公开(公告)号：US20160359738A1

公开(公告)日：2016-12-08

申请号：US14730654

申请日：2015-06-04

Applicant: Cisco Technology, Inc.

Inventor： Michael L. Sullenberger ,  Manish Kumar ,  Eitan Ben-Nun ,  Anand Oswal

IPC: H04L12/741 ,  H04L12/46 ,  H04L29/06

CPC classification number: H04L12/4633 ,  H04L45/50 ,  H04L45/74 ,  H04L61/2592 ,  H04L69/22

Abstract: In one embodiment, a device in a network identifies a translated source network address for a tunnel source of a tunnel-in-tunnel packet. The device includes the translated source network address within a header of the packet. The header of the packet identifies an inner tunnel that is encapsulated within an outer tunnel during transmission of the packet within the network. The device sends the packet with the translated source network address within the header of the packet.

Abstract translation: 在一个实施例中，网络中的设备识别隧道隧道分组的隧道源的转换的源网络地址。 该设备包括分组报头内的经翻译的源网络地址。 分组的报头标识在网络内的分组传输期间封装在外部隧道内的内部隧道。 设备将数据包的转发源地址发送到数据包的头部。

公开(公告)号：US09729348B2

公开(公告)日：2017-08-08

申请号：US14730654

申请日：2015-06-04

Applicant: Cisco Technology, Inc.

Inventor： Michael L. Sullenberger ,  Manish Kumar ,  Eitan Ben-Nun ,  Anand Oswal

IPC: H04L12/46 ,  H04L29/12 ,  H04L12/741 ,  H04L29/06

CPC classification number: H04L12/4633 ,  H04L45/50 ,  H04L45/74 ,  H04L61/2592 ,  H04L69/22

Abstract: In one embodiment, a device in a network identifies a translated source network address for a tunnel source of a tunnel-in-tunnel packet. The device includes the translated source network address within a header of the packet. The header of the packet identifies an inner tunnel that is encapsulated within an outer tunnel during transmission of the packet within the network. The device sends the packet with the translated source network address within the header of the packet.

公开(公告)号：US10178181B2

公开(公告)日：2019-01-08

申请号：US14328094

申请日：2014-07-10

Applicant: Cisco Technology, Inc.

Inventor： Eitan Ben-Nun ,  Michael Zayats ,  Daniel G. Wing ,  Kirtesh Patil ,  Jaideep Padhye ,  Manohar B. Hungund ,  Saravanan Agasaveeran

IPC: H04L29/06 ,  H04L29/08

Abstract: An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

公开(公告)号：US09998428B2

公开(公告)日：2018-06-12

申请号：US14753172

申请日：2015-06-29

Applicant: Cisco Technology, Inc.

Inventor： Michael L. Sullenberger ,  Manish Kumar ,  Eitan Ben-Nun

IPC: H04L29/06

CPC classification number: H04L63/0272 ,  H04L63/029

Abstract: In one embodiment, a device in a network maintains first and second routing tables associated with a virtual private network (VPN) tunnel. The first and second routing tables comprise routing information used to route packets external to a particular routing domain. The device routes a first packet in the network via the VPN tunnel and a second tunnel that encapsulates the VPN tunnel, using the routing information in the first routing table. The device receives a second packet via the VPN tunnel that was routed to the device using the routing information in the second routing table and bypasses the second tunnel.

公开(公告)号：US20160380973A1

公开(公告)日：2016-12-29

申请号：US14753172

申请日：2015-06-29

Applicant: Cisco Technology, Inc.

Inventor： Michael T. Sullenberger ,  Manish Kumar ,  Eitan Ben-Nun

IPC: H04L29/06

CPC classification number: H04L63/0272 ,  H04L63/029

Abstract: In one embodiment, a device in a network maintains first and second routing tables associated with a virtual private network (VPN) tunnel. The first and second routing tables comprise routing information used to route packets external to a particular routing domain. The device routes a first packet in the network via the VPN tunnel and a second tunnel that encapsulates the VPN tunnel, using the routing information in the first routing table. The device receives a second packet via the VPN tunnel that was routed to the device using the routing information in the second routing table and bypasses the second tunnel.

Abstract translation: 在一个实施例中，网络中的设备维护与虚拟专用网（VPN）隧道相关联的第一和第二路由表。 第一和第二路由表包括用于在特定路由域外部路由分组的路由信息​​。 该设备通过VPN隧道在网络中路由第一个数据包，并使用第一个路由表中的路由信息​​来封装VPN隧道的第二个隧道。 设备经由VPN隧道接收第二个分组，该隧道使用第二个路由表中的路由信息​​路由到设备，并绕过第二个隧道。

公开(公告)号：US20150288679A1

公开(公告)日：2015-10-08

申请号：US14328094

申请日：2014-07-10

Applicant: Cisco Technology, Inc.

Inventor： Eitan Ben-Nun ,  Michael Zayats ,  Daniel G. Wing ,  Kirtesh Patil ,  Jaideep Padhye ,  Manohar B. Hungund ,  Saravanan Agasaveeran

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L67/141 ,  H04L63/0281 ,  H04L63/0823 ,  H04L63/168 ,  H04L67/28

Abstract: An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

Abstract translation: 提供了一种插入器，其被配置为通过获得应用程序会话安全状态来插入到应用程序安全协议交换中。 插件不需要持有客户端或服务器的任何私有密钥材料即可。 还提供了带外安全助理密钥托管服务（SAS / SAKE）。 SAKE驻留在安全的物理网络周边，并保存导出会话密钥所需的私人密钥材料，以插入到应用安全协议中。 在安全协议握手期间，插入器发送SAKE安全协议握手消息，并返回从SAKE会话安全状态接收，允许其参与应用安全协议。