公开(公告)号：US09525703B2

公开(公告)日：2016-12-20

申请号：US14521856

申请日：2014-10-23

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Surendra M. Kumar ,  Humberto J. La Roche ,  Jeffrey Napper ,  Kevin D. Shatzkamer ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/0435 ,  H04L63/168 ,  H04L67/02 ,  H04L67/42

Abstract: In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL; transmitting the at least one regular SSL record.

公开(公告)号：US20160344565A1

公开(公告)日：2016-11-24

申请号：US14717887

申请日：2015-05-20

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Robert M. Batz ,  Ian McDowell Campbell ,  Hendrikus G. P. Bosch

IPC: H04L12/14 ,  H04L29/12 ,  H04M15/00 ,  H04L29/08

CPC classification number: H04L12/1407 ,  H04L12/1403 ,  H04L41/0893 ,  H04L41/5096 ,  H04L43/028 ,  H04L61/25 ,  H04L61/2514 ,  H04L61/6068 ,  H04L67/1002 ,  H04L67/14 ,  H04M15/66 ,  H04M15/8044 ,  H04M15/8214

Abstract: A method is provided in one example embodiment and may include receiving a first Internet protocol (IP) flow for an IP session for a subscriber; selecting a first service function group from a plurality of service function groups to perform one or more services for the IP session for the subscriber, wherein each of the plurality of service function groups comprises a plurality of service function chain types and wherein each service function chain type comprises an ordered combination of one or more service functions; assigning the IP session for the subscriber to the first service function group; and forwarding the first IP flow for the IP session of the subscriber across a first service function chain type for the first service function group based, at least in part, on a service policy for the subscriber.

公开(公告)号：US09426176B2

公开(公告)日：2016-08-23

申请号：US14520118

申请日：2014-10-21

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Surendra M. Kumar ,  Humberto J. La Roche ,  Jeffrey Napper ,  Kevin D. Shatzkamer ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/0435 ,  H04L63/168 ,  H04L67/02 ,  H04L67/42

Abstract: In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL; transmitting the at least one regular SSL record.

公开(公告)号：US09300453B2

公开(公告)日：2016-03-29

申请号：US14086781

申请日：2013-11-21

Applicant: CISCO TECHNOLOGY, INC. ,  VODAFONE IP LICENSING LIMITED

Inventor： Malgorzata Kaczmarska-Wojtania ,  Martin Schubert ,  Hendrikus G. P. Bosch ,  Humberto J. La Roche ,  Adam O. MacHale ,  Walter Gottfried Bindrim ,  John L. Moughton

IPC: H04L5/00 ,  H04W4/00 ,  H04W8/18 ,  H04W76/02 ,  H04W8/20

CPC classification number: H04L5/0053 ,  H04W8/18 ,  H04W8/20 ,  H04W76/11

Abstract: A method is provided in one example embodiment and includes sending, by a first entity associated with an access network, a first request message including a session identifier associated with a user session to a second entity associated with a core network. The method further includes establishing a first control channel with the second entity in which the first control channel is associated with the session identifier. The first control channel is an in-band channel between the first entity and the second entity. The method further includes receiving policy information associated with the user session from the second entity using the first control channel. The policy information is indicative of one or more policies to be applied in the access network to user data associated with the user session.

Abstract translation: 在一个示例实施例中提供了一种方法，并且包括由与接入网络相关联的第一实体发送包括与用户会话相关联的会话标识符的第一请求消息到与核心网络相关联的第二实体。 该方法还包括与第二实体建立第一控制信道，其中第一控制信道与会话标识符相关联。 第一控制信道是第一实体与第二实体之间的带内信道。 该方法还包括使用第一控制信道从第二实体接收与用户会话相关联的策略信息。 策略信息指示要在接入网络中应用于与用户会话相关联的用户数据的一个或多个策略。

公开(公告)号：US20150365323A1

公开(公告)日：2015-12-17

申请号：US14301767

申请日：2014-06-11

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Jeffrey Napper

IPC: H04L12/741 ,  H04L12/851 ,  H04L12/801

CPC classification number: H04L45/745 ,  H04L47/18 ,  H04L47/2441

Abstract: An example method for distributed network address and port translation (NAPT) for migrating flows between service chains in a network environment is provided and includes distributing translation state for a flow traversing the network across a plurality of NAPT service nodes in the network, with packets belonging to the flow being translated according to the translation state, associating the flow with a first service chain at a flow classifier in the network, and updating the association when the flow migrates from the first service chain to a second service chain, with packets belonging to the migrated flow also being translated according to the translation state. The method may be executed at a pool manager in the network. In specific embodiments, the pool manager may include a distributed storage located across the plurality of NAPT service nodes.

