公开(公告)号：US20240195868A1

公开(公告)日：2024-06-13

申请号：US18418156

申请日：2024-01-19

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L67/104 ,  H04L9/32 ,  H04L9/40 ,  H04L61/4511 ,  H04L67/1001 ,  H04W24/10

CPC classification number: H04L67/104 ,  H04L9/3247 ,  H04L61/4511 ,  H04L63/0823 ,  H04L67/1001 ,  H04W24/10

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

公开(公告)号：US11979412B2

公开(公告)日：2024-05-07

申请号：US18195081

申请日：2023-05-09

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Santhosh N ,  Rakesh Reddy Kandula ,  Saiprasad Reddy Muchala ,  Frank Brockners

IPC: H04L9/40 ,  H04L9/08 ,  H04L9/32 ,  H04L45/00

CPC classification number: H04L63/123 ,  H04L9/0869 ,  H04L9/321 ,  H04L45/72 ,  H04L63/0428 ,  H04L63/0435

Abstract: Techniques to facilitate verification of in-situ network telemetry data of data packet of data traffic of packet-switched networks are described herein. A technique described herein includes a network node obtaining a data packet of data traffic of a packet-switched network. The data packet includes an in-situ network telemetry block. The network node obtains telemetry data and cryptographic key. The cryptographic key confidentially identifies the network node. The node encrypts at least a portion of the telemetry data based on the cryptographic key to produce signed telemetry data and updates telemetry-data entry of the in-situ network telemetry block. The telemetry data and signed telemetry data is inserted into the telemetry-data entry. The node forwards the data packet with the updated telemetry-data entry to another network node of the packet-switched network.

公开(公告)号：US11411994B2

公开(公告)日：2022-08-09

申请号：US16839576

申请日：2020-04-03

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L29/06 ,  H04L9/40

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

公开(公告)号：US20220222347A1

公开(公告)日：2022-07-14

申请号：US17712499

申请日：2022-04-04

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: G06F21/57 ,  H04L9/08 ,  H04L9/32

Abstract: Technologies for attestation techniques, systems, and methods to confirm the integrity of a device for establishing and/or maintaining a trustworthy encrypted network session. An example method can include sending, via a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; determining whether to perform a next step in the cryptographic security protocol based on the level of trust, wherein the cryptographic security protocol comprises at least one of a Secure Shell (SSH) protocol, a Transport Layer Security (TLS) protocol, a Secure Sockets Layer (SSL) protocol, and an Internet Protocol Security (IPsec) protocol.

公开(公告)号：US11245484B2

公开(公告)日：2022-02-08

申请号：US16790935

申请日：2020-02-14

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Frank Brockners ,  Srihari Raghavan

IPC: H04J3/06 ,  H04L9/32

Abstract: Systems, methods, and computer-readable media for authenticating time sources using attestation-based techniques include receiving, at a destination device, a time reference signal from a source device, the source and destination devices being network devices. The time reference signal can include a time synchronization signal or a time distribution signal. The destination device can obtain attestation information from one or more fields of the time reference signal and determine whether the source device is authentic and trustworthy based on the attestation information. The destination device can also determine reliability or freshness of the time reference signal based on the attestation information. The time reference signal can be based on a Network Time Protocol (NTP), a Precision Time Protocol (NTP), or other protocol. The attestation information can include Proof of Integrity based a Canary stamp, a hardware fingerprint, a Secure Unique Device Identification (SUDI) of the source device, or an attestation key.

公开(公告)号：US10972377B2

公开(公告)日：2021-04-06

申请号：US16231096

申请日：2018-12-21

Applicant: Cisco Technology, Inc.

Inventor： Nagendra Kumar Nainar ,  Carlos M. Pignataro ,  Frank Brockners ,  Shwetha Subray Bhandari

IPC: H04L12/715 ,  H04L12/751 ,  H04L29/06 ,  H04L12/24 ,  H04L12/741

Abstract: In one embodiment, network nodes coordinate recording of In-Situ Operations, Administration, and Maintenance (IOAM) data in packets traversing the network nodes, including a node adding IOAM data of another node to packets on behalf of the another node. After receiving a particular packet, a network node adds first IOAM data and second IOAM data to the particular packet, with the first IOAM data related to the first network node and the second IOAM data related to a second network node. The packet is then sent from the first network node. The coordinated offloading of the adding of IOAM data to packets allows a node to free up resources currently used for IOAM operations to be used for other packet processing operations, while still having IOAM data related to the node recorded in packets. The coordinated offloading may include control plane communication (e.g., via a routing or other protocol).

