Abstract: Methods and apparatus for enhanced overlay state maintenance in a peer-to-peer overlay network. A first method includes inferring that a first node is leaving the overlay network, and transmitting a decrement message to decrement a size counter value. A second method includes identifying a set of nodes associated with a first node of an overlay network, obtaining a segment length associated with each node of the set of nodes, and determining a size of the overlay network by dividing the total number of nodes in the set of nodes by the sum of the segment lengths. A third method includes identifying a set of nodes associated with a first node of an overlay network, obtaining a size estimate associated with the first node and with each node of the set of nodes, and determining a size of the overlay network by averaging the size estimates.

Abstract: A device for use in a system with multiple receiving units, and multiple intermediate units each configured to communicate with the device and at least some of the multiple receiving units, includes a communication module configured to send information toward and receive information from the receiving units and the intermediate units, a memory, and a processor coupled to the memory and the communication module.

Abstract: Entropy obtained from a series of key generation exchanges may be combined with entropy from a strong entropy source to allow the strong entropy to be stretched to generate a larger number of keys for use on a communication network, without requiring additional information from the group members and without requiring the entropy source to be increased in size or in number. In one embodiment, nonces exchanged during an initial key exchange are used to generate additional key material that is then fed, together with a fresh random secret, to another pseudo-random function to generate an additional key stream. The methods are particularly useful for group key management where a large number of keys are required to be generated in a short time frame.

Abstract: A method and apparatus is disclosed which enables detection of undesired packets received at a device in a network, where the device is a member of a group of devices in the network. A registration table stores transform identifiers for each member of a group and controls the forwarding of the transform identifiers to the members of the group as members are added and deleted. A transform identifier indicates a format or transformation of a packet transmitted by an associated member. The transform identifier can therefore be used at a receiving device to distinguish between transmissions by different members of the group, thereby enabling the receiving device to extract sequence information associated with the member from the packet. The sequence information can be compared against an expected sequence number for the member to determine whether the packet is an undesirable or rogue packet.

Abstract: A method and apparatus is disclosed which enables detection of undesired packets received at a device in a network, where the device is a member of a group of devices in the network. A registration table stores transform identifiers for each member of a group and controls the forwarding of the transform identifiers to the members of the group as members are added and deleted. A transform identifier indicates a format or transformation of a packet transmitted by an associated member. The transform identifier can therefore be used at a receiving device to distinguish between transmissions by different members of the group, thereby enabling the receiving device to extract sequence information associated with the member from the packet. The sequence information can be compared against an expected sequence number for the member to determine whether the packet is an undesirable or rogue packet.

Abstract: Entropy obtained from a series of key generation exchanges may be combined with entropy from a strong entropy source to allow the strong entropy to be stretched to generate a larger number of keys for use on a communication network, without requiring additional information from the group members and without requiring the entropy source to be increased in size or in number. In one embodiment, nonces exchanged during an initial key exchange are used to generate additional key material that is then fed, together with a fresh random secret, to another pseudo-random function to generate an additional key stream. The fresh ransom secret may be generated at the GCKS from a physical entropy source or other entropy source, and may be changed at will by the GCKS to further increase the strength of the keys. The methods are particularly useful for group key management where a large number of keys are required to be generated in a short time frame.

Abstract: A device for use in a system with multiple receiving units, and multiple intermediate units each configured to communicate with the device and at least some of the multiple receiving units, includes a communication module configured to send information toward and receive information from the receiving units and the intermediate units, a memory, and a processor coupled to the memory and the communication module.

Abstract: A device for use in a system with multiple receiving units, and multiple intermediate units each configured to communicate with the device and at least some of the multiple receiving units, includes a communication module configured to send information toward and receive information from the receiving units and the intermediate units, a memory, and a processor coupled to the memory and the communication module.

Abstract: CE devices of the present invention are enabled to make more judicious routing decisions in CE-based VPNs. In determining a next-hop in a path from a source CE to a destination subnet, CE-to-CE costs are associated with each next-hop CE in a plurality of next-hop CEs. Each CE-to-CE cost is a cost of a path from the source CE to the associated next-hop CE. CE-to-subnet costs are associated with each of the next-hop CEs. Each CE-to-subnet cost is a cost of a path from the associated next-hop CE to the destination subnet. Total-costs are associated with each of the next-hop CEs. Each total-cost is a sum of a CE-to-CE cost associated with a next-hop CE and a CE-to-subnet cost associated with the same next-hop CE. The next-hop in the path is set to be a next-hop CE associated with an associated total-cost.

Abstract: Described are a method and system for establishing a secure communication session with third-party access at a later time. A first communication subsession is established between two original devices using a first key generated by a two-party key and security association protocol. At least one of the original devices is established as a group key server. A request from a joining device to join the secure communication session is received and a second communication subsession is established between the original devices using a second key generated by the two-party key and security association protocol. The second key is provided to the joining device to enable participation in the second communication subsession.

