-
Publication (Announcement) No.: US20250063014A1
Publication (Announcement) Date: 2025-02-20
Application No.: US18936837
Filing Date: 2024-11-04
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Vincent E. Parla
IPC: H04L61/2557 , H04L9/40 , H04L61/256 , H04L61/4511
Abstract: Techniques for binding communication flows to unique addresses and/or ports, and configuring networking devices internal to a network to apply policy without the need to further introspect a given stream. Further, by creating mappings of unique addresses and/or ports to flows, the network devices are able to enforce policy without needing to coordinate with an edge node of the network at which the communication session terminates. Further, the techniques may include providing an SDN controller with a mapping between a unique address/port and a network flow, determining flow-specific policy to enforce on the flow, and programming one or more network devices to enforce the flow-specific policy in the network using the unique address/port.
-
Publication (Announcement) No.: US20250039143A1
Publication (Announcement) Date: 2025-01-30
Application No.: US18625739
Filing Date: 2024-04-03
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Kyle Andrew Donald Mestery , Andrew Zawadowskiy
Abstract: A system and method are provided for communicating security service context within a network. Intermediary nodes located along the path of a data flow apply various security services to the data flow, and keep a record of the security services by generating in-band and out-of-band information. The in-band information is limited, e.g., by the maximum transmission unit (MTU), to short attestations that fit within optional IPv6 extension headers. The out-of-band information, which is recorded, e.g., in a ledger using an overlay network, provides additional information fully describing the security services. Based on the in-band and out-of-band information (e.g., using the attestations to retrieve the additional information from the ledger), the data flow is either allowed or denied entrance to a particular workload. Applying the security services and generating the in-band and out-of-band information can be performed using data processing units (DPUs) and/or extended Berkeley packet filters (eBPFs).
-
Publication (Announcement) No.: US20250039133A1
Publication (Announcement) Date: 2025-01-30
Application No.: US18623550
Filing Date: 2024-04-01
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Vincent Parla
IPC: H04L9/40
Abstract: A system and method are provided for adding in-band metadata to a data flow. The in-band metadata can be based on observations by an extended Berkeley packet filter (eBPF) of an application running in a datacenter, for example. A processor executes the application to generate data that is encoded in the payloads of packets in a data flow to be transmitted via a network to a destination. The eBPF is also executed on the processor and generates observations of the application (e.g., OSI layer 7 observations). Metadata is generated based on the observations and encoded into headers of the packets of the data flow. The metadata can then be used at the destination to determine the next processing steps for the data flow (e.g., whether the data flow is trusted and allowed into another workload).
-
Publication (Announcement) No.: US20250023852A1
Publication (Announcement) Date: 2025-01-16
Application No.: US18901354
Filing Date: 2024-09-30
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Vincent E. Parla
Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based network. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.
-
Publication (Announcement) No.: US20240430338A1
Publication (Announcement) Date: 2024-12-26
Application No.: US18829034
Filing Date: 2024-09-09
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Vincent E. Parla
IPC: H04L67/561 , H04L9/40 , H04L12/46 , H04L45/00 , H04L45/42 , H04L61/103 , H04L61/4511 , H04L67/02 , H04L67/101 , H04L67/1012 , H04L67/141 , H04L67/562
Abstract: Techniques for managing migrations of QUIC connection session(s) across proxy nodes, data centers, and/or private application nodes are described herein. A global key-value datastore, accessible by proxy nodes and/or application nodes, may store mappings between a first QUIC connection, associated with a proxy node and a client device, on the frontend of the proxy node and a second QUIC connection, associated with the proxy node and an application node, on the backend of the proxy node. With the global key-value datastore being accessible by the proxy nodes, when a proxy node receives a QUIC packet on the frontend or the backend, the proxy node may determine where to map this connection on the opposite end. Additionally, with the global key-value datastore being accessible to the application nodes, when an application node receives a QUIC packet, the application node may determine the client device associated with the connection.
