-
Publication No.: US11212119B2
Publication Date: 2021-12-28
Application No.: US16782235
Application Date: 2020-02-05
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari , Eric Voit , Jesse Daniel Backman , Robert Stephen Rodgers , Joseph Eryx Malcolm
Abstract: A methodology for requesting at least one signed security measurement from at least one module with a corresponding cryptoprocessor is provided. The methodology includes receiving the at least one signed security measurement from the at least one module with the corresponding cryptoprocessor; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.
-
62.
Publication No.: US11165861B2
Publication Date: 2021-11-02
Application No.: US16783942
Application Date: 2020-02-06
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.
-
63.
Publication No.: US10887209B2
Publication Date: 2021-01-05
Application No.: US15996796
Application Date: 2018-06-04
Applicant: Cisco Technology, Inc.
IPC: H04L12/26 , H04L12/761 , H04L12/753 , H04L29/06
Abstract: A method is provided that is performed by a network element in a network. The network element receives a packet. The network element inserts, into a header of the packet, packet replication information indicating whether and to which egress interface the network element performs a replication operation on the packet, wherein the header is an In-Situ Operations, Administration and Management (IOAM) header. The network element sends the packet, with the packet replication information included in the IOAM header, in the network.
-
64.
Publication No.: US10833975B2
Publication Date: 2020-11-10
Application No.: US16230933
Application Date: 2018-12-21
Applicant: Cisco Technology, Inc.
IPC: G06F15/173 , H04L12/761 , H04L12/749 , H04L12/723 , H04L12/715
Abstract: In one embodiment, improved operations processing of multiple-protocol packets is performed by a node connected to a network. Received is a multiple-protocol (MP) packet that has multiple protocol headers, each having an operations data field. The operations data field of a first protocol header includes first protocol ordered operations data. Operations data is cohered from the operations data field of each of multiple protocol headers into the operations data field of a second protocol header resulting in the operations data field of the second protocol header including ordered MP operations data evidencing operations data of each of the multiple network nodes in a node traversal order taken by the MP packet among multiple network nodes. The ordered MP operations data includes said first protocol ordered operations data cohered from the operations data field of the first protocol header.
-
Publication No.: US20200322353A1
Publication Date: 2020-10-08
Application No.: US16555869
Application Date: 2019-08-29
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari , Eric Voit , Frank Brockners , Carlos M. Pignataro , Nagendra Kumar Nainar
IPC: H04L29/06
Abstract: Technologies for proving packet transit through uncompromised nodes are provided. An example method can include receiving a packet including one or more metadata elements generated based on security measurements from a plurality of nodes along a path of the packet; determining a validity of the one or more metadata elements based on a comparison of one or more values in the one or more metadata elements with one or more expected values calculated for the one or more metadata elements, one or more signatures in the one or more metadata elements, and/or timing information associated with the one or more metadata elements; and based on the one or more metadata elements, determining whether the packet traversed any compromised nodes along the path of the packet.
-
Publication No.: US20200322334A1
Publication Date: 2020-10-08
Application No.: US16782903
Application Date: 2020-02-05
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
IPC: H04L29/06
Abstract: Systems, methods, and computer-readable media for authenticating extensible authentication protocol (EAP) messages include receiving, at a first node, EAP messages from a second node. The first node and the second node can include network devices, and the EAP messages can be based on the Diameter protocol or others. The first node can obtain attestation information from one or more EAP messages to determine whether the second node is authentic and trustworthy based on the attestation information. The EAP messages can include a Capabilities Exchange Request (CER) or a Capabilities Exchange Answer (CEA) whose fields or combination of fields can include the attestation information. The EAP messages can also include a Trust Information Request (TIR) or a Trust Information Answer (TIA) which include the authentication information. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.
-
Publication No.: US10735308B2
Publication Date: 2020-08-04
Application No.: US16230751
Application Date: 2018-12-21
Applicant: Cisco Technology, Inc.
Inventor: Eric Voit , Shwetha Subray Bhandari , William F. Sulzen , Sujal Sheth
IPC: H04L12/761 , H04L29/06 , H04L12/721 , H04L12/773 , H04L12/751
Abstract: At a networking device, a method includes obtaining, according to a predefined protocol, a first plurality of attestation vectors from a corresponding plurality of candidate next-hop nodes. Each of the plurality of candidate next-hop nodes is included within a respective route between a particular node and a destination node. The method further includes determining a plurality of confidence scores. Each of the plurality of confidence scores is based on a comparison between a corresponding one of the first plurality of attestation vectors and a trusted image vector. The method further includes selecting, from the plurality of confidence scores, a particular confidence score that satisfies one or more selection criteria. The particular confidence score is associated with a particular candidate next-hop node of the plurality of candidate next-hop nodes. The method further includes directing, to the particular candidate next-hop node, a data packet destined for the destination node.
-
Publication No.: US10361969B2
Publication Date: 2019-07-23
Application No.: US15252028
Application Date: 2016-08-30
Applicant: CISCO TECHNOLOGY, INC.
Inventor: Hendrikus G. P. Bosch , Jeffrey Napper , Surendra M. Kumar , Alessandro Duminuco , Sape Jurriën Mullender , Humberto J. La Roche , Louis Gwyn Samuel , Frank Brockners , Shwetha Subray Bhandari
IPC: H04L12/917 , H04L12/911 , H04L12/725 , H04L12/841
Abstract: An example method is provided in one example embodiment and may include configuring a measurement indication for a packet; forwarding the packet through a service chain comprising one or more service functions; recording measurement information for the packet as it is forwarded through the service chain; and managing capacity for the service chain based, at least in part, on the measurement information. In some cases, the method can include determining end-to-end measurement information for the service chain using the recorded measurement information. In some cases, managing capacity for the service chain can further include identifying a particular service function as a bottleneck service function for the service chain; and increasing capacity for the bottleneck service. In various instances, increasing capacity for the bottleneck service can include at least one of: instantiating additional instances of the bottleneck service; and instantiating additional instances of the service chain.
-
Publication No.: US20190141168A1
Publication Date: 2019-05-09
Application No.: US15844741
Application Date: 2017-12-18
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari , Frank Brockners , Akshaya Nadahalli , Carlos M. Pignataro
IPC: H04L29/06 , H04L12/741 , H04L12/805
CPC classification number: H04L69/22 , H04L43/026 , H04L43/028 , H04L43/04 , H04L45/74 , H04L47/36 , H04L67/2804
Abstract: A method is provided that is performed at one or more intermediate nodes in a path in a network. The node receives a packet having a header that includes metadata that has been accumulated as the packet travels along the path in the network. The node detects whether a trigger condition has occurred. In response to detecting that the trigger condition has occurred, the node exports, to a destination entity, at least a portion of the metadata that has been accumulated in the header, so that the portion of the metadata is removed from the header after it has been exported.
-
Publication No.: US10277686B2
Publication Date: 2019-04-30
Application No.: US14812367
Application Date: 2015-07-29
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari , Pascal Thubert , Selvaraj Mani
IPC: H04L29/08 , H04L12/741 , H04L12/701 , H04L12/751
Abstract: In one embodiment, a method comprises generating, by a network device in a network, a Bloom filter bit vector representing services provided by service provider devices in the network; and the network device executing a service discovery operation based on identifying, relative to the Bloom filter bit vector, whether an identified service in a received message is executed in the network.