Abstract: A device for use in a system with multiple receiving units, and multiple intermediate units each configured to communicate with the device and at least some of the multiple receiving units, includes a communication module configured to send information toward and receive information from the receiving units and the intermediate units, a memory, and a processor coupled to the memory and the communication module.

Abstract: A device for use in a system with multiple receiving units, and multiple intermediate units each configured to communicate with the device and at least some of the multiple receiving units, includes a communication module configured to send information toward and receive information from the receiving units and the intermediate units, a memory, and a processor coupled to the memory and the communication module.

Abstract: Routing information may be provided to VPN sites on demand to allow smaller VPN sites with smaller routing tables to communicate directly with other VPN sites. This allows the meshed VPN architecture to scale to a size larger than where each VPN site is required to store routing information for all other VPN sites. A route server is instantiated on the network, optionally in connection with a Group Controller Key Server, to manage distribution of routes on the network and to provide routes to VPN sites on demand. As routes are learned by the VPN sites they are advertised to the route server, which selectively advertises the routes to other VPN sites depending on the per-site preferences. When a VPN site needs routing information to communicate with another VPN site, the network element will check its routing table for the route, and if the route is not available, will obtain the route on-demand from the route server.

Abstract: Method and apparatus that enable secure transmission of data in a scalable private network are described. Each station that is to be part of a private network registers with a key table. A group security association associated with the private network is forwarded to each trusted ingress and egress point that communicates with each member of the private network. When a member of the private network seeks to communicate with another member, it simply forwards the communication to the trusted ingress point. The trusted ingress point uses the security association associated with the private network to transform the communication and forwards the transformed communication through other intermediate stations in the network until it reaches a trusted egress point. The trusted egress point uses the stored security association to decode the transformed communication and forwards the communication to the appropriate destination.

Abstract: Each member of a group registers with the Security/Routing (S/R) device 30 and receives a Group Security Association (GSA) associated with the group. The member may register as part of a group by identifying the group and the other members. Alternatively, Routing Functionality auto-discovers the other members of the group. AS members are identified, Routing functionality reflects the routes of all members in the group to all other members of the group. The forwarding of the routes to the respective group members may be secured via the GSA associated with the group. Each member can forward communication directly to the group members, securing the communication using the group SA and standard tunneling techniques (such as IPsec, GRE, MPLS, etc.). Thus the S/R provides a mechanism for private networks to be built on top of an existing network without modification of any existing network components and much more scalable in operation and configuration than individual IP sec tunnels.

Abstract: A method for managing encryption keys in a communication system having a plurality of communication devices includes establishing a set of cryptographic keys for secure communication. Each of the cryptographic keys is associated with a geographic region. A geographic region is determined for a communication device and at least one cryptographic key is distributed to the communication device based on the geographic region of the communication device. At least one cryptographic key may be used to derive further cryptographic keys associated with a set of sub-regions of the geographic region associated with the communication device.

Abstract: Method and apparatus that enable secure transmission of data in a scalable private network are described. Each station that is to be part of a private network registers with a key table. A group security association associated with the private network is forwarded to each trusted ingress and egress point that communicates with each member of the private network. When a member of the private network seeks to communicate with another member, it simply forwards the communication to the trusted ingress point. The trusted ingress point uses the security association associated with the private network to transform the communication and forwards the transformed communication through other intermediate stations in the network until it reaches a trusted egress point. The trusted egress point uses the stored security association to decode the transformed communication and forwards the communication to the appropriate destination.

Abstract: Method and apparatus that enable secure transmission of data in a scalable private network are described. Each station that is to be part of a private network registers with a key table. A group security association associated with the private network is forwarded to each trusted ingress and egress point that communicates with each member of the private network. When a member of the private network seeks to communicate with another member, it simply forwards the communication to the trusted ingress point. The trusted ingress point uses the security association associated with the private network to transform the communication and forwards the transformed communication through other intermediate stations in the network until it reaches a trusted egress point. The trusted egress point uses the stored security association to decode the transformed communication and forwards the communication to the appropriate destination.

Abstract: A method for preserving security associations between at least two entities includes the steps of maintaining a security association relating to communication between the at least two entities in a table, and periodically storing the security association in non-volatile storage. With such an arrangement, in the event that data within the table become corrupted, it can be retrieved from storage. Because the key data is stored, performance losses due to re-establishing the secure group are minimized. In one embodiment, the security association is advantageously encrypted prior to storage to further secure the security associations for each member.

Abstract: Disclosed are apparatus and methods operable to distribute targeted content. Additionally, disclosed are corresponding apparatus and methods operable to selectively choose and cache selected ones from among the distributed targeted content, and to further choose ones from among the cached content to present on a device. In some aspects, selective caching of content may be based upon a match between predetermined content attribute information and predetermined profile information. Further, in some aspects, an indicator is operable to trigger the selective inclusion of one or more of the cached content in a presentation of other content, which may be based on a match between a desired content attribute associated with the indicator and the respective predetermined content attribute information of the cached content.