Abstract: A system and method for chaining one or more services in a service provider network. A service chaining policy and associated Service Path Identifier (SPID) are determined at an ingress node with respect to a particular data packet flow. If the service chaining policy involves one or more service nodes to be traversed by the data packet flow, each service node's EIDs and RLOCs are determined. A sequential data exchange process with the service nodes is effectuated using encapsulation of data packets based on the EIDs and RLOCs for obtaining services in accordance with the order of services set forth in the chaining policy.

Abstract: A method, arrangement, and first access router in a packet-switched communication network for determining that a first endpoint originating a communication session with a second endpoint is not initiating a malicious man-in-the-middle attack. The first access router provides access for the first endpoint to the network and a second access router provides access for the second endpoint. The first and second access routers facilitate conducting a secure key exchange between the first and second endpoints, wherein a shared secret key is generated. The first access router utilizes a Prefix Reachability Detection (PRD) protocol to determine the first endpoint is topologically legitimate due to being topologically located behind the first access router, and then sends a Prefix Request Test Initialization (PRTI) message to the second access router indicating the first endpoint is topologically legitimate.

Abstract: A network, a method and devices (i.e., mobile node, access router, home agent, destination home agent) are described herein for enabling an efficient hybrid route optimization between two mobile endpoints so they can re-direct their data traffic to an optimal path without exchanging any mobility signaling messages.

Abstract: A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

Abstract: Systems are provided including at least one identifier locator network protocol (ILNP) enabled mobile node running Internet protocol version 6 (IPv6). The mobile node is attached to an IPv6 network in an IPv6 domain. The system includes a virtual root server configured to receive a binding identifiers create (BIC) message from a domain name system 64 (DNS64) server associated with the IPv6 network. The BIC message includes an ILNP address of the mobile node running IPv6, a fake ILNP address of a destination device running IPv4 assigned by the DNS64 server and an ILNP address of the DNS64 server. The fake ILNP address includes a full real address of the destination device. The virtual root server is further configures to create a binding between the ILNP address of the mobile node and the fake ILNP address of the destination device; store the binding; and send a binding identifier acknowledgement (BIA) message to the DNS64 server.

Abstract: Aspects describe enabling two peers that have already paired together under some circumstances to re-identify themselves under different circumstances so that the peers can bypass performing another pairing only to discover that they are already paired. A Bloom filter is constructed from an available pool of locally selected identifiers and is sent to a peer node in a first message. Upon receiving the message with the Bloom filter, peer node checks all its known identifiers. If peer node finds that one of its identifiers is a member of the Bloom filter, peer node sends a reply in order to achieve a mutual identification.

Abstract: A method performed by a slave network edge node (e.g., a Broadband Network Gateway BNG2) for enhancing a Long Term Evolution (LTE) backup channel in the event of a failure of a master network edge node (e.g., BNG1) in a wireline network. When BNG2 detects the failure of BNG1, BNG2 sends a failure update message to a Packet Data Network Gateway (PDN GW) of an LTE network. The PDN GW provides a backup channel for the CPE to reach the wide area network over a mobile tunnel. Before the failure the mobile tunnel has an end point at BNG1, and the failure update message notifies the PDN GW that the end point of the mobile tunnel has changed from BNG1 to BNG2. After BNG2 receives a failure acknowledgement message from the PDN GW, BNG2 routes the traffic from the PDN GW over the mobile tunnel to the wide area network.

Abstract: A method implemented by a network element of an Internet service provider to provide network access through a visited network associated with a visited network owner to a device of a visiting user connecting to the visited network. The visited network owner is a customer of the Internet service provider. The network element configures the visited network to provide access to resources of a remote home network to the device of the visiting user. The remote home network is in communication with the visited network over a wide area network. Connecting to a virtual gateway controller of the remote home network to obtain configuration information to establish a connection between the device and the remote home network. Establishing a connection between the device of the visiting user and a second access point. Providing access to the resource of the remote home network through the second access point.

Abstract: A method for maintaining connectivity between a mobile node and a corresponding node when the mobile node connects to a foreign network, where the foreign network and the home network are Internet protocol version 6 (IPv6) networks but the corresponding node is an Internet protocol version 4 (IPv4) node. The method includes receiving at the home agent node an IPv6 care-of address, determining that the IPv6 care-of address belongs to the foreign network and that the foreign NAT64 node has a prefix to generate virtual IPv6 addresses and sending a prefix binding request message to a home NAT64 node to bind the prefix to the home address of the mobile node for translation between IPv6 and IPv4.

Abstract: A method is implemented by a nano-box for providing processing resources to support application execution to a set of devices connected to a network of the nano-box. The method includes receiving application data for an application for a mobile or fixed device. The application is executed using the application data of the mobile or fixed device to generate an output. A handoff notification is received indicating that the root controller has reassigned the application to another nano-box in the set of nano-boxes based on best resource availability and minimum latency. In response, the nano-box updates the application data with a current state of the application and transmits the updated application data over the network to be provided to the other nano-box.

