1. Dynamic device isolation in a network

    Publication (Announcement) No.: US11283831B2
    Publication (Announcement) Date: 2022-03-22
    Application No.: US16421858
    Filing Date: 2019-05-24

    Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

2. DYNAMIC DEVICE ISOLATION IN A NETWORK (patent application)

    Publication (Announcement) No.: US20180255092A1
    Publication (Announcement) Date: 2018-09-06
    Application No.: US15446707
    Filing Date: 2017-03-01

    Abstract: identical to the abstract of US11283831B2 above.

3. Dynamic network and security policy for IoT devices

    Publication (Announcement) No.: US10601664B2
    Publication (Announcement) Date: 2020-03-24
    Application No.: US15582294
    Filing Date: 2017-04-28

    Abstract: In one embodiment, a network controller for a computer network receives details of a provisioned device and policy requirements for the provisioned device. The network controller may then determine, based on the details and policy requirements for the provisioned device, a plurality of network devices that the provisioned device is configured to communicate through, and may then translate the details and policy requirements for the provisioned device into a plurality of network-device-specific policies, each respective network-device-specific policy corresponding to one of the plurality of network devices that the provisioned device is configured to communicate through. As such, the network controller may then transmit a respective network-device-specific policy of the plurality of network-device-specific policies to the plurality of network devices that the provisioned device is configured to communicate through.
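The translation step in this abstract (one device's policy requirements becoming a separate policy for every network device on its path) is the part a practitioner would want to see worked through. The following is an added example, not code from the patent or its assignee: a toy controller that finds the hops between the endpoint's attachment point and the network egress, then emits only the rules each hop can enforce. The topology, roles, device details, flow tuple format and the vendor-neutral rule syntax are all assumptions made for illustration.

```python
"""Toy network controller: per-device policy -> per-hop network-device policies.

Added example, not the patent's or its assignee's code.  Topology, roles, the
policy grammar and the rule syntax emitted for each hop are illustrative assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProvisionedDevice:
    name: str
    mac: str
    ip: str
    attach_point: str                             # network device the endpoint plugs into
    allowed_flows: List[Tuple[str, str, int]]     # (dst_ip, proto, dst_port) the device may use


# Constructed topology: adjacency between network devices and each device's role.
TOPOLOGY: Dict[str, List[str]] = {
    "sw-access-1": ["rtr-dist-1"],
    "rtr-dist-1": ["sw-access-1", "fw-edge-1"],
    "fw-edge-1": ["rtr-dist-1", "internet"],
    "internet": ["fw-edge-1"],
}
ROLE: Dict[str, str] = {"sw-access-1": "switch", "rtr-dist-1": "router", "fw-edge-1": "firewall"}


def path_to(src: str, dst: str) -> List[str]:
    """Shortest hop sequence from src to dst (BFS): the devices the endpoint talks through."""
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in TOPOLOGY.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no path from {src} to {dst}")
    path: List[str] = []
    cur: Optional[str] = dst
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def translate(dev: ProvisionedDevice, egress: str = "internet") -> Dict[str, List[str]]:
    """Return {network_device: [rule lines]} for every managed device on the endpoint's path.

    Each hop gets only what it can enforce: MAC/IP binding plus a coarse IP allowlist at the
    access switch, a protocol/port ACL at the router, a stateful rule at the firewall, and an
    explicit default deny for the endpoint at every hop so the profile is closed, not open.
    """
    hops = [h for h in path_to(dev.attach_point, egress) if h in ROLE]
    policies: Dict[str, List[str]] = {h: [] for h in hops}
    for hop in hops:
        role = ROLE[hop]
        if role == "switch":
            policies[hop].append(f"port-security bind {dev.mac} {dev.ip}")
        for dst, proto, port in dev.allowed_flows:
            if role == "switch":
                policies[hop].append(f"permit ip host {dev.ip} host {dst}")
            elif role == "router":
                policies[hop].append(f"permit {proto} host {dev.ip} host {dst} eq {port}")
            elif role == "firewall":
                policies[hop].append(f"rule allow src={dev.ip} dst={dst} proto={proto} dport={port}")
        policies[hop].append(f"deny any from {dev.ip}")
    return policies


def run_scenario() -> Dict[str, List[str]]:
    """Constructed device: a door sensor that may only reach one MQTT-over-TLS broker."""
    sensor = ProvisionedDevice(
        name="door-sensor-7", mac="aa:bb:cc:dd:ee:07", ip="10.40.0.17",
        attach_point="sw-access-1",
        allowed_flows=[("203.0.113.50", "tcp", 8883)],
    )
    return translate(sensor)


if __name__ == "__main__":
    for device, lines in run_scenario().items():
        print(device)
        for line in lines:
            print("   ", line)
```

The per-hop split is the point: the switch never sees a port number it cannot filter on, the firewall never receives a MAC binding, and every hop closes with a deny for that endpoint, so a rule lost in transit fails closed rather than open.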

4. DYNAMIC DEVICE ISOLATION IN A NETWORK (patent application)

    Publication (Announcement) No.: US20190281085A1
    Publication (Announcement) Date: 2019-09-12
    Application No.: US16421858
    Filing Date: 2019-05-24

    Abstract: identical to the abstract of US11283831B2 above.

5. Dynamic device isolation in a network

    Publication (Announcement) No.: US10356124B2
    Publication (Announcement) Date: 2019-07-16
    Application No.: US15446707
    Filing Date: 2017-03-01

    Abstract: identical to the abstract of US11283831B2 above.
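The four "Dynamic device isolation" entries above share one mechanism: the in-path device tags the endpoint's name lookup with a profile, the lookup service answers only with addresses that profile is authorized for, and the device then admits traffic only to addresses it saw in such answers. The following is an added example, not code from the patents or their assignee, modelling that flow end to end. The profile-tag field, the lookup table, the 60-second TTL and the MAC-to-profile map are assumptions; a real deployment would carry the tag in the resolver protocol and derive profiles from device profiling.

```python
"""Toy model of lookup-mediated device isolation.

Added example; not code from the patents or their assignee.  Names, the profile-tag
field, the lookup table and the TTL handling are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed data: which names each device profile may resolve, and to what.
LOOKUP_TABLE: Dict[str, Dict[str, List[str]]] = {
    "camera": {
        "video.vendor.example": ["203.0.113.10"],
        "ntp.vendor.example": ["203.0.113.20"],
    },
    "thermostat": {
        "api.hvac.example": ["198.51.100.5", "198.51.100.6"],
    },
}


@dataclass
class AddressRequest:
    src_mac: str
    name: str
    profile_tag: Optional[str] = None    # inserted by the enforcement device, never trusted from the endpoint


@dataclass
class AddressResponse:
    src_mac: str
    name: str
    addresses: List[str]
    ttl: int


class FakeClock:
    """Deterministic clock so the TTL logic can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class LookupService:
    """Resolves a name only if the tagged profile is authorized for it."""
    def resolve(self, req: AddressRequest) -> AddressResponse:
        allowed = LOOKUP_TABLE.get(req.profile_tag or "", {})
        return AddressResponse(req.src_mac, req.name, list(allowed.get(req.name, [])), ttl=60)


class EnforcementDevice:
    """The in-path device: tags requests, learns the authorized set, filters traffic."""
    def __init__(self, lookup: LookupService, profiles: Dict[str, str], clock) -> None:
        self.lookup = lookup
        self.profiles = profiles                          # MAC -> profile tag (assumed source: device profiling)
        self.clock = clock
        self.allowed: Dict[str, Dict[str, float]] = {}    # MAC -> {ip: expiry}

    def handle_request(self, req: AddressRequest) -> AddressResponse:
        # Overwrite any tag the endpoint supplied itself: the tag must come from the network,
        # otherwise a compromised endpoint could claim a more permissive profile.
        req.profile_tag = self.profiles.get(req.src_mac, "unknown")
        resp = self.lookup.resolve(req)
        expiry = self.clock() + resp.ttl
        table = self.allowed.setdefault(req.src_mac, {})
        for ip in resp.addresses:
            table[ip] = expiry
        return resp

    def is_authorized(self, src_mac: str, dst_ip: str) -> bool:
        table = self.allowed.get(src_mac, {})
        now = self.clock()
        for ip in [ip for ip, exp in table.items() if exp <= now]:
            del table[ip]                                 # authorized only while the answer is live
        return dst_ip in table

    def forward(self, src_mac: str, dst_ip: str) -> str:
        return "FORWARD" if self.is_authorized(src_mac, dst_ip) else "BLOCK"


def run_scenario(clock: FakeClock) -> Dict[str, str]:
    """Exercise the flow for a camera; returns the verdict for each attempted connection."""
    cam = "aa:bb:cc:00:00:01"
    dev = EnforcementDevice(LookupService(), {cam: "camera"}, clock)
    dev.handle_request(AddressRequest(cam, "video.vendor.example", profile_tag="admin"))  # tag gets replaced
    dev.handle_request(AddressRequest(cam, "api.hvac.example"))       # not in the camera profile: empty answer
    verdicts = {
        "resolved_name": dev.forward(cam, "203.0.113.10"),            # learned from the answer
        "other_profile_name": dev.forward(cam, "198.51.100.5"),
        "hardcoded_ip": dev.forward(cam, "192.0.2.99"),               # never resolved at all
    }
    clock.now += 61                                                    # let the answer expire
    verdicts["after_ttl"] = dev.forward(cam, "203.0.113.10")
    return verdicts


if __name__ == "__main__":
    for k, v in run_scenario(FakeClock()).items():
        print(f"{k:20s} {v}")
```

Two properties fall out of the model: an endpoint that skips the lookup and dials a hard-coded address is blocked because that address was never authorized, and the authorization decays with the answer's TTL, so the allowed set tracks what the lookup service currently says rather than what it once said. The check that matters operationally is the first one in handle_request: if the endpoint's own tag were honoured, the whole scheme would be bypassable.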

6. SYSTEM AND METHOD FOR PROVIDING PREFIXES INDICATIVE OF MOBILITY PROPERTIES IN A NETWORK ENVIRONMENT (patent application, pending - published)

    Publication (Announcement) No.: US20130195037A1
    Publication (Announcement) Date: 2013-08-01
    Application No.: US13733579
    Filing Date: 2013-01-03

    Abstract: An example method includes receiving an Internet protocol (IP) address request in a network and selecting an IP address associated with a prefix that represents an IP subnet. The prefix includes a color attribute to be provided as part of a communication session that includes a plurality of packets. The prefix defines one or more properties associated with an application for the session. The prefix is communicated to a network element in a signaling plane, the prefix is configured to be used to make a routing decision for at least some of the plurality of packets. In more specific embodiments, the method can include applying one or more network policies based on the prefix associated with the IP address. The method could also include decrypting an encryption protocol in order to identify the prefix of a subsequent communication flow, and executing a routing decision based on the prefix.


8. Detection of Stale Encryption Policy By Group Members (patent application, pending - published)

    Publication (Announcement) No.: US20160164848A1
    Publication (Announcement) Date: 2016-06-09
    Application No.: US15010679
    Filing Date: 2016-01-29

    Abstract: Various techniques that allow group members to detect the use of stale encryption policy by other group members are disclosed. One method involves receiving a message from a first group member via a network. The message is received by a second group member. The method then detects, in response to information in the message, that the first group member is not using the most recent policy update supplied by a key server. In response, a notification message can be sent from the second group member. The notification message indicates that at least one group member is not using the most recent policy update. The notification message can be sent to the key server or towards the first group member.
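The abstract describes a peer-to-peer detection: a receiving member compares the policy the sender is using against the latest update it holds from the key server and notifies the key server or the sender. The added example below, not code from the patent or its assignee, models that exchange with both members and the key server, including the case the abstract does not spell out: when the sender is on a newer policy, the receiver is the stale one and must refresh itself rather than accuse the sender. Policy versions as monotonically increasing integers, the message fields and the notification target are assumptions.

```python
"""Group members detecting a peer that runs a stale key-server policy.

Added example, not the patent's or its assignee's code.  The message format, the
policy-version field and the notification target are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class GroupMessage:
    sender: str
    policy_version: int        # version of the key-server policy the sender is using
    payload: bytes


@dataclass
class Notification:
    target: str                # "key-server" (or the stale member's name)
    stale_member: str
    observed_version: int
    expected_version: int


class KeyServer:
    def __init__(self) -> None:
        self.version = 1
        self.rekeys_sent: List[str] = []

    def push_update(self) -> int:
        """Publish a new policy version; in practice delivered to members by rekey."""
        self.version += 1
        return self.version

    def handle(self, n: Notification) -> None:
        # On a stale report, re-send the current policy to that member only.
        self.rekeys_sent.append(n.stale_member)


class GroupMember:
    def __init__(self, name: str, key_server: KeyServer) -> None:
        self.name = name
        self.ks = key_server
        self.policy_version = key_server.version
        self.reregistered = False

    def send(self, payload: bytes) -> GroupMessage:
        return GroupMessage(self.name, self.policy_version, payload)

    def receive(self, msg: GroupMessage) -> Optional[Notification]:
        """Compare the sender's version with ours; report the sender only if it is behind."""
        if msg.policy_version == self.policy_version:
            return None
        if msg.policy_version > self.policy_version:
            # The receiver is the stale one: re-register with the key server, do not flag the sender.
            self.reregistered = True
            self.policy_version = self.ks.version
            return None
        n = Notification("key-server", msg.sender, msg.policy_version, self.policy_version)
        self.ks.handle(n)
        return n


def run_scenario() -> Dict[str, object]:
    ks = KeyServer()
    alice, bob = GroupMember("alice", ks), GroupMember("bob", ks)
    ks.push_update()                             # key server publishes version 2 ...
    alice.policy_version = ks.version            # ... alice receives it, bob misses the rekey
    n1 = alice.receive(bob.send(b"hello"))       # alice sees bob on version 1: report him
    n2 = bob.receive(alice.send(b"hi"))          # bob sees version 2: he is the stale one
    return {
        "alice_reported": n1,
        "bob_reported": n2,
        "bob_reregistered": bob.reregistered,
        "rekeys": ks.rekeys_sent,
        "bob_version": bob.policy_version,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:18s} {v}")
```

In a real group-encryption protocol the version should not be a free-form field the sender fills in; it should be bound to the key actually used (for instance the SPI or key identifier of the protecting security association), so a member cannot claim a current policy while encrypting under an old key.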


9. Coordinating zero touch network joins

    Publication (Announcement) No.: US10785809B1
    Publication (Announcement) Date: 2020-09-22
    Application No.: US15383442
    Filing Date: 2016-12-19

    Abstract: In one embodiment, a device in a network receives node information regarding a plurality of nodes that are to join the network. The device determines network formation parameters based on the received node information. The network formation parameters are indicative of a network join schedule and join location for a particular node from the plurality of nodes. The device generates, according to the network join schedule, a join invitation for the particular node based on the network formation parameters. The join invitation allows the particular node to attempt joining the network at the join location via a specified access point. The device causes the sending of one or more beacons via the network that include the join invitation to the particular node. The particular node attempts to join the network via the specified access point based on the one or more beacons.

10. Zero-touch IoT device provisioning (granted patent)

    Publication (Announcement) No.: US10298581B2
    Publication (Announcement) Date: 2019-05-21
    Application No.: US15582113
    Filing Date: 2017-04-28

    Abstract: In one embodiment, an authorized signing authority server receives an authenticity request from a security registrar to vouch for authenticity of a particular device. Based on receiving the authenticity request, the authorized signing authority server may then determine an authenticity state of the particular device, and may also request a device provisioning file for the particular device from a device provisioning server, the device provisioning file defining one or more network security policies for the particular device. Upon receiving the device provisioning file from the device provisioning server, the authorized signing authority server may then return the authenticity state and the device provisioning file for the particular device to the security registrar, causing the security registrar to complete authentication of the particular device based on the authenticity state and the device provisioning file.
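The three-party exchange in this abstract (security registrar asks the authorized signing authority to vouch for a device; the authority checks authenticity, fetches the device's provisioning file from the provisioning server, and returns both; the registrar completes authentication on that basis) is worth seeing as messages. The added example below is not code from the patent or its assignee. HMAC-SHA256 over a manufacturer secret stands in for the device's manufacturer-installed credential, and a second HMAC key shared between the authority and the registrar stands in for the authority's signature; the serials, nonce handling, message fields and provisioning-file format are all assumptions.

```python
"""Authorized-signing-authority vouching flow for zero-touch onboarding.

Added example, not the patent's or its assignee's code.  HMAC-SHA256 with constructed
secrets stands in for a manufacturer certificate chain and for the authority's signature.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed secrets: in practice a manufacturer CA and an authority signing key pair.
MANUFACTURER_KEY = b"manufacturer-provisioning-secret"
ASA_KEY = b"asa-signing-key"


def device_identity_proof(serial: str, nonce: str) -> str:
    """What the device presents at join time, modelled as a MAC over (serial, nonce)."""
    return hmac.new(MANUFACTURER_KEY, f"{serial}|{nonce}".encode(), hashlib.sha256).hexdigest()


class DeviceProvisioningServer:
    """Holds the per-device provisioning file: the network security policy for that device."""
    def __init__(self) -> None:
        self.files: Dict[str, Dict] = {
            "SN-0001": {"vlan": 40, "allow": [{"dst": "203.0.113.50", "proto": "tcp", "dport": 8883}]},
        }

    def get(self, serial: str) -> Optional[Dict]:
        return self.files.get(serial)


class AuthorizedSigningAuthority:
    def __init__(self, dps: DeviceProvisioningServer) -> None:
        self.dps = dps

    def vouch(self, serial: str, nonce: str, proof: str) -> Dict[str, str]:
        """Determine authenticity, fetch the provisioning file, return both under a signature."""
        genuine = hmac.compare_digest(device_identity_proof(serial, nonce), proof)
        state = "authentic" if genuine else "unknown"
        prov = self.dps.get(serial) if genuine else None      # never hand out policy for an unverified device
        body = json.dumps({"serial": serial, "nonce": nonce, "state": state, "provisioning": prov}, sort_keys=True)
        sig = hmac.new(ASA_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class SecurityRegistrar:
    def __init__(self, asa: AuthorizedSigningAuthority) -> None:
        self.asa = asa
        self.seen_nonces = set()

    def authenticate(self, serial: str, nonce: str, proof: str) -> Tuple[bool, Dict]:
        """Complete device authentication from the authority's state plus provisioning file."""
        if nonce in self.seen_nonces:                         # replayed join attempt
            return False, {}
        self.seen_nonces.add(nonce)
        resp = self.asa.vouch(serial, nonce, proof)
        expected_sig = hmac.new(ASA_KEY, resp["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, resp["sig"]):
            return False, {}
        body = json.loads(resp["body"])
        # The answer must be for this challenge, positive, and carry a policy: an authentic
        # device with no provisioning file gets no network, rather than an unrestricted one.
        if body["nonce"] != nonce or body["state"] != "authentic" or body["provisioning"] is None:
            return False, {}
        return True, body["provisioning"]


def run_scenario() -> Dict[str, object]:
    registrar = SecurityRegistrar(AuthorizedSigningAuthority(DeviceProvisioningServer()))
    nonce = "n-1001"                                          # constructed; a real registrar uses a CSPRNG
    ok, prov = registrar.authenticate("SN-0001", nonce, device_identity_proof("SN-0001", nonce))
    replay = registrar.authenticate("SN-0001", nonce, device_identity_proof("SN-0001", nonce))
    forged = registrar.authenticate("SN-0001", "n-1002", "00" * 32)
    no_file = registrar.authenticate("SN-9999", "n-1003", device_identity_proof("SN-9999", "n-1003"))
    return {"accepted": ok, "vlan": prov.get("vlan"), "replay": replay[0],
            "forged": forged[0], "no_file": no_file[0]}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:10s} {v}")
```

The four outcomes show what the registrar is actually deciding on: a genuine device with a provisioning file is admitted under that file's policy; the same challenge replayed is refused; a forged identity proof never reaches the provisioning server; and a genuine device the provisioning server has no file for is refused, since the abstract ties completion of authentication to both the authenticity state and the provisioning file.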
