Patent application number | Description | Published |
--- | --- | --- |
20090006844 | VERIFYING CRYPTOGRAPHIC IDENTITY DURING MEDIA SESSION INITIALIZATION - An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media. | 01-01-2009 |
20090022149 | Using PSTN Reachability to Verify VoIP Call Routing Information - A system for verifying VoIP call routing information. In particular implementations, a method includes verifying one or more Voice-over-Internet-Protocol (VoIP) call agents for respective destination telephone numbers based on demonstrated knowledge of previous public switched telephone network (PSTN) calls to the respective destination telephone numbers; receiving a call initiation message identifying a destination telephone number; and conditionally initiating a call over a VoIP network to a target VoIP call agent, or over a circuit switched network, based on whether the target VoIP call agent has been verified for the destination telephone number identified in the call initiation message. | 01-22-2009 |
20090022155 | Using PSTN Reachability to Verify Caller ID Information in Received VoIP Calls - A system for verifying caller ID information in received VoIP calls. In particular implementations, a method includes receiving a caller identification (ID) identifying a calling party telephone number in a call initiation message transmitted from a VoIP call agent; determining the identity of the VoIP call agent; verifying that a public switched telephone network (PSTN) call to the calling party telephone number would arrive at a VoIP call agent having the determined identity; and applying, responsive to the call initiation message, one or more rules based at least in part on the verifying step. | 01-22-2009 |
20090094666 | DISTRIBUTING POLICIES TO PROTECT AGAINST VOICE SPAM AND DENIAL-OF-SERVICE - In one embodiment, a network device generates a protection policy responsive to identifying undesired voice data traffic. The network device then distributes the generated protection policy along a call path used for transferring the undesired voice data traffic. The proxy may distribute the protection policy by inserting the protection policy in a call response or other message that traces the call path back to a calling endpoint. | 04-09-2009 |
20100071050 | OPTIMIZING STATE SHARING BETWEEN FIREWALLS ON MULTI-HOMED NETWORKS - In one embodiment, a security device monitors for outgoing re-transmission messages indicating that an endpoint located in a multi-homed network transmitted an unanswered initial connection request. Responsive to identifying one of the outgoing re-transmission messages, the security device identifies destination address information included in the identified re-transmission message. The security device then causes another security device associated with a different link of the same multi-homed network to update its internal state table according to the identified destination address information. As a result, a response to the outgoing re-transmission can be forwarded to the multi-homed network regardless of which security device receives the response. | 03-18-2010 |
20100172359 | INTELLIGENT ALG FUNCTIONALITY IN NETWORKS SUPPORTING ENDPOINTS PERFORMING NETWORK ADDRESS TRANSLATION - In one embodiment, a signaling message is received from an endpoint. It is determined from the signaling message whether, prior to sending the signaling message, the endpoint performed network address translation on the body of the signaling message. If it is determined from the signaling message that, prior to sending the signaling message, the endpoint did not perform network address translation on the body of the signaling message, application layer gateway functionality is applied to the body of the signaling message such that a modified signaling message is generated. | 07-08-2010 |
20100183151 | USING AUTHENTICATION TOKENS TO AUTHORIZE A FIREWALL TO OPEN A PINHOLE - Techniques are described for the use of a cryptographic token to authorize a firewall to open a pinhole which permits certain network traffic to traverse firewalls. An initiating endpoint requests a token from a call controller, which authorizes a pinhole through the firewall. In response, the call controller may generate a cryptographic authorization token (CAT) sent towards the destination endpoint. The call controller may generate the token based on an authorization ID associated with the call controller, a shared secret known to both the call controller and the firewall, and data specific to the media flow for which authorization is requested. | 07-22-2010 |
20100191863 | Protected Device Initiated Pinhole Creation to Allow Access to the Protected Device in Response to a Domain Name System (DNS) Query - Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with a protected device initiating a pinhole through a network address translator and/or firewall to allow access to the protected device in response to a Domain Name System (DNS) query. In response to a received DNS query from a domain name system (DNS) server, an apparatus requests a traffic pinhole be created in a firewall or network address translator for allowing traffic initiated from a device, on another side of the firewall or said network address translator from the apparatus, to reach the apparatus. | 07-29-2010 |
20100318784 | CLIENT IDENTIFICATION FOR TRANSPORTATION LAYER SECURITY SESSIONS - Systems, methods, and other embodiments associated with client identification for transportation layer security sessions are described. One example method includes monitoring a first transportation layer security (TLS) communication between a server and a client. The example method may also include interrupting the first TLS communication and causing the first TLS communication to be interrupted. The example method may also include initiating a second TLS communication with a client side device. The second TLS communication may request a certificate from the client side device. The certificate may include secure information that identifies the client. The example method may also include receiving the certificate from the client side device. The example method may also include authenticating the client, the client side device, and so on, based, at least in part, on the certificate. | 12-16-2010 |
20110032940 | TRIGGERING BANDWIDTH RESERVATION AND PRIORITY REMARKING - In one embodiment, a reservation proxy monitors for received connectivity check messages or beginning-of-media-flow indication messages. When either type of message is observed, the reservation proxy requests resource allocation for a media flow associated with the received message. The amount of resource allocation requested may be coordinated by exchanging messages with a call controller or policy server for one of the endpoints of the media flow, or the amount of resource allocation may be identified within the received message. | 02-10-2011 |
