Patents by Inventor James N. Guichard

James N. Guichard has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7936668
    Abstract: A given router in the core of a label-switching network identifies a group of routers to receive common label binding information for later routing packets along respective paths through the label-switching network. One way to identify which of multiple routers to include as a member of the group to receive the same label information is to analyze egress policies associated with downstream routers in the label-switching network. Based on this analysis, the given router identifies group members as routers having a substantially same egress policy as each other. The given router then allocates memory resources to store a common set of label information to be distributed to each member in the group of routers having the same egress policy. After populating the memory resources with label information, the given router distributes a common set of label information to each router in the group of routers.
    Type: Grant
    Filed: May 26, 2005
    Date of Patent: May 3, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Matthew H. Birkner, Robert H. Thomas, Roy M. Brooks
  • Patent number: 7869436
    Abstract: A system allows a device to communicate using a virtual network by assigning a network address to the device. The network address is selected from a plurality of network addresses that can be assigned to any of a plurality of virtual networks. The system receives a request to authenticate the device, and then determines a virtual network on which to assign the device. The virtual network is selected from the plurality of virtual networks. The system identifies the device as authenticated based on the assigning of the network address and the virtual network.
    Type: Grant
    Filed: October 13, 2005
    Date of Patent: January 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Saul Adler, James N. Guichard, Luca Martini, Venkateswara Rao Yarlagadda, W. Scott Wainner
  • Patent number: 7870604
    Abstract: A computer system includes functionality enabling a provider edge router to determine whether network data such as VRF information is properly associated with a corresponding virtual private network. A first node through which the network data is transmitted generates a signature value uniquely associated with the virtual private network. The first node forwards the signature value along with the network data to a second node of the physical network. The second node, in turn, verifies that the network data (such as VRF information) is properly associated with the second node (and virtual network) based on its own generation of a signature value, which is compared with the signature value received from the first node.
    Type: Grant
    Filed: August 29, 2003
    Date of Patent: January 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Michael H. Behringer
  • Patent number: 7787396
    Abstract: A method, apparatus and computer program product for providing Outbound Route Filtering (ORF) is presented. An ORF list is produced and an ORF filter is built from the ORF list. The ORF list is built from received ORF entries. The ORF list is advertised to client and non-client peers. The ORF filter is built from a received ORF list and is directed toward the advertiser of the ORF list.
    Type: Grant
    Filed: May 27, 2004
    Date of Patent: August 31, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Gargi Nalawade, James N. Guichard, Luca Martini
  • Patent number: 7742477
    Abstract: A method, apparatus and computer program product each provides interconnectivity between autonomous systems. A control plane and a data plane are included in a network device. A single interface is included in the control plane for all customers. An interface is included in the data plane for each respective one of the customers.
    Type: Grant
    Filed: February 3, 2006
    Date of Patent: June 22, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Robert Hanzl, Mohammed Sayeed, Sumit Mukhopadhyay
  • Patent number: 7724732
    Abstract: A method, apparatus and computer program product for providing secure multipoint Internet Protocol Virtual Private Networks (IPVPNs) is presented. A packet lookup is performed in order to determine a next hop. A VPN label is pushed on the packet, as is an IP tunnel header. Group encryption through the use of DGVPN is further utilized. In such a manner secure connectivity and network partitioning are provided in a single solution.
    Type: Grant
    Filed: March 4, 2005
    Date of Patent: May 25, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, W. Scott Wainner, John J. Mullooly, Brian E. Weis
  • Patent number: 7720995
    Abstract: In a host within a group, a method for ensuring secure communications is provided. The method involves (a) determining if a group security policy is in place for secure communication between hosts within the group, (b) if the group security policy is in place, advertising routing information to another host within the group, and (c) if the group security policy is not in place, refraining from advertising routing information to the other host. Corresponding apparatus and computer program product embodiments are also provided.
    Type: Grant
    Filed: June 8, 2007
    Date of Patent: May 18, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: W. Scott Wainner, James N. Guichard
  • Patent number: 7698456
    Abstract: A first network node maintains separate routing policy information to forward network traffic depending on a direction of the network traffic. Upstream routing policy information at the first node identifies a second node to forward upstream traffic received from at least a first client communicating through the first node. Downstream routing policy information at the first node identifies how to forward downstream network traffic received from another node to the first client. By preventing use of the downstream policy routing information by the first client to route upstream network traffic, the first node is able to forward traffic along a path that the network traffic otherwise would not have traveled. For example, network traffic communicated through the first node can be forced to travel through another network node through which it would not otherwise have passed if the downstream policy information was available to route the network traffic.
