Abstract: In mobile IP networks, when a mobile node (MN) moves from one cell to another, handover occurs. The result of the handover is that the MN connects to the network through a new access router (AR). The handover may occur between access routers of the same or different administrative domains. In all cases, the information related to the mobile node has to be transferred from the old AR to the new AR in order to minimize the effect of the change of access routers.

Abstract: A method and system for adding and monitoring a server to an existing server pool are disclosed. A joining server registers with a server within the server pool. The joining server is authenticated by a server within the server pool. When the joining server receives the list of all active servers within the server pool, the joining server computes a new identification for itself, assigns that identification to itself, and then determines a caretaker server to monitor the joining server. Once the registration is successful, the newly joined server can communicate within the server pool and keep current of all events and changing conditions of the server pool.

Abstract: In mobile IP networks, when a mobile node (MN) moves from one cell to another, handover occurs. The result of the handover is that the MN connects to the network through a new access router (AR). The handover may occur between access routers of the same or different administrative domains. In all cases, the information related to the mobile node has to be transferred from the old AR to the new AR in order to minimize the effect of the change of access routers.

Abstract: In mobile IP networks, when a mobile node (MN) 101 moves from one cell to another, handover occurs. The result of the handover is that the MN 101 connects to the network through a new access router (AR) 162. The handover may occur between access routers of the same or different administrative domains. In all cases, the information related to the MN 101 has to be transferred from the old AR 185 to the new AR 162 in order to minimize the effect of the change of access routers.

Abstract: An access-point node to a first network cell of a radio access network, to an access-center node and to a radio access network enable local service providers in rural areas to provide mobile telecommunication at low cost for end users. The access-point node of the invention is configured to establish, maintain, and release a local user-data radio channel, which consists of a first local channel section having as endpoints a first terminal device located in the network cell and the access-point node, and of a second local channel section having as endpoints the access-point node and a second terminal device located in the network cell. The access-point node is configured to exchange packetized user data and control data with an assigned superordinate access-center node for establishing, maintaining and releasing communication between the first terminal device and a third terminal device located outside the network cell. Link cost between the radio access network and the core network may be strongly reduced.

Abstract: Systems and methods are provided for managing and distributing keys between routers using protocol exchange messages between routers as key distribution vehicles. According to one embodiment of the invention, a router of an autonomous system uses its private key to send cryptographic information associated with another router to a peer router as part of its protocol exchange messages. The peer router is able to extract the cryptographic information and store it in a look-up table. Such protocol exchange messages may occur as part of an Interior Gateway Protocol or an Exterior Gateway Protocol. According to another embodiment of the invention, a chain authentication system is created as boundary routers of autonomous systems having a trust relationship share cryptographic information for other autonomous systems as part of protocol exchange messages for the exterior gateway protocol.

Abstract: A communications system and method for dynamically creating at least one pinhole in a firewall are provided. The communications system includes a protected node capable of initiating a communication session with an outside node. In this regard, the protected node is capable of receiving flow parameters regarding the communication session as the communication session is setup. The system also includes a firewall disposed along a communications path between the protected node and the outside node. The protected node is capable of sending at least a portion of the flow parameters to a firewall-controlled proxy, which in turn, is capable of forwarding the portion of the flow parameters to the firewall. Thereafter, the firewall is capable of creating at least one pinhole based upon the portion of the flow parameters to thereby permit the transmission of information between the outside node and the protected node during the communication session.

Abstract: Disclosed is a method for routing data packets, as is a data packet router (10) that operates in accordance with the invention. The method includes establishing an ingress filter (20) in individual ones of a plurality of line cards (14) installed within a router and automatically maintaining a content of an ingress filter table (20A) of each ingress filter in each line card at least partially in accordance with data packets passing through individual ones of the line cards, where the content includes an identification of source addresses of hosts (16) coupled to the router. The method further compares a source address of an incoming packet to a line card to the content of the ingress filter table of that line card, and is thus enabled to detect the presence of an IP packet containing a spoofed IP host address. For a first occurrence of a packet having an IP source address that is not found in the ingress filter table, the packet is forwarded to a route processor (12) for analysis.

Abstract: A method for designing an electronic component includes receiving a device criteria (e.g., a parametric value, procurement value, etc.) from a designer, querying a database for devices corresponding to the device criteria, querying the database for procurement data and/or engineering data associated with the corresponding devices, presenting the devices to the designer based on the procurement data, and receiving input from the designer identifying one of the presented devices as a selected device. In a particular method, the returned devices are sorted based on one or more procurement values (e.g., manufacturer, price, availability, manufacturer status, etc.), and presented to the designer in a ranked list. Objects representative of the selected devices are then entered into a design file, and the objects are associated with the device's engineering and/or procurement data. In a particular embodiment, the objects are associated with the engineering data by embedding the engineering data in the file object.

Abstract: A method and system for preventing stack buffer overflow attacks in a computer system are disclosed. A computer system can prevent stack buffer overflow attacks by encrypting return addresses prior to pushing them onto the runtime stack. When an encrypted return address is popped off the runtime stack, the computer system decrypts the encrypted return address to determine the actual return address. A random encryption key can be used, which can be generated from the CPU's clock cycle counter. Multitasking environments can add a seed register to the task state so that each task can use a unique seed to encrypt the return addresses.

