Patents by Inventor Jan Vilhuber

Jan Vilhuber has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20080222413
    Abstract: According to one aspect, a provisioning server comprises a configuration module that configures a network device and an identification certification module that certifies the identity of the network device. With use of the provisioning server, the network device does not require configuration with network connectivity in order to obtain its certified identity. In one embodiment, the configuration module configures the device for operation at the device's point of deployment in a network. In one embodiment, the identity certification module is configured to generate a digital certificate for the network device and the configuration module is configured to automatically configure the network device based on its digital certificate. The provisioning server is coupled to the network device with a secure communication link. As a result, a more trusted network device is ultimately deployed into its network of operation.
    Type: Application
    Filed: May 23, 2008
    Publication date: September 11, 2008
    Inventors: Jan Vilhuber, Max Pritikin
  • Patent number: 7386721
    Abstract: According to one aspect, a provisioning server comprises a configuration module that configures a network device and an identification certification module that certifies the identity of the network device. With use of the provisioning server, the network device does not require configuration with network connectivity in order to obtain its certified identity. In one embodiment, the configuration module configures the device for operation at the device's point of deployment in a network. In one embodiment, the identity certification module is configured to generate a digital certificate for the network device and the configuration module is configured to automatically configure the network device based on its digital certificate. The provisioning server is coupled to the network device with a secure communication link. As a result, a more trusted network device is ultimately deployed into its network of operation.
    Type: Grant
    Filed: March 12, 2003
    Date of Patent: June 10, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Vilhuber, Max Pritikin
  • Patent number: 7376828
    Abstract: A method and apparatus for using a service provider network that supports point-to-point channels is disclosed. One or more encryption parameters are associated with a channel from among a set of one or more predefined point-to-point channels provided by the service provider to connect customer points for a customer different than the service provider. Payloads for a particular flow of one or more data packets directed through the channel are encrypted at a first customer point, using the set of encryption parameters associated with the particular channel, to generate a set of one or more encrypted payloads. The encrypted payloads are inserted in the particular flow sent through the channel of the service provider network. The encrypted payloads are decrypted at a second customer point connected to the first customer point by the channel.
    Type: Grant
    Filed: July 1, 2002
    Date of Patent: May 20, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Eric Voit, Pratima Sethi, Jan Vilhuber
  • Patent number: 7366894
    Abstract: A request is received for secure network traffic from a device having a private network address at a source node. The private network address of a requested destination device is obtained at a destination node from a route server based on signaling information associated with the request. The public network address of the destination node associated with the private network address is obtained. In response to the request, a virtual circuit is created between the source node and the destination node based on the public network address of the destination node. Network traffic is encrypted for transport at least from the source node to the destination node through the virtual circuit. Creating the virtual circuit dynamically in response to the request functions like a fully meshed network but requires less provisioning and maintenance. The process is readily scalable, as with a hub and spoke network but with less delay.
    Type: Grant
    Filed: November 27, 2002
    Date of Patent: April 29, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Ramesh Kalimuthu, Yogesh Kalley, Michael L. Sullenberger, Jan Vilhuber
  • Publication number: 20070220589
    Abstract: Techniques for validating a first device are provided. A second device receives a first device public key and first device identification information from the first device. Validation of the first device identification information is required for a security process using a security protocol. The second device sends the first device public key and the first device identification information to an AAA server for validation. The AAA server is separate from the second device. The second device receives a response from the AAA server, the response including an indication whether the received first device identification information is validated with stored first device identification information for the first device public key. If the first device identification information is validated, an action for the security process is performed using the security protocol.
    Type: Application
    Filed: March 17, 2006
    Publication date: September 20, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Joseph Salowey, Jan Vilhuber
  • Patent number: 7234058
    Abstract: Group key management techniques are applied to generating pair-wise keys for point-to-point secure communication applications. Nodes participating in a secure communication group each receive a group key and associated policy information. When a first node wishes to establish a secure point-to-point connection to a second node, the first node derives a pairwise key from the group key and policy information, for example, by hashing the group key and information identifying the two nodes. As a result, a pairwise key is generated without exchanging negotiation messages among the two nodes and without expensive asymmetric cryptographic computation approaches.
