Keyur Patel

San Jose, California, United States
7K followers 500+ connections

Patents

  • Restarting Network Reachability Protocol Sessions Based on Transport Layer Authentication

    Issued US Patent No. 9,300,642

    Network nodes can use authentication facilities in transport layer communication protocols, such as Transmission Control Protocol Authentication Option (“TCP-AO”), in a data communications network to authenticate each other. TCP-AO addresses network security and key rollover methods.

    TCP-AO provides security measures for a variety of TCP applications. For example, TCP-AO may be executed by the peering nodes that implement a network reachability protocol such as Border Gateway Protocol (“BGP”), TCP applications such as a Label Distribution Protocol (“LDP”), a Protocol Independent Multicast (“PIM”)-over-TCP, and Multicast Source Discovery Protocol (“MSDP”)-over-TCP, etc.

    In a network using TCP-AO, when a BGP peer router suffers a cold reboot after an unexpected restart, the BGP peers may need considerable time to recover from the reboot and to set up new BGP sessions with the rebooted peer.

  • Dynamic discovery mechanisms via inter-domain routing protocol

    Issued US 8,121,136

  • Performing a defensive procedure in response to certain path advertisements

    Issued US 8640236

    Other inventors
    • Alvaro Retinara
    • Burjiz Pithawala
  • Providing reachability information in a routing domain of an external destination address in a data communications network

    Issued US 7957306

    An apparatus for providing reachability in a routing domain of a data communications network having as components nodes and links therebetween for a routing domain external destination address is provided. The apparatus is arranged to advertise destination address reachability internally to nodes in the routing domain and associate a reachability category with the internal advertisement of the destination address reachability.

  • BGP slow peer detection

    Issued US 8,705,394 B2

  • Constructing a repair path in the event of non-availability of a routing domain

    Issued US 8374092

    In one embodiment, an apparatus and method are described for constructing a repair path in the event of non-availability of a routing domain component of a routing domain comprising, as components, links and nodes. The apparatus is arranged to receive respective network repair addresses from each of the far-side and near-side advertising nodes for use in the event of non-availability of a routing domain component between the advertising nodes. The apparatus is further arranged to advertise the near-side advertising node network repair address to one or more far-side nodes via a path external to the routing domain.

  • Constructing a repair path in the event of non-availability of a routing domain

    Issued US 7697416

    In one embodiment, an apparatus and method are described for constructing a repair path in the event of non-availability of a routing domain component of a routing domain comprising, as components, links and nodes. The apparatus is arranged to receive respective network repair addresses from each of the far-side and near-side advertising nodes for use in the event of non-availability of a routing domain component between the advertising nodes. The apparatus is further arranged to advertise the near-side advertising node network repair address to one or more far-side nodes via a path external to the routing domain.

  • Soft notification messaging for a routing protocol

    Issued US 7633874

    A soft notification technique isolates address family application based errors or events occurring within a routing protocol, such as the Border Gateway Protocol (BGP), used to exchange routing information between a router and its peer router over a BGP session operating on a reliable transport.

  • Approaches for switching transport protocol connection keys

    Issued US 7,545,810

    Approaches are disclosed for switching transport protocol connection keys.

  • Constructing a repair path in the event of failure of an inter-routing domain system link

    Issued US 20080219153

    An apparatus and method are described for constructing a repair path for use in the event of failure of an inter-routing domain connection between respective components in first and second routing domains of a data communications network. The apparatus is arranged to assign a propagatable repair address for use in the event of failure of the inter-routing domain connection and to propagate the repair address via data communications network components other than the inter-routing domain connection.

  • Method and apparatus providing prioritized convergence in border gateway protocol

    Issued US 7,318,108

  • TYING DATA PLANE PATHS TO A SECURE CONTROL PLANE

    Filed US 20150207729

    In one embodiment, a router located at an exit edge of an autonomous system (AS) receives a data packet in a data plane, and determines a destination of the data packet and an associated AS-path information to the destination. The router may then insert the AS-path information into the data packet, and forward the data packet with the AS-path information toward the destination, such that a receiving device in a destination AS can validate whether the data packet was routed through a path that was secure from a control plane perspective based on a collection of one or more insertions of AS-path information.

  • VERIFYING DATA PLANE PATHS BASED ON A VALIDATED SECURE CONTROL PLANE

    Filed US 20150207728

    In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.

  • EFFICIENT GENERATION OF VPN-BASED BGP UPDATES

    Filed US 20110149980

    Improves IOS BGP PE-CE convergence up to 300% (in 1/3rd of the original time, for a scale of 4000 VRFs, 8000 PE-CE interfaces and 2.3M routes) on Cisco IOS ASR1K, making it the fastest implementation in the industry at that time.
    Cisco Serial No.: 12/643,036

  • Automatically detecting Best Paths from Shadow Route Reflectors

    Filed US 50325-1689

  • Methods and apparatus for implementing VPN services

    US 7,668,178

    Implementation of a VPN service such as a VPLS (Virtual Private Local area network Service) is performed utilizing a two-stage process. A first stage of the two-stage process involves providing notification of whether a PE (Provider Edge) router in a label-switching network has VPLS capability. Notification can include broadcasting a message from a PE router to remote PE routers in the label-switching network to indicate whether the broadcasting PE router is VPLS enabled. A second stage of the two-stage process involves, based on receiving a notification that a PE router is VPLS enabled, generating a query message to discover a set of VPLS instances to which the broadcasting PE router belongs. In this way, a given PE router generating the query message can identify other PE routers in the label-switching network associated with the same VPLS for purposes of setting up the VPLS in the label-switching network.
