TRUSTWORTHINESS EVALUATION OF NETWORK DEVICES

    Publication number: WO2020206106A1

    Publication date: 2020-10-08

    Application number: PCT/US2020/026367

    Application date: 2020-04-02

    Abstract: Systems, methods, and computer-readable media for evaluation of trustworthiness of network devices are proposed. In one aspect, a first network device can determine a first probability of a security compromise of a second network device based on visible indicators. The first network device can also determine a second probability of the security compromise of the second device based on invisible indicators. The first network device also determines a trust degradation score for the second network device and establishes, based on the trust degradation score, a specified type of communication session with the second network device.

    ADVERTISING BGP DESTINATION SECURE PATH REQUIREMENT IN GLOBAL INTERNET

    Publication number: WO2023022880A1

    Publication date: 2023-02-23

    Application number: PCT/US2022/039230

    Application date: 2022-08-03

    Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for secure network routing. A method includes: receiving, at a network node, an advertisement message for a network route including an IP address prefix; receiving, at the network node, a route origin authorization associated with the IP address prefix, the route origin authorization including a digital signature and a security requirement of a route to a destination that corresponds to the IP address prefix; determining, by the network node, whether one or more network nodes satisfy the security requirement to yield a determination; and determining, by the network node, to route network traffic to the IP address prefix based on the determination. In one example, the method can include, when the one or more network nodes satisfy the security requirement, advertising the route to the one or more network nodes that satisfy the security requirement.

    VERIFYING TRUST POSTURES OF HETEROGENEOUS CONFIDENTIAL COMPUTING CLUSTERS

    Publication number: WO2022213072A1

    Publication date: 2022-10-06

    Application number: PCT/US2022/071419

    Application date: 2022-03-29

    Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for providing security postures for a service provided by a heterogeneous system. A method for verifying trust by a service node includes receiving a request for security information of the service node from a client device, wherein the request includes information identifying a service to receive from the service node; identifying a related node to communicate with the service node based on the service; after identifying the related node, requesting security information of the related node; generating composite security information from the security information of the service node and the security information of the related node; and sending the composite security information to the client device. The composite security information provides security claims for a service implemented by heterogeneous devices that have different trusted execution environments.

    METHOD, SYSTEM AND APPARATUSES OF NETWORK DEVICE ATTESTATION

    Publication number: WO2020206084A1

    Publication date: 2020-10-08

    Application number: PCT/US2020/026338

    Application date: 2020-04-02

    Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node include network devices, and the access control messages can be based on RADIUS or TACACS+ protocols, among others. The first node can obtain attestation information from one or more fields of the access control messages to determine whether the second node is authentic and trustworthy based on the attestation information. The first node can also determine reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node can be a client, or the first node can be a client and the second node can be a server. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.

    TECHNIQUES FOR INSERTING INTERNET PROTOCOL SERVICES IN A BROADBAND ACCESS NETWORK

    Type: Invention application

    Status: Pending (published)

    Publication number: WO2007059406A2

    Publication date: 2007-05-24

    Application number: PCT/US2006/060720

    Application date: 2006-11-09

    CPC classification number: H04L12/4633 H04L45/54 H04L45/66

    Abstract: Techniques for inserting a network service in an Ethernet access network operated by an access service provider include sending routing data to customer premises equipment. The access network is between a physical layer link with customer premises equipment and a remote packet-switched network. The routing data indicates a logical network address for an access gateway for access to the remote packet-switched network, and a logical network address for an ancillary gateway for an ancillary service different from access to the remote packet-switched network. A data packet is received from customer premises equipment and it is determined whether a layer 2 destination address indicates the ancillary gateway. If so, the data packet is directed to the ancillary gateway instead of the access gateway. Thus, the ancillary service is provided topologically closer to the customer premises equipment.


    ATTESTATION SERVICE GATEWAY

    Type: Invention application

    Publication number: WO2021126590A1

    Publication date: 2021-06-24

    Application number: PCT/US2020/063722

    Application date: 2020-12-08

    Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices across domains. Attestation information for an attester node in a first domain is received at a verifier gateway in the first domain. The attestation information is translated at the verifier gateway into translated attestation information for a second domain. Specifically, the attestation information is translated into translated attested information for a second domain that is a different administrative domain from the first domain. The translated attestation information can be provided to a verifier in the second domain. The verifier can be configured to verify the trustworthiness of the attester node for a relying node in the second domain by identifying a level of trust of the attester node based on the translated attestation information.

    SYSTEM AND METHOD FOR AUTHENTICATION OF SP ETHERNET AGGREGATION NETWORKS

    Type: Invention application

    Status: Pending (published)

    Publication number: WO2006130251A2

    Publication date: 2006-12-07

    Application number: PCT/US2006/014706

    Application date: 2006-04-17

    CPC classification number: H04L63/0838 H04L63/0892 H04L63/162

    Abstract: A Service Provider (SP) authentication method includes receiving a message from a subscriber-premises device, the message being compatible with an authentication protocol and being transported from the subscriber-premises device to a u-PE device operating in compliance with an IEEE 802.1x compatible protocol. Access to the SP network is either allowed or denied based on a logical identifier contained in the message. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. 37 CFR 1.72(b).
