Abstract: Apparatus, methods and computer programs enable carrying service insertion architecture data plane packets in IPv4 or IPv6 networks by packaging destination addresses using IPv6 mechanisms. For example, a data processing apparatus is configured for receiving, from a service broker, a service label and an Internet Protocol version 6 (IPv6) address of a first service node; receiving an IPv4 packet requesting a service associated with the first service node; creating an IPv6 packet comprising a service label in a Flow Label field of the IPv6 packet, the IPv6 address of the first service node in a destination address field of the IPv6 packet, and the IPv4 packet in a payload field of the IPv6 packet; forwarding the IPv6 packet to the first service node. Approaches allow service insertion architecture support for all-IPv6 traffic including tunneled and non-tunneled techniques for environments in which user applications place data in the flow label field.

Abstract: In an example embodiment, a method for selecting a communication path is provided. The method may comprise receiving data encapsulated in a transport protocol. In addition, a classification type and exit path information associated with the classification type may be received. The data is associated with the classification type and then is encapsulated in Stream Control Transmission Protocol (SCTP) based on the exit path information. This exit path information is associated with the classification type that is associated with the data.

Abstract: In one embodiment, a network device joins a first multicast tree to receive post-ad-inserted video content. The network device also joins a second multicast tree to receive the pre-ad-inserted video content. The content from the first multicast tree is forwarded by the network device to the receiver(s). The network device determines if it does not receive the content on the first multicast tree due to any failure, in which case, it delivers the content from the second multicast tree to the receiver(s). This enables the receiver to receive the original (pre-ad-inserted) content during the failure in first multicast tree. When the failure is resolved, the network device can go back to sending the content from the first multicast tree to the receiver(s).

Abstract: Apparatus, methods, and other embodiments associated with providing service insertion architecture (SIA) differentiated services in a virtual private network (VPN) environment are described. Embodiments may provision an authentication, authorization, and accounting (AAA) server with user-to-SIA service-context mapping information. With the AAA server provisioned, embodiments may acquire, in an IPSec VPN hub, during IPSec tunnel user authentication, from the AAA server, the user-to-SIA service-context mapping information. With the mapping information available, embodiments may dynamically map an SIA service to an IPSec VPN tunnel user based on the service information acquired from the Service Broker or Pseudo-Service Broker.

Abstract: Methods and apparatus for providing a mediation device infrastructure that allows a mobile node to be tapped while roaming among and within service providers are disclosed. In one embodiment, a method includes determining when a node that is tapped by a first mediation device has moved from a first domain associated with the first mediation device into a second domain associated with a second mediation device. A first packet is sent to the second mediation device if the node has moved. The first packet provides an indication that the second mediation device is to tap the node. The method also includes opening a call data channel to the second mediation device, and receiving information from the second mediation device on the call data channel that is obtained by the second mediation device from the node. Finally, the method includes providing the information to the first mediation device.

Abstract: A system and method directed to carrying out dynamic secured group communication is provided. The method includes: obtaining a first packet that includes a first header; forming a frame that includes the first header in encrypted form; combining the first header and the frame to form a second packet and forming a second header; encapsulating the second packet with the second header to form a third packet, and communicating the third packet into the second network from the second source node for termination to the second-destination node. The first header includes a first source address of a first source node of a first network, and a first destination address of a first destination node of the first network. The second header includes a second source address of a second source node of a second network, and a second destination address of a second destination node of the second network.

Abstract: Various embodiments of the disclosed subject matter provide methods and systems for improved efficiency in spoke-to-spoke network communication. Embodiments provide systems and methods for registering a spoke with a hub, updating at least one database with spoke registration information at the hub, and advertising the spoke registration information to other spokes using a single control plane that includes transport security, peer discovery, and unicast routing information.

Abstract: An example method includes receiving a request for a cloud capability set during an Internet Key Exchange negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities, mapping the request to one or more cryptographic modules that can support the cloud capability set, and offloading the VPN tunnel to the one or more cryptographic modules. The request can be an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload. The method may further include splitting the VPN tunnel between the cryptographic modules if no single cryptographic module can support substantially all the cloud capabilities in the cloud capability set. In some embodiments, the request is compared with a service catalog comprising authorized cloud capabilities.

Abstract: In one example, an Edge Quadrature Amplitude Modulation (EQAM) communicates EQAM information to a Modular Cable Modem Termination System (M-CMTS) core using a routing protocol that is configured on a packet switched network coupling the EQAM to the M-CMTS core. The EQAM generates a routing message according to the routing protocol and inserts EQAM information, such as a description of a modulated channel extending from the EQAM, the service-group information, etc., into the routing message. The EQAM then floods the EQAM information over at least portions of a routing domain by transmitting the routing message to an adjacent intermediary device.

