MULTI-DATA PLANE ARCHITECTURE FOR SEAMLESS UPGRADES

    Publication number: US20250039082A1

    Publication date: 2025-01-30

    Application number: US18410078

    Application date: 2024-01-11

    Abstract: A system and method are provided for implementing a network component, such as a software-defined wide area network, a firewall, a router, or a load balancer. The network component can be an embedded network edge device that is implemented, e.g., in software, in circuitry, or using hardware acceleration (e.g., a data processing unit (DPU), a smart network interface card (SmartNIC), etc.). The system can include multiple dataplanes, including a primary dataplane and a shadow dataplane. A packet dispatcher relays received data packets to a primary dataplane and the shadow dataplane. The primary dataplane applies a current version of the network component to data packets, and the secondary dataplane applies a new version of the network component to identical replicas of the data packets. A control plane agent compares performance data gathered from the respective dataplanes to perform verification testing on the new version of the network component.

    DETERMINING SECURITY ACTIONS AT POLICY-ENFORCEMENT POINTS USING METADATA REPRESENTING A SECURITY CHAIN FOR A DATA FLOW

    Publication number: US20250039135A1

    Publication date: 2025-01-30

    Application number: US18779939

    Application date: 2024-07-22

    Abstract: A system and method are provided that use metadata encoded in a data flow to determine security actions to perform at a policy-enforcement point based on the security-chain context for the data flow that is provided by the metadata (e.g., the security-chain context can include which security operations have been performed upstream on which data packets). The policy-enforcement point receives the data flow and the metadata, including attestations of the security operations that have previously (e.g., upstream) been applied to the data flow. Based on the attested security operations, the policy-enforcement point selects what security actions to apply next to the data flow, e.g., additional security operations to apply, allow the data flow into a workload or trust zone, drop the workload, perform dynamic load balancing.

    DYNAMIC PLACEMENT OF COMPENSATING CONTROLS ON DPU AND EBPF BASED ON WORKLOAD, TRUST, AND THREAT SCORING

    Publication number: US20250039220A1

    Publication date: 2025-01-30

    Application number: US18537516

    Application date: 2023-12-12

    Abstract: A system and method are provided for dynamically placing security controls in a network infrastructure. Input values representing the workload are ingested. A network component is placed in front of the workload to process/filter ingress traffic into the workload. The input values are analyzed to determine the asset criticality of the workload and to determine which vulnerabilities the workload is susceptible to. Based on this analysis of the input values, compensating controls are selected to protect the workload from the determined vulnerabilities, and the network component is dynamically programmed to perform these compensating controls on the ingress traffic. The network component is located directly in front of the workload, and it can be a data processing unit (DPU), a Berkeley packet filter (BPF), and/or an extended BPF (eBPF) capability.

    MULTI-DATA PLANE ARCHITECTURE FOR CONTINUOUS INTEGRATION, CONTINUOUS DEPLOYMENT (CI/CD)

    Publication number: US20250039052A1

    Publication date: 2025-01-30

    Application number: US18600918

    Application date: 2024-03-11

    Abstract: A system and method are provided for continuous integration, continuous deployment of a network component, such as a software-defined wide area network, a firewall, a router, or a load balancer. The software development lifecycle is achieved without interrupting the data flow of the network by using a multi-dataplane architecture, including a primary dataplane and a shadow dataplane. A packet dispatcher relays ingress data packets to the primary dataplane executing a current version of the network component and the shadow dataplane executing an upgrade to the network component. A control plane agent analyzes/compares the performances of the respective dataplanes for verification testing, and the control plane agent upgrades the network component to the new version upon passing the verification testing. The upgrade is achieved without interruption to the data flow of the network component by gradually transitioning to outputting egress data packets generated using the upgraded version.

    SEAMLESSLY VERIFYING UPGRADES USING MIRRORED DATAPLANES

    Publication number: US20250039051A1

    Publication date: 2025-01-30

    Application number: US18410207

    Application date: 2024-01-11

    Abstract: A system and method are provided for implementing a network component and verifying an update of the network component. The network component can be, e.g., a software-defined wide area network, a firewall, a router, or a load balancer. The network component can be an embedded network edge device that is implemented, e.g., in software, in circuitry, or using hardware acceleration (e.g., a data processing unit (DPU), a smart network interface card (SmartNIC), etc.). The updated version of the network component is verified by implementing it on a shadow dataplane concurrently with the current version operating on a primary dataplane, and comparing the performances of these two versions. Based on this comparison satisfying various verification criteria, the updated version passes a verification test and can be promoted to the primary dataplane.
