Dan Wing

Truckee, California, United States
1K followers 500+ connections

About

Design security features across a company's business units to influence the…

Experience

Volunteer Experience

  • Standards Engineer, working group chair

    IETF

    - Present 26 years 8 months

    Over 20 years contributing to IETF RFCs and Internet Drafts.

    https://datatracker.ietf.org/person/Dan%20Wing

  • LEGO league coach

    FIRST

    - 7 months

    Children

    First year team advanced to national competition.

  • Coach

    TNT mountain bike team

    - Present 3 years 4 months

    Children

Publications

  • IPv6 Multihoming without Network Address Translation (RFC7157)

    IETF

    IPv6 multihoming on hosts suffers some problems easily resolved with IPv6 network translation. This document explains the problems and the host changes necessary to avoid IPv6 network translation.

    Other authors
    See publication
  • Emerging Real-time Services: Optimizing Traffic by Smart Cooperation in the Network

    IEEE Communications

    The rise of new real-time interactive services, in which consumers demand high subjective quality, makes it necessary to define new network mechanisms that can dynamically adapt to traffic variations. Cooperation between the different actors is required in order to adapt the traditional network infrastructure to these new traffic patterns while guaranteeing delay requirements. Thus, standardization is needed in order to make cooperation possible. A method for tunneling compressed multiplexed traffic flows (TCMTF) is proposed as an update to TCRTP, the current practice defined by the IETF for optimizing RTP flows. Some scenarios have been identified in which traffic optimization can be deployed, while granting resource usage fairness and good user experience. This proposal could be used in different application environments, such as operators’ networks, Internet service providers, long distance transports, and game providers.

    Other authors
    See publication
  • Happy Eyeballs (RFC6555)

    IETF

    Deployed by Chrome, Firefox, Safari, and others, this document explains how broken IPv6 can retain a good user experience by falling back quickly to IPv4.

    Other authors
    See publication
  • Improving User Experience with IPv6 and SCTP

    The Internet Protocol Journal

    To be successful, new technologies must improve the user experience. In the process of finding the best way to deploy a new technology, several approaches are typically conceived, written down, tried, and possibly discarded. This article addresses two such approaches for Internet Protocol Version 6 (IPv6) and the Stream Control Transmission Protocol (SCTP).

    Other authors
    See publication
  • Network Address Translation: Extending the Internet Address Space

    IEEE Internet Computing

    Summary of standards related to NAT and IPv6/IPv4 translation.

    See publication
  • Analysis of Media Security Management Protocols (RFC5479)

    IETF

    This document analyzes 15 techniques to establish SRTP session keys between two endpoints. This analysis was the basis for two Birds of a Feather (BoF) meetings and resulted in the industry selection of DTLS-SRTP, which is now used by WebRTC and by modern SIP implementations.

    Other authors
    See publication
  • Session Traversal Utilities for NAT (STUN)

    RFC5389

    Deployed by all WebRTC implementations, Session Traversal Utilities for NAT (STUN) is a protocol that serves as a tool for other protocols in dealing with Network Address Translator (NAT) traversal. It can be used by an endpoint to determine the IP address and port allocated to it by a NAT. It can also be used to check connectivity between two endpoints, and as a keep-alive protocol to maintain NAT bindings. STUN works with many existing NATs, and does not require any special behavior from them.

    Other authors
    See publication
  • Security Descriptions for Media Streams (RFC4568)

    IETF

    Deployed by Cisco, Avaya, and Nortel, this specifies how to carry SRTP keys in SDP for unicast media streams; this is ideal for quick call establishment and call recording in enterprise environments.

    In contrast, WebRTC works over the Internet and Dan worked with the industry to supersede this technique with DTLS-SRTP which supports cryptographic identity and does not disclose the SRTP keys to SDP intermediaries.

    Other authors
    See publication
  • Port Control Protocol (PCP) (RFC6887)

    IETF

    Deployed by Apple, Cisco, MiniUPnP (used in most consumer-grade routers), and others, Port Control Protocol allows an IPv6 or IPv4 host to control how incoming IPv6 or IPv4 packets are translated and forwarded by a Network Address Translator (NAT) or simple firewall, and also allows a host to optimize its outgoing NAT keepalive messages.

    Other authors
    See publication

Patents

  • Adaptive, performance-oriented, and compression-assisted encryption scheme

    Issued US 10,768,993

    An approach for an adaptive, performance-oriented, and compression-assisted encryption scheme implemented on a host computer to adaptively improve utilization of CPU resources is provided. The method comprises queueing a new data packet and determining a size of the new data packet. Based on historical data, a plurality of already encrypted data packets is determined. Based on information stored for the plurality of already encrypted data packets, an average ratio of compression for the plurality of already encrypted data packets is determined. Based on the average ratio of compression, a throughput of compression value and a throughput of encryption value, a prediction whether compressing the new data packet will reduce a CPU load is derived. If it is determined that compressing the new data packet will improve utilization of the CPU resources, then a compressed new data packet is generated by compressing the new data packet.

    Other inventors
    See patent
  • Content inspection in privacy enhanced cloud conferencing

    Issued US 10,230,694

    A media distribution network device connects to an online collaborative session between a first participant network device, a second participant network device, and a security participant network device. The security participant network device is configured to decrypt packets of the online collaborative session to apply security policies to the packets. An encrypted packet is received at the media distribution network device. The encrypted packet is received from the first participant network device containing data to be distributed as part of the online collaborative session. The encrypted packet is distributed to the security participant network device prior to distributing the encrypted packet to the second participant network device.

    Other inventors
    See patent
  • Steering of cloned traffic in a service function chain

    Issued US 10,225,270

    Aspects of the embodiments are directed to a service classifier configured for steering cloned traffic through a service function chain. The service classifier is configured to create a cloned data packet by creating a copy of a data packet; activate a mirror bit in a network service header (NSH) of the cloned data packet, the mirror bit identifying the cloned packet to a service function forwarder network element as a cloned packet; and transmit the cloned packet to the service function forwarder network element.

    Other inventors
    See patent
  • Interposer with security assistant key escrow

    Issued US 10,178,181

    An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

    Other inventors
    See patent
  • Leveraging security as a service for cloud-based file sharing

    Issued US 10,135,826

    A method of leveraging security-as-a-service for cloud-based file sharing includes receiving, at a cloud-based file sharing server external to an enterprise network and having connectivity to the enterprise network, instructions from an enterprise network to validate a file uploaded by a first user associated with the enterprise network before allowing the file to be downloaded. The file sharing server may then receive the file from the first user and forward the file to a cloud-based security-as-a-service (SECaaS) server that is also external to the enterprise network and has connectivity to the enterprise network. The file sharing server receives a determination of validation from the cloud-based SECaaS server and allows a second user to download the file based on the determination. To make the determination, the SECaaS server retrieves cryptographic keying material from a cloud-based key management server, and decrypts the file.

    Other inventors
    See patent
  • Dynamic acceleration of prioritized mobile application traffic

    Issued US 10,104,704

    In one embodiment, a method for the prioritized transmission of messages includes monitoring a network link of a mobile device to determine performance characteristics of the network link, establishing a network association between the mobile device and a routing network node, receiving a connection request from an application that is directed to a connection between the mobile device and a destination server, determining a relative priority of the connection, mapping the connection to a stream of the network association that is associated with the relative priority of the connection and identifies the destination server, and transmitting messages for the stream to the routing network node interlaced with messages of other streams of the network association based on the performance characteristics of the network link and the relative priority associated with the stream in comparison to relative priorities associated with the other streams of the network association.

    Other inventors
    See patent
  • Short term certificate management during distributed denial of service attacks

    Issued US 10,104,119

    In one embodiment, a distributed denial of service attack on a network is identified. In response to the distributed denial of service attack, a script to request a short term certificate is executed. The short term certificate is generated by a certificate server and received either directly or indirectly from the certificate server. An instruction to redirect traffic using the short term certificate and private key is sent to a distributed denial of service attack protection service that is operable to filter or otherwise mitigate malicious traffic involved in the distributed denial of service attack.

    Other inventors
    See patent
  • Hypertext transfer protocol support over hybrid access

    Issued US 10,070,348

    A method is provided in one example embodiment and includes receiving at a first network node a request to obtain data from a second network node, wherein the first and second network nodes are connected via n access networks; partitioning the request into n subrequests proportionally based on relative throughputs of the n access networks; and transmitting each of the n subrequests to the second network node via a respective one of the n access networks.

    Other inventors
    See patent
  • Handling multipath flows in service function chaining

    Issued US 10,050,870

    A service classifier network device receives a subflow and identifies that the subflow is one of at least two subflows in a multipath data flow. Related data packets are sent from a source node to a destination node in the multipath data flow. The service classifier generates a multipath flow identifier and encapsulates the subflow with a header to produce an encapsulated first subflow. The header identifies a service function path and includes metadata with the multipath flow identifier.

    Other inventors
    See patent
  • Single proxies in secure communication using service function chaining

    Issued US 10,015,208

    A first service node receives a message configured to set up a secure communication session between a client and a server, in which the first service node acts as a proxy. Data packets in the secure communication session are subject to multiple service functions that require decryption of the data packets. A service function chain assigns a service node to each of the service functions. A service header is generated including metadata instructing the service nodes other than the first service node not to act as proxies in the secure communication session. The message and the service header are transmitted to a second service node in the service function chain.

    Other inventors
  • Network security system to validate a server certificate

    Issued US 10,009,336

    In one embodiment, a Domain Name Service (DNS) server pre-fetches domain information regarding a domain that includes certificate information for the domain. The DNS server receives a DNS request that includes a security request for the domain in metadata of a Network Service Header (NSH) of the DNS request. The DNS server retrieves the certificate information for the domain from the pre-fetched information regarding the domain, in response to receiving the security request. The DNS server sends, to a Transport Layer Security (TLS) proxy, a DNS response for the domain that includes the certificate information in metadata of an NSH of the DNS response.

    Other inventors
  • Performing network topology traces with minimal data collection

    Issued US 9,992,091

    In one embodiment, a device in a network receives privatized network trace data that comprises round trip time information for hops along a communication path. The device groups the trace data into a plurality of network segments based on the round trip time information. The device calculates a segment trip time metric for one or more of the network segments based on the round trip time information associated with the one or more network segments.

    Other inventors
  • Estimating time duration of bandwidth availability

    Issued US 9,985,906

    In one embodiment, a device in an access network receives network condition data regarding the access network and requested flow characteristic data. The requested flow characteristic data is indicative of one or more flow characteristics requested by one or more subscribers for different periods of time. The device trains a machine learning-based classifier using the network condition data and the requested flow characteristic data and receives a particular flow characteristic request from a particular subscriber node. The particular request indicates one or more requested flow characteristics for a specified time period. The device determines a probability of the access network being able to accommodate the particular flow characteristic request by classifying the particular flow characteristic request using the trained classifier. The device sends a flow characteristic response to the particular subscriber node based on the determined probability.

    Other inventors
  • Internet control message protocol for completing a secondary protocol transaction

    Issued US 9,954,767

    In one implementation, an endpoint or client device sends a control message into a network to control how a subsequent flow from the endpoint is handled by one or more nodes in the network. A node in the network receives the control message including an encapsulated command and a counter value and modifies the counter value. The node compares the modified counter value to a predetermined limit. When the modified counter value is equal to the predetermined limit, the control message is designated for execution of the encapsulated command. When the modified counter value exceeds the predetermined limit, the control message is forwarded to a subsequent node.

    Other inventors
  • Optimizing media bitrate with explicit network feedback on one client only

    Issued US 9,917,871

    In one embodiment, a first device in a network sends a Session Traversal Utilities for Network Address Translation (STUN) binding request towards an endpoint device of a media session between the first and endpoint devices. The binding request includes one or more network attribute fields. The first device receives a binding response from an intermediate node between the first and endpoint devices in the network, in response to sending the binding request towards the endpoint device. The intermediate node inserted the one or more network attribute fields into the binding response. The received binding response includes one or more metrics for the media session in the one or more network attribute fields. The first device adjusts one or more bitrates of the media session based on the one or more metrics for the media session in the received binding response.

    Other inventors
  • Key management for privacy-ensured conferencing

    Issued US 9,866,383

    In one embodiment, a device in a network establishes a trust relationship between the device and a key management service. The device receives keying information from the key management service based on the established trust relationship. The device applies a digital signature to media data for a conference using the keying information, whereby the device is designated as a speaker of the conference. The device provides the signed media data to one or more conference participant devices. The one or more conference participant devices use the signed media data to validate that the media data was signed by the designated speaker of the conference.

    Other inventors
  • Detecting malicious software using handshake information

    Issued US 9,854,000

    In one embodiment, a method includes identifying unusual behavior with respect to a handshake between a first endpoint and a second endpoint that are included in a network, and determining whether the unusual behavior with respect to the handshake indicates presence of malicious software. The method also includes identifying at least one of the first endpoint and the second endpoint as potentially being infected by the malicious software if it is determined that the unusual behavior with respect to the handshake indicates the presence of malicious software.

    Other inventors
  • Differentiated quality of service using tunnels with security as a service

    Issued US 9,843,505

    A computer-implemented method includes sending a first request message to a first server associated with a first access network indicative of a request for an indication of whether the first server is configured to support prioritization of tunneled traffic, receiving a first response message from the first server indicative of whether the first server is configured to support prioritization of tunneled traffic, establishing one or more first tunnels with a security service when the first response message is indicative that the first server is configured to support prioritization of tunneled traffic, sending first flow characteristics and a first tunnel identifier to the first server; and receiving the first flow characteristics for each first tunnel from the first server at a first network controller. The first network controller is configured to apply a quality of service policy within the first access network for each tunnel in accordance with the flow characteristics.

    Other inventors
  • Provisional bot activity recognition

    Issued US 9,729,565

    In one implementation, a network device is configured to monitor communications associated with an endpoint and identify domain name service messages in the communications. Subsequently, the network device receives a hypertext transfer protocol (HTTP) request and determines whether a destination internet protocol (IP) address of the HTTP request is present in or absent from the domain name service messages. When the IP address is absent from the domain name service messages, the HTTP request is modified to trigger increased security.

    Other inventors
  • Inspected content delivery with peer-to-peer streaming

    Issued US 9,705,907

    In one embodiment, a tracker computer receives from a first device in a peer-to-peer network that the first device has content for serving. A content request for the content is received from a second device in the peer-to-peer network. The tracker computer routes the content from the first device to the second device through a server. The content routed through the server is inspected for malicious code.

    Other inventors
  • Client device awareness of network context for mobile optimization

    Issued US 9,654,341

    In one embodiment, a method comprises obtaining, by a client device via a wireless data link with a wireless access point, information from a network device within a data network reachable via the wireless access point, the information describing network conditions associated with a service provided to the client device via the data network; and the client device optimizing a transmission control protocol (TCP) communication, via the wireless data link, for optimization of the service provided by the client device.

    Other inventors
  • Token delegation for third-party authorization in computer networking

    Issued US 9,648,141

    In one embodiment, first content is served by an application server to a client computer through an Internet service provider network. The first content includes a link to second content on a third-party server. A token request is sent from the third-party server to the application server in response to selection of the link by the client computer. A token is provided to the third-party server by the application server in response to the token request. The token is configured to authorize data flow at a bandwidth for the second content by the Internet service provider network to the client computer. The data flow is authorized based on an agreement for the bandwidth between an operator of the application server and an operator of the Internet service provider network.

    Other inventors
  • Determining characteristics of a connection traversing a packet switching device

    Issued US 9,634,908

    In one embodiment, characteristics of a connection traversing a packet switching device are determined, which includes, but is not limited to, determining a network port number and/or address of an established connection based on a signature of the connection. In one embodiment, a packet switching device receives and forwards packets of a particular communication between a device and a remote node in a network. The packet switching device maintains information of the particular communication and identification data for use in subsequent identification of said particular communication. In response to receiving a communications information request specifying a signature related to said particular communication, the packet switching device prepares and sends a response, which typically includes matching the signature to said maintained identification data, resulting in identification of said information including a characterization of said particular communication, and sending a reply including the characterization of said particular communication.

    Other inventors
  • Path optimization for adaptive streaming

    Issued US 9,571,390

    In one implementation, downloading of streaming content using a security as a service (SecaaS) system is more efficient because portions of the streaming content may not be inspected by the SecaaS. A first request to download content from a content provider is received, and a connection is initiated with a security provider, which inspects the first chunk of the content and generates a routing instruction based on the inspection of the first chunk of content. Based on the routing instructions and the inspection of the first chunk, a request for a second chunk of the streaming content is addressed to the content provider. The second chunk of the streaming content circumvents the SecaaS system.

    Other inventors
  • In-band exchange of meta-information

    Issued US 9,525,703

    In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL record; and transmitting the at least one regular SSL record.

    Other inventors
  • In-band exchange of meta-information

    Issued US 9,479,534

    In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL record; and transmitting the at least one regular SSL record.

    Other inventors
  • CDNI request routing using flow metadata

    Issued US 9,450,913

    Methods, systems, and apparatus, including computer programs encoded on a computer storage medium for Content Delivery Networks Interconnection (CDNI) request routing using the PCP FLOWDATA option. In one aspect, a method includes receiving a request for content, and receiving, from a PCP server, flow characteristics for providing the content, where the PCP server receives the flow characteristics for providing the content from a PCP proxy that receives the flow characteristics from the client device. The method includes transmitting first data for querying the downstream content delivery network (CDN) to determine whether the downstream CDN can provide the content and satisfy the flow characteristics. The method includes receiving a response indicating the ability of the downstream CDN to provide the content and satisfy the flow characteristics, and transmitting second data based on the response, where the client device transmits flow metadata based on the second data to the PCP proxy.

    Other inventors
  • In-band exchange of meta-information

    Issued US 9,426,176

    In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL record; and transmitting the at least one regular SSL record.

    Other inventors
  • Differentiated quality of service using security as a service

    Issued US 9,413,560

    Various embodiments are disclosed for prioritizing network flows and providing differentiated quality of service in a telecommunications network. In some embodiments, a SecaaS can be utilized to signal flow characteristics of one or more network flows to a connector in a network so that the network can install differentiated quality of service against the one or more network flows based upon the received flow characteristics. Some embodiments enable a connector in a network to act as a PCP client to signal received flow characteristics to an upstream PCP server hosted by an adjacent access network.

    Other inventors
  • Inspection of data channels and recording of media streams

    Issued US 9,369,491

    In one implementation, two or more endpoints or client devices communicate using a peer-to-peer, browser-based, real-time communication protocol. One example of such a protocol is Web Real-Time Communication (WebRTC). An intermediary device receives, from a first endpoint, a request for communication with a second endpoint using the browser-based real-time communication protocol. The intermediary device identifies a control protocol based on the request for communication, and receives one or more write keys from the first endpoint. The intermediary device monitors communication between the first endpoint and the second endpoint using the one or more write keys. Examples of intermediary devices include servers, firewalls, and other network devices.

    Other inventors
  • On-demand bandwidth provisioning in a network environment

    Issued US 9,300,538

    An example method for facilitating on-demand bandwidth provisioning in a network environment is provided and includes receiving a request from a client at a first network for accommodating flow characteristics at a second network that is associated with executing an application at the first network, determining that the request cannot be fulfilled with available network resources allocated to the client by the second network, advising the client of additional cost for accommodating the flow characteristics, and authorizing additional network resources in the second network to accommodate the flow characteristics after receiving notification from the client of payment of the additional cost.

    Other inventors
  • Web caching with security as a service

    Issued US 9,288,231

    In one implementation, a Web-Cache deployed in the Enterprise premises and a cloud-based SecaaS are combined such that similar identity-based policies are enforced on both the SecaaS and content delivered from the Web-Cache. This identity-based policy implementation outside the network using SecaaS and within the network for web-cached content provides consistent identity-based security while still providing content to end-users with high performance. Content inspected and/or modified by SecaaS may be cached in the enterprise premises so that requests for content from an origin server decrease, freeing Internet bandwidth and reducing access time. Local caching of streaming content may decrease latency while local implementation of identity-based policy continues to limit the streamed content as appropriate. Local implementation of identity-based policy may reduce the load on SecaaS. Rather than using content delivery networks provided by a service provider for web content, a cache server within the enterprise is used.

    Other inventors
  • Smarter policy decisions based on metadata in data flows

    Issued US 9,282,040

    Modern day user applications leverage new communication technologies such as WebRTC, WebEx, and Jabber that allow devices to connect and exchange media content including audio streams, video streams, and data streams/channels. The present disclosure describes mechanisms for a Port Control Protocol (PCP) server to provide feedback to PCP clients to enforce certain policies on the transport of such media content for a network. A policy may include a traffic handling policy for enforcing differentiated quality of service characteristics for different types of media streams. Another policy may include a security policy ensuring that data files being transmitted over a data channel from one endpoint travel to a security application via a relay element before the packets reach another endpoint. The mechanisms are transparent to the endpoints, and advantageously preserve the user experience for these user applications.

    Other inventors
  • Rich media status and feedback for devices and infrastructure components using in path signaling

    Issued US 9,253,237

    A STUN message is received at a router device in a network from a client device in the network along a network path. The STUN message is evaluated for information that indicates to the router device to modify media that is subsequently sent along the network path. If the evaluating indicates that the router device is to modify the media, the media is modified in accordance with information in the STUN message that indicates attributes of the network.

    Other inventors
  • Dynamic discovery of IPV6 transition parameters by border/relay routers

    Issued US 9,246,809

    In one embodiment, an edge router of a local computer network snoops client-server protocol configuration information of a customer-premises equipment (CPE) device. From the snooping, the edge router may identify an Internet Protocol version 6 (IPv6) transition option in place at the CPE device along with associated configuration parameters for the IPv6 transition option. As such, the edge router may then advertise the IPv6 transition option along with associated configuration parameters to one or more border/relay routers of the local computer network to cause the one or more border/relay routers to provision themselves with the IPv6 transition option and associated configuration parameters.

    Other inventors
  • Coordination of multipath traffic

    Issued US 9,185,562

    In one implementation, traffic in a mobile network is directed across multiple paths to a single cloud server or security server (e.g., a security as a service). The mobile device detects a cloud connector through a primary connection based on an attachment or connection via a first interface of a mobile device. The mobile device sends a request to the cloud connector for an identification of a cloud security server associated with the cloud connector. After receiving the identification of the cloud security server, the mobile device directs one or more subsequent data flows or subflows for a second interface or another interface of the mobile device to the cloud server or security server. The second data flow and the second interface are associated with another network that is external to the enterprise network and trusted network connection or not associated with the enterprise network and the trusted network connection.

    Other inventors
  • Identity propagation

    Issued US 9,154,484

    In one implementation, identity-based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according to the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet, thus allowing identity propagation for other applications and protocols.

    Other inventors
  • Maximizing bottleneck link utilization under constraint of minimizing queuing delay for targeted delay-sensitive traffic

    Issued US 9,088,530

    In one embodiment, a system and method include determining bandwidth of a link that connects a local modem to a remote router. A first percentage of the bandwidth is assigned to a first class of data and a second percentage of bandwidth is assigned to a second class of data. The remaining percentage of the bandwidth is assigned for nominal excess capacity. The flow of first class of data and second class of data are controlled to below respective percentages of the bandwidth.

    Other inventors
  • Discovering security devices located on a call path and extending bindings at those discovered security devices

    Issued US 9,054,922

    In one embodiment, an endpoint elicits a pattern of STUN responses to identify security devices located on a call path. The endpoint then uses address information from the identified security devices to establish an efficient media flow with a remote endpoint. The endpoint can optimize the number of network devices and network paths that process the endpoint's keepalive message. Additionally, the endpoint may request custom inactivity timeouts with each of the identified security devices for reducing bandwidth consumed by keepalive traffic.

    Other inventors
  • Intercepting a communication session in a telecommunication network

    Issued US 8,976,968

    Intercepting a secure communication session includes distributing a key from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint. A secure channel is established between the key distribution point and an intercepting point. The intercepting endpoint may be determined to be authorized to intercept the secure communication session. The key is provided to the intercepting endpoint only if the intercepting endpoint is authorized to intercept the secure communication session, where the key provides the intercepting endpoint with access to intercept the secure communication session.

    Other inventors
  • Cryptographic identity assertion for the PSTN

    Issued US 8,953,771

    The present application provides an authentication scheme that allows a device to provide additional authentication of a Publicly Switched Telephone Network (PSTN) identity assertion made in a PSTN call by also sending an Internet Protocol (IP) communication. The device sends the IP communication generally in parallel with the PSTN call. The IP communication includes a network identity assertion, which optionally may be authenticated using a cryptographically secure technique. The network identity assertion, being more difficult to falsify, provides additional authentication of the PSTN identity assertion.

  • Triggering bandwidth reservation and priority remarking

    Issued US 8,891,521

    In one embodiment, a reservation proxy monitors for received connectivity check messages or beginning-of-media-flow indication messages. When either type of message is observed, the reservation proxy requests resource allocation for a media flow associated with the received message. The amount of resource allocation requested may be coordinated by exchanging messages with a call controller or policy server for one of the endpoints of the media flow, or the amount of resource allocation may be identified within the received message.

    Other inventors
  • Dynamic learning by a server in a network environment

    Issued US 8,886,775

    In one embodiment, receiving a neighbor solicitation message from a stateless address configuration host; processing the neighbor solicitation message to obtain a device identifier and an internet protocol version six (IPv6) address; storing a mapping between the device identifier and the IPv6 address in a database associated with the network device; and sending the mapping in a new message to a server. In more particular embodiments, the method can include evaluating the database in order to determine whether a particular IPv6 address is a duplicate; and marking an entry associated with the particular IPv6 address in the database for deletion.

    Other inventors
  • Optimizing state sharing between firewalls on multi-homed networks

    Issued US 8,782,286

    In one embodiment, a security device monitors for outgoing re-transmission messages indicating that an endpoint located in a multi-homed network transmitted an unanswered initial connection request. Responsive to identifying one of the outgoing re-transmission messages, the security device identifies destination address information included in the identified re-transmission message. The security device then causes another security device associated with a different link of the same multi-homed network to update its internal state table according to the identified destination address information. As a result, a response to the outgoing re-transmission can be forwarded to the multi-homed network regardless of which security device receives the response.

  • Using PSTN reachability to verify VoIP call routing information

    Issued US 8,675,642

    A system for verifying VoIP call routing information. In particular implementations, a method includes verifying one or more Voice-over-Internet-Protocol (VoIP) call agents for respective destination telephone numbers based on demonstrated knowledge of previous public switched telephone network (PSTN) calls to the respective destination telephone numbers; receiving a call initiation message identifying a destination telephone number; and conditionally initiating a call over a VoIP network to a target VoIP call agent, or over a circuit switched network, based on whether the target VoIP call agent has been verified for the destination telephone number identified in the call initiation message.

    Other inventors
  • Protected device initiated pinhole creation to allow access to the protected device in response to a domain name system (DNS) query

    Issued US 8,612,592

    Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with a protected device initiating a pinhole through a network address translator and/or firewall to allow access to the protected device in response to a Domain Name System (DNS) query. In response to a received DNS query from a domain name system (DNS) server, an apparatus requests a traffic pinhole be created in a firewall or network address translator for allowing traffic initiated from a device, on another side of the firewall or said network address translator from the apparatus, to reach the apparatus.

  • Discovering security devices located on a call path and extending bindings at those discovered security devices

    Issued US 8,533,339

    In one embodiment, an endpoint elicits a pattern of STUN responses to identify security devices located on a call path. The endpoint then uses address information from the identified security devices to establish an efficient media flow with a remote endpoint. The endpoint can optimize the number of network devices and network paths that process the endpoint's keepalive message. Additionally, the endpoint may request custom inactivity timeouts with each of the identified security devices for reducing bandwidth consumed by keepalive traffic.

    Other inventors
  • Verifying cryptographic identity during media session initialization

    Issued US 8,533,462

    An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media.

    Other inventors
  • Real time protocol packet tunneling

    Issued US 8,484,331

    In one embodiment a method and apparatus are provided that automatically establish a real time protocol (RTP) tunnel between an originator node or router and a terminator node or router, wherein the terminator node is close to a remote RTP peer. A method includes detecting a new flow of RTP packets wherein the RTP packets are encoded with a destination Internet Protocol (IP) address. Responsive to detecting the new flow, a probe is sent towards a same IP address as the destination IP address of the RTP packets. A response to the probe is received, the response including an identifier of a node that generated the response. Then, using the identifier, a tunnel is established with the node that generated the response, and thereafter compressed packets (compressed headers, compressed payloads, or both) are passed via the tunnel.

    Other inventors
  • Triggering bandwidth reservation and priority remarking

    Issued US 8,422,495

    In one embodiment, a reservation proxy monitors for received connectivity check messages or beginning-of-media-flow indication messages. When either type of message is observed, the reservation proxy requests resource allocation for a media flow associated with the received message. The amount of resource allocation requested may be coordinated by exchanging messages with a call controller or policy server for one of the endpoints of the media flow, or the amount of resource allocation may be identified within the received message.

    Other inventors
  • Distributing policies to protect against voice spam and denial-of-service

    Issued US 8,402,507

    In one embodiment, a network device generates a protection policy responsive to identifying undesired voice data traffic. The network device then distributes the generated protection policy along a call path used for transferring the undesired voice data traffic. The proxy may distribute the protection policy by inserting the protection policy in a call response or other message that traces the call path back to a calling endpoint.

    Other inventors
  • Using authentication tokens to authorize a firewall to open a pinhole

    Issued US 8,363,836

    Techniques are described for the use of a cryptographic token to authorize a firewall to open a pinhole which permits certain network traffic to traverse firewalls. An initiating endpoint requests a token from a call controller, which authorizes a pinhole through the firewall. In response, the call controller may generate a cryptographic authorization token (CAT) sent towards the destination endpoint. The call controller may generate the token based on an authorization ID associated with the call controller, a shared secret known to both the call controller and the firewall, and data specific to the media flow for which authorization is requested.

    Other inventors
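    Worked example (added here; not the patent's or any vendor's code): a token of the shape the abstract describes, computed as an HMAC over the call controller's authorization ID, an expiry and the media flow's 5-tuple, keyed with the secret the controller shares with the firewall. The HMAC-SHA256 construction, the 5-tuple encoding, the expiry field, and every secret, ID and address below are assumptions made for illustration. The point the code shows is that the firewall recomputes the MAC over the flow it actually observes on the wire, so a token issued for one flow cannot open a pinhole for a different one, and a token cannot be forged or extended without the shared secret.

```python
"""Cryptographic authorization token (CAT) for a firewall pinhole.

Added illustration; construction and all sample values are assumptions,
not taken from the patent. Call controller issues, firewall verifies.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

MAC_LEN = 16  # 128-bit truncated HMAC-SHA256 tag


@dataclass(frozen=True)
class Flow:
    """The media flow the pinhole is for: the 5-tuple the firewall can observe."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int = 17  # UDP

    def pack(self) -> bytes:
        # Fixed-width encoding with an explicit family byte per address, so two
        # different flows can never serialize to the same byte string.
        out = b""
        for ip, port in ((self.src_ip, self.src_port), (self.dst_ip, self.dst_port)):
            a = ip_address(ip)
            out += struct.pack("!B", a.version) + a.packed + struct.pack("!H", port)
        return out + struct.pack("!B", self.proto)


def _mac(secret: bytes, auth_id: bytes, flow: Flow, expires: int) -> bytes:
    msg = struct.pack("!H", len(auth_id)) + auth_id + struct.pack("!Q", expires) + flow.pack()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:MAC_LEN]


def issue_token(secret: bytes, auth_id: bytes, flow: Flow, lifetime_s: int,
                now: Optional[int] = None) -> bytes:
    """Call controller: token = len(auth_id) || auth_id || expiry || MAC.
    The flow is not carried in the token; the firewall takes it from the packet."""
    now = int(time.time()) if now is None else now
    expires = now + lifetime_s
    return (struct.pack("!H", len(auth_id)) + auth_id + struct.pack("!Q", expires)
            + _mac(secret, auth_id, flow, expires))


def verify_token(secret: bytes, token: bytes, observed: Flow,
                 now: Optional[int] = None) -> bool:
    """Firewall: accept only if the MAC verifies over the flow actually seen and
    the token has not expired. Constant-time compare avoids leaking the tag."""
    now = int(time.time()) if now is None else now
    if len(token) < 2:
        return False
    n = struct.unpack("!H", token[:2])[0]
    if len(token) != 2 + n + 8 + MAC_LEN:
        return False
    auth_id = token[2:2 + n]
    expires = struct.unpack("!Q", token[2 + n:2 + n + 8])[0]
    tag = token[2 + n + 8:]
    if now >= expires:
        return False
    return hmac.compare_digest(tag, _mac(secret, auth_id, observed, expires))


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: the secret, authorization ID and addresses are made up."""
    secret = b"controller-firewall-shared-secret"
    auth_id = b"callctl-01"
    flow = Flow("192.0.2.10", 16384, "198.51.100.20", 20000)
    token = issue_token(secret, auth_id, flow, lifetime_s=60, now=now)
    tampered = token[:2] + bytes([token[2] ^ 0x01]) + token[3:]  # flip one bit of auth_id
    return {
        "matching_flow": verify_token(secret, token, flow, now=now + 1),
        "other_port": verify_token(secret, token,
                                   Flow("192.0.2.10", 16384, "198.51.100.20", 20002), now=now + 1),
        "expired": verify_token(secret, token, flow, now=now + 61),
        "wrong_secret": verify_token(b"not-the-shared-secret", token, flow, now=now + 1),
        "tampered_id": verify_token(secret, tampered, flow, now=now + 1),
    }


if __name__ == "__main__":
    print(demo())
```

    Only the matching, unexpired token opens the pinhole; a token replayed against another port, an expired token, one minted with a different secret, or one with an altered authorization ID is refused. Binding the token to the requesting endpoint (for example a nonce or its signaling identity) to stop replay inside the lifetime, and rotating the shared secret, are deployment details the abstract does not cover and are not shown here.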
  • Monitoring of real-time transport protocol (RTP) packet flow along RTP path

    Issued US 8,248,942

    Techniques are provided herein to enable monitoring of a real-time transport protocol (RTP) packet flow in devices along the path that the RTP packet flow traversed from a source to a destination. A device that is a source or destination of an RTP packet flow transmits a monitor request message that requests one or more other devices along a path of the RTP packet flow to monitor the RTP packet flow. The device that is the source or destination of the RTP packet flow receives one or more monitoring reports from the one or more other devices along the path of the RTP packet flow. This allows a device that requested monitoring of the RTP packet flow to analyze the monitor reports in order to determine a location of a cause of reduced performance in the RTP packet flow, e.g., missing packets, overly delayed packets, etc.

    Other inventors
  • Using PSTN reachability to verify caller ID information in received VoIP calls

    Issued US 8,204,047

    A system for verifying caller ID information in received VoIP calls. In particular implementations, a method includes receiving a caller identification (ID) identifying a calling party telephone number in a call initiation message transmitted from a VoIP call agent; determining the identity of the VoIP call agent; verifying that a public switched telephone network (PSTN) call to the calling party telephone number would arrive at a VoIP call agent having the determined identity; and applying, responsive to the call initiation message, one or more rules based at least in part on the verifying step.

    Other inventors
  • Using PSTN reachability to verify VoIP call routing information

    Issued US 8,199,746

    A system for verifying VoIP call routing information. In particular implementations, a method includes verifying one or more Voice-over-Internet-Protocol (VoIP) call agents for respective destination telephone numbers based on demonstrated knowledge of previous public switched telephone network (PSTN) calls to the respective destination telephone numbers; receiving a call initiation message identifying a destination telephone number; and conditionally initiating a call over a VoIP network to a target VoIP call agent, or over a circuit switched network, based on whether the target VoIP call agent has been verified for the destination telephone number identified in the call initiation message.

    Other inventors
  • Verifying cryptographic identity during media session initialization

    Issued US 8,200,959

    An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media.

    Other inventors
  • Method for protecting against denial of service attacks

    Issued US 8,191,119

    A security policy enables security devices to forward ICE messages. The security policy may use protection tokens to prevent Denial of Service (DoS) attacks. This allows endpoints to use Interactive Connectivity Establishment (ICE) to enable multimedia communications across Network Address Translators (NATs) and other security devices.

    Other inventors
  • Multiple NAT traversal protocol

    Issued US 8,170,014

    Systems, methods, and other embodiments associated with multiple NAT traversal are provided. A request is received from a host for a publicly-routable communication path identifier for the host, where the host is a member of a private network associated with a first network address translation device. The first network address translation device communicates with a second network address translation device using an address-port-borrowing-protocol to acquire information related to the publicly-routable communication path identifier. Information related to the publicly-routable communication path identifier is received with the first network address translation device and the publicly-routable communication path identifier is provided to the host.

  • Intelligent ALG functionality in networks supporting endpoints performing network address translation

    Issued US 7,978,703

    In one embodiment, a signaling message is received from an endpoint. It is determined from the signaling message whether, prior to sending the signaling message, the endpoint performed network address translation on the body of the signaling message. If it is determined from the signaling message that, prior to sending the signaling message, the endpoint did not perform network address translation on the body of the signaling message, application layer gateway functionality is applied to the body of the signaling message such that a modified signaling message is generated.

    Other inventors
  • Authenticating an endpoint using a STUN server

    Issued US 7,908,480

    Authenticating an endpoint using a STUN server includes facilitating a communication session between a first endpoint and a second endpoint over a network. A challenge request is sent to the second endpoint. The challenge request attempts to authenticate the second endpoint and includes an identification. The identification is associated with an expected response identification. A response to the challenge request is received from the second endpoint. The response has an actual response identification. The received response is verified to establish whether the second endpoint is legitimate. The second endpoint is legitimate if the actual response identification includes the expected response identification.

    Other inventors
  • Triggering bandwidth reservation and priority remarking

    Issued US 7,822,046

    In one embodiment, a reservation proxy monitors for received connectivity check messages or beginning-of-media-flow indication messages. When either type of message is observed, the reservation proxy requests resource allocation for a media flow associated with the received message. The amount of resource allocation requested may be coordinated by exchanging messages with a call controller or policy server for one of the endpoints of the media flow, or the amount of resource allocation may be identified within the received message.

    Other inventors
  • Traceroute using address request messages

    Issued US 7,738,383

    In one embodiment, an endpoint sends messages containing Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN) requests to traceroute a path to the remote endpoint. The traceroute may be completed through security devices such as NATs and firewalls. Receipt of a STUN response from the remote endpoint signals that one of the traceroute packets reached the remote endpoint whereas the other traceroute packets have elicited error responses from intermediary, on-path routers, allowing these routers to be identified.

    Other inventors
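    Worked example (added here; not the patent's code): the probe and reply framing for the STUN traceroute described above, using RFC 5389 Binding messages. Each TTL-limited probe carries its own random 96-bit transaction ID, so a Binding Success Response can be attributed to exactly one probe (and therefore one TTL), while an unsolicited or spoofed reply whose transaction ID matches no outstanding probe is ignored. The XOR-MAPPED-ADDRESS decoding follows RFC 5389. The remote endpoint, its addresses and the "hop 5 answers" scenario are constructed; setting IP_TTL on a real socket and collecting the ICMP Time Exceeded replies from on-path routers is not shown.

```python
"""STUN Binding codec for TTL-swept probing (RFC 5389 framing).

Added illustration, not the patent's code. Sample addresses and the
simulated remote endpoint are constructed.
"""
import os
import struct
from ipaddress import IPv4Address, IPv6Address, ip_address

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def new_transaction_id() -> bytes:
    """96-bit random transaction ID (RFC 5389 section 6)."""
    return os.urandom(12)


def _message(msg_type: int, txid: bytes, body: bytes = b"") -> bytes:
    # 20-byte header: type, body length, magic cookie, transaction ID
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def build_binding_request(txid: bytes) -> bytes:
    """Client probe: a Binding Request with no attributes."""
    return _message(BINDING_REQUEST, txid)


def _xor_mapped_address(ip: str, port: int, txid: bytes) -> bytes:
    """XOR-MAPPED-ADDRESS; IPv6 is XORed with cookie||txid (RFC 5389 15.2)."""
    addr = ip_address(ip)
    cookie = struct.pack("!I", MAGIC_COOKIE)
    family, key = (0x01, cookie) if addr.version == 4 else (0x02, cookie + txid)
    xaddr = bytes(a ^ b for a, b in zip(addr.packed, key))
    value = struct.pack("!BBH", 0, family, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value  # 8 or 20 bytes, already aligned


def build_binding_response(txid: bytes, reflexive_ip: str, reflexive_port: int) -> bytes:
    """Remote endpoint's reply: echoes the transaction ID of the request it saw."""
    return _message(BINDING_SUCCESS, txid, _xor_mapped_address(reflexive_ip, reflexive_port, txid))


def parse_binding_response(data: bytes, outstanding: dict):
    """Return (ttl_of_matching_probe, ip, port), or None if the datagram is not a
    well-formed Binding Success Response for one of our outstanding probes."""
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    txid = data[8:20]
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS or length != len(data) - 20:
        return None
    if txid not in outstanding:
        return None  # late, unsolicited or spoofed: cannot be attributed to a probe
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attributes are padded to 32-bit boundaries
        if atype == XOR_MAPPED_ADDRESS and len(value) in (8, 20):
            family, xport = struct.unpack("!xBH", value[:4])
            key = struct.pack("!I", MAGIC_COOKIE) + (txid if family == 0x02 else b"")
            raw = bytes(a ^ b for a, b in zip(value[4:], key))
            ip = str(IPv4Address(raw)) if family == 0x01 else str(IPv6Address(raw))
            return outstanding[txid], ip, xport ^ (MAGIC_COOKIE >> 16)
    return None


def probe_sweep(max_ttl: int = 8):
    """One Binding Request per TTL, each with a fresh transaction ID. On a real
    socket each probe is sent after setsockopt(IPPROTO_IP, IP_TTL, ttl)."""
    outstanding = {}
    probes = []
    for ttl in range(1, max_ttl + 1):
        txid = new_transaction_id()
        outstanding[txid] = ttl
        probes.append((ttl, build_binding_request(txid)))
    return outstanding, probes


def demo():
    """Constructed scenario: the remote endpoint answers the TTL-5 probe."""
    outstanding, _probes = probe_sweep(8)
    txid_ttl5 = next(t for t, ttl in outstanding.items() if ttl == 5)
    hit = parse_binding_response(build_binding_response(txid_ttl5, "203.0.113.7", 40000), outstanding)
    hit6 = parse_binding_response(build_binding_response(txid_ttl5, "2001:db8::1", 5060), outstanding)
    spoofed = parse_binding_response(
        build_binding_response(new_transaction_id(), "203.0.113.7", 40000), outstanding)
    return hit, hit6, spoofed


if __name__ == "__main__":
    print(demo())
```

    The probes with TTL 1 to 4 expire at on-path routers and come back as ICMP Time Exceeded, which identifies those hops; the TTL-5 probe reaches the peer, whose Binding Response is matched to that probe by transaction ID and also yields the reflexive address the peer saw. A response carrying a transaction ID that was never sent is dropped rather than attributed to any hop.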
  • Analyzing a media path in a packet switched network

    Issued US 7,729,267

    No-op media payload packets are used to analyze a media path in a packet switched network. In one embodiment, the no-op packets are Real Time Protocol (RTP) payload packets that contain no media content. A Real Time Control Protocol (RTCP) report is generated for the received RTP no-op packets. A marker bit is set in one of the no-op packets that triggers the no-op packet receiver to send back the RTCP report. The media stream is transmitted when the statistics in the RTCP report indicate a viable media path.

    Other inventors
  • Domain based routing for managing devices operating behind a network address translator

    Issued US 7,706,371

    A domain based tunneling scheme allows a Network Management System (NMS) to manage devices in a private network operating behind a NAT boundary. A device in the private network provides the NMS with information including a public NAT IP address, a private device IP address, and a unique device identifier. The NMS uses the public NAT IP address to set up and maintain a tunnel to the private network. The NMS stores the NAT information and a tunnel identifier in a table entry associated with the device. The NMS then uses the tunnel and the contents of the table entry to conduct management operations with the device operating in the private network.

    Other inventors
  • Triggering flow analysis at intermediary devices

    Issued US 7,706,278

    In one embodiment, a router examines an incoming packet for a flow monitoring request. The router may examine every packet for the flow monitoring request, or preferably may only examine packets including a lifetime value indicating that the packet should be dropped and not forwarded or may only examine packets having a predetermined message format. When the flow monitoring request is included, the router performs detailed flow analysis or other monitoring according to the flow monitoring request.

    Other inventors
  • Intelligent ALG functionality in networks supporting endpoints performing network address translation

    Issued US 7,693,150

    In one embodiment, a signaling message is received from an endpoint. It is determined from the signaling message whether, prior to sending the signaling message, the endpoint performed network address translation on the body of the signaling message. If it is determined from the signaling message that, prior to sending the signaling message, the endpoint did not perform network address translation on the body of the signaling message, application layer gateway functionality is applied to the body of the signaling message such that a modified signaling message is generated.

    Other inventors
  • Route convergence monitoring system and method

    Issued US 7,627,290

    A route convergence monitoring system and method provide for determining routing changes or affected devices that may cause detrimental or other quality conditions to occur in an endpoint device. In one embodiment, ongoing endpoint quality monitoring of quality conditions and convergence occurrence monitoring of successive route changes that may occur are initiated. An endpoint quality monitor provides for determining an endpoint quality condition and transferring an indicator of the condition (e.g., endpoint device and timing) to a network manager. The network manager may add one or more information indicators and provides the indicators to an end-to-end convergence monitor. The convergence monitor, receives the indicators and determines one or more of a second endpoint device, routing changes in at least a portion of the network and a correlation of routing changes that may have caused the indicated or other quality conditions to occur.

    Other inventors
  • Authentication of SIP and RTP traffic

    Issued US 7,568,224

    A method for authenticating communication traffic includes receiving a Session Initiation Protocol (SIP) data packet sent over a network from a source address to a destination address, sending an outgoing SIP message to the source address, receiving an incoming SIP message in response to the outgoing SIP message and processing the incoming SIP response message so as to assess authenticity of the received SIP data packet.

    Other inventors
  • Measuring one-way delay at arbitrary points in network

    Issued US 7,519,006

    Timestamps are inserted into trace packet expiration messages to identify delay in a network. A Time To Live (TTL) value in the trace packet is varied to intentionally cause an intermediate node in the network to discard the trace packet and send back the packet expiration message. The intermediate node sending the packet expiration message inserts a time value in the message indicating when the intermediate node received the trace packet. The time value is then used to determine the time required for the trace packet to reach the intermediate node.

  • Managing devices across NAT boundaries

    Issued US 7,515,549

    An address management scheme allows a Network Management System (NMS) to manage devices in a private network operating behind a Network Address Translator (NAT) boundary. A device operating in the private network sends a communication to a Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN) server. The STUN server responds by communicating a public NAT IP address and a NAT port number back to the device. The device then provides the NMS with the public NAT IP address, a NAT port number associated with the device, a unique device identifier, and the private device IP address. The NMS stores this information in a table and then accesses this address information to manage the device in the private network. The device then uses the STUN server to identify any changes to the device address information and then sends the changes to the NMS.

    Other inventors
  • Analyzing a media path for an internet protocol (IP) media session

    Issued US 7,496,044

    Time To Live (TTL) values are modified in media packets to intentionally cause rejection of the media packets at intermediate nodes in a media path. Rejection notices caused by the TTL modified media packets are then analyzed to isolate Quality of Service (QoS) problems in the media path.

  • Discovering internet addresses

    Issued US 7,483,393

    Local address return services reduce the burden on central address return servers. A local client determines whether an intermediary Network Address Translator (NAT) resides between a local NAT and a public Internet network. The local address return service is enabled when no intermediary NAT resides between the local NAT and the public Internet network. The local address return service is disabled and the central address return service is used when an intermediary NAT resides between the local NAT and the public Internet network. In one embodiment, the local client is a Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN) client and the local and central address return services are STUN servers.

  • Stateful firewall inspection of ICE messages

    Issued US 7,472,411

    An endpoint uses Interactive Connectivity Establishment (ICE) to enable multimedia communications to traverse Network Address Translators (NATs). A security policy enables security devices and asymmetric security devices to forward ICE messages. A management device stores information about an initial message. Later, a security device receives an ICE message and sends an authorization request to the management device. The management device compares information in the authorization request to information in memory. According to the comparison, the management device authorizes the security device to forward the ICE message.

    Other inventors
    See patent
  • Transporting encrypted media streams over a wide area network

    Issued US 7,308,101

    A network processing device identifies call requests that require secure media connections and that also require transport over both a packet switched network and a circuit switched network. The network processing device establishes an IP link over the circuit switched network and directs endpoints for the media connection to use Internet Protocol (IP) media encryption. The same IP encrypted media is then transported end-to-end over both the packet switched network and the IP link in the circuit switched network.

  • Reducing fax transmission status outcalls from a FAX-to-SMTP gateway

    Issued US 6,650,440

    A communication system for transmission of facsimile (fax) information using an email message from a sending fax device used by a sending fax user to a receiving fax device used by a receiving fax user through at least one mailer device including a sending gateway device coupled to the sending fax device for causing transfer of a fax message received from the fax device. The sending gateway device further attaches the transferred fax message to an email message. [...]

  • Intercepting a communication session in a telecommunication network

    US 8,175,277

    Intercepting a secure communication session includes distributing a key from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint. A secure channel is established between the key distribution point and an intercepting point. The intercepting endpoint may be determined to be authorized to intercept the secure communication session. The key is provided to the intercepting endpoint only if the intercepting endpoint is authorized to intercept the secure communication session, where the key provides the intercepting endpoint with access to intercept the secure communication session.

    Other inventors
    See patent
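
    The local/central address return abstract above describes a STUN client deciding, from what a public STUN server reflects back, whether a second NAT sits upstream of the local NAT. The following is an added illustration written for this page, not code from any of the patents or from their inventors: it builds an RFC 5389 Binding Request, parses the XOR-MAPPED-ADDRESS from a Binding Success Response (validating the magic cookie, the message length and the transaction ID so a stale or spoofed reply is rejected), and then applies one possible decision rule, that the local STUN server is usable only when the reflexive address seen by the central server equals the local NAT's own WAN address. The server names, the WAN-address comparison rule and the sample response bytes are assumptions constructed for the example; the patent text does not specify how the intermediary NAT is detected.

```python
import os
import socket
import struct

# RFC 5389 constants
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """Build a STUN Binding Request with no attributes (20-byte header only)."""
    if txid is None:
        txid = os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid, ip, port):
    """Build a Binding Success Response carrying XOR-MAPPED-ADDRESS.
    Used here only to construct sample server replies offline (assumption:
    IPv4 family 0x01 only)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(response, expected_txid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS after validating the header.

    Rejects replies whose cookie, type, length or transaction ID do not
    match, which is what stops an attacker from steering the client with a
    forged reflexive address."""
    if len(response) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, cookie = struct.unpack("!HHI", response[:8])
    txid = response[8:20]
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding Success Response")
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if len(response) != 20 + mlen:
        raise ValueError("length field does not match message size")
    off = 20
    while off + 4 <= len(response):
        atype, alen = struct.unpack("!HH", response[off:off + 4])
        value = response[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def intermediary_nat_present(local_nat_wan_ip, reflexive_ip):
    """Assumed rule: if a public STUN server saw a different address than the
    local NAT's own WAN address, another NAT (e.g. carrier-grade) is upstream,
    and addresses handed out by a local STUN server would not be reachable."""
    return local_nat_wan_ip != reflexive_ip


def choose_stun_server(local_nat_wan_ip, central_response, txid,
                       local_server="stun.local", central_server="stun.example.net"):
    """Enable the local address return service only when no intermediary NAT
    is detected; otherwise fall back to the central one. Server names are
    placeholders for this example."""
    reflexive_ip, _ = parse_mapped_address(central_response, txid)
    if intermediary_nat_present(local_nat_wan_ip, reflexive_ip):
        return central_server
    return local_server


if __name__ == "__main__":
    # Constructed sample exchange: the local NAT's WAN side is 203.0.113.7.
    txid = os.urandom(12)
    reply = build_binding_response(txid, "203.0.113.7", 54321)
    print(parse_mapped_address(reply, txid))
    print(choose_stun_server("203.0.113.7", reply, txid))   # local server usable
    print(choose_stun_server("100.64.3.9", reply, txid))    # CGN upstream: central
```

    In the second call the local NAT's WAN address is a shared-address-space (100.64.0.0/10) address, so the address reflected by the public server cannot be the local NAT's own and the client falls back to the central service; a real client would also repeat the probe over time, since the upstream topology can change.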

Honors & Awards

  • Cisco Live distinguished speaker (top 7%)

    Cisco

    Rated in the top 7% of presentations at Cisco's customer conference; the talk covered the impact of encryption on network security.
