Patents by Inventor Robert Batz

Robert Batz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9825870
    Abstract: A method is provided in one example and includes receiving a request to initiate a communication flow associated with a subscriber and identifying one or more parameters to be monitored for the communication flow. The method further includes extracting one or more bits from packets associated with the communication flow; the bits are used to determine an operating system associated with the communication flow. A policy decision can be executed for the communication flow based on the operating system associated with the communication flow. In more specific examples, the bits are sent to a next destination in response to a threshold being reached for at least one of the parameters. The parameters can be associated with a volume parameter or a time parameter. The policy decision could include blocking traffic associated with the subscriber, initiating billing, redirecting the communication, managing a quality of service level for the communication flow, etc.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: November 21, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Robert Batz, Richard A. Galatioto, Juan M. Mojica, Humberto M. Taváres
  • Patent number: 9716636
    Abstract: Techniques for separately accounting for multiple transactions in the same data packets communicated over a network using Transport Control Protocol (TCP) include receiving an Internet Protocol (IP) data packet that includes Transport Control Protocol (TCP) payload data. The TCP payload is parsed to determine boundary data that indicates a byte location on a boundary between a first transaction and a second transaction. A byte count that indicates a number of bytes in the TCP payload associated with the first transaction is determined based on the boundary data. Accounting data for the first transaction is determined based at least in part on the byte count. These techniques allow a service gateway to bill separately for different requests and responses carried in TCP data packets, such as those for Hypertext Transfer Protocol (HTTP) and Real Time Streaming Protocol (RTSP).
    Type: Grant
    Filed: April 9, 2013
    Date of Patent: July 25, 2017
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mark Albert, Robert Batz, Louis Menditto, Richard Gray, Tzu-Ming Tsang, Michael Sutton
  • Patent number: 9210122
    Abstract: A method is provided in one example and includes maintaining a correlation between a domain name and a plurality of Internet protocol (IP) addresses included in a domain name system (“DNS”) response to a DNS request in connection with DNS exchange between a subscriber and a DNS server, wherein each of the IP addresses corresponds to one of a plurality of web servers associated with the domain name; receiving from the subscriber a packet associated with a flow; identifying an IP address within the packet as being one of the plurality of IP addresses included in the DNS response; and executing a policy decision for the subsequent flow without inspecting the contents of the subsequent flow at layer 7 based on an identity of the subscriber and the domain name correlated to the identified IP address, wherein the policy decision comprises charging a different rate for a particular flow.
    Type: Grant
    Filed: March 18, 2015
    Date of Patent: December 8, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Robert Batz, Robert Mackie
  • Publication number: 20150195245
    Abstract: A method is provided in one example and includes maintaining a correlation between a domain name and a plurality of Internet protocol (IP) addresses included in a domain name system (“DNS”) response to a DNS request in connection with DNS exchange between a subscriber and a DNS server, wherein each of the IP addresses corresponds to one of a plurality of web servers associated with the domain name; receiving from the subscriber a packet associated with a flow; identifying an IP address within the packet as being one of the plurality of IP addresses included in the DNS response; and executing a policy decision for the subsequent flow without inspecting the contents of the subsequent flow at layer 7 based on an identity of the subscriber and the domain name correlated to the identified IP address, wherein the policy decision comprises charging a different rate for a particular flow.
    Type: Application
    Filed: March 18, 2015
    Publication date: July 9, 2015
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Robert Batz, Robert Mackie
  • Publication number: 20150188828
    Abstract: A method is provided in one example and includes receiving a request to initiate a communication flow associated with a subscriber and identifying one or more parameters to be monitored for the communication flow. The method further includes extracting one or more bits from packets associated with the communication flow; the bits are used to determine an operating system associated with the communication flow. A policy decision can be executed for the communication flow based on the operating system associated with the communication flow. In more specific examples, the bits are sent to a next destination in response to a threshold being reached for at least one of the parameters. The parameters can be associated with a volume parameter or a time parameter. The policy decision could include blocking traffic associated with the subscriber, initiating billing, redirecting the communication, managing a quality of service level for the communication flow, etc.
    Type: Application
    Filed: March 16, 2015
    Publication date: July 2, 2015
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Robert Batz, Richard A. Galatioto, Juan M. Mojica, Humberto M. Taváres
  • Patent number: 9049015
    Abstract: In one embodiment, a method for providing an ACK packet while queuing data is provided. One or more packets in a series of packets may be received from a client at a gateway. The gateway determines that a packet in the series of packets has not been received. The one or more packets are then queued. The queued packets may have included an ACK for one or more previously sent packets. Thus, if the gateway had forwarded the one or more packets that are queued, then the ACK would have been received by the server. However, the one or more packets are queued and thus the ACK included in the packets is not sent with the queued packets. Even though the plurality of packets are queued, an acknowledgement packet is generated and then sent for the previously sent packets. The acknowledgement packet acknowledges to the server that the one or more previously sent packets were received by the client.
