Patents by Inventor Scott Wainner

Scott Wainner has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8625599
    Abstract: A system and method directed to carrying out dynamic secured group communication is provided. The method includes: obtaining a first packet that includes a first header; forming a frame that includes the first header in encrypted form; combining the first header and the frame to form a second packet and forming a second header; encapsulating the second packet with the second header to form a third packet, and communicating the third packet into the second network from the second source node for termination to the second-destination node. The first header includes a first source address of a first source node of a first network, and a first destination address of a first destination node of the first network. The second header includes a second source address of a second source node of a second network, and a second destination address of a second destination node of the second network.
    Type: Grant
    Filed: September 19, 2011
    Date of Patent: January 7, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Scott Fluhrer, Warren Scott Wainner, Sheela Rowles, Kavitha Kamarthy, Mohamed Khalid, Haseeb Niazi, Pratima Sethi
  • Patent number: 8493984
    Abstract: In one embodiment, a method for receiving a request from a first interface to establish a session with at least a second interface in a communication network is provided. The request is transmitted to an application layer signaling device via an application layer signaling protocol dialog, wherein the application layer signaling protocol dialog is configured to facilitate communication between the first interface and the application layer signaling device. The method further includes communicating parameters for establishing a session tunnel to a first edge router via the application layer signaling protocol dialog, wherein the first edge router is configured to dynamically establish the session tunnel between the first edge router and at least a second edge router, wherein the second edge router is positioned proximate to the at least second interface in the communication network.
    Type: Grant
    Filed: June 13, 2008
    Date of Patent: July 23, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Chandrasekar Krishnamurthy, Thomas C. Redman, Warren Scott Wainner, Alistair H. Woodman
  • Publication number: 20130132498
    Abstract: A slave resource router may receive a client request. The slave resource router may be the nearest representation of an Anycast IP address in a network to a client sending the client request in the network. The slave resource router may then determine that the slave resource router has been authorized to cache content for a delivery service corresponding to the client request. Next, the slave resource router may determine that content corresponding to the client request is cached locally in a blind cache. Then the slave resource router may provide the client with the content from the blind cache.
    Type: Application
    Filed: November 22, 2011
    Publication date: May 23, 2013
    Applicant: Cisco Technology, Inc.
    Inventors: Warren Scott Wainner, Mahesh Viveganandhan
  • Patent number: 8307423
    Abstract: A method comprises, in a network comprising VPN gateway devices configured only for plaintext data communication, configuring a policy server with a security policy including DO NOT ENCRYPT statements temporarily overriding PERMIT statements defining which packets should be encrypted; selecting one sub-group of the VPN gateway devices in which tunnel-less encryption is not configured; configuring of the VPN gateway devices in the sub-group for tunnel-less encryption by: configuring each device in a passive mode of operation in which the device is configured to receive either encrypted packets or plaintext packets matching encryption policy; configuring local DO NOT ENCRYPT statements matching traffic that is currently being converted to ciphertext; removing, from the access control list of the policy server, DO NOT ENCRYPT statements referring to protected LAN CIDR blocks behind the VPN gateway devices in the selected sub-group; configuring the sub-group to send encrypted packets by removing, from each of the
    Type: Grant
    Filed: December 17, 2008
    Date of Patent: November 6, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: W. Scott Wainner, Brian E. Weis
  • Publication number: 20120263434
    Abstract: Consistent with embodiments of the present invention, a system may be provided to provide per-subscriber stream management comprising: a client capable of receiving a playlist containing a subset of segments associated with a video asset; a video application server to request subscriber state information and to build state representations in a subscriber database on a per-subscriber basis; a media segmenter capable of providing the video asset in multiple bit rates; a subscriber state manager capable of managing the current state of one or more subscribers in a subscriber database; and a stream manager capable of requesting the assignment of bandwidth from a wireless infrastructure on a per-subscriber basis.
    Type: Application
    Filed: April 14, 2011
    Publication date: October 18, 2012
    Applicant: Cisco Technology, Inc.
