Kevin Shatzkamer

Boston, Massachusetts, United States
6K followers 500+ connections

About

Mr. Shatzkamer is currently working as a Managing Director in Google Cloud’s…

Experience & Education

  • Google

Publications

  • Building the Mobile Internet

    Cisco Press

    The complete guide to technologies and protocols for delivering seamless mobile Internet experiences

    In Building the Mobile Internet, three leading mobility architects and implementers from Cisco present complete foundational knowledge about tomorrow’s mobile Internet. The authors cover everything from market trends and user expectations to the latest technical approaches for making the Internet “mobile by design.”

    Writing for senior technology decision-makers and network design professionals, the authors explain the relatively static nature of the Internet’s original protocols and design, discuss the concept of “mobility,” and identify evolving mobility requirements. Next, they thoroughly explain each of today’s most promising techniques for building mobility into the Internet, from data link layer to application layer. For each layer, the authors cover mechanisms, protocols, relevant Wi-Fi and cellular architectures, and key use cases.

    Using this book’s guidance, mobile network executives can define more effective strategies, network designers can construct more effective architectures, and network engineers can execute more successful migrations.

  • IP Design for Mobile Networks

    Cisco Press

    As the cellular world and the Internet converge, mobile networks are transitioning from circuit to packet and the Internet Protocol (IP) is now recognized as the fundamental building block for all next-generation communication networks. The all-IP vision provides the flexibility to deliver cost-effective services and applications that meet the evolving needs of mobile users. RF engineers, mobile network designers, and system architects will be expected to have an understanding of IP fundamentals and how their role in delivering the end-to-end system is crucial for delivering the all-IP vision that makes the Internet accessible anytime, anywhere.

    IP Design for Mobile Networks discusses proper IP design theory to effectively plan and implement your next-generation mobile network so that IP integrates all aspects of the network. The book outlines, from both a standards and a design theory perspective, both the current and target state of mobile networks, and the technology enablers that will assist the migration. This IP transition begins with function-specific migrations of specific network domains and ends with an end-to-end IP network for radio, transport, and service delivery. The book introduces many concepts to give you exposure to the key technology trends and decision points affecting today’s mobile operators.

  • RELOCATION OF CLOUD RESOURCES BASED ON GEO-LOCATION OF CONNECTED ENDPOINTS

    IP.com

    A geo-location associated with processor resources is used to optimize cloud-based service delivery to fixed and mobile users. Consumers of cloud processing services may use multiple points of attachment to the Internet. Cloud computing, by its nature, has processor resources at different locations and connected to the Internet. Depending on a user population density or processor requirement, it may be optimal to have either some or all of a resource moved to a more optimal geo-location. The integrated management of the network offers the opportunity for network providers to provide more efficient service delivery through this optimization.

Patents

  • Coordinating video delivery with radio frequency conditions

    Issued US 10,972,773

    Systems and methods for modifying streaming data based on radio frequency information are provided. As radio transceivers transition to a shared resource or cloud model and the existing radio transceivers are split into a baseband unit and a remote radio head, radio frequency (RF) information including power levels, encoding, data rates, and bandwidth can be provided to a video optimization server. The RF information can be provided more frequently to allow real-time modifications to streaming video data. Existing protocols are reactionary in nature and perceive changing channel conditions indirectly. By providing RF information from the baseband unit on a low latency channel, modifications to the video stream can be made before an impact would be noticed at the protocol level. Also, policy information can be used to influence the changes made to streaming data in addition to the RF information.

  • Out-of-band signaling and device-based content control

    Issued US 10,038,927

    Systems and methods for performing content control in a mobile network using an out-of-band signaling channel are disclosed. In one embodiment, content control may be performed on a network device by collecting usage data for media consumption and caching from a mobile device via an out-of-band channel; receiving the usage data at an intermediate device via the out-of-band channel; building a predictive user profile based on the usage data; determining a schedule for downloading content from one or more media servers based on at least the predictive user profile; and sending instructions to perform one of time-shifting or pre-positioning to the one or more media servers according to the schedule for downloading content via an out-of-band channel.

