公开(公告)号：US20140123278A1

公开(公告)日：2014-05-01

申请号：US13662023

申请日：2012-10-26

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Vincent J. Ribiere

IPC: G06F21/00

CPC classification number: H04L63/1458 ,  G06F21/554 ,  H04L45/52

Abstract: In one embodiment, a device detects a denial-of-service attack and generates a message in response to the detection of the denial-of-service attack. The message is then virally distributed to a plurality of subscribed devices.

Abstract translation: 在一个实施例中，设备检测到拒绝服务攻击，并响应于对拒绝服务攻击的检测而生成消息。 然后将消息病毒地分发到多个订阅的设备。

公开(公告)号：US20250071089A1

公开(公告)日：2025-02-27

申请号：US18885330

申请日：2024-09-13

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Voit ,  Eric Levy-Abegnoli ,  Patrick Wetterwald ,  Jonas Zaddach

IPC: H04L61/5007 ,  H04L9/40 ,  H04L61/2503 ,  H04L61/4511

Abstract: Techniques for varying locations of virtual networks associated with endpoints using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS). Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. The VIP address may be selected based on a number of factors (e.g., power usage, privacy requirements, virtual distances, etc.). In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses that can be periodically rotated and/or load balanced. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

公开(公告)号：US20250071083A1

公开(公告)日：2025-02-27

申请号：US18237578

申请日：2023-08-24

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric A. Voit ,  Eric Levy-Abegnoli

IPC: H04L61/2503 ,  H04L9/40 ,  H04L61/4511

Abstract: Techniques for using Prefix Address Translation (PAT), Mobile Internet Protocol (MIP), and/or other techniques to anonymize server-side addresses in data communications. Rather than allowing a server and/or endpoint have visibility of a client IP address of a client device accessing the server and/or endpoint, a virtual network service instead returns a PAT IP address that is mapped to the client device and/or the endpoint device. In this way, IP addresses of clients devices are obfuscated by the virtual network. The client device may then communicate data packets to the server and/or endpoint using the PAT IP address as the source address, and the virtual network service that works in conjunction with the server and/or endpoints can convert the PAT IP address to the actual IP address of the client for return packets using PAT and forward the return packet onto the client device.

公开(公告)号：US20250070980A1

公开(公告)日：2025-02-27

申请号：US18237583

申请日：2023-08-24

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric A. Voit ,  Eric Levy-Abegnoli ,  Patrick Wetterwald ,  Jonas Zaddach

IPC: H04L9/32 ,  H04L61/2503

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications and verify an authenticity of a client device attempting to use a virtual IP (VIP) address. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a VIP address that is mapped to the client device and the endpoint device. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can verify an authenticity of the client device and convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

公开(公告)号：US12034707B2

公开(公告)日：2024-07-09

申请号：US18104603

申请日：2023-02-01

Applicant: Cisco Technology, Inc.

Inventor： David A. Maluf ,  Srinath Gundavelli ,  Pascal Thubert ,  Pradeep Kumar Kathail ,  Eric Levy-Abegnoli ,  Eric Voit ,  Ali Sajassi

IPC: H04L9/40 ,  H04L61/2521 ,  H04L61/2539 ,  H04L61/4511

CPC classification number: H04L63/0421 ,  H04L61/2525 ,  H04L61/2539 ,  H04L61/4511

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a random IP address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a random IP address that cannot be used to identify the endpoint device or service. The client device may then communicate data packets to the server using the random IP address as the destination address, and a gateway that works in conjunction with DNS can convert the random IP address to the actual IP address of the server using NAT and forward the data packet onto the server.

公开(公告)号：US11689442B2

公开(公告)日：2023-06-27

申请号：US17559640

申请日：2021-12-22

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jakob Heitz

IPC: H04L45/02

CPC classification number: H04L45/02

Abstract: A particular fat tree network node stores default routing information indicating that the particular fat tree network node can reach a plurality of parent fat tree network nodes of the particular fat tree network node. The particular fat tree network node obtains, from a first parent fat tree network node of the plurality of parent fat tree network nodes, a negative disaggregation advertisement indicating that the first parent fat tree network node cannot reach a specific destination. The particular fat tree network node determines whether the first parent fat tree network node is the only parent fat tree network node of the plurality of parent fat tree network nodes that cannot reach the specific destination. If so, the particular fat tree network node installs supplemental routing information indicating that every parent fat tree network node except the first parent fat tree network node can reach the specific destination.

公开(公告)号：US20230155978A1

公开(公告)日：2023-05-18

申请号：US17530244

申请日：2021-11-18

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Pradeep Kumar Kathail ,  Eric Levy-Abegnoli ,  David A. Maluf

IPC: H04L29/12

CPC classification number: H04L61/2507 ,  H04L61/1511

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

公开(公告)号：US20220417143A1

公开(公告)日：2022-12-29

申请号：US17902158

申请日：2022-09-02

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Patrick Wetterwald

IPC: H04L45/00 ,  H04L12/46 ,  H04L45/02 ,  H04L49/201

Abstract: Techniques for leveraging MLD capabilities at edge nodes of network fabrics to receive SNMAs from silent hosts, and creating unicast addresses from the SNMAs for the silent nodes that are used as secondary matches in a network overlay if primary unicast address lookups fail. The edge nodes described herein may act as snoopers of MLD reports in order to identify the SNMAs of the silent hosts. The edge nodes then forge unicast addresses for the silent hosts that match with the least three bytes of the SNMAs. The forged unicast addresses are presented as unicast MAC/IP mappings in the fabric overlay. In situations where a primary IP address lookup fails, the look-up device performs a secondary lookup for a mapped address that has the last three bytes of the IP address. If a mapping is found, the lookup is sent as a unicast message to the matching MAC address.

公开(公告)号：US20220394009A1

公开(公告)日：2022-12-08

申请号：US17819783

申请日：2022-08-15

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: H04L61/3015 ,  H04L61/30 ,  H04L45/02 ,  H04L9/40

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.

公开(公告)号：US11451945B2

公开(公告)日：2022-09-20

申请号：US16820843

申请日：2020-03-17

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Jean-Philippe Vasseur ,  Patrick Wetterwald ,  Eric Levy-Abegnoli

IPC: H04W48/20 ,  H04W4/70 ,  H04W48/18 ,  H04W24/02 ,  H04W88/12 ,  H04W88/08

Abstract: In one embodiment, a supervisory device in a network forms a virtual access point (VAP) for a node in the network. A set of access points (APs) in the network are mapped to the VAP as part of a VAP mapping and the node treats the APs in the VAP mapping as a single AP for purposes of communicating with the network. The supervisory device receives measurements from the APs in the VAP mapping regarding communications associated with the node. The supervisory device identifies a movement of the node based on the received measurements from the APs in the VAP mapping. The supervisory device adjusts the set of APs in the VAP mapping based on the identified movement of the node.