-
Publication number: US10686889B2
Publication date: 2020-06-16
Application number: US16287099
Application date: 2019-02-27
Applicant: Cisco Technology, Inc.
Inventor: Manish Pathak, Venkatesh N. Gautam, Jianxin Wang
Abstract: A handshake procedure to establish a first connection between a client and a server is monitored at an intermediate network device. A request message sent to the server from the client is received at the intermediate network device. The request message includes parameters defining a manner of receiving information from the server. The parameters defining the manner of receiving information from the server are modified to produce modified parameters. A redirect message is sent from the intermediate network device to the client to induce or cause the client to establish a second connection with the server based upon the modified parameters, wherein the redirect message contains the modified parameters.
-
32.
Publication number: US20190356694A1
Publication date: 2019-11-21
Application number: US15984637
Application date: 2018-05-21
Applicant: Cisco Technology, Inc.
Inventor: Jianxin Wang, Prashanth Patil, Flemming Andreasen, Nancy Cam-Winget, Hari Shankar
IPC: H04L29/06
Abstract: Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.
-
Publication number: US20190199804A1
Publication date: 2019-06-27
Application number: US16287099
Application date: 2019-02-27
Applicant: Cisco Technology, Inc.
Inventor: Manish Pathak, Venkatesh N. Gautam, Jianxin Wang
CPC classification number: H04L67/142, H04L67/146, H04L69/22
Abstract: A handshake procedure to establish a first connection between a client and a server is monitored at an intermediate network device. A request message sent to the server from the client is received at the intermediate network device. The request message includes parameters defining a manner of receiving information from the server. The parameters defining the manner of receiving information from the server are modified to produce modified parameters. A redirect message is sent from the intermediate network device to the client to induce or cause the client to establish a second connection with the server based upon the modified parameters, wherein the redirect message contains the modified parameters.
-
Publication number: US20190068490A1
Publication date: 2019-02-28
Application number: US16170175
Application date: 2018-10-25
Applicant: Cisco Technology, Inc.
Inventor: Reinaldo Penno, Carlos M. Pignataro, Paul Quinn, Hung The Chau, Chui-Tin Yen, Vivek Kansal, Jianxin Wang, Kent K. Leung
IPC: H04L12/721, H04L12/801, H04L12/703, H04L12/911, H04L12/715, H04L12/851
Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
-
Publication number: US20170223054A1
Publication date: 2017-08-03
Application number: US15013413
Application date: 2016-02-02
Applicant: Cisco Technology, Inc.
Inventor: Daniel Wing, Jianxin Wang, Venkatesh Narsipur Gautam
IPC: H04L29/06
CPC classification number: H04L63/166, H04L63/0281, H04L63/0823
Abstract: A proxy device intercepts a client transport layer security message including a server name indicator from a client device. The first client transport layer security message is addressed to a server. The proxy device generates a second client transport layer security message including the server name indicator from the first client transport layer security message and sends the second client transport layer security message to the server. The proxy device receives a certificate from the server, validates its identity, and performs policy functions based on that identity.
-
Publication number: US11949659B2
Publication date: 2024-04-02
Application number: US17374468
Application date: 2021-07-13
Applicant: Cisco Technology, Inc.
Inventor: Pradeep Patel, Jonathan A. Kunder, Ashish K. Dey, Andrew E. Ossipov, Jianxin Wang
IPC: H04L9/40, G06F16/901, H04L47/2441
CPC classification number: H04L63/0245, G06F16/9017, H04L47/2441, H04L63/1425
Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.
-
37.
Publication number: US11777845B2
Publication date: 2023-10-03
Application number: US18147063
Application date: 2022-12-28
Applicant: Cisco Technology, Inc.
Inventor: Kent Leung, Jianxin Wang
IPC: H04L45/00, H04L43/026, H04L61/2521, H04L67/59, H04L47/2483, H04L45/745, H04L61/2517, H04L61/2514
CPC classification number: H04L45/38, H04L61/2521, H04L67/59, H04L43/026, H04L45/745, H04L47/2483, H04L61/2514, H04L61/2517
Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.
-
38.
Publication number: US20230171185A1
Publication date: 2023-06-01
Application number: US18147063
Application date: 2022-12-28
Applicant: Cisco Technology, Inc.
Inventor: Kent Leung, Jianxin Wang
IPC: H04L45/00, H04L61/2521, H04L67/59
CPC classification number: H04L45/38, H04L61/2521, H04L67/59, H04L47/2483
Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.
-
39.
Publication number: US20210111993A1
Publication date: 2021-04-15
Application number: US17130865
Application date: 2020-12-22
Applicant: Cisco Technology, Inc.
Inventor: Kent Leung, Jianxin Wang
IPC: H04L12/721, H04L29/08, H04L29/12
Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.
-
40.
Publication number: US20200021520A1
Publication date: 2020-01-16
Application number: US16578517
Application date: 2019-09-23
Applicant: Cisco Technology, Inc.
Inventor: Kent Leung, Jianxin Wang
IPC: H04L12/721, H04L29/08
Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.
-