-
Publication No.: US11960607B2
Publication date: 2024-04-16
Application No.: US17547084
Filing date: 2021-12-09
Applicant: Cisco Technology, Inc.
Inventor: Eric Voit , Einar Nilsen-Nygaard , Frank Brockners , Pradeep Kumar Kathail
IPC: G06F21/57
CPC classification number: G06F21/57 , G06F2221/033
Abstract: This disclosure describes techniques for selectively placing and maintaining sensitive workloads in subsystems that achieve a minimum level of trustworthiness. An example method includes identifying at least one trustworthiness requirement associated with an application and transmitting, to a first subsystem, a request for at least one trustworthiness characteristic of the first subsystem and at least one second subsystem connected to the first subsystem. A response indicating the at least one trustworthiness characteristic is received from the first subsystem. The example method further includes determining that the at least one trustworthiness characteristic satisfies the at least one trustworthiness requirement; and causing the application to operate on a mesh comprising the first subsystem and the at least one second subsystem.
-
Publication No.: US11956273B2
Publication date: 2024-04-09
Application No.: US17818147
Filing date: 2022-08-08
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
IPC: H04L9/40
CPC classification number: H04L63/162 , H04L63/083 , H04L63/0853 , H04L63/126 , H04L63/1433
Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.
-
Publication No.: US11924043B2
Publication date: 2024-03-05
Application No.: US17517622
Filing date: 2021-11-02
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
CPC classification number: H04L41/12 , H04L45/02 , H04L45/26 , H04W40/246 , H04W84/18
Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. A recipient node in a network environment can receive a neighbor discovery (ND) message from an originating node in the network environment, where both nodes implement a neighbor discovery protocol. Trustworthiness of the originating node can be verified by identifying a level of trust of the originating node based on attestation information for the originating node included in the ND message received at the recipient node. Connectivity with the recipient node through the network environment can be managed based on the level of trust of the originating node identified from the attestation information included in the ND message.
-
Publication No.: US11863433B2
Publication date: 2024-01-02
Application No.: US18153903
Filing date: 2023-01-12
Applicant: Cisco Technology, Inc.
Inventor: Clarence Filsfils , Zafar Ali , Frank Brockners
IPC: H04L45/302 , H04L45/02 , H04L45/12 , H04L69/22
CPC classification number: H04L45/302 , H04L45/04 , H04L45/127 , H04L45/306 , H04L69/22 , H04L2212/00
Abstract: The present technology provides a system and method for implementing targeted collection of in-situ Operation, Administration and Maintenance data from select nodes in a Segment Routing Domain. The selection is programmable and is implemented by setting an iOAM bit in the function arguments field of a Segment Identifier. In this way, only the nodes associated with local Segment Identifiers (the Function field of a Segment Identifier) that carry an iOAM argument bit are directed to generate iOAM data. The iOAM data generated by target nodes may be stored in a TLV field of the segment routing header. The Segment Routing packet is then decapsulated at a Segment Routing egress node, and the header information with the collected iOAM data is sent to a controller entity for further processing, analysis and/or monitoring.
-
Publication No.: US11818044B2
Publication date: 2023-11-14
Application No.: US17377047
Filing date: 2021-07-15
Applicant: Cisco Technology, Inc.
Inventor: Atri Indiresan , Frank Brockners , Shwetha Subray Bhandari
IPC: H04W72/04 , H04L45/7453 , H04L41/0695 , H04L47/2483 , H04L61/5007
CPC classification number: H04L45/7453 , H04L41/0695 , H04L47/2483 , H04L61/5007
Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first value. The method further includes generating a second value by inputting the first value and one or more node details into a hash function. The method includes replacing the first value with the second value in the packet. The packet including the second value is forwarded by the node.