  • System and method for distribution of radio channel state and base station congestion state in a network environment

    Issued US 10,015,289

    An example method is provided in one example embodiment and can include obtaining, within a radio access network, a channel state for a data channel associated with a mobile terminal; including the channel state in a differentiated services (diffserv) marking within an Internet Protocol (IP) header of at least one IP packet associated with the mobile terminal; and transmitting the at least one IP packet including the IP header having the diffserv marking toward a packet data network.

  • End-to-end security for virtual private service chains

    Issued US 9,979,704

    A first virtual machine is established in a virtual private service chain to provide a first network service to virtual private service chain traffic. A second virtual machine is also established in the virtual private service chain to provide a second network service to the virtual private service chain traffic. The virtual private service chain traffic is encrypted for transmission within the virtual private service chain from the first virtual machine to the second virtual machine, wherein the encryption uses a key shared by the first and second virtual machines.

  • App store portal providing point-and-click deployment of third-party virtualized network functions

    Issued US 9,973,375

    In one embodiment, a method comprises receiving by an apparatus, via a wide area network, a request for deployment of a selected one of available virtualized network services advertised by the apparatus, the request identifying a host service provider to deploy the one virtualized network service; identifying, by the apparatus, virtualized network functions required by the host service provider for implementation of the one virtualized network service, each virtualized network function having a corresponding and distinct virtualized container specifying attributes for defining execution of the corresponding virtualized network function within one or more physical machines of the host service provider; and sending to the host service provider, by the apparatus, a service container specifying instructions for deploying the one virtualized network service, the service container including instructions for deploying the virtualized network functions as interdependent for implementation of the one virtualized network service by the host service provider.

  • Systems and methods for load balancing in cellular networks and wireless local area networks

    Issued US 9,559,866

    Network operators are striving to find ways to provide stable video services amid a rapid increase in video data traffic. In order to provide stable video services with constrained network resources, network operators attempted to deploy multiple communication networks in parallel. However, network operators failed to effectively balance data traffic across parallel communication networks. This disclosure provides systems and methods for effectively balancing data traffic across parallel communication networks.

  • Method, system, and logic for in-band exchange of meta-information

    Issued US 9,426,176

    In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL; transmitting the at least one regular SSL record.

  • Providing virtual private service chains in a network environment

    Issued US 9,413,655

    A method provided in one embodiment includes receiving a first data packet of a data flow at a first classifier in which the first data packet includes a first identifier. The method further includes determining a second classifier associated with the first identifier in which the second classifier is further associated with at least one service chain of a service chain environment. The method still further includes forwarding the first data packet to the second classifier. The second classifier is configured to receive the first data packet, determine a particular service chain of the at least one service chain to which the first data packet is to be forwarded, and forward the first data packet to the particular service chain.

  • Conveying subscriber information to service chain services using tunnel protocol header encapsulation for mobile network applications in a network environment

    Issued US 9,398,486

    A method provided in one embodiment includes receiving, at a first network element, a first data packet of a data flow, wherein the data flow is associated with a subscriber. The method further includes receiving subscriber information associated with the subscriber, and encapsulating the subscriber information with the first data packet to form an encapsulated data packet. The method still further includes determining a service chain including one or more services to which the encapsulated data packet is to be forwarded, and forwarding the encapsulated data packet to the service chain.

  • Multi-interface adaptive bit rate session management

    Issued US 9,338,212

    Systems and methods are provided that allow an application layer client in a mobile device to manage multiple interfaces in a communication network. The multiple interfaces can include WiFi, cellular, Femto, WiMAX, Bluetooth, infrared, Ethernet, and other types of interfaces for communication in a network. The client on the mobile device can use intelligence and rules to determine how and when request fragments are communicated over the various interfaces available to the client. The intelligence can include parameters such as performance information for a particular interface and subscriber preferences. Based on this information the client can decide to use a combination of the interfaces to obtain multimedia content and render the content for display on the mobile device. By using a combination of interfaces and tracking the advantages and disadvantages of each interface, the client can make intelligent decisions in providing multimedia content to the user.

