公开(公告)号：US20160315819A1

公开(公告)日：2016-10-27

申请号：US14992114

申请日：2016-01-11

Applicant: Cisco Technology, Inc.

Inventor： Venkata Krishna Sashank Dara ,  Shwetha Subray Bhandari ,  Andrew Yourtchenko ,  Eric Vyncke ,  Frank Brockners

IPC: H04L12/24 ,  H04L29/12 ,  H04L12/46 ,  H04L29/06

CPC classification number: H04L9/32 ,  H04L12/4633 ,  H04L41/0246 ,  H04L41/0853 ,  H04L41/0866 ,  H04L41/28 ,  H04L45/26 ,  H04L61/6059 ,  H04L63/06 ,  H04L63/12 ,  H04L63/1408 ,  H04L69/166 ,  H04L69/22

Abstract: A system and methods are provided herein for verifying proof of transit of traffic through a plurality of network nodes in a network. In one embodiment, a method is provided in which information is obtained about a packet at a network node in a network. The information includes in-band metadata. Verification information is read from the in-band metadata. The verification information for use in verifying a path of the packet in the network. Updated verification information is generated from the verification information read from the packet. The updated verification information is written to the in-band metadata of the packet, and the packet is forwarded from the network node in the network.

Abstract translation: 本文提供的系统和方法用于验证通过网络中的多个网络节点的业务的传输证明。 在一个实施例中，提供了一种方法，其中获得关于网络中网络节点处的分组的信息。 该信息包括带内元数据。 从带内元数据中读取验证信息。 用于验证网络中分组路径的验证信息。 根据从数据包读取的验证信息生成更新的验证信息。 将更新的验证信息写入分组的带内元数据，并且从网络中的网络节点转发分组。

公开(公告)号：US11934525B2

公开(公告)日：2024-03-19

申请号：US17712499

申请日：2022-04-04

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: G06F21/57 ,  H04L9/08 ,  H04L9/32

CPC classification number: G06F21/57 ,  H04L9/0869 ,  H04L9/3213

Abstract: Technologies for attestation techniques, systems, and methods to confirm the integrity of a device for establishing and/or maintaining a trustworthy encrypted network session. An example method can include sending, via a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; determining whether to perform a next step in the cryptographic security protocol based on the level of trust, wherein the cryptographic security protocol comprises at least one of a Secure Shell (SSH) protocol, a Transport Layer Security (TLS) protocol, a Secure Sockets Layer (SSL) protocol, and an Internet Protocol Security (IPsec) protocol.

公开(公告)号：US11924223B2

公开(公告)日：2024-03-05

申请号：US17728333

申请日：2022-04-25

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Eric Voit ,  Frank Brockners ,  Carlos M. Pignataro ,  Nagendra Kumar Nainar

IPC: H04L9/40 ,  H04L69/22

CPC classification number: H04L63/123 ,  H04L63/1425 ,  H04L69/22

Abstract: Technologies for proving packet transit through uncompromised nodes are provided. An example method can include receiving a packet including one or more metadata elements generated based on security measurements from a plurality of nodes along a path of the packet; determining a validity of the one or more metadata elements based on a comparison of one or more values in the one or more metadata elements with one or more expected values calculated for the one or more metadata elements, one or more signatures in the one or more metadata elements, and/or timing information associated with the one or more metadata elements; and based on the one or more metadata elements, determining whether the packet traversed any compromised nodes along the path of the packet.

公开(公告)号：US20240048487A1

公开(公告)日：2024-02-08

申请号：US18377712

申请日：2023-10-06

Applicant: Cisco Technology, Inc.

Inventor： Atri Indiresan ,  Frank Brockners ,  Shwetha Subray Bhandari

IPC: H04L45/7453 ,  H04L41/0695 ,  H04L47/2483 ,  H04L61/5007

CPC classification number: H04L45/7453 ,  H04L41/0695 ,  H04L47/2483 ,  H04L61/5007

Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first signature. The method further includes generating a second signature by inputting the first signature and one or more node details into a hash function. The method includes replacing the first signature with the second signature in the packet. The packet including the second value is forwarded by the node.