    Type: Grant
    Filed: September 12, 2007
    Date of Patent: June 2, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Humberto Tavares, Chris O'Rourke, Robert Batz, Franklin Jones
  • Patent number: 9015318
    Abstract: A method is provided in one example and includes receiving a first packet associated with a domain name system (DNS) exchange between a subscriber and a DNS server. A correlation is maintained between a domain name and an Internet protocol (IP) address included in a DNS response. A subsequent packet associated with a subsequent flow is received and the IP address is identified within the subsequent packet. The method further includes executing a policy decision for the subsequent flow based on the correlation between the IP address and the domain name. In more specific embodiments, the correlation is stored in a table that includes a time to live (TTL) parameter associated with the IP address. The IP address within the subsequent packet can be mapped to the domain name in order to apply the policy decision for the subsequent flow.
    Type: Grant
    Filed: November 18, 2009
    Date of Patent: April 21, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Robert Batz, Robert Mackie
  • Patent number: 9009293
    Abstract: A method is provided in one example and includes receiving a request to initiate a communication flow associated with a subscriber and identifying one or more parameters to be monitored for the communication flow. The method further includes extracting one or more bits from packets associated with the communication flow; the bits are used to determine an operating system associated with the communication flow. A policy decision can be executed for the communication flow based on the operating system associated with the communication flow. In more specific examples, the bits are sent to a next destination in response to a threshold being reached for at least one of the parameters. The parameters can be associated with a volume parameter or a time parameter. The policy decision could include blocking traffic associated with the subscriber, initiating billing, redirecting the communication, managing a quality of service level for the communication flow, etc.
    Type: Grant
    Filed: November 18, 2009
    Date of Patent: April 14, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Robert Batz, Richard A. Galatioto, Juan M. Mojica, Humberto M. Taváres
  • Patent number: 8844035
    Abstract: Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.
    Type: Grant
    Filed: February 9, 2012
    Date of Patent: September 23, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Christopher C. O'Rourke, Frank Gerard Bordonaro, Louis Menditto, Robert Batz
  • Publication number: 20140149580
    Abstract: Techniques for separately accounting for multiple transactions in the same data packets communicated over a network using Transport Control Protocol (TCP) include receiving an Internet Protocol (IP) data packet that includes Transport Control Protocol (TCP) payload data. The TCP payload is parsed to determine boundary data that indicates a byte location on a boundary between a first transaction and a second transaction. A byte count that indicates a number of bytes in the TCP payload associated with the first transaction is determined based on the boundary data. Accounting data for the first transaction is determined based at least in part on the byte count. These techniques allow a service gateway to bill separately for different requests and responses carried in TCP data packets, such as those for Hypertext Transfer Protocol (HTTP) and Real Time Streaming Protocol (RTSP).
    Type: Application
    Filed: April 9, 2013
    Publication date: May 29, 2014
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Mark Albert, Robert Batz, Louis Menditto, Richard Gray, Tzu-Ming Tsang, Michael Sutton
  • Patent number: 8438281
    Abstract: Techniques for separately accounting for multiple transactions in the same data packets communicated over a network using Transport Control Protocol (TCP) include receiving an Internet Protocol (IP) data packet that includes Transport Control Protocol (TCP) payload data. The TCP payload is parsed to determine boundary data that indicates a byte location on a boundary between a first transaction and a second transaction. A byte count that indicates a number of bytes in the TCP payload associated with the first transaction is determined based on the boundary data. Accounting data for the first transaction is determined based at least in part on the byte count. These techniques allow a service gateway to bill separately for different requests and responses carried in TCP data packets, such as those for Hypertext Transfer Protocol (HTTP) and Real Time Streaming Protocol (RTSP).
    Type: Grant
    Filed: July 6, 2005
    Date of Patent: May 7, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Albert, Robert Batz, Louis Menditto, Richard Gray, Tzu-Ming Tsang, Michael Sutton
  • Patent number: 8266696
    Abstract: Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: September 11, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Christopher C. O'Rourke, Frank Gerard Bordonaro, Louis Menditto, Robert Batz
  • Patent number: 8194675
    Abstract: In one embodiment, a method includes receiving, at a local node of a network, a sequenced data packet of a flow made up of multiple sequenced data packets from a source node directed toward a destination node. The flow is to be parsed by the local node to describe the flow for administration of the network. Based on sequence data in the sequenced data packet, it is determined whether the sequenced data packet is out of order in the flow. If it is determined that the sequenced data packet is out of order, then the sequenced data packet is forwarded toward the destination node before parsing the sequenced data packet. The out of order sequenced data packet is also stored for subsequent parsing at the local node.
    Type: Grant
    Filed: March 16, 2010
    Date of Patent: June 5, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Humberto Tavares, Christopher C. O'Rourke, Robert Batz, Walter Dixon, Robert Mackie
  • Publication number: 20120137366
    Abstract: Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.