  • Integrated signaling between mobile data networks and enterprise networks

    Issued US 9,270,709

    A method is provided in one example and includes receiving a request from a first network element associated with a first network for establishing a first communication session between the first network element and a first user device associated with a second network. The request includes a first user identifier used to identify a first user associated with the first user device within the first network. The method further includes translating the first user identifier to a second user identifier in which the second user identifier is used to identify the first user within the second network. The method still further includes sending a first query including the second user identifier to a second network element, and receiving a first response message including quality of service information indicated by a policy associated with the second user identifier.

  • Mobile service routing in a network environment

    Issued US 9,143,438

    A data flow is received from a mobile network relating to a mobile subscriber. Subscriber data is received for the subscriber identifying a service path corresponding to the subscriber and at least one service policy corresponding to the subscriber, the service path including a set of network service nodes in a plurality of network service nodes. Packets of the data flow are routed according to the service path, the packets corresponding to a request for a resource. At least one packet is appended with service header data identifying the service policy. Each service node performs at least one service based on received request data, each service node in the set of service nodes performing a service defined in a service subscription of the subscriber. At least one particular service node in the set of network service nodes performs a particular service based at least in part on the service policy.

  • Load-balanced NSAPI allocation for iWLAN

    Issued US 9,131,401

    In one embodiment, a load balancer receives a message from a tunnel termination gateway (TTG) associated with a mobile device. The load balancer may receive messages from a plurality of TTGs. A gateway node in a plurality of gateway nodes in which to send the message is determined. The load balancer then assigns a NSAPI for use by the gateway node. For example, the NSAPI may be associated with a tunnel that is generated between the TTG and GGSN. The load balancer ensures that the assigned NSAPI is not currently in use at the gateway node. Thus, no overlapping of NSAPIs may occur even though the load balancer is processing messages from multiple TTGs for multiple gateway nodes.

  • Multi-interface mobility

    Issued US 9,113,376

    Techniques for providing access to cloud services via a plurality of different network interfaces of a client device. In accordance with one example, during establishment of a communication session between the cloud computing system and the client device, an interface-independent identifier is provided to the client device via a first of the plurality of different network interfaces. Following determination to establish the communication session via the second network interface, the cloud computing system is configured to maintain a virtual environment associated with the communication session for a period of time. A message is received, via a second of the plurality of different network interfaces, from the client device that includes the interface-independent identifier. In response to the received interface-independent identifier, the communication session is re-established with the client device via the second network interface, thereby enabling access to the virtual environment maintained by the cloud computing system.

  • System and method for policy selection and switching function in a network environment

    Issued US 9,077,661

    A method is provided in one example embodiment and includes receiving a request for a service for a subscriber at an access gateway; receiving a default subscriber policy and a default service policy at the access gateway; receiving a subscriber policy and a service policy for the service being requested at the access gateway; receiving the service being requested at the access gateway; and communicating the service being requested from the access gateway to the subscriber in response to the request.

  • Multi-interface adaptive bit rate session management

    Issued US 9,014,027

    Systems and methods are provided that allow an application layer client in a mobile device to manage multiple interfaces in a communication network. The multiple interfaces can include WiFi, cellular, Femto, WiMAX, Bluetooth, infrared, Ethernet, and other types of interfaces for communication in a network. The client on the mobile device can use intelligence and rules to determine how and when request fragments are communicated over the various interfaces available to the client. The intelligence can include parameters such as performance information for a particular interface and subscriber preferences. Based on this information the client can decide to use a combination of the interfaces to obtain multimedia content and render the content for display on the mobile device. By using a combination of interfaces and tracking the advantages and disadvantages of each interface, the client can make intelligent decisions in providing multimedia content to the user.

