Abstract: In one embodiment, to determine what tasks may be offloaded to a peripheral hardware device (e.g., to be performed in hardware on the peripheral device, rather than on the CPU(s) of the host computer), an indication from the at least one peripheral hardware device may be provided, without the peripheral hardware device first being queried to determine the task offload capabilities provided by the peripheral hardware device. In one embodiment, a large packet that includes a plurality of extension headers may be offloaded to the peripheral hardware device for segmentation. An indication of the offset where the extension headers end may be provided in connection with the large packet. In another embodiment, a packet with extension headers that come before an encryption header in the packet are not offloaded to peripheral hardware device for encryption, while packets with no extension headers before the encryption header may be offloaded.

Abstract: In one embodiment, to determine what tasks may be offloaded to a peripheral hardware device (e.g., to be performed in hardware on the peripheral device, rather than on the CPU(s) of the host computer), an indication from the at least one peripheral hardware device may be provided, without the peripheral hardware device first being queried to determine the task offload capabilities provided by the peripheral hardware device. In one embodiment, a large packet that includes a plurality of extension headers may be offloaded to the peripheral hardware device for segmentation. An indication of the offset where the extension headers end may be provided in connection with the large packet. In another embodiment, a packet with extension headers that come before an encryption header in the packet are not offloaded to peripheral hardware device for encryption, while packets with no extension headers before the encryption header may be offloaded.

Abstract: In one embodiment, to determine what tasks may be offloaded to a peripheral hardware device (e.g., to be performed in hardware on the peripheral device, rather than on the CPU(s) of the host computer), an indication from the at least one peripheral hardware device may be provided, without the peripheral hardware device first being queried to determine the task offload capabilities provided by the peripheral hardware device. In one embodiment, a large packet that includes a plurality of extension headers may be offloaded to the peripheral hardware device for segmentation. An indication of the offset where the extension headers end may be provided in connection with the large packet. In another embodiment, a packet with extension headers that come before an encryption header in the packet are not offloaded to peripheral hardware device for encryption, while packets with no extension headers before the encryption header may be offloaded.

Abstract: The present invention protects against denial of service attacks on lookup or hash tables used to store state information for data transfer protocols used to transfer data between two host computers. Two hash tables are provided for holding state information, one for verified remote entities (i.e., those where the remote local address can be traced to a host), and one for unverified entities. A cryptographically secure hash is applied to packets from unverified remote entities, since these are the most likely to attempt attacks on the hash tables. The performance of the local server for packets from verified remote entities, however, is maintained.

Abstract: A method to offload a network stack connection is presented. A request, which includes a list of resource requirements from each software layer in the stack, to offload the network stack connection is sent through the stack to the peripheral device. The peripheral device is a second processor that processes the offloaded network stack connection in software, in hardware, or a mixture of hardware and software. The device allocates resources for the list and sends a handle to each of the software layers for communication with the device. The state for each layer is sent to the device that includes state variables that are classified as a constant, a cached variable handled by the CPU, or a delegated variable handled by the device.

Abstract: An initial sequence number generator is provided that prevents the local server from being attacked while maintaining reliable data transfer. A random intermediate value is created that is unique to each connection identifier and is combined with a random value created from a global counter to generate the initial sequence number. The counter capable of monotonically increasing by both a fixed and variable amount for ensuring that the same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and also to ensures randomness of the initial sequence number on a per connection basis for preventing attacks on the local server.

Abstract: Offloading specific processing tasks that would otherwise be performed in a computer system's processor and memory, to a peripheral device. The computing task is then performed by the peripheral, thereby saving computer system resources for other computing tasks. In one preferred embodiment, the disclosed method is utilized in a layered network model, wherein computing tasks that are typically performed in network applications are instead offloaded to the network interface card (NIC) peripheral.

Abstract: Offloading specific processing tasks that would otherwise be performed in a computer system's processor and memory, to a peripheral device. The computing task is then performed by the peripheral, thereby saving computer system resources for other computing tasks. In one preferred embodiment, the disclosed method is utilized in a layered network model, wherein computing tasks that are typically performed in network applications are instead offloaded to the network interface card (NIC) peripheral.

Abstract: A computer system with black hole management. The black hole management system shares black hole status information among connections that employ the same path. The black hole status information may indicate either that a black hole exists on the path or that communications have been performed successfully on the path, indicating that no black hole exists. By sharing this information, delays in transmission caused by black hole probing may be reduced. Additionally, status information for a connection is reset when information indicates that the connection has been altered. By resetting the status information, delays in transmission associated with sending reduced sized packets over connections for which black holes were previously detected but may have been eliminated by changes in the connection, are avoided.

Abstract: Offloading specific processing tasks that would otherwise be performed in a computer system's processor and memory, to a peripheral device. The computing task is then performed by the peripheral, thereby saving computer system resources for other computing tasks. In one preferred embodiment, the disclosed method is utilized in a layered network model, wherein computing tasks that are typically performed in network applications are instead offloaded to the network interface card (NIC) peripheral.