    Type: Application
    Filed: February 9, 2012
    Publication date: May 31, 2012
    Inventors: Christopher C. O'Rourke, Frank Gerard Bordonaro, Louis Menditto, Robert Batz
  • Publication number: 20110116377
    Abstract: A method is provided in one example and includes receiving a request to initiate a communication flow associated with a subscriber and identifying one or more parameters to be monitored for the communication flow. The method further includes extracting one or more bits from packets associated with the communication flow; the bits are used to determine an operating system associated with the communication flow. A policy decision can be executed for the communication flow based on the operating system associated with the communication flow. In more specific examples, the bits are sent to a next destination in response to a threshold being reached for at least one of the parameters. The parameters can be associated with a volume parameter or a time parameter. The policy decision could include blocking traffic associated with the subscriber, initiating billing, redirecting the communication, managing a quality of service level for the communication flow, etc.
    Type: Application
    Filed: November 18, 2009
    Publication date: May 19, 2011
    Inventors: Robert Batz, Richard A. Galatioto, Juan M. Mojica, Humberto M. Taváres
  • Patent number: 7864771
    Abstract: In one embodiment, a method includes receiving, at a local node of a network, a sequenced data packet of a flow made up of multiple sequenced data packets from a source node directed toward a destination node. The flow is to be parsed by the local node to describe the flow for administration of the network. Based on sequence data in the sequenced data packet, it is determined whether the sequenced data packet is out of order in the flow. If it is determined that the sequenced data packet is out of order, then the sequenced data packet is forwarded toward the destination node before parsing the sequenced data packet. The out of order sequenced data packet is also stored for subsequent parsing at the local node.
    Type: Grant
    Filed: April 20, 2007
    Date of Patent: January 4, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Humberto Tavares, Christopher C. O'Rourke, Robert Batz, Walter Dixon, Robert Mackie
  • Publication number: 20100172356
    Abstract: In one embodiment, a method includes receiving, at a local node of a network, a sequenced data packet of a flow made up of multiple sequenced data packets from a source node directed toward a destination node. The flow is to be parsed by the local node to describe the flow for administration of the network. Based on sequence data in the sequenced data packet, it is determined whether the sequenced data packet is out of order in the flow. If it is determined that the sequenced data packet is out of order, then the sequenced data packet is forwarded toward the destination node before parsing the sequenced data packet. The out of order sequenced data packet is also stored for subsequent parsing at the local node.
    Type: Application
    Filed: March 16, 2010
    Publication date: July 8, 2010
    Inventors: Humberto Tavares, Christopher C. O'Rourke, Robert Batz, Walter Dixon, Robert Mackie
  • Patent number: 7738452
    Abstract: Techniques for distributing network traffic from an access server to a service gateway include receiving, at a load balancer, sticky table data that indicates an association between a particular subscriber IP address and a particular subscriber-aware service gateway in a gateway cluster. An input data packet is received with an input source address and an input transport-layer destination. If it is determined that the input transport-layer destination indicates a type of payload that uses a service gateway, then the particular service gateway associated with the particular subscriber is determined based on the sticky table and IP address in the input source address. An output data packet is directed to the particular service gateway using a link-layer or networking-layer destination address. These techniques allow a load balancer to be located anywhere on the network and to bypass a subscriber-aware service gateway for some data traffic.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: June 15, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Christopher C. O'Rourke, Robert Batz, Kevin Shatzkamer
  • Patent number: 7694011
    Abstract: Techniques for distributing control plane traffic, from an end node in a packet switched network to a cluster of service gateway nodes that host subscriber-aware application servers, include receiving a control plane message for supporting data plane traffic from a particular subscriber. A particular service gateway node is determined among the cluster of service gateway nodes based on policy-based routing (PBR) for the data plane traffic from the particular subscriber. A message based on the control plane message is sent to a control plane process on the particular service gateway node. Thereby, data plane traffic and control plane traffic from the same subscriber are directed to the same gateway node, or otherwise related gateway nodes, of the cluster of service gateway nodes. This approach allows currently-available, hardware-accelerated PBR to be used with clusters of subscriber-aware service gateways that must also monitor control plane traffic from the same subscriber.
    Type: Grant
    Filed: January 17, 2006
    Date of Patent: April 6, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Christopher C. O'Rourke, Robert Batz, Kevin Shatzkamer
  • Patent number: 7640023
    Abstract: Techniques and systems for server farm load balancing and resource allocation are disclosed. In one embodiment, a method of load balancing can include: arranging servers into service groups; receiving an access request with information related to a differentiation between the service groups; selecting one of the service groups based on a mapping comparison to the information; and selecting one of the servers within the selected service group based on a hardware utilization comparison. The servers can include GPRS (General Packet Radio Service) Gateway Support Node (GGSN) or Remote Authentication Dial In User Service (RADIUS) servers, for example. The information can include an Access Point Name (APN) or Calling Station ID, for example.
    Type: Grant
    Filed: May 3, 2006
    Date of Patent: December 29, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Weimin Ma, Ashish Chandwadkar, Chris O'Rourke, Robert Batz, Kevin Shatzkamer, Anand K. Oswal, Mark Grayson, Jayaraman Iyer