公开(公告)号：US10805215B2

公开(公告)日：2020-10-13

申请号：US15926292

申请日：2018-03-20

Applicant: Cisco Technology, Inc.

Inventor： Nagendra Kumar Nainar ,  Carlos M. Pignataro ,  Frank Brockners ,  Shwetha Subray Bhandari

IPC: H04L12/741 ,  H04L12/721 ,  H04L12/803 ,  H04L12/26

Abstract: Presented herein are techniques for monitoring packets in a container networking environment. A method includes receiving a packet at a network node, the packet having been routed to the network node in accordance with instructions from a container orchestration system, inserting an additional field in the packet that is configured to record a path of the packet within a first POD of the host device that includes at least one container, forwarding the packet to the first POD of the host device in accordance with the instructions from the container orchestration system, updating the additional field with container networking path information as the packet transits the first POD and the at least one container therein, storing the container path information in an analytics node of the network node, removing the additional field from the packet, and transmitting the packet from the network node to the network.

公开(公告)号：US20200322176A1

公开(公告)日：2020-10-08

申请号：US16782235

申请日：2020-02-05

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Eric Voit ,  Jesse Daniel Backman ,  Robert Stephen Rodgers ,  Joseph Eryx Malcolm

IPC: H04L9/32 ,  G06F21/72 ,  H04L29/06 ,  H04L9/08 ,  G06F21/57

Abstract: The present technology discloses systems, methods, and computer-readable media for requesting at least one signed security measurement from at least one module with a corresponding cryptoprocessor, the at least one module existing within a device; receiving the at least one signed security measurement from the at least one module with the corresponding cryptoprocessor; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.

公开(公告)号：US20200322075A1

公开(公告)日：2020-10-08

申请号：US16790935

申请日：2020-02-14

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Frank Brockners ,  Srihari Raghavan

IPC: H04J3/06 ,  H04L9/32

Abstract: Systems, methods, and computer-readable media for authenticating time sources using attestation-based techniques include receiving, at a destination device, a time reference signal from a source device, the source and destination devices being network devices. The time reference signal can include a time synchronization signal or a time distribution signal. The destination device can obtain attestation information from one or more fields of the time reference signal and determine whether the source device is authentic and trustworthy based on the attestation information. The destination device can also determine reliability or freshness of the time reference signal based on the attestation information. The time reference signal can be based on a Network Time Protocol (NTP), a Precision Time Protocol (NTP), or other protocol. The attestation information can include Proof of Integrity based a Canary stamp, a hardware fingerprint, a Secure Unique Device Identification (SUDI) of the source device, or an attestation key.

公开(公告)号：US10749710B2

公开(公告)日：2020-08-18

申请号：US16231247

申请日：2018-12-21

Applicant: Cisco Technology, Inc.

Inventor： Carlos M. Pignataro ,  Frank Brockners ,  Shwetha Subray Bhandari ,  Nagendra Kumar Nainar

IPC: H04L12/46 ,  H04L12/54 ,  H04L12/749 ,  H04L12/70

Abstract: In one embodiment, a service function forwarder (SFF) analyzes pre-service state and post-service state of an original packet to determine whether to initiate and perform service offload or service bypass. A service function forwarder (SFF) receives a particular packet having a service function chain (SFC) encapsulation of the original packet, the SFC encapsulation identifying a particular service function path (SFP) designating a particular service function (SF). The SFF extracts pre-service state of the original packet, typically adding it to the particular packet in an In-Situ Operations, Administration, and Maintenance (IOAM) data field (or alternatively storing locally) before sending the particular packet to the particular SF. The SFF receives the particular packet after the SF applies the particular network service. In response to analyzing pre-service state and post-service state by the SFF, the SFF may perform service bypass or service offload for subsequently received packets identifying the same particular SFP.