Techniques to Classify Virtual Private Network Traffic Based on Identity
    1.
    Invention application
    Techniques to Classify Virtual Private Network Traffic Based on Identity (status: under examination, published)

    Publication (announcement) number: US20150067337A1

    Publication (announcement) date: 2015-03-05

    Application number: US14532131

    Application date: 2014-11-04

    Abstract: Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device. Source information associated with the first network device is stored, and encrypted traffic is processed between the network devices.


    Techniques to classify virtual private network traffic based on identity
    2.
    Granted invention patent
    Techniques to classify virtual private network traffic based on identity (status: in force)

    Publication (announcement) number: US09306936B2

    Publication (announcement) date: 2016-04-05

    Application number: US14532131

    Application date: 2014-11-04

    Abstract: Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device. Source information associated with the first network device is stored, and encrypted traffic is processed between the network devices.

