Abstract: Systems and methods for encryption in optical transport networks may include generating, at a first transponder, multiple encryption keys, each usable to encrypt a data payload in an OTN frame transmitted from the first transponder to a second transponder and storing the keys locally on the first and second transponders. The first transponder may randomly select one of the keys for encrypting a data payload of a given frame and set overhead encryption bits in a preceding frame indicating that the given frame is encrypted and identifying the randomly selected key. The first transponder may encrypt the data payload of the given frame using the randomly selected key prior to transmission. Based on the overhead bits in the preceding frame, the second transponder may decrypt the data payload of the given frame using the randomly selected key. A new key may be randomly selected for each encrypted frame.

Abstract: Systems and methods for encryption in optical transport networks may include generating, at a first transponder, multiple encryption keys, each usable to encrypt a data payload in an OTN frame transmitted from the first transponder to a second transponder and storing the keys locally on the first and second transponders. The first transponder may randomly select one of the keys for encrypting a data payload of a given frame and set overhead encryption bits in a preceding frame indicating that the given frame is encrypted and identifying the randomly selected key. The first transponder may encrypt the data payload of the given frame using the randomly selected key prior to transmission. Based on the overhead bits in the preceding frame, the second transponder may decrypt the data payload of the given frame using the randomly selected key. A new key may be randomly selected for each encrypted frame.

Abstract: Methods and systems for encryption control in optical networks without data loss enable various transitions related to encryption of an ODU data payload. A transition from unencrypted data payload to encrypted data payload is performed without data loss or dropping of OTN frames. A transition from encrypted data payload to unencrypted data payload is performed without data loss or dropping of OTN frames. A rotation of the encryption key to another encryption key is also performed without data loss or dropping of OTN frames.

Abstract: Methods and systems for simplified encryption key generation in optical networks use a Transport Layer Security (TLS) protocol to securely generate an encryption key at both endpoints of an optical path provisioned in an optical transport network. Instead of generating yet another key for payload data transmission, the encryption key from TLS is used for encrypting payload data transmission without using the TLS protocol.

Abstract: Methods and systems may use optical transport network overhead data for encryption. In particular, specific overhead encryption bits and other encryption data may be stored in an OTN header and used for signaling between a transmitter and a receiver for encrypted transmission without lost data frames.

Abstract: Methods and systems for simplified encryption key generation in optical networks use a Transport Layer Security (TLS) protocol to securely generate an encryption key at both endpoints of an optical path provisioned in an optical transport network. Instead of generating yet another key for payload data transmission, the encryption key from TLS is used for encrypting payload data transmission without using the TLS protocol.

Abstract: Methods and systems for encryption control in optical networks without data loss enable various transitions related to encryption of an ODU data payload. A transition from unencrypted data payload to encrypted data payload is performed without data loss or dropping of OTN frames. A transition from encrypted data payload to unencrypted data payload is performed without data loss or dropping of OTN frames. A rotation of the encryption key to another encryption key is also performed without data loss or dropping of OTN frames.

Abstract: Methods and systems may use optical transport network overhead data for encryption. In particular, specific overhead encryption bits and other encryption data may be stored in an OTN header and used for signaling between a transmitter and a receiver for encrypted transmission without lost data frames.

Abstract: A method may include monitoring available aggregate bandwidth of a network element and determining if the available aggregate bandwidth is sufficient to communicate traffic at a rate equal to an aggregate sum of committed information rates for a plurality of classes of traffic. If the available aggregate bandwidth is sufficient to communicate traffic at the rate equal to the aggregate sum of committed information rates for a plurality of classes of traffic, traffic may be communicated for each of the plurality of classes in accordance with the respective committed information rate for each class. Otherwise, traffic may be communicated for each of the plurality of classes in an amount proportional to the respective committed information rate for a particular class and the available aggregate bandwidth.

Abstract: A method may include: (i) provisioning a first network-side interface of a first plug-in unit and a second network-side interface of a second plug-in unit as members of a network-side protection group, the first plug-in unit and the second plug-in unit integral to an adaptation layer network element; (ii) provisioning a first client-side interface of the first plug-in unit and a second client-side interface of the second plug-in unit as members of a client-side protection group; (iii) designating one of the first and second network-side interface as an active network-side interface of the network-side protection group; and (iv) designating one of the first second client-side interface as an active client-side interface of the client-side protection group, such that traffic ingressing on the active network-side interface may egress on the active client-side interface and traffic ingressing on the active client-side interface may egress on the active network-side interface.

Abstract: According to one embodiment, a method may include receiving a frame via an ingress port of a network element. The method may also include assigning a virtual destination address to the frame of the traffic. The method may further include internally switching the frame within the network element based on the virtual destination address. The method may additionally include modifying the virtual destination address one or more times such that the virtual destination address is translated to an actual destination address identifying an actual egress port of the network element. Moreover, the method may include routing the frame to an egress port of the network element based on the actual destination address.