    Type: Grant
    Filed: October 1, 2002
    Date of Patent: June 19, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Baugher, David McGrew, Jan Vilhuber, Brian Weis
  • Patent number: 7234063
    Abstract: Group key management techniques are applied to generating pair-wise keys for point-to-point secure communication applications. Nodes participating in a secure communication group each receive a group key and associated policy information. When a first node wishes to establish a secure point-to-point connection to a second node, the first node derives a pairwise key from the group key and policy information, for example, by hashing the group key and information identifying the two nodes. As a result, a pairwise key is generated without exchanging negotiation messages among the two nodes and without expensive asymmetric cryptographic computation approaches.
    Type: Grant
    Filed: August 27, 2002
    Date of Patent: June 19, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Baugher, David McGrew, Jan Vilhuber, Brian Weis
  • Patent number: 7228421
    Abstract: A technique is disclosed for generating control messages to be transmitted from a first network device to a second network device in a data network. A first control message to be generated at the first network device is determined. Reason information relating to at least one reason for generating the first control message is identified. The first control message is then generated at the first network device, and includes the identified reason information. The first control message may be transmitted to at least one other network device in the network, including the second network device. When the first control message is received at the second network device, the reason information included in the first control message is identified. An appropriate response, based, at least in part, upon the reason information provided in the first control message, may then be determined and implemented at the second network device.
    Type: Grant
    Filed: June 27, 2001
    Date of Patent: June 5, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Geoffrey Huang, Jan Vilhuber
  • Patent number: 6981029
    Abstract: An information service provider network includes a content gateway to process requests for information from a client terminal. The content gateway includes a router for receiving a request for information from the client terminal. The request includes a domain name and additional content. The router forwards the request according to the domain name to a selected one of a plurality of processors to further process the request. The selected one of the plurality of processors identifies an information source to satisfy the request in response to the additional content of the request.
    Type: Grant
    Filed: July 17, 2001
    Date of Patent: December 27, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Louis F. Menditto, Barron C. Housel, Tzu-Ming Tsang, Mauro Zallocco, Gaurang K. Shah, Jan Vilhuber, Anurag Bhargava, Pranav K. Tiwari, Robert M. Batz, Scott W. Brim
  • Patent number: 6968389
    Abstract: An information service provider network includes a content gateway to process requests for information from a client terminal. The content gateway includes a router for receiving a domain name server query from an originator associated with a request for information. The router includes a database defining a relationship between domain names and addresses associated with accelerated servicing of requests. The router determines whether the domain name of the domain name server query is indexed in the database. The domain name is qualified in response to the domain name being in the database. If qualified, the router sends an address to the originator of the query corresponding in the database to the domain name. The address is to a processor associated with the router that performs accelerated services on the request.
    Type: Grant
    Filed: July 17, 2001
    Date of Patent: November 22, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Louis F. Menditto, Barron C. Housel, Tzu-Ming Tsang, Mauro Zallocco, Gaurang K. Shah, Jan Vilhuber, Anurag Bhargava, Pranav K. Tiwari, Robert M. Batz, Scott W. Brim
  • Patent number: 6748543
    Abstract: A mechanism for authenticating multiple connections to a network server is disclosed. A client establishes a first connection to the server. In establishing the first connection, the client provides authentication information and authorization information, and in response the server assigns first access privileges to the client. When the client requests a second connection, the server receives authentication information from the client, and assigns limited access privileges to the client. The server associates the first connection with the second connection and the client. The server automatically associates the first access privileges with the second connection, without requiring the client to provide authorization information for the second connection.
    Type: Grant
    Filed: September 20, 2002
    Date of Patent: June 8, 2004
    Assignee: Cisco Technology, Inc.
    Inventor: Jan Vilhuber
  • Patent number: 6470453
    Abstract: A mechanism for authenticating multiple connections to a network server is disclosed. A client establishes a first connection to the server. In establishing the first connection, the client provides authentication information and authorization information, and in response the server assigns first access privileges to the client. When the client requests a second connection, the server receives authentication information from the client, and assigns limited access privileges to the client. The server associates the first connection with the second connection and the client. The server automatically associates the first access privileges with the second connection, without requiring the client to provide authorization information for the second connection.
    Type: Grant
    Filed: September 17, 1998
    Date of Patent: October 22, 2002
    Assignee: Cisco Technology, Inc.
    Inventor: Jan Vilhuber