  • System and Method for Transporting Digital Baseband Streams in a Network Environment

    Issued US 8,964,641

    A method is provided in one example embodiment that includes receiving a radio signal stream and segmenting the radio signal stream into segments (e.g., blocks of data, pieces of information, bits of data, etc.). The segments may be packetized and transported in packets over a pseudowire in a packet-switched network.

  • System and Method for Subscriber mobility in a Cable Network Environment

    Issued US 8,902,815

    A method is provided in one example embodiment and includes creating (e.g., generating, establishing, provisioning, etc.) a service flow with an endpoint over a wireless link coupled to a backhaul. The service flow can include access to a network, access to a specific service, access to a particular location in the network, etc. The method can further include notifying (e.g., through any appropriate signaling mechanism) a mobility anchor of a location associated with the endpoint; relaying control packets between the endpoint and an access gateway; and relaying bearer packets between the endpoint and the mobility anchor, where the bearer packets are exchanged with the endpoint over a locally terminated bearer tunnel and the bearer packets are exchanged with the mobility anchor using Proxy Mobile Internet Protocol.

    In more specific embodiments, the backhaul provides a DOCSIS link between a cable modem and a cable modem termination system. Additionally, the request can include a quality of service parameter, which is mapped to a DOCSIS quality of service class for the backhaul. In particular implementations, packets can be exchanged between a cable modem termination system and a home agent in a WiMAX network, and a care-of-address is sent in a router advertise message to the endpoint. In addition, the method can include assigning a subscriber policy profile to the endpoint, where the subscriber policy profile includes a quality of service parameter for the wireless link. In certain architectures, the backhaul is a hybrid fiber-coaxial backhaul.

  • System and Method for Synchronizing Quality of Service in a Wireless Network Environment

    Issued US 8,891,373

    A method is provided in one example embodiment and includes receiving a plurality of status signals, for a plurality of radio links, at a microwave device; detecting a bandwidth anomaly based on the status signals; and communicating a quality of service (QoS) control signal, which is based on the bandwidth anomaly, to a gateway coupled to at least one of the radio links. [The gateway could be an access gateway, a serving gateway, a packet data network (PDN) gateway (PGW), an aggregation provider edge (Agg-PE), etc.]

    In more specific implementations, at least one of the radio links is an Ethernet microwave backhaul link. Additionally, link rate information can be communicated to a particular network element that serves as a point of attachment (PoA) to an Internet protocol (IP) network. Separately, the status signals can be received using a Metro Ethernet Forum User Network Interface. Also, the QoS control signal can be sent using an Access Node Control Protocol in specific instances of the present disclosure. In other example scenarios, the access gateway is configured to modify the QoS of user equipment supported by the access gateway based on the QoS control signal.

  • System and Method for Using Feedback to Manage Congestion in a Network Environment

    Issued US 8,824,300

    A method is provided in one example embodiment and includes receiving a first congestion message associated with traffic congestion in a signaling system seven (SS7) network, the first congestion message being associated with a first timer. The method also includes receiving a second congestion message after the first timer has expired and before a second timer has expired. The method further includes communicating a portion of traffic, which was originally intended for a first destination, to a second destination in the network based on receiving the second congestion message. The method can further include recovering and returning to an initial state.

  • System and method for transporting digital radio signal streams in a small cell network environment

    Issued US 8,824,478

    A method is provided in one example embodiment that includes receiving a radio signal stream, segmenting the radio signal stream based on a control word in the radio signal stream, mapping the segmented radio signal stream to a service class, transporting the segmented radio signal stream in packets through channels over a backhaul link, and maintaining the order of the radio signal stream over the backhaul link. In more particular embodiments, the backhaul link may use a DOCSIS link, the radio signal stream can be received using a Common Public Radio Interface, and the radio signal stream may include sub-streams transported through segmented channels over the backhaul link.