    Type: Grant
    Filed: September 29, 2003
    Date of Patent: April 13, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Robert Hanzl, Henk Smit
  • Patent number: 7688829
    Abstract: A routing mechanism provides network segmentation preservation by route distribution with segment identification, policy distribution for a given VPN segment, and encapsulation/decapsulation for each segment using an Ethernet VLAN_ID, indicative of the VPN segment (subnetwork). Encapsulated segmentation information in a message packet identifies which routing and forwarding table is employed for the next hop. A common routing instance receives the message packets from the common interface, and indexes a corresponding VRF table from the VLAN ID, or segment identifier, indicative of the subnetwork (e.g. segment). In this manner, the routing instance receives the incoming message packet, decapsulates the VLAN ID in the incoming message packet, and indexes the corresponding VRF and policy ID from the VLAN ID, therefore employing a common routing instance over a common subinterface for a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. VPN router).
    Type: Grant
    Filed: September 14, 2005
    Date of Patent: March 30, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, W. Scott Wainner, Saul Adler, Khalil A. Jabr, S. Scott Van de Houten
  • Patent number: 7620975
    Abstract: A method and apparatus for providing routing protocol support for distributing encryption information is presented. Subnet prefixes reachable on a first customer site in an encrypted manner are identified, as are security groups the subnet prefixes belong to. An advertisement is received at a first Customer Edge (CE) device in the first customer site, the advertisement originating from a Customer (C) device in the first customer site. The advertisement indicates links, subnets to be encrypted, and security group identifiers. The prefixes and the security group identifiers are then propagated across a service provider network to a second CE device located in a second customer site. In such a manner, encryption and authentication are expanded further into a customer site, as customer devices are able to indicate to a service provider network infrastructure and other customer devices in other customer sites which local destinations require encryption/authentication.
    Type: Grant
    Filed: February 17, 2005
    Date of Patent: November 17, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, W. Scott Wainner, Brian E. Weis, David A. McGrew
  • Patent number: 7613826
    Abstract: A system provides a request for a policy from a policy server, and receives the policy from the policy server. The policy indicates processing to be applied to a traffic partition passing through the device. The system configures the policy within a routing structure associated with the traffic partition for the policy in the device, and routes a stream of traffic for the routing structure in accordance with the policy for that routing structure.
    Type: Grant
    Filed: February 9, 2006
    Date of Patent: November 3, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, W. Scott Wainner, Brian E. Weis, Mohamed Khalid
  • Patent number: 7602778
    Abstract: An MPLS router operable for labeled switch path (LSP) operation defines a compression index for identifying a decompression context between other MPLS LSP routers. The compression index allows a multipoint-to-point link between MPLS routers, thereby avoiding an exhaustive mesh of point-to-point links between each of the MPLS routers. The originator ID identifies each of the multipoint originating endpoints at a common destination, and maintains the context of each compressed header to match incoming compressed headers to the corresponding header values. The originator ID, typically the IP address of the originator, operates as the compression index on the multipoint-to-point connection, operable to distinguish multiple originators of the multipoint-to-point connection and provide header compression for each.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: October 13, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Bruce S. Davie, Eric C. Rosen, John J. Mullooly, Gerhard Wieser
  • Patent number: 7599313
    Abstract: A method for scaling hierarchical route reflectors (RRs) using automated Outbound Route Filtering (ORF) is presented. A first route reflector identifies other route reflectors configured as route reflector clients within a route reflector hierarchy. The first route reflector then builds a common set of route target filters received from the client route reflectors and sends the common set of route target filters to client route reflectors.
    Type: Grant
    Filed: April 28, 2005
    Date of Patent: October 6, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Keyur Patel, Ruchi Kapoor, James N. Guichard
  • Patent number: 7583593
    Abstract: A path verification protocol (PVP) which enumerates a series of messages sent to a set of nodes, or routers, along a suspected path identifies forwarding plane problems for effecting changes at the control plane level. The messages include a command requesting interrogation of a further remote node for obtaining information about the path between the node receiving the PVP message and the further remote node. The node receiving the PVP message replies with a command response indicative of the outcome of attempts to reach the further remote node. The series of messages collectively covers a set of important routing points along a path from the originator to the recipient. The aggregate command responses to the series of PVP messages are analyzed to identify not only whether the entire path is operational, but also the location and nature of the problem.
