公开(公告)号：US11451560B2

公开(公告)日：2022-09-20

申请号：US16808114

申请日：2020-03-03

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners ,  Selvaraj Mani ,  Eliot Lear

IPC: H04L12/00 ,  H04L9/40 ,  H04L61/5014 ,  H04L101/686

Abstract: Systems, methods, and computer-readable media are disclosed for measurement of trustworthiness of network devices prior to their configuration and deployment in a network. In one aspect of the present disclosure, a method for pre-configuration of network devices includes receiving, at a dynamic host configuration server, a first request from a network device for configuration data, the configuration data including at least an IP address; sending, by the dynamic host configuration server, a second request to the network device for attestation information; verifying, by the dynamic host configuration server, the network device based on the attestation information; and assigning, by the dynamic host configuration server, the configuration data to the network device upon verifying the network device.

公开(公告)号：US20220174091A1

公开(公告)日：2022-06-02

申请号：US17672502

申请日：2022-02-15

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  William F. Sulzen ,  Frank Brockners

IPC: H04L9/40 ,  H04L61/103

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. An ARP responder can receive an ARP request from an ARP requestor for performing address resolution between the ARP requestor and the ARP responder in a network environment. The ARP responder can build an ARP response including attestation information of the ARP responder. Further, the ARP responder can provide, to the ARP requestor, the attestation information for verifying the ARP responder using the ARP response and the attestation information of the ARP responder.

公开(公告)号：US11343091B2

公开(公告)日：2022-05-24

申请号：US16784025

申请日：2020-02-06

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32

Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node including network devices and the access control messages can be based on RADIUS or TACACS+ protocols among others. The first node can obtain attestation information from one or more fields of the access control messages determine whether the second node is authentic and trustworthy based on the attestation information. The first node can also determine reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node can be a client, or the first node can be a client and the second node can be a server. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.

公开(公告)号：US20220070251A1

公开(公告)日：2022-03-03

申请号：US17499731

申请日：2021-10-12

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L29/08 ,  H04W24/10 ,  H04L29/06 ,  H04L29/12 ,  H04L9/32

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

公开(公告)号：US20220060384A1

公开(公告)日：2022-02-24

申请号：US17517622

申请日：2021-11-02

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L12/24 ,  H04W84/18 ,  H04L12/721 ,  H04L12/751 ,  H04W40/24

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. A recipient node in a network environment can receive a neighbor discovery (ND) message from an originating node in the network environment that are both implementing a neighbor discovery protocol. Trustworthiness of the originating node can be verified by identifying a level of trust of the originating node based on attestation information for the originating node included in the ND message received at the recipient node. Connectivity with the recipient node through the network environment can be managed based on the level of trust of the originating node identified from the attestation information included in the ND message.

公开(公告)号：US11212318B2

公开(公告)日：2021-12-28

申请号：US16684094

申请日：2019-11-14

Applicant: Cisco Technology, Inc.

Inventor： Selvaraj Mani ,  Frank Brockners ,  Shwetha Subray Bhandari

IPC: H04L29/06 ,  H04L9/32 ,  H04L29/12

Abstract: Technologies for attestation techniques, systems, and methods to confirm the integrity of a device for service discovery and more specifically, for proving trustworthiness of particular service devices and/or mDNS controller/network elements with respect to DNS/mDNS service discovery. Such attestation techniques may implement canary stamps (e.g., tokens or metadata elements containing or reflecting security measures taken at the device).

公开(公告)号：US20210344598A1

公开(公告)日：2021-11-04

申请号：US17377047

申请日：2021-07-15

Applicant: Cisco Technology, Inc.

Inventor： Atri Indiresan ,  Frank Brockners ,  Shwetha Subray Bhandari

IPC: H04L12/743 ,  H04L12/24 ,  H04L12/851 ,  H04L29/12

Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first value. The method further includes generating a second value by inputting the first value and one or more node details into a hash function. The method includes replacing the first value with the second value in the packet. The packet including the second value is forwarded by the node.

公开(公告)号：US11122346B1

公开(公告)日：2021-09-14

申请号：US16912238

申请日：2020-06-25

Applicant: Cisco Technology, Inc.

Inventor： Manoj Kumar ,  Sujal Sheth ,  Zafar Ali ,  Eric Voit ,  Shwetha Subray Bhandari

IPC: H04Q11/00 ,  H04L29/06

Abstract: The present technology discloses methods, systems, and non-transitory computer-readable media for receiving, by a relying node in an optical transport network environment, attestation information in a trail trace identifier of an optical unit from an attester node in the optical transport network environment; verifying a trustworthiness of the attester node by identifying a level of trust of the attester node from the attestation information; and controlling network service access of the attester node through the relying node in the network environment based on the level of trust of the attester node identified from the attestation information.

公开(公告)号：US11038744B2

公开(公告)日：2021-06-15

申请号：US16839273

申请日：2020-04-03

Applicant: Cisco Technology, Inc.

Inventor： David D. Ward ,  Carlos M. Pignataro ,  Frank Brockners ,  Shwetha Subray Bhandari

IPC: H04L12/26 ,  H04L12/46 ,  H04L12/723 ,  H04L12/70 ,  H04L12/24 ,  H04L12/54 ,  H04L29/06

Abstract: Embodiments of the disclosure pertain to activating in-band OAM based on a triggering event. Aspects of the embodiments are directed to receiving a first notification indicating a problem in a network; triggering a data-collection feature on one or more nodes in the network for subsequent packets that traverse the one or more nodes; evaluating a subsequent packet that includes data augmented by the data collection feature; and determining the problem in the network based on the data augmented to the subsequent packet.

公开(公告)号：US11012353B2

公开(公告)日：2021-05-18

申请号：US16231319

申请日：2018-12-21

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Nagendra Kumar Nainar ,  Carlos M. Pignataro ,  Frank Brockners

IPC: H04L12/741 ,  H04L29/06 ,  H04L9/08 ,  H04L12/707 ,  H04L9/32 ,  H04L12/935

Abstract: In one embodiment, nodes use in-band operations data (e.g., carried in iOAM data field(s)) to signal departures in the processing of a packet in a network. A “departure” refers to a divergence or deviation, as from an established rule, plan, or procedure. Departures include, but are not limited to, sending a packet over a backup path (thus, a departure/deviation from sending over a primary path); offload processing of a packet (thus, a departure/deviation from processing of a packet by an application processing apparatus); and exception or punting/slow/software path processing of a packet (thus, a departure/deviation from normal or fast/hardware path processing of a packet). In one embodiment, a proof of transit validation apparatus uses departure information to select among multiple possible verification secrets, with the selected verification secret used in validation processing with a cumulative secret value obtained from the packet.