-
Publication No.: US20220247757A1
Publication Date: 2022-08-04
Application No.: US17728333
Filing Date: 2022-04-25
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari , Eric Voit , Frank Brockners , Carlos M. Pignataro , Nagendra Kumar Nainar
Abstract: Technologies for proving packet transit through uncompromised nodes are provided. An example method can include receiving a packet including one or more metadata elements generated based on security measurements from a plurality of nodes along a path of the packet; determining a validity of the one or more metadata elements based on a comparison of one or more values in the one or more metadata elements with one or more expected values calculated for the one or more metadata elements, one or more signatures in the one or more metadata elements, and/or timing information associated with the one or more metadata elements; and based on the one or more metadata elements, determining whether the packet traversed any compromised nodes along the path of the packet.
-
Publication No.: US20220239476A1
Publication Date: 2022-07-28
Application No.: US17659530
Filing Date: 2022-04-18
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node can include network devices, and the access control messages can be based on RADIUS or TACACS+ protocols, among others. The first node can obtain attestation information from one or more fields of the access control messages and determine whether the second node is authentic and trustworthy based on the attestation information. The first node can also determine the reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node a client, or the first node can be a client and the second node a server. The attestation information can include a Proof of Integrity based on a hardware fingerprint, a device identifier, or a Canary Stamp.
-
Publication No.: US11321465B2
Publication Date: 2022-05-03
Application No.: US16752488
Filing Date: 2020-01-24
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
Abstract: Technologies for attestation techniques, systems, and methods to confirm the integrity of a device for establishing and/or maintaining a trustworthy encrypted network session. An example method can include sending, via a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; determining whether to perform a next step in the cryptographic security protocol based on the level of trust, wherein the cryptographic security protocol comprises at least one of a Secure Shell (SSH) protocol, a Transport Layer Security (TLS) protocol, a Secure Sockets Layer (SSL) protocol, and an Internet Protocol Security (IPsec) protocol.
-
Publication No.: US11316869B2
Publication Date: 2022-04-26
Application No.: US16709532
Filing Date: 2019-12-10
Applicant: Cisco Technology, Inc.
Abstract: Disclosed is a method of establishing secure communications. The method includes receiving an attestation parameter associated with a first peer in a potential peer-to-peer communication, adding the attestation parameter to a MACsec Key Agreement (MKA) protocol key exchange, transmitting the key exchange from the first peer to a second peer in the potential peer-to-peer communication, and, upon validation of the attestation parameter by the second peer, enabling secure communication between the first peer and the second peer.
-
Publication No.: US20220086076A1
Publication Date: 2022-03-17
Application No.: US17532776
Filing Date: 2021-11-22
Applicant: Cisco Technology, Inc.
Inventor: Atri Indiresan , Frank Brockners , Akshay Dorwat
Abstract: This disclosure describes various methods, systems, and devices related to identifying an issue in a network using a probe packet. An example method includes identifying an expired data packet transmitted in a network and addressed to a destination; generating a probe packet addressed to the destination; and forwarding the probe packet. When the probe packet is received, a report indicating a routing loop in the network can be transmitted to an administrator.
-
Publication No.: US11102121B2
Publication Date: 2021-08-24
Application No.: US16661540
Filing Date: 2019-10-23
Applicant: Cisco Technology, Inc.
Inventor: Atri Indiresan , Frank Brockners , Shwetha Subray Bhandari
IPC: H04L29/06 , H04L12/743 , H04L12/851 , H04L29/12 , H04L12/24
Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first path signature. The method further includes generating a second path signature by inputting the first path signature and one or more node details into a hash function. The method includes replacing the first path signature with the second path signature in the packet. The packet including the second path signature is forwarded by the node.
-
Publication No.: US20210176255A1
Publication Date: 2021-06-10
Application No.: US16709532
Filing Date: 2019-12-10
Applicant: Cisco Technology, Inc.
Abstract: Disclosed is a method of establishing secure communications. The method includes receiving an attestation parameter associated with a first peer in a potential peer-to-peer communication, adding the attestation parameter to a MACsec Key Agreement (MKA) protocol key exchange, transmitting the key exchange from the first peer to a second peer in the potential peer-to-peer communication, and, upon validation of the attestation parameter by the second peer, enabling secure communication between the first peer and the second peer.
-
Publication No.: US11005756B2
Publication Date: 2021-05-11
Application No.: US16231197
Filing Date: 2018-12-21
Applicant: Cisco Technology, Inc.
IPC: H04L12/715 , H04L12/741 , H04L12/801 , H04L12/54 , H04L12/713 , H04L12/803 , H04L12/70
Abstract: In one embodiment, in-band operations data included in packets being processed is used to signal among entities of a virtualized packet processing apparatus. Using in-band operations data provides insight on actual entities used in processing of the packet within the virtualized packet processing apparatus. The operations data in the packet is modified to signal a detected overload condition of an entity that participates in communicating the packet within the virtualized packet processing apparatus and/or applying a network service to the packet. An In-Situ Operations, Administration, and Maintenance (IOAM) header is used in one embodiment, with the IOAM header typically including a new Overload Flag to signal the detection of the overload condition. In response to the signaled overload condition, a load balancer is adjusted such that future packets are not distributed to the virtualized entity associated with the detected overload condition.
-
59.
Publication No.: US20210092009A1
Publication Date: 2021-03-25
Application No.: US17020384
Filing Date: 2020-09-14
Applicant: Cisco Technology, Inc.
Inventor: Thomas Michel-Ange Feltin , Wenqin Shao , Parisa Foroughi , Frank Brockners
Abstract: Techniques and mechanisms for automatically identifying counters/features of a network component that are related to a state change (or event) for the network component or for the network itself. For example, using data obtained from the network component around a time of the state change, delta-averages for the counters/features around the time of the state change may be determined. The delta-averages may be utilized to determine which counters/features are most descriptive for a particular state change. Determining which counters/features are most descriptive may also include determining which counters/features are most relevant, i.e., counters/features that contribute most to preserving the manifold structure of the original data or counters/features with the highest or lowest correlation with the other counters/features in the data set. Thus, the techniques described herein provide for an approach to distill which counters/features contribute the most to a particular state change from a data driven perspective.
-
60.
Publication No.: US20200322375A1
Publication Date: 2020-10-08
Application No.: US16712584
Filing Date: 2019-12-12
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , William F. Sulzen , Frank Brockners
Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. An ARP responder can receive an ARP request from an ARP requestor for performing address resolution between the ARP requestor and the ARP responder in a network environment. The ARP responder can build an ARP response including attestation information of the ARP responder. Further, the ARP responder can provide, to the ARP requestor, the attestation information for verifying the ARP responder using the ARP response and the attestation information of the ARP responder.