公开(公告)号：US11695769B2

公开(公告)日：2023-07-04

申请号：US16989234

申请日：2020-08-10

Applicant: Cisco Technology, Inc.

Inventor： Sape Jurrien Mullender ,  Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Ahmed Bakry Helmy Ahmed ,  Aaron T. Woland

IPC: H04L29/06 ,  H04L9/40

CPC classification number: H04L63/0892

Abstract: This disclosure describes techniques for dynamically changing a user authorization with a service provider during an ongoing user session. The changing user authorization may be used to address changing confidence in an identity of a user consuming a service provided by the service provider. The changing user authorization may also be used to adjust a scope of a service to which a user has access. The present techniques may allow single-sign-on type protocols to accomplish the flexible and dynamic change-of-authorization functionality of some traditional protocols to handle ongoing client-server sessions, rather than simply revoking authorization for access to the service. For this reason, the present techniques are able to integrate advantages of traditional protocols with newer, single-sign-on-type protocols.

公开(公告)号：US11683308B2

公开(公告)日：2023-06-20

申请号：US16562867

申请日：2019-09-06

Applicant: Cisco Technology Inc.

Inventor： Stefan Olofsson ,  Ijsbrand Wijnands ,  Hendrikus G. P. Bosch

IPC: H04L9/40 ,  H04L12/46 ,  H04L61/256

CPC classification number: H04L63/0892 ,  H04L12/4641 ,  H04L63/0272 ,  H04L63/083 ,  H04L63/0823 ,  H04L63/168 ,  H04L61/2571

Abstract: In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including receiving a user credential from a remote access client within a network and communicating the user credential to an authentication, authorization and accounting (AAA) server within the network. The operations also include receiving a user attribute from the AAA server and generating a contextual label based on the user attribute. The contextual label includes routing instructions associated with traffic behavior within the network. The operations further include advertising a control message, which includes the contextual label, to the remote access client.

公开(公告)号：US11658847B2

公开(公告)日：2023-05-23

申请号：US17937961

申请日：2022-10-04

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Pablo Camarillo Garvia ,  Hendrikus G. P. Bosch ,  Clarence Filsfils

IPC: H04L12/46 ,  H04L45/74 ,  H04L45/50 ,  H04W84/04

CPC classification number: H04L12/4633 ,  H04L45/74 ,  H04L45/50 ,  H04L2212/00 ,  H04W84/042

Abstract: In one embodiment, a segment routing and tunnel exchange provides packet forwarding efficiencies in a network, including providing an exchange between a segment routing domain and a packet tunnel domain. One application includes the segment routing and tunnel exchange interfacing segment routing packet forwarding (e.g., in a Evolved Packet Core (EPC) and/or 5-G user plane) and packet tunnel forwarding in access networks (e.g., replacing a portion of a tunnel between an access node and a user plane function for accessing a corresponding data network). In one embodiment, a network provides mobility services using a segment routing data plane that spans segment routing and tunnel exchange(s) and segment routing-enabled user plane functions. One embodiment uses the segment routing data plane without any modification to a (radio) access network (R)AN (e.g., Evolved NodeB, Next Generation NodeB) nor to user equipment (e.g., any end user device).

公开(公告)号：US11483796B2

公开(公告)日：2022-10-25

申请号：US16694509

申请日：2019-11-25

Applicant: Cisco Technology, Inc.

Inventor： Anubhav Gupta ,  Hendrikus G. P. Bosch ,  Vamsidhar Valluri ,  Stefan Olofsson

IPC: H04W64/00 ,  H04L61/2585 ,  H04W24/08 ,  H04W48/16

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.

公开(公告)号：US11425098B2

公开(公告)日：2022-08-23

申请号：US16855809

申请日：2020-04-22

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Sape Jurriën Mullender ,  Jeffrey Michael Napper

IPC: H04L9/40 ,  H04L12/46

Abstract: An identity provider (IdP) service interoperates with a Virtual Private Network (VPN) client. The IdP service receives a login request originating from the VPN client to establish a VPN tunnel between the VPN client and a VPN host, the login request indicating a user of the VPN client. The IdP service provides a response to the login request. The response includes at least both first information including an indication that the user of the VPN client is an authorized user and second information including an indication of a VPN policy for the VPN tunnel, the VPN policy including a VPN client policy to be utilized during the VPN tunnel by the VPN client and a VPN host policy to be utilized during the VPN tunnel by the VPN host.

公开(公告)号：US09769217B2

公开(公告)日：2017-09-19

申请号：US14086734

申请日：2013-11-21

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Hendrikus G. P. Bosch ,  Paul A. Polakos ,  Humberto J. La Roche ,  Mahavir Dagdulal Karnavat

IPC: H04L29/06

CPC classification number: H04L65/1069 ,  H04L65/105

Abstract: A method is provided in one example embodiment and includes receiving a first request from a first user equipment by a first transport layer proxy located within an access network The first request includes a request to establish a user session between the first user equipment and a remote server. The method further includes establishing a first transport layer session between the first user equipment and the first transport layer proxy, establishing a second transport layer session between the first transport layer proxy and the remote server, and establishing a first control channel between the first transport layer proxy and a transport layer function manager within a core network. The method further includes sending session state parameters associated with the first transport layer session and the second transport layer session to the transport layer function manager using the first control channel.

