Abstract: In one embodiment, an optical module cage includes a first opening for slidably receiving an optical module, a second opening positioned adjacent to the first opening for slidably receiving a riding heatsink separate from the optical module or an integrated heatsink connected to the optical module, and a guide rail interposed between the first opening and the second opening, wherein the guide rail is configured to support the riding heatsink and not interfere with insertion of the integrated heatsink.

Abstract: In one embodiment, an optical module cage includes a first opening for slidably receiving an optical module, a second opening positioned adjacent to the first opening for slidably receiving a riding heatsink separate from the optical module or an integrated heatsink connected to the optical module, and a guide rail interposed between the first opening and the second opening, wherein the guide rail is configured to support the riding heatsink and not interfere with insertion of the integrated heatsink.

Abstract: In one embodiment, a network communications device includes a chassis, a plurality of modules removably inserted into a plurality of slots in the chassis, at least a portion of the modules each comprising a connector for receiving coolant for cooling components on the module, a controller for controlling coolant distribution to the modules, and a leak detection system for identifying a leak of the coolant and transmitting an indication of the leak to the controller.

Abstract: In one embodiment, a computing device receives an image that has been signed with a first key, wherein the image includes a first computational value associated with it. A second computational value associated with the image is determined and the image is signed with a second key to produce a signed image that includes both the first and second computational values. Prior to loading the dual-signed image, the computing device attempts to authenticate the dual-signed image using both the first and second computational values, and, if successful, loads and installs the dual-signed image.

Abstract: In one embodiment, an apparatus includes a chassis comprising a plurality of slots for receiving a plurality of modules, a first group of the modules received in a first orientation and a second group of the modules received in a second orientation orthogonal to said first orientation, and a coolant distribution module inserted into one of the slots in the first orientation for distributing coolant to at least one of the modules in the second group of modules. A method for distributing coolant to the modules is also disclosed herein.

Abstract: In one embodiment, an apparatus includes a chassis comprising a plurality of slots for receiving a plurality of modules, a first group of the modules received in a first orientation and a second group of the modules received in a second orientation orthogonal to said first orientation, and a coolant distribution module inserted into one of the slots in the first orientation for distributing coolant to at least one of the modules in the second group of modules. A method for distributing coolant to the modules is also disclosed herein.

Abstract: An egress frame processing method, an Ethernet frame is received. Information defining an Internet Protocol (IP) tunnel between the network device and a peer network device over a public wide area network is determined. A media access control security (MACsec) policy that defines how to protect the Ethernet frame is determined based on the information defining the IP tunnel. The Ethernet frame is protected according to the MACsec policy. The following fields are appended to the protected Ethernet frame: (i) an unprotected layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol; (ii) an unprotected IP header corresponding to the IP tunnel; and (iii) an unprotected outer Ethernet header, to produce a partly protected egress frame. The partly protected egress frame is transmitted to the peer network device over the IP tunnel of the public wide area network.

Abstract: In an egress processing method, an egress frame is received. The egress frame includes an outer Ethernet frame, an Internet Protocol (IP) header, a layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol, and an inner Ethernet frame with a payload. The outer Ethernet frame, the IP header, and the inner Ethernet frame, and the L3 encapsulation are parsed. Based on results of the parsing, a media access control security (MACsec) policy that defines how to protect the inner Ethernet frame is determined, and the inner Ethernet frame is protected according to the MACsec policy, while leaving unprotected the outer Ethernet frame, the IP header, and the L3 encapsulation, to produce a partly protected output egress frame. The partly protected output egress frame is transmitted to the peer network device over a public wide area network.

Abstract: In one embodiment, a computing device receives an image that has been signed with a first key, wherein the image includes a first computational value associated with it. A second computational value associated with the image is determined and the image is signed with a second key to produce a signed image that includes both the first and second computational values. Prior to loading the dual-signed image, the computing device attempts to authenticate the dual-signed image using both the first and second computational values, and, if successful, loads and installs the dual-signed image.

Abstract: In an egress processing method, an egress frame is received. The egress frame includes an outer Ethernet frame, an Internet Protocol (IP) header, a layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol, and an inner Ethernet frame with a payload. The outer Ethernet frame, the IP header, and the inner Ethernet frame, and the L3 encapsulation are parsed. Based on results of the parsing, a media access control security (MACsec) policy that defines how to protect the inner Ethernet frame is determined, and the inner Ethernet frame is protected according to the MACsec policy, while leaving unprotected the outer Ethernet frame, the IP header, and the L3 encapsulation, to produce a partly protected output egress frame. The partly protected output egress frame is transmitted to the peer network device over a public wide area network.

Abstract: An egress frame processing method, an Ethernet frame is received. Information defining an Internet Protocol (IP) tunnel between the network device and a peer network device over a public wide area network is determined. A media access control security (MACsec) policy that defines how to protect the Ethernet frame is determined based on the information defining the IP tunnel. The Ethernet frame is protected according to the MACsec policy. The following fields are appended to the protected Ethernet frame: (i) an unprotected layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol; (ii) an unprotected IP header corresponding to the IP tunnel; and (iii) an unprotected outer Ethernet header, to produce a partly protected egress frame. The partly protected egress frame is transmitted to the peer network device over the IP tunnel of the public wide area network.

Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.

Abstract: An accurate non-Data Over Cable Service Interface Specification (non-DOCSIS) clock signal is generated at the downstream output of a DOCSIS network. In one example method, a downstream DOCSIS Timing Protocol (DTP) client in the DOCSIS network is frequency synchronized to an upstream DTP server in the DOCSIS network. DOCSIS timing information, along with one or more timing correction factors received at the DTP client, is used to time synchronize the DTP client to the DTP server. Based on the time and frequency synchronization between the DTP server and the DTP client, the clock signal is generated at the output of the DTP client in accordance with the non-DOCSIS timing protocol.

Abstract: An accurate non-Data Over Cable Service Interface Specification (non-DOCSIS) clock signal is generated at the downstream output of a DOCSIS network. In one example method, a downstream DOCSIS Timing Protocol (DTP) client in the DOCSIS network is frequency synchronized to an upstream DTP server in the DOCSIS network. DOCSIS timing information, along with one or more timing correction factors received at the DTP client, is used to time synchronize the DTP client to the DTP server. Based on the time and frequency synchronization between the DTP server and the DTP client, the clock signal is generated at the output of the DTP client in accordance with the non-DOCSIS timing protocol.

Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.

Abstract: An accurate non-Data Over Cable Service Interface Specification (non-DOCSIS) clock signal is generated at the downstream output of a DOCSIS network. In one example method, a downstream DOCSIS Timing Protocol (DTP) client in the DOCSIS network is frequency synchronized to an upstream DTP server in the DOCSIS network. DOCSIS timing information, along with one or more timing correction factors received at the DTP client, is used to time synchronize the DTP client to the DTP server. Based on the time and frequency synchronization between the DTP server and the DTP client, the clock signal is generated at the output of the DTP client in accordance with the non-DOCSIS timing protocol.

Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.

Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.

Abstract: An accurate non-Data Over Cable Service Interface Specification (non-DOCSIS) clock signal is generated at the downstream output of a DOCSIS network. In one example method, a downstream DOCSIS Timing Protocol (DTP) client in the DOCSIS network is frequency synchronized to an upstream DTP server in the DOCSIS network. DOCSIS timing information, along with one or more timing correction factors received at the DTP client, is used to time synchronize the DTP client to the DTP server. Based on the time and frequency synchronization between the DTP server and the DTP client, the clock signal is generated at the output of the DTP client in accordance with the non-DOCSIS timing protocol.