Abstract: A network device has an input configured to receive a message relating to a given user attempting to forward one or more packets across a computer network. The message has given user information relating to the given user. In addition, the routing device also has a selector, operatively coupled with the input, configured to select (after receiving the message) a given group routing policy from a plurality of group routing policies. Preferably, the selector is configured to select the given group routing policy as a function of the given user information. The routing device also has an output operatively coupled with the selector. The output is configured to cause routing of user communication across the network using link-layer routes specified by the given group routing policy.

Abstract: A method routes packets from a source to a destination across an IP network having a plurality of nodes (including the source and destination), and a plurality of network segments interconnecting the plurality of nodes. The source and destination are configured to use a given service. To those ends, the method receives information relating to the given service, and forms a path between the source and the destination. The path includes a) at least one intermediate node between the source and the destination and b) a plurality of specific network segments extending from the source to the destination. The plurality of specific network segments are a sub-set of the plurality of network segments. To form the path, the method assigns the plurality of specific network segments to the network path between the source and the destination as a function of the information relating to the given service.

Abstract: A routing system for implementing a service and topology exchange protocol (STEP) includes a primary STEP server configured to maintain a STEP repository and a plurality of routers, with each router including a STEP client in communication with the primary STEP server. The STEP client of each router is configured to transmit, using STEP, STEP documents containing service and topology state information for at least one route or service available through the router to the primary STEP server for storage in the STEP repository. The primary STEP server is configured to transmit to the STEP client of each router, using STEP, service and topology state information from the STEP repository for at least one other router based on configured relationships between routers. Each router is configured to make routing decisions based at least in part on the service and topology state information from the at least one other router.

Abstract: A routing system for distributing multicast routing information for a multicast service includes a plurality of routers including a multicast source router and a plurality of multicast receiver routers, the plurality of routers providing a multicast service, wherein the routers are configured to exchange multicast information associated with the multicast service including identification of multicast sources and the multicast receivers.

Abstract: A method and apparatus form and/or define a network topology in a Layer 3 network with a plurality of nodes, where each node has at least one interface. To that end, the method defines a plurality of neighborhoods, and assigns at least one interface of each node to at least one of the neighborhoods. The method also assigns a communication role to each interface so that each communication role is effective relative to one of the plurality of neighborhoods. The method then enables communication between the interfaces of the plurality of nodes as a function of the neighborhoods and the communication roles.

Abstract: A first router generates session establishment metrics for use in network path selection. For example, a plurality of routers connect a client device to a network service instance hosted by a server. A first router is connected to the network service instance via first and second paths. The first router receives session performance requirements for a session between the client device and the network service instance. The first router forwards, along the first path, network traffic for the session by modifying a first packet of the session to include a session identifier for the session. The first router determines that session establishment metrics for the session do not satisfy the session performance requirements. In response, the first router forwards, along the second path, the network traffic for the session by modifying a second packet of the session to include the session identifier for the session.

Abstract: A router advertises an aggregated service or route that can be evaluated by other routers as a unitary segment rather than as a group of individual links/paths associated with the aggregated service or route. The aggregated service or route can be based on service and topology state information received from one or more other routers and can be advertised with the router as the nexthop for the aggregated service or route. The router can advertise an aggregated metric for the aggregated service or route for use in such evaluation. An aggregated route can be associated with different aggregated metrics for different services.

Abstract: A method and apparatus for routing a plurality of session packets across a network toward a destination modifies each packet to include a sequence number that is different from the sequence number of other packets in the plurality of packets. Accordingly, at this point, each of the plurality of packets is transformed into a corresponding plurality of processed packets. The method also duplicates the plurality of processed packets to produce a corresponding plurality of duplicated packets. Next, the method forwards the plurality of processed packets toward the destination using a first stateful path through the network, and correspondingly forwards the plurality of duplicated packets toward the destination using a second stateful path through the network. In preferred embodiments, the first stateful path is different from the second stateful path. For example, the two paths may be entirely distinct in that they share no common intermediary elements.

Abstract: A method and apparatus for routing a plurality of session packets across a network toward a destination modifies each packet to include a sequence number that is different from the sequence number of other packets in the plurality of packets. Accordingly, at this point, each of the plurality of packets is transformed into a corresponding plurality of processed packets. The method also duplicates the plurality of processed packets to produce a corresponding plurality of duplicated packets. Next, the method forwards the plurality of processed packets toward the destination using a first stateful path through the network, and correspondingly forwards the plurality of duplicated packets toward the destination using a second stateful path through the network. In preferred embodiments, the first stateful path is different from the second stateful path. For example, the two paths may be entirely distinct in that they share no common intermediary elements.

Abstract: A method and apparatus for routing a plurality of session packets across a network toward a destination modifies each packet to include a sequence number that is different from the sequence number of other packets in the plurality of packets. Accordingly, at this point, each of the plurality of packets is transformed into a corresponding plurality of processed packets. The method also duplicates the plurality of processed packets to produce a corresponding plurality of duplicated packets. Next, the method forwards the plurality of processed packets toward the destination using a first stateful path through the network, and correspondingly forwards the plurality of duplicated packets toward the destination using a second stateful path through the network. In preferred embodiments, the first stateful path is different from the second stateful path. For example, the two paths may be entirely distinct in that they share no common intermediary elements.

