Patents by Inventor Jose C. Brustoloni

Jose C. Brustoloni has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7861292
    Abstract: Ingress filtering has been adopted by the IETF as a methodology for preventing denial of service congestive attacks that spoof the source address in packets that are addressed to host server victims. Unless universally adopted by all ISPs on the Internet, however, a packet's source address cannot be totally trusted to be its actual source address. To take advantage of benefits of ingress filtering as it is gradually deployed by ISPs around the Internet, differentiated classes of service are used to transport packets whose source address can be trusted and packets whose source address cannot be trusted. A packet received by an access or edge router at an ISP that supports ingress filtering and has a source address that is properly associated with the port on which it is received is forwarded in a privileged class of service and is dropped otherwise.
    Type: Grant
    Filed: October 2, 2008
    Date of Patent: December 28, 2010
    Assignee: Alcatel-Lucent USA Inc.
    Inventor: José C Brustoloni
  • Publication number: 20090172803
    Abstract: Ingress filtering has been adopted by the IETF as a methodology for preventing denial of service congestive attacks that spoof the source address in packets that are addressed to host server victims. Unless universally adopted by all ISPs on the Internet, however, a packet's source address cannot be totally trusted to be its actual source address. To take advantage of benefits of ingress filtering as it is gradually deployed by ISPs around the Internet, differentiated classes of service are used to transport packets whose source address can be trusted and packets whose source address cannot be trusted. A packet received by an access or edge router at an ISP that supports ingress filtering and has a source address that is properly associated with the port on which it is received is forwarded in a privileged class of service and is dropped otherwise.
    Type: Application
    Filed: October 2, 2008
    Publication date: July 2, 2009
    Inventor: José C Brustoloni
  • Patent number: 7519991
    Abstract: Ingress filtering has been adopted by the IETF as a methodology for preventing denial of service congestive attacks that spoof the source address in packets that are addressed to host server victims. Unless universally adopted by all ISPs on the Internet, however, a packet's source address cannot be totally trusted to be its actual source address. To take advantage of benefits of ingress filtering as it is gradually deployed by ISPs around the Internet, differentiated classes of service are used to transport packets whose source address can be trusted and packets whose source address cannot be trusted. A packet received by an access or edge router at an ISP that supports ingress filtering and has a source address that is properly associated with the port on which it is received is forwarded in a privileged class of service and is dropped otherwise.
    Type: Grant
    Filed: June 19, 2002
    Date of Patent: April 14, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventor: José C Brustoloni
  • Patent number: 7299297
    Abstract: An Internet Service Provider (ISP), in consideration of being remunerated in some manner by an e-merchant, carries the packets of a designated subset of that e-merchant's clients, designated as VIPs, in a privileged class of service as compared to an unprivileged class of service that is used to carry the packets of the e-merchant's other regular clients. In this way, the adverse effects on performance due to congestion in the unprivileged class of service, whether due to an ongoing denial-of-service attack or not, will not affect the performance of packets sent by and to VIPs using the privileged class of service. An e-merchant may select its VIPs from among those clients that bring in a majority of the e-merchant's revenues. An e-merchant turns a regular client into a VIP by granting it a VIP right.
    Type: Grant
    Filed: June 19, 2002
    Date of Patent: November 20, 2007
    Assignee: Lucent Technologies Inc.
    Inventor: José C Brustoloni
  • Patent number: 7207062
    Abstract: An Internet Service Provider (ISP), in consideration of being remunerated in some manner by a site, determines whether packets destined to that site conform to a profile provided to the ISP by that site. The profile indicates, for example, what protocols are allowed by the server, and, for each such protocol, what destination port numbers or message types are allowed, a maximum transmission rate, the maximum number of allowed connections a client may have, and whether to enforce congestion-avoidance. This server profile enforcement (SPE) automatically thwarts denial of service attacks from attackers that send packets to the subscribing server from that ISP using connections or having packet characteristics that do not conform to the acceptable characteristics specified in the profile. SPE is generally performed by an SPE unit, which can be incorporated in the access gateways of an ISP that supports the service.
    Type: Grant
    Filed: June 19, 2002
    Date of Patent: April 17, 2007
    Assignee: Lucent Technologies Inc.
