Patents by Inventor Mahadev Somasundaram
Mahadev Somasundaram has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 8078739
Abstract: Disclosed are methods and apparatus for handling requests for data from a private network. In general terms, a client who wishes access to secure data, such as a secure web page, from a private network establishes a secure connection with a secure server, such as a secure socket layer (SSL) server, of the private network. The secure server then downloads a software program for handling data requests (made by the client for data located within the private network) to the client. This software program is downloaded automatically by the secure server to the client when the client initiates a secure connection with such secure server. The downloaded software program is generally configured to modify data requests (e.g., by performing a URL substitution) sent from the client to an internal server of the private network such that the data requests are redirected to the secure server. The secure server then processes the data request (e.g., by retrieving the data from the appropriate internal server).
Type: Grant
Filed: December 29, 2003
Date of Patent: December 13, 2011
Assignee: Cisco Technology, Inc.
Inventors: Mahadev Somasundaram, Senthil Sivakumar, Siva S. Jayasenan, Yongming Zhang, Todd M. Short
-
Patent number: 8074275
Abstract: A method of preventing network denial of service attacks by early discard of out-of-order segments comprises creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated. As out-of-order data segments arrive on the connection, and before other processing of the segments, whether the reassembly queue is full is determined, and the out-of-order segments are discarded if the reassembly queue is full. The size of the reassembly queue is automatically changed in response to one or more changes in any of network conditions and device resources.
Type: Grant
Filed: February 1, 2006
Date of Patent: December 6, 2011
Assignee: Cisco Technology, Inc.
Inventors: Anantha Ramaiah, Mahadev Somasundaram, Senthil Sivakumar
-
Patent number: 7957382
Abstract: Disclosed are methods and apparatus for handling data containing embedded addresses. In general terms, prior to transmission of data having an embedded address or port, an initiating host sends a NAT Probe to an end-host with which the initiating host wishes to communicate. The NAT Probe includes the embedded address or port and a type indicating that translation of the address and/or port is requested if needed. As the NAT Probe traverses through one or more NAT devices as it is transmitted to the end-host, each NAT device is enabled to recognize the NAT Probe type and translate the embedded address and/or port, depending upon the individual NAT device's configuration. When the NAT Probe reaches the final hop NAT device or end-host, a NAT Probe Reply is sent back to the initiating host. The NAT Probe Reply contains a translated embedded address and/or port which is compatible with the end-host's network. The NAT Probe Reply also contains a type which differs from the type of the NAT Probe.
Type: Grant
Filed: October 13, 2006
Date of Patent: June 7, 2011
Assignee: Cisco Technology, Inc.
Inventors: Mahadev Somasundaram, Siva S. Jayasenan, Senthil Sivakumar
-
Patent number: 7930365
Abstract: A method of modifying network identifiers at data servers is disclosed. A virtual private network (VPN) gateway server generates a Hypertext Transfer Protocol (HTTP) request. The HTTP request not only requests data from a data server that is within a VPN, but also instructs the data server to modify (“mangle”) URLs that are contained within the requested data so that the URLs refer to the VPN gateway server. The VPN gateway server sends the HTTP request toward the data server. As a result, the data server modifies the URLs so that the VPN gateway server does not need to. When such a modified URL is selected in a web browser, the web browser generates an HTTP request that is directed to the VPN gateway server's URL, which, unlike the unmodified URLs, can be resolved by domain name servers that are outside of the VPN.
Type: Grant
Filed: February 16, 2005
Date of Patent: April 19, 2011
Assignee: Cisco Technology, Inc.
Inventors: Vineet Ramesh Dixit, Mitesh Dalal, Amol Khare, Mahadev Somasundaram
-
Patent number: 7917523
Abstract: Method and system for providing improved uniform resource locator (URL) mangling performance using fast re-write including scanning a web page, detecting an absolute URL in the web page, and modifying the detected absolute URL to a corresponding relative URL in the web page, is disclosed.
Type: Grant
Filed: April 5, 2006
Date of Patent: March 29, 2011
Assignee: Cisco Technology, Inc.
