Abstract: A system transmits, to a hub from a first spoke, first routing information associated with the first spoke. The system receives, at the first spoke, from the hub, second routing information associated with a plurality of spokes in communication with the hub. The plurality of spokes includes a second spoke. The system resolves, at the first spoke, a next hop determination for the packet based on the second routing information received from the hub. The system routes the packet from the first spoke to the second spoke using the next hop determination.

Abstract: A method, apparatus and computer program product for providing an encrypted multipoint Virtual Private Network (VPN) service is presented. A first packet of a plurality of packets is received at an ingress provider edge (PE) the plurality of packets destined for a remote server in communication with said egress PE router. A lookup for a destination prefix of a first packet is preformed, and a determination made that a next-hop for the first packet is reachable through a mGRE tunnel. A resolution request is sent to a hub to acquire a routable IP address. The packets sent to the hub are encapsulated, and encrypting until a resolution reply is received and until security associations (SAs) have been exchanged. Then a VPN is established between the ingress and egress PEs and is used for all subsequent packets.

Abstract: A method for IP Security within Multi-Topology Routing is disclosed. Disclosed methods may also include IKE extensions. A route eligible for IPSec protection is injected into a topology routing table. Network traffic can then be protected in accordance with a security session, such as an IPSec session, between a first network node and a second network node and forwarded through a selected topology to take advantage of the service-differentiation capabilities of MTR.

Abstract: Systems and methods for using routing protocol extensions to improve spoke to spoke communication in a computer network are disclosed. Embodiments provide systems and methods to establish a tunnel between a first spoke and a hub, exchange routing information between the first spoke and the hub using a routing protocol, extend the routing protocol and an associated database to include next hop mapping information, and establish a tunnel between the first spoke and a second spoke according to information in the database.

Abstract: In one embodiment, a Home Agent receives a Mobile IP registration request from a group member, where the group member is a Mobile Node. The Home Agent generates a mobility binding for the group member that associates the group member with a care-of address, wherein the group member is a member of one or more groups. The Home Agent generates a Mobile IP registration reply, where the Mobile IP registration reply identifies one or more key servers. Each of the one or more key servers serves at least one of the one or more groups and is adapted for distributing group cryptography material to members of each group that is served by the corresponding key server. The Home Agent sends the Mobile IP registration reply to the group member, thereby enabling the group member to obtain cryptography material for at least one of the one or more groups from at least one of the one or more key servers to enable the group member to use the cryptography group material to securely communicate with other group members.

Abstract: Various embodiments of the disclosed subject matter provide methods and systems for improved efficiency in spoke-to-spoke network communication. Embodiments provide systems and methods for registering a spoke with a hub, updating at least one database with spoke registration information at the hub, and advertising the spoke registration information to other spokes using a single control plane that includes transport security, peer discovery, and unicast routing information.

Abstract: In one embodiment, group member devices may be divided into at least one cluster, wherein each cluster includes a primary key server designated to synchronize with a master key server. Each cluster further includes at least one registration server configured to communicate with member devices in the group within the cluster and to synchronize with the primary key server.

Abstract: One embodiment provides a method to interconnect virtual network segments (VNETs) defined for a local-area network (LAN) infrastructure separated by a wide-area network infrastructure. The technique involves the routing device at the LAN-WAN interconnection points to impose or dispose the VNET-shim, which encodes the VNET-id information in a Layer 4 portion of the packet. In a data plane, a new IP protocol value may be used to signify the presence of the VNET-shim followed by cryptography specific information in an IP packet. In a control plane, the routing protocol is expanded to exchange the routing information along with the VNET information.

Abstract: In an example embodiment, a method for selecting a communication path is provided. The method may comprise receiving data encapsulated in a transport protocol. In addition, a classification type and exit path information associated with the classification type may be received. The data is associated with the classification type and then is encapsulated in Stream Control Transmission Protocol (SCTP) based on the exit path information. This exit path information is associated with the classification type that is associated with the data.

Abstract: A system and method directed to carrying out dynamic secured group communication is provided. The method includes obtaining a first packet that includes a first header. The first header includes a first source address of a first source node of a first network, and a first destination address of a first destination node of the first network. The method also includes forming a frame that includes the first header in encrypted form, combining the first header and the frame to form a second packet, and forming a second header. This second header includes a second source address of a second source node of a second network, and a second destination address of a second destination node of the second network. The method further includes encapsulating the second packet with the second header to form a third packet, and communicating the third packet into the second network from the second source node for termination to the second-destination node.

