Abstract:
A technique for managing the streaming of digital video content involves providing a unicast stream to a client in response to the playout status of the unicast stream at the client. In particular, a unicast stream is provided to a client based on whether or not the unicast stream is intended for real-time playout at the client. In order to preserve valuable network resources, if the client does not intend the unicast stream for real-time playout, the unicast stream is not provided to the client. Network resources can also be conserved by utilizing one session between a stream server and a client to support more than one active unicast stream between the stream server and the client in the case where at least one of the active unicast streams is not intended for real-time playout at the client.
Abstract:
A technique for managing session setup for video on demand sessions involves caching information related to session setup for a session manager and then utilizing the cached information to setup a video on demand session for a client in response to a session setup request that is received from the client. Because information related to session setup is cached for the session manager, the session manager can utilize the information to establish a session without having to exchange messages with other video on demand elements, in particular other servers in the video on demand network. Reducing or eliminating the number of messages exchanged between video on demand elements enables video on demand sessions to be quickly and efficiently setup.
Abstract:
A method for improving network security in a network that includes a star-configured interconnection device, such as a repeater, a bridge or a switch, having a plurality of ports adapted for connection to respective MAC layer devices, includes storing authentication data in the star-configured interconnection device that maps MAC addresses of end stations in the network to particular ports on the device. Upon receiving a packet on a particular port, the process involves determining whether the packet carries a source address which the authentication data maps to that port. If the packet carries a source address which the authentication data maps to the port, then the packet is accepted. If the packet does not carry a source MAC address which the authentication data maps to the port, then an authentication protocol is executed on the port to determine whether the MAC address originates from an authorized sender according to the authentication protocol.
Abstract:
A security feature is added to the Wake On LAN packet protocol, and an extensible mechanism is provided allowing for other commands and options to be specified within the Wake On LAN packet. The protocol allows for signaling power management circuits in a host computer in response to messages received through a network interface. Logic coupled to the network interface detects a received network packet carrying a message from a source to the management circuits in the host computer. The logic includes security logic that is responsive to data in the packet to authenticate the source of the message, to accept the message and generate a signal to the management circuit in the host computer when the message passes authentication, and to discard the message when the message fails authentication. The message includes a message authentication code timestamp indicating a time at which the source produced the message and/or a random value token. The security logic includes resources to verify the message authentication code and to prevent re-use of the message.
Abstract:
Active networking techniques enable intermediate systems to determine whether data in a packet which is traversing the system is compressed, encrypted or otherwise dynamically processed. Based on this determination, the dynamic processing resources at the intermediate system are invoked or not. Thus, dynamic processing resources can be conserved. Active networking data is placed in packets flowing between end systems. The end system sending these packets may not know whether there are intermediate systems between it and the other end system that require knowledge about compressed data in the packet. It places the active networking data in packets so that any intermediate systems that can use knowledge of which packets contain compressed data may use the active networking data to make the determination.
Abstract:
A method and system for distributed network address translation with security features. The method and system allow the Internet Protocol security protocol (“IPsec”) to be used with distributed network address translation. The distributed network address translation is accomplished with IPsec by mapping a local Internet Protocol (“IP”) address of a given local network device and an IPsec Security Parameter Index (“SPI”) associated with an inbound IPsec Security Association (“SA”) that terminates at the local network device. A router allocates locally unique security values that are used as the IPsec SPIs. A router used for distributed network address translation is used as a local certificate authority that may vouch for identities of local network devices, allowing local network devices to bind a public key to a security name space that combines a global IP address for the router with a set of locally unique port numbers used for distributed network address translation. The router issues security certificates and may itself be authenticated by a higher certificate authority. Using a security certificate, a local network device may initiate and be a termination point of an IPsec security association to virtually any other network device on an IP network such as the Internet or an intranet. The method and system may also allow distributed network address translation with security features to be used with Mobile IP or other protocols in the Internet Protocol suite.
Abstract:
A system for providing policy management in a network that includes nodes operating in multiple protocol layers and having enforcement functions. Multiple network devices, such as routers, remote access equipment, switches, repeaters and network cards, and end system processes having security functions are configured to contribute to implementation of policy enforcement in the network. By distributing policy enforcement functionality to a variety of network devices and end systems, a pervasive policy management system is implemented. The policy management system includes a policy implementation component that accepts policy, i.e. instructions or rules, that define how the network device should behave when confronted with a particular situation. The management system further includes a management station interface operating pursuant to a first process capable of providing an object to the network, the object including variables and one of a method or instructions to locate a method, executable on the network to set up a second process to enforce a portion of the policy.
Abstract:
Embodiments of the present invention provide an improved method and system for securely controlling access to resources in a distributed computer system. One embodiment of the present invention stores and binds a group identification to a target object and then uses membership checking to determine whether a client object which requests access to the target object is a member of a group with access rights to the target object. In this way, the present invention avoids performing costly cryptographic operations in order to verify the access rights of requesting objects, as was common in some prior art systems. A second embodiment of the present invention stores and binds a group identification to a target object reference and then passes the target object reference to client objects in the system. Since the target object reference includes a group identification entry, a first client object is able to determine which other clients in the system are members of the identified group. This determination allows the first client object to pass the target object reference to the other members of the group without first communicating with the server for the target object. In this way, the present invention avoids the transaction costs of communicating with the server for the target object.
Abstract:
A method and system for using a key lease in a secondary authentication protocol after a primary authentication protocol has been performed is described. In one embodiment, the primary authentication protocol comprises a strong, secure, computationally complex authentication protocol. The secondary authentication protocol comprises a less complex (compared to the primary authentication protocol) and less secure (compared to the primary authentication protocol) authentication protocol which can be performed in a length of time that is shorter than the length of time required to perform the primary authentication protocol. In an embodiment, the key lease includes context information. Moreover, a new session encryption key is computed each time a quick re-authentication is performed by executing the secondary authentication protocol using the key lease, where the session encryption key is used for encrypting communication traffic, providing a solution to the potential communication traffic replay threat.