Abstract: According to one embodiment, a method may include assigning a virtual local area network (VLAN) ingress connection identifier (iXid) to a frame upon ingress. The method may also include classifying a traffic flow for which the frame is a part through ingress engines of the network element based on the iXid. The method may further include swapping the iXid for an egress connection identifier (eXid) in the frame. The method may additionally include policing or shaping the traffic flow based on at least one of the iXid and the eXid. Moreover, the method may include classifying the traffic flow through egress engines of the network element based on the eXid.

Abstract: A method may include provisioning: a first flow from a client-side port to a network-side port of the plug-in unit; a second flow from the network-side port to the client-side port; a third flow from the network-side port to a mate link configured to interface with a fourth flow from the mate link to a second client-side port of the second plug-in unit; a fifth flow from the mate link to the network-side port configured to interface with a sixth flow from the second client-side port to the mate link; a seventh flow from the client-side port to the mate link configured to interface with an eighth flow from the mate link to a second network-side port of the second plug-in unit; and a ninth flow from the mate link to the client-side port configured to interface with a tenth flow from the second network-side port to the mate link.

Abstract: A method for configuring admission control of service instances in a network element may include: (i) reading a pre-determined maximum service-idle utilization of a processor approximately equal to maximum utilization of the processor in the absence of services executing on the processor; (ii) reading, for each particular service instance of a desired configuration of service instances, a pre-determined maximum utilization of the processor associated with the particular service instance; (iii) calculating an aggregate maximum utilization for the desired configuration, based on the pre-determined maximum service-idle utilization and the pre-determined maximum utilizations for each of the particular service instances; (iv) determining whether the aggregate maximum utilization is greater than a threshold maximum utilization for the processor; (v) allowing or denying the desired configuration based on the determination.

Abstract: According to one embodiment, methods and systems may be configured to support client-to-network, network-to-client, and network-to-network flows in a network element including multiple plug-in units. Such support may include policing and shaping flows as aggregates across plug-in units, combining outputs of two upstream traffic managers to network ports on two plug-in units, combining network flows that ingress two plug-in units, and shaping traffic to client ports.

Abstract: A method may include: (i) provisioning a first network-side interface of a first plug-in unit and a second network-side interface of a second plug-in unit as members of a network-side protection group, the first plug-in unit and the second plug-in unit integral to an adaptation layer network element; (ii) provisioning a first client-side interface of the first plug-in unit and a second client-side interface of the second plug-in unit as members of a client-side protection group; (iii) designating one of the first and second network-side interface as an active network-side interface of the network-side protection group; and (iv) designating one of the first second client-side interface as an active client-side interface of the client-side protection group, such that traffic ingressing on the active network-side interface may egress on the active client-side interface and traffic ingressing on the active client-side interface may egress on the active network-side interface.

Abstract: A method for configuring admission control of service instances in a network element may include: (i) reading a pre-determined maximum service-idle utilization of a processor approximately equal to maximum utilization of the processor in the absence of services executing on the processor; (ii) reading, for each particular service instance of a desired configuration of service instances, a pre-determined maximum utilization of the processor associated with the particular service instance; (iii) calculating an aggregate maximum utilization for the desired configuration, based on the pre-determined maximum service-idle utilization and the pre-determined maximum utilizations for each of the particular service instances; (iv) determining whether the aggregate maximum utilization is greater than a threshold maximum utilization for the processor; (v) allowing or denying the desired configuration based on the determination.

Abstract: A method may include provisioning: a first flow from a client-side port to a network-side port of the plug-in unit; a second flow from the network-side port to the client-side port; a third flow from the network-side port to a mate link configured to interface with a fourth flow from the mate link to a second client-side port of the second plug-in unit; a fifth flow from the mate link to the network-side port configured to interface with a sixth flow from the second client-side port to the mate link; a seventh flow from the client-side port to the mate link configured to interface with an eighth flow from the mate link to a second network-side port of the second plug-in unit; and a ninth flow from the mate link to the client-side port configured to interface with a tenth flow from the second network-side port to the mate link.

Abstract: A method may include monitoring available aggregate bandwidth of a network element and determining if the available aggregate bandwidth is sufficient to communicate traffic at a rate equal to an aggregate sum of committed information rates for a plurality of classes of traffic. If the available aggregate bandwidth is sufficient to communicate traffic at the rate equal to the aggregate sum of committed information rates for a plurality of classes of traffic, traffic may be communicated for each of the plurality of classes in accordance with the respective committed information rate for each class. Otherwise, traffic may be communicated for each of the plurality of classes in an amount proportional to the respective committed information rate for a particular class and the available aggregate bandwidth.

Abstract: According to one embodiment, a method may include receiving a frame via an ingress port of a network element. The method may also include assigning a virtual destination address to the frame of the traffic. The method may further include internally switching the frame within the network element based on the virtual destination address. The method may additionally include modifying the virtual destination address one or more times such that the virtual destination address is translated to an actual destination address identifying an actual egress port of the network element. Moreover, the method may include routing the frame to an egress port of the network element based on the actual destination address.