公开(公告)号：US09479443B2

公开(公告)日：2016-10-25

申请号：US14285843

申请日：2014-05-23

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Hendrikus G. P. Bosch ,  Ian McDowell Campbell ,  Humberto J. La Roche ,  James N. Guichard ,  Surendra M. Kumar ,  Paul Quinn ,  Alessandro Duminuco ,  Jeffrey Napper ,  Ravi Shekhar

IPC: H04L12/851 ,  H04L12/801 ,  H04W72/04 ,  H04L12/721 ,  H04W88/16

CPC classification number: H04L47/2408 ,  H04L45/38 ,  H04L47/12 ,  H04L47/14 ,  H04W72/0493 ,  H04W88/16

Abstract: An example method is provided in one example embodiment and may include receiving a packet for a subscriber at a gateway, wherein the gateway includes a local policy anchor for interfacing with one or more policy servers and one or more classifiers for interfacing with one or more service chains, each service chain including one or more services accessible by the gateway; determining a service chain to receive the subscriber's packet; appending the subscriber's packet with a header, wherein the header includes, at least in part, identification information for the subscriber and an Internet Protocol (IP) address for the local policy anchor; and injecting the packet including the header into the service chain determined for the subscriber.

Abstract translation: 在一个示例性实施例中提供了示例性方法，并且可以包括在网关处接收订户的分组，其中所述网关包括用于与一个或多个策略服务器进行接口的本地策略锚点以及用于与一个或多个服务 每个服务链包括由网关可访问的一个或多个服务; 确定服务链以接收订户的分组; 用标题附加订户的分组，其中该报头至少部分地包括用户的标识信息和用于本地策略锚的因特网协议（IP）地址; 以及将包括所述头部的分组注入到为所述用户确定的服务链中。

公开(公告)号：US09413659B2

公开(公告)日：2016-08-09

申请号：US14301767

申请日：2014-06-11

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Jeffrey Napper

IPC: H04L12/26 ,  H04L12/741 ,  H04L12/801 ,  H04L12/851

CPC classification number: H04L45/745 ,  H04L47/18 ,  H04L47/2441

Abstract: An example method for distributed network address and port translation (NAPT) for migrating flows between service chains in a network environment is provided and includes distributing translation state for a flow traversing the network across a plurality of NAPT service nodes in the network, with packets belonging to the flow being translated according to the translation state, associating the flow with a first service chain at a flow classifier in the network, and updating the association when the flow migrates from the first service chain to a second service chain, with packets belonging to the migrated flow also being translated according to the translation state. The method may be executed at a pool manager in the network. In specific embodiments, the pool manager may include a distributed storage located across the plurality of NAPT service nodes.

Abstract translation: 提供了一种用于在网络环境中的服务链之间迁移流的分布式网络地址和端口转换（NAPT）的示例方法，并且包括：跨越网络中的多个NAPT服务节点的跨流过的流的分发转换状态，分组属于 根据所述翻译状态对所述流进行翻译，将所述流与所述网络中的流分类器处的第一服务链相关联，以及当所述流从所述第一服务链迁移到第二服务链时更新所述关联，其中分组属于 迁移流也根据翻译状态进行翻译。 该方法可以在网络中的池管理器处执行。 在具体实施例中，池管理器可以包括跨越多个NAPT服务节点的分布式存储器。

公开(公告)号：US09258243B2

公开(公告)日：2016-02-09

申请号：US13891247

申请日：2013-05-10

Applicant: Cisco Technology, Inc.

Inventor： James Guichard ,  Paul Quinn ,  Rex Fernando ,  Govind P. Sharma ,  David Ward ,  Hendrikus G. P. Bosch ,  Luyuan Fang

IPC: H04L12/721 ,  H04L12/859 ,  H04L12/851

CPC classification number: H04L47/2475 ,  H04L47/2441

Abstract: A plurality of network nodes are deployed in a network, each network node configured to apply a service function to traffic that passes through the respective network nodes. A controller generates information for a service chain that involves application to traffic of one or more service functions at corresponding ones of the plurality of network nodes along a forward path through the one or more network nodes. The controller identifies one or more of the service functions within the service chain that is stateful. When one or more of the service functions of the service chain is stateful, the controller generates information for a reverse path through the one or more service nodes for the one or more stateful service functions. The controller binds a forward chain identifier for the forward path with a reverse chain identifier for the reverse path for the service chain.

Abstract translation: 多个网络节点部署在网络中，每个网络节点被配置为向通过各个网络节点的业务应用服务功能。 控制器生成用于服务链的信息，其涉及通过所述一个或多个网络节点沿着前向路径应用于所述多个网络节点中的对应的一个或多个服务功能的业务。 控制器识别服务链中的一个或多个服务功能是有状态的。 当服务链的一个或多个服务功能是有状态时，控制器通过用于一个或多个有状态服务功能的一个或多个服务节点生成用于反向路径的信息。 控制器将正向路径的前向链标识符与用于服务链的反向路径的反向链标识符绑定。

公开(公告)号：US12261826B2

公开(公告)日：2025-03-25

申请号：US17857678

申请日：2022-07-05

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Zohar Kaufman

IPC: G06F21/00 ,  G06F9/455 ,  G06F9/54 ,  H04L9/40

Abstract: A system of one embodiment allows for redirecting service and API calls for containerized applications in a computer network. The system includes a memory and a processor. The system processes a plurality of application workflows of a containerized application workload. The system then identifies at least one application workflow of the plurality of application workflows and at least one workflow-specific routing rule associated with the at least one application workflow. The system then determines at least one proxy server address for each identified application workflow based on the at least one associated workflow-specific routing rule. Then the system determines at least one proxy server address for each identified application workflow based on the at least one associated workflow-specific routing rule. The system then may communicate the at least one identified application workflow to the at least one proxy server using the at least one determined proxy server addresses.