DIFFERENTIATED QUALITY OF SERVICE USING TUNNELS WITH SECURITY AS A SERVICE
    32.
    Invention patent application
    Status: in force

    Publication number: US20160352628A1

    Publication date: 2016-12-01

    Application number: US14724635

    Filing date: 2015-05-28

    CPC classification number: H04L45/38 H04L12/4633 H04L45/302

    Abstract: A computer-implemented method includes sending a first request message to a first server associated with a first access network indicative of a request for an indication of whether the first server is configured to support prioritization of tunneled traffic, receiving a first response message from the first server indicative of whether the first server is configured to support prioritization of tunneled traffic, establishing one or more first tunnels with a security service when the first response message is indicative that the first server is configured to support prioritization of tunneled traffic, sending first flow characteristics and a first tunnel identifier to the first server, and receiving the first flow characteristics for each first tunnel from the first server at a first network controller. The first network controller is configured to apply a quality of service policy within the first access network for each tunnel in accordance with the flow characteristics.

    Web caching with security as a service
    33.
    Granted invention patent
    Status: in force

    Publication number: US09288231B2

    Publication date: 2016-03-15

    Application number: US13947498

    Filing date: 2013-07-22

    CPC classification number: H04L63/20 H04L63/0281 H04L63/10

    Abstract: In one implementation, Web-Cache deployed in the Enterprise premises and cloud-based SecaaS are combined such that similar identity-based policies are enforced on both the SecaaS and content delivered from the Web-Cache. This identity-based policy implementation outside the network using SecaaS and within the network for web-cached content provides consistent identity-based security while still providing content to end-users with high performance. Content inspected and/or modified by SecaaS may be cached in the enterprise premises so that requests for content from an origin server decrease, freeing Internet bandwidth and reducing access time. Local caching of streaming content may decrease latency while local implementation of identity-based policy continues to limit the streamed content as appropriate. Local implementation of identity-based policy may reduce the load on SecaaS. Rather than using content delivery networks provided by a service provider for web-content, a cache server within the enterprise is used.

    ON-DEMAND BANDWIDTH PROVISIONING IN A NETWORK ENVIRONMENT
    34.
    Invention patent application
    Status: in force

    Publication number: US20160013985A1

    Publication date: 2016-01-14

    Application number: US14328421

    Filing date: 2014-07-10

    Abstract: An example method for facilitating on-demand bandwidth provisioning in a network environment is provided and includes receiving a request from a client at a first network for accommodating flow characteristics at a second network that is associated with executing an application at the first network, determining that the request cannot be fulfilled with available network resources allocated to the client by the second network, advising the client of additional cost for accommodating the flow characteristics, and authorizing additional network resources in the second network to accommodate the flow characteristics after receiving notification from the client of payment of the additional cost.

    Recording encrypted media session
    36.
    Granted invention patent

    Publication number: US10798067B2

    Publication date: 2020-10-06

    Application number: US14643802

    Filing date: 2015-03-10

    Abstract: In one implementation, a media stream is recorded using one or more keys. The one or more keys are also encrypted. The one or more encrypted keys may be stored with the encrypted media session at a cloud storage service. A network device receives a request to record a media stream and accesses at least one stream key for the media stream. The stream key is for encrypting the media stream. The network device encrypts the stream key with a master key. The encrypted stream key is stored in association with the encrypted media stream.

    SECURE COMMUNICATION SESSION RESUMPTION IN A SERVICE FUNCTION CHAIN

    Publication number: US20200177631A1

    Publication date: 2020-06-04

    Application number: US16780047

    Filing date: 2020-02-03

    Abstract: A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.

    DISTRIBUTED DENIAL OF SERVICE MITIGATION FOR WEB CONFERENCING

    Publication number: US20190387020A1

    Publication date: 2019-12-19

    Application number: US16551280

    Filing date: 2019-08-26

    Abstract: A web conferencing operator can enable participants to share multimedia content in real-time despite one or more of the participants operating from behind a middlebox via network address translation (NAT) traversal protocols and tools, such as STUN, TURN, and/or ICE. In NAT traversal, participants share transport addresses that the participants can use to establish a joint media session. However, connectivity checks during NAT traversal can expose a media distribution device hosted by the web conferencing operator to various vulnerabilities, such as distributed denial of service (DDoS) attacks. The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks at scale and without significant performance degradation by configuring the middlebox to validate incoming requests for the connectivity checks without persistent signaling between the web conference operator and the middlebox.

    Distributed denial of service mitigation for web conferencing

    Publication number: US10397271B2

    Publication date: 2019-08-27

    Application number: US15646429

    Filing date: 2017-07-11

    Abstract: A web conferencing operator can enable participants to share multimedia content in real-time despite one or more of the participants operating from behind a middlebox via network address translation (NAT) traversal protocols and tools, such as STUN, TURN, and/or ICE. In NAT traversal, participants share transport addresses that the participants can use to establish a joint media session. However, connectivity checks during NAT traversal can expose a media distribution device hosted by the web conferencing operator to various vulnerabilities, such as distributed denial of service (DDoS) attacks. The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks at scale and without significant performance degradation by configuring the middlebox to validate incoming requests for the connectivity checks without persistent signaling between the web conference operator and the middlebox.

    Security policy for HTTPS using DNS

    Publication number: US10375020B2

    Publication date: 2019-08-06

    Application number: US15408616

    Filing date: 2017-01-18

    Abstract: In one embodiment, a browser operating on a host device receives, from a user, a request to access a web server that includes a Uniform Resource Locator (URL) associated with the web server. In response, the browser sends, to a Domain Name System (DNS) server, a request for an Internet Protocol (IP) address correlated with the domain hosting the URL, and receives, from the DNS server, a response that comprises a block policy IP address and an appropriate error code. Based on this IP address and the error code indicated in the response, the browser renders an access denied page indicating that access to the web server associated with the URL is not permitted, wherein at least a portion of the access denied page is stored in memory accessible to the browser prior to sending the request for the IP address correlated with the domain that is hosting the URL.