  • Enhanced unlicensed mobile access network architecture

    Issued US 8,817,696

    An Unlicensed Mobile Access (UMA) network architecture. In a specific embodiment, the network architecture includes a mobile station and an access point in communication with the mobile station. A UMA Controller (UNC) communicates with the access point. A Service GateWay (SGW) communicates with the UMA controller. The SGW includes functionality to route user-plane packets in the UMA. In a more specific embodiment, the functionality includes UNC user-plane functionality offloaded from the UNC to the SGW; Serving GPRS Support Node (SGSN) user-plane functionality; access-authentication functionality sufficient to enable the SGW to bypass a legacy SGSN control plane; and/or Radio Network Controller (RNC) user-plane functionality sufficient to enable communications between the SGW and the RNC.

  • System and method for modifying media protocol feedback loop based on mobile system information

    Issued US 8,780,909

    Systems and methods for modifying a media protocol based on subscriber and network performance information are disclosed. Media protocols such as adaptive bitrate protocol can adjust bit rates based on conditions perceived at the mobile device and with a goal of obtaining the highest bit rate possible. The media protocols residing on the mobile device do not have access to network performance information that can change rapidly and impact the experience at the mobile device. For example, congestion, radio air link interference, handoffs, and quality of service parameters can all impact the experience a user has when accessing media files from a mobile device. The requests made by a mobile device can be modified to take into account these factors to enhance the user experience.

  • User sensitive filtering of network application layer

    Issued US 8,769,629

    In one embodiment, a method includes receiving authorization data at a local node of a network. The authorization data indicates a particular network address of a different node in the network and an authenticated user ID of a user of the different node. Resource profile data is retrieved based on the user ID. The resource profile data indicates all application layer resources on the network that the user is allowed to access. The particular network address is associated at the local node with the resource profile data for the user. A request from the particular network address for a requested application layer resource on the network is blocked based on the resource profile data associated with the particular network address.

  • Mobile service routing in a network environment

    Issued US 8,743,885

    A data flow is received from a mobile network relating to a mobile subscriber. Subscriber data is received for the subscriber identifying a service path corresponding to the subscriber and at least one service policy corresponding to the subscriber, the service path including a set of network service nodes in a plurality of network service nodes. Packets of the data flow are routed according to the service path, the packets corresponding to a request for a resource. At least one packet is appended with service header data identifying the service policy. Each service node performs at least one service based on received request data, each service node in the set of service nodes performing a service defined in a service subscription of the subscriber. At least one particular service node in the set of network service nodes performs a particular service based at least in part on the service policy.

  • Intelligent real access point name (APN) selection using virtual APNS

    Issued US 8605662

    In one embodiment, a first access request is received from a mobile device. The access request may be received through a first access medium for a virtual access point name (APN). A session is created with a service using a first real access point name (APN) for the mobile device. A second access request is received through a second type of access medium. The request may be received through a second virtual APN. A session is determined that is active for the mobile device through the first access medium and the second access request is assigned the first real APN even though the request is received through a second access medium. The continuity of the connection may then be maintained because the first real APN is still being used. In this case, a handoff of the connection from the first access network to the second access network is performed while the connection to the service is maintained through the first real APN.

  • System and method for ensuring persistent communications between a client and an authentication server

    Issued US 8555350

    A system for facilitating persistent communications between entities in a network. In a specific embodiment, the system is adapted to facilitate fast reauthentication of a client performed by a server, such as an Authentication, Authorization, and Accounting (AAA) server, that is coupled to the client via a load balancer. The system includes a first message to be exchanged between the server and the client, wherein the first message includes a field identifying the server and/or the client. A matching module communicates with or is otherwise incorporated within the load balancer. The matching module includes one or more routines for employing the field to selectively route the first message to the client and/or server. In a more specific embodiment, the server includes a fast reauthentication module adapted to append the field in the message. The field includes sub-realm information identifying the server.

