Abstract: An apparatus and/or method secures session communications between a first network (having a first encryption device configured to encrypt at least some session communications from the first network to the second network) and a second network. The apparatus and/or method receive, at the first network, given session packets of a given session between the first and second networks, and determine that at least one of the received given session packets is encrypted (“encrypted given session packet”). The given session involves a Layer 7 application that encrypted the at least one encrypted given session packet. Next, the apparatus and/or method controls, in response to determining that the given session packet is encrypted, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets. Preferably, the first encryption device encrypts none of the given session packets.

Abstract: A packet routing method and apparatus for managing packets of a bi-directional session between a first node and a second node in an IP network receives a mid-stream packet at an intermediate node. The intermediate node is not part of the bi-directional session. Next, the method identifies the bi-directional session (“identified session”) from which the mid-stream packet originated. The identified session includes a bi-directional path between the first node and the second node, while the bi-directional path includes a plurality of nodes for bi-directionally forwarding packets between the first node and the second node. The method then directs that one or more packets of the identified session be routed to at least one of the plurality of nodes of the identified session.

Abstract: A method of routing data across a network receives a session request from a client node to access at least one node in a local network having a plurality of nodes. The method also receives a client certificate (e.g., a digital certificate at least partially specified by known standards, such as the “X509 Standard”) from the client node. The client certificate has client information specifying at least one node to receive packets from the client node. Next, the method uses the client certificate to execute an authentication process. If the authentication process authenticates the client node, then the method routes data packets from the client node to at least one node in the local network as specified by the client information in the client certificate.

Abstract: A method and apparatus for routing a plurality of session packets across a network toward a destination modifies each packet to include a sequence number that is different from the sequence number of other packets in the plurality of packets. Accordingly, at this point, each of the plurality of packets is transformed into a corresponding plurality of processed packets. The method also duplicates the plurality of processed packets to produce a corresponding plurality of duplicated packets. Next, the method forwards the plurality of processed packets toward the destination using a first stateful path through the network, and correspondingly forwards the plurality of duplicated packets toward the destination using a second stateful path through the network. In preferred embodiments, the first stateful path is different from the second stateful path. For example, the two paths may be entirely distinct in that they share no common intermediary elements.

Abstract: A router is configured to be part of an administrative domain having two or more networks that each have at least one router. The router has a configuration interface permitting programming of a given configuration parameter to a local configuration setting, and an input configured to receive, from a configuration manager remote from the router, global configuration settings for a plurality of configuration parameters. For the given configuration parameter, the plurality of global configuration settings includes a different setting that is different from the local configuration setting. The configuration interface has a local configuration mode that disregards received global configuration setting changes to the given configuration parameter after programming the given configuration parameter to the local configuration setting.

Abstract: A method processes a session having a first session packet received by a current node in an IP network having a plurality of nodes. The plurality of nodes includes a next node, and the current node that communicates with the next node using a Layer 3 protocol. The method receives the first session packet, which has a digital signature, payload data, and meta-data, at the current node. The method uses the payload data and meta-data to produce validation information, and uses the digital signature to produce a comparator digital signature. Next, the method compares the validation information with the comparator digital signature. If the validation information does not match the comparator digital signature, then the method discards the first session packet. If there is a match, then the method digitally signs the first session packet, and routes the first session packet to the next node via the IP network.

Abstract: An advanced routing system and protocol (referred to herein as “Route Exchange” or “REX”) hides familiar IPv4 and IPv6 addresses and replaces traditional routing logic with words and relationships between named elements. Among other things, this makes IP routing tables significantly easier to understand. In addition, a single routing scheme can be used for any combination of private networks, public networks, IPv4 addressing models, and IPv6 addressing models. Underneath the words lie real IP addresses that move the packets from place to place. These routing addresses abstract away the underlying network.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also receives, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. The backward message includes the next node identifier and the session identifier. The intermediate node forms an association between the next node identifier and the session identifier, stores the association in memory to maintain state information for the session, and obtains (e.g., receives) additional packets of the session. Substantially all of the additional packets in the session are forwarded toward the next node using the stored association.

Abstract: A method has provides a router having an input, an output, and a shared memory. The router also has a forwarding path to forward a plurality of packets from the input to the output, and a service path to manage statistical data relating to packets forwarded through the forwarding path. The forwarding path has a counter to count aggregate packet information relating to the plurality of packets it forwards. Next, the method counts, using the counter(s), aggregate packet information relating to the packets forwarded through the forwarding path to produce count information. After producing the count information, the method uses the forwarding path to store the count information in the shared memory of the router, and then causes the service path to retrieve the count information from the shared memory. The service path ultimately produces statistical information using the count information retrieved from the shared memory.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node and also to identify source and destination port numbers assigned by the intermediate node for a possible forward association, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also may receive, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. Both the intermediate node and the next node form an association between the intermediate node identifier, the next node identifier, and the source and destination port numbers assigned by the intermediate node. This association is part of a forward association for the intermediate node and is part of a return associate for the next node.

