-
Publication No.: US09967372B2
Publication Date: 2018-05-08
Application No.: US15077052
Filing Date: 2016-03-22
Applicant: Cisco Technology, Inc.
Inventor: Kuralvanan Arangasamy , Brian Eliot Weis , Rakesh Chopra , Hugo J. W. Vliegen
IPC: H04L12/741 , H04L29/06 , H04L12/28 , H04L12/46
CPC classification number: H04L69/22 , H04L12/28 , H04L12/4633 , H04L63/0428 , H04L63/162 , H04L63/164
Abstract: In an egress processing method, an egress frame is received. The egress frame includes an outer Ethernet frame, an Internet Protocol (IP) header, a layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol, and an inner Ethernet frame with a payload. The outer Ethernet frame, the IP header, the L3 encapsulation, and the inner Ethernet frame are parsed. Based on the results of the parsing, a media access control security (MACsec) policy that defines how to protect the inner Ethernet frame is determined, and the inner Ethernet frame is protected according to that policy while the outer Ethernet frame, the IP header, and the L3 encapsulation are left unprotected, producing a partly protected output egress frame. The partly protected output egress frame is transmitted to a peer network device over a public wide area network.
-
Publication No.: US20170104851A1
Publication Date: 2017-04-13
Application No.: US15077061
Filing Date: 2016-03-22
Applicant: Cisco Technology, Inc.
Inventor: Kuralvanan Arangasamy , Brian Eliot Weis , Rakesh Chopra , Hugo J.W. Vliegen
IPC: H04L29/06 , H04L12/741 , H04L12/28 , H04L29/08
CPC classification number: H04L69/22 , H04L12/28 , H04L12/4633 , H04L63/0428 , H04L63/162 , H04L63/164
Abstract: In an egress frame processing method, an Ethernet frame is received at a network device. Information defining an Internet Protocol (IP) tunnel between the network device and a peer network device over a public wide area network is determined. A media access control security (MACsec) policy that defines how to protect the Ethernet frame is determined based on the information defining the IP tunnel, and the Ethernet frame is protected according to that policy. The following fields are then added to the protected Ethernet frame: (i) an unprotected layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol; (ii) an unprotected IP header corresponding to the IP tunnel; and (iii) an unprotected outer Ethernet header, producing a partly protected egress frame. The partly protected egress frame is transmitted to the peer network device over the IP tunnel across the public wide area network.
-
Publication No.: US10187321B2
Publication Date: 2019-01-22
Application No.: US15058447
Filing Date: 2016-03-02
Applicant: Cisco Technology, Inc.
Inventor: Fabio R. Maino , Horia Miclea , John Evans , Brian Eliot Weis , Vina Ermagan
IPC: H04L29/06 , H04L12/911 , H04L12/24 , H04L12/715 , H04L12/26
Abstract: High-level network policies that represent a virtual private network (VPN) as a high-level policy model are received. The VPN is to provide secure connectivity between the connection sites of the VPN in accordance with the high-level network policies. The high-level network policies are translated into low-level device configuration information, represented in a network overlay, that is used to configure the network underlay providing the connection sites of the VPN. The network underlay is configured with this device configuration information so that it implements the VPN in accordance with the high-level policies. It is then determined whether the network underlay is directing traffic flows between the connection sites in compliance with the high-level network policies. If the network underlay is found not to be in compliance, it is reconfigured with new low-level device configuration information so that it operates in compliance.
-
公开(公告)号:US20170104850A1
Publication No.: US20170104850A1
Publication Date: 2017-04-13
Application No.: US15077052
Filing Date: 2016-03-22
Inventor: Kuralvanan Arangasamy , Brian Eliot Weis , Rakesh Chopra , Hugo J.W. Vliegen
IPC: H04L29/06 , H04L12/741 , H04L12/28 , H04L29/08
CPC classification number: H04L69/22 , H04L12/28 , H04L12/4633 , H04L63/0428 , H04L63/162 , H04L63/164
Abstract: In an egress processing method, an egress frame is received. The egress frame includes an outer Ethernet frame, an Internet Protocol (IP) header, a layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol, and an inner Ethernet frame with a payload. The outer Ethernet frame, the IP header, the L3 encapsulation, and the inner Ethernet frame are parsed. Based on the results of the parsing, a media access control security (MACsec) policy that defines how to protect the inner Ethernet frame is determined, and the inner Ethernet frame is protected according to that policy while the outer Ethernet frame, the IP header, and the L3 encapsulation are left unprotected, producing a partly protected output egress frame. The partly protected output egress frame is transmitted to a peer network device over a public wide area network.
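The three MACsec-over-tunnel abstracts above (US09967372B2, US20170104851A1 and US20170104850A1) describe one wire format from two egress paths: the tunnel headers stay in the clear and only the inner Ethernet frame is under MACsec, so that the public WAN can still route, and NAT, the outer packet. The following is an added illustration and is not code from the patents or from Cisco. It assumes VXLAN over UDP/IPv4 as the L2-over-L3 encapsulation, integrity-only MACsec (no encryption), a 16-byte SecTAG with SCI, and substitutes HMAC-SHA256 truncated to 16 bytes for the GCM-AES-128 ICV because the Python standard library has no AES-GCM; the frame bytes, key and SCI are constructed for the example.

```python
"""Partial MACsec protection of an Ethernet frame carried in an L2-over-L3 tunnel.

Added illustration, not Cisco's code. Assumed layout: outer Ethernet (14) + IPv4 without
options (20) + UDP (8) + VXLAN (8) as the L3 encapsulation, then the inner Ethernet frame.
HMAC-SHA256 truncated to 16 bytes stands in for the GCM-AES-128 ICV; integrity-only mode.
"""
import hashlib
import hmac
import struct

MACSEC_ETHERTYPE = 0x88E5
ENCAP_LEN = 14 + 20 + 8 + 8          # bytes that stay in the clear
ICV_LEN = 16
TCI_AN_SC = 0x20                      # SC bit: SCI present; E=0, C=0 (integrity only); AN=0
SECTAG_LEN = 8 + 8                    # EtherType, TCI/AN, SL, PN, plus the 8-byte SCI


def split_encapsulated(frame: bytes):
    """Parse the tunnel headers; return (clear headers, inner Ethernet frame)."""
    if len(frame) < ENCAP_LEN + 14:
        raise ValueError("too short for an encapsulated Ethernet frame")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("outer EtherType is not IPv4")
    if (frame[14] & 0x0F) * 4 != 20 or frame[23] != 17:
        raise ValueError("expected IPv4 without options carrying UDP")
    return frame[:ENCAP_LEN], frame[ENCAP_LEN:]


def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def macsec_protect(inner: bytes, key: bytes, pn: int, sci: bytes) -> bytes:
    """DA | SA | SecTAG | EtherType+payload | ICV. Only the inner frame is covered by the ICV."""
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, TCI_AN_SC, 0, pn) + sci
    body = inner[:12] + sectag + inner[12:]
    return body + _icv(key, body)


def egress_encapsulated(frame: bytes, key: bytes, pn: int, sci: bytes) -> bytes:
    """Variant 1: the frame already carries the tunnel headers; protect only the inner frame."""
    clear, inner = split_encapsulated(frame)
    return clear + macsec_protect(inner, key, pn, sci)


def egress_then_encapsulate(inner: bytes, clear: bytes, key: bytes, pn: int, sci: bytes) -> bytes:
    """Variant 2: protect the Ethernet frame first, then put the unprotected tunnel headers in front."""
    return clear + macsec_protect(inner, key, pn, sci)


def ingress_verify(frame: bytes, key: bytes, last_pn: int):
    """Peer side: skip the clear headers, reject replays by PN, verify the ICV, strip SecTAG and ICV."""
    _, prot = split_encapsulated(frame)
    if prot[12:14] != struct.pack("!H", MACSEC_ETHERTYPE):
        raise ValueError("inner frame carries no SecTAG")
    pn = struct.unpack("!I", prot[16:20])[0]
    if pn <= last_pn:
        raise ValueError("replayed packet number %d" % pn)
    body, icv = prot[:-ICV_LEN], prot[-ICV_LEN:]
    if not hmac.compare_digest(_icv(key, body), icv):
        raise ValueError("ICV mismatch: inner frame was modified")
    return body[:12] + body[12 + SECTAG_LEN:], pn


def build_sample():
    """Constructed sample frame (not captured traffic); IP/UDP lengths and checksums left zero."""
    outer_eth = bytes.fromhex("00005e005301" "00005e005302" "0800")
    ipv4 = bytes.fromhex("45000000" "00004000" "4011" "0000") + bytes([198, 51, 100, 1, 203, 0, 113, 7])
    udp = struct.pack("!HHHH", 49152, 4789, 0, 0)
    vxlan = bytes.fromhex("0800000000006400")                    # I flag set, VNI 100
    inner = bytes.fromhex("02000000000a" "02000000000b" "0800") + b"inner IPv4 packet from the LAN side"
    return outer_eth + ipv4 + udp + vxlan, inner


def demo() -> dict:
    clear, inner = build_sample()
    key, sci = b"\x11" * 16, inner[6:12] + b"\x00\x01"           # sample SAK and SCI (SA + port 1)
    out = egress_encapsulated(clear + inner, key, 1, sci)
    natted = out[:26] + bytes([192, 0, 2, 9]) + out[30:]          # WAN NAT rewrites the outer source IP
    tampered = bytearray(out)
    tampered[ENCAP_LEN + 12 + SECTAG_LEN + 5] ^= 1                # flip a bit inside the inner payload

    def rejected(f: bytes, last_pn: int = 0) -> bool:
        try:
            ingress_verify(f, key, last_pn)
            return False
        except ValueError:
            return True

    return {
        "same_output_both_variants": out == egress_then_encapsulate(inner, clear, key, 1, sci),
        "headers_in_clear": out[:ENCAP_LEN] == clear,
        "recovered_inner": ingress_verify(out, key, 0)[0] == inner,
        "nat_on_outer_ok": ingress_verify(natted, key, 0)[0] == inner,
        "inner_tamper_rejected": rejected(bytes(tampered)),
        "replay_rejected": rejected(out, last_pn=1),
    }


if __name__ == "__main__":
    print(demo())
```

The two egress paths produce byte-identical output, which is the point of the shared format. Rewriting the outer source address (what a NAT on the WAN does) leaves verification intact because nothing outside the inner frame is covered by the ICV; flipping one bit of the inner payload, or replaying an old packet number, is rejected. The flip side is the caveat a deployment has to respect: the outer addresses and the VXLAN header (including the VNI) are not authenticated, so the receiver may use them only to find the right secure channel, never as a trusted input to policy.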
-
Publication No.: US09871653B2
Publication Date: 2018-01-16
Application No.: US13945369
Filing Date: 2013-07-18
Applicant: Cisco Technology, Inc.
Inventor: Brian Eliot Weis , Maik Guenter Seewald , Ruben Gerald Lobo
Abstract: A technique for key sharing among multiple key servers connected to one another over a communication network is provided. Each key server stores its own cryptographic keys and provides them to a local device group connected to that key server, enabling the group to encrypt messages with those keys. Each key server also acts as a proxy for the other key servers: it receives their keys over the network and provides them to its local device group, which uses them to decrypt, and check the integrity of, messages received from the other local device groups (each connected to one of the other key servers) that were encrypted with those keys. The key servers may share keys with each other directly or, alternatively, indirectly through a central key server, as needed to support secure communications between their respective device groups.
-
Publication No.: US20170034137A1
Publication Date: 2017-02-02
Application No.: US14810899
Filing Date: 2015-07-28
Applicant: Cisco Technology, Inc.
IPC: H04L29/06
CPC classification number: H04L63/0435 , H04L9/08 , H04L63/061 , H04L63/062
Abstract: A Key Generation System (KGS) includes a key server, a first network element, and a second network element. The first and second network elements register with the key server and receive first and second KGS key seeds and first and second KGS identifiers, respectively. The first network element transmits the first KGS identifier to the second network element and obtains the second KGS identifier. The first network element computes a shared key based on the first KGS key seed and the second KGS identifier. The second network element receives the first KGS identifier from the first network element and computes the shared key based on the second KGS key seed and the first KGS identifier.
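The KGS abstract above describes an interface rather than a construction: each element registers once, gets a secret key seed and a public identifier, and later derives a pairwise key from its own seed and the peer's identifier with no further contact with the key server. The following is an added illustration, not Cisco's code or the patent's construction. It instantiates that interface with Blom's scheme over a prime field, which has exactly this shape, and also shows the scheme's known limit: any k colluding elements can pool their seeds and recover the server's secret matrix. The prime, the matrix size and the identifier assignment are assumptions of the example.

```python
"""Key Generation System with Blom's scheme (added illustration, not Cisco's code).

Key server: secret symmetric k x k matrix D over GF(P).  Element with identifier x gets seed
s = D V(x), where V(x) = (1, x, ..., x^(k-1)).  Two elements compute K_ab = s_a . V(x_b)
= V(x_b)^T D V(x_a) = K_ba, so both sides agree without talking to the server again.
"""
import secrets

P = (1 << 127) - 1        # prime modulus for the field arithmetic (assumption)


def public_vector(ident: int, k: int) -> list:
    """V(id) = (1, id, id^2, ..., id^(k-1)) mod P; computable by anyone from the public identifier."""
    return [pow(ident, e, P) for e in range(k)]


class KeyServer:
    def __init__(self, k: int):
        # Symmetry of D is what makes K_ab == K_ba; k is also the collusion threshold.
        self.k = k
        d = [[0] * k for _ in range(k)]
        for i in range(k):
            for j in range(i, k):
                d[i][j] = d[j][i] = secrets.randbelow(P)
        self._d = d
        self._next_id = 1

    def register(self):
        """Return (public KGS identifier, secret KGS key seed) for a newly registered element."""
        ident, self._next_id = self._next_id, self._next_id + 1
        v = public_vector(ident, self.k)
        seed = [sum(self._d[i][j] * v[j] for j in range(self.k)) % P for i in range(self.k)]
        return ident, seed


class NetworkElement:
    def __init__(self, ident: int, seed: list):
        self.ident, self._seed = ident, seed

    def shared_key(self, peer_ident: int) -> bytes:
        """K = seed . V(peer); 16 bytes of field element, to be run through a KDF before use."""
        v = public_vector(peer_ident, len(self._seed))
        return (sum(s * x for s, x in zip(self._seed, v)) % P).to_bytes(16, "big")


def collude(seeds: list, idents: list) -> list:
    """k colluding elements recover D = S W^-1 (S: seeds as columns, W: V(id) as columns)."""
    k = len(seeds)
    w = [[public_vector(idents[j], k)[i] for j in range(k)] for i in range(k)]   # W[i][j] = id_j^i
    aug = [w[i] + [1 if i == j else 0 for j in range(k)] for i in range(k)]      # Gauss-Jordan over GF(P)
    for col in range(k):
        piv = next(r for r in range(col, k) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(k):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    w_inv = [row[k:] for row in aug]
    s = [[seeds[j][i] for j in range(k)] for i in range(k)]                       # S[i][j] = seed_j[i]
    return [[sum(s[i][m] * w_inv[m][j] for m in range(k)) % P for j in range(k)] for i in range(k)]


def demo(k: int = 4) -> dict:
    ks = KeyServer(k)
    elems = [NetworkElement(*ks.register()) for _ in range(k)]   # k elements: enough to collude
    a, b, c = elems[0], elems[1], elems[2]
    recovered = collude([e._seed for e in elems], [e.ident for e in elems])
    return {
        "symmetric": a.shared_key(b.ident) == b.shared_key(a.ident),
        "distinct_per_peer": a.shared_key(b.ident) != a.shared_key(c.ident),
        "k_colluders_recover_matrix": recovered == ks._d,
    }


if __name__ == "__main__":
    print(demo())
```

Two properties matter operationally. The identifiers travel in the clear, as the abstract says, and that is fine: the seed is the secret, and an eavesdropper holding both identifiers but no seed learns nothing about the key. Against insiders the scheme is only k-1 secure: `collude` shows that k registered elements can reconstruct D and then derive every pair's key, so k must be sized against the number of elements an attacker could compromise, and the raw field element should go through a KDF rather than be used as a key directly.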
-
Publication No.: US10972430B2
Publication Date: 2021-04-06
Application No.: US16552202
Filing Date: 2019-08-27
Applicant: Cisco Technology, Inc.
Inventor: Brian Eliot Weis , Peter Geoffrey Jones
IPC: G06F15/173 , H04L29/12 , H04L29/06
Abstract: At a network device configured to control access to a network, a client device authentication request is received from a client device. The request includes identity credentials and a temporary media access control (MAC) address of the client device. The client device is authenticated based on the identity credentials. After successful authentication, a new MAC address is established in the client device. A data frame is then received at the network device from the client device, and it is determined from the received data frame whether the client device is using the new MAC address. If it is, the client device is permitted to access the network.
-
Publication No.: US10454887B2
Publication Date: 2019-10-22
Application No.: US14944743
Filing Date: 2015-11-18
Applicant: Cisco Technology, Inc.
Inventor: Brian Eliot Weis , Peter Geoffrey Jones
IPC: G06F15/173 , H04L29/12 , H04L29/06
Abstract: At a network device configured to control access to a network, a client device authentication request is received from a client device. The request includes identity credentials and a temporary media access control (MAC) address of the client device. The client device is authenticated based on the identity credentials. After successful authentication, a new MAC address is established in the client device. A data frame is then received at the network device from the client device, and it is determined from the received data frame whether the client device is using the new MAC address. If it is, the client device is permitted to access the network.
-
Publication No.: US20170359323A1
Publication Date: 2017-12-14
Application No.: US13945369
Filing Date: 2013-07-18
Applicant: Cisco Technology, Inc.
Inventor: Brian Eliot Weis , Maik Guenter Seewald , Ruben Gerald Lobo
Abstract: A technique for key sharing among multiple key servers connected to one another over a communication network is provided. Each key server stores its own cryptographic keys and provides them to a local device group connected to that key server, enabling the group to encrypt messages with those keys. Each key server also acts as a proxy for the other key servers: it receives their keys over the network and provides them to its local device group, which uses them to decrypt, and check the integrity of, messages received from the other local device groups (each connected to one of the other key servers) that were encrypted with those keys. The key servers may share keys with each other directly or, alternatively, indirectly through a central key server, as needed to support secure communications between their respective device groups.
-
Publication No.: US20190386955A1
Publication Date: 2019-12-19
Application No.: US16552202
Filing Date: 2019-08-27
Applicant: Cisco Technology, Inc.
Inventor: Brian Eliot Weis , Peter Geoffrey Jones
Abstract: At a network device configured to control access to a network, a client device authentication request is received from a client device. The request includes identity credentials and a temporary media access control (MAC) address of the client device. The client device is authenticated based on the identity credentials. After successful authentication, a new MAC address is established in the client device. A data frame is then received at the network device from the client device, and it is determined from the received data frame whether the client device is using the new MAC address. If it is, the client device is permitted to access the network.
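The three MAC-rotation abstracts above (US10972430B2, US10454887B2 and US20190386955A1) describe an admission gate: the MAC the client used while authenticating is never the one admitted onto the network; only frames carrying the address the network device established after authentication pass. The following is an added illustration, not Cisco's code, and does not follow the patents' claims in detail. It assumes a username/password store in place of a real 802.1X/RADIUS back end, that the network device itself chooses the new address and hands it to the client, and that the data frame is a raw Ethernet frame whose source address is the field inspected; the credentials and addresses are constructed.

```python
"""Port admission with a post-authentication MAC address change (added illustration, not Cisco's code).

The temporary MAC is only good for authenticating.  Access is granted to frames whose source MAC
is the fresh address the network device established after the credentials checked out.
"""
import secrets

# Constructed credential store for the example; a deployment would consult 802.1X/RADIUS.
CREDENTIALS = {"alice": "correct-horse"}


def new_locally_administered_mac() -> bytes:
    """Random unicast, locally administered MAC: bit 1 of the first octet set, bit 0 (multicast) clear."""
    mac = bytearray(secrets.token_bytes(6))
    mac[0] = (mac[0] | 0x02) & 0xFE
    return bytes(mac)


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


class AccessSwitch:
    def __init__(self):
        self.pending = {}      # temporary MAC -> new MAC: authenticated, client has not switched yet
        self.admitted = set()  # MACs currently permitted onto the network

    def authenticate(self, temp_mac: bytes, user: str, password: str):
        """Return the new MAC to install on the client, or None when the credentials are rejected."""
        expected = CREDENTIALS.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        new_mac = new_locally_administered_mac()
        self.pending[temp_mac] = new_mac
        return new_mac

    def on_frame(self, frame: bytes) -> bool:
        """Permit the frame only if its source MAC is one the device established after authentication."""
        if len(frame) < 14:
            return False
        src = frame[6:12]
        if src in self.admitted:
            return True
        for temp, new in self.pending.items():
            if new == src:
                # First frame from the new address: the client has switched; retire the temporary MAC.
                del self.pending[temp]
                self.admitted.add(src)
                return True
        return False   # unknown address, or the temporary MAC still in use after authentication


def demo() -> dict:
    sw = AccessSwitch()
    temp = bytes.fromhex("02aabbccddee")

    def frame(src: bytes) -> bytes:
        return bytes(6) + src + b"\x08\x00" + b"payload"

    rejected = sw.authenticate(temp, "alice", "wrong-password")
    new = sw.authenticate(temp, "alice", "correct-horse")
    return {
        "bad_password_rejected": rejected is None,
        "new_mac_is_unicast_local": (new[0] & 0x03) == 0x02,
        "temp_mac_not_admitted": not sw.on_frame(frame(temp)),
        "new_mac_admitted": sw.on_frame(frame(new)),
        "temp_mac_retired": temp not in sw.pending and not sw.on_frame(frame(temp)),
        "stranger_denied": not sw.on_frame(frame(bytes.fromhex("020000000099"))),
    }


if __name__ == "__main__":
    print(demo())
```

Two checks are worth keeping in any implementation of this idea. The generated address must be unicast and locally administered (first octet ending in 2, 6, A or E), or the client cannot legitimately use it. And the temporary address must stop working the moment the new one is seen; otherwise an attacker who captured the client's pre-authentication MAC could keep spoofing it after the real client has moved on.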