-
Publication No.: US20230275904A1
Publication date: 2023-08-31
Application No.: US18195081
Filing date: 2023-05-09
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari , Santhosh N , Rakesh Reddy Kandula , Saiprasad Reddy Muchala , Frank Brockners
CPC classification number: H04L63/123 , H04L45/72 , H04L9/321 , H04L63/0435 , H04L9/0869 , H04L63/0428
Abstract: Techniques to facilitate verification of in-situ network telemetry data of a data packet of data traffic in packet-switched networks are described herein. A technique described herein includes a network node obtaining a data packet of data traffic of a packet-switched network. The data packet includes an in-situ network telemetry block. The network node obtains telemetry data and a cryptographic key. The cryptographic key confidentially identifies the network node. The node encrypts at least a portion of the telemetry data based on the cryptographic key to produce signed telemetry data and updates a telemetry-data entry of the in-situ network telemetry block. The telemetry data and the signed telemetry data are inserted into the telemetry-data entry. The node forwards the data packet with the updated telemetry-data entry to another network node of the packet-switched network.
-
Publication No.: US20230188534A1
Publication date: 2023-06-15
Application No.: US17546492
Filing date: 2021-12-09
Applicant: Cisco Technology, Inc.
Inventor: Craig Thomas Hill , Sujal Sheth , Frank Brockners , Cesar Obediente
CPC classification number: H04L63/123 , H04L63/0464 , H04L63/205 , H04L9/0838
Abstract: According to an embodiment, a node comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the node to perform operations. The operations comprise determining security validation information that the node associates with a packet, inserting into the packet an identifier associated with the node and the security validation information that the node associates with the packet, and transmitting the packet comprising the identifier associated with the node and the security validation information that the node associates with the packet. The security validation information comprises one or more proof of security attributes and/or one or more proof of security level attributes.
-
Publication No.: US20230171172A1
Publication date: 2023-06-01
Application No.: US17538109
Filing date: 2021-11-30
Applicant: Cisco Technology, Inc.
Inventor: Domenico Ficara , Vincent Cuissard , Luca Bisti , Alessandro Erta , Arun Khanna , Frank Brockners
CPC classification number: H04L43/08 , H04L12/4633
Abstract: In one embodiment, a network device along a path in a network receives a schedule that controls when the network device is to insert telemetry data into data traffic passing through it. The network device generates the telemetry data for insertion into the data traffic passing through it. The network device inserts, according to the schedule, the telemetry data into a particular packet of the data traffic passing through it. The network device sends the particular packet to a next hop along the path in the network.
-
Publication No.: US20230155926A1
Publication date: 2023-05-18
Application No.: US18153903
Filing date: 2023-01-12
Applicant: Cisco Technology, Inc.
Inventor: Clarence Filsfils , Zafar Ali , Frank Brockners
IPC: H04L45/302 , H04L45/02 , H04L45/12 , H04L69/22
CPC classification number: H04L45/302 , H04L45/04 , H04L45/127 , H04L45/306 , H04L69/22 , H04L2212/00
Abstract: The present technology provides a system and method for implementing targeted collection of in-situ Operation, Administration and Maintenance data from select nodes in a Segment Routing Domain. The selection is programmable and is implemented by setting an iOAM bit in the function arguments field of a Segment Identifier. In this way, only the nodes associated with local Segment Identifiers (the Function field of a Segment Identifier) that carry an iOAM argument bit are directed to generate iOAM data. The iOAM data generated by target nodes may be stored in a TLV field of the segment routing header. The Segment Routing packet is then decapsulated at a Segment Routing egress node, and the header information with the collected iOAM data is sent to a controller entity for further processing, analysis and/or monitoring.
-
Publication No.: US11444955B2
Publication date: 2022-09-13
Application No.: US16916368
Filing date: 2020-06-30
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari , Santhosh N , Rakesh Reddy Kandula , Saiprasad Reddy Muchala , Frank Brockners
Abstract: Techniques to facilitate verification of in-situ network telemetry data of a data packet of data traffic in packet-switched networks are described herein. A technique described herein includes a network node obtaining a data packet of data traffic of a packet-switched network. The data packet includes an in-situ network telemetry block. The network node obtains telemetry data and a cryptographic key. The cryptographic key confidentially identifies the network node. The node encrypts at least a portion of the telemetry data based on the cryptographic key to produce signed telemetry data and updates a telemetry-data entry of the in-situ network telemetry block. The telemetry data and the signed telemetry data are inserted into the telemetry-data entry. The node forwards the data packet with the updated telemetry-data entry to another network node of the packet-switched network.
-