Abstract: A terminal for validating a software application includes a processor capable of operating an operating system (OS) platform (e.g., Symbian™ OS platform), and capable of operating at least one software application above the OS platform. The software application(s) are associated with a permission record that includes permissions identifying services the software application is authorized to receive from the OS platform. The OS platform is capable of receiving a request, from a software application, for a service of the OS platform. The OS platform can determine if the software application is authorized to receive the requested service based upon the associated permission record. And if the software application is authorized, the OS platform is capable of providing the requested service to the software application.

Abstract: The invention provides a method and system for a network which includes a plurality of nodes, preferably routers, a shared network segment for communication between the nodes, and several multicast channels in the shared network segment on which the nodes, preferably routers, can send multicast messages to the other nodes. A specific multicast channel is provided on which the nodes can send specific start multicast messages to other nodes, wherein a node which starts a protocol application, preferably a routing protocol application such as Open Shortest Path First (OSPF) protocol, is adapted to send a multicast start message on the specific multicast channel. Another node, preferably a router, receiving this start message is adapted to validate the authenticity of the start message and to send a response message.

Abstract: A mechanism for trading cache capacity among network nodes, or equivalently, Network Service Providers and Internet Service Providers (collectively XSPs). The mechanism includes determining an arbitrage-free path in a network including at least one node having an excess of cache capacity and at least one node having an excess cache demand. The excess cache capacity on the arbitrage-free path is allocated to a node of the at least one node having an excess cache demand. A trading price is established for the excess cache capacity allocated.

Abstract: A system, method, security gateway and computer program product are provided for creating and maintaining a centralized key store. The system includes a first security gateway and a second security gateway. The first security gateway is capable of applying a security service associated with an application instance identifier to at least one packet of data to thereby transform the at least one packet of data. In this regard, the first security gateway can apply the security service to the packet based upon at least one security policy and at least one security association. The second security gateway, in turn, is capable of applying the security service associated with the application instance identifier to the transformed packet of data to thereby generate a representation of the packet of data.

Abstract: According to one embodiment of the invention, a distributed routing device for routing subscriber traffic flow between at least two wireless access networks and an IP network is described. The distributed routing device includes at least one instance for executing a security function on the subscriber traffic flow, so that physically one security instance for subscribers of the at least two wireless access networks is present and logically each of the at least two wireless access networks has its own security instance.

Abstract: A communications system and method for dynamically creating at least one pinhole in a firewall are provided. The communications system includes a protected node capable of initiating a communication session with an outside node. In this regard, the protected node is capable of receiving flow parameters regarding the communication session as the communication session is setup. The system also includes a firewall disposed along a communications path between the protected node and the outside node. The protected node is capable of sending at least a portion of the flow parameters to a firewall-controlled proxy, which in turn, is capable of forwarding the portion of the flow parameters to the firewall. Thereafter, the firewall is capable of creating at least one pinhole based upon the portion of the flow parameters to thereby permit the transmission of information between the outside node and the protected node during the communication session.

Abstract: A method and system for transferring contexts from a previous access router (PR) to a new access router (NR) that is subsequently associated with a Mobile Node (MN). For example, transferred contexts may include, but are not limited to, Security, Quality of Service (QOS), Header Compression, and Buffers. A context is transferred from the PR to the NR. Any change in an element of the context is conveyed by the NR to the MN in a secure fashion, even though a Security Association does not yet exist between the NR and MN. The NR provides an authenticated security context update to the MN, e.g., advising when the type of encryption has changed from Triple Data Encryption Standard (DES) to DES. The NR utilizes the Security Association between the PR and the MN, to provide such an authenticated security context update to the MN over a RAN or a wireless LAN.

Abstract: A method for establishing a secure communications tunnel between a first node and a second node in a communication system includes a plurality of networks each having a respective tunnel control entity for controlling establishment of secure communications tunnels in the respective network. The first node operates in a first one of the networks and the second node operates in a second one of the networks. The method includes determining a route for the communications tunnel from the first network to the second network by way of one or more of the other networks. A request message digitally signed by the first node is formed and the identities of the tunnel control entity of the first network and the tunnel control entities of the other networks are included. The request message from the first node to the tunnel control entity of the second network is transmitted.

Abstract: In mobile IP networks, when a mobile node (MN) 101 moves from one cell to another, handover occurs. The result of the handover is that the MN 101 connects to the network through a new access router (AR) 162. The handover may occur between access routers of the same or different administrative domains. In all cases, the information related to the MN 101 has to be transferred from the old AR 185 to the new AR 162 in order to minimize the effect of the change of access routers.

Abstract: Systems and methods are provided for managing and distributing keys between routers using protocol exchange messages between routers as key distribution vehicles. According to one embodiment of the invention, a router of an autonomous system uses its private key to send cryptographic information associated with another router to a peer router as part of its protocol exchange messages. The peer router is able to extract the cryptographic information and store it in a look-up table. Such protocol exchange messages may occur as part of an Interior Gateway Protocol or an Exterior Gateway Protocol. According to another embodiment of the invention, a chain authentication system is created as boundary routers of autonomous systems having a trust relationship share cryptographic information for other autonomous systems as part of protocol exchange messages for the exterior gateway protocol.