-
Publication No.: US20240114015A1
Publication Date: 2024-04-04
Application No.: US18537260
Filing Date: 2023-12-12
Applicant: Cisco Technology, Inc.
Inventor: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
CPC classification number: H04L63/0485, H04L45/16, H04L45/24, H04L63/061, H04L63/20
Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
-
Publication No.: US11196726B2
Publication Date: 2021-12-07
Application No.: US16401304
Filing Date: 2019-05-02
Applicant: Cisco Technology, Inc.
Inventor: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
IPC: H04L29/06, H04L9/18, H04L12/761, H04L12/707, H04L9/12
Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
-
Publication No.: US20250132910A1
Publication Date: 2025-04-24
Application No.: US18489317
Filing Date: 2023-10-18
Applicant: Cisco Technology, Inc.
Inventor: Kyle Mestery, Grzegorz Boguslaw Duraj
Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.
-
Publication No.: US11463410B2
Publication Date: 2022-10-04
Application No.: US16845753
Filing Date: 2020-04-10
Applicant: Cisco Technology, Inc.
Inventor: Kyle Mestery, Grzegorz Boguslaw Duraj
IPC: H04L9/40, H04L67/143, H04L67/141, H04L9/08
Abstract: Presented herein are techniques for establishing VPN services. According to example embodiments, an initial VPN message configured to establish a VPN session between the initiating device and a responding device is received at a VPN node. The initial VPN message is received from an initiating device. Data indicative of the initiating device and data indicative of the responding device is extracted from the initial VPN message. A VPN namespace is established to facilitate the VPN session between the initiating device and the responding device based on the data indicative of the initiating device and the data indicative of the responding device. One or more messages comprising data indicative of the VPN session are transmitted to a database.
-
Publication No.: US20220124075A1
Publication Date: 2022-04-21
Application No.: US17507312
Filing Date: 2021-10-21
Applicant: Cisco Technology, Inc.
Inventor: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
-
Publication No.: US20200153897A1
Publication Date: 2020-05-14
Application No.: US16185623
Filing Date: 2018-11-09
Applicant: Cisco Technology, Inc.
Inventor: Kyle Mestery, Ian Wells
IPC: H04L29/08, G06F9/50, H04L12/803, H04L12/801, G06F9/48
Abstract: A system is provided to support a serverless environment and quickly generate containers to handle requests. The system includes a first network node, a container orchestration system, and a serving node. The first network node receives an initial packet of a request from a host and sends a notification to a container orchestration system. The notification includes header information from the initial packet and signals the reception of the initial packet of the request. The container orchestration system creates one or more new containers in response to the notification based on the header information of the initial packet. The serving node instantiates the new containers, receives the request from the host, and processes the request from the host with the new containers.
-
Publication No.: US11831767B2
Publication Date: 2023-11-28
Application No.: US17705810
Filing Date: 2022-03-28
Applicant: Cisco Technology, Inc.
Inventor: Kyle Mestery, Grzegorz Boguslaw Duraj
CPC classification number: H04L9/0891, H04L9/16, H04L12/4633, H04L12/4641, H04L45/24, H04L63/0272, H04L63/0428, H04L63/061, H04L63/164, H04L67/01
Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.
-
Publication No.: US11558354B2
Publication Date: 2023-01-17
Application No.: US16849251
Filing Date: 2020-04-15
Applicant: Cisco Technology, Inc.
Inventor: Kyle Mestery, Graham Bartlett
Abstract: Techniques are described to provide efficient protection for a virtual private network. In one example, a method is provided that includes obtaining a packet at a first network entity; determining that the packet is a packet type of an authentication type; determining whether authentication content for the packet matches known good criteria for the packet type of the authentication type; based on determining that the authentication content for the packet does not match the known good criteria, performing at least one of dropping the packet and generating an alarm; and based on determining that the authentication content for the packet does match the known good criteria, processing the packet at the first network entity or forwarding the packet toward a second network entity.
-
Publication No.: US11075857B2
Publication Date: 2021-07-27
Application No.: US16440101
Filing Date: 2019-06-13
Applicant: Cisco Technology, Inc.
Inventor: Kyle Mestery, Ian Wells, David Delano Ward
IPC: H04L12/28, H04L12/947, H04L12/931, H04L29/12
Abstract: Techniques are described to provide a peephole optimization for processing traffic for lightweight protocols at lower layers by executing them inside a virtual switch rather than using the network stack of a host node. In one example, a method includes determining by forwarding logic of a virtual switch that a received packet is associated with a query for one of domain information or address information. Based on such a determination, the virtual switch determines whether the query is contained within a single Ethernet frame and is answerable. Based on a positive determination for both, the virtual switch determines whether a response to the query can be transmitted in a single packet within a single Ethernet frame. Based on a positive determination of a single packet response, a response packet for the query is formed and injected into the forwarding logic for the virtual switch for transmitting to a destination.
-
Publication No.: US20210136040A1
Publication Date: 2021-05-06
Application No.: US16845753
Filing Date: 2020-04-10
Applicant: Cisco Technology, Inc.
Inventor: Kyle Mestery, Grzegorz Boguslaw Duraj
Abstract: Presented herein are techniques for establishing VPN services. According to example embodiments, an initial VPN message configured to establish a VPN session between the initiating device and a responding device is received at a VPN node. The initial VPN message is received from an initiating device. Data indicative of the initiating device and data indicative of the responding device is extracted from the initial VPN message. A VPN namespace is established to facilitate the VPN session between the initiating device and the responding device based on the data indicative of the initiating device and the data indicative of the responding device. One or more messages comprising data indicative of the VPN session are transmitted to a database.