  • Load-balanced NSAPI allocation for iWLAN

    Issued US 8488519

    In one embodiment, a load balancer receives a message from a tunnel termination gateway (TTG) associated with a mobile device. The load balancer may receive messages from a plurality of TTGs. A gateway node in a plurality of gateway nodes in which to send the message is determined. The load balancer then assigns a NSAPI for use by the gateway node. For example, the NSAPI may be associated with a tunnel that is generated between the TTG and GGSN. The load balancer ensures that the assigned NSAPI is not currently in use at the gateway node. Thus, no overlapping of NSAPIs may occur even though the load balancer is processing messages from multiple TTGs for multiple gateway nodes.

  • Facilitating packet flow in a communication network implementing load balancing and security operations

    Issued US 8427956

    Facilitating packet flow in a communication network includes receiving at a defender a request packet sent from a node. The request packet is communicated to a load balancer operable to communicate the request packet to a network element server selected from a plurality of network element servers. The request packet has a destination address associated with the load balancer. A response packet is received from the network element server. The response packet has a tunnel endpoint address. Whether the tunnel endpoint address corresponds to an approved network element server is determined. The response packet is communicated to the node if the tunnel endpoint address corresponds to an approved network element server.

  • System and method for implementing fast reauthentication

    Issued US 8356171

    A system for efficiently reauthenticating a client of a network. In a specific embodiment, the system includes an authentication server and a Security GateWay (SGW) in communication with the client. The SGW includes reauthentication information associated with the client. In a more specific embodiment, the authentication server includes an Authentication, Authorization, and Accounting (AAA) server. The SGW further includes one or more routines for employing the reauthentication information to reauthenticate the client. The AAA server performs initial authentication of the client to enable client access to the network, which yields the reauthentication information. The reauthentication information includes one or more keys and/or counters, such as an authorization key, an encryption key, and a master key, which is/are predetermined by the AAA server.

  • System and method employing strategic communications between a network controller and a security gateway

    Issued US 8,315,246

    A system for enhancing functionality of a network. In a specific embodiment, the system employs strategic communications between a network controller and a security gateway. The strategic communications occur via a feedback communications channel between the network controller and the security gateway. The feedback communications channel facilitates transferring security information, such as International Mobile Subscriber Identity (IMSI) and other information, between the network controller and the security gateway. The security information may facilitate enabling the SGW to make intelligent decisions as to how to treat a client communications session. In the specific embodiment, the feedback communications channel includes an intervening Authentication, Authorization, and Accounting (AAA) server that is coupled between the UMA and the network controller.

  • System and method for providing security in a network environment using accounting information

    Issued US 8,312,530

    According to one embodiment of the present invention, there is provided a method for providing security in a network environment that includes receiving a flow that propagates through an access gateway. The flow is initiated by an end user associated with the flow and propagates through a network. The method also includes receiving accounting information indicative of the termination of the flow. In response, tearing down of the communication associated with the flow is initiated.

  • User sensitive filtering of network application layer resources

    Issued US 8,205,246

    In one embodiment, a method includes receiving authorization data at a local node of a network. The authorization data indicates a particular network address of a different node in the network and an authenticated user ID of a user of the different node. Resource profile data is retrieved based on the user ID. The resource profile data indicates all application layer resources on the network that the user is allowed to access. The particular network address is associated at the local node with the resource profile data for the user. A request from the particular network address for a requested application layer resource on the network is blocked based on the resource profile data associated with the particular network address.

  • Blacklisting of unlicensed mobile access (UMA) users via AAA

    Issued US 8,064,882

    In one embodiment, while being connected to the network, a security issue may be detected and associated with the device. The device may be placed on a blacklist for the security issue. The blacklist is a list that is used to deny service for the device when it attempts to connect. Thus, the device is disconnected from the network. Identification information for the device is added to the blacklist at the authentication server. If the device attempts to reconnect to the network, the request is received at the authentication server. The authentication server can then check the blacklist and deny the request for access to the network if the identification information is on the blacklist. This denial is determined without sending the request to the HLR. Accordingly, the HLR is protected in that requests from a device that may be considered a security issue are not sent to the HLR.

