Abstract:
In one embodiment, a method by a first network apparatus includes receiving an authorization request from a user device redirected from a second network apparatus, generating an authorization response comprising a resource authorization token, and transmitting the resource authorization token to the user device and to a distributed ledger for storage, wherein the distributed ledger is a blockchain record.
Abstract:
This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques including a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.
Abstract:
Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.
Abstract:
Presented herein are techniques to reduce the number of redirected subscriber packet flows while performing sticky hierarchical load balancing. An Nth head end network element may be activated such that a plurality of N head end network elements are active and capable of receiving and processing one or more packet flows. A primary load balancer may then be directed to overwrite a portion of pointers of a hash table in an evenly distributed manner with pointers to the Nth head end network element such that packet flows are forwarded to the Nth head end network element, wherein the hash table retains a static number of entries as the number of head end network elements is modified.
Abstract:
A method is provided in one example embodiment and includes receiving at a network element a packet associated with a flow and determining whether a flow cache of the network element includes an entry for the flow indicating a classification for the flow. The method further includes, if the network element flow cache does not include an entry for the flow, punting the packet over a default path to a classifying service function, in which the classifying service function classifies the flow and determines a control plane service function for handling the flow, and receiving from the classifying service function a service path identifier (“SPI”) of a service path leading to the determined control plane service function. The flow is subsequently offloaded from the classifying service function to the network element.
Abstract:
Particular embodiments described herein provide for a communication system that can be configured for receiving, at a network element, a flow offload decision for a first service node. The flow offload decision can include a portion of a service chain for processing a flow and updating next-hop flow-based routing information for the flow. A next hop in the flow can insert flow-specific route information in its routing tables to bypass a packet forwarder serving the service that offloaded the flow in the reverse direction.
Abstract:
An example method for load balancing in a network environment is provided and includes receiving a packet from a first stage load-balancer in a network environment, where the packet is forwarded from the first stage load-balancer to one of a plurality of second stage load-balancers in the network according to a hash-based forwarding scheme, and routing the packet from the second stage load-balancer to one of a plurality of servers in the network according to a per-session routing scheme. The per-session routing scheme includes retrieving a session routing state from a distributed hash table in the network. In a specific embodiment, the hash-based forwarding scheme includes equal-cost multi-path routing. The session routing state can include an association between a next hop for the packet and the packet's 5-tuple representing a session to which the packet belongs.
Abstract:
A method provided in one embodiment includes receiving a first data packet of a data flow at a first classifier in which the first data packet includes a first identifier. The method further includes determining a second classifier associated with the first identifier in which the second classifier is further associated with at least one service chain of a service chain environment. The method still further includes forwarding the first data packet to the second classifier. The second classifier is configured to receive the first data packet, determine a particular service chain of the at least one service chain to which the first data packet is to be forwarded, and forward the first data packet to the particular service chain.
Abstract:
An example method is provided in one example embodiment and includes receiving a packet of a session from a previous hop router at a service zone of a service chain; recording the previous hop router for the session; determining an appliance to service the packet in the service zone using load balancing; recording an appliance identity for servicing the session in the service zone; determining a next hop router in the service chain for the packet using load balancing; and recording the next hop router for the session.
Abstract:
A system and a method to map attack paths in a visualization interface may include storing, in a memory, an asset inventory indicating application assets, attack vector parameters configured to indicate vulnerabilities of one or more of the application assets, and asset mapping information. A processor may determine multiple vulnerable assets in the application assets based at least in part upon the attack vector parameters. Further, the processor may obtain security parameters from a security framework indicating one or more attack techniques, associate each of the vulnerable assets with one or more of the security parameters, and generate a visual interface showing the vulnerable assets and the security parameters. The processor may determine an attack path connecting the vulnerable assets based at least in part upon the asset mapping information, and map the attack path to the application layers and the security parameters in the visual interface.