Abstract: A system provides a request for a policy from a policy server, and receives the policy from the policy server. The policy indicates processing to be applied to a traffic partition passing through the device. The system configures the policy within a routing structure associated with the traffic partition for the policy in the device, and routes a stream of traffic for the routing structure in accordance with the policy for that routing structure.

Abstract: A method and apparatus for performing Layer 2 (L2) interworking is presented. A L2 Protocol Data Unit (PDU) is received at an L2 Switching Entity (SE). The L2 PDU is converted to a normalized Pseudowire (PW) PDU. The normalized PW PDU is then forwarded to a Layer 3 (L3) Routing Entity (RE). The normalized PDU may be in the form of a predetermined L2 protocol or a L2 agnostic protocol.

Abstract: A method, apparatus and computer program product for routing data within a packet-switched network using a PW wherein the PW is terminated directly on the layer-3 routing device such that certain services and applications can be utilized is presented. The method, apparatus and computer program product receives an encapsulated layer-2 Protocol Data Unit (PDU) from a pseudowire emulating a service. The encapsulation is removed from the encapsulated layer-2 PDU and a layer-2 circuit associated with the pseudowire is terminated. The circuit is treated as an interface and the PDU is forwarded based on upper layer protocol information within the PDU.

Abstract: Packets are communicated between forwarding contexts (e.g., virtual routers, logical routers, and/or private networks) using virtual interfaces in communications and computing systems, especially routers, packet switching systems, and other devices. A virtual interface refers to the interface infrastructure (e.g., buffers, memory locations, other data structures), but does not connect to an external cable or other communications mechanism such as is a physical interface. Packets are moved between forwarding contexts by automatically moving a packet placed in a first virtual interface associated with a first forwarding context to a second virtual interface associated with a second forwarding context (assuming the packet is not dropped by a feature applied to the packet at the first virtual interface).

Abstract: A method, apparatus and computer program product for routing data within a packet-switched network using a PW wherein the PW is terminated directly on the layer-3 routing device such that certain services and applications can be utilized is presented. The method, apparatus and computer program product receives an encapsulated layer-2 Protocol Data Unit (PDU) from a pseudowire emulating a service. The encapsulation is removed from the encapsulated layer-2 PDU and a layer-2 circuit associated with the pseudowire is terminated. The circuit is treated as an interface and the PDU is forwarded based on upper layer protocol information within the PDU.

Abstract: Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system which enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishing a group key corresponding to the group applies the group key to communications from the group members in the subnet.

Abstract: One embodiment provides a method to interconnect virtual network segments (VNETs) defined for a local-area network (LAN) infrastructure separated by a wide-area network infrastructure. The technique involves the routing device at the LAN-WAN interconnection points to impose or dispose the VNET-shim, which encodes the VNET-id information in a Layer 4 portion of the packet. In a data plane, a new IP protocol value may be used to signify the presence of the VNET-shim followed by cryptography specific information in an IP packet. In a control plane, the routing protocol is expanded to exchange the routing information along with the VNET information.

Abstract: A system and method directed to carrying out dynamic secured group communication is provided. The method includes obtaining a first packet that includes a first header. The first header includes a first source address of a first source node of a first network, and a first destination address of a first destination node of the first network. The method also includes forming a frame that includes the first header in encrypted form, combining the first header and the frame to form a second packet, and forming a second header. This second header includes a second source address of a second source node of a second network, and a second destination address of a second destination node of the second network. The method further includes encapsulating the second packet with the second header to form a third packet, and communicating the third packet into the second network from the second source node for termination to the second-destination node.

Abstract: In a host within a group, a method for ensuring secure communications is provided. The method involves (a) determining if a group security policy is in place for secure communication between hosts within the group, (b) if the group security policy is in place, advertising routing information to another host within the group, and (c) if the group security policy is not in place, refraining from advertising routing information to the other host. Corresponding apparatus and computer program product embodiments are also provided.

Abstract: Systems and/or methods of secure communication of information between multi-domain virtual private networks (VPNs) are presented. A dynamic group VPN (DGVPN) can reside in one domain and a disparate DGVPN can reside in a disparate domain. An administrative security authority (ASA) can be employed in each domain. Each ASA can generate and exchange respective keying material and crypto-policy information to be used for inter-domain communications when routing data from a member in one DGVPN to a member(s) in the disparate DGVPN, such that an ASA in one domain can facilitate encryption of data in accordance with the policy of the other domain before the data is sent to the other domain. Each ASA can establish a key server to generate the keying material and crypto-policy information associated with its local DGVPN, and such material and information can be propagated to intra-domain members.

Abstract: A first node generates and transmits a notification message including routing policy attributes such as network address information and a corresponding gateway identifier. The gateway identifier identifies a gateway in a physical network through which future generated data messages shall be forwarded to at least one host computer (e.g., any computer having an associated network address) as indicated by the network address information. A second node receiving the notification message utilizes the routing policy attributes to dynamically update its database identifying how to forward data packets. In this way, nodes (e.g., CE routers) of a network can be dynamically configured to support routing of messages based on the network address information and gateway identifier disseminated along with the notification message.

Abstract: Packets are communicated between forwarding contexts (e.g., virtual routers, logical routers, and/or private networks) using virtual interfaces in communications and computing systems, especially routers, packet switching systems, and other devices. A virtual interface refers to the interface infrastructure (e.g., buffers, memory locations, other data structures), but does not connect to an external cable or other communications mechanism such as is a physical interface. Packets are moved between forwarding contexts by automatically moving a packet placed in a first virtual interface associated with a first forwarding context to a second virtual interface associated with a second forwarding context (assuming the packet is not dropped by a feature applied to the packet at the first virtual interface).

Abstract: A technique dynamically activates a secondary Traffic Engineering Label Switched Path (TE-LPs) at a secondary head-end node upon failure of a primary TE-LPs in a computer network. According to the novel technique, a primary head-end node establishes the primary TE-LPs having a primary bandwidth (BW) amount to a primary tail-end node. Also, the secondary head-end node establishes the secondary TE-LPS having zero BW to a secondary tail-end node (e.g., the same as the primary tail-end node). The secondary head-end node monitors the state of the primary TE-LPS, and in response to a failure (e.g., or other state change) substantially immediately adjusts the BW of the secondary TE-LPS to the primary BW amount (“activating” the TE-LPS). A “prior-hop” node to the primary and secondary head-end nodes originally forwarding traffic to the primary head-end node, may then begin forwarding traffic to the secondary head-end node, and thus onto the adjusted secondary TE-LPS.