Redirect to Inspection Proxy Using Single-Sign-On Bootstrapping
    61.
    Invention application (in force)

    Publication number: US20150200924A1

    Publication date: 2015-07-16

    Application number: US14155865

    Filing date: 2014-01-15

    CPC classification number: H04L63/0815 H04L63/04 H04L63/08 H04L63/0884

    Abstract: An authentication request is generated when a user of a client device attempts to initiate a user session with an application managed by a service provider. An authentication response is generated based on credentials received from the user. The authentication response includes an assertion on behalf of the user. A delivery resource locator for the assertion is rewritten to a resource locator of a proxy in order to redirect the assertion to the proxy. The authentication response is sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider.

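    The mechanism in the abstract above, worked through as an added example (this is illustration code, not the patent's or any vendor's implementation): the identity provider rewrites only the delivery locator of its HTTP-POST binding form to point at the inspection proxy, encoding the service provider's original ACS URL inside the proxy URL, and the proxy decodes that locator, inspects the assertion, and forwards it. The proxy endpoint, the shared key, the `dst`/`tag` query parameters, and the unsigned stand-in SAML response are all assumptions. Two checks a practitioner would want are included: the rewritten locator carries an HMAC tag so the proxy only honours targets the rewriter produced, and the proxy refuses to forward when the decoded target disagrees with the Destination inside the response, so it cannot be turned into an open relay.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for the illustration: the inspection proxy's endpoint and a
# key shared between the identity provider's rewriter and the proxy.
PROXY_ACS = "https://proxy.example.net/acs"
REWRITE_KEY = b"illustration-only-shared-key"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def rewrite_delivery_url(acs_url: str) -> str:
    """Identity-provider side: encode the service provider's ACS URL into the
    proxy's URL. The tag is an added safeguard (assumption) so the proxy only
    honours targets this rewriter produced, not arbitrary attacker-chosen URLs."""
    enc = base64.urlsafe_b64encode(acs_url.encode()).decode().rstrip("=")
    tag = hmac.new(REWRITE_KEY, enc.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_ACS}?{urlencode({'dst': enc, 'tag': tag})}"


def decode_delivery_url(proxy_url: str) -> str:
    """Proxy side: verify the tag and recover the original ACS URL."""
    q = parse_qs(urlsplit(proxy_url).query)
    enc, tag = q["dst"][0], q["tag"][0]
    expect = hmac.new(REWRITE_KEY, enc.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("delivery locator was not produced by the rewriter")
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)).decode()


def build_saml_response(destination: str, subject: str) -> str:
    """Constructed, unsigned stand-in for the IdP's <samlp:Response>. A real
    response is signed, which is exactly why the rewrite must leave its
    Destination alone and touch only the form's delivery locator."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" Destination="{destination}">'
           f'<Subject>{subject}</Subject></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def response_destination(saml_response_b64: str) -> str:
    """Read the Destination attribute the service provider will later check."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return root.attrib["Destination"]


def idp_send(acs_url: str, subject: str) -> dict:
    """What the browser receives: an auto-submit form whose action now points at
    the proxy, carrying an unmodified SAMLResponse."""
    return {"action": rewrite_delivery_url(acs_url),
            "SAMLResponse": build_saml_response(acs_url, subject)}


def proxy_forward(form: dict, inspect=lambda response_b64: None) -> tuple[str, dict]:
    """Proxy: decode the locator, refuse to forward unless it matches the
    response's Destination (so the proxy is not an open relay), run the
    inspection hook, and return (service provider URL, fields to POST there)."""
    target = decode_delivery_url(form["action"])
    if target != response_destination(form["SAMLResponse"]):
        raise ValueError("decoded locator does not match the response's Destination")
    inspect(form["SAMLResponse"])
    return target, {"SAMLResponse": form["SAMLResponse"]}
```

    The service provider still performs its normal signature and Destination validation on what the proxy POSTs, which is why the example never alters the SAMLResponse itself; only the browser-facing form action changes.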

    METHOD FOR PROVIDING AUTHORITATIVE APPLICATION-BASED ROUTING AND AN IMPROVED APPLICATION FIREWALL
    62.
    Invention application (in force)

    Publication number: US20150096008A1

    Publication date: 2015-04-02

    Application number: US14041107

    Filing date: 2013-09-30

    Abstract: A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier and pushing the tagged packets to the network so that the application identifier can be used in routing and priority decisions. In the second embodiment, a method for improving an application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.


    USING CLIENT-HELLO FOR INTELLIGENT ROUTING AND FIREWALLING IN MULTIPATH SECURE ACCESS SYSTEMS

    Publication number: US20250119471A1

    Publication date: 2025-04-10

    Application number: US18376676

    Filing date: 2023-10-04

    Abstract: Techniques for utilizing a portion of a communication session identifier (e.g., a Session-ID, an SPI, a CID, a DCID, and/or the like) to indicate a target routing device (e.g., a VPN and/or ZTNA termination device) for establishing control plane session(s) and/or data plane session(s) at wire speed in a networked computing environment. The routing device(s) of a networked computing environment may generate a communication session identifier and send the communication session identifier to the client device, such that subsequent packets sent from the client device may be forwarded to the proper routing device indicated by the communication session identifier for establishment of one or more data plane sessions. Additionally, data plane sessions may be established using a Resumed Handshake rather than the full handshake that is typically required, as Session Resumption utilizes the assigned communication session identifier for mapping.
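    An added example of the Session-ID case from the abstract above (illustration code, not the patent's or any product's implementation): the routing device hands the client a Session-ID whose leading bytes name the target device, and a front-end node pulls the session_id out of a raw TLS ClientHello at fixed offsets, without a full handshake parse, to pick the device. The two-byte target prefix, the device table, and the minimal constructed ClientHello are assumptions. A client that has no assignment yet sends an empty session_id and falls through to a default device, and an unknown target id does the same rather than failing the connection.

```python
import os
import struct


def make_session_id(target_id: int, n_random: int = 30) -> bytes:
    """Routing device side: a 32-byte Session-ID whose first two bytes name the
    target device; the remainder is random. The layout is an assumption."""
    if not 0 <= target_id <= 0xFFFF:
        raise ValueError("target id must fit in two bytes")
    return struct.pack(">H", target_id) + os.urandom(n_random)


def target_from_session_id(sid: bytes) -> int:
    """Read the target device index back out of a Session-ID."""
    if len(sid) < 2:
        raise ValueError("session id too short to carry a target")
    return struct.unpack(">H", sid[:2])[0]


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed minimal ClientHello: record header, handshake header, legacy
    version, random, session_id, one cipher suite, null compression, and an
    empty extensions block. Enough for the front-end parser below."""
    body = (b"\x03\x03" + os.urandom(32)
            + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"              # compression_methods: null
            + b"\x00\x00")             # extensions: empty
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def session_id_from_client_hello(record: bytes) -> bytes:
    """Front-end node: extract session_id using fixed offsets only. Any length
    inconsistency is rejected rather than guessed at."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:                 # version(2) + random(32) + session_id_len(1)
        raise ValueError("truncated ClientHello")
    sid_len = body[34]
    sid = body[35:35 + sid_len]
    if len(sid) != sid_len:
        raise ValueError("truncated session_id")
    return sid


def route(record: bytes, devices: dict[int, str], default: str) -> str:
    """Pick the termination device for this ClientHello. No assignment (empty
    session_id) or an unknown target falls back to the default device, which
    performs the full handshake and issues a proper Session-ID."""
    sid = session_id_from_client_hello(record)
    if len(sid) < 2:
        return default
    return devices.get(target_from_session_id(sid), default)
```

    The same prefix idea carries over to a DTLS or QUIC connection ID, where the front end reads the DCID from the packet header instead of the ClientHello; only the offset logic changes.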

    Workload migration for multipath routed network sessions

    Publication number: US12255831B2

    Publication date: 2025-03-18

    Application number: US17866932

    Filing date: 2022-07-18

    Abstract: Techniques for migrating on-premises and/or cloud-based workloads to follow a network session as it potentially migrates, due to multipathing techniques, across multiple edge and/or cloud datacenters. The techniques may include determining, by a controller of a network, that a traffic flow between an endpoint device and a workload has migrated to a different path of a multipath flow such that the traffic flow terminates at a different termination point than the workload. Based at least in part on determining that the traffic flow has migrated, the controller may cause a migration of a state of the workload to a location associated with the different termination point. That is, the controller may cause the workload to be migrated in its current state, which may be specific to the endpoint device, to follow the traffic flow.

    Secure access app connectors
    67.
    Granted patent

    Publication number: US12200068B2

    Publication date: 2025-01-14

    Application number: US18373724

    Filing date: 2023-09-27

    Inventor: Vincent E. Parla

    Abstract: Techniques for creating in/out App Connectors for secure access solutions without the need for STUN, TURN, and/or a long-lived control plane component. The techniques may include, among other things, establishing, by an App Connector associated with a workload hosted by an enterprise network, a pool of idle sessions between the App Connector and a termination node associated with the enterprise network. The techniques may also include determining, by the App Connector, that a first idle session of the pool of idle sessions has been consumed by the termination node to establish a communication session for a client device to communicate with the workload. Based at least in part on determining that the first idle session has been consumed, the techniques may include establishing, by the App Connector, a second idle session to be added to the pool of idle sessions between the App Connector and the termination node.
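    The idle-session pool from the abstract above as an added example (illustration code, not the patent's or any product's implementation). The App Connector only ever dials outbound, so the enterprise exposes no listening port and needs no STUN/TURN; it keeps a fixed number of idle sessions parked at the termination node, and when the node binds one to a client the connector notices the session is in use, drops it from its idle set, and opens a replacement. The class names, the pool size, and the way consumption is signalled are assumptions; the termination node is a constructed stand-in.

```python
import itertools
from collections import deque


class TerminationNode:
    """Constructed stand-in for the secure-access termination node. It never
    dials the enterprise; it only accepts sessions the App Connector opens
    outbound, parks them idle, and consumes one when a client arrives."""

    def __init__(self) -> None:
        self.idle: deque[str] = deque()
        self.active: dict[str, str] = {}
        self._ids = itertools.count(1)

    def accept(self, connector: str) -> str:
        """An outbound session from the connector has arrived; park it idle."""
        sid = f"{connector}-{next(self._ids)}"
        self.idle.append(sid)
        return sid

    def serve_client(self, client: str) -> str:
        """Bind the oldest idle session to a client; that session is now consumed."""
        if not self.idle:
            raise RuntimeError("pool exhausted: client must wait for a refill")
        sid = self.idle.popleft()
        self.active[sid] = client
        return sid


class AppConnector:
    """Runs beside the workload; keeps pool_size idle outbound sessions open
    and opens a replacement whenever one is consumed."""

    def __init__(self, name: str, node: TerminationNode, pool_size: int) -> None:
        self.name, self.node, self.pool_size = name, node, pool_size
        self.sessions: set[str] = set()

    def fill(self) -> int:
        """Top the pool up to pool_size; returns how many sessions were opened."""
        opened = 0
        while len(self.sessions) < self.pool_size:
            self.sessions.add(self.node.accept(self.name))
            opened += 1
        return opened

    def on_consumed(self, sid: str) -> int:
        """Called when the connector sees traffic on a parked session, i.e. the
        node has bound it to a client. Drop it from the idle set and refill."""
        if sid not in self.sessions:
            raise KeyError(f"{sid} is not one of this connector's idle sessions")
        self.sessions.discard(sid)
        return self.fill()


def simulate(pool_size: int, clients: list[str]) -> dict:
    """Drive one connector and node through a sequence of clients and report
    how many sessions are idle, active, and tracked by the connector."""
    node = TerminationNode()
    conn = AppConnector("conn-a", node, pool_size)
    conn.fill()
    for client in clients:
        conn.on_consumed(node.serve_client(client))
    return {"idle": len(node.idle), "active": len(node.active),
            "pool": len(conn.sessions)}
```

    The pool size bounds how many clients can be admitted between refills; a burst larger than the pool with no refill in between hits the exhausted case, which is the sizing question an operator has to answer for each workload.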

    QUIC and anycast proxy resiliency
    68.
    Granted patent

    Publication number: US12149596B2

    Publication date: 2024-11-19

    Application number: US18542094

    Filing date: 2023-12-15

    Abstract: Techniques for managing migrations of QUIC connection session(s) across proxy nodes, data centers, and/or private application nodes are described herein. A global key-value datastore, accessible by proxy nodes and/or application nodes, may store mappings between a first QUIC connection, associated with a proxy node and a client device, on the frontend of the proxy node and a second QUIC connection, associated with the proxy node and an application node, on the backend of the proxy node. With the global key-value datastore being accessible by the proxy nodes, when a proxy node receives a QUIC packet on the front end or the back end, the proxy node may determine where to map this connection to on the opposite end. Additionally, with the global key-value datastore being accessible to the application nodes, when an application node receives a QUIC packet, the application node may determine the client device associated with the connection.

    Network Address Translation (NAT)-based Traffic Steering

    Publication number: US20240364628A1

    Publication date: 2024-10-31

    Application number: US18769185

    Filing date: 2024-07-10

    CPC classification number: H04L45/74 H04L69/165

    Abstract: Techniques for NAT-based steering of traffic in cloud-based networks. The techniques may include establishing, by a frontend node of a network, a connection with a client device. The frontend node may receive, via the connection, a packet including an indication of an identity of a service hosted on a backend node of the network. Based at least in part on the indication, the frontend node may establish a second connection with the backend node. Additionally, the frontend node may store a mapping indicating that packets received from the client device are to be sent to the backend node. The techniques may also include receiving another packet at the frontend node or another frontend node of the network. Based at least in part on the mapping, the frontend node or other frontend node may alter one or more network addresses of the other packet and forward it to the backend node.

    Dynamic proxy placement for policy-based routing

    Publication number: US12107937B2

    Publication date: 2024-10-01

    Application number: US17679499

    Filing date: 2022-02-24

    Abstract: Techniques for operationalizing workloads at edge network nodes, while maintaining centralized intent and policy controls. The techniques may include storing, in a cloud-computing network, a workload image that includes a function capability. The techniques may also include receiving, at the cloud-computing network, a networking policy associated with an enterprise network. Based at least in part on the networking policy, a determination may be made at the cloud-computing network that the function capability is to be operationalized on an edge device of the enterprise network. The techniques may also include sending the workload image to the edge device to be installed on the edge device to operationalize the function capability. In some examples, the function capability may be a security function capability (e.g., proxy, firewall, etc.), a routing function capability (e.g., network address translation, load balancing, etc.), or any other function capability.