    Inventor: José C Brustoloni
  • Patent number: 7155740
    Abstract: Linux's NAT (Network Address Translator) implementation, IP Masquerade, includes a VPN Masquerade feature that provides interoperation of NAT with IKE and ESP tunnel mode within the IPSec security protocol suite. VPN Masquerade uses heuristics to route packets from a server on the Internet to a client on a local network that shares access to the Internet with other clients over a common access link through a router running NAT. VPN Masquerade, however, is susceptible to crashes, collisions and race conditions that can disable IPSec communication. These are prevented, or recovery from such is automatically effected, by sending over a tunnel a control packet, a “ping”, from the client at one end of the tunnel to the server at the other end of the tunnel, and then waiting to send any packets other than a control packet over the tunnel until a responsive control packet is received from the server.
    Type: Grant
    Filed: July 10, 2001
    Date of Patent: December 26, 2006
    Assignee: Lucent Technologies Inc.
    Inventor: José C. Brustoloni
  • Patent number: 6963982
    Abstract: Clients that are connected on a private network and which are assigned a private IP address that is not routable on the Internet can connect to the Internet through a router/server that includes a network address translator (NAT). For outgoing packets, the NAT translates the client's private source IP address and generalized port number (GPN) to the NAT's global IP address and GPN. For incoming packets sent to the NAT's global IP address and GPN, the NAT translates the global destination IP address and GPN to the client's private IP address and GPN. For protocols which cannot be directly supported by the NAT, such as those in the IPSec security protocol suite, the NAT is extended by creating in the NAT's translation table an entry that associates, for a specific unsupported protocol, a client's private IP address and GPN, the NAT's global IP address and GPN, and a foreign address on the Internet, that is valid until a specified or default expiration time.
    Type: Grant
    Filed: October 27, 2000
    Date of Patent: November 8, 2005
    Assignee: Lucent Technologies Inc.
    Inventors: José C. Brustoloni, Juan Alberto Garay
  • Patent number: 6886103
    Abstract: Clients that are connected on a private network and which are assigned a private IP address that is not routable on the Internet can connect to the Internet through a router/server that includes a network address translator (NAT). For outgoing packets, the NAT translates the client's private source IP address and generalized port number (GPN) to the NAT's global IP address and GPN. For incoming packets sent to the NAT's global IP address and GPN, the NAT translates the global destination IP address and GPN to the client's private IP address and GPN. For protocols which cannot be directly supported by the NAT, such as those in the IPSec security protocol suite, the NAT is extended by creating in the NAT's translation table an entry that associates, for a specific unsupported protocol, a client's private IP address and GPN, the NAT's global IP address and GPN, and a foreign address on the Internet, that is valid until a specified or default expiration time.
    Type: Grant
    Filed: October 27, 2000
    Date of Patent: April 26, 2005
    Assignee: Lucent Technologies Inc.
    Inventors: Jose C. Brustoloni, Juan Alberto Garay
  • Publication number: 20030036970
    Abstract: An Internet Service Provider (ISP), in consideration of being remunerated in some manner by an e-merchant, carries the packets of a designated subset of that e-merchant's clients, designated as VIPs, in a privileged class of service as compared to an unprivileged class of service that is used to carry the packets of the e-merchant's other regular clients. In this way, the adverse effects on performance due to congestion in the unprivileged class of service, whether due to an ongoing denial-of-service attack or not, will not affect the performance of packets sent by and to VIPs using the privileged class of service. An e-merchant may select its VIPs from among those clients that bring in a majority of the e-merchant's revenues. An e-merchant turns a regular client into a VIP by granting it a VIP right.
    Type: Application
    Filed: June 19, 2002
    Publication date: February 20, 2003
    Inventor: Jose C. Brustoloni
  • Publication number: 20010034831
    Abstract: A method and associated apparatus for providing access to the Internet or other network is described, where clients may connect their own computers to a LAN supplied by the access provider, who may charge for such access and may use security protocols for denying access to unauthorized or nonpaying users, and where the contract between client and access provider may be established at the point of access, independently of a previous relationship between both parties, and may have a term as short as the client desires. In one aspect, the access provider may use the access services of another access provider and may use Network Address Translation (NAT) to reduce access costs. The client may select the desired level of security, usage metrics, usage limits, and payment options, and may monitor and control his or her usage. In one aspect, the client does not need to reveal his or her identity to the access provider.
    Type: Application
    Filed: January 19, 2001
    Publication date: October 25, 2001
    Inventors: Jose C. Brustoloni, Juan Alberto Garay