-
Publication number: US11196634B2
Publication date: 2021-12-07
Application number: US16728323
Filing date: 2019-12-27
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth, Shwetha Subray Bhandari, Eric Voit, William F. Sulzen, Frank Brockners
IPC: H04L12/24, H04W84/18, H04L12/721, H04L12/751, H04W40/24
Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. A recipient node in a network environment can receive a neighbor discovery (ND) message from an originating node in the network environment, where both nodes implement a neighbor discovery protocol. Trustworthiness of the originating node can be verified by identifying a level of trust of the originating node based on attestation information for the originating node included in the ND message received at the recipient node. Connectivity with the recipient node through the network environment can be managed based on the level of trust of the originating node identified from the attestation information included in the ND message.
-
Publication number: US11082540B2
Publication date: 2021-08-03
Application number: US16231301
Filing date: 2018-12-21
Applicant: Cisco Technology, Inc.
IPC: G06F15/16, H04L29/06, H04L12/713, H04L12/46
Abstract: In one embodiment, network operations are improved by updating operations data in an operations data field associated with the header of a particular protocol during the processing of a different protocol. A particular multiple-protocol (MP) packet is received by a particular network node in a network. The particular MP packet includes multiple protocol headers, including a first protocol header associated with a first protocol and a second protocol header associated with a second protocol. Further, the second protocol header is associated with a second operations data field. During protocol processing of the first protocol on the particular MP packet, the second operations data field is updated with particular operations data. The particular MP packet is sent from the particular network node, with said sent particular MP packet including said updated second operations data field with particular operations data.
-
Publication number: US20200336360A1
Publication date: 2020-10-22
Application number: US16839273
Filing date: 2020-04-03
Applicant: Cisco Technology, Inc.
Inventor: David D. Ward, Carlos M. Pignataro, Frank Brockners, Shwetha Subray Bhandari
Abstract: Embodiments of the disclosure pertain to activating in-band OAM based on a triggering event. Aspects of the embodiments are directed to receiving a first notification indicating a problem in a network; triggering a data-collection feature on one or more nodes in the network for subsequent packets that traverse the one or more nodes; evaluating a subsequent packet that includes data augmented by the data-collection feature; and determining the problem in the network based on the data augmented to the subsequent packet.
-
Publication number: US20200322145A1
Publication date: 2020-10-08
Application number: US16784025
Filing date: 2020-02-06
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth, Shwetha Subray Bhandari, Eric Voit, William F. Sulzen, Frank Brockners
Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node can include network devices, and the access control messages can be based on RADIUS or TACACS+ protocols, among others. The first node can obtain attestation information from one or more fields of the access control messages to determine whether the second node is authentic and trustworthy based on the attestation information. The first node can also determine reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node can be a client, or the first node can be a client and the second node can be a server. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.
-
Publication number: US10742551B2
Publication date: 2020-08-11
Application number: US15188810
Filing date: 2016-06-21
Applicant: CISCO TECHNOLOGY, INC.
IPC: H04L12/733, H04L29/06, H04L12/749, H04L12/721, H04L12/715, H04L12/751, H04L12/717
Abstract: Aspects of the embodiments are directed to systems, apparatuses and methods performed at a network element. Embodiments include receiving a packet; identifying a hop number for the network element; identifying a unique identifier for the network element; determining a path identifier based on the hop number and the unique identifier; augmenting the packet metadata with the path identifier; and transmitting the packet to a next network element.
-
Publication number: US10582027B2
Publication date: 2020-03-03
Application number: US15844741
Filing date: 2017-12-18
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari, Frank Brockners, Akshaya Nadahalli, Carlos M. Pignataro
IPC: H04L12/26, H04L12/24, H04L12/855, H04L29/06, H04L29/08, H04L12/741, H04L12/805
Abstract: A method is provided that is performed at one or more intermediate nodes in a path in a network. The node receives a packet having a header that includes metadata that has been accumulated as the packet travels along the path in the network. The node detects whether a trigger condition has occurred. In response to detecting that the trigger condition has occurred, the node exports, to a destination entity, at least a portion of the metadata that has been accumulated in the header, so that the portion of the metadata is removed from the header after it has been exported.
