Abstract: Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.

Abstract: Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.

Abstract: Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.

Abstract: Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.

Abstract: A LPM search engine includes a plurality of exact match (EXM) engines and a moderately sized TCAM. Each EXM engine uses a prefix bitmap scheme that allows the EXM engine to cover multiple consecutive prefix lengths. Thus, instead of covering one prefix length L per EXM engine, the prefix bitmap scheme enables each EXM engine to cover entries having prefix lengths of L, L+1, L+2 and L+3, for example. As a result, fewer EXM engines are potentially underutilized, which effectively reduces quantization loss. Each EXM engine provides a search result with a determined fixed latency when using the prefix bitmap scheme. The results of multiple EXM engines and the moderately sized TCAM are combined to provide a single search result, representative of the longest prefix match. In one embodiment, the LPM search engine supports 32-bit IPv4 (or 128-bit IPv6) search keys, each having associated 15-bit level 3 VPN identification values.

Abstract: The present invention provides a system, apparatus and method for providing point-to-point inter-chassis connections within chassis systems and/or network nodes. Multi-chassis systems within a network employ a protocol wherein a peer discovery process is initiated and the discovered neighbors are authentically verified before establishing an active state between point-to-point inter-chassis links.

Abstract: A LPM search engine includes a plurality of exact match (EXM) engines and a moderately sized TCAM. Each EXM engine uses a prefix bitmap scheme that allows the EXM engine to cover multiple consecutive prefix lengths. Thus, instead of covering one prefix length L per EXM engine, the prefix bitmap scheme enables each EXM engine to cover entries having prefix lengths of L, L+1, L+2 and L+3, for example. As a result, fewer EXM engines are potentially underutilized, which effectively reduces quantization loss. Each EXM engine provides a search result with a determined fixed latency when using the prefix bitmap scheme. The results of multiple EXM engines and the moderately sized TCAM are combined to provide a single search result, representative of the longest prefix match. In one embodiment, the LPM search engine supports 32-bit IPv4 (or 128-bit IPv6) search keys, each having associated 15-bit level 3 VPN identification values.

Abstract: A system, apparatus and method are described for displaying multiple attributes relative to objects in a network management program. In one embodiment, multiple attributes from a plurality of different standards are coalesced together and the coalesced attributes are displayed by a user interface. These coalesced attributes may be shown in such a manner so that inconsistencies between attributes of objects from different standards are reduced or obviated.

Abstract: A system, apparatus, and method for providing a plurality of internal VLANs within a networking element/node are described. Internal VLAN topologies are provisioned so that a particular VLAN(S) communicate traffic to corresponding applications. This segregation of internal traffic across a VLAN topology reduces the amount of interference between the traffic. Redundancy across the VLAN topology is provided so that traffic may be switched to another path in the event of a failure.

Abstract: A system, apparatus and a method are described that synchronizes multiple element management systems with a network element. The synchronization between the management entities within the element is maintained by employing special attributes, such as sentry identification for managed objects and guard attributes for managed object tables. Using these attributes, resynchronization between the management systems is improved by reducing the amount of data retrieved by the systems and reducing the processing load caused by the resynchronization process.

Abstract: A system, apparatus and a method are described that synchronizes multiple element management systems with a network element. The synchronization between the management entities within the element is maintained by employing special attributes, such as sentry identification for managed objects and guard attributes for managed object tables. Using these attributes, resynchronization between the management systems is improved by reducing the amount of data retrieved by the systems and reducing the processing load caused by the resynchronization process.

Abstract: A system, apparatus and method are described for displaying multiple attributes relative to objects in a network management program. In one embodiment, multiple attributes from a plurality of different standards are coalesced together and the coalesced attributes are displayed by a user interface. These coalesced attributes may be shown in such a manner so that inconsistencies between attributes of objects from different standards are reduced or obviated.

Abstract: A system, apparatus, and method for providing a plurality of internal VLANs within a networking element/node are described. Internal VLAN topologies are provisioned so that a particular VLAN(S) communicate traffic to corresponding applications. This segregation of internal traffic across a VLAN topology reduces the amount of interference between the traffic. Redundancy across the VLAN topology is provided so that traffic may be switched to another path in the event of a failure.

Abstract: The present invention provides a system, apparatus and method for providing point-to-point inter-chassis connections within chassis systems and/or network nodes. Multi-chassis systems within a network employ a protocol wherein a peer discovery process is initiated and the discovered neighbors are authentically verified before establishing an active state between point-to-point inter-chassis links.