Abstract: A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data.

Abstract: A first field of a data unit is analyzed to determine whether the data unit is marked as a particular type of data unit. If the data unit is marked as a particular type of data unit, a second field of the data unit is analyzed to determine whether characteristics of the second data field correspond to the particular type of the data unit. Determining whether the characteristics of the second field correspond to the type of data unit ensures that the data unit is properly marked with respect to type. The first field may indicate a particular priority or that the data unit is carrying voice data. The second field may carry voice data. The analysis of the fields may be done on a data unit by data unit basis, or on a stream basis.

Abstract: Techniques are described for automatically setting source address filters within a network device. For example, an apparatus, such as a router, comprises a network interface card to receive routing information from a network device. The routing information specifies at least one unselected network route to a network destination, and includes a tag associated with the unselected route to indicate that the network device does not forward outbound data along the unselected route. The apparatus further comprises a control unit to automatically set a filter to receive inbound data from the network destination specified by the non-selected route. The control unit may automatically set, for example, a source address filter.

Abstract: Techniques are described for distributing network traffic across parallel data paths. For example, a router may perform a hash on routing information of the packet to generate a hash value corresponding to the packet flow associated with the packet. The router may map the hash value of the packet to a forwarding element associated with a data path. The router may dynamically update the mapping of hash values to forwarding elements in accordance with traffic flow statistics. In this manner, the router may distribute the packet flows from data paths with high volumes of traffic to data paths with smaller volumes of traffic. The router may further prevent out of sequence delivery of packets by updating the mapping upon a gap in the packet flow exceeding a threshold gap. For example, the router may update the mapping when a packet for a packet flow associated with the particular hash value has not been received for at least a defined time interval.

Abstract: A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data.

Abstract: A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data.

Abstract: Link failure messages are sent through a network to accelerate convergence of routing information after a network fault. The link failure messages reduce the oscillations in routing information stored by routers, which otherwise can cause significant problems, including intermittent loss of network connectivity as well as increased packet loss and latency. For example, the link failure messages reduce the time that a network using a path vector routing protocol, such as the Border Gateway Protocol (BGP), takes to converge to a stable state. More particularly, upon detecting a network fault, a router generates link failure information to identify the specific link that has failed. In some types of systems, the router communicates the link failure information to neighboring routers as well as a conventional update message withdrawing any unavailable routes. Once other routers receive the link failure information, the routers do not attempt to use routes that include the failed link.

Abstract: Techniques are described for distributing network traffic across parallel data paths. For example, a router may perform a hash on routing information of the packet to generate a hash value corresponding to the packet flow associated with the packet. The router may map the hash value of the packet to a forwarding element associated with a data path. The router may dynamically update the mapping of hash values to forwarding elements in accordance with traffic flow statistics. In this manner, the router may distribute the packet flows from data paths with high volumes of traffic to data paths with smaller volumes of traffic. The router may further prevent out of sequence delivery of packets by updating the mapping upon a gap in the packet flow exceeding a threshold gap. For example, the router may update the mapping when a packet for a packet flow associated with the particular hash value has not been received for at least a defined time interval.

Abstract: Link failure messages are sent through a network to accelerate convergence of routing information after a network fault. The link failure messages reduce the oscillations in routing information stored by routers, which otherwise can cause significant problems, including intermittent loss of network connectivity as well as increased packet loss and latency. For example, the link failure messages reduce the time that a network using a path vector routing protocol, such as the Border Gateway Protocol (BGP), takes to converge to a stable state. More particularly, upon detecting a network fault, a router generates link failure information to identify the specific link that has failed. In some types of systems, the router communicates the link failure information to neighboring routers as well as a conventional update message withdrawing any unavailable routes. Once other routers receive the link failure information, the routers do not attempt to use routes that include the failed link.

Abstract: An apparatus and method for encapsulating and forwarding packets on a network are disclosed. The network can include a first subnetwork such as a virtual private network connected to a larger public network such as the Internet. An encapsulating header is attached to a packet to be transferred across the public network from a source node on the private network to a destination node on the private network, such that the packet can be transferred across the public network. The encapsulating header includes a value which is derived from the private header on the packet used to transfer the packet along the private network. The value is therefore associated with a source/destination pair within the private network. The value can be derived by performing a hash operation on the private network header. After the public network header containing the value derived from the private network header is attached to the packet, it can be forwarded across the public network.

Abstract: A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data.