Abstract: The present application relates to network mobility (e.g., mobility in an IPv6 network). More specifically, the present application discloses systems and methods for enabling mobile nodes to switch to a routing optimization mode using a minimum of mobility messages.

Abstract: A scheme for virtualizing a remote physical device, e.g., customer premises equipment (CPE), at a cloud-based data center connected to a network. In one embodiment, a virtual switch operating at the CPE is operative to monitor device events at the CPE. When a device is connected to a CPE port, a virtual device port is created that is operative with a Software Defined Network (SDN) architecture. Responsive to an indication that a new SDN-compliant virtual device port is created, an SDN controller is operative to facilitate creation of a data tunnel between the CPE's virtual switch and a virtual switch of the data center.

Abstract: A method implemented by a Broadband Network Gateway (BNG) of an Internet service provider to provide accessibility to a wide area network for a Residential Gateway (RG) upon a failure of a wireline connectivity between the BNG and the RG, the method including receiving a failure detect message indicating a connectivity failure at the BNG from the RG, deciding whether to re-route traffic by the BNG, sending a failure acknowledge message by the BNG to the RG notifying the RG that re-routing has been initiated, sending a traffic re-route request message by the BNG to a Packet Data Network Gateway (PDN GW) of a Long-Term Evolution (LTE) network requesting the PDN GW to re-route traffic, receiving a traffic re-route acknowledgement by the BNG from the PDN GW, and re-routing traffic between the RG and the BNG through the PDN GW by the BNG.

Abstract: In response to a Mobile Access Router (MAR) initially attaching to a Multi-Protocol Label Switching (MPLS) domain through a first Access Router (AR) in the domain, a Mobility Anchor Point (MAP) in the MPLS domain establishes a plurality of Label Switched Paths (LSPs) for the MAR. For example, the MAP establishes an active LSP to the MAR through the AR to which the MAR has initially attached, and further establishes an inactive LSP for the MAR to each of one or more other ARs in the MPLS domain. An inactive LSP established at a given AR for a given MAR is activated when/if that MAR attaches to the AR. Correspondingly, the present invention includes method and apparatus teachings related to the MAP, ARs and the MAR, as regards establishing inactive LSPs, activating inactive LSPs, and extending an activated LSP to the MAR.

Abstract: A method is implemented in a host node for communicating with a corresponding node. The host node has connections to a plurality of networks, where each of the plurality of networks includes a network address translation 64 (NAT64) node, each NAT64 node utilizes a distinct prefix to generate virtual Internet Protocol version 6 (IPv6) addresses, each of the plurality of networks is an IPv6 network, but the corresponding node is an Internet protocol version 4 (IPv4) node. The host node implementing this method is able to maintain connectivity with the corresponding node despite having connections to the plurality of networks that each have NAT64 nodes that utilize distinct prefixes for virtual IPv6 addresses.

Abstract: A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

Abstract: A method, arrangement, and first access router in a packet-switched communication network for determining that a first endpoint originating a communication session with a second endpoint is not initiating a malicious man-in-the-middle attack. The first access router provides access for the first endpoint to the network and a second access router provides access for the second endpoint. The first and second access routers facilitate conducting a secure key exchange between the first and second endpoints, wherein a shared secret key is generated. The first access router utilizes a Prefix Reachability Detection (PRD) protocol to determine the first endpoint is topologically legitimate due to being topologically located behind the first access router, and then sends a Prefix Request Test Initialization (PRTI) message to the second access router indicating the first endpoint is topologically legitimate.

Abstract: A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

Abstract: A system, method, and node for protecting a telecommunication system against a mobile and multi-homed attacker, MMA (10). The telecommunication system includes one or more correspondent nodes, CN, (102, 104) for transferring data packets. A mobile and multi-homed network node, MMN, (108) associated with the MMA communicates and receives data packets with the CN. An access router, AR, (106) transferring data between the MMN and the CN performs a reachability test with the MMN to determine if the MMN is still reachable. The AR sends a message to the CN to flush cached information associated with the MMN if the MMN is not reachable by the AR. The CN, upon receiving the message to flush cached information, flushes binding cache entries associated with the MMN from the CN.

Abstract: Methods and apparatus for facilitating access to public wireless access points in a fixed-mobile convergence system. A mobile terminal is pre-provisioned with one or more security parameters corresponding to one or more WLAN access points that the mobile terminal might need to access should a current WLAN access point fail or otherwise become unreachable. The WLAN access points are similarly pre-provisioned with a security parameter corresponding to the mobile terminal. With these pro-provisioned security parameters, the mobile terminal and any one of the potential target WLAN access points conduct an abbreviated authentication process in the event that a switch-over becomes necessary.