-
Publication (Announcement) No.: US11870762B2
Publication (Announcement) Date: 2024-01-09
Application No.: US17368902
Application Date: 2021-07-07
Applicant: Cisco Technology Inc.
Inventor: Craig Thomas Hill, Aaron Christopher Warner, Michael William Bessette, Chennakesava Reddy Gaddam
CPC classification number: H04L63/061, H04L12/462, H04L63/0464, H04L63/162
Abstract: The present disclosure is directed to systems and methods for transparent Provider Backbone Bridge forwarding of MACsec key exchanges over public Ethernet provider backbones. The method includes the steps of receiving, at a first PBB device, an Ethernet frame from a first edge router for transmission to a second edge router via a MACsec connection, the Ethernet frame comprising a plurality of fields; performing a lookup of one or more fields of the plurality of fields to determine a match with one or more pre-defined values; determining that the one or more fields of the Ethernet frame match the one or more pre-defined values; rewriting the one or more fields of the Ethernet frame to one or more open values operable to allow the Ethernet frame to be transmitted to a next hop device; and transmitting the Ethernet frame to the next hop device.
-
Publication (Announcement) No.: US11792065B2
Publication (Announcement) Date: 2023-10-17
Application No.: US17674686
Application Date: 2022-02-17
Applicant: Cisco Technology, Inc.
Inventor: Nagendra Kumar Nainar, Jaganbabu Rajamanickam, David John Zacks, Carlos M. Pignataro, Madhan Sankaranarayanan, Cesar Obediente, Craig Thomas Hill
IPC: H04L41/0604, H04L41/0654, H04L9/40, H04L61/103, H04L41/0631, H04L67/133
CPC classification number: H04L41/0627, H04L41/0631, H04L41/0654, H04L61/103, H04L63/101, H04L67/133
Abstract: Methods and devices provide fault injection testing techniques in a production network environment without risking service outages for hosted computing services, by providing examples of a remote network controller configured to communicate with network devices of a network; a remote fault injection communication protocol configuring a remote network controller in communication with a network device to signal a failure injection; and a failure injection module configuring a network device to configure a network device processor to implement a failure injection signaled according to the remote failure injection communication protocol. The method includes a network controller transmitting a failure injection signal in a control plane packet over a network connection to a network device, and the network device creating a child process by executing, in a dedicated runtime environment, a copy of one or more processes impacted by a parsed failure type.
-
Publication (Announcement) No.: US20230008699A1
Publication (Announcement) Date: 2023-01-12
Application No.: US17368902
Application Date: 2021-07-07
Applicant: Cisco Technology Inc.
Inventor: Craig Thomas Hill, Aaron Christopher Warner, Michael William Bessette, Chennakesava Reddy Gaddam
Abstract: The present disclosure is directed to systems and methods for transparent Provider Backbone Bridge forwarding of MACsec key exchanges over public Ethernet provider backbones. The method includes the steps of receiving, at a first PBB device, an Ethernet frame from a first edge router for transmission to a second edge router via a MACsec connection, the Ethernet frame comprising a plurality of fields; performing a lookup of one or more fields of the plurality of fields to determine a match with one or more pre-defined values; determining that the one or more fields of the Ethernet frame match the one or more pre-defined values; rewriting the one or more fields of the Ethernet frame to one or more open values operable to allow the Ethernet frame to be transmitted to a next hop device; and transmitting the Ethernet frame to the next hop device.
-
Publication (Announcement) No.: US20220353143A1
Publication (Announcement) Date: 2022-11-03
Application No.: US17243740
Application Date: 2021-04-29
Applicant: Cisco Technology, Inc.
Inventor: Craig Thomas Hill, Cesar Obediente
IPC: H04L12/24
Abstract: A network controller is configured to control a plurality of network devices in a network. The network controller generates one or more commands that are configured to inject a failure to propagate through two or more network devices in the network. The network controller provides the one or more commands to at least one of the two or more network devices to initiate the failure. The one or more commands that cause the failure also cause the two or more network devices to collect and propagate telemetry data on a hop-by-hop basis. The network controller obtains the telemetry data collected from the two or more network devices, and analyzes the telemetry data to determine the impact on the network of the failure propagated through the two or more network devices.
-
Publication (Announcement) No.: US11411915B2
Publication (Announcement) Date: 2022-08-09
Application No.: US16243733
Application Date: 2019-01-09
Applicant: Cisco Technology, Inc.
