公开(公告)号：US20170346855A1

公开(公告)日：2017-11-30

申请号：US15165032

申请日：2016-05-26

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/12 ,  H04L29/08

CPC classification number: H04L63/20 ,  H04L61/1511 ,  H04L61/6009 ,  H04L63/104 ,  H04L67/2842

Abstract: A local network element on an enterprise network caches Domain Name System (DNS) responses in association with user identifiers in accordance with a DNS-based access control policy. The network element receives a DNS request from a first endpoint device. The DNS request includes a domain name to resolve. The network element forwards the DNS request to a domain name server along with a first user identifier associated with the first endpoint device. The network element receives a DNS response from the domain name server. The DNS response includes a network address associated with the domain name, as well as the first user identifier and at least one other user identifier. The network element stores the network address in a DNS cache as a cached DNS response for the domain name. The cached DNS response is stored in association with the first user identifier and the other user identifier(s).

公开(公告)号：US20170339130A1

公开(公告)日：2017-11-23

申请号：US15157588

申请日：2016-05-18

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/12 ,  H04L9/30 ,  H04L9/32 ,  H04L29/08

CPC classification number: H04L63/0823 ,  H04L9/30 ,  H04L9/3263 ,  H04L61/1511 ,  H04L61/6013 ,  H04L63/0428 ,  H04L63/1466 ,  H04L63/166 ,  H04L67/2847 ,  H04L69/326

Abstract: In one embodiment, a Domain Name Service (DNS) server pre-fetches domain information regarding a domain that includes certificate information for the domain. The DNS server receives a DNS request that includes a security request for the domain in metadata of a Network Service Header (NSH) of the DNS request. The DNS server retrieves the certificate information for the domain from the pre-fetched information regarding the domain, in response to receiving the security request. The DNS server sends, to a Transport Layer Security (TLS) proxy, a DNS response for the domain that includes the certificate information in metadata of an NSH of the DNS response.

公开(公告)号：US20170222917A1

公开(公告)日：2017-08-03

申请号：US15013027

申请日：2016-02-02

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing ,  James Neil Guichard

IPC: H04L12/707 ,  H04L12/851 ,  H04L12/741

CPC classification number: H04L45/24 ,  H04L45/74 ,  H04L47/193 ,  H04L47/2441

Abstract: A service classifier network device receives a subflow and identifies that the subflow is one of at least two subflows in a multipath data flow. Related data packets are sent from a source node to a destination node in the multipath data flow. The service classifier generates a multipath flow identifier and encapsulates the subflow with a header to produce an encapsulated first subflow. The header identifies a service function path and includes metadata with the multipath flow identifier.

公开(公告)号：US20170142096A1

公开(公告)日：2017-05-18

申请号：US14942898

申请日：2015-11-16

Applicant: Cisco Technology, Inc.

Inventor： K Tirumaleswar Reddy ,  Daniel G. Wing ,  Prashanth Patil ,  Sandeep Rao

IPC: H04L29/06

CPC classification number: H04L63/0823 ,  H04L12/1813 ,  H04L12/1827 ,  H04L63/0414 ,  H04L63/0421 ,  H04L63/0884 ,  H04L63/101 ,  H04L65/1069 ,  H04L65/1096 ,  H04L65/403

Abstract: In one embodiment, a first request may be received from a first endpoint to access a cloud-based conference platform. The first request can include a first access token. Based at least on the first request, a first certificate may be provided to the first endpoint, wherein the first certificate may not include an identity of the first endpoint. A second request may be received from a second endpoint to access the cloud-based conference platform. The second request can include a second access token. Based at least on the second request, a second certificate can be provided to the second endpoint, wherein the second certificate may not include an identity of the second endpoint. Data can be routed within the cloud-based conference platform between the first endpoint and second endpoint based at least upon the first certificate and the second certificate.

公开(公告)号：US20160366191A1

公开(公告)日：2016-12-15

申请号：US14734164

申请日：2015-06-09

Applicant: Cisco Technology, Inc.

Inventor： Prashanth Patil ,  Tirumaleswar Reddy ,  Daniel G. Wing ,  James Guichard

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L65/1069 ,  H04L63/0281 ,  H04L63/0471 ,  H04L63/166 ,  H04L67/141 ,  H04L67/28

Abstract: A first service node receives a message configured to set up a secure communication session between a client and a server, in which the first service node acts as a proxy. Data packets in the secure communication session are subject to multiple service functions that require decryption of the data packets. A service function chain assigns a service node to each of the service functions. A service header is generated including metadata instructing the service nodes other than the first service node not to act as proxies in the secure communication session. The message and the service header are transmitted to a second service node in the service function chain.

Abstract translation: 第一服务节点接收被配置为在客户机和服务器之间建立安全通信会话的消息，其中第一服务节点用作代理。 安全通信会话中的数据分组受到需要解密数据分组的多种服务功能。 服务功能链将服务节点分配给每个服务功能。 生成服务报头，包括指示不同于第一服务节点的服务节点的元数据不作为安全通信会话中的代理。 消息和服务头部被发送到服务功能链中的第二服务节点。

公开(公告)号：US20160269365A1

公开(公告)日：2016-09-15

申请号：US14643802

申请日：2015-03-10

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Daniel G. Wing ,  Prashanth Patil ,  Ram Mohan R.

IPC: H04L29/06 ,  H04L9/14

Abstract: In one implementation, a media stream is recorded using one or more keys. The one or more keys are also encrypted. The one or more encrypted keys may be stored with the encrypted media session at a cloud storage service. A network device receives a request to record a media stream and accesses at least one stream key for the media stream. The stream key is for encrypting the media stream. The network device encrypts the stream key with a master key. The encrypted stream key is stored in association with the encrypted media stream.

