Abstract: An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

Abstract: An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

Abstract: Consistent with embodiments of the present invention, a method may be provided comprising sending a first bind request with an association group ID of zero. A first association group with a first association group ID may then be created. The first association group ID may be switched to a second association group ID in an acknowledgement message. A second bind request may then be sent with the second association group ID. The second association group ID may be switched to the first association group ID in the second bind request after the bind request has been sent. After receiving the second bind request, it may be determined whether the association group ID in the second bind request is the same as the first association group ID. A failure message may be sent if the association group ID in the second bind request is not the same as the first association group ID.

Abstract: Controlling congestion in a networking device having a plurality of input interface queues comprises estimating, in each of one or more sampling states, a data arrival rate for each of the plurality of input interface queues with respect to incoming data packets received on corresponding input interfaces, obtaining a set of estimated arrival rates for the plurality of the input interface queues, determining, for each polling state associated with a respective sampling state, the sequence in which the plurality of input interface queues should be polled using the set of estimated data arrival rates of the plurality of input interface queues, and polling the plurality of interface queues in accordance with the determined sequence. The sequence indicates when, during a single polling cycle, each of the input interface queues should be polled in relation to every other of the input interface queues.

Abstract: A system for filtering transport layer connections with application layer connection outcomes provides a connection database to store information about connection requests and associated application layer outcomes. The system further includes a throttle filter populated with data from the connection database. The throttle filter is a list of connection requestor identifier, such as IP addresses or port numbers, to be used to identify connection requests to be blocked based on previous connection requests from the connection requesters. The system provides attack and overload protection and load balancing in embedded systems.

Abstract: A method includes a step of (A) determining which of multiple network interfaces indicates readiness to transmit a data element to a network and which of the multiple network interfaces indicates receipt of a data element from the network. The method further includes a step of (B) running, for each network interface indicating readiness to transmit a data element to the network, a transmit interrupt handler to load that network interface with a data element for transmission if such a data element is available for transmission within the data communications device, in response to giving higher priority to handling transmit interrupts relative to handling receive interrupts. The method further includes a step of (C) after step B, running, for at least one network interface which indicates receipt of a data element from the network, a receive interrupt handler to process that data element.

Abstract: A rate-based congestion control technique for internetworking devices having a plurality of input interface queues is disclosed. Rate-based polling comprises estimating the data arrival on each input interface queue while in a first sampling state, and separately, while in a second polling state, using the estimated data arrival rate on each input interface queue to determine both the sequence in which the input interface queues should be polled and the number of packets to be processed from each input interface queue. While in the polling state, data packet delay is averaged across the input interface queues so as to process the packets in their approximate arrival order irrespective of the input interface queue on which they arrive, thus enabling Quality of Service policies to be more effective. This is achieved by processing data from each input interface at a rate that is proportional to the data arrival rate at each input interface.

Abstract: The congestion control in a networking device having a plurality of input interface queues includes (a) estimating the data arrival rate on each of the plurality of input interface queues, and (b) determining, for each polling round, the sequence in which the plurality of input interface queues should be polled and the quantity of data to be processed from each of the plurality of input interface queues each time the input interface queue is polled, using the estimated data arrival rate on each of the plurality of input interface queues.

Abstract: A method includes a step of (A) determining which of multiple network interfaces indicates readiness to transmit a data element to a network and which of the multiple network interfaces indicates receipt of a data element from the network. The method further includes a step of (B) running, for each network interface indicating readiness to transmit a data element to the network, a transmit interrupt handler to load that network interface with a data element for transmission if such a data element is available for transmission within the data communications device, in response to giving higher priority to handling transmit interrupts relative to handling receive interrupts. The method further includes a step of (C) after step B, running, for at least one network interface which indicates receipt of a data element from the network, a receive interrupt handler to process that data element.

Abstract: The invention is directed to techniques for moving data elements within a data communications device which prioritizes handling transmit interrupts over handling receive interrupts. Preferably, while attending to transmit interrupts, the device gives priority to the “hungriest” interfaces. In one arrangement, the device includes multiple network interfaces which are capable of transmitting and receiving data elements with a network, and a controller, coupled to the interfaces.

Abstract: A two-phase packet processing technique is provided for routing traffic in a packet-switched, integrated services network which supports a plurality of different service classes. During Phase I, packets are retrieved from the router input interface and classified in order to identify the associated priority level of each packet and/or to determine whether a particular packet is delay-sensitive. If it is determined that a particular packet is delay-sensitive, the packet is immediately and fully processed. If, however, it is determined that the packet is not delay-sensitive, full processing of the packet is deferred and the packet is stored in an intermediate data structure. During Phase II, packets stored within the intermediate data structure are retrieved and fully processes. The technique of the present invention significantly reduces packet processing latency, particularly with respect to high priority or delay-sensitive packets.

Abstract: The invention provides unique mechanisms and techniques for a computing device to perform various tasks in a multi-tasking or time sliced environment. A general task scheduling algorithm can select various time slices or priorities for task performance. However, in a dedicated device such as a data communications device, a primary task such as a data transfer task may be so heavily favored by the general task scheduling algorithm, such as in heavy network traffic conditions, that other tasks may be starved of processor time. As such, the system of the invention allows the primary task, to track a first time period Y, and upon expiration of this time period Y, to generate a yield signal to a yielding scheduler. The yielding scheduler can then disable performance of the primary task(s) and track a second time period X during which other tasks may be performed.

Abstract: The invention is directed to techniques for transferring data using a device driver that is arranged to prevent improper operation of a non-primary routine (e.g., an administrative operation) from causing improper operation of a primary routine (e.g., a data transfer operation). Accordingly, the primary routine can continue to operate properly after a failure of the non-primary routine. In one arrangement, a data communications device transfers data. The data communications device includes a port that couples to a network, and a processor coupled to the port. The data communications device further includes memory, coupled to the processor, that stores a device driver. The device driver has a first set of instructions that directs the processor to perform a data transfer routine that moves data between memory and the port, and a second set of instructions that directs the processor to perform an administrative routine.