Abstract: In one embodiment, to determine what tasks may be offloaded to a peripheral hardware device (e.g., to be performed in hardware on the peripheral device, rather than on the CPU(s) of the host computer), an indication from the at least one peripheral hardware device may be provided, without the peripheral hardware device first being queried to determine the task offload capabilities provided by the peripheral hardware device. In one embodiment, a large packet that includes a plurality of extension headers may be offloaded to the peripheral hardware device for segmentation. An indication of the offset where the extension headers end may be provided in connection with the large packet. In another embodiment, a packet with extension headers that come before an encryption header in the packet are not offloaded to peripheral hardware device for encryption, while packets with no extension headers before the encryption header may be offloaded.

Abstract: A method for the synchronization of network neighbor reachability between a host networking stack and a peripheral device, which offloads one or more network protocols is provided. The network neighbor reachability represents the reachability of another computer on the network. This invention enables conventional neighbor reachability to be extended to seamlessly support some network connections to a specific remote host to be offloaded to a peripheral device, while other network connections are not.

Abstract: Methods of tuning a receive window. A receiving device and a sending device may be in communication over a network. The receiving device may advertise a receive window to the sending device. The size of the receive window may be adjusted over time based on one or more connection parameters, application parameters and/or operating system parameters.

Abstract: A method to synchronize and upload an offloaded network stack connection between a host network stack and peripheral device is presented. A state object for each layer in the stack is sent to the device that includes state variables that are classified as a constant, a cached variable handled by the host, or a delegated variable handled by the device. State that must be updated by the network stack and the peripheral device is cleanly divided. For example, statistics are tracked by the host, the device, or the host and the device. A statistic tracked by both the host and peripheral device is divided into non-overlapping portions and combined to produce the statistic. Once an upload is initiated, the device achieves a consistent state and hands delegated states to the stack. Each layer in the stack takes control of its delegated state and resources at the device are freed.

Abstract: A method to synchronize and upload an offloaded network stack connection between a host network stack and processing device is presented. A state object for each layer in the stack is sent to the device that includes state variables that are classified as a constant, a cached variable handled by the host, or a delegated variable handled by the device. State that must be updated by the network stack and the processing device is cleanly divided. For example, statistics are tracked by the host, the device, or the host and the device. A statistic tracked by both the host and processing device is divided into non-overlapping portions and combined to produce the statistic. Once an upload is initiated, the device achieves a consistent state and hands delegated states to the stack. Each layer in the stack takes control of its delegated state and resources at the device are freed.

Abstract: A new method and framework for scheduling receive-side processing of data streams received from a remote requesting client by a multiprocessor system computer is disclosed. The method receives data packets from the remote requesting client via a network and, for each data packet, applies a cryptographically secure hashing function to portions of the received data packet yielding a hash value. The method further applies the hash value to a processor selection policy to identify a processor in the multiprocessor system as a selected processor to perform receive-side processing of the data packet. The method queues the received data packet for processing by the selected processor and invokes a procedure call to initiate processing of the data packet.

Abstract: Malicious network node activity and, in particular, denial of service attacks, may be mitigated by one or more practical mitigation mechanisms and mitigation mechanism combinations. Suitable protocol messages may be challenged with a challenge probe. A response to the challenge probe may be utilized to determine if received protocol messages are illegitimate, that is, originated by a malicious network node. Received protocol messages may be classified as questionable protocol messages. For efficiency, protocol message challenges may be limited to protocol message classified as questionable. A sequence number limit may be calculated as a function of receive window size. Transmission control protocol messages may be determined to be illegitimate by comparing the acknowledgement number field with the calculated sequence number limit.

Abstract: The invention provides mechanisms for transferring processor control of secure Internet Protocol (IPSec) security association (SA) functions between a host and a target processing devices of a computerized system, such as processors in a host CPU and a NIC. In one aspect of the invention, the computation associated with authentication and/or encryption is offloaded while the host maintains control of when SA functions are offloaded, uploaded, invalidated, and re-keyed. The devices coordinate to maintain metrics for the SA, including support for both soft and hard limits on SA expiration. Timer requirements are minimized for the target. The offloaded SA function may be embedded in other offloaded state objects of intermediate software layers of a network stack.

Abstract: Disclosed is a method for slowing down the spread of viruses by limiting the number of Transmission Control Protocol (“TCP”) connection attempts to arbitrary Internet Protocol (“IP”) addresses that can be in progress at any given time—a common method employed by viruses to spread to other hosts from an infected host. This is achieved by setting a small limit on the number of connection attempt requests that can be in progress at any given time and can be implemented regardless of whether anti-virus software is installed on the system.

Abstract: Offloading specific processing tasks that would otherwise be performed in a computer system's processor and memory, to a peripheral device. The computing task is then performed by the peripheral, thereby saving computer system resources for other computing tasks. In one preferred embodiment, the disclosed method is utilized in a layered network model, wherein computing tasks that are typically performed in network applications are instead offloaded to the network interface card (NIC) peripheral.