Abstract: Techniques are provided to facilitate faster live migration of a virtual server from one physical server to another physical server by pausing IO activity of the virtual server and slowing memory state changes for CPU-bound activity of the virtual server during the live migration.

Abstract: Disclosed are methods and apparatus for handling requests for data from a private network. In general terms, a client who wishes access to secure data, such as a secure web page, from a private network establishes a secure connection with a secure server, such as a secure socket layer (SSL) server, of the private network. The secure server then downloads a software program for handling data requests (made by the client for data located within the private network) to the client. This software program is downloaded automatically by the secure server to the client when the client initiates a secure connection with such secure server. The downloaded software program is generally configured to modify data requests (e.g., by performing a URL substitution) sent from the client to an internal server of the private network such that the data requests are redirected to the secure server. The secure server then processes the data request (e.g., by retrieving the data from the appropriate internal server).

Abstract: A method of preventing network denial of service attacks by early discard of out-of-order segments comprises creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated. As out-of-order data segments arrive on the connection, and before other processing of the segments, whether the reassembly queue is full is determined, and the out-of-order segments are discarded if the reassembly queue is full. The size of the reassembly queue is automatically changed in response to one or more changes in any of network conditions and device resources.

Abstract: Techniques are provided to facilitate faster live migration of a virtual server from one physical server to another physical server by pausing TO activity of the virtual server and slowing memory state changes for CPU-bound activity of the virtual server during the live migration.

Abstract: Disclosed are methods and apparatus for handling data containing embedded addresses. In general terms, prior to transmission of data having an embedded address or port, an initiating host sends a NAT Probe to an end-host with which the initiating host wishes to communicate. The NAT Probe includes the embedded address or port and a type indicating that translation of the address and/or port is requested if needed. As the NAT Probe traverses through one or more NAT devices as it is transmitted to the end-host, each NAT device is enabled to recognize the NAT Probe type and translate the embedded address and/or port, depending upon the individual NAT device's configuration. When the NAT Probe reaches the final hop NAT device or end-host, a NAT Probe Reply is sent back to the initiating host. The NAT Probe Reply contains a translated embedded address and/or port which is compatible with the end-host's network. The NAT Probe Reply also contains a type which differs from the type of the NAT Probe.

Abstract: Methods and apparatuses for distributing network address translation. By having a gateway inform inside devices of global addresses, the gateway can avoid performing many functions of a traditional NAT box. Specifically, an inside device is informed of a global address shared by all devices on the inside device's network segment. Each device on that segment would be assigned a range of ports to distinguish messages from separate devices that use the same global address.

Abstract: Methods and apparatuses for distributing network address translation. By having a gateway inform inside devices of global addresses, the gateway can avoid performing many functions of a traditional NAT box. Specifically, an inside device is informed of a global address shared by all devices on the inside device's network segment. Each device on that segment would be assigned a range of ports to distinguish messages from separate devices that use the same global address.

Abstract: Approaches to recover from faults associated with multi-homed clients having transport protocol connections that pass through network address translators are disclosed. In one approach, context information for a connection, between a first host and a second host, referencing one of several multi-homed network addresses of the first host, is automatically re-used when the second host switches to a different address of the first host, for example, when the first host becomes unavailable at the original address. Embodiments support seamless switchover of SCTP connections over NAT devices.

Abstract: A method of preventing network denial of service attacks by early discard of out-of-order segments comprises creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated. As out-of-order data segments arrive on the connection, and before other processing of the segments, whether the reassembly queue is full is determined, and the out-of-order segments are discarded if the reassembly queue is full. The size of the reassembly queue is automatically changed in response to one or more changes in any of network conditions and device resources.

Abstract: Disclosed are methods and apparatus for facilitating reliable session based communication with a local host via a subnet of redundant network devices that also implement network address translation (NAT) or the like. In general, embodiments of the present invention include mechanisms for reestablishing access to a local host after the local host's active network device has failed and been replaced by a new active network device with an address space that differs from the failed network device. In this invention, the network devices associated with the same local host also implement NAT, or the like. In brief, for each of its associated local hosts, the new active network device causes an address server to be updated with a new public address that is assigned from its address space to the local host. This update allows other remote hosts access to the local hosts by obtaining the updated address information from the address server.

Abstract: Disclosed are methods and apparatus for handling data containing embedded addresses. In general terms, prior to transmission of data having an embedded address or port, an initiating host sends a NAT Probe to an end-host with which the initiating host wishes to communicate. The NAT Probe includes the embedded address or port and a type indicating that translation of the address and/or port is requested if needed. As the NAT Probe traverses through one or more NAT devices as it is transmitted to the end-host, each NAT device is enabled to recognize the NAT Probe type and translate the embedded address and/or port, depending upon the individual NAT device's configuration. When the NAT Probe reaches the final hop NAT device or end-host, a NAT Probe Reply is sent back to the initiating host. The NAT Probe Reply contains a translated embedded address and/or port which is compatible with the end-host's network. The NAT Probe Reply also contains a type which differs from the type of the NAT Probe.

Abstract: A method and apparatus for reducing flooding in a bridged network. The invention generally allows broadcast flooding for a predefined limited time period to permit mapping of a MAC address to a port by the bridge and disallows broadcast flooding for a second predefined time period. After the second time period expires, the process is repeated to allow the bridge to flood the networks for the predefined limited time period again. The bridge allows or disallows broadcasts flooding independently based on the destination MAC address.

Abstract: Approaches to recover from faults associated with multi-homed clients having transport protocol connections that pass through network address translators are disclosed. In one approach, context information for a connection, between a first host and a second host, referencing one of several multi-homed network addresses of the first host, is automatically re-used when the second host switches to a different address of the first host, for example, when the first host becomes unavailable at the original address. Embodiments support seamless switchover of SCTP connections over NAT devices.

Abstract: Disclosed are methods and apparatus for facilitating translation of packet addresses (or ports) by one or more translation devices (e.g., NAT devices) using a specialized protocol to handle an address (or port) that is used to form part of a payload. In one implementation, this specialized protocol is referred to as Network Layer Signaling (NLS). As a packet traverses along a path containing one or more translation devices, each translation device is configured to translate an address (or port) of such packet's IP header if the packet is traversing between different domains (e.g., traversing between a private and public domain or between two different private domains). One or more of these translation devices may also be configured to implement the specialized protocol which includes translation device traversal mechanisms for detecting whether the traversal path contains a translation device that fails to implement such specialized protocol.

Abstract: Communicating packets along a control channel and a media channel includes receiving at a network address translator a first message having a first internal address from a first communication device. The first internal address is translated to a first external control address operable to route a control packet along a control channel. A second message having a first embedded media address is received from the first communication device. The first embedded media address is translated to a first external media address operable to route a media packet along a media channel.