Abstract: A packet routing method and apparatus for managing packets of a bi-directional session between a first node and a second node in an IP network receives a mid-stream packet at an intermediate node. The intermediate node is not part of the bi-directional session. Next, the method identifies the bi-directional session (“identified session”) from which the mid-stream packet originated. The identified session includes a bi-directional path between the first node and the second node, while the bi-directional path includes a plurality of nodes for bi-directionally forwarding packets between the first node and the second node. The method then directs that one or more packets of the identified session be routed to at least one of the plurality of nodes of the identified session.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node and also to identify source and destination port numbers assigned by the intermediate node for a possible forward association, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also may receive, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. Both the intermediate node and the next node form an association between the intermediate node identifier, the next node identifier, and the source and destination port numbers assigned by the intermediate node. This association is part of a forward association for the intermediate node and is part of a return associate for the next node.

Abstract: A method routes packets from a source to a destination across an IP network having a plurality of nodes (including the source and destination), and a plurality of network segments interconnecting the plurality of nodes. The source and destination are configured to use a given service. To those ends, the method receives information relating to the given service, and forms a path between the source and the destination. The path includes a) at least one intermediate node between the source and the destination and b) a plurality of specific network segments extending from the source to the destination. The plurality of specific network segments are a sub-set of the plurality of network segments. To form the path, the method assigns the plurality of specific network segments to the network path between the source and the destination as a function of the information relating to the given service.

Abstract: An apparatus and/or method secures session communications between a first network (having a first encryption device configured to encrypt at least some session communications from the first network to the second network) and a second network. The apparatus and/or method receive, at the first network, given session packets of a given session between the first and second networks, and determine that at least one of the received given session packets is encrypted (“encrypted given session packet”). The given session involves a Layer 7 application that encrypted the at least one encrypted given session packet. Next, the apparatus and/or method controls, in response to determining that the given session packet is encrypted, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets. Preferably, the first encryption device encrypts none of the given session packets.

Abstract: A packet routing method and apparatus for managing packets of a bi-directional session between a first node and a second node in an IP network receives a mid-stream packet at an intermediate node. The intermediate node is not part of the bi-directional session. Next, the method identifies the bi-directional session (“identified session”) from which the mid-stream packet originated. The identified session includes a bi-directional path between the first node and the second node, while the bi-directional path includes a plurality of nodes for bi-directionally forwarding packets between the first node and the second node. The method then directs that one or more packets of the identified session be routed to at least one of the plurality of nodes of the identified session.

Abstract: A method of routing data across a network receives a session request from a client node to access at least one node in a local network having a plurality of nodes. The method also receives a client certificate (e.g., a digital certificate at least partially specified by known standards, such as the “X509 Standard”) from the client node. The client certificate has client information specifying at least one node to receive packets from the client node. Next, the method uses the client certificate to execute an authentication process. If the authentication process authenticates the client node, then the method routes data packets from the client node to at least one node in the local network as specified by the client information in the client certificate.

Abstract: A method and apparatus for routing a plurality of session packets across a network toward a destination modifies each packet to include a sequence number that is different from the sequence number of other packets in the plurality of packets. Accordingly, at this point, each of the plurality of packets is transformed into a corresponding plurality of processed packets. The method also duplicates the plurality of processed packets to produce a corresponding plurality of duplicated packets. Next, the method forwards the plurality of processed packets toward the destination using a first stateful path through the network, and correspondingly forwards the plurality of duplicated packets toward the destination using a second stateful path through the network. In preferred embodiments, the first stateful path is different from the second stateful path. For example, the two paths may be entirely distinct in that they share no common intermediary elements.

Abstract: A router is configured to be part of an administrative domain having two or more networks that each have at least one router. The router has a configuration interface permitting programming of a given configuration parameter to a local configuration setting, and an input configured to receive, from a configuration manager remote from the router, global configuration settings for a plurality of configuration parameters. For the given configuration parameter, the plurality of global configuration settings includes a different setting that is different from the local configuration setting. The configuration interface has a local configuration mode that disregards received global configuration setting changes to the given configuration parameter after programming the given configuration parameter to the local configuration setting.

Abstract: A method processes a session having a first session packet received by a current node in an IP network having a plurality of nodes. The plurality of nodes includes a next node, and the current node that communicates with the next node using a Layer 3 protocol. The method receives the first session packet, which has a digital signature, payload data, and meta-data, at the current node. The method uses the payload data and meta-data to produce validation information, and uses the digital signature to produce a comparator digital signature. Next, the method compares the validation information with the comparator digital signature. If the validation information does not match the comparator digital signature, then the method discards the first session packet. If there is a match, then the method digitally signs the first session packet, and routes the first session packet to the next node via the IP network.

Abstract: An advanced routing system and protocol (referred to herein as “Route Exchange” or “REX”) hides familiar IPv4 and IPv6 addresses and replaces traditional routing logic with words and relationships between named elements. Among other things, this makes IP routing tables significantly easier to understand. In addition, a single routing scheme can be used for any combination of private networks, public networks, IPv4 addressing models, and IPv6 addressing models. Underneath the words lie real IP addresses that move the packets from place to place. These routing addresses abstract away the underlying network.