    Inventors: Warren Scott Wainner, Mahesh Vittal, Stinson Mathai
  • Patent number: 8208372
    Abstract: A technique dynamically activates a secondary Traffic Engineering Label Switched Path (TE-LSP) at a secondary head-end node upon failure of a primary TE-LSP in a computer network. According to the novel technique, a primary head-end node establishes the primary TE-LSP having a primary bandwidth (BW) amount to a primary tail-end node. Also, the secondary head-end node establishes the secondary TE-LSP having zero BW to a secondary tail-end node (e.g., the same as the primary tail-end node). The secondary head-end node monitors the state of the primary TE-LSP, and in response to a failure (e.g., or other state change) substantially immediately adjusts the BW of the secondary TE-LSP to the primary BW amount (“activating” the TE-LSP). A “prior-hop” node to the primary and secondary head-end nodes originally forwarding traffic to the primary head-end node, may then begin forwarding traffic to the secondary head-end node, and thus onto the adjusted secondary TE-LSP.
    Type: Grant
    Filed: June 2, 2006
    Date of Patent: June 26, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Warren Scott Wainner
  • Patent number: 8165023
    Abstract: One embodiment provides a method to interconnect virtual network segments (VNETs) defined for a local-area network (LAN) infrastructure separated by a wide-area network infrastructure. The technique involves the routing device at the LAN-WAN interconnection points to impose or dispose the VNET-shim, which encodes the VNET-id information in a Layer 4 portion of the packet. In a data plane, a new IP protocol value may be used to signify the presence of the VNET-shim followed by cryptography specific information in an IP packet. In a control plane, the routing protocol is expanded to exchange the routing information along with the VNET information.
    Type: Grant
    Filed: August 28, 2007
    Date of Patent: April 24, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Mohamed Khalid, Khalil Jabr, Rajiv Asati, Warren Scott Wainner, Scott Thomas Fanning
  • Patent number: 8155130
    Abstract: Techniques for secure communication in a tunnel-less VPN are provided. A key server generates and provides, to each VPN gateway, different, yet mathematically-related keying material. A VPN gateway receives distinct keying material for each designated address block (e.g., subnet) behind the VPN gateway. In response to receiving a packet from a source host whose address falls within one of the designated address blocks, the VPN gateway identifies the appropriate keying material. The VPN gateway determines an identifier for the address block that includes the destination address. The identifier and the identified keying material are used to generate a key. The VPN gateway encrypts the packet with the key and forwards the encrypted packet to the destination host.
    Type: Grant
    Filed: August 5, 2008
    Date of Patent: April 10, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Brian Weis, W. Scott Wainner
  • Publication number: 20120060029
    Abstract: A system and method directed to carrying out dynamic secured group communication is provided. The method includes: obtaining a first packet that includes a first header; forming a frame that includes the first header in encrypted form; combining the first header and the frame to form a second packet and forming a second header; encapsulating the second packet with the second header to form a third packet, and communicating the third packet into the second network from the second source node for termination to the second-destination node. The first header includes a first source address of a first source node of a first network, and a first destination address of a first destination node of the first network. The second header includes a second source address of a second source node of a second network, and a second destination address of a second destination node of the second network.
    Type: Application
    Filed: September 19, 2011
    Publication date: March 8, 2012
    Applicant: Cisco Technology, Inc.
    Inventors: Scott Fluhrer, Warren Scott Wainner, Sheela Rowles, Kavitha Kamarthy, Mohamed Khalid, Haseeb Niazi, Pratima Sethi
  • Patent number: 8036221
    Abstract: A system and method directed to carrying out dynamic secured group communication is provided. The method includes obtaining a first packet that includes a first header. The first header includes a first source address of a first source node of a first network, and a first destination address of a first destination node of the first network. The method also includes forming a frame that includes the first header in encrypted form, combining the first header and the frame to form a second packet, and forming a second header. This second header includes a second source address of a second source node of a second network, and a second destination address of a second destination node of the second network. The method further includes encapsulating the second packet with the second header to form a third packet, and communicating the third packet into the second network from the second source node for termination to the second-destination node.