公开(公告)号：US11683324B2

公开(公告)日：2023-06-20

申请号：US17846381

申请日：2022-06-22

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Santhosh N ,  Rakesh Reddy Kandula ,  Saiprasad Reddy Muchala ,  Frank Brockners

IPC: H04L9/40 ,  H04L45/00 ,  H04L9/32 ,  H04L9/08

CPC classification number: H04L63/123 ,  H04L9/0869 ,  H04L9/321 ,  H04L45/72 ,  H04L63/0428 ,  H04L63/0435

Abstract: Techniques to facilitate verification of in-situ network telemetry data of data packet of data traffic of packet-switched networks are described herein. A technique described herein includes a network node obtaining a data packet of data traffic of a packet-switched network. The data packet includes an in-situ network telemetry block. The network node obtains telemetry data and cryptographic key. The cryptographic key confidentially identifies the network node. The node encrypts at least a portion of the telemetry data based on the cryptographic key to produce signed telemetry data and updates telemetry-data entry of the in-situ network telemetry block. The telemetry data and signed telemetry data is inserted into the telemetry-data entry. The node forwards the data packet with the updated telemetry-data entry to another network node of the packet-switched network.

公开(公告)号：US11652874B2

公开(公告)日：2023-05-16

申请号：US17857729

申请日：2022-07-05

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: G06F15/173 ,  H04L67/104 ,  H04L9/40 ,  H04W24/10 ,  H04L9/32 ,  H04L61/4511 ,  H04L67/1001

CPC classification number: H04L67/104 ,  H04L9/3247 ,  H04L61/4511 ,  H04L63/0823 ,  H04L67/1001 ,  H04W24/10

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

公开(公告)号：US20220394054A1

公开(公告)日：2022-12-08

申请号：US17818147

申请日：2022-08-08

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L9/40

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

公开(公告)号：US20220329606A1

公开(公告)日：2022-10-13

申请号：US17846381

申请日：2022-06-22

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Santhosh N ,  Rakesh Reddy Kandula ,  Saiprasad Reddy Muchala ,  Frank Brockners

IPC: H04L9/40 ,  H04L45/00 ,  H04L9/32 ,  H04L9/08

Abstract: Techniques to facilitate verification of in-situ network telemetry data of data packet of data traffic of packet-switched networks are described herein. A technique described herein includes a network node obtaining a data packet of data traffic of a packet-switched network. The data packet includes an in-situ network telemetry block. The network node obtains telemetry data and cryptographic key. The cryptographic key confidentially identifies the network node. The node encrypts at least a portion of the telemetry data based on the cryptographic key to produce signed telemetry data and updates telemetry-data entry of the in-situ network telemetry block. The telemetry data and signed telemetry data is inserted into the telemetry-data entry. The node forwards the data packet with the updated telemetry-data entry to another network node of the packet-switched network.

公开(公告)号：US20220094559A1

公开(公告)日：2022-03-24

申请号：US17542142

申请日：2021-12-03

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Eric Voit ,  Jesse Daniel Backman ,  Robert Stephen Rodgers ,  Joseph Eryx Malcolm

IPC: H04L9/32 ,  G06F21/72 ,  G06F21/57 ,  H04L29/06 ,  H04L9/08

Abstract: A methodology for requesting at least one signed security measurement from at least one module is provided. The methodology includes receiving the at least one signed security measurement from the at least one module; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.

公开(公告)号：US11277442B2

公开(公告)日：2022-03-15

申请号：US16712584

申请日：2019-12-12

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  William F. Sulzen ,  Frank Brockners

IPC: H04L29/06 ,  H04L61/103

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. An ARP responder can receive an ARP request from an ARP requestor for performing address resolution between the ARP requestor and the ARP responder in a network environment. The ARP responder can build an ARP response including attestation information of the ARP responder. Further, the ARP responder can provide, to the ARP requestor, the attestation information for verifying the ARP responder using the ARP response and the attestation information of the ARP responder.