公开(公告)号：US10439993B2

公开(公告)日：2019-10-08

申请号：US15095421

申请日：2016-04-11

Applicant: Cisco Technology, Inc.

Inventor： Brian Eliot Weis

IPC: H04L9/32 ,  H04L29/06 ,  H04L12/46

Abstract: Presented herein is a system to set up a secure connection between nodes on two enterprise networks across a public network. The system includes a network element associated with each enterprise network. The first network element transmits a map request to a mapping server. The map request includes a destination address on the second enterprise network and a peer introduction request. The first network element includes a first key generation material in the peer introduction request. The second network element is configured to receive the map request forwarded from the mapping server, generate a map reply corresponding to the map request, and transmit the map reply to the first network element. The map reply includes a peer introduction reply with a second key generation material. The first network generates a secure key by inserting the second key generation material into a first key derivation function.

公开(公告)号：US09992310B2

公开(公告)日：2018-06-05

申请号：US15077061

申请日：2016-03-22

Applicant: Cisco Technology, Inc.

Inventor： Kuralvanan Arangasamy ,  Brian Eliot Weis ,  Rakesh Chopra ,  Hugo J. W. Vliegen

IPC: H04L12/28 ,  H04L29/06 ,  H04L12/46

CPC classification number: H04L69/22 ,  H04L12/28 ,  H04L12/4633 ,  H04L63/0428 ,  H04L63/162 ,  H04L63/164

Abstract: An egress frame processing method, an Ethernet frame is received. Information defining an Internet Protocol (IP) tunnel between the network device and a peer network device over a public wide area network is determined. A media access control security (MACsec) policy that defines how to protect the Ethernet frame is determined based on the information defining the IP tunnel. The Ethernet frame is protected according to the MACsec policy. The following fields are appended to the protected Ethernet frame: (i) an unprotected layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol; (ii) an unprotected IP header corresponding to the IP tunnel; and (iii) an unprotected outer Ethernet header, to produce a partly protected egress frame. The partly protected egress frame is transmitted to the peer network device over the IP tunnel of the public wide area network.

公开(公告)号：US09794234B2

公开(公告)日：2017-10-17

申请号：US14810899

申请日：2015-07-28

Applicant: Cisco Technology, Inc.

Inventor： Padmakumar Ampady Vasudevan Pillai ,  Brian Eliot Weis ,  Thamilarasu Kandasamy

IPC: H04L29/06

CPC classification number: H04L63/0435 ,  H04L9/08 ,  H04L63/061 ,  H04L63/062

Abstract: A Key Generation System (KGS) includes a key server, a first network element, and a second network element. The first and second network elements register with the key server and receive first and second KGS key seeds and first and second KGS identifiers, respectively. The first network element transmits the first KGS identifier to the second network element and obtains the second KGS identifier. The first network element computes a shared key based on the first KGS key seed and the second KGS identifier. The second network element receives the first KGS identifier from the first network element and computes the shared key based on the second KGS key seed and the first KGS identifier.

公开(公告)号：US20170142064A1

公开(公告)日：2017-05-18

申请号：US14944743

申请日：2015-11-18

Applicant: Cisco Technology, Inc.

Inventor： Brian Eliot Weis ,  Peter Geoffrey Jones

IPC: H04L29/12 ,  H04L29/06

CPC classification number: H04L61/6022 ,  H04L61/2038 ,  H04L63/0428 ,  H04L63/061 ,  H04L63/08 ,  H04L63/123 ,  H04L63/162

Abstract: At a network device configured to control access to a network, a client device authentication request is received from a client device. The request includes identity credentials and a temporary media access control (MAC) address of the client device. The client device is successfully authenticated based on the identity credentials. After authentication, a new MAC address is established in the client device. A data frame is received from at the network device. It is determined whether the client device is using the new MAC address based on the received data frame. If it is determined that the client device is using the new MAC address, the client device is permitted access the network.

公开(公告)号：US20170054758A1

公开(公告)日：2017-02-23

申请号：US15058447

申请日：2016-03-02

Applicant: Cisco Technology, Inc.

Inventor： Fabio R. Maino ,  Horia Miclea ,  John Evans ,  Brian Eliot Weis ,  Vina Ermagan

IPC: H04L29/06

CPC classification number: H04L47/781 ,  H04L41/0823 ,  H04L41/5025 ,  H04L43/0882 ,  H04L45/64

Abstract: High-level network policies that represent a virtual private network (VPN) as a high-level policy model are received. The VPN is to provide secure connectivity between connection sites of the VPN based on the high-level network policies. The high-level network policies are translated into low-level device configuration information represented in a network overlay and used for configuring a network underlay that provides the connections sites to the VPN. The network underlay is configured with the device configuration information so that the network underlay implements the VPN in accordance with the high-level policies. It is determined whether the network underlay is operating to direct traffic flows between the connection sites in compliance with the high-level network policies. If it is determined that the network underlay is not operating in compliance, the network underlay is reconfigured with new low-level device configuration information so that the network underlay operates in compliance.

Abstract translation: 收到代表虚拟专用网（VPN）作为高级策略模型的高级网络策略。 VPN是基于高级网络策略在VPN的连接站点之间提供安全连接。 高级网络策略被转换为在网络覆盖中表示的低级设备配置信息，并用于配置向VPN提供连接站点的网络底层。 网络底层配置了设备配置信息，使得网络底层根据高级策略实现VPN。 确定网络底层是否正在操作以在连接站点之间引导符合高级网络策略的业务流。 如果确定网络底层不符合操作，则使用新的低级设备配置信息来重新配置网络底层，使得网络底层符合操作。

公开(公告)号：US20170054692A1

公开(公告)日：2017-02-23

申请号：US15095421

申请日：2016-04-11

Applicant: Cisco Technology, Inc.

Inventor： Brian Eliot Weis

IPC: H04L29/06 ,  H04L12/46

CPC classification number: H04L63/0428 ,  H04L12/4633 ,  H04L63/0272 ,  H04L63/029 ,  H04L63/061 ,  H04L63/20 ,  H04L2463/061

Abstract: Presented herein is a system to set up a secure connection between nodes on two enterprise networks across a public network. The system includes a network element associated with each enterprise network. The first network element transmits a map request to a mapping server. The map request includes a destination address on the second enterprise network and a peer introduction request. The first network element includes a first key generation material in the peer introduction request. The second network element is configured to receive the map request forwarded from the mapping server, generate a map reply corresponding to the map request, and transmit the map reply to the first network element. The map reply includes a peer introduction reply with a second key generation material. The first network generates a secure key by inserting the second key generation material into a first key derivation function.

Abstract translation: 这里提出的是在公共网络上的两个企业网络上的节点之间建立安全连接的系统。 该系统包括与每个企业网络相关联的网络元件。 第一个网络元件将地图请求发送到映射服务器。 地图请求包括第二企业网络上的目的地地址和对等体引入请求。 第一网元包括对等引入请求中的第一密钥生成材料。 第二网元被配置为接收从映射服务器转发的地图请求，生成与地图请求对应的地图应答，并将地图回复发送给第一网元。 地图回复包括具有第二密钥生成资料的对等体介绍回复。 第一网络通过将第二密钥生成材料插入到第一密钥导出函数中来生成安全密钥。