Inventors: Vineet Dixit, Siva S. Jayasenan, Mahadev Somasundaram
-
Patent number: 7734819
Abstract: Disclosed are methods and apparatus for handling data sent from a first public network to a second or same public network via a private network. In general terms, network translation address mechanisms are provided within the edge routers of the private network. When a first processing node sends a request to an edge router to access another processing node which resides in a public network, the edge router forms a binding based on two addresses associated with the first processing node. A first private address is initially associated with the first processing node, and the first processing node uses this private address to communicate with the private network. A second public address is also allocated to the first processing node based on the first processing node's request to communicate with a public node. The first processing node uses the allocated second public address to communicate with the requested public node.
Type: Grant
Filed: July 10, 2007
Date of Patent: June 8, 2010
Assignee: Cisco Technology, Inc.
Inventors: Mahadev Somasundaram, Siva S. Jayasenan, Mark A. Denny
-
Patent number: 7715380
Abstract: Methods and apparatus for performing NAT are disclosed. Specifically, NAT is performed at a service provider network device associated with an interface of a service provider network. When a packet is sent from a VPN to a node outside the service provider network (e.g., to access a shared service), the packet includes a VPN identifier (or VRF identifier). In accordance with various embodiments, each packet includes an MPLS tag that includes the VPN identifier. The VPN identifier is stored in a translation table entry. The storing of the VPN identifier will enable a reply packet from the shared service network to the customer VPN to be routed using a routing table identified by the VPN identifier.
Type: Grant
Filed: June 19, 2003
Date of Patent: May 11, 2010
Assignee: Cisco Technology, Inc.
Inventor: Mahadev Somasundaram
-
Patent number: 7480305
Abstract: Disclosed are methods and apparatus for managing a registration state of an endpoint node in a network address port translation environment. A registration message is received from a first endpoint node located within a local network. The registration message is sent from the first endpoint node to a gatekeeper node, and the registration message includes a local source address of the first endpoint node, a local source port of the first endpoint node, and local call signaling information to be used by another endpoint node to initiate a data connection with the first endpoint node. The local source address of the first endpoint node is translated into a first global address. A first binding that associates the local source address with the global source address is created. The local call signaling information is translated into global call signaling information. A registration state of the first endpoint node is maintained, and the first binding is maintained based on the registration state (e.g.
Type: Grant
Filed: February 19, 2002
Date of Patent: January 20, 2009
Assignee: Cisco Technology, Inc.
Inventor: Mahadev Somasundaram
-
Patent number: 7334049
Abstract: Disclosed are methods and apparatus for performing network address translation (NAT) in a fully connected mesh with NAT virtual interface (NVI). In general terms, mechanisms (e.g., within a combination router/NAT device) are provided for translating network addresses of traffic going between two private domains or realms. These mechanisms may also be used to translate traffic going between a private and public domain. When a particular private address is translated into a public address, a binding is formed between the pre-translation address, the post-translation address, and the interface associated with the private or public address (e.g., an interface of the router/NAT device). Since bindings of different interfaces are tracked, a private address and its associated particular interface may be associated with a particular public address.
Type: Grant
Filed: December 21, 2001
Date of Patent: February 19, 2008
Assignee: Cisco Technology, Inc.
Inventors: Mahadev Somasundaram, Siva S. Jayasenan, Senthil M. Sivakumar
-
Publication number: 20070239732
Abstract: Method and system for providing improved uniform resource locator (URL) mangling performance using fast re-write including scanning a web page, detecting an absolute URL in the web page, and modifying the detected absolute URL to a corresponding relative URL in the web page, is disclosed.
Type: Application
Filed: April 5, 2006
Publication date: October 11, 2007
Applicant: Cisco Technology, Inc.
Inventors: Vineet Dixit, Siva Jayasenan, Mahadev Somasundaram
-
Patent number: 7280557
Abstract: Various techniques are described which may be used for improving traffic flows between private networks and public networks. According to one aspect of the present invention, a technique is described for implementing asymmetric routing in a NAT routing environment. Another aspect of the present invention provides a technique for implementing load balancing and resource allocation assignments among peers in a redundant, multiple NAT router environment.
Type: Grant
Filed: June 28, 2002
Date of Patent: October 9, 2007
Assignee: Cisco Technology, Inc.
Inventors: Kaushik P. Biswas, Siva S. Jayasenan, Mahadev Somasundaram, Mark A. Denny
-
Patent number: 7260649
Abstract: Disclosed are methods and apparatus for handling data sent from a first public network to a second or same public network via a private network. In general terms, network translation address mechanisms are provided within the edge routers of the private network. When a first processing node sends a request to an edge router to access another processing node which resides in a public network, the edge router forms a binding based on two addresses associated with the first processing node. A first private address is initially associated with the first processing node, and the first processing node uses this private address to communicate with the private network. A second public address is also allocated to the first processing node based on the first processing node's request to communicate with a public node. The first processing node uses the allocated second public address to communicate with the requested public node.