Inventor: Craig Thomas Hill, Stephen Michael Orr
IPC: H04L45/021, H04L9/40, H04L9/08, H04L69/18
Abstract: A network device configured to communicate with a network executes a security protocol. The security protocol establishes a secure session with a security peer network device, exchanges security protected traffic with the security peer network device over a secure link, detects whether there is a security failure in the secure session, and upon detecting a security failure, signals there is a security failure. The network device also executes a routing protocol. The routing protocol maintains a routing table that includes a route to the security peer over the secure link, routes the security protected traffic along the route, and, upon receiving from the security protocol the signal that there is a security failure, removes the route from the routing table to stop the routing.
-
Publication (Announcement) No.: US11212265B2
Publication (Announcement) Date: 2021-12-28
Application No.: US16738722
Application Date: 2020-01-09
Applicant: Cisco Technology, Inc.
Inventor: Craig Thomas Hill, Chennakesava Reddy Gaddam, Annu Singh, Gaurav Kumar
Abstract: A non-transitory computer readable medium including instructions stored thereon, when executed, the instructions being effective to cause at least one processor of a first network device to: derive a private key encryption key based on a public key, a first private key of the first network device, a second private key of a live peer device, and a Connectivity Association Key (CAK); transmit a secret key encrypted by the private key encryption key to the live peer device; and receive a communication from the live peer device, the communication being encrypted by the secret key.
-
Publication (Announcement) No.: US11128663B2
Publication (Announcement) Date: 2021-09-21
Application No.: US16161716
Application Date: 2018-10-16
Applicant: Cisco Technology, Inc.
Inventor: Craig Thomas Hill, Stephen Michael Orr
Abstract: A first network element, such as a router, in a computer network may have established a communication link with a second network element in the computer network. A secure session associated with the communication link between the first and second network elements may then be established. The secure session may use a secure communication function on each of the first network element and the second network element. The first network element may then detect that the first network element cannot communicate with the second network element over the communication link. When the first network element cannot communicate with the second network element, the first network element may terminate the communication link and the secure session associated with the communication link.
-
Publication (Announcement) No.: US20250023919A1
Publication (Announcement) Date: 2025-01-16
Application No.: US18352165
Application Date: 2023-07-13
Applicant: Cisco Technology, Inc.
Inventor: Madhan SANKARANARAYANAN, Nagendra Kumar Nainar, Jaganbabu Rajamanickam, Selvam Murugesan, Monitto Pitchaimani Sebastin, Craig Thomas Hill
Abstract: Techniques for optimizing routing decisions based on security metrics within a network environment are described herein. In some cases, by using various security metrics, such as encryption indicators, attestation indicators, secureness metrics, and reliability metrics, an exemplary system can assess the security level and reliability of network paths. These metrics may provide valuable insights into the trustworthiness and integrity of participating nodes and links and enable informed decision-making regarding path selection.
-
Publication (Announcement) No.: US12149436B2
Publication (Announcement) Date: 2024-11-19
Application No.: US17979640
Application Date: 2022-11-02
Applicant: Cisco Technology, Inc.
Inventor: David John Zacks, Nagendra Kumar Nainar, Madhan Sankaranarayanan, Jaganbabu Rajamanickam, Craig Thomas Hill, Cesar Obediente
Abstract: Technologies for testing resiliency of a data network with real-world accuracy without affecting the flow of production data through the network. A method according to the technologies may include receiving a production data packet and determining a preferred data route toward a destination node for the production data packet based on a first routing information base, wherein the first routing information base includes a database where routes and route metadata are stored according to a routing protocol. The method may also include, receiving a test data packet, and determining an alternate data route toward the destination node for the test data packet based on a second routing information base, wherein the second routing information base simulates an error in the preferred data route. The method may include sending the production data packet to the preferred data route and sending the test data packet to the alternate data route.
-
Publication (Announcement) No.: US20240291639A1
Publication (Announcement) Date: 2024-08-29
Application No.: US18115718
Application Date: 2023-02-28
Applicant: Cisco Technology, Inc.
Inventor: Kapildeep Singh Bakshi, Craig Thomas Hill, Raymond Allan Blair, Michael Alan Kowal, Steven M. Carter, Stephen Michael Orr
Abstract: Techniques for ensuring that geographic location specific security policies are enforced for an agent or agent device. An Agent service of an agent device accesses an Agent Authentication Service for a key to initiate one or more functions of the agent device. The Agent Authentication Service determines the location of the agent device and determines whether the agent device is within an approved geographic location based on geographic location specific security policies. If the agent device is within the approved geographic location, the Agent Authentication Service accesses a Key Management Service for a cryptographic key and delivers the cryptographic key to the Agent. If the Agent Authentication Service determines that the Agent device is outside of the approved location, access to the cryptographic key is denied.