topology may be identified from the broadcast ports using the broadcast and direct links of the link discovery table.

Abstract: A controller may control client switches in a network including client and non-client switches. The controller may maintain a link discovery table including entries that identify links between client switches. The controller may classify the links as direct or broadcast links. To classify links of the link discovery table, the controller may direct client switches to send broadcast and directed discovery packets from switch ports. Client switches that receive the discovery packets from other client switches may forward the discovery packets to the controller. The controller may use the discovery packets to classify the links of the link discovery table. The controller may classify ports as broadcast or regular ports based on the classified links. Non-client broadcast domains of the network topology may be identified from the broadcast ports using the broadcast and direct links of the link discovery table.

Abstract: A controller may control client switches in a network including client and non-client switches. The controller may maintain a link discovery table including entries that identify links between client switches. The controller may classify the links as direct or broadcast links. To classify links of the link discovery table, the controller may direct client switches to send broadcast and directed discovery packets from switch ports. Client switches that receive the discovery packets from other client switches may forward the discovery packets to the controller. The controller may use the discovery packets to classify the links of the link discovery table. The controller may classify ports as broadcast or regular ports based on the classified links. Non-client broadcast domains of the network topology may be identified from the broadcast ports using the broadcast and direct links of the link discovery table.

Abstract: A system that supports cryptographic web services is provided. A program running on program computing equipment may call a local cryptographic function. A web services interface such as a simple object access protocol interface on the program computing equipment makes a corresponding remote cryptographic function call to a web services interface such as a simple object access protocol interface at a cryptographic web service over a communications network such as the internet. At the cryptographic web service, a cryptographic engine implements cryptographic operations such as encryption and decryption operations. After successful authentication of the calling program, the cryptographic engine produces results for the remotely cryptographic function and returns the results to the program over the communications network.

Abstract: A network may include network switches with network switch ports that may be coupled to end hosts. The network switches may be controlled by a controller such as a controller server. Virtual switches may be formed using the controller from groups of the network switch ports and the end hosts. Each virtual switch may include virtual interfaces associated with end hosts or network switches. Virtual links may be formed that define network connections between the virtual interfaces and end hosts or between two virtual interfaces. Virtual network policies such as selective packet forwarding, packet dropping, packet redirection, packet modification, or packet logging may be implemented at selected virtual interfaces to control traffic through the communications network. The controller may translate the virtual network policies into network switch forwarding paths that satisfy the virtual network policies.

Abstract: A network may include switches that have controller clients that are controlled from one or more controller servers. Clusters of the switches that have the controller clients may be isolated from other clusters by switches without the controller clients. The controller server may use graph searches to identify the clusters. The controller server may use information on the cluster topology of switches containing controller clients along with information in per-switch forwarding databases to generate per-cluster forwarding databases. The controller server may use the per-cluster forwarding databases in generating flow tables for the network switches that direct the switches to forward packets along desired paths through the network.

Abstract: Network switches may be configured using flow tables. Flow table entries may contain header fields and associated actions. When a packet is received by a network switch, the network switch can compare fields in the packet to fields in the flow table entries and can take corresponding actions when matches are detected. A controller server can determine the topology of a network and can gather information on the capacities of network switches and other network switch capabilities. Based on this information and network configuration rules, the controller server can generate flow tables for the network switches that direct the switches to forward packets along desired paths through the network. The flow table entries for switches that are nearer the network core can be provided with more wildcarding than switches nearer the network edge. Traffic can be forwarded through encapsulation and deencapsulation engines to allow tunneling between isolated network domains.

Abstract: A user who is browsing the web may use a web site verification service to ascertain whether a web site that appears to be associated with a trusted entity is actually associated with that entity. The web site verification service retains the URL of an unauthenticated web site. The user types a text string naming the entity that the user believes should be associated with the web site into a text box. A database such as an internet search engine database or a database containing a list of trusted entities and their URLs may be queried using the user-supplied text string. The retained URL may be compared to the resulting list of URLs. If the retained URL does not match one of the URLs in the query results, the user may be warned that the web site does not appear to be associated with the trusted entity.