Abstract: A method processes a session having a first session packet received by a current node in an IP network having a plurality of nodes. The plurality of nodes includes a next node, and the current node that communicates with the next node using a Layer 3 protocol. The method receives the first session packet, which has a digital signature, payload data, and meta-data, at the current node. The method uses the payload data and meta-data to produce validation information, and uses the digital signature to produce a comparator digital signature. Next, the method compares the validation information with the comparator digital signature. If the validation information does not match the comparator digital signature, then the method discards the first session packet. If there is a match, then the method digitally signs the first session packet, and routes the first session packet to the next node via the IP network.

Abstract: An apparatus and/or method secures session communications between a first network (having a first encryption device configured to encrypt at least some session communications from the first network to the second network) and a second network. The apparatus and/or method receive, at the first network, given session packets of a given session between the first and second networks, and determine that at least one of the received given session packets is encrypted (“encrypted given session packet”). The given session involves a Layer 7 application that encrypted the at least one encrypted given session packet. Next, the apparatus and/or method controls, in response to determining that the given session packet is encrypted, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets. Preferably, the first encryption device encrypts none of the given session packets.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also receives, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. The backward message includes the next node identifier and the session identifier. The intermediate node forms an association between the next node identifier and the session identifier, stores the association in memory to maintain state information for the session, and obtains (e.g., receives) additional packets of the session. Substantially all of the additional packets in the session are forwarded toward the next node using the stored association.

Abstract: A method of routing data across a network receives a session request from a client node to access at least one node in a local network having a plurality of nodes. The method also receives a client certificate (e.g., a digital certificate at least partially specified by known standards, such as the “X509 Standard”) from the client node. The client certificate has client information specifying at least one node to receive packets from the client node. Next, the method uses the client certificate to execute an authentication process. If the authentication process authenticates the client node, then the method routes data packets from the client node to at least one node in the local network as specified by the client information in the client certificate.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node and also to identify source and destination port numbers assigned by the intermediate node for a possible forward association, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also may receive, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. Both the intermediate node and the next node form an association between the intermediate node identifier, the next node identifier, and the source and destination port numbers assigned by the intermediate node. This association is part of a forward association for the intermediate node and is part of a return associate for the next node.

Abstract: An advanced routing system and protocol (referred to herein as “Route Exchange” or “REX”) hides familiar IPv4 and IPv6 addresses and replaces traditional routing logic with words and relationships between named elements. Among other things, this makes IP routing tables significantly easier to understand. In addition, a single routing scheme can be used for any combination of private networks, public networks, IPv4 addressing models, and IPv6 addressing models. Underneath the words lie real IP addresses that move the packets from place to place. These routing addresses abstract away the underlying network.

Abstract: A method processes a session having a first session packet received by a current node in an IP network having a plurality of nodes. The plurality of nodes includes a next node, and the current node that communicates with the next node using a Layer 3 protocol. The method receives the first session packet, which has a digital signature, payload data, and meta-data, at the current node. The method uses the payload data and meta-data to produce validation information, and uses the digital signature to produce a comparator digital signature. Next, the method compares the validation information with the comparator digital signature. If the validation information does not match the comparator digital signature, then the method discards the first session packet. If there is a match, then the method digitally signs the first session packet, and routes the first session packet to the next node via the IP network.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also receives, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. The backward message includes the next node identifier and the session identifier. The intermediate node forms an association between the next node identifier and the session identifier, stores the association in memory to maintain state information for the session, and obtains (e.g., receives) additional packets of the session. Substantially all of the additional packets in the session are forwarded toward the next node using the stored association.

Abstract: A method has provides a router having an input, an output, and a shared memory. The router also has a forwarding path to forward a plurality of packets from the input to the output, and a service path to manage statistical data relating to packets forwarded through the forwarding path. The forwarding path has a counter to count aggregate packet information relating to the plurality of packets it forwards. Next, the method counts, using the counter(s), aggregate packet information relating to the packets forwarded through the forwarding path to produce count information. After producing the count information, the method uses the forwarding path to store the count information in the shared memory of the router, and then causes the service path to retrieve the count information from the shared memory. The service path ultimately produces statistical information using the count information retrieved from the shared memory.

Abstract: An intermediate node obtains a lead packet of a plurality of packets in a session having a unique session identifier, modifies the lead packet to identify at least the intermediate node and also to identify source and destination port numbers assigned by the intermediate node for a possible forward association, and then forwards the lead packet toward the destination node though an intermediate node electronic output interface to the IP network. The intermediate node also may receive, through an intermediate node electronic input interface in communication with the IP network, a backward message from a next node having a next node identifier. Both the intermediate node and the next node form an association between the intermediate node identifier, the next node identifier, and the source and destination port numbers assigned by the intermediate node. This association is part of a forward association for the intermediate node and is part of a return associate for the next node.