11. Method and apparatus for longest prefix address lookup
    Granted patent; status: in force

    Publication number: US06526055B1

    Publication date: 2003-02-25

    Application number: US09175552

    Filing date: 1998-10-20

    IPC classification: H04L12/28

    Abstract: A method and apparatus that constructs a “router database” and then uses the database to determine a longest match between a piece of target data, such as an address in a packet to be routed, and the database. The database contains a comparison table having a plurality of entries. In a first embodiment, each entry has up to k values, where 2 <= k <= N and N is the number of comparison values in the database. In a second embodiment, each entry has up to k-1 values. During operation, the entries of the comparison table are loaded and compared with the address to determine the longest matching prefix in the router database. The comparisons can be performed in parallel.
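
    Added example (not from the patent or this listing): a generic longest-prefix-match table built as a binary trie over address bits, the textbook structure rather than the patent's comparison table of up to k values per entry. The class name, the prefixes, the route names and the target addresses are constructed for the example.

```python
import ipaddress


class LongestPrefixTable:
    """Longest-prefix-match table as a binary trie over address bits.

    Assumed structure for this example: one trie per IP version, one node per
    prefix bit, and an "entry" stored at the node where a prefix ends. Lookup
    walks the target address bit by bit and remembers the last entry passed,
    so the most specific matching prefix wins.
    """

    def __init__(self):
        self._roots = {4: {}, 6: {}}

    def insert(self, prefix, value):
        net = ipaddress.ip_network(prefix, strict=False)
        node = self._roots[net.version]
        bits = int(net.network_address)
        for i in range(net.prefixlen):
            bit = (bits >> (net.max_prefixlen - 1 - i)) & 1
            node = node.setdefault(bit, {})
        node["entry"] = (str(net), value)

    def lookup(self, address):
        """Return (prefix, value) of the longest matching prefix, or None."""
        ip = ipaddress.ip_address(address)
        node = self._roots[ip.version]
        bits = int(ip)
        best = node.get("entry")          # a /0 default route lives at the root
        for i in range(ip.max_prefixlen):
            bit = (bits >> (ip.max_prefixlen - 1 - i)) & 1
            node = node.get(bit)
            if node is None:              # no more specific prefix on this path
                break
            best = node.get("entry", best)
        return best


def build_sample_table():
    """Constructed sample routing/policy table for the demonstration."""
    table = LongestPrefixTable()
    table.insert("0.0.0.0/0", "default via upstream")
    table.insert("10.0.0.0/8", "corporate")
    table.insert("10.1.0.0/16", "dmz")
    table.insert("10.1.2.0/24", "blackhole")
    table.insert("2001:db8::/32", "documentation v6")
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for target in ("10.1.2.3", "10.1.9.9", "10.200.1.1", "192.0.2.1", "2001:db8::1"):
        print(target, "->", table.lookup(target))
```

    Lookup returns the most specific matching prefix, which is why the /24 blackhole entry overrides the /16 and /8 entries that also cover 10.1.2.3. The same rule means a more-specific prefix, whether a route or a policy entry, silently takes precedence over a broader one, so a table that carries security policy should be checked for unexpected more-specific entries.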

12. System and method for organizing devices in a network into a tree using suitability values
    Granted patent; status: expired

    Publication number: US6134599A

    Publication date: 2000-10-17

    Application number: US61849

    Filing date: 1998-04-18

    Abstract: In a digital data network, a plurality of devices interconnected by a communication link organize themselves into a tree structure. Each device has an associated suitability value that generally reflects how suitable the device is to become a node in the tree structure. The devices organize themselves into a tree in one or more iterations, each iteration comprising two general steps: a node election step and a tree establishment step. In the node election step, the devices whose suitability values qualify them to become nodes in the tree broadcast node election messages, including their respective suitability values, over the communication link. These devices also receive the node election messages broadcast by other devices. Each device determines whether it is elected a node in the tree structure by comparing its own suitability value with the suitability values in the node election messages it receives. During the tree establishment step, the devices in the network communicate with at least one of the devices elected as nodes in the tree structure in order to become children of that node.


13. Defferrable processing option for fast path forwarding
    Granted patent; status: in force

    Publication number: US06788680B1

    Publication date: 2004-09-07

    Application number: US09383086

    Filing date: 1999-08-25

    IPC classification: H04L12/28

    Abstract: A system and method for providing deferred processing of information within a received data unit. An indication of a deferrable processing option in a received packet, such as a particular option type or flag, is detected together with other deferred-processing control parameters, and the relevant portion of the packet is stored. The received packet may then be forwarded out of the device without waiting for the deferred processing to complete. The deferred processing may be performed in parallel with, or subsequent to, forwarding of the packet. The disclosed system is embodied in a networking device such as a router that includes a fast processing path for packet forwarding functions and a relatively slow processing path for other functions such as network management. Detection of the deferred processing indication and copying of the relevant packet portion are performed in the fast path; the deferred processing itself may be performed in the slow path.


14. Efficient message distribution to subsets of large computer networks using multicast for near nodes and unicast for far nodes
    Granted patent; status: expired

    Publication number: US6131123A

    Publication date: 2000-10-10

    Application number: US79505

    Filing date: 1998-05-14

    IPC classification: H04L12/18 H04L12/56 G06F13/00

    CPC classification: H04L12/18 H04L12/1886

    Abstract: A computer sends a message to each of a number of recipient computers in a computer network by sending the message as a multicast message to the near recipient computers and as unicast messages to the far recipient computers. The sending computer determines the circumstances under which a combination of multicast and unicast messages is efficient by determining that many recipient computers are near the sending computer and that few are far. The sending computer makes this determination by establishing that no more than a predetermined number of recipient computers are at least a predetermined distance farther from the sending computer than the other recipient computers. The sending computer can also determine that the burden a multicast message imposes on the network is justified by the need to deliver the message to its intended recipients. For intended recipients that are too far and too few to justify a multicast message, unicast messages are sent.


15. METHOD AND APPARATUS FOR ASSURING ENHANCED SECURITY
    Patent application; status: pending (published)

    Publication number: US20100329460A1

    Publication date: 2010-12-30

    Application number: US12494486

    Filing date: 2009-06-30

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/00 H04L9/06 G06F21/00

    Abstract: Some embodiments provide a system to assure enhanced security, e.g., by assuring that information is not revealed over a covert channel. All communications between a source system and a destination system may pass through an intermediate system. In some embodiments, the intermediate system may perform an additional level of blinding to ensure that the source system does not covertly reveal information to the destination system. In some embodiments, the intermediate system may request that the source system perform a modification operation, and then check whether the source system performed it. Examples of the modification operation include a blinding operation and a cryptographic hashing operation.


16. Efficiently managing keys to make data permanently unreadable
    Granted patent; status: in force

    Publication number: US07596696B1

    Publication date: 2009-09-29

    Application number: US11214958

    Filing date: 2005-08-29

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/00

    CPC classification: H04L9/083 H04L9/0897

    Abstract: One embodiment of the present invention provides a system that facilitates making files permanently unreadable. During operation, the system encrypts a file with a key K at a file manager and then stores the encrypted file in non-volatile storage. Next, the system stores the key K in a key database located in volatile storage at the file manager. The system then encrypts the key database and stores the encrypted key database in non-volatile storage. Additionally, the key that can decrypt the encrypted key database is maintained by a key manager and is not maintained in non-volatile form by the file manager. In this way, if the file manager crashes and loses the contents of its volatile storage, it must interact with the key manager to decrypt the encrypted key database.


17. Ephemeral decryption utilizing binding functions
    Granted patent; status: in force

    Publication number: US07409545B2

    Publication date: 2008-08-05

    Application number: US10665386

    Filing date: 2003-09-18

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/00

    Abstract: A method and system are disclosed for utilizing an ephemeral encryption or decryption agent so as to preclude access by the ephemeral encryption agent or decryption agent, respectively, to the information being ephemerally encrypted or decrypted. To preclude access by the ephemeral encryption agent, a blinding function is applied to the information before it is forwarded to the encryption agent for encryption. To preclude access by the ephemeral decryption agent, a blinding function is applied to the encrypted information before it is forwarded to the decryption agent for decryption. Once the information has been returned, it is unblinded, leaving an encrypted or decrypted message respectively.

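
    Added example, not code from either patent, showing the blinding that entries 15 and 17 rely on, using textbook RSA: the caller multiplies a random factor into the value before handing it to an encryption or decryption agent and divides it out afterwards, so the agent computes the correct result without ever seeing the plaintext or the real ciphertext. The EphemeralAgent class, the primes, the exponent and the message are constructed for the example and far too small for real use; the intermediate system's "check that the modification was performed" step of entry 15 is not modelled.

```python
import math
import secrets

# Toy RSA parameters constructed for this example only (far too small for real use).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


class EphemeralAgent:
    """Hypothetical agent holding the ephemeral key pair.

    It records every value it is asked to operate on so the demo can show that
    neither the plaintext nor the real ciphertext ever reaches it.
    """

    def __init__(self):
        self.seen = []

    def encrypt(self, x):
        self.seen.append(x)
        return pow(x, E, N)

    def decrypt(self, y):
        self.seen.append(y)
        return pow(y, D, N)


def blinding_factor():
    """Random r in [2, N) that is invertible mod N (r = 1 would not blind anything)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind_encrypt(agent, m):
    """Agent encrypts without seeing m: it gets m*r, returns (m*r)^e,
    and the caller removes r^e using only the public key."""
    r = blinding_factor()
    c_blinded = agent.encrypt(m * r % N)             # (m*r)^e = m^e * r^e
    return c_blinded * pow(pow(r, -1, N), E, N) % N  # m^e


def blind_decrypt(agent, c):
    """Agent decrypts without seeing c or m: it gets c*r^e = (m*r)^e,
    returns m*r, and the caller multiplies by r^-1."""
    r = blinding_factor()
    m_blinded = agent.decrypt(c * pow(r, E, N) % N)  # (m*r)^(e*d) = m*r
    return m_blinded * pow(r, -1, N) % N


def demo(message=b"secret!"):
    """Round-trip a constructed message through a blinded agent."""
    m = int.from_bytes(message, "big")
    assert m < N, "message must be smaller than the modulus"
    agent = EphemeralAgent()
    c = blind_encrypt(agent, m)
    recovered = blind_decrypt(agent, c)
    return {
        "plaintext": m,
        "ciphertext": c,
        "recovered": recovered,
        "plain_rsa_matches": c == pow(m, E, N),   # blinding changed nothing about the result
        "agent_saw_plaintext": m in agent.seen,
        "agent_saw_ciphertext": c in agent.seen,
    }


if __name__ == "__main__":
    print(demo())
```

    The blinding factor is fresh per operation and discarded afterwards; reusing it, or letting the agent learn it, would let the agent unblind everything it has processed.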

18. Method and apparatus for using non-secure file servers for secure information storage
    Granted patent; status: in force

    Publication number: US07178021B1

    Publication date: 2007-02-13

    Application number: US09517410

    Filing date: 2000-03-02

    IPC classification: G06F17/30

    Abstract: A method and apparatus for utilizing a non-secure file server for storing and sharing data securely only among clients and groups authorized to read and modify the data. A first client that desires to store data on the file server encrypts the data with a first encryption key having an associated first decryption key. The client encrypts the first decryption key with a second encryption key having an associated second decryption key known to the first client. Additionally, the first decryption key is encrypted with the respective encryption keys of other clients or groups intended to have access to the data stored on the file server, and those clients and groups retain their respective decryption keys. All of the encrypted first decryption keys are stored within an access control list in association with the encrypted data on the non-secure file server. In response to an indication that the data should be transmitted to one of the clients, the file server returns to the client the encrypted data along with at least the applicable encrypted first decryption key for that client. The client is able to decrypt the first decryption key and decrypt the data using the unencrypted first decryption key. The data may then be modified and securely stored on the file server as described above. The first decryption key may also be encrypted with a second encryption key whose associated second decryption key is known to the members of a group or to a group server. The first decryption key encrypted with the group's second encryption key is stored in the access control list so that group members can obtain access to the encrypted data stored on the file server.

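
    Added example, not code from either patent, combining the two key-wrapping patterns of entries 16 and 18 over one toy authenticated cipher: a FileManager that keeps per-file keys only in volatile memory plus an encrypted key database on disk whose key is held by a separate KeyManager (entry 16), and a record format in which a data key is wrapped once per authorized client and kept in an access-control list beside the ciphertext on an untrusted server (entry 18). The cipher (SHA-256 counter mode with an HMAC tag), the class and function names, symmetric per-client keys for the ACL, and a dict standing in for non-volatile storage are all assumptions for this example.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption used throughout this example: SHA-256 counter-mode
# keystream plus an HMAC tag (an assumption; real systems use AES-GCM or ChaCha20-Poly1305).


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key, nonce, length):
    blocks = (length + 31) // 32
    stream = b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return stream[:length]


def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManager:
    """Holds the keys that protect key databases; it never writes them to disk."""

    def __init__(self):
        self._keks = {}

    def create(self, name):
        self._keks[name] = os.urandom(32)

    def fetch(self, name):
        return self._keks[name]          # KeyError once destroyed

    def destroy(self, name):
        del self._keks[name]             # every key database under it is now unrecoverable


class FileManager:
    """Entry 16 pattern: per-file keys K live only in volatile memory and in an
    encrypted key database on disk whose key is held by the KeyManager."""

    def __init__(self, key_manager, kek_name, disk):
        self.km, self.kek_name = key_manager, kek_name
        self.disk = disk                 # dict standing in for non-volatile storage
        self.key_db = {}                 # volatile: file name -> K
        self.km.create(kek_name)

    def store(self, name, data):
        k = os.urandom(32)
        self.disk[name] = seal(k, data)
        self.key_db[name] = k
        serialized = json.dumps({n: key.hex() for n, key in self.key_db.items()}).encode()
        self.disk["__keydb__"] = seal(self.km.fetch(self.kek_name), serialized)

    def crash(self):
        self.key_db = None               # volatile contents are lost

    def read(self, name):
        if self.key_db is None:          # after a crash only the KeyManager can reopen the key database
            kek = self.km.fetch(self.kek_name)
            raw = json.loads(unseal(kek, self.disk["__keydb__"]))
            self.key_db = {n: bytes.fromhex(h) for n, h in raw.items()}
        return unseal(self.key_db[name], self.disk[name])


def publish_shared(data, client_keys):
    """Entry 18 pattern: encrypt data under a fresh K and wrap K once per authorized
    client into an access-control list stored beside the ciphertext. The server that
    holds the record never sees K or the data. Symmetric per-client keys are assumed."""
    k = os.urandom(32)
    return {"data": seal(k, data), "acl": {cid: seal(ck, k) for cid, ck in client_keys.items()}}


def read_shared(record, client_id, client_key):
    k = unseal(client_key, record["acl"][client_id])   # KeyError if not on the ACL
    return unseal(k, record["data"])


if __name__ == "__main__":
    km, disk = KeyManager(), {}
    fm = FileManager(km, "kek-1", disk)
    fm.store("report.txt", b"constructed report body")
    fm.crash()
    print(fm.read("report.txt"))         # recovered with the KeyManager's help
    km.destroy("kek-1")
    fm.crash()
    try:
        fm.read("report.txt")
    except KeyError:
        print("key database key destroyed: file is permanently unreadable")
```

    Destroying the KeyManager's key after a crash leaves every file under that key database unrecoverable, which is the permanent-unreadability property of entry 16; while the file manager is up its volatile copy of the keys still works, so the destruction takes full effect only once that copy is gone. With the ACL record of entry 18, a client missing from the list or holding the wrong key cannot unwrap K, and the server stores only ciphertext and wrapped keys.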

19. Data authentication system employing encrypted integrity blocks

    Publication number: US06996712B1

    Publication date: 2006-02-07

    Application number: US09632557

    Filing date: 2000-08-04

    IPC classification: H04L9/18

    CPC classification: H04L9/3247

    Abstract: A data authentication system that, at the sender, produces for a plurality of data packets a plurality of “integrity checks” by selecting an integrity function from a family or set of integrity functions, selecting a number of bytes from a given packet and manipulating the bytes in accordance with the selected integrity function to produce the integrity check. The system then selects corresponding bytes, or bytes that are offset from the corresponding bytes, from a next packet and produces a next associated integrity check using the same or another selected integrity check function, and so forth. The system encrypts the integrity checks associated with the plurality of data packets using, for example, a shared secret key, and produces an integrity block. The system then sends the encrypted integrity block and the data packets to the intended recipients. A recipient decrypts the integrity block using the shared secret key and reproduces the integrity checks. It then uses the integrity checks to authenticate the associated data packets by manipulating selected data bytes in accordance with the selected integrity check functions. The recipient thus authenticates a plurality of data packets by performing a single decryption operation and a plurality of relatively fast integrity check operations using a selection of integrity check functions that are unknown to an interloper. The sender may also include in a transmission one or more extraneous, or “chaff,” data packets, which are data packets that intentionally fail the associated integrity checks. The sender may, for example, include in a transmission multiple sets of packets with the same sequence numbers. The recipient readily determines which of the packets with the same sequence numbers are valid using the appropriate integrity check. However, an interloper who cannot decipher the encrypted integrity block cannot as easily determine which of the packets are valid, and thus cannot determine which packets to alter and/or how to alter them without detection by the integrity checks.
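
    Added example, not the patent's own code, of the integrity-block scheme: a small family of 32-bit functions over a byte window, the function and window offset chosen per packet from a shared seed, the resulting checks encrypted as one block, and a chaff packet that reuses a genuine sequence number. The three functions, the seed-based selection, the XOR keystream standing in for the encryption, the key, the seed and the packet contents are constructed for the example.

```python
import hashlib

MASK32 = 0xFFFFFFFF
WINDOW = 8   # bytes folded per packet (assumption)


# Family of integrity functions over a byte window. Which one applies to a packet,
# and where its window starts, is derived from a seed shared with the recipient.
def _f_poly(bs):
    v = 0
    for b in bs:
        v = (v * 31 + b) & MASK32
    return v


def _f_fnv1a(bs):
    v = 0x811C9DC5
    for b in bs:
        v = ((v ^ b) * 0x01000193) & MASK32
    return v


def _f_rotmul(bs):
    v = 0
    for b in bs:
        v = ((((v << 5) | (v >> 27)) & MASK32) ^ b) * 0x9E3779B1 & MASK32
    return v


FAMILY = (_f_poly, _f_fnv1a, _f_rotmul)


def integrity_check(seed, seq, payload):
    """Select a function and a byte offset for this packet, then fold the window."""
    sel = hashlib.sha256(seed + seq.to_bytes(4, "big")).digest()
    fn = FAMILY[sel[0] % len(FAMILY)]
    start = sel[1] % max(1, len(payload) - WINDOW + 1)
    return fn(payload[start:start + WINDOW])


def _keystream(key, length):
    """SHA-256 counter-mode keystream standing in for the block encryption (assumption)."""
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range((length + 31) // 32))
    return out[:length]


def build_integrity_block(key, seed, packets):
    """Sender: one (seq, check) pair per genuine packet, encrypted under the shared key."""
    plain = b"".join(seq.to_bytes(4, "big") + integrity_check(seed, seq, payload).to_bytes(4, "big")
                     for seq, payload in packets)
    return bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))


def verify_packets(key, seed, block, received):
    """Recipient: one decryption, then one cheap check per received packet.
    Returns [(seq, payload, is_valid)]; chaff sharing a seq with a real packet fails."""
    plain = bytes(a ^ b for a, b in zip(block, _keystream(key, len(block))))
    expected = {int.from_bytes(plain[i:i + 4], "big"): int.from_bytes(plain[i + 4:i + 8], "big")
                for i in range(0, len(plain), 8)}
    return [(seq, payload, expected.get(seq) == integrity_check(seed, seq, payload))
            for seq, payload in received]


# Constructed sample traffic: two genuine packets and a chaff packet reusing seq 2.
KEY = b"shared-secret-key-for-the-example"
SEED = b"shared-function-selection-seed"
GENUINE = [(1, b"set policy: allow tcp/22 from 10.0.0.5"),
           (2, b"route add 10.1.0.0/16 via 10.0.0.1")]
CHAFF = (2, b"ROUTE ADD 0.0.0.0/0 VIA 192.0.2.66")


def demo():
    block = build_integrity_block(KEY, SEED, GENUINE)
    on_the_wire = [GENUINE[0], CHAFF, GENUINE[1]]   # chaff interleaved with the real packets
    return verify_packets(KEY, SEED, block, on_the_wire)


if __name__ == "__main__":
    for seq, payload, ok in demo():
        print(seq, "valid" if ok else "rejected", payload)
```

    Two points a deployment would have to address beyond what the abstract describes: the block here is encrypted but not authenticated, so an interloper can flip bits in it without detection (a MAC over the block closes that), and a check over an 8-byte window says nothing about bytes outside the window, so a modification elsewhere in the packet passes unless the attacker cannot tell which bytes are covered; the secret choice of functions and offsets mitigates that but does not remove it.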

20. Automatic selection of unique node identifiers in a distributed routing environment
    Granted patent; status: in force

    Publication number: US06898187B2

    Publication date: 2005-05-24

    Application number: US09726378

    Filing date: 2000-11-30

    IPC classification: H04L12/56 H04J1/16

    Abstract: To ensure uniqueness of a router identifier in routing protocol messages (RPMs), a router determines whether the identifier ID_R in received RPMs is the same as the identifier ID_S in RPMs originated by the router. For RPMs having the same identifier, sequence information such as a sequence number is compared with the sequence information in the RPM most recently originated by the router; the comparison indicates whether the received RPM appears to have been originated more recently. The rate at which such RPMs are received is monitored. If the rate is above a predetermined threshold rate, the router infers that another router is using the same identifier and selects a different identifier for subsequent use. The sequence information preferably includes a checksum calculated over the contents of the message, including a random number, to ensure proper flooding of each message to other routers that may be using a duplicate identifier.

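
    Added example, not the patent's own code, of the duplicate-identifier detection: a Router that ignores RPMs carrying other identifiers, recognizes flooded copies of its own RPMs by their (sequence number, checksum) pair, counts RPMs that carry its identifier but look newer than anything it originated, and picks a fresh identifier once more than a set number arrive within a time window. The message layout, the SHA-256-based checksum over the message including a random nonce, the count-per-window form of the rate threshold, and resetting the sequence number after an identifier change are assumptions for this example.

```python
import hashlib
import os


def message_checksum(router_id, seq, nonce, payload):
    """Checksum over the whole message including a random nonce, so two routers that
    originate the same (id, seq, payload) still emit distinct messages that both get
    flooded. SHA-256 truncated to 32 bits stands in for the protocol checksum (assumption)."""
    h = hashlib.sha256(router_id.to_bytes(4, "big") + seq.to_bytes(4, "big") + nonce + payload).digest()
    return int.from_bytes(h[:4], "big")


class Router:
    """Detects another router using our identifier by watching for routing protocol
    messages (RPMs) that carry our ID but look newer than anything we sent."""

    def __init__(self, router_id, max_suspect, window_seconds):
        self.router_id = router_id
        self.seq = 0
        self.last_originated = None      # (seq, checksum) of our most recent RPM
        self.suspect_times = []          # arrival times of RPMs that look like a duplicate ID
        self.max_suspect = max_suspect   # more than this many within the window => duplicate
        self.window = window_seconds
        self.id_history = [router_id]

    def originate(self, payload):
        self.seq += 1
        nonce = os.urandom(8)
        msg = {"id": self.router_id, "seq": self.seq, "nonce": nonce, "payload": payload}
        msg["checksum"] = message_checksum(self.router_id, self.seq, nonce, payload)
        self.last_originated = (self.seq, msg["checksum"])
        return msg

    def receive(self, msg, now):
        """Process a received RPM at time `now`; returns True if the ID was changed."""
        if msg["id"] != self.router_id:
            return False                                  # ID_R != ID_S: someone else's RPM
        if self.last_originated is None:
            newer = True                                  # we never sent anything under this ID
        else:
            seq, checksum = self.last_originated
            newer = msg["seq"] > seq or (msg["seq"] == seq and msg["checksum"] != checksum)
        if not newer:
            return False                                  # a flooded copy of our own (or an older) RPM
        self.suspect_times = [t for t in self.suspect_times if now - t <= self.window] + [now]
        if len(self.suspect_times) <= self.max_suspect:
            return False                                  # rate still within the threshold
        self.router_id = self._fresh_id()                 # another router is using our ID
        self.id_history.append(self.router_id)
        self.suspect_times, self.last_originated, self.seq = [], None, 0
        return True

    def _fresh_id(self):
        while True:
            candidate = int.from_bytes(os.urandom(4), "big")
            if candidate != 0 and candidate not in self.id_history:
                return candidate


if __name__ == "__main__":
    r = Router(7, max_suspect=2, window_seconds=10.0)
    print("own RPM flooded back, changed:", r.receive(r.originate(b"lsa"), now=0.0))
    for t in (1.0, 2.0, 3.0):      # three foreign RPMs with our ID inside one window
        changed = r.receive({"id": 7, "seq": 100 + int(t), "nonce": b"\0" * 8,
                             "payload": b"x", "checksum": int(t)}, now=t)
        print("t=%.0f changed=%s id=%d" % (t, changed, r.router_id))
```

    The (seq, checksum) comparison is what keeps the router's own traffic from counting against it: every copy of its RPM that the flooding brings back matches the pair it recorded when originating, while a second router's RPMs carry sequence numbers or checksums it never produced. The window keeps a single stale duplicate, such as one old RPM replayed long after an identifier change, from triggering another change.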