公开(公告)号：US20170034137A1

公开(公告)日：2017-02-02

申请号：US14810899

申请日：2015-07-28

Applicant: Cisco Technology, Inc.

Inventor： Padmakumar Ampady Vasudevan Pillai ,  Brian Eliot Weis ,  Thamilarasu Kandasamy

IPC: H04L29/06

CPC classification number: H04L63/0435 ,  H04L9/08 ,  H04L63/061 ,  H04L63/062

Abstract: A Key Generation System (KGS) includes a key server, a first network element, and a second network element. The first and second network elements register with the key server and receive first and second KGS key seeds and first and second KGS identifiers, respectively. The first network element transmits the first KGS identifier to the second network element and obtains the second KGS identifier. The first network element computes a shared key based on the first KGS key seed and the second KGS identifier. The second network element receives the first KGS identifier from the first network element and computes the shared key based on the second KGS key seed and the first KGS identifier.

Abstract translation: 密钥生成系统（KGS）包括密钥服务器，第一网络元件和第二网络元件。 第一和第二网络元件与密钥服务器注册并分别接收第一和第二KGS密钥种子和第一和第二KGS标识符。 第一网元将第一KGS标识符发送到第二网元，并获得第二KGS标识符。 第一网元基于第一KGS密钥种子和第二KGS标识符来计算共享密钥。 第二网络元件从第一网络元件接收第一KGS标识符，并且基于第二KGS密钥种子和第一KGS标识符来计算共享密钥。

公开(公告)号：US09674285B2

公开(公告)日：2017-06-06

申请号：US14505161

申请日：2014-10-02

Applicant: Cisco Technology, Inc.

Inventor： Frederic Detienne ,  Mark Comeadow ,  Padmakumar Av ,  Thamilarasu Kandasamy

IPC: H04L29/08 ,  H04L29/14 ,  H04L29/06

CPC classification number: H04L67/142 ,  H04L63/0272 ,  H04L69/40

Abstract: In an embodiment, a method comprises using a first hub device: establishing one or more secure connections with one or more spoke devices logically arranged as spokes with respect to a data processing system; generating and sending via a high-speed link a hub probe to a second hub device; in response to determining that the second hub device is nonresponsive, transmitting, to the one or more spoke devices a first communication indicating that the second hub device is nonresponsive; using a spoke device, receiving the first communication indicating that the second hub device is nonresponsive; determining whether the spoke device has established a secure connection with the second hub device; in response to determining that the spoke device has established the secure connection with the second hub device, selecting a third hub device, establishing a secure connection with the third hub device, and communicating with the third hub device.

公开(公告)号：US20150058913A1

公开(公告)日：2015-02-26

申请号：US13973109

申请日：2013-08-22

Applicant: Cisco Technology, Inc.

Inventor： Thamilarasu Kandasamy ,  Ly Loi ,  Rajeshwar Singh Jenwar

IPC: H04L29/06

CPC classification number: H04L63/061 ,  H04L9/14 ,  H04L63/20

Abstract: Techniques are presented for establishing context awareness during first negotiation of secure key exchange. These techniques may be embodied as a method, apparatus or instructions in a computer-readable storage media. At a first network device, a message is received from a second network device as part of an initial exchange of information of a secure key exchange, the message containing information indicating one or more secure key exchange policies acceptable to the second network device and defining one or more associated security parameters. The message further contains context-specific information identifying a context of the second network device. The first network device selects a secure key exchange policy for communicating with the second network device based upon the context-specific information and sends a response message to the second network device containing the selected secure key exchange policy. If the context was understood, the response message also includes context-specific information.

Abstract translation: 提出了在安全密钥交换的首次协商期间建立上下文感知的技术。 这些技术可以体现为计算机可读存储介质中的方法，装置或指令。 在第一网络设备处，作为安全密钥交换的信息的初始交换的一部分，从第二网络设备接收消息，该消息包含指示第二网络设备可接受的一个或多个安全密钥交换策略的信息，并且定义一个 或更多相关的安全参数。 该消息还包含识别第二网络设备的上下文的上下文特定信息。 第一网络设备基于上下文特定信息选择用于与第二网络设备进行通信的安全密钥交换策略，并向包含所选择的安全密钥交换策略的第二网络设备发送响应消息。 如果上下文被理解，响应消息还包括上下文特定信息。

公开(公告)号：US10404588B2

公开(公告)日：2019-09-03

申请号：US15258444

申请日：2016-09-07

Applicant: Cisco Technology, Inc.

Inventor： Thamilarasu Kandasamy ,  Scott Fluhrer ,  Lewis Chen ,  Brian Weis

IPC: H04L12/741 ,  H04L12/805 ,  H04L29/06 ,  H04L12/46 ,  H04W28/02

Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.

公开(公告)号：US09124564B2

公开(公告)日：2015-09-01

申请号：US13973109

申请日：2013-08-22

Applicant: Cisco Technology, Inc.