Abstract: Systems and methods are provided for using digital signatures to help distinguish legitimate email from known or trusted organizations from unsolicited email or forged email. Digital signatures may be used in an email body, mail header, or embedded links. The signatures may be verified by a recipient or internet service provider and may be used in conjunction with spam filtering applications.

Abstract: A system is provided that uses cryptographic techniques to support secure messaging between senders and recipients. A sender may encrypt a message for a recipient using the recipient's public key. The sender may send the encrypted message to the message address of a given recipient. A server may be used to decrypt the encrypted message for the recipient, so that the recipient need not install a decryption engine on the recipient's equipment.

Abstract: Systems and methods are provided for using digital signatures to help distinguish legitimate email from known or trusted organizations from unsolicited email or forged email. Digital signatures may be used in an email body, mail header, or embedded links. The signatures may be verified by a recipient or internet service provider and may be used in conjunction with spam filtering applications.

Abstract: Network switches that are controlled by a controller server may contain ports through which network packets are received and forwarded. An architect may configure the controller server to create virtual switches. Each virtual switch may be formed from a subset of the ports of the network switches. The architect may assign administrators to the virtual switches. The administrators may configure the virtual switches. An administrator may use a command line interface to configure a virtual switch. The administrator may use commands such as a show port command, an access list command, a show access list command, and a membership rule command to manage the virtual switch. The controller server may prevent the administrator from logging on to virtual switches that have been assigned to other administrators.

Abstract: A network may include network switches with network switch ports that may be coupled to end hosts. The network switches may be controlled by a controller such as a controller server. Virtual switches may be formed using the controller from groups of the network switch ports and the end hosts. Each virtual switch may include virtual interfaces associated with end hosts or network switches. Virtual links may be formed that define network connections between the virtual interfaces and end hosts or between two virtual interfaces. Virtual network policies such as selective packet forwarding, packet dropping, packet redirection, packet modification, or packet logging may be implemented at selected virtual interfaces to control traffic through the communications network. The controller may translate the virtual network policies into network switch forwarding paths that satisfy the virtual network policies.

Abstract: Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient.

Abstract: Network switches that are controlled by a controller server may contain ports through which network packets are received and forwarded. An architect may configure the controller server to create virtual switches. Each virtual switch may be formed from a subset of the ports of the network switches. The architect may assign administrators to the virtual switches. The administrators may configure the virtual switches. An administrator may use a command line interface to configure a virtual switch. The administrator may use commands such as a show port command, an access list command, a show access list command, and a membership rule command to manage the virtual switch. The controller server may prevent the administrator from logging on to virtual switches that have been assigned to other administrators.

Abstract: A system is provided that uses cryptographic techniques to support secure messaging between senders and recipients. A sender may encrypt a message for a recipient using the recipient's public key. The sender may send the encrypted message to the message address of a given recipient. A server may be used to decrypt the encrypted message for the recipient, so that the recipient need not install a decryption engine on the recipient's equipment.

Abstract: Network switches may be configured using flow tables. Flow table entries may contain header fields and associated actions. When a packet is received by a network switch, the network switch can compare fields in the packet to fields in the flow table entries and can take corresponding actions when matches are detected. A controller server can determine the topology of a network and can gather information on the capacities of network switches and other network switch capabilities. Based on this information and network configuration rules, the controller server can generate flow tables for the network switches that direct the switches to forward packets along desired paths through the network. The flow table entries for switches that are nearer the network core can be provided with more wildcarding than switches nearer the network edge. Traffic can be forwarded through encapsulation and deencapsulation engines to allow tunneling between isolated network domains.

Abstract: Systems and methods for secure messaging are provided. A sender may encrypt content and send the encrypted content to a recipient over a communications network. The encrypted content may be decrypted for the recipient using a remote decryption service. Encrypted message content may be placed into a markup language form. Encrypted content may be incorporated into the form as a hidden form element. Form elements for collecting recipient credential information such as username and password information may also be incorporated into the form. At the recipient, the recipient may use the form to provide recipient credential information to the remote decryption service. The recipient may also use the form to upload the encrypted content from the form to the decryption service. The decryption service may provide the recipient with access to a decrypted version of the uploaded content over the communications network.