Abstract translation: 在一个实现中，使用一个或多个键来记录媒体流。 一个或多个键也被加密。 一个或多个加密密钥可以与云存储服务处的加密的媒体会话一起存储。 网络设备接收记录媒体流的请求，并访问媒体流的至少一个流密钥。 流密钥用于加密媒体流。 网络设备用主密钥加密流密钥。 加密的流密钥与加密的媒体流相关联地存储。

公开(公告)号：US20150288679A1

公开(公告)日：2015-10-08

申请号：US14328094

申请日：2014-07-10

Applicant: Cisco Technology, Inc.

Inventor： Eitan Ben-Nun ,  Michael Zayats ,  Daniel G. Wing ,  Kirtesh Patil ,  Jaideep Padhye ,  Manohar B. Hungund ,  Saravanan Agasaveeran

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L67/141 ,  H04L63/0281 ,  H04L63/0823 ,  H04L63/168 ,  H04L67/28

Abstract: An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

Abstract translation: 提供了一种插入器，其被配置为通过获得应用程序会话安全状态来插入到应用程序安全协议交换中。 插件不需要持有客户端或服务器的任何私有密钥材料即可。 还提供了带外安全助理密钥托管服务（SAS / SAKE）。 SAKE驻留在安全的物理网络周边，并保存导出会话密钥所需的私人密钥材料，以插入到应用安全协议中。 在安全协议握手期间，插入器发送SAKE安全协议握手消息，并返回从SAKE会话安全状态接收，允许其参与应用安全协议。

公开(公告)号：US20150271205A1

公开(公告)日：2015-09-24

申请号：US14521856

申请日：2014-10-23

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Surendra M. Kumar ,  Humberto J. La Roche ,  Jeffrey Napper ,  Kevin D. Shatzkamer ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/0435 ,  H04L63/168 ,  H04L67/02 ,  H04L67/42

Abstract: In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL; transmitting the at least one regular SSL record.

Abstract translation: 在一个实施例中，提供了一种用于实现网络之间的带内数据交换的方法。 该方法可以包括通过位于第一网络中的第一包络代理接收在客户端和服务器之间建立的SSL会话的至少一个常规安全套接字层（SSL）记录; 从位于所述第一网络中的网元接收所述数据; 将数据编码成至少一个自定义SSL记录; 以及将所述至少一个常规SSL记录和所述至少一个定制SSL记录发送到包络代理。 在另一个实施例中，一种方法可以包括：在客户端和服务器之间建立的SSL会话接收至少一个常规安全套接字层（SSL）记录和至少一个定制SSL记录; 从至少一个自定义SSL提取数据; 发送所述至少一个常规SSL记录。

公开(公告)号：US09054922B2

公开(公告)日：2015-06-09

申请号：US13754220

申请日：2013-01-30

Applicant: Cisco Technology, Inc.

Inventor： Daniel G. Wing ,  Cullen Jennings ,  Jonathan D. Rosenberg

IPC: G06F15/16 ,  H04L29/12

CPC classification number: H04L29/12066 ,  H04L29/12386 ,  H04L29/12528 ,  H04L61/2521 ,  H04L61/2575

Abstract: In one embodiment, an endpoint elicits a pattern of STUN responses to identify security devices located on a call path. The endpoint then uses address information from the identified security devices to establish an efficient media flow with a remote endpoint. The endpoint can optimize the number of network devices and network paths that process the endpoint's keepalive message. Additionally, the endpoint may request custom inactivity timeouts with each of the identified security devices for reducing bandwidth consumed by keepalive traffic.

Abstract translation: 在一个实施例中，端点引出STUN响应的模式以识别位于呼叫路径上的安全设备。 然后，端点使用来自所识别的安全设备的地址信息来建立与远程端点的有效媒体流。 端点可以优化处理端点的keepalive消息的网络设备和网络路径的数量。 此外，端点可以请求自定义的不活动超时与每个已标识的安全设备，以减少由keepalive流量消耗的带宽。

公开(公告)号：US08891521B2

公开(公告)日：2014-11-18

申请号：US13827366

申请日：2013-03-14

Applicant: Cisco Technology, Inc.

Inventor： Daniel G. Wing ,  Bruce Davie ,  John Restrick ,  Jonathan D. Rosenberg

IPC: H04L12/28 ,  H04L12/927 ,  H04L12/911 ,  H04L12/913 ,  H04L12/833 ,  H04L12/54 ,  H04L12/801 ,  H04L29/06

CPC classification number: H04L47/724 ,  H04L47/10 ,  H04L47/11 ,  H04L47/2458 ,  H04L47/2491 ,  H04L47/70 ,  H04L47/748 ,  H04L47/805 ,  H04L65/80 ,  H04L67/28

Abstract: In one embodiment, a reservation proxy monitors for received connectivity check messages or beginning-of-media-flow indication messages. When either type of message is observed, the reservation proxy requests resource allocation for a media flow associated with the received message. The amount of resource allocation requested may be coordinated by exchanging messages with a call controller or policy server for one of the endpoints of the media flow, or the amount of resource allocation may be identified within the received message.

Abstract translation: 在一个实施例中，预留代理监视所接收的连接性检查消息或媒体流指示消息的开始。 当观察到任一类型的消息时，预留代理请求与所接收消息相关联的媒体流的资源分配。 可以通过与媒体流的端点之一的呼叫控制器或策略服务器交换消息来协调所请求的资源分配的量，或者可以在所接收的消息内识别资源分配的量。