Inventor： Thamilarasu Kandasamy ,  Ly Loi ,  Rajeshwar Singh Jenwar

IPC: H04L29/06 ,  H04L9/14

CPC classification number: H04L63/061 ,  H04L9/14 ,  H04L63/20

Abstract: Techniques are presented for establishing context awareness during first negotiation of secure key exchange. These techniques may be embodied as a method, apparatus or instructions in a computer-readable storage media. At a first network device, a message is received from a second network device as part of an initial exchange of information of a secure key exchange, the message containing information indicating one or more secure key exchange policies acceptable to the second network device and defining one or more associated security parameters. The message further contains context-specific information identifying a context of the second network device. The first network device selects a secure key exchange policy for communicating with the second network device based upon the context-specific information and sends a response message to the second network device containing the selected secure key exchange policy. If the context was understood, the response message also includes context-specific information.

Abstract translation: 提出了在首次协商安全密钥交换时建立上下文感知的技术。 这些技术可以体现为计算机可读存储介质中的方法，装置或指令。 在第一网络设备处，作为安全密钥交换的信息的初始交换的一部分，从第二网络设备接收消息，该消息包含指示第二网络设备可接受的一个或多个安全密钥交换策略的信息，并且定义一个 或更多相关的安全参数。 该消息还包含识别第二网络设备的上下文的上下文特定信息。 第一网络设备基于上下文特定信息选择用于与第二网络设备进行通信的安全密钥交换策略，并向包含所选择的安全密钥交换策略的第二网络设备发送响应消息。 如果上下文被理解，响应消息还包括上下文特定信息。

公开(公告)号：US09794234B2

公开(公告)日：2017-10-17

申请号：US14810899

申请日：2015-07-28

Applicant: Cisco Technology, Inc.

Inventor： Padmakumar Ampady Vasudevan Pillai ,  Brian Eliot Weis ,  Thamilarasu Kandasamy

IPC: H04L29/06

CPC classification number: H04L63/0435 ,  H04L9/08 ,  H04L63/061 ,  H04L63/062

Abstract: A Key Generation System (KGS) includes a key server, a first network element, and a second network element. The first and second network elements register with the key server and receive first and second KGS key seeds and first and second KGS identifiers, respectively. The first network element transmits the first KGS identifier to the second network element and obtains the second KGS identifier. The first network element computes a shared key based on the first KGS key seed and the second KGS identifier. The second network element receives the first KGS identifier from the first network element and computes the shared key based on the second KGS key seed and the first KGS identifier.

公开(公告)号：US20160380894A1

公开(公告)日：2016-12-29

申请号：US15258444

申请日：2016-09-07

Applicant: Cisco Technology, Inc.

Inventor： Thamilarasu Kandasamy ,  Scott Fluhrer ,  Lewis Chen ,  Brian Weis

IPC: H04L12/741 ,  H04L12/46 ,  H04W28/02

CPC classification number: H04L45/74 ,  H04L12/4633 ,  H04L12/4641 ,  H04L47/36 ,  H04L63/0272 ,  H04W28/0257

Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.

Abstract translation: 这里描述了用于优化网络中的通信的技术。 在虚拟专用网络中的路由器处，从由路由器保护的子网络中的设备接收分组。 路由器检查数据包以确定标识设备的源地址和标识数据包的目标网络设备的目标地址。 路由器还分析数据包以确定数据包的大小，并确定数据包的大小是否大于最大传输单元大小。 如果分组的大小大于最大传输单元大小，路由器将包含目标地址的报头和标识路由器的新源地址封装在一起。

公开(公告)号：US09461914B2

公开(公告)日：2016-10-04

申请号：US14246351

申请日：2014-04-07

Applicant: Cisco Technology, Inc.

Inventor： Thamilarasu Kandasamy ,  Scott Fluhrer ,  Lewis Chen ,  Brian Weis

IPC: H04L12/741 ,  H04L12/805 ,  H04L29/06

CPC classification number: H04L45/74 ,  H04L12/4633 ,  H04L12/4641 ,  H04L47/36 ,  H04L63/0272 ,  H04W28/0257

Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.

Abstract translation: 这里描述了用于优化网络中的通信的技术。 在虚拟专用网络中的路由器处，从由路由器保护的子网络中的设备接收分组。 路由器检查数据包以确定标识设备的源地址和标识数据包的目标网络设备的目标地址。 路由器还分析数据包以确定数据包的大小，并确定数据包的大小是否大于最大传输单元大小。 如果分组的大小大于最大传输单元大小，路由器将包含目标地址的报头和标识路由器的新源地址封装在一起。

公开(公告)号：US20150288603A1

公开(公告)日：2015-10-08

申请号：US14246351

申请日：2014-04-07

Applicant: Cisco Technology, Inc.

Inventor： Thamilarasu Kandasamy ,  Scott Fluhrer ,  Lewis Chen ,  Brian Weis

IPC: H04L12/741 ,  H04L12/805

CPC classification number: H04L45/74 ,  H04L12/4633 ,  H04L12/4641 ,  H04L47/36 ,  H04L63/0272 ,  H04W28/0257

Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.

Abstract translation: 这里描述了用于优化网络中的通信的技术。 在虚拟专用网络中的路由器处，从由路由器保护的子网络中的设备接收分组。 路由器检查数据包以确定标识设备的源地址和标识数据包的目标网络设备的目标地址。 路由器还分析数据包以确定数据包的大小，并确定数据包的大小是否大于最大传输单元大小。 如果分组的大小大于最大传输单元大小，路由器将包含目标地址的报头和标识路由器的新源地址封装在一起。