    Type: Grant
    Filed: September 15, 2008
    Date of Patent: October 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Scott Fluhrer, Warren Scott Wainner, Sheela Rowles, Kavitha Kamarthy, Mohamed Khalid, Haseeb Niazi, Pratima Sethi
  • Patent number: 8001252
    Abstract: A method, apparatus and computer program product for routing data within a packet-switched network using a PW wherein the PW is terminated directly on the layer-3 routing device such that certain services and applications can be utilized is presented. The method, apparatus and computer program product receives an encapsulated layer-2 Protocol Data Unit (PDU) from a pseudowire emulating a service. The encapsulation is removed from the encapsulated layer-2 PDU and a layer-2 circuit associated with the pseudowire is terminated. The circuit is treated as an interface and the PDU is forwarded based on upper layer protocol information within the PDU.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: August 16, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, Mohammed Sayeed, Bertrand Duvivier, Daniel C. Tappan, W. Scott Wainner, Earl Hardin Booth, Christopher Metz, W. Mark Townsley, Wojciech Dec
  • Publication number: 20110164752
    Abstract: Various techniques that allow group members to detect the use of stale encryption policy by other group members are disclosed. One method involves receiving a message from a first group member via a network. The message is received by a second group member. The method then detects that the first group member is not using a most recent policy update supplied by a key server, in response to information in the message. In response, a notification message can be sent from the second group member. The notification message indicates that at least one group member is not using the most recent policy update. The notification message can be sent to the key server or towards the first group member.
    Type: Application
    Filed: January 5, 2010
    Publication date: July 7, 2011
    Inventors: Warren Scott Wainner, Sheela D. Rowles, Brian E. Weis, David Arthur McGrew, Scott R. Fluhrer, Kavitha Kamarthy
  • Patent number: 7869436
    Abstract: A system allows a device to communicate using a virtual network by assigning a network address to the device. The network address is selected from a plurality of network addresses that can be assigned to any of a plurality of virtual networks. The system receives a request to authenticate the device, and then determines a virtual network on which to assign the device. The virtual network is selected from the plurality of virtual networks. The system identifies the device as authenticated based on the assigning of the network address and the virtual network.
    Type: Grant
    Filed: October 13, 2005
    Date of Patent: January 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Saul Adler, James N. Guichard, Luca Martini, Venkateswara Rao Yarlagadda, W. Scott Wainner
  • Publication number: 20100154028
    Abstract: A method comprises, in a network comprising VPN gateway devices configured only for plaintext data communication, configuring a policy server with a security policy including DO NOT ENCRYPT statements temporarily overriding PERMIT statements defining which packets should be encrypted; selecting one sub-group of the VPN gateway devices in which tunnel-less encryption is not configured; configuring of the VPN gateway devices in the sub-group for tunnel-less encryption by: configuring each device in a passive mode of operation in which the device is configured to receive either encrypted packets or plaintext packets matching encryption policy; configuring local DO NOT ENCRYPT statements matching traffic that is currently being converted to ciphertext; removing, from the access control list of the policy server, DO NOT ENCRYPT statements referring to protected LAN CIDR blocks behind the VPN gateway devices in the selected sub-group; configuring the sub-group to send encrypted packets by removing, from each of the
    Type: Application
    Filed: December 17, 2008
    Publication date: June 17, 2010
    Inventors: W. Scott Wainner, Brian E. Weis
  • Patent number: 7724732
    Abstract: A method, apparatus and computer program product for providing secure multipoint Internet Protocol Virtual Private Networks (IPVPNs) is presented. A packet lookup is performed in order to determine a next hop. A VPN label is pushed on the packet, as is an IP tunnel header. Group encryption through the use of DGVPN is further utilized. In such a manner secure connectivity and network partitioning are provided in a single solution.
