Abstract:
Techniques and architecture are described for validating and verifying iPXE scripts prior to execution during a booting process. During the booting process of a network device, right after the UEFI/BIOS stage of the booting process, a trusted iPXE script may make a request to a network server for the ownership voucher and owner certificate of the network device. The ownership voucher and owner certificate may then be stored in a trusted platform module (TPM) on the network device. In configurations, the retrieved owner certificate may be validated by the ownership voucher. The owner certificate may be used to validate iPXE scripts. Once validated, the iPXE scripts may be executed and the booting process may be continued to the kernel loading step and the application loading step. During a subsequent booting process of the network device, the ownership voucher and owner certificate may be retrieved from the TPM.
Abstract:
Techniques and architecture are described for providing a configurable security posture for a network device using an extended ownership artifact, e.g., an ownership voucher, an ownership certificate, etc., and a security profile mechanism that scales to user needs and desires for security profiles on network devices, i.e., easily and securely customizable on thousands of nodes of a network. The configurable security posture may be achieved using the manufacturer authorized signing authority (MASA) to issue an ownership voucher with a security bit extension to support security profile additions. Using the MASA service, a user may explicitly decide on various security postures of a given network device and may apply that profile across the fixed or modular chassis of a network of network devices.
Abstract:
In one embodiment, a method includes assigning a discriminator to a target in communication with a reflector at a network device, identifying, at the reflector, a packet comprising the discriminator, the packet transmitted from an initiator in a seamless bidirectional forwarding detection (S-BFD) session, and transmitting a response packet from the reflector to the initiator. The response packet includes information for the target obtained by the reflector through monitoring of the target. The target may comprise a plurality of entities. An apparatus and logic are also disclosed herein.
Abstract:
In one embodiment, methods for mediated transfer of ownership are described. The method may include receiving a request for an ownership voucher from a device, validating an identifier of the device, determining whether to issue the ownership voucher, generating a signed ownership voucher, and sending the signed ownership voucher to the device. In another embodiment, methods for unmediated transfer of ownership are described, including receiving an ownership voucher associated with a first ownership certificate, determining whether the ownership voucher comprises a signature associated with a manufacturer, based at least in part on determining that the signature of the manufacturer is absent, determining that a second ownership certificate is stored in memory, determining that the second ownership certificate comprises a signature associated with a user, validating the ownership voucher, and based at least in part on the validating, enrolling the first ownership certificate on the network device.
Abstract:
Systems, methods, and computer-readable media for authenticating time sources using attestation-based techniques include receiving, at a destination device, a time reference signal from a source device, the source and destination devices being network devices. The time reference signal can include a time synchronization signal or a time distribution signal. The destination device can obtain attestation information from one or more fields of the time reference signal and determine whether the source device is authentic and trustworthy based on the attestation information. The destination device can also determine reliability or freshness of the time reference signal based on the attestation information. The time reference signal can be based on a Network Time Protocol (NTP), a Precision Time Protocol (PTP), or other protocol. The attestation information can include Proof of Integrity based on a Canary stamp, a hardware fingerprint, a Secure Unique Device Identification (SUDI) of the source device, or an attestation key.