摘要:
Methods and apparatus for verifying--in a network comprised of LANs and bridges connected to LANs, in which the bridges associate the LANs with LAN numbers--that bridges connected to a given LAN have been configured with the same LAN number for that LAN. A first bridge encodes the LAN number configured for the given LAN into a LAN number verification message and transmits the message to a second bridge connected to the LAN. The second bridge then compares the LAN number encoded in the received LAN number verification message to the LAN number configured for the LAN at the second bridge. A bridge which performs this method includes storage for associating the LANs connected to the bridge with LAN numbers, an encoder for encoding the LAN number for a given LAN into a LAN number verification message, and a transmitter for transmitting the LAN number verification message onto the given LAN.
摘要:
To avoid exponential proliferation of explorer packets through a LAN/Bridge network, each bridge gathers information sufficient to compute routes through the network by sharing routing messages with other bridges. Then, to find a route from a particular source end system to a particular destination end system, a broadcast message identifying the desired source and destination is sent to the bridges. In response, the bridges compute the optimal route to each attached LAN, convert the broadcast message into one or more counterfeit explorer messages by incorporating these routes, and then transmit the counterfeit explorer messages to the LANs for which the incorporated route was computed. The destination end system then receives one or more of the counterfeit explorer messages and responds to the source end system as if the counterfeit explorer message was genuine.
摘要:
A technique for issuing and revoking user certificates of authenticity in a public key cryptography system, wherein certificates do not need expiration dates, and the inconvenience and overhead associated with routine certificate renewals are minimized or avoided entirely. A Certification Authority issues certificates as required, and issues a blacklist having a start date, an expiration date, and an entry for every invalid certificate issued after the start date. Users assume that every certificate issued prior to the blacklist start date is invalid, and that invalid certificates issued after the start date will be included in the current blacklist. A new blacklist is issued prior to expiration of the current one, and the blacklist start date is changed only when the blacklist becomes unmanageably long.
摘要:
A technique for distributing updated distance vectors used in routers, which are connected by point-to-point links having datagram service. Distance vectors are used by routers to route messages over the most desirable paths, but must be continually modified as a result of update messages passed between routers, to reflect changes in network topology. Datagram service does not normally ensure that such update messages will reach other routers, but the technique of the invention uses unique sequence numbers on all information packets containing distance vector update messages, and achieves efficient and timely distribution of updated distance vector information with only a modest storage requirements. Unlike reliable service, which requires each message to be delivered exactly once and in the order sent, the invention allows subsequent update messages to be delivered to the same neighboring router even if previous messages have not yet been received and processed. The invention also provides for retransmission of unacknowledged distance vector information, but without the burden of having to store all transmitted packets until they are acknowledged.
摘要:
A method and apparatus for creating and managing databases in routers of a routing network. The databases store link state packets, each packet being originated by nodes in the network, and transmitted to other nodes through the network. Each packet contains data identifying its originating node, a sequence number in a linear space indicating its place in the sequence of packets generated by its originating node, and an age value indicating the time remaining before it expires. The contents of the databases are updated by newly received packets. In addition, the nodes themselves are reset if the packets currently in the network have later sequence numbers than new packets. Also, a mechanism is provided to purge the databases of packets from a given router by issuing a purging packet.
摘要:
One embodiment of the present invention provides a system for accessing an encrypted file through a file system. During operation, the system receives a request to access the encrypted file. In response to the request, the system sends an encrypted file key for the encrypted file from the file system to a tamper-resistant module. Next, the tamper-resistant module uses a master secret to decrypt the encrypted file key to restore the file key, wherein the master secret is obtained from an external source by the tamper-resistant module. The system then uses the file key to access the encrypted file.
摘要:
One embodiment of the present invention provides a system for accessing an encrypted file through a file system. During operation, the system receives a request to access the encrypted file. In response to the request, the system sends an encrypted file key for the encrypted file from the file system to a tamper-resistant module. Next, the tamper-resistant module uses a master secret to decrypt the encrypted file key to restore the file key, wherein the master secret is obtained from an external source by the tamper-resistant module. The system then uses the file key to access the encrypted file.
摘要:
A system and method for adding routing information for a node to a routing table, which efficiently makes necessary changes to the routing table to support routing to and from the node, while maintaining the deadlock-free quality of the paths described by the routing table. The routing table is generated by storing routing information in the routing table that reflects and describes a deadlock-free set of paths through a network of nodes. A row of entries is added to the routing table describing how to forward data units from the node. A column of entries is added to the routing table describing how to forward data units addressed to the node. The forwarding information within each entry added to the routing table maintains the deadlock-free quality of the set of paths represented by the forwarding table.
摘要:
A distributed system and method generate “layered routes” that reflect a layered representation of a network, which representation provides deadlock-free routes. The layered representation consists of an ordered set of layers, where each layer is a deadlock-free sub-topology of the network. In determining routes, the links used in each route are constrained to be taken from layers of non-decreasing order as the route extends from source to destination. A device that determines a better or equal cost path to a destination node with respect to its current path to that node sends a route information message to its neighbor devices. The receiver of a route information message may then accept the message and begin using the new path described by the message, or reject the message without using the new path.
摘要:
A method and system for evaluating a set of credentials that includes at least one group credential and that may include one or more additional credentials. A trust rating is provided in association with the at least one group credential within the set of credentials and trust ratings may also be provided in other credentials within the set of credentials. Each trust rating provides an indication of the level of confidence in the information being certified in the respective credential. In response to a request for access to a resource or service, an evaluation of the group credentials is performed by an access control program to determine whether access to the requested resource or service should be provided. In one embodiment, within any given certification path a composite trust rating for the respective path is determined. An overall trust rating for the set of credentials is determined based upon the composite trust ratings. Upon a determination that a user requesting access to a resource has an acceptable set of credentials and a satisfactory trust rating, access to the requested resource or service is granted to the user.