NETWORK SECURITY BY INTEGRATING MUTUAL ATTESTATION

    Publication (Announcement) No.: US20220222347A1

    Publication (Announcement) Date: 2022-07-14

    Application No.: US17712499

    Application Date: 2022-04-04

    Abstract: Attestation techniques, systems, and methods that confirm the integrity of a device before establishing, and while maintaining, a trustworthy encrypted network session. An example method includes sending, from a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; and determining whether to perform a next step in the cryptographic security protocol based on that level of trust, where the cryptographic security protocol comprises at least one of Secure Shell (SSH), Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Internet Protocol Security (IPsec).
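
    Worked example of the exchange the abstract describes (added here; not code from the patent or its assignee): the server sends a handshake message carrying a fresh nonce, the client answers with measurements bound to that nonce, and the server derives a level of trust that gates the next protocol step. The handshake framing, the trust policy, the golden measurements and the shared HMAC attestation key are all assumptions made for this example; a deployment would verify a TPM or SUDI signature chain instead of a shared secret.

```python
"""Attestation-gated handshake, added example (not the patent's own code).

Assumed exchange, layered on a TLS/SSH-style handshake:
  1. server -> client : handshake message carrying a fresh nonce
  2. client -> server : attestation evidence = measurements + MAC over (nonce, measurements)
  3. server derives a level of trust from the evidence and decides whether to perform
     the next protocol step, continue with restrictions, or abort.
The attestation key is a shared secret (HMAC) to keep the example offline; a
deployment would verify a TPM/SUDI signature and certificate chain instead.
"""
import hashlib
import hmac
import json
import os

# Constructed golden measurements (hypothetical firmware and kernel digests).
GOLDEN = {
    "firmware": hashlib.sha256(b"vendor-firmware-1.2").hexdigest(),
    "kernel": hashlib.sha256(b"signed-kernel-5.15").hexdigest(),
}
ATTEST_KEY = b"constructed-shared-attestation-key"
TRUST_FULL, TRUST_PARTIAL, TRUST_NONE = "full", "partial", "none"


def _evidence_bytes(nonce, measurements):
    return json.dumps({"nonce": nonce, "measurements": measurements}, sort_keys=True).encode()


def server_hello():
    """Step 1: server message with a 16-byte nonce so evidence cannot be replayed."""
    return {"nonce": os.urandom(16).hex()}


def client_attest(hello, measurements, key=ATTEST_KEY):
    """Step 2: client binds its measurements to the server nonce."""
    mac = hmac.new(key, _evidence_bytes(hello["nonce"], measurements), hashlib.sha256).hexdigest()
    return {"nonce": hello["nonce"], "measurements": measurements, "mac": mac}


def trust_level(hello, response, key=ATTEST_KEY):
    """Step 3: level of trust derived from the client's response."""
    if not response or response.get("nonce") != hello["nonce"]:
        return TRUST_NONE                      # missing, or replayed under an old nonce
    measurements = response.get("measurements", {})
    expected = hmac.new(key, _evidence_bytes(response["nonce"], measurements), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response.get("mac", "")):
        return TRUST_NONE                      # evidence was not produced with the attestation key
    mismatched = sorted(k for k, v in GOLDEN.items() if measurements.get(k) != v)
    if not mismatched:
        return TRUST_FULL
    if mismatched == ["kernel"]:               # assumed policy: firmware intact, kernel unknown
        return TRUST_PARTIAL
    return TRUST_NONE


def next_step(level):
    """Map the level of trust to what the server does with the handshake."""
    return {TRUST_FULL: "continue", TRUST_PARTIAL: "continue-restricted", TRUST_NONE: "abort"}[level]


if __name__ == "__main__":
    hello = server_hello()
    print(next_step(trust_level(hello, client_attest(hello, dict(GOLDEN)))))
```

    The nonce is what makes the evidence fresh: a response captured from an earlier handshake fails the nonce comparison before any measurement is even looked at, and a response built without the attestation key fails the MAC check, so neither can raise the trust level.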

    Authenticating time sources using attestation-based methods

    Publication (Announcement) No.: US11245484B2

    Publication (Announcement) Date: 2022-02-08

    Application No.: US16790935

    Application Date: 2020-02-14

    Abstract: Systems, methods, and computer-readable media for authenticating time sources using attestation-based techniques include receiving, at a destination device, a time reference signal from a source device, the source and destination devices being network devices. The time reference signal can include a time synchronization signal or a time distribution signal. The destination device can obtain attestation information from one or more fields of the time reference signal and determine whether the source device is authentic and trustworthy based on the attestation information. The destination device can also determine reliability or freshness of the time reference signal based on the attestation information. The time reference signal can be based on the Network Time Protocol (NTP), the Precision Time Protocol (PTP), or another protocol. The attestation information can include a Proof of Integrity based on a Canary stamp, a hardware fingerprint, a Secure Unique Device Identification (SUDI) of the source device, or an attestation key.

    Data-driven identification of features related to a state change of a network component

    Publication (Announcement) No.: US11115280B2

    Publication (Announcement) Date: 2021-09-07

    Application No.: US16789723

    Application Date: 2020-02-13

    Abstract: Techniques and mechanisms for automatically identifying counters/features of a network component that are related to a state change (or event) of the network component or of the network itself. For example, using data obtained from the network component around the time of the state change, delta averages of the features around that time may be determined. The delta averages may be utilized to determine which counters/features are most descriptive of a particular state change. Identifying the counters/features that are most descriptive of a state change is as important as detecting the change itself, especially because, when an event or state change occurs, a large number of counters/features may react to it. The techniques described herein therefore distill, from a data-driven perspective, which counters/features contribute the most to a particular state change.

    DIAGNOSING AND RESOLVING ISSUES IN A NETWORK USING PROBE PACKETS

    Publication (Announcement) No.: US20210226879A1

    Publication (Announcement) Date: 2021-07-22

    Application No.: US16744447

    Application Date: 2020-01-16

    Abstract: This disclosure describes various methods, systems, and devices related to identifying an issue in a network using a probe packet. An example method includes identifying an expired data packet transmitted in a network and addressed to a destination; generating a probe packet addressed to the destination; and forwarding the probe packet. When the probe packet is received, a report indicating a routing loop in the network can be transmitted to an administrator.
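
    Worked example of the probe mechanism in this abstract (added here; not code from the patent): a data packet expires at a router, that router generates a probe to the same destination and forwards it on the normal path, and when the probe comes back to its originator a routing-loop report is produced. The forwarding tables, router names and the probe marking are constructed for the example, and forwarding is simulated in-process rather than on a wire.

```python
"""Routing-loop diagnosis with probe packets, added example (not the patent's code).

A router that sees a data packet expire (TTL reaches 0) generates a probe to the
same destination, tags it with its own id and forwards it on the normal path.
If the probe comes back to the router that generated it, the path loops and a
report is produced for the administrator. Forwarding is simulated in-process.
"""
import ipaddress

# Constructed forwarding tables: router -> {prefix: next hop}. Hosts (H1) have no table.
# R2 and R3 point at each other for 10.9.0.0/16, a routing loop.
FIB = {
    "R1": {"10.9.0.0/16": "R2", "10.1.0.0/16": "H1"},
    "R2": {"10.9.0.0/16": "R3", "10.1.0.0/16": "R1"},
    "R3": {"10.9.0.0/16": "R2", "10.1.0.0/16": "R2"},
}


def lookup(router, dst, fib):
    """Longest-prefix match in one router's table; None when there is no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in fib.get(router, {}).items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward(pkt, start, fib, max_hops=64):
    """Walk a packet hop by hop. Returns (outcome, path); path[-1] is where it stopped."""
    cur, path = start, [start]
    while True:
        if pkt["ttl"] <= 0:
            return "expired", path                  # expires at router `cur`
        nh = lookup(cur, pkt["dst"], fib)
        if nh is None:
            return "no-route", path
        pkt["ttl"] -= 1
        path.append(nh)
        if nh not in fib:
            return "delivered", path                # next hop is a host
        if pkt.get("probe_origin") == nh:
            return "probe-returned", path           # probe came back to its originator
        if len(path) > max_hops:
            return "expired", path
        cur = nh


def diagnose(dst, start, fib, ttl=8):
    """Send a data packet; on expiry, let the expiring router probe and report a loop."""
    outcome, path = forward({"dst": dst, "ttl": ttl}, start, fib)
    result = {"outcome": outcome, "path": path}
    if outcome != "expired":
        return result
    origin = path[-1]
    probe = {"dst": dst, "ttl": 64, "probe_origin": origin}
    probe_outcome, probe_path = forward(probe, origin, fib)
    result.update({"expired_at": origin, "probe": probe_outcome, "report": None})
    if probe_outcome == "probe-returned":
        # The report is returned to the caller here instead of being sent to an administrator.
        result["report"] = f"routing loop for {dst}: {' -> '.join(probe_path)}"
    return result
```

    The probe is only generated on an actual expiry, so a destination that is merely unreachable (no route) or simply far away produces no loop report; only a probe that revisits its originating router does.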

    DATA-DRIVEN IDENTIFICATION OF FEATURES RELATED TO A STATE CHANGE OF A NETWORK COMPONENT

    Publication (Announcement) No.: US20210092010A1

    Publication (Announcement) Date: 2021-03-25

    Application No.: US16789723

    Application Date: 2020-02-13

    Abstract: Techniques and mechanisms for automatically identifying counters/features of a network component that are related to a state change (or event) of the network component or of the network itself. For example, using data obtained from the network component around the time of the state change, delta averages of the features around that time may be determined. The delta averages may be utilized to determine which counters/features are most descriptive of a particular state change. Identifying the counters/features that are most descriptive of a state change is as important as detecting the change itself, especially because, when an event or state change occurs, a large number of counters/features may react to it. The techniques described herein therefore distill, from a data-driven perspective, which counters/features contribute the most to a particular state change.
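
    Worked example of the delta-average ranking described in both the granted patent (US11115280B2) and this published application (added here; not code from either document): for each counter, the mean over a window before the event is compared with the mean over a window after it, and the counters are ranked by the normalised difference. The telemetry samples, counter names, window size and normalisation rule are constructed for this example and are not taken from the patent.

```python
"""Delta averages around a state change, added example (not the patent's code).

For every counter, average the samples in a window before the event and in a
window after it; the normalised absolute difference is the delta average, and
the counters with the largest delta are the most descriptive of the change.
"""
from statistics import mean


def _sample(rx, tx, crc, drops, cpu):
    return {"rx_packets": rx, "tx_packets": tx, "crc_errors": crc, "rx_drops": drops, "cpu_util": cpu}


# Constructed telemetry: five 1-second samples before a link-quality event, five after.
SAMPLES = [_sample(1000 + i, 980 - i, 0, 2, 30) for i in range(5)] + \
          [_sample(1005 + i, 400 + i, 50 + 5 * i, 200 + 10 * i, 31) for i in range(5)]


def delta_averages(samples, event_index, window):
    """samples: time-ordered list of {counter: value}; returns {counter: delta average}."""
    before = samples[max(0, event_index - window):event_index]
    after = samples[event_index:event_index + window]
    if not before or not after:
        raise ValueError("window does not fit around the event")
    deltas = {}
    for counter in samples[0]:
        b = mean(s[counter] for s in before)
        a = mean(s[counter] for s in after)
        scale = max(abs(b), 1.0)       # relative change, so large counters do not dominate
        deltas[counter] = abs(a - b) / scale
    return deltas


def rank_features(samples, event_index, window, top=3):
    """Counters most descriptive of the state change at event_index, best first."""
    deltas = delta_averages(samples, event_index, window)
    return sorted(deltas, key=deltas.get, reverse=True)[:top]
```

    Normalising by the pre-event mean is what keeps a busy counter such as rx_packets, which moved by a few packets out of a thousand, from outranking crc_errors and rx_drops, which moved by orders of magnitude; without it, raw packet counts would dominate every ranking.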

    Intra-host and end-to-end packet path and treatment tracing using in-situ OAM in container networking architecture

    Publication (Announcement) No.: US10805215B2

    Publication (Announcement) Date: 2020-10-13

    Application No.: US15926292

    Application Date: 2018-03-20

    Abstract: Presented herein are techniques for monitoring packets in a container networking environment. A method includes receiving a packet at a network node, the packet having been routed to the network node in accordance with instructions from a container orchestration system, inserting an additional field in the packet that is configured to record a path of the packet within a first POD of the host device that includes at least one container, forwarding the packet to the first POD of the host device in accordance with the instructions from the container orchestration system, updating the additional field with container networking path information as the packet transits the first POD and the at least one container therein, storing the container path information in an analytics node of the network node, removing the additional field from the packet, and transmitting the packet from the network node to the network.
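
    Worked example of the intra-host trace in this abstract (added here; not code from the patent): the node inserts an in-situ OAM field, each hop inside the pod appends its id and the treatment it applied, and at egress the node stores the trace for analytics and strips the field. Packet representation, hop names, treatments and the analytics store are constructed for this example.

```python
"""In-situ OAM path tracing inside a pod, added example (not the patent's code).

The network node inserts an iOAM trace field into a packet bound for a pod;
every hop inside the pod (CNI veth, sidecar, application container) appends its
id and the treatment it applied; on the way out the node copies the trace to
the analytics store and strips the field so it never leaves the host.
Packets are dicts and hops are callables, constructed for this example.
"""
import time

ANALYTICS = []          # constructed stand-in for the analytics node


def ioam_insert(pkt, node_id):
    """Node ingress: add the trace field (no-op if the packet already carries one)."""
    pkt.setdefault("ioam", {"node": node_id, "trace": []})
    return pkt


def ioam_hop(name, treatment, action=None):
    """A hop inside the pod: optionally transforms the packet, then records itself."""
    def hop(pkt):
        if action:
            action(pkt)
        if "ioam" in pkt:
            pkt["ioam"]["trace"].append({"hop": name, "treatment": treatment, "t_ns": time.monotonic_ns()})
        return pkt
    return hop


def ioam_strip(pkt, store=ANALYTICS):
    """Node egress: persist the trace for analytics and remove it from the packet."""
    rec = pkt.pop("ioam", None)
    if rec is not None:
        store.append({"node": rec["node"], "flow": (pkt["src"], pkt["dst"]), "trace": rec["trace"]})
    return pkt


def traverse_pod(pkt, node_id, hops, store=ANALYTICS):
    """Insert the field, run the packet through every hop of the pod, then strip it."""
    pkt = ioam_insert(pkt, node_id)
    for hop in hops:
        pkt = hop(pkt)
    return ioam_strip(pkt, store)


def path_of(record):
    return [entry["hop"] for entry in record["trace"]]


def intra_pod_latency_ns(record):
    trace = record["trace"]
    return trace[-1]["t_ns"] - trace[0]["t_ns"] if trace else 0


# Constructed pod: CNI veth -> sidecar (mTLS) -> app container -> sidecar egress.
POD_HOPS = [
    ioam_hop("cni0-veth", "ingress"),
    ioam_hop("sidecar-proxy", "mtls-terminate", lambda p: p.update(tls_terminated=True)),
    ioam_hop("app-container", "deliver"),
    ioam_hop("sidecar-proxy", "egress"),
]
```

    Stripping the field at the node boundary matters for two reasons: the trace must not leak host-internal topology to the network, and the packet that leaves must be byte-for-byte what the application sent.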

    AUTHENTICATING TIME SOURCES USING ATTESTATION-BASED METHODS

    Publication (Announcement) No.: US20200322075A1

    Publication (Announcement) Date: 2020-10-08

    Application No.: US16790935

    Application Date: 2020-02-14

    Abstract: Systems, methods, and computer-readable media for authenticating time sources using attestation-based techniques include receiving, at a destination device, a time reference signal from a source device, the source and destination devices being network devices. The time reference signal can include a time synchronization signal or a time distribution signal. The destination device can obtain attestation information from one or more fields of the time reference signal and determine whether the source device is authentic and trustworthy based on the attestation information. The destination device can also determine reliability or freshness of the time reference signal based on the attestation information. The time reference signal can be based on the Network Time Protocol (NTP), the Precision Time Protocol (PTP), or another protocol. The attestation information can include a Proof of Integrity based on a Canary stamp, a hardware fingerprint, a Secure Unique Device Identification (SUDI) of the source device, or an attestation key.
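
    Worked example covering this abstract and the granted patent US11245484B2 above (added here; not code from either document): an NTP server reply carries an extension field with a device identifier, a sequence number and a MAC, and the destination checks the source identity, the MAC, sequence freshness and the transmit timestamp before trusting the time reference. The extension-field layout and type value, the use of HMAC with a shared per-device key in place of a SUDI certificate signature, the device registry and the skew threshold are all assumptions made for this example.

```python
"""Attested NTP time reference, added example (not the patent's code).

Assumed wire layout: a 48-byte NTPv4 header followed by one extension field
    type(2) | length(2) | SUDI(16) | sequence(4) | MAC(32)          (56 bytes)
The MAC covers header || type || length || SUDI || sequence under a per-device
attestation key (HMAC here; a real SUDI would carry an X.509-backed signature).
The verifier checks the source is known, the MAC holds, the sequence is fresh
and the transmit timestamp is close to local time before trusting the reference.
"""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800          # seconds between 1900-01-01 and 1970-01-01
EXT_TYPE_ATTEST = 0x7F01               # hypothetical extension-field type
EXT_LEN = 56
# Constructed registry of trusted time sources: SUDI -> [attestation key, last accepted sequence]
DEVICES = {b"SUDI-constructed": [b"constructed-device-key", 0]}


def build_reference(sudi, seq, xmit_unix, key):
    """Source side: NTP server reply with the attestation extension field appended."""
    assert len(sudi) == 16
    header = bytearray(48)
    header[0] = (4 << 3) | 4                                # LI=0, VN=4, mode=4 (server)
    header[1] = 2                                           # stratum (constructed)
    secs = int(xmit_unix) + NTP_EPOCH_OFFSET
    frac = int((xmit_unix - int(xmit_unix)) * (1 << 32)) & 0xFFFFFFFF
    struct.pack_into("!II", header, 40, secs, frac)         # transmit timestamp
    ext_head = struct.pack("!HH", EXT_TYPE_ATTEST, EXT_LEN) + sudi + struct.pack("!I", seq)
    mac = hmac.new(key, bytes(header) + ext_head, hashlib.sha256).digest()
    return bytes(header) + ext_head + mac


def parse_attestation(pkt):
    """Destination side: pull the attestation fields out of the time reference signal."""
    if len(pkt) < 48 + EXT_LEN:
        return None
    header, ext = pkt[:48], pkt[48:48 + EXT_LEN]
    etype, elen = struct.unpack("!HH", ext[:4])
    if etype != EXT_TYPE_ATTEST or elen != EXT_LEN:
        return None
    secs, frac = struct.unpack("!II", header[40:48])
    return {
        "sudi": ext[4:20],
        "seq": struct.unpack("!I", ext[20:24])[0],
        "mac": ext[24:56],
        "signed": header + ext[:24],
        "xmit": secs - NTP_EPOCH_OFFSET + frac / (1 << 32),
    }


def verify_reference(pkt, now=None, max_skew=2.0, registry=DEVICES):
    """Returns (accepted, reason); on success records the sequence as the new high-water mark."""
    now = time.time() if now is None else now
    att = parse_attestation(pkt)
    if att is None:
        return False, "no attestation field"
    entry = registry.get(att["sudi"])
    if entry is None:
        return False, "unknown SUDI"
    key, last_seq = entry
    if not hmac.compare_digest(hmac.new(key, att["signed"], hashlib.sha256).digest(), att["mac"]):
        return False, "bad attestation MAC"                 # forged, or header/field tampered in flight
    if att["seq"] <= last_seq:
        return False, "replayed sequence"                   # freshness: monotonic per-source counter
    if abs(now - att["xmit"]) > max_skew:
        return False, "stale timestamp"                     # reliability: reference too far from local clock
    entry[1] = att["seq"]
    return True, "trusted"
```

    Because the MAC covers the NTP header as well as the attestation field, an on-path attacker who rewrites the transmit timestamp is caught by the MAC check; a replayed but otherwise valid reply is caught by the sequence check, and a genuine reply held back and delivered late is caught by the skew check.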

    Service offload or bypass initiated by a service function forwarder in a service function chaining network

    Publication (Announcement) No.: US10749710B2

    Publication (Announcement) Date: 2020-08-18

    Application No.: US16231247

    Application Date: 2018-12-21

    Abstract: In one embodiment, a service function forwarder (SFF) analyzes pre-service state and post-service state of an original packet to determine whether to initiate and perform service offload or service bypass. A service function forwarder (SFF) receives a particular packet having a service function chain (SFC) encapsulation of the original packet, the SFC encapsulation identifying a particular service function path (SFP) designating a particular service function (SF). The SFF extracts pre-service state of the original packet, typically adding it to the particular packet in an In-Situ Operations, Administration, and Maintenance (IOAM) data field (or alternatively storing locally) before sending the particular packet to the particular SF. The SFF receives the particular packet after the SF applies the particular network service. In response to analyzing pre-service state and post-service state by the SFF, the SFF may perform service bypass or service offload for subsequently received packets identifying the same particular SFP.
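
    Worked example of the SFF decision in this abstract (added here; not code from the patent): the SFF records pre-service state of the inner packet in an IOAM field before handing it to a service function, compares it with the post-service state when the packet returns, and on a consistent observation either bypasses a no-op SF or offloads a pure header rewrite onto itself for later packets on the same service function path. What counts as "state", the two-observation confirmation rule, the decision keys and the sample service functions are assumptions made for this example.

```python
"""SFF-initiated service bypass and offload, added example (not the patent's code).

The SFF records pre-service state of the inner packet in an IOAM field before
handing it to a service function (SF) and compares it with post-service state
when the packet comes back:
  * unchanged                                   -> the SF is a no-op on this path: bypass it
  * only header fields rewritten, consistently  -> the SFF applies the rewrite itself: offload
  * anything else (payload changed)             -> keep steering packets to the SF
Decisions are per (SPI, SF) and taken after CONFIRM identical observations.
"""
import copy

HEADER_FIELDS = ("src", "dst", "sport", "dport", "proto")


def state_of(pkt):
    """Pre/post-service state: header fields plus payload length."""
    return {f: pkt[f] for f in HEADER_FIELDS}, len(pkt["payload"])


class SFF:
    CONFIRM = 2                       # identical observations before acting

    def __init__(self, services):
        self.services = services      # {sf_name: callable(pkt) -> pkt}
        self.bypass = set()           # {(spi, sf)}
        self.offload = {}             # {(spi, sf): {field: new_value}}
        self._seen = {}               # {(spi, sf): [observation, count]}

    def _learn(self, key, observation):
        entry = self._seen.get(key)
        if entry and entry[0] == observation:
            entry[1] += 1
        else:
            entry = self._seen[key] = [observation, 1]
        if entry[1] < self.CONFIRM:
            return
        if observation == "nop":
            self.bypass.add(key)
        elif isinstance(observation, tuple):
            self.offload[key] = dict(observation)

    def process(self, encap):
        """encap: {'spi': int, 'sfp': [sf names], 'inner': packet}. Returns per-SF actions."""
        spi, pkt, actions = encap["spi"], encap["inner"], []
        for sf in encap["sfp"]:
            key = (spi, sf)
            if key in self.bypass:
                actions.append((sf, "bypass"))
                continue
            if key in self.offload:
                pkt.update(self.offload[key])
                actions.append((sf, "offload"))
                continue
            encap["ioam"] = {"pre": state_of(pkt)}            # pre-service state carried in IOAM
            pkt = self.services[sf](copy.deepcopy(pkt))        # packet round-trips through the SF
            pre_hdr, pre_len = encap["ioam"]["pre"]
            post_hdr, post_len = state_of(pkt)
            if (post_hdr, post_len) == (pre_hdr, pre_len):
                observation = "nop"
            elif post_len == pre_len:
                observation = tuple(sorted((f, post_hdr[f]) for f in HEADER_FIELDS if post_hdr[f] != pre_hdr[f]))
            else:
                observation = "modified"
            self._learn(key, observation)
            actions.append((sf, "applied"))
        encap["inner"] = pkt
        return actions


# Constructed service functions: a logger (observe only), a destination NAT, a compressor.
def logger_sf(p):
    return p


def dnat_sf(p):
    p["dst"] = "192.0.2.10"
    return p


def compress_sf(p):
    p["payload"] = p["payload"][: len(p["payload"]) // 2]
    return p


SERVICES = {"logger": logger_sf, "dnat": dnat_sf, "compress": compress_sf}


def make_encap(spi, n):
    """Constructed SFC-encapsulated packet on path `spi` with a varying source port."""
    return {"spi": spi, "sfp": ["logger", "dnat", "compress"],
            "inner": {"src": "10.0.0.1", "dst": "203.0.113.5", "sport": 40000 + n,
                      "dport": 443, "proto": "tcp", "payload": b"x" * 64}}
```

    The confirmation count is the safety valve: a single packet that an SF happened not to touch is not enough evidence that the SF is a no-op for the whole path, and a payload-modifying SF such as the compressor is never bypassed or offloaded because its post-service state differs in a way the SFF cannot reproduce.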