Abstract: The present invention permits translation of SM addresses (*, G1) and (*, G2) to configurable SSM addresses (S0, G0). IGMPv2 group membership queries from the receiver subnet are translated to IGMPv3 membership queries for processing in a SSM network. In the preferred embodiment, packets travel via a connection to the multicast router (mrouter). The mrouter queries an IGMPv2 receiver. The IGMPv2 receiver generates a membership report and sends it back to the mrouter. The mrouter translates the membership report into a (S0, G0) as specified in a multicast address translation table and stores the translation in the Multicast Forward Information Base (MFIB) located in the mrouter. Multicast payload addressed (S0, G0) flowing towards the IGMPv2 receiver can be translated to (S0, G0). When media data is addressed to (S0, G0), the mrouter consults the MFIB for forwarding and can also translate the destination address to (S1, G1).

Abstract: This invention provides a tool for generating ACLs in an environment where a set of network elements or servers (e.g. web servers, IPTV servers, application servers . . . ) need to be secure. The tool also performs ACL validation to ensure that the filtering rules are correct before they are deployed in a network. The system enables a central view of the security configuration concerning the filtering rules in the network. Furthermore, it allows end-to-end configuration of the ACL rules, from the definition of the flows between the servers to the deployment of the rules on the network elements.

Abstract: Systems and methods of providing secure signaling for voice communications over a public switched voice network (PSTN) are described. The call signaling is received at a first secure voice signaling gateway (SVSG) in which it is encrypted utilizing a security key. The encrypted payload is tunneled from the first SVSG to a second SVSG at a destination network element. The destination SVSG decrypts the payload and passes it on to the destination. According to the invention the communication can be either masqueraded in which the address of the first SVSG is given as the origin or non-masqueraded in which the actual original of the voice communication is retained.

Abstract: A distributed authentication framework is presented. The framework includes an authentication stack that is created by an authentication server. The server receives an authentication request from an end-user, the request including an authentication domain ID that distinguishes the end-user. The authentication stack has entries that trigger local or remote specific authentication actions providing respective results. When the results are consolidated the authentication status of the end-user is determined.

Abstract: The present invention permits translation of SM addresses (*, G1) and (*, G2) to configurable SSM addresses (S0, G0). IGMPv2 group membership queries from the receiver subnet are translated to IGMPv3 membership queries for processing in a SSM network. In the preferred embodiment, packets travel via a connection to the multicast router (mrouter). The mrouter queries an IGMPv2 receiver. The IGMPv2 receiver generates a membership report and sends it back to the mrouter. The mrouter translates the membership report into a (S0, G0) as specified in a multicast address translation table and stores the translation in the Multicast Forward Information Base (MFIB) located in the mrouter. Multicast payload addressed (S0, G0) flowing towards the IGMPv2 receiver can be translated to (S0, G0). When media data is addressed to (S0, G0), the mrouter consults the MFIB for forwarding and can also translate the destination address to (S1, G1).

Abstract: The present invention provides adequate service virtualization and compartmentalization in Network Management Systems for heterogeneous Network Elements to provide interoperability. It introduces a generic mediation layer that can be added to each Network Element that does not provide a network compartmentalization model that is compatible with the one used by the Network Management System. The mediation layer acts as a reverse proxy for the Network Management System to provide an operator with transparent access to an appropriate Management Service. The present invention is also instrumental in providing a high level of security in such hybrid networks.

Abstract: This invention provides a tool for generating ACLs in an environment where a set of network elements or servers (e.g. web servers, IPTV servers, application servers . . . ) need to be secure. The tool also performs ACL validation to ensure that the filtering rules are correct before they are deployed in a network. The system enables a central view of the security configuration concerning the filtering rules in the network. Furthermore, it allows end-to-end configuration of the ACL rules, from the definition of the flows between the servers to the deployment of the rules on the network elements.

Abstract: The Time to Live (TTL) field in an IP header is used as a covert channel in a communication system. More particularly the TTL field can be used to selectively mark packets with unique identifiers as they pass through an upstream station on their way to a downstream station. In this way the source of a traffic flow at least within a particular domain can be absolutely identified. This method of performing a traceback operation doesn't utilize additional resources as it relies on functionality which already exists in the system.

Abstract: The invention concerns a method for operating a packet communication network node, in particular an IP router, comprising the following steps: a) reception by the node of a packet (10) from the network; b) reception by the node of an information (13) independent of the protocols of the OSI layers 5 through 7 even of the OSI layers 4 through 7 of the packet and concerning at least one of the following characteristics: the type of data transported in the packet, the transmission source of the data transported in the packet other than the network address of the transmission source of the packet, and the recipient of the data transported in the packet other than the network address of the transmission source of the packet; c) processing by the node of the packet (10) on the basis of said description. It is advantageous that said information is contained in the packet itself.

Abstract: Systems and methods of providing secure signaling for voice communications over a public switched voice network (PSTN) are described. The call signaling is received at a first secure voice signaling gateway (SVSG) in which it is encrypted utilizing a security key. The encrypted payload is tunneled from the first SVSG to a second SVSG at a destination network element. The destination SVSG decrypts the payload and passes it on to the destination. According to the invention the communication can be either masqueraded in which the address of the first SVSG is given as the origin or non-masqueraded in which the actual original of the voice communication is retained.

Abstract: A distributed authentication framework is presented. The framework includes an authentication stack that is created by an authentication server. The server receives an authentication request from an end-user, the request including an authentication domain ID that distinguishes the end-user. The authentication stack has entries that trigger local or remote specific authentication actions providing respective results. When the results are consolidated the authentication status of the end-user is determined.

Abstract: The Time to Live (TTL) field in an IP header is used as a covert channel in a communication system. More particularly the TTL field can be used to selectively mark packets with unique identifiers as they pass through an upstream station on their way to a downstream station. In this way the source of a traffic flow at least within a particular domain can be absolutely identified. This method of performing a traceback operation doesn't utilize additional resources as it relies on functionality which already exists in the system.

Abstract: The operating process for an active node (1) of a packet-switched communication network, and in particular of an active IP router, includes the following successive steps: a) receipt of an active packet sent by a terminal (2); b) execution of a request contained in the active packet, this request being intended to configure packet processing functions; c) and then execution of a program contained or identified in the active packet, this program being intended to control packet processing functions. The active packet can also be sent by the router to a recipient terminal (3). The invention also proposes an active node, in particular an IP router, implementing the process. The invention also proposes a data packet which includes a request and a program or an identifier for a program, the request and the program being intended for execution by an active node.

Abstract: The present invention provides adequate service virtualization and compartmentalization in Network Management Systems for heterogeneous Network Elements to provide interoperability. It introduces a generic mediation layer that can be added to each Network Element that does not provide a network compartmentalization model that is compatible with the one used by the Network Management System. The mediation layer acts as a reverse proxy for the Network Management System to provide an operator with transparent access to an appropriate Management Service. The present invention is also instrumental in providing a high level of security in such hybrid networks.

Abstract: The invention relates to network equipment (E1, E2, E3) for transmitting data packets, some of which contain requests for a service implemented by a plurality of servers (S1, S2, S3), which network equipment is characterized in that it includes means for receiving data packets containing or referring to executable code adapted to distribute said service requests among said plurality of servers and means for deciding to transmit said data packets to another network equipment or to execute said executable code.