Abstract translation: 提供了一种用于在网络环境中的服务链之间迁移流的分布式网络地址和端口转换（NAPT）的示例方法，并且包括：跨越网络中的多个NAPT服务节点的跨流过的流的分发转换状态，分组属于 根据所述翻译状态对所述流进行翻译，将所述流与所述网络中的流分类器处的第一服务链相关联，以及当所述流从所述第一服务链迁移到第二服务链时更新所述关联，其中分组属于 迁移流也根据翻译状态进行翻译。 该方法可以在网络中的池管理器处执行。 在具体实施例中，池管理器可以包括跨越多个NAPT服务节点的分布式存储器。

公开(公告)号：US20150365322A1

公开(公告)日：2015-12-17

申请号：US14304043

申请日：2014-06-13

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Kevin D. Shatzkamer ,  James N. Guichard ,  Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Humberto J. La Roche ,  Jeffrey Napper

IPC: H04L12/741 ,  H04L12/851 ,  H04L12/721

CPC classification number: H04L45/74 ,  H04L45/306 ,  H04L45/38 ,  H04L47/2441 ,  H04L47/2483

Abstract: A method provided in one embodiment includes receiving a first data packet of a data flow at a first classifier in which the first data packet includes a first identifier. The method further includes determining a second classifier associated with the first identifier in which the second classifier is further associated with at least one service chain of a service chain environment. The method still further includes forwarding the first data packet to the second classifier. The second classifier is configured to receive the first data packet, determine a particular service chain of the at least one service chain to which the first data packet is to be forwarded, and forward the first data packet to the particular service chain.

Abstract translation: 在一个实施例中提供的方法包括在第一分类器处接收数据流的第一数据分组，其中第一数据分组包括第一标识符。 该方法还包括确定与第一标识符相关联的第二分类器，其中第二分类器进一步与服务链环境的至少一个服务链相关联。 该方法还包括将第一数据分组转发到第二分类器。 第二分类器被配置为接收第一数据分组，确定要转发第一数据分组的至少一个服务链的特定服务链，并将第一数据分组转发到特定服务链。

公开(公告)号：US20150271204A1

公开(公告)日：2015-09-24

申请号：US14520118

申请日：2014-10-21

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Surendra M. Kumar ,  Humberto J. La Roche ,  Jeffrey Napper ,  Kevin D. Shatzkamer ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/0435 ,  H04L63/168 ,  H04L67/02 ,  H04L67/42

Abstract: In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL; transmitting the at least one regular SSL record.

公开(公告)号：US12238099B2

公开(公告)日：2025-02-25

申请号：US18323183

申请日：2023-05-24

Applicant: Cisco Technology, Inc.

Inventor： Stefan Olofsson ,  Ijsbrand Wijnands ,  Hendrikus G. P. Bosch

IPC: H04L9/40 ,  H04L12/46 ,  H04L61/256

Abstract: In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including receiving a user credential from a remote access client within a network and communicating the user credential to an authentication, authorization and accounting (AAA) server within the network. The operations also include receiving a user attribute from the AAA server and generating a contextual label based on the user attribute. The contextual label includes routing instructions associated with traffic behavior within the network. The operations further include advertising a control message, which includes the contextual label, to the remote access client.

公开(公告)号：US12232077B2

公开(公告)日：2025-02-18

申请号：US17931333

申请日：2022-09-12

Applicant: Cisco Technology, Inc.

Inventor： Anubhav Gupta ,  Hendrikus G. P. Bosch ,  Vamsidhar Valluri ,  Stefan Olofsson

IPC: H04W64/00 ,  H04L61/2585 ,  H04W24/08 ,  H04W48/16

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.

公开(公告)号：US20240273187A1

公开(公告)日：2024-08-15

申请号：US18326194

申请日：2023-05-31

Applicant: Cisco Technology, Inc.

Inventor： Marcelo Yannuzzi ,  Jean Diaconu ,  Jeffrey M. Napper ,  Herve Muyal ,  Hendrikus G. P. Bosch

IPC: G06F21/55 ,  G06F16/9035 ,  G06F16/907 ,  G06F21/62

CPC classification number: G06F21/552 ,  G06F16/9035 ,  G06F16/907 ,  G06F21/6254 ,  G06F2221/034

Abstract: In one embodiment, a method for storing auditable metadata, by a system, includes receiving incoming signals communicated from at least one application service to a first pod associated with a user space of a node. The method further includes extracting metadata associated with data provided by the received incoming signals. The method further includes receiving outgoing signals communicated from the first pod to an external entity, wherein the incoming signals and the outgoing signals are received by a listener module. The method further includes comparing the incoming signals to the outgoing signals to detect a variation and determining that the data has been transmitted to the external entity based on a determination that there is no detected variation from the comparison between the incoming signals and the outgoing signals.