
180 Park Ave - Building 103
Florham Park, NJ
Method For Detecting Hosts Behind Network Address Translators,
Tue Oct 11 16:02:16 EDT 2011
The present invention is a method and apparatus for counting the number of active hosts behind network address translation boxes. The technique is based on the observation that on many operating systems, the IP header's ID field is a simple counter. By suitable processing of trace data, packets emanating from individual machines can be isolated, and the number of machines determined.
Routing Protocols With Predicted Outage Notification,
Tue Mar 15 16:01:55 EDT 2011
A method, system and non-transitory computer-readable medium for the efficient routing of data packets across a plurality of routers when a link is unavailable which includes connecting a plurality of nodes in a network using a plurality of routers having a plurality of links between the routers, informing the routers in the network when one or more of the links in the network will be unavailable at a specified time in the future, recalculating the routing tables to determine the most efficient routing paths when the links in the network become unavailable and, when the time in the future arrives, switching the routers in the network to the new routing tables at the same time.
Routing Protocols With Predicted Outage Notification,
Tue Jul 13 15:50:33 EDT 2010
A method for the efficient routing of data packets across a plurality of routers when a link is unavailable which includes connecting a plurality of nodes in a network using a plurality of routers having a plurality of links between the routers, informing the routers in the network when one or more of the links in the network will be unavailable at a specified time in the future, recalculating the routing tables to determine the most efficient routing paths when the links in the network become unavailable and, when the time in the future arrives, switching the routers in the network to the new routing tables at the same time.
Enhanced Communication Service For Predicting And Handling Communication Interruption,
Tue Mar 09 15:50:24 EST 2010
A method and apparatus for anticipating communication interruption. If, during an established call between two communication devices, a telecommunication device determines that a communication link to one of the devices will be interrupted, either temporarily or permanently, the device predicts the interruption in the communication link. The device may send a message, as pre-determined by at least one of the communication devices, to the communication device of the predicted or pending call drop or interruption. After the interruption the previously established call is resumed. If a reconnection attempt is appropriate, then the device will attempt to reconnect to the dropped device. If a reconnection attempt is not appropriate, or if the reconnection attempt is unsuccessful, the non-dropped communication device is connected, as predetermined by either of the communication devices, to an appropriate connection, such as a voice mail. If the reconnection attempt is successful, the call between the two communication devices is re-established.
Privacy-Enhanced Searches Using Encryption,
Tue Jul 07 15:38:41 EDT 2009
Encryption with keys that form an Abelian group is used in combination with a semi-trusted party that converts queries that are encrypted with the key of a querier to queries that are encrypted with the key of the encrypted database, without knowing the actual keys. In an illustrative embodiment, encryption is done with Bloom filters that employ Pohlig-Hellman encryption. Since the querier's key is not divulged, neither the semi-trusted party nor the publisher of the database can see the original queries. Provision can be made for fourth party "warrant servers", as well as "censorship sets" that limit the data to be shared.
Method for reducing congestion in packet-switched networks,
Tue Jun 05 18:12:04 EDT 2007
The present invention permits a network service provider to detect an operational condition--such as congestion--in a packet-switched network and to alleviate such congestion by providing customer incentives to avoid use of the network. The detection mechanism triggers an incentive such as the modification of the user's access charges and the customer can be immediately notified of either the occurrence of the congestion or of information regarding the incentive. Usage of the network during congested periods can be deterred by imposing additional access charges during such periods--similarly, customers can be given a discount to encourage usage during periods of low congestion. An incentive schedule can be tailored to dynamically change the usage patterns of the customers of the network to accommodate the operational conditions in the network. The present invention has application in the Internet, where a detection/notification mechanism, for example, can be implemented in a network node such as a router or in a network endpoint such as a client machine or a proxy or mail server.
Method and apparatus for a distributed firewall,
Tue May 23 18:11:15 EDT 2006
A method and apparatus for implementing a distributed firewall is described. A packet filter processor receives a packet sent from a first device to a second device. The packet filter processor authenticates an identifier for the packet. For example, authentication could be performed using a cryptographically-verifiable identifier. The packet filter processor determines whether to send the packet to the second device, based on the authentication and a set of policy rules. The packet filter processor sends the packet to the second device in accordance with the determination.
Method and apparatus for enhanced security in a broadband telephony network,
Tue Apr 25 18:11:07 EDT 2006
The broadband telephony interface is provisioned by receiving information authenticating a provisioning server, establishing a communication channel between the user and the provisioning server over which is transmitted authorization information from the user to the provisioning server, and encrypting and transmitting a cryptographic key associated with the user to the provisioning server. The cryptographic key can be a symmetric key or a public key corresponding to a private key stored in the broadband telephony interface. The cryptographic key can be utilized to generate other keys which are utilized to secure communication channels for the telephony service. The broadband telephony interface advantageously can be implemented as untrusted hardware or software that is installed by a customer.
Method for providing privacy by network address translation,
Tue Mar 22 18:10:20 EST 2005
A call between a first network associated with a calling party and a second network associated with a called party is connected. The source address for packets associated with the call are translated. The packets are sent from the calling party to the called party without the called party receiving the source address that indicates at least one from the group of a logical identity of the calling party and a geographical identity of the calling party.
Method and system for telephony and high speed data access on a broadband access network,
Tue Dec 16 18:08:57 EST 2003
A system and method for providing telephony and high speed data access over a broadband access network, comprising a network interface unit (NIU) coupled to a backup local exchange carrier (LEC) line, the broadband access network coupled to the NIU, an intermediate point-of-presence (IPOP) coupled to the broadband access network, and at least one external access network coupled to the IPOP. The system also provides for a fail-safe mode in which the NIU supports the LEC line for lifeline services.
Method and apparatus for restricting access to private information in domain name systems by filtering information,
Tue Sep 28 18:05:22 EDT 1999
A device and method filter information to restrict access to private information of a domain in a domain name system. The device includes a filtering device. The filtering device filters information received from devices external to the domain by removing the private information before forwarding the information to devices within the domain. The private information includes IP addresses and domain names. The private information also includes any additional information appended to legitimate responses to requests from devices in the domain.
Method for determining and reporting a level of network activity on a communications network using a routing analyzer and advisor,
Tue Feb 09 18:05:08 EST 1999
A system identifies transmission routes between a user and a desired destination site on a wide area communications network, such as the Internet. The system then detects transit characteristics for each of the transmission routes. A user can request the level of activity on the routes. Thus, the user can be apprised of the existence of possible congestion in any attempt to access the desired destination site.
National Computer Systems Security Award, 2007.
National Academy, 2001.
AT&T Fellow, 1998.
Intranet firewalls: Honored for pioneering work on social applications of the Internet, and for fundamental contributions to research in network security.