-
Publication number: US20170111209A1
Publication date: 2017-04-20
Application number: US15148864
Filing date: 2016-05-06
Applicant: CISCO TECHNOLOGY, INC.
Inventor: David D. Ward , Carlos M. Pignataro , Frank Brockners , Shwetha Subray Bhandari
CPC classification number: H04L41/0631 , H04L12/4633 , H04L12/4641 , H04L12/56 , H04L41/04 , H04L41/0677 , H04L41/0686 , H04L43/024 , H04L43/04 , H04L43/0811 , H04L43/0817 , H04L43/0829 , H04L43/0852 , H04L43/087 , H04L43/0876 , H04L43/10 , H04L45/50 , H04L69/22 , H04L2012/5625
Abstract: Embodiments of the disclosure pertain to activating in-band OAM (operations, administration and maintenance) based on a triggering event. Aspects of the embodiments are directed to receiving a first notification indicating a problem in a network; triggering a data-collection feature on one or more nodes in the network for subsequent packets that traverse the one or more nodes; evaluating a subsequent packet that includes data added by the data-collection feature; and determining the problem in the network based on the data added to the subsequent packet.
-
Publication number: US12267357B2
Publication date: 2025-04-01
Application number: US17672502
Filing date: 2022-02-15
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , William F. Sulzen , Frank Brockners
IPC: H04L9/40 , H04L61/103
Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. An ARP responder can receive an ARP request from an ARP requestor for performing address resolution between the ARP requestor and the ARP responder in a network environment. The ARP responder can build an ARP response including attestation information of the ARP responder. Further, the ARP responder can provide, to the ARP requestor, the attestation information for verifying the ARP responder using the ARP response and the attestation information of the ARP responder.
-
Publication number: US12206581B2
Publication date: 2025-01-21
Application number: US18377712
Filing date: 2023-10-06
Applicant: Cisco Technology, Inc.
Inventor: Atri Indiresan , Frank Brockners , Shwetha Subray Bhandari
IPC: H04L45/74 , H04L41/0695 , H04L45/7453 , H04L47/2483 , H04L61/5007
Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first signature. The method further includes generating a second signature by inputting the first signature and one or more node details into a hash function. The method includes replacing the first signature with the second signature in the packet. The packet including the second signature is then forwarded by the node.
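As an added illustration of the hash-chained path signature described in this abstract (example code, not code from the patent or from Cisco): each hop replaces the in-packet signature with H(signature || node details), and a collector at the egress compares the per-flow value it sees against the first one it recorded, reporting a change when the flow takes another path. Assumptions not in the abstract: SHA-256 as the hash function, the node identifier plus egress interface as the node details, and an 8-byte signature field; the node names, flow string and paths are constructed fixtures.

```python
import hashlib
from dataclasses import dataclass

SIG_LEN = 8  # assumed size of the in-packet signature field (illustrative)


@dataclass
class Packet:
    flow: str                              # stand-in for the flow's 5-tuple
    payload: bytes
    signature: bytes = b"\x00" * SIG_LEN   # initial value set by the ingress node


def next_signature(prev_sig: bytes, node_id: str, egress_if: str) -> bytes:
    """Second signature = H(first signature || node details), truncated to the field size.

    Assumed node details: node identifier plus egress interface name."""
    h = hashlib.sha256()
    h.update(prev_sig)
    h.update(node_id.encode() + b"|" + egress_if.encode())
    return h.digest()[:SIG_LEN]


def forward(pkt: Packet, node_id: str, egress_if: str) -> Packet:
    """Per-hop step from the abstract: replace the signature in place, then forward."""
    pkt.signature = next_signature(pkt.signature, node_id, egress_if)
    return pkt


def signature_for(path: list) -> bytes:
    """Signature a packet carries after traversing `path` (a list of (node, egress_if))."""
    pkt = Packet(flow="any", payload=b"")
    for node_id, egress_if in path:
        forward(pkt, node_id, egress_if)
    return pkt.signature


class PathMonitor:
    """Egress-side collector: remembers the first signature seen per flow and flags changes.

    The chain is order-sensitive, so a reroute, an inserted hop or a different egress
    interface all change the final value, while packets on the same path agree."""

    def __init__(self) -> None:
        self.baseline = {}

    def observe(self, pkt: Packet) -> str:
        first = self.baseline.setdefault(pkt.flow, pkt.signature)
        return "unchanged" if first == pkt.signature else "path-change"


# constructed sample paths: the second one reroutes around r2 via r4
PATH_A = [("r1", "eth1"), ("r2", "eth0"), ("r3", "eth2")]
PATH_B = [("r1", "eth2"), ("r4", "eth0"), ("r3", "eth2")]


def demo() -> list:
    mon = PathMonitor()
    verdicts = []
    for path in (PATH_A, PATH_A, PATH_B):
        pkt = Packet(flow="10.0.0.1:443->10.0.1.9:51000", payload=b"...")
        for node_id, egress_if in path:
            forward(pkt, node_id, egress_if)
        verdicts.append(mon.observe(pkt))
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['unchanged', 'unchanged', 'path-change']
```

Note that the chain as described carries no secret: it tells the collector that the path changed, not that the reported path is genuine, since any node on the path can write whatever value it likes into the field. Proving transit through specific, uncompromised nodes is the subject of the later entry on this page.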
-
Publication number: US11570242B2
Publication date: 2023-01-31
Application number: US17499731
Filing date: 2021-10-12
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
IPC: G06F15/173 , H04L67/104 , H04L9/40 , H04W24/10 , H04L9/32 , H04L61/4511 , H04L67/1001
Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.
-
Publication number: US20220247757A1
Publication date: 2022-08-04
Application number: US17728333
Filing date: 2022-04-25
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari , Eric Voit , Frank Brockners , Carlos M. Pignataro , Nagendra Kumar Nainar
Abstract: Technologies for proving packet transit through uncompromised nodes are provided. An example method can include receiving a packet including one or more metadata elements generated based on security measurements from a plurality of nodes along a path of the packet; determining a validity of the one or more metadata elements based on a comparison of one or more values in the one or more metadata elements with one or more expected values calculated for the one or more metadata elements, one or more signatures in the one or more metadata elements, and/or timing information associated with the one or more metadata elements; and based on the one or more metadata elements, determining whether the packet traversed any compromised nodes along the path of the packet.
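As an added illustration covering this abstract and the verifier/Known Good Value abstract of US11570242B2 above (example code, not code from the patents or from Cisco): each node appends a metadata element carrying its security measurement, a timestamp and a tag that chains it to the previous element; the verifier recomputes the tags (the signature check), compares each measurement with its Known Good Value (the expected value), checks the timestamp (the timing information), and decides whether any hop along the path was compromised. Assumptions not in the abstracts: a per-node symmetric key that the verifier also holds, a hex digest standing in for the node's boot/firmware measurement, and a fixed freshness window; node names, keys and values are constructed fixtures. A deployment would use hardware-rooted asymmetric keys rather than shared secrets.

```python
import hashlib
import hmac
from dataclasses import dataclass

FRESHNESS_SEC = 5.0      # assumed: maximum age of a hop's element before it counts as stale
ZERO_TAG = b"\x00" * 32  # chain start for the first hop


@dataclass(frozen=True)
class MetaElement:
    node_id: str
    measurement: str   # hex digest standing in for the node's boot/firmware measurement
    timestamp: float   # when the node stamped the packet
    tag: bytes         # HMAC over the previous tag and this hop's fields


def hop_tag(key: bytes, prev_tag: bytes, node_id: str, measurement: str, ts: float) -> bytes:
    msg = b"|".join([prev_tag, node_id.encode(), measurement.encode(), repr(ts).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


def stamp(chain: list, key: bytes, node_id: str, measurement: str, ts: float) -> None:
    """What an honest node does on forwarding: append its element, chained to the last tag."""
    prev = chain[-1].tag if chain else ZERO_TAG
    chain.append(MetaElement(node_id, measurement, ts, hop_tag(key, prev, node_id, measurement, ts)))


def verify_transit(chain: list, node_keys: dict, known_good: dict, now: float) -> tuple:
    """Check every element's signature, its measurement against the Known Good Value,
    and its timing. Returns (clean, findings); clean is True only when every hop passed."""
    findings = {}
    prev = ZERO_TAG
    for el in chain:
        problems = []
        key = node_keys.get(el.node_id)
        if key is None:
            problems.append("unknown-node")
        elif not hmac.compare_digest(el.tag, hop_tag(key, prev, el.node_id, el.measurement, el.timestamp)):
            problems.append("bad-signature")
        if known_good.get(el.node_id) != el.measurement:
            problems.append("measurement-not-known-good")
        age = now - el.timestamp
        if not 0.0 <= age <= FRESHNESS_SEC:
            problems.append("stale-or-future-timestamp")
        findings[el.node_id] = problems
        prev = el.tag  # downstream honest nodes chain over whatever tag they received
    clean = bool(chain) and not any(findings.values())
    return clean, findings


# constructed fixtures: per-node keys (held by node and verifier) and Known Good Values
NODE_KEYS = {"r1": b"k-r1", "r2": b"k-r2", "r3": b"k-r3"}
KNOWN_GOOD = {n: hashlib.sha256(f"good-firmware-{n}".encode()).hexdigest() for n in NODE_KEYS}
T0 = 1_700_000_000.0


def honest_chain() -> list:
    chain = []
    for i, n in enumerate(("r1", "r2", "r3")):
        stamp(chain, NODE_KEYS[n], n, KNOWN_GOOD[n], T0 + i * 0.01)
    return chain


def compromised_r2_chain() -> list:
    """r2 boots modified firmware: its measurement no longer matches the Known Good Value."""
    chain = []
    stamp(chain, NODE_KEYS["r1"], "r1", KNOWN_GOOD["r1"], T0)
    stamp(chain, NODE_KEYS["r2"], "r2", hashlib.sha256(b"backdoored").hexdigest(), T0 + 0.01)
    stamp(chain, NODE_KEYS["r3"], "r3", KNOWN_GOOD["r3"], T0 + 0.02)
    return chain


def forged_r2_chain() -> list:
    """An on-path attacker inserts a good-looking r2 element without holding r2's key."""
    chain = []
    stamp(chain, NODE_KEYS["r1"], "r1", KNOWN_GOOD["r1"], T0)
    stamp(chain, b"wrong-key", "r2", KNOWN_GOOD["r2"], T0 + 0.01)
    stamp(chain, NODE_KEYS["r3"], "r3", KNOWN_GOOD["r3"], T0 + 0.02)
    return chain


if __name__ == "__main__":
    for name, chain in (("honest", honest_chain()), ("compromised", compromised_r2_chain()),
                        ("forged", forged_r2_chain())):
        print(name, verify_transit(chain, NODE_KEYS, KNOWN_GOOD, T0 + 1.0))
    print("replayed", verify_transit(honest_chain(), NODE_KEYS, KNOWN_GOOD, T0 + 60.0))
```

The three checks fail independently, which is what makes the findings useful: a node that runs tampered firmware still signs correctly but fails the Known Good Value comparison, an element forged without the node's key fails the signature check even though its measurement looks right, and a recorded chain replayed later fails only on timing. Because each honest node chains over the tag it actually received, a forged hop does not invalidate the genuine hops after it, so the verifier can localise the problem to one node rather than discarding the whole path.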
-
Publication number: US20220239476A1
Publication date: 2022-07-28
Application number: US17659530
Filing date: 2022-04-18
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node can be network devices, and the access control messages can be based on the RADIUS or TACACS+ protocols, among others. The first node can obtain attestation information from one or more fields of the access control messages and determine whether the second node is authentic and trustworthy based on that attestation information. The first node can also determine the reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node a client, or the first node a client and the second node a server. The attestation information can include a Proof of Integrity based on a hardware fingerprint, a device identifier, or a Canary Stamp.
-
Publication number: US11381391B2
Publication date: 2022-07-05
Application number: US16902081
Filing date: 2020-06-15
Applicant: Cisco Technology, Inc.
Inventor: Lionel Florit , Chennakesava Reddy Gaddam , Annu Singh , Gaurav Kumar , Shwetha Subray Bhandari
Abstract: A first computing node configures itself for communication with a second computing node according to a secure Media Access Control (MAC) layer communication protocol. The first computing node transmits a first message to the second computing node. The first message includes at least a first indication that the first computing node is capable of communicating according to the secure MAC layer communication protocol based on a pre-shared secret key. The first computing node determines to communicate with the second computing node according to the secure MAC layer communication protocol based on one of a pre-shared secret key or a distributed shared key. The first computing node, at least in part based on the determining, transmits a second message to the second computing node according to the secure MAC layer communication protocol based on that pre-shared secret key or distributed shared key.
-
Publication number: US11321465B2
Publication date: 2022-05-03
Application number: US16752488
Filing date: 2020-01-24
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
Abstract: Attestation techniques, systems, and methods to confirm the integrity of a device for establishing and/or maintaining a trustworthy encrypted network session. An example method can include sending, via a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; and determining whether to perform a next step in the cryptographic security protocol based on the level of trust, where the cryptographic security protocol comprises at least one of the Secure Shell (SSH) protocol, the Transport Layer Security (TLS) protocol, the Secure Sockets Layer (SSL) protocol, and Internet Protocol Security (IPsec).
-
Publication number: US11316869B2
Publication date: 2022-04-26
Application number: US16709532
Filing date: 2019-12-10
Applicant: Cisco Technology, Inc.
Abstract: Disclosed is a method of establishing secure communications. The method includes receiving an attestation parameter associated with a first peer in a potential peer-to-peer communication, adding the attestation parameter to a MACsec Key Agreement (MKA) protocol key exchange, transmitting the key exchange from the first peer to a second peer in the potential peer-to-peer communication and, upon validation of the attestation parameter by the second peer, enabling secure communication between the first peer and the second peer.
-
Publication number: US20210391984A1
Publication date: 2021-12-16
Application number: US16902081
Filing date: 2020-06-15
Applicant: Cisco Technology, Inc.
Inventor: Lionel Florit , Chennakesava Reddy Gaddam , Annu Singh , Gaurav Kumar , Shwetha Subray Bhandari
Abstract: A first computing node configures itself for communication with a second computing node according to a secure Media Access Control (MAC) layer communication protocol. The first computing node transmits a first message to the second computing node. The first message includes at least a first indication that the first computing node is capable of communicating according to the secure MAC layer communication protocol based on a pre-shared secret key. The first computing node determines to communicate with the second computing node according to the secure MAC layer communication protocol based on one of a pre-shared secret key or a distributed shared key. The first computing node, at least in part based on the determining, transmits a second message to the second computing node according to the secure MAC layer communication protocol based on that pre-shared secret key or distributed shared key.
-