    Type: Grant
    Filed: December 1, 2004
    Date of Patent: September 1, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Jean-Philippe Vasseur, Thomas D. Nadeau, Clarence A. M. Filsfils, David D. Ward, Stefano Previdi
  • Publication number: 20090185573
    Abstract: A method, apparatus and computer program product for routing data within a packet-switched network using a PW wherein the PW is terminated directly on the layer-3 routing device such that certain services and applications can be utilized is presented. The method, apparatus and computer program product receives an encapsulated layer-2 Protocol Data Unit (PDU) from a pseudowire emulating a service. The encapsulation is removed from the encapsulated layer-2 PDU and a layer-2 circuit associated with the pseudowire is terminated. The circuit is treated as an interface and the PDU is forwarded based on upper layer protocol information within the PDU.
    Type: Application
    Filed: March 31, 2009
    Publication date: July 23, 2009
    Applicant: Cisco Technology, Inc.
    Inventors: James N. Guichard, Mohammed Sayeed, Bertrand Duvivier, Daniel Tappan, W. Scott Wainner, Earl Hardin Booth, III, Christopher Metz, W. Mark Townsley, Wojciech Dec
  • Patent number: 7516224
    Abstract: A method, apparatus and computer program product for routing data within a packet-switched network using a PW wherein the PW is terminated directly on the layer-3 routing device such that certain services and applications can be utilized is presented. The method, apparatus and computer program product receives an encapsulated layer-2 Protocol Data Unit (PDU) from a pseudowire emulating a service. The encapsulation is removed from the encapsulated layer-2 PDU and a layer-2 circuit associated with the pseudowire is terminated. The circuit is treated as an interface and the PDU is forwarded based on upper layer protocol information within the PDU.
    Type: Grant
    Filed: October 21, 2004
    Date of Patent: April 7, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Mohammed Sayeed, Bertrand Duvivier, Daniel Tappan, W. Scott Wainner, Earl Hardin Booth, III, Christopher Metz, W. Mark Townsley, Wojciech Dec
  • Patent number: 7509491
    Abstract: Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system which enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishes a group key corresponding to the group applies the group key to communications from the group members in the subnet.
    Type: Grant
    Filed: June 14, 2004
    Date of Patent: March 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: W. Scott Wainner, James N. Guichard, Brian E. Weis, David A. McGrew
  • Patent number: 7505402
    Abstract: A method, apparatus and computer program product for providing convergence for a dual-homed site in a network is presented. An occurrence of a failure between a first Provider Edge (PE) device and a first Customer Edge (CE) device in communication with a dual-homed site is detected. A determination is made whether an alternate route exists for the dual-homed site in a routing table associated with the first PE device. When an alternate route exists then a routing entry associated with the first CE device in a routing table of said first PE device is kept from being deleted for a predetermined amount of time, the routing table is modified to reference the alternate route, the routing entry is rewritten to perform a POP and lookup in a VRF table of the first PE device, and the routing entry is deleted after the predetermined amount of time has elapsed.
    Type: Grant
    Filed: June 23, 2005
    Date of Patent: March 17, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Clarence A. M. Filsfils, James N. Guichard, Robert Raszuk, Jean-Philippe Vasseur, Kris Michielsen, Peter De Vriendt
  • Patent number: 7471636
    Abstract: A data communication device (e.g., a router) originates a network configuration message in response to a network topology change or so as to refresh a configuration message. The data communication device encodes a timestamp in the network configuration message. The timestamp indicates a time of originating the network configuration message. Further, the data communication device transmits the network configuration message over the network to other network devices that, in turn, initiate further broadcast of at least a portion of contents of the network configuration message. Based on the timestamp of the network configuration message, the data communication devices receiving the network configuration message identify a transmission time value indicating how long the network configuration message takes to be conveyed over the network to the other network devices.
    Type: Grant
    Filed: February 23, 2005
    Date of Patent: December 30, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Stefano Previdi, James N. Guichard, David D. Ward
  • Publication number: 20080307110
    Abstract: In a host within a group, a method for ensuring secure communications is provided. The method involves (a) determining if a group security policy is in place for secure communication between hosts within the group, (b) if the group security policy is in place, advertising routing information to another host within the group, and (c) if the group security policy is not in place, refraining from advertising routing information to the other host. Corresponding apparatus and computer program product embodiments are also provided.
    Type: Application
    Filed: June 8, 2007
    Publication date: December 11, 2008
    Applicant: Cisco Technology, Inc.
    Inventors: W. Scott Wainner, James N. Guichard