Abstract: Techniques for configuring network security include obtaining non-packet flow information, evaluating a policy rule based on the obtained information, and proposing a security arrangement based on the evaluation. The non-packet flow information can include, for example, authentication information obtained during an Internet Key Exchange protocol session or information obtained from a layered service provider. Therefore, policies such as Internet Protocol security (IPsec) policies can be defined and implemented so that they more accurately reflect the network's security requirements.

Abstract: Techniques for configuring network security include obtaining non-packet flow information, evaluating a policy rule based on the obtained information, and proposing a security arrangement based on the evaluation. The non-packet flow information can include, for example, authentication information obtained during an Internet Key Exchange protocol session or information obtained from a layered service provider. Therefore, policies such as Internet Protocol security (IPsec) policies can be defined and implemented so that they more accurately reflect the network's security requirements.

Abstract: A compiler transforms source code into intermediate code and provides the intermediate code to a profiler. The profiler executes the intermediate code. The profiler generates a performance profile that indicates the performance of the intermediate code, and annotates the intermediate code based, at least in part, on data from the performance profile. The compiler receives annotated intermediate code from the profiler and transforms the annotated intermediate code into machine code. Alternatively, the compiler transforms intermediate code to machine code and provides the machine code to a profiler. The profiler executes the machine code and generates a data file that indicates the performance of the machine code. The compiler receives the data file, and modifies the machine code based on the data file.

Abstract: Methods and apparatus for supporting agile run-time network systems via identification and execution of most efficient application binary code in view of changing network traffic conditions. Under one embodiment of the method, respective application binaries are compiled for each of a plurality of profiled system states for a network system, wherein each profiled system state corresponds to a respective workload scenario for the network system. During ongoing run-time operations, the current workload condition for the network system is monitored, and an application binary from amongst the multiple application binaries that is most efficient for the current workload condition is identified, loaded and executed.

Abstract: In general, in one aspect, the disclosure describes a method of determining if a first query for data related to a protocol data unit in a first table is a query to a table merged into a combination table formed from multiple tables. If so, the method can generate a second query for the first query for data stored by the combination table.

Abstract: Embodiments of the present invention relate to a method and system for automatically configuring network processing software to reduce memory latency associated with parallel processing using a plurality of processing elements.

Abstract: This specification describes technologies relating to classifying data packets based on general property ranges. An interval tree is constructed to represent the applicability of rules to non-overlapping ranges of a data classification property. The interval tree can be a binary tree such as a balanced binary tree or red-black tree. To determine which rules apply to a data packet, the data packet property is compared to the intervals in the tree to find a match. To balance the time and space complexity, a heuristics based approach is used for classifying data packets based on general property ranges of more than one data classification property.

Abstract: A method includes receiving a specification for translating a network policy from a first schema to a second, different schema and translating the network policy into the second different schema based on the specification. A network system is configured based on the translated policy.

Abstract: A method of determining a maximum packet size for data packets sent along a network path. A sending computer sends a packet to a receiving computer through a sending interface. The packet is fragmented during transfer to a receiving interface. The fragments are analyzed at the receiving interface and their size determined. The size of a fragment is compared to a pre-determined maximum packet size, and in response to the comparison, the maximum packet size is changed. The change is then reported to the sending interface and stored in a memory. Subsequent communications from the sending interface to the receiving interface are sent in packets of the size stored in the memory. Because the maximum packet size of a network path can change over time, test packets can be sent periodically to determine the maximum packet size.

Abstract: A method and apparatus to perform network path discovery are described.

Abstract: A method and apparatus to determine whether data flow is restricted by a sending node, a receiving node, or by a network. One embodiment of the invention comprises selectively reading a Sequence Number field (SN) and a Data Offset field (DO) from a Transmission Control Protocol (TCP) header in a data packet from a sender to a receiver. Selectively reading a Total Length field (TL) and an Internet Header Length field (IHL) from an Internet protocol (IP) header in the data packet from the sender to the receiver. Selectively reading an Acknowledgment Number field (AN) and a Window field (W) from a TCP header in a data packet from the receiver to the sender. And, using at least one of the SN, DO, TL, IHL, AN, and W from a network communication session to determine whether the sender, the receiver, or whether the network restricts data flow.

Abstract: Communicating over a network includes establishing a communication path between a mobile-device in a first communication area and a server through a home-agent, and maintaining the communication path through the home agent when the mobile-device moves to a second-communication-area.

Abstract: A communication system including a security system, and a method of controlling a communication system. The communication system includes a communication network having a plurality of nodes, a server connected to a first one of the nodes, and a client processor. A magnetic medium within the client processor stores the security system for connecting the client processor to the communication network for communication with the server. The security system includes a transmission control protocol for controlling communication between an application on the client processor and the communication network and a security classifier for coupling the transmission control protocol to the communication network and determining a security classification for the client processor. A security association negotiator is responsive to the client processor opening a socket at a node of the communication network, for correlating the socket with a security association based on the determined security classification.

Abstract: Communicating over a network includes establishing a communication path between a mobile-device in a first communication area and a server through a home-agent, and maintaining the communication path through the home agent when the mobile-device moves to a second-communication-area.

Abstract: The time taken for connection establishment is monitored to aid in selecting load distribution among nodes in a data delivery system, such as a server cluster. The failure of a node to respond to a connection request may be used to identify a crashed node. The number of connections being maintained and the amount of bandwidth being consumed may also be monitored for each node, and this information may be used to determine when a node should be removed from contention for new connection requests and when a node should be reinstated to receive new connection requests.

Abstract: Methods and apparatus for preventing packet retransmissions during Internet Protocol security (IPsec) security association establishment. Application socket requests are monitored. An application requests a Transmission Control Protocol (TCP) connection or transmission of User Datagram Protocol (UDP) data on a socket. A determination is made whether there is an active security association that exists to protect network flow associated with the request. The request is prevented from proceeding if no active security association exists to protect the network flow. A determination is made whether a security policy exists for the network flow if no active security association exists to protect the network flow. A security association negotiation component is alerted to initiate negotiation for a security association based on the security policy if the security policy exists for the network flow. The request is allowed to proceed, i.e.

Abstract: In general, in one aspect, the disclosure describes a method of determining if a first query for data related to a protocol data unit in a first table is a query to a table merged into a combination table formed from multiple tables. If so, the method can generate a second query for the first query for data stored by the combination table.

Abstract: A method and apparatus to determine whether data flow is restricted by a sending node, a receiving node, or by a network. One embodiment of the invention comprises selectively reading a Sequence Number field (SN) and a Data Offset field (DO) from a Transmission Control Protocol (TCP) header in a data packet from a sender to a receiver. Selectively reading a Total Length field (TL) and an Internet Header Length field (IHL) from an Internet protocol (IP) header in the data packet from the sender to the receiver. Selectively reading an Acknowledgment Number field (AN) and a Window field (W) from a TCP header in a data packet from the receiver to the sender. And, using at least one of the SN, DO, TL, IHL, AN, and W from a network communication session to determine whether the sender, the receiver, or whether the network restricts data flow.

Abstract: A method and apparatus to perform network path discovery are described.

Abstract: A method and a system for classifying a packet are disclosed. In one embodiment, at least one source address is grouped in a source group and at least one destination address is grouped in a destination group. In addition, at least one source port, one destination port, and one protocol are grouped in a protocol group. After grouping process, at least one rule is fetched according to the source group, destination group, or protocol group. After identifying the rule, specific treatment for the packet during the network transmission is identified in response to the rule or rules.