公开(公告)号：US11979366B2

公开(公告)日：2024-05-07

申请号：US18195136

申请日：2023-05-09

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Pradeep Kumar Kathail ,  Eric Levy-Abegnoli ,  David A. Maluf

IPC: G06F15/16 ,  H04L61/2503 ,  H04L61/4511

CPC classification number: H04L61/2503 ,  H04L61/4511

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

公开(公告)号：US20230216847A1

公开(公告)日：2023-07-06

申请号：US18120889

申请日：2023-03-13

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Jonas Zaddach ,  Eric Levy-Abegnoli

IPC: H04L9/40

CPC classification number: H04L63/0876 ,  H04L63/108

Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration the user can be required to re-authenticate.

公开(公告)号：US11683286B2

公开(公告)日：2023-06-20

申请号：US17530244

申请日：2021-11-18

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Pradeep Kumar Kathail ,  Eric Levy-Abegnoli ,  David A. Maluf

IPC: G06F15/173 ,  H04L61/2503 ,  H04L61/4511

CPC classification number: H04L61/2503 ,  H04L61/4511

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

公开(公告)号：US11425009B2

公开(公告)日：2022-08-23

申请号：US16709235

申请日：2019-12-10

Applicant: Cisco Technology, Inc.

Inventor： Jean-Philippe Vasseur ,  Pascal Thubert ,  Eric Levy-Abegnoli ,  Patrick Wetterwald

IPC: H04L43/062 ,  G06N5/04 ,  G06N20/00 ,  H04L41/0826 ,  H04L41/0853 ,  H04L41/14 ,  H04L43/08 ,  H04L41/0631 ,  H04L41/147 ,  G06N3/04 ,  G06N5/00 ,  G06N7/00

Abstract: In one embodiment, a service receives a feature availability report indicative of which telemetry variables are available at a device in a network and resource costs associated with data features that the device could compute from the telemetry variables. The service selects at least a subset of the data features for input to a machine learning model, based on their associated resource costs and on their respective impacts on one or more performance metrics for the machine learning model. The service trains the machine learning model to evaluate the selected data features. The service sends the trained machine learning model to the device. The device computes the selected data features from the telemetry variables available at the device and uses the computed data features as input to the machine learning model.

公开(公告)号：US11418481B2

公开(公告)日：2022-08-16

申请号：US17492214

申请日：2021-10-01

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: G06F15/16 ,  H04L61/3015 ,  H04L45/02 ,  H04L61/30 ,  H04L9/40 ,  H04L101/622

Abstract: Systems and methods may include sending, to a network registrar, a first message including a first nonce generated by a host computing device, and receiving, from the network registrar, a second message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PKI) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

公开(公告)号：US20220116354A1

公开(公告)日：2022-04-14

申请号：US17492214

申请日：2021-10-01

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: H04L29/12 ,  H04L12/751 ,  H04L29/06

Abstract: Systems and methods may include sending, to a network registrar, a first message including a first nonce generated by a host computing device, and receiving, from the network registrar, a second message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PKI) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

公开(公告)号：US11283831B2

公开(公告)日：2022-03-22

申请号：US16421858

申请日：2019-05-24

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Eliot Lear ,  Brian E. Weis

IPC: H04L29/06 ,  H04L29/12 ,  H04L61/4511 ,  H04L61/5014 ,  H04L61/103

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

公开(公告)号：US20220070156A1

公开(公告)日：2022-03-03

申请号：US17004368

申请日：2020-08-27

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Jonas Zaddach ,  Eric Levy-Abegnoli

IPC: H04L29/06 ,  H04L29/08

Abstract: This disclosure describes techniques for authenticating a user device for a session. For instance, an authentication entity may authenticate a user device using single sign-on authentication and/or multi-factor authentication. The authentication entity may then determine a duration for which the user device is authenticated for the session. For example, the authentication entity may receive information representing a state of an environment of the user device. The authentication entity may then use the information to identify one or more transitions associated with the environment between the session and a previous session. Using the one or more transitions, the authentication entity may determine the duration for the session by increasing or decreasing a previous duration associated with the previous session.

公开(公告)号：US20210105668A1

公开(公告)日：2021-04-08

申请号：US16594316

申请日：2019-10-07

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Eric Levy-Abegnoli ,  Xiaoguang Jason Chen

IPC: H04W28/22

Abstract: In one embodiment, a device in a mesh network joins a source-destination oriented partial directed acyclic graph (SDO-PDAG) between a source node and a destination node in the network. The device receives operations, administration and maintenance (OAM) packets flooded along reverse paths of the SDO-PDAG. The device determines, based on the received OAM packets, packet drop rate (PDR) capacities of different paths between the device and the destination node. The device replicates a data packet sent from the source node to the destination node along two or more of the paths between the device and the destination node, based on the determined PDR capacities of those paths.

公开(公告)号：US20210058478A1

公开(公告)日：2021-02-25

申请号：US16545225

申请日：2019-08-20

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Robert Edgar Barton ,  Jerome Henry ,  Eric Levy-Abegnoli

IPC: H04L29/08 ,  H04L29/12

Abstract: Presented herein are techniques that aggregate messages using a subroot node. A plurality of messages is received from a corresponding plurality of nodes by a subroot node acting as a proxy in a wireless mesh sub-network. The plurality of messages is aggregated into a single message according to a template. The single message is wireless transmitted to a root node, wherein the root node has a wired connection to a network.