Type: Grant
Filed: April 16, 2002
Date of Patent: August 21, 2007
Assignee: Cisco Technology, Inc.
Inventors: Mahadev Somasundaram, Siva S. Jayasenan, Mark A. Denny
-
Publication number: 20070180533
Abstract: A method of preventing network denial of service attacks by early discard of out-of-order segments comprises creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated. As out-of-order data segments arrive on the connection, and before other processing of the segments, whether the reassembly queue is full is determined, and the out-of-order segments are discarded if the reassembly queue is full. The size of the reassembly queue is automatically changed in response to one or more changes in any of network conditions and device resources.
Type: Application
Filed: February 1, 2006
Publication date: August 2, 2007
Inventors: Anantha Ramaiah, Mahadev Somasundaram, Senthil Sivakumar
-
Patent number: 7227872
Abstract: Various techniques are described which may be used for improving traffic flows between private networks and public networks. According to one aspect of the present invention, a technique is described for implementing asymmetric routing in a NAT routing environment. Another aspect of the present invention provides a technique for implementing load balancing and resource allocation assignments among peers in a redundant, multiple NAT router environment.
Type: Grant
Filed: September 4, 2002
Date of Patent: June 5, 2007
Assignee: Cisco Technology, Inc.
Inventors: Kaushik P. Biswas, Siva S. Jayasenan, Mahadev Somasundaram, Mark A. Denny
-
Patent number: 7139841
Abstract: Disclosed are methods and apparatus for handling data containing embedded addresses. In general terms, prior to transmission of data having an embedded address or port, an initiating host sends a NAT Probe to an end-host with which the initiating host wishes to communicate. The NAT Probe includes the embedded address or port and a type indicating that translation of the address and/or port is requested if needed. As the NAT Probe traverses through one or more NAT devices as it is transmitted to the end-host, each NAT device is enabled to recognize the NAT Probe type and translate the embedded address and/or port, depending upon the individual NAT device's configuration. When the NAT Probe reaches the final hop NAT device or end-host, a NAT Probe Reply is sent back to the initiating host. The NAT Probe Reply contains a translated embedded address and/or port which is compatible with the end-host's network. The NAT Probe Reply also contains a type which differs from the type of the NAT Probe.
Type: Grant
Filed: July 24, 2002
Date of Patent: November 21, 2006
Assignee: Cisco Technology, Inc.
Inventors: Mahadev Somasundaram, Siva S. Jayasenan, Senthil Sivakumar
-
Publication number: 20060184647
Abstract: A method of modifying network identifiers at data servers is disclosed. A virtual private network (VPN) gateway server generates a Hypertext Transfer Protocol (HTTP) request. The HTTP request not only requests data from a data server that is within a VPN, but also instructs the data server to modify (“mangle”) URLs that are contained within the requested data so that the URLs refer to the VPN gateway server. The VPN gateway server sends the HTTP request toward the data server. As a result, the data server modifies the URLs so that the VPN gateway server does not need to. When such a modified URL is selected in a web browser, the web browser generates an HTTP request that is directed to the VPN gateway server's URL, which, unlike the unmodified URLs, can be resolved by domain name servers that are outside of the VPN.
Type: Application
Filed: February 16, 2005
Publication date: August 17, 2006
Inventors: Vineet Dixit, Mitesh Dalal, Amol Khare, Mahadev Somasundaram
-
Apparatus and methods for handling shared services through virtual route forwarding (VRF)-aware-NAT
Publication number: 20060013209
Abstract: Methods and apparatus for performing NAT are disclosed. Specifically, NAT is performed at a service provider network device associated with an interface of a service provider network. When a packet is sent from a VPN to a node outside the service provider network (e.g., to access a shared service), the packet includes a VPN identifier (or VRF identifier). In accordance with various embodiments, each packet includes an MPLS tag that includes the VPN identifier. The VPN identifier is stored in a translation table entry. The storing of the VPN identifier will enable a reply packet from the shared service network to the customer VPN to be routed using a routing table identified by the VPN identifier.
Type: Application
Filed: June 19, 2003
Publication date: January 19, 2006
Inventor: Mahadev Somasundaram