20120110152 | REAL TIME PROTOCOL PACKET TUNNELING - In one embodiment a method and apparatus are provided that automatically establish a real time protocol (RTP) tunnel between an originator node or router and a terminator node or router, wherein the terminator node is close to a remote RTP peer. A method includes detecting a new flow of RTP packets wherein the RTP packets are encoded with a destination Internet Protocol (IP) address. Responsive to detecting the new flow, a probe is sent towards a same IP address as the destination IP address of the RTP packets. A response to the probe is received, the response including an identifier of a node that generated the response. Then, using the identifier, a tunnel is established with the node that generated the response, and thereafter compressed packets (compressed headers, compressed payloads, or both) are passed via the tunnel. | 05-03-2012 |
20120219153 | Intercepting a Communication Session in a Telecommunication Network - Intercepting a secure communication session includes distributing a key from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint. A secure channel is established between the key distribution point and an intercepting point. The intercepting endpoint may be determined to be authorized to intercept the secure communication session. The key is provided to the intercepting endpoint only if the intercepting endpoint is authorized to intercept the secure communication session, where the key provides the intercepting endpoint with access to intercept the secure communication session. | 08-30-2012 |
20120243530 | USING PSTN REACHABILITY TO VERIFY VOIP CALL ROUTING INFORMATION - A system for verifying VoIP call routing information. In particular implementations, a method includes verifying one or more Voice-over-Internet-Protocol (VoIP) call agents for respective destination telephone numbers based on demonstrated knowledge of previous public switched telephone network (PSTN) calls to the respective destination telephone numbers; receiving a call initiation message identifying a destination telephone number; and conditionally initiating a call over a VoIP network to a target VoIP call agent, or over a circuit switched network, based on whether the target VoIP call agent has been verified for the destination telephone number identified in the call initiation message. | 09-27-2012 |
20120246467 | Verifying Cryptographic Identity During Media Session Initialization - An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media. | 09-27-2012 |
20120327954 | Packet Meta-Tagging Using Excess Payload - Packet meta-tagging using excess payload is described. In an implementation, a total packet length value specified in a packet received at a network element is adjusted while preserving a data length value associated with a data portion of the packet to generate additional space in the packet to accommodate packet transmission meta-data. Packet-transmission meta-data can be inserted into the additional space created in the packet by the network element. In some implementations, the meta-data describes packet transmission characteristics of the packet. For example, the meta-data can be a timestamp corresponding to the time at which the packet was received by the network element. The meta-data can be an identifier corresponding to the network element that received the packet. | 12-27-2012 |
20130145044 | Discovering Security Devices Located on a Call Path and Extending Bindings at those Discovered Security Devices - In one embodiment, an endpoint elicits a pattern of STUN responses to identify security devices located on a call path. The endpoint then uses address information from the identified security devices to establish an efficient media flow with a remote endpoint. The endpoint can optimize the number of network devices and network paths that process the endpoint's keepalive message. Additionally, the endpoint may request custom inactivity timeouts with each of the identified security devices for reducing bandwidth consumed by keepalive traffic. | 06-06-2013 |
20130201991 | Triggering Bandwidth Reservation and Priority Remarking - In one embodiment, a reservation proxy monitors for received connectivity check messages or beginning-of-media-flow indication messages. When either type of message is observed, the reservation proxy requests resource allocation for a media flow associated with the received message. The amount of resource allocation requested may be coordinated by exchanging messages with a call controller or policy server for one of the endpoints of the media flow, or the amount of resource allocation may be identified within the received message. | 08-08-2013 |
20130238769 | DYNAMIC LEARNING BY A SERVER IN A NETWORK ENVIRONMENT - In one embodiment, receiving a neighbor solicitation message from a stateless address configuration host; processing the neighbor solicitation message to obtain a device identifier and an internet protocol version six (IPv6) address; storing a mapping between the device identifier and the IPv6 address in a database associated with the network device; and sending the mapping in a new message to a server. In more particular embodiments, the method can include evaluating the database in order to determine whether a particular IPv6 address is a duplicate; and marking an entry associated with the particular IPv6 address in the database for deletion. | 09-12-2013 |
20130329750 | DYNAMIC DISCOVERY OF IPV6 TRANSITION PARAMETERS BY BORDER/RELAY ROUTERS - In one embodiment, an edge router of a local computer network snoops client-server protocol configuration information of a customer-premises equipment (CPE) device. From the snooping, the edge router may identify an Internet Protocol version 6 (IPv6) transition option in place at the CPE device along with associated configuration parameters for the IPv6 transition option. As such, the edge router may then advertise the IPv6 transition option along with associated configuration parameters to one or more border/relay routers of the local computer network to cause the one or more border/relay routers to provision themselves with the IPv6 transition option and associated configuration parameters. | 12-12-2013 |
20140006639 | Rich Media Status and Feedback for Devices and Infrastructure Components Using in Path Signaling | 01-02-2014 |
20140237539 | Identity Propagation - In one implementation, identity based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according to the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet, thus allowing identity propagation for other applications and protocols. | 08-21-2014 |
20150029852 | MAXIMIZING BOTTLENECK LINK UTILIZATION UNDER CONSTRAINT OF MINIMIZING QUEUING DELAY FOR TARGETED DELAY-SENSITIVE TRAFFIC - In one embodiment, a system and method include determining bandwidth of a link that connects a local modem to a remote router. A first percentage of the bandwidth is assigned to a first class of data and a second percentage of bandwidth is assigned to a second class of data. The remaining percentage of the bandwidth is assigned for nominal excess capacity. The flow of first class of data and second class of data are controlled to below respective percentages of the bandwidth. | 01-29-2015 |