Abstract: Techniques are described for distributing network traffic across parallel data paths. For example, a router may perform a hash on routing information of the packet to generate a hash value corresponding to the packet flow associated with the packet. The router may map the hash value of the packet to a forwarding element associated with a data path. The router may dynamically update the mapping of hash values to forwarding elements in accordance with traffic flow statistics. In this manner, the router may distribute the packet flows from data paths with high volumes of traffic to data paths with smaller volumes of traffic. The router may further prevent out of sequence delivery of packets by updating the mapping upon a gap in the packet flow exceeding a threshold gap. For example, the router may update the mapping when a packet for a packet flow associated with the particular hash value has not been received for at least a defined time interval.

Abstract: Network address translation (NAT) translates between globally unique addresses used within a global network and a local network. A method, for example, includes mapping a first set of globally non-routable global addresses to a second set of globally routable global addresses, and forwarding packets in accordance with the mapping. The method may further include assigning the first set of addresses to devices of a local network, and forwarding packets between the devices of the local network and a global network. These techniques may significantly reduce the demand placed on routing devices in a global network.

Abstract: An apparatus and method for forwarding data on a network are described. A label-switching subnetwork within the network includes an ingress node and an egress node coupled to source and destination nodes, respectively, on the network. The ingress node sends a signal along a route within the subnetwork through a plurality of subnetwork nodes to the egress node. In response, the subnetwork nodes transmit response signals back along the route toward the ingress node which define the route through the subnetwork and simultaneously allocate a plurality of paths within the route. A single path can be selected for forwarding of data packets associated with a source/destination pair, ensuring that data packets arriving at the destination are not misaligned.

Abstract: A network comprises a plurality of switching nodes interconnected by communication links for transferring digital packets. At least one switching node in the network pre-establishes a bypass virtual circuit through the network to bypass an element of the network, such as a switching node or a communication link, in the network. The bypass virtual circuit defines a path to another switching node in the network. The first switching node uses the bypass virtual circuit so constructed in forwarding of a packet in the event of a failure or other malfunction of the element if the first switching node would otherwise transfer the packet over that element.

Abstract: An apparatus and method for efficient hashing uses both an identifying portion of a data packet, e.g., source and destination ID, and an identifying value of the node, e.g., the IP address of the node, to generate a hash result. By inserting a unique value into the hash operation at each node, the invention effectively provides for a different hash implementation at each node. As a result, in situations where multiple paths or multiple links within a path are available to forward packets, traffic can be split over the multiple paths and links. Inefficient utilization of network links found in prior systems which use the same hash operation at each node are eliminated.

Abstract: An apparatus and method for encapsulating and forwarding packets on a network are disclosed. The network can include a first subnetwork such as a virtual private network connected to a larger public network such as the Internet. An encapsulating header is attached to a packet to be transferred across the public network from a source node on the private network to a destination node on the private network, such that the packet can be transferred across the public network. The encapsulating header includes a value which is derived from the private header on the packet used to transfer the packet along the private network. The value is therefore associated with a source/destination pair within the private network. The value can be derived by performing a hash operation on the private network header. After the public network header containing the value derived from the private network header is attached to the packet, it can be forwarded across the public network.

Abstract: An apparatus and method for encapsulating and forwarding packets on a network are disclosed. The network can include a first subnetwork such as a virtual private network connected to a larger public network such as the Internet. An encapsulating header is attached to a packet to be transferred across the public network from a source node on the private network to a destination node on the private network, such that the packet can be transferred across the public network. The encapsulating header includes a value which is derived from the private header on the packet used to transfer the packet along the private network. The value is therefore associated with a source/destination pair within the private network. The value can be derived by performing a hash operation on the private network header. After the public network header containing the value derived from the private network header is attached to the packet, it can be forwarded across the public network.

Abstract: A system is provided for determining a plurality of minimally-overlapping paths between a source node and a destination node in a network. The system determines a first path between the source node and the destination node. Additionally, a second path between the source node and the destination node is determined. If the first path and the second path overlap, the system modifies at least one path to minimize the overlap of the paths. Both the first path and the second path contain a plurality of path elements in which the path elements including nodes and links between nodes such that a cost is assigned to both nodes and links. After the paths are identified, a first circuit is established between the source and destination nodes along the first path and a second circuit is established between the source and destination nodes along the second path.

Abstract: A method for synchronizing a first database with a second database in which the first database contains a plurality of database records. The first database is divided into a plurality of segments. Each of the segments contains at least one database record. The segments are transmitted sequentially from the first database to the second database until all segments have been transmitted to the second database.