Abstract: In one embodiment, a rekey distribution process transmits, from a key server, a multicast probe message intended to be received by at least one group member device. The rekey distribution process also receives, at the key server, an acknowledgement message from each group member device that received the multicast probe message. In turn, the rekey distribution process transmits, from the key server, a multicast rekey data message intended to be received by each group member device from which the key server received an acknowledgment message. Furthermore, the rekey distribution process transmits, from the key server, a unicast rekey data message to each group member device from which the key server did not receive an acknowledgment message.

Abstract: In one embodiment, a QoS manager process that receives, at an EzVPN server device, connection speed data from an EzVPN client device. In addition, the QoS manager process processes, at the EzVPN server device, the connection speed data to determine a QoS policy for a communications session between the EzVPN client device and the EzVPN server device. Furthermore, the QoS manager process applies, at the EzVPN server device, the QoS policy to the communications session between the EzVPN client device and the EzVPN server device as determined by the processing of the connection speed data.

Abstract: In one example, an Edge Quadrature Amplitude Modulation (EQAM) communicates EQAM information to a Modular Cable Modem Termination System (M-CMTS) core using a routing protocol that is configured on a packet switched network coupling the EQAM to the M-CMTS core. The EQAM generates a routing message according to the routing protocol and inserts EQAM information, such as a description of a modulated channel extending from the EQAM, the service-group information, etc, into the routing message. The EQAM then floods the EQAM information over at least portions of a routing domain by transmitting the routing message to an adjacent intermediary device.

Abstract: In one embodiment, group member devices may be divided into at least one cluster, wherein each cluster includes a primary key server designated to synchronize with a master key server. Each cluster further includes at least one registration server configured to communicate with member devices in the group within the cluster and to synchronize with the primary key server.

Abstract: In one embodiment, a method can include: (i) sending a request to join a group to a service broker; (ii) receiving from the service broker a list of key servers servicing the group; and (iii) sending registration information to a selected one of the key servers in the list.

Abstract: In one embodiment, a Home Agent receives a Mobile IP registration request from a group member, where the group member is a Mobile Node. The Home Agent generates a mobility binding for the group member that associates the group member with a care-of address, wherein the group member is a member of one or more groups. The Home Agent generates a Mobile IP registration reply, where the Mobile IP registration reply identifies one or more key servers. Each of the one or more key servers serves at least one of the one or more groups and is adapted for distributing group cryptography material to members of each group that is served by the corresponding key server. The Home Agent sends the Mobile IP registration reply to the group member, thereby enabling the group member to obtain cryptography material for at least one of the one or more groups from at least one of the one or more key servers to enable the group member to use the cryptography group material to securely communicate with other group members.

Abstract: Systems and methods for using routing protocol extensions to improve spoke to spoke communication in a computer network are disclosed. Embodiments provide systems and methods to establish a tunnel between a first spoke and a hub, exchange routing information between the first spoke and the hub using a routing protocol, extend the routing protocol and an associated database to include next hop mapping information, and establish a tunnel between the first spoke and a second spoke according to information in the database.

Abstract: A method, apparatus and computer program product for preventing infection propagation in a DMVPN is presented. An infected spoke router site is isolated from the DMVPN network such that the spoke router may (bi-directionally) completely or partially limit communicating with any network devices (including the hub router, any other spoke routers etc.) within the DMVPN which prevents the DMVPN melt-down, isolates a worm-infected spoke router site from the rest of the DMVPN and restricts the spread of the worm within the DMVPN network.

Abstract: One embodiment provides a method to interconnect virtual network segments (VNETs) defined for a local-area network (LAN) infrastructure separated by a wide-area network infrastructure. The technique involves the routing device at the LAN-WAN interconnection points to impose or dispose the VNET-shim, which encodes the VNET-id information in a Layer 4 portion of the packet. In a data plane, a new IP protocol value may be used to signify the presence of the VNET-shim followed by cryptography specific information in an IP packet. In a control plane, the routing protocol is expanded to exchange the routing information along with the VNET information.

Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with automated discovery of network devices supporting particular transport layer protocols, such as, but not limited to Stream Control Transmission Protocol (SCTP). Packet switching devices automatically discover peer packet switching devices supporting a particular transport layer protocol, and then establish a session using the particular transport layer protocol between them for subsequent use in transporting packets.

Abstract: A system and method directed to carrying out dynamic secured group communication is provided. The method includes: obtaining a first packet that includes a first header; forming a frame that includes the first header in encrypted form; combining the first header and the frame to form a second packet and forming a second header; encapsulating the second packet with the second header to form a third packet, and communicating the third packet into the second network from the second source node for termination to the second-destination node. The first header includes a first source address of a first source node of a first network, and a first destination address of a first destination node of the first network. The second header includes a second source address of a second source node of a second network, and a second destination address of a second destination node of the second network.