    Type: Grant
    Filed: March 4, 2005
    Date of Patent: May 25, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, W. Scott Wainner, John J. Mullooly, Brian E. Weis
  • Patent number: 7720995
    Abstract: In a host within a group, a method for ensuring secure communications is provided. The method involves (a) determining if a group security policy is in place for secure communication between hosts within the group, (b) if the group security policy is in place, advertising routing information to another host within the group, and (c) if the group security policy is not in place, refraining from advertising routing information to the other host. Corresponding apparatus and computer program product embodiments are also provided.
    Type: Grant
    Filed: June 8, 2007
    Date of Patent: May 18, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: W. Scott Wainner, James N. Guichard
  • Patent number: 7688829
    Abstract: A routing mechanism provides network segmentation preservation by route distribution with segment identification, policy distribution for a given VPN segment, and encapsulation/decapsulation for each segment using an Ethernet VLAN_ID, indicative of the VPN segment (subnetwork). Encapsulated segmentation information in a message packet identifies which routing and forwarding table is employed for the next hop. A common routing instance receives the message packets from the common interface, and indexes a corresponding VRF table from the VLAN ID, or segment identifier, indicative of the subnetwork (e.g. segment). In this manner, the routing instance receives the incoming message packet, decapsulates the VLAN ID in the incoming message packet, and indexes the corresponding VRF and policy ID from the VLAN ID, therefore employing a common routing instance over a common subinterface for a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. VPN router).
    Type: Grant
    Filed: September 14, 2005
    Date of Patent: March 30, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, W. Scott Wainner, Saul Adler, Khalil A. Jabr, S. Scott Van de Houten
  • Publication number: 20100034207
    Abstract: Techniques for secure communication in a tunnel-less VPN are provided. A key server generates and provides, to each VPN gateway, different, yet mathematically-related keying material. A VPN gateway receives distinct keying material for each designated address block (e.g., subnet) behind the VPN gateway. In response to receiving a packet from a source host whose address falls within one of the designated address blocks, the VPN gateway identifies the appropriate keying material. The VPN gateway determines an identifier for the address block that includes the destination address. The identifier and the identified keying material are used to generate a key. The VPN gateway encrypts the packet with the key and forwards the encrypted packet to the destination host.
    Type: Application
    Filed: August 5, 2008
    Publication date: February 11, 2010
    Inventors: David McGrew, Brian Weis, W. Scott Wainner
  • Publication number: 20090310614
    Abstract: In one embodiment, a method for receiving a request from a first interface to establish a session with at least a second interface in a communication network is provided. The request is transmitted to an application layer signaling device via an application layer signaling protocol dialog, wherein the application layer signaling protocol dialog is configured to facilitate communication between the first interface and the application layer signaling device. The method further includes communicating parameters for establishing a session tunnel to a first edge router via the application layer signaling protocol dialog, wherein the first edge router is configured to dynamically establish the session tunnel between the first edge router and at least a second edge router, wherein the second edge router is positioned proximate to the at least second interface in the communication network.
    Type: Application
    Filed: June 13, 2008
    Publication date: December 17, 2009
    Inventors: Chandrasekar Krishnamurthy, Thomas C. Redman, Warren Scott Wainner, Alistair H. Woodman
  • Patent number: 7620975
    Abstract: A method and apparatus for providing routing protocol support for distributing encryption information is presented. Subnet prefixes reachable on a first customer site in an encrypted manner are identified, as are security groups the subnet prefixes belong to. An advertisement is received at a first Customer Edge (CE) device in the first customer site, the advertisement originating from a Customer (C) device in the first customer site. The advertisement indicates links, subnets to be encrypted, and security group identifiers. The prefixes and the security group identifiers are then propagated across a service provider network to a second CE device located in a second customer site. In such a manner, encryption and authentication is expanded further into a customer site, as customer devices are able to indicate to a service provider network infrastructure and other customer devices in other customer sites which local destinations require encryption/authentication.
    Type: Grant
    Filed: February 17, 2005
    Date of Patent: November 17, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: James N. Guichard, W. Scott Wainner, Brian E. Weis, David A. McGrew