Abstract: Methods and apparatus for providing a mediation device infrastructure that allows a mobile node to be tapped while roaming among and within service providers are disclosed. In one embodiment, a method includes determining when a node that is tapped by a first mediation device has moved from a first domain associated with the first mediation device into a second domain associated with a second mediation device. A first packet is sent to the second mediation device if the node has moved. The first packet provides an indication that the second mediation device is to tap the node. The method also includes opening a call data channel to the second mediation device, and receiving information from the second mediation device on the call data channel that is obtained by the second mediation device from the node. Finally, the method includes providing the information to the first mediation device.

Abstract: In one embodiment, a method can include: selecting an operation, administration, and maintenance (OAM) type for a destination, where the destination is enabled for a service insertion architecture (SIA); encapsulating an OAM packet with the OAM type indicated in a service header therein; and sending the OAM packet to the destination.

Abstract: In an embodiment, a care-of address associated with a first node coupled to a communications network via an access node is received. The care-of address may be contained in a notification message sent by a home agent associated with the first node or by a binding update message sent by the first agent. The access node is identified using the care-of address. A request to tap communications associated with the first node at the access node is generated and the request is forwarded to the access node to cause communications associated with the first node to be tapped at the access node.

Abstract: In one embodiment, a method can include: (i) sending a request to join a group to a service broker; (ii) receiving from the service broker a list of key servers servicing the group; and (iii) sending registration information to a selected one of the key servers in the list.

Abstract: In one embodiment, a technique for updating an address associated with a first entity in a communications network with a second entity in the communications network wherein the address is used to forward information to the first entity from the second entity. The first entity registers a first address associated with the first entity with the second entity. The first entity determines that a second address associated with the first entity is to be used instead of the first address to communicate with the first entity. The first entity generates an update message containing the second address, the update message obviating having to register the second address with the second entity. The first entity forwards the update message to the second entity to cause the second entity to use the second address instead of the first address to forward information to the first entity.

Abstract: In one embodiment, a QoS manager process that receives, at an EzVPN server device, connection speed data from an EzVPN client device. In addition, the QoS manager process processes, at the EzVPN server device, the connection speed data to determine a QoS policy for a communications session between the EzVPN client device and the EzVPN server device. Furthermore, the QoS manager process applies, at the EzVPN server device, the QoS policy to the communications session between the EzVPN client device and the EzVPN server device as determined by the processing of the connection speed data.

Abstract: A method, apparatus and computer program product for preventing infection propagation in a DMVPN is presented. An infected spoke router site is isolated from the DMVPN network such that the spoke router may (bi-directionally) completely or partially limit communicating with any network devices (including the hub router, any other spoke routers etc.) within the DMVPN which prevents the DMVPN melt-down, isolates a worm-infected spoke router site from the rest of the DMVPN and restricts the spread of the worm within the DMVPN network.

Abstract: An edge router (disposed between a packet-switched network and a label-switching network) is configured to receive an IKE message originating from a client on the Internet (e.g., packet-switched network) attempting to set up a tunnel. Upon receipt of the IKE message, the edge router utilizes a unique identifier in the IKE message to identify a virtual private network in the label-switching network. In lieu of terminating an IPSec tunnel at the edge router and performing a respective key exchange with the client, the edge router identifies a corresponding forwarding table associated with the virtual private network (identified by the unique identifier in the IKE message) and, based on the corresponding forwarding table, forwards the IKE message to a destination reachable via the label-switching network. The destination (e.g., a key server in a corresponding VPN) communicates with the client through the edge router to set up the tunnel.

Abstract: A system transmits, to a hub from a first spoke, first routing information associated with the first spoke. The system receives, at the first spoke, from the hub, second routing information associated with a plurality of spokes in communication with the hub. The plurality of spokes includes a second spoke. The system resolves, at the first spoke, a next hop determination for the packet based on the second routing information received from the hub. The system routes the packet from the first spoke to the second spoke using the next hop determination.

Abstract: A system provides a request for a policy from a policy server, and receives the policy from the policy server. The policy indicates processing to be applied to a traffic partition passing through the device. The system configures the policy within a routing structure associated with the traffic partition for the policy in the device, and routes a stream of traffic for the routing structure in accordance with the policy for that routing structure.