Abstract:
Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced; transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; and receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent, the agents generating the metadata by applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.
Abstract:
Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
Abstract:
A method is provided in one example embodiment and includes receiving at a network element a packet including a Network Services Header (“NSH”), in which the NSH includes an Infrastructure (“I”) flag and a service path header comprising a Service Index (“SI”) and a Service Path ID (“SPI”), and determining whether the I flag is set to a first value. The method further includes, if the I flag is set to the first value, setting the I flag to a second value and forwarding the packet to the service function that corresponds to the SI for processing. The method still further includes, if the I flag is not set to the first value, decrementing the SI and making a forwarding decision based on a new value of the SI and the SPI.
Abstract:
A method is provided and may include receiving a request for a network content delivery service from an access device; directing the access device to a network service provider for authentication for the network content delivery service; receiving a network authorization token from the access device, where the network authorization token is associated with the access device; obtaining a network access token from the network service provider; and binding the network access token to a content access token.
Abstract:
An example method is provided and includes receiving a packet associated with a flow, determining a tunnel identifier for the flow, and determining a flow identifier for the flow. The method includes associating the flow identifier and the tunnel identifier to an Internet protocol (IP) address to generate a binding to be used for a network address and port translation (NAPT). In other embodiments, a routing decision is executed based on the binding between the identifiers and the IP address. The flow identifier can be a context identifier (CID), and the tunnel identifier can be a softwire tunnel ID. In yet other embodiments, the packet can be tagged as part of an encapsulation operation, which includes providing information about a network location at which the network address and port translation is to be executed.