公开(公告)号：US20250070980A1

公开(公告)日：2025-02-27

申请号：US18237583

申请日：2023-08-24

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric A. Voit ,  Eric Levy-Abegnoli ,  Patrick Wetterwald ,  Jonas Zaddach

IPC: H04L9/32 ,  H04L61/2503

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications and verify an authenticity of a client device attempting to use a virtual IP (VIP) address. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a VIP address that is mapped to the client device and the endpoint device. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can verify an authenticity of the client device and convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

公开(公告)号：US20230068788A1

公开(公告)日：2023-03-02

申请号：US17462501

申请日：2021-08-31

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Eric Levy- Abegnoli ,  Jonas Zaddach

IPC: G06F21/62 ,  H04L9/32 ,  G06F9/455

Abstract: A container includes a user program and data generated by the user program within a regulatory jurisdiction. Before the container leaves the regulatory jurisdiction, the data is validated by the jurisdiction to ensure the data complies with privacy laws of the jurisdiction. Upon ingress to a second regulatory jurisdiction, the data is signed locally to provide for confirmation that the data can leave the second regulatory jurisdiction, since it was not generated within the second jurisdiction. By allowing the user program to move from the first regulatory jurisdiction to a second regulatory jurisdiction, the disclosed embodiments overcome limitations in current solutions that restrict access to local data based on what a public application programming interface (API) can provide. By operating within the regulatory jurisdiction, albeit subject to access controls imposed by that jurisdiction, flexibility in the processing of sensitive data is improved.

公开(公告)号：US20220394009A1

公开(公告)日：2022-12-08

申请号：US17819783

申请日：2022-08-15

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: H04L61/3015 ,  H04L61/30 ,  H04L45/02 ,  H04L9/40

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.

公开(公告)号：US11165748B1

公开(公告)日：2021-11-02

申请号：US17069579

申请日：2020-10-13

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: G06F15/16 ,  H04L29/12 ,  H04L12/751 ,  H04L29/06

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PM) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

公开(公告)号：US12231417B2

公开(公告)日：2025-02-18

申请号：US18120889

申请日：2023-03-13

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Jonas Zaddach ,  Eric Levy-Abegnoli

IPC: H04L9/40 ,  H04L67/141 ,  H04L67/142

Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration the user can be required to re-authenticate.

公开(公告)号：US12213052B2

公开(公告)日：2025-01-28

申请号：US17750229

申请日：2022-05-20

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: H04W40/24

Abstract: In one embodiment, an illustrative method herein may comprise: receiving, at a first edge device, a direct indication from a second edge device that a mobile device has moved from the first to the second edge device; determining, based on the direct indication, a first time at which the mobile device attached to the second edge device; receiving a network routing update message indicative of a routing update for the mobile device having moved to the second edge device; determining, based on the network routing update message, a second time at which convergence completed at the first edge device; and calculating a convergence time for the mobile device to be detected as having moved to the second edge device based on a difference between the first time and the second time.

公开(公告)号：US12155622B1

公开(公告)日：2024-11-26

申请号：US18237590

申请日：2023-08-24

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric A. Voit ,  Eric Levy-Abegnoli ,  Patrick Wetterwald ,  Jonas Zaddach

IPC: H04L61/5007 ,  H04L9/40 ,  H04L61/2503 ,  H04L61/4511

Abstract: Techniques for varying locations of virtual networks associated with endpoints using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS). Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. The VIP address may be selected based on a number of factors (e.g., power usage, privacy requirements, virtual distances, etc.). In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses that can be periodically rotated and/or load balanced. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

公开(公告)号：US20240098063A1

公开(公告)日：2024-03-21

申请号：US17932754

申请日：2022-09-16

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Jonas Zaddach ,  Patrick Wetterwald ,  Eric Levy-Abegnoli

IPC: H04L9/40

CPC classification number: H04L63/0263

Abstract: In one embodiment, a method includes identifying, using a Static Context Header Compression (SCHC) rules engine, one or more packets matching a rule, selecting a firewall decision based on the identified one or more packets and the rule, and applying the firewall decision to the one or more identified packets.

公开(公告)号：US11894939B2

公开(公告)日：2024-02-06

申请号：US17317124

申请日：2021-05-11

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Eric Levy- Abegnoli ,  Jonas Zaddach

IPC: H04L12/18 ,  G06V40/40 ,  G06V40/16

CPC classification number: H04L12/1822 ,  G06V40/168 ,  G06V40/40

Abstract: Techniques are provided that validate a participant in a video conference. As a video conferencing system is remote from a video conference participant, and user devices are not trusted, traditional methods such as client side facial recognition are ineffective at validating a participant from a video conferencing system. Thus, the embodiments encode modulated data for projection onto a face of the participant. A video of the participant is then captured. The conferencing system then confirms that the modulated data is present in the captured video.

公开(公告)号：US11606347B2

公开(公告)日：2023-03-14

申请号：US17004368

申请日：2020-08-27

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Jonas Zaddach ,  Eric Levy-Abegnoli

IPC: H04L9/40 ,  H04L67/141 ,  H04L67/142

Abstract: This disclosure describes techniques for authenticating a user device for a session. For instance, an authentication entity may authenticate a user device using single sign-on authentication and/or multi-factor authentication. The authentication entity may then determine a duration for which the user device is authenticated for the session. For example, the authentication entity may receive information representing a state of an environment of the user device. The authentication entity may then use the information to identify one or more transitions associated with the environment between the session and a previous session. Using the one or more transitions, the authentication entity may determine the duration for the session by increasing or decreasing a previous duration associated with the previous session.