Abstract: Method, apparatus, and system for isolating potentially vulnerable nodes of a network. In one embodiment a network is partitioned into subnets of varying levels of security. A client device may be assigned a network access assignment through one of the subnets based on a level of vulnerability assessed for the client device. The level of vulnerability may be determined based on compliance of the client device with available upgrades and/or patches.

Abstract: A method and apparatus for sorting packets by packet schedulers using a connected trie data structure is described. According to one embodiment of the invention, the packet scheduler receives a packet on a network and assigns the packet a time stamp value. The packet is inserted into a trie data structure that represents a scheduling horizon and includes a plurality of packets. The packet scheduler transmits the packet over the network based on its sorted order within the trie data structure.

Abstract: A technique for self-isolation of a network device that has been identified as potentially harmful. The network device may be isolated from the network except for an out-of-band communication channel that can be used for management purposes to restore or repair the device prior to the network connection being re-established.

Abstract: Method and Apparatuses for determining integrity of a platform and notifying a remote system. In one embodiment a verification agent accesses a portion of a memory on the platform at initialization of the platform to determine if the data has been compromised or corrupted. The verification agent causes the information to be transmitted to a remote system. The verification agent may be local to the platform for which integrity is determined, and transmit the information to a remote administrator. Alternatively, the agent may access the platform over a bus or private channel, or a network connection and indicate information regarding the verification process to an entity remote to the tested platform.

Abstract: A method and apparatus for cross validation of data using multiple subsystems are described. According to one embodiment of the invention, a computer comprises a first subsystem and a second subsystem; and a memory, the memory comprising a first memory region and a second memory region, the first memory region being associated with the first subsystem and a second memory region being associated with the second subsystem; upon start up of the computer, the first subsystem to validate the second memory region and the second subsystem to validate the first memory region.

Abstract: Techniques for self-isolation of a network device that has been identified as potentially harmful. The network device may be isolated from the network except for an out-of-band communication channel that can be used for management purposes to restore or repair the device prior to the network connection being re-established.

Abstract: A method and apparatus for two-stage packet classification. In the first stage, which may be implemented in software, a packet is classified on the basis of the packet's network path and, perhaps, its protocol. In the second stage, which may be implemented in hardware, the packet is classified on the basis of one or more transport level fields of the packet. An apparatus of two-stage packet classification may include a processing system for first stage code execution, a classification circuit for performing the second stage of classification, and a memory to store a number of bins, each bin including one or more rules.

Abstract: Cooperative embedded agents as well as manageability and security operations that can be performed on a host system having cooperative embedded agents are disclosed.

Abstract: Methods and apparatuses associated with sharing cryptographic keys in a network domain. An embedded agent on a network endpoint participates in the distribution of cryptographic keys. In one embodiment the embedded agent receives and stores a shared symmetric key, as do embedded agents on other network endpoints in the same network domain. The embedded agent causes the shared key to be stored in a secure storage not directly accessible by the host. When the host wants to transmit enciphered data, the embedded agent may provide access to cryptographic services. The embedded agent provides isolation of the shared key from parts of the host that are subject to compromise by attack or infection.

Abstract: A method and apparatus for two-stage packet classification, the two-stage packet classification scheme including a first stage and a second stage. In the first classification stage, a packet is classified on the basis of the packet's network path. In the second stage of classification, the packet is classified on the basis of one or more transport (or other) fields of the packet. Also disclosed are embodiments of most specific filter matching and transport level sharing, and either one or both of these techniques may be implemented in the two-stage classification method.

Abstract: A method and system for maintenance of packet order using caching is described. Packets that are part of a sequence are received at a receive element. The packets are processed by one or more processing modules. A re-ordering element then sorts the packets of the sequence to ensure that the packets are transmitted in the same order as they were received. When a packet of a sequence is received at the re-ordering element, the re-ordering element determines if the received packet is the next packet in the sequence to be transmitted. If so, the packet is transmitted. If not, the re-ordering element stores the packet in a local memory if the packet fits into the local memory. Otherwise, the packet is stored in the non-local memory. The stored packet is retrieved and transmitted when the stored packet is the next packet in the sequence to be transmitted.

Abstract: A method and system for maintaining partial order of packets in packet processing modules is described. The system includes a memory and a plurality of packet processing modules to process packets that are part of a sequence in order. The memory stores a plurality of indicators, each indicator associated with one of the plurality of packet processing modules to identify which packets in the sequence are to be processed by the packet processing module and which packets in the sequence are to be skipped. The next packet in the sequence to be processed by the packet processing module is determined based on the stored indicators. A packet received at the packet processing module is processed if the packet is the next packet in the sequence to be processed.

Abstract: A packet classifier having a forest of hash tables data structure. The forest of hash tables data structure includes a number of hash tables, each hash table having a bit mask corresponding to an equivalent set of rules. Each hash table includes a number of entries, wherein an entry of a hash table may correspond to a rule. One or more of the hash tables may include a marker in one entry, wherein the marker identifies another one of the hash tables. The hash table identified by the marker is a descendant of the hash table in which the marker is placed.

Abstract: A method and apparatus for use with a computer system are disclosed. A packet is received that includes a header. The header indicates at least one characteristic that is associated with a layer of a protocol stack, and the layer is hierarchically no lower than a network layer. The packet is parsed in hardware to extract the characteristic(s), and the packet is processed based on the parsing. The computer system may be capable of executing software of a protocol stack to extract the characteristic(s) of the packet, and the apparatus may include an interface and a circuit. The interface may be adapted to receive the packet, and the circuit may be adapted to parse the header to extract the characteristic(s) without causing the computer to execute the software and process the packet based on the extracted characteristic(s).

Abstract: According to some embodiments, routing information for an information packet is determined in accordance with a destination address and a device address.