-
Publication number: US20200053169A1
Publication date: 2020-02-13
Application number: US16100830
Filing date: 2018-08-10
Applicant: Cisco Technology, Inc.
Inventor: Selvaraj Mani, Shwetha Subray Bhandari, Rakesh Reddy Kandula, Saiprasad Muchala, Swapna Gopalkrishna Shingre, Srinivasu Angadala
Abstract: In one embodiment, a service configured to execute on trusted participant devices authenticates network service devices, each having identifying information and one or more offered services, and creates an entry in a secure digital ledger for each authenticated network service device and its associated offered services, each entry based on the identifying information and the one or more offered services for the corresponding network service device. Upon receiving an advertisement for an advertised service from an advertising device attached to a given trusted participant device, the service then requests and may receive an authentic ledger entry from the secure digital ledger for the advertised service. In response to either validating or failing to validate the authenticity of the advertised service based on the authentic ledger entry, registration at the given trusted participant device of the advertised service for the received advertisement from the advertising device may be permitted or denied, respectively.
-
Publication number: US20190297011A1
Publication date: 2019-09-26
Application number: US15926292
Filing date: 2018-03-20
Applicant: Cisco Technology, Inc.
IPC: H04L12/741, H04L12/721, H04L12/803, H04L12/26
Abstract: Presented herein are techniques for monitoring packets in a container networking environment. A method includes receiving a packet at a network node, the packet having been routed to the network node in accordance with instructions from a container orchestration system; inserting an additional field in the packet that is configured to record a path of the packet within a first POD of the host device that includes at least one container; forwarding the packet to the first POD of the host device in accordance with the instructions from the container orchestration system; updating the additional field with container networking path information as the packet transits the first POD and the at least one container therein; storing the container path information in an analytics node of the network node; removing the additional field from the packet; and transmitting the packet from the network node to the network.
-
Publication number: US20190296988A1
Publication date: 2019-09-26
Application number: US15926264
Filing date: 2018-03-20
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari, Nagendra Kumar Nainar, Carlos M. Pignataro, Frank Brockners, Reshad Rahman
IPC: H04L12/24, H04L12/26, H04L12/803, H04L12/707
Abstract: A reactive mechanism for in-situ operation, administration, and maintenance (IOAM) traffic is provided. In one embodiment, a method is provided that includes assigning a plurality of discriminator identifiers associated with a plurality of discriminators. Each discriminator is mapped to a specified action. The method includes receiving a data packet that includes an IOAM header comprising telemetry data associated with the data packet and a bidirectional forwarding detection (BFD) field that includes a specified discriminator identifier. The method further includes determining whether the specified discriminator identifier matches one of the plurality of discriminator identifiers, and, upon determining that the specified discriminator identifier matches a first discriminator identifier of the plurality of discriminator identifiers, initiating a seamless bidirectional forwarding detection (S-BFD) reflector session to transmit a response packet according to a first action mapped to a first discriminator associated with the first discriminator identifier.
-
Publication number: US20160315850A1
Publication date: 2016-10-27
Application number: US14992109
Filing date: 2016-01-11
Applicant: Cisco Technology, Inc.
Inventor: Venkata Krishna Sashank Dara, Shwetha Subray Bhandari, Andrew Yourtchenko, Eric Vyncke, Frank Brockners
IPC: H04L12/721, H04L29/06, H04L12/24
CPC classification number: H04L9/32, H04L12/4633, H04L41/0246, H04L41/0853, H04L41/0866, H04L41/28, H04L45/26, H04L61/6059, H04L63/06, H04L63/12, H04L63/1408, H04L69/166, H04L69/22
Abstract: A system and methods are provided for verifying proof of transit of network traffic through a plurality of network nodes in a network. Information is obtained about a packet at a network node in a network. The information may include in-band metadata of the packet. Verification information is read from the in-band metadata of the packet. Updated verification information is generated from the verification information read from the packet and based on configuration information associated with the network node. The updated verification information is written back to the in-band metadata in the packet. The packet is forwarded from the network node in the network.
-