-
Publication (Announcement) No.: US12101257B2
Publication (Announcement) Date: 2024-09-24
Application No.: US17681079
Filing Date: 2022-02-25
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery , Doron Levari
IPC: H04L47/12 , H04L67/141 , H04L67/148
CPC classification number: H04L47/12 , H04L67/141 , H04L67/148
Abstract: Techniques for scaling additional capacity for secure access solutions and other workloads of enterprise edge networks in and out of a cloud-computing network based on demand. The techniques may include determining that a capacity associated with a secure access node of an enterprise edge network meets or exceeds a threshold capacity. Based at least in part on the capacity meeting or exceeding the threshold capacity, the techniques may include causing a facsimile of the secure access node to be spun up on a cloud-computing network that is remote from the enterprise edge network. In this way, new connection requests received from client devices can be redirected to the facsimile of the secure access node. Additionally, or alternatively, one or more existing connections between client devices and the secure access node may be migrated to the facsimile of the secure access node in the cloud.
-
Publication (Announcement) No.: US20240314219A1
Publication (Announcement) Date: 2024-09-19
Application No.: US18670513
Filing Date: 2024-05-21
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Kyle Andrew Donald Mestery
IPC: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
CPC classification number: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
Abstract: Techniques for using computer networking protocol extensions to route control-plane traffic and data-plane traffic associated with a common application are described herein. For instance, a traffic flow associated with an application may be established such that control-plane traffic is sent to a control-plane node associated with the application and data-plane traffic is sent to a data-plane node associated with the application. When a client device sends an authentication request to connect to the application, the control-plane node may send an indication of a hostname to be used by the client device to send data-plane traffic to the data-plane node. As such, when a packet including the hostname corresponding to the data-plane node is received, the packet may be forwarded to the data-plane node.
-
Publication (Announcement) No.: US12081530B2
Publication (Announcement) Date: 2024-09-03
Application No.: US18234247
Filing Date: 2023-08-15
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Ian James Wells , Grzegorz Boguslaw Duraj
CPC classification number: H04L63/0478 , H04L9/321 , H04L12/4633 , H04L63/08
Abstract: Techniques and mechanisms to reduce double encryption of packets that are transmitted using encrypted tunnels. The techniques described herein include determining that portions of the packets are already encrypted, identifying portions of the packets that are unencrypted, and selectively encrypting the portions of the packets that are unencrypted prior to transmission through the encrypted tunnel. In this way, potentially private or sensitive data in the packets that is unencrypted, such as information in the packet headers, will be encrypted using the encryption protocol of the encrypted tunnel, but the data of the packets that is already encrypted, such as the payload, may avoid unnecessary double encryption. By reducing (or eliminating) the amount of data in data packets that is double encrypted, the amount of time taken by computing devices, and the computing resources consumed, to encrypt traffic for encrypted tunnels may be reduced.
-
Publication (Announcement) No.: US12058051B2
Publication (Announcement) Date: 2024-08-06
Application No.: US17678866
Filing Date: 2022-02-23
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Mark A. Bakke , William Mark Townsley
IPC: H04L47/2441 , H04L9/40 , H04L61/5007
CPC classification number: H04L47/2441 , H04L61/5007 , H04L63/02
Abstract: The present disclosure is directed to network traffic management and load balancing at a cloud-based secure access service accessible to remotely connected user devices. In one example, a cloud-based secure service system includes a network controller configured to receive network traffic from one or more user devices remotely connected to the controller; parse the network traffic into flow data and contextual information associated with the network traffic; determine that the network traffic is to be serviced by a target firewall service at the cloud-based secure service system based on the flow data and the contextual information; and direct the network traffic to the target firewall service to be serviced.
-
Publication (Announcement) No.: US12034813B2
Publication (Announcement) Date: 2024-07-09
Application No.: US18124435
Filing Date: 2023-03-21
Applicant: Cisco Technology, Inc.
Inventor: Paul Quinn , Kyle Andrew Donald Mestery
IPC: H04L61/4511 , H04L41/0894 , H04L41/50 , H04L67/141 , H04L101/668
CPC classification number: H04L67/141 , H04L41/0894 , H04L41/5058 , H04L61/4511 , H04L2101/668
Abstract: Techniques for policy-based connection provisioning using Domain Name System (DNS) requests are described herein. The techniques may include receiving policy data associated with one or more headend nodes that manage connections to computing resources. Additionally, the techniques may include receiving a DNS request from a client device to establish a connection between the client device and a first headend node of the one or more headend nodes. The DNS request may include an attribute associated with the client device. A provisioning service may determine that the connection should be established between the client device and the first headend node based at least in part on evaluating the attribute with respect to the policy data. Additionally, the techniques may include sending an internet protocol (IP) address, which is associated with the first headend node, to the client device to facilitate establishment of the connection.