  • P-GANC offload of URR discovery messages to a security gateway

    Issued US 8,018,948

    In one embodiment, a security gateway receives an IPSec Initiation (IPSec INIT) request from a client. The security gateway may communicate with a AAA server to authenticate the client. After authentication, the security gateway intercepts a URR Discovery request from the client. The security gateway determines registration information for a response to the registration request. The registration information may be information on where the client can locate a D-GANC. A response is generated using the determined information and sent to the client. The response to the discovery request is performed without communicating with a P-GANC. Accordingly, a security gateway is used to authenticate the client and also to respond to the discovery request. This does not require that a P-GANC function be deployed in a network. Thus, cost and processing power may be saved.

  • UMA/GAN integration within a legacy location based system

    Issued US 7,941,140

    In one embodiment, techniques for authorizing a mobile device are provided. A registration request is received for the mobile device. The registration request may include location identifier information. For example, a cell ID may be provided. Static location information is then determined based on the location identifier information. The static location information may be spatial coordinates. The registration request is then authorized based on the static location information. For example, a cell ID may be received and then spatial coordinates may be determined based on the cell ID. The registration request is then authorized based on the spatial coordinates. A response to the registration request is then sent.

  • Correlation of billing information by a network element

    Issued US 7,831,489

    In one embodiment, a method for providing correlation of billing entries for a mobile communications network is provided. A correlating network element in a bearer path determines a plurality of billing entries for a flow. One or more of the billing entries may be received from other network elements and includes traffic altering information for a flow. The correlating network element correlates the plurality of billing entries using state information included in the billing entries. The state information is used to determine information in billing entries that may be related, such as billing entries for a single flow. Also, the correlating network element uses the traffic altering information to determine a data volume sent for the flow. A correlated billing entry may then be generated using the data volume for the flow. The correlated billing entry is then sent to a billing system from the correlating network element. Billing entries are not sent from other network elements that may be generating billing entries in a link to the billing system.

  • Techniques for load balancing subscriber-aware application proxies

    Issued US 7,738,452

    Techniques for distributing network traffic from an access server to a service gateway include receiving, at a load balancer, sticky table data that indicates an association between a particular subscriber IP address and a particular subscriber-aware service gateway in a gateway cluster. An input data packet is received with an input source address and an input transport-layer destination. If it is determined that the input transport-layer destination indicates a type of payload that uses a service gateway, then the particular service gateway associated with the particular subscriber is determined based on the sticky table and IP address in the input source address. An output data packet is directed to the particular service gateway using a link-layer or networking-layer destination address. These techniques allow a load balancer to be located anywhere on the network and to bypass a subscriber-aware service gateway for some data traffic.

  • Techniques for load balancing over a cluster of subscriber-aware application server

    Issued US 7,694,011

    Techniques for distributing control plane traffic, from an end node in a packet switched network to a cluster of service gateway nodes that host subscriber-aware application servers, include receiving a control plane message for supporting data plane traffic from a particular subscriber. A particular service gateway node is determined among the cluster of service gateway nodes based on policy-based routing (PBR) for the data plane traffic from the particular subscriber. A message based on the control plane message is sent to a control plane process on the particular service gateway node. Thereby, data plane traffic and control plane traffic from the same subscriber are directed to the same gateway node, or otherwise related gateway nodes, of the cluster of service gateway nodes. This approach allows currently-available, hardware-accelerated PBR to be used with clusters of subscriber-aware service gateways that must also monitor control plane traffic from the same subscriber.

  • System and method for server farm resource allocation

    Issued US 7,640,023

    Techniques and systems for server farm load balancing and resource allocation are disclosed. In one embodiment, a method of load balancing can include: arranging servers into service groups; receiving an access request with information related to a differentiation between the service groups; selecting one of the service groups based on a mapping comparison to the information; and selecting one of the servers within the selected service group based on a hardware utilization comparison. The servers can include GPRS (General Packet Radio Service) Gateway Support Node (GGSN) or Remote Authentication Dial In User Service (RADIUS) servers, for example. The information can include an Access Point Name (APN) or Calling Station ID, for example.


Languages

  • English
