Patents by Inventor Brian Weis
Brian Weis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9686186Abstract: A network device receives packets for one or more traffic flows to be sent into a network. The network device computes a flow identifier for each of the one or more traffic flows based on information contained in one or more headers of the packets for each of the one or more traffic flows and based on at least one value that is changed on an ongoing basis. The packets for each of the one or more traffic flows are encrypted to produce encrypted packets for each of the one or more traffic flows. An encapsulation is added to the encrypted packets for the one or more traffic flows. The flow identifier is included in a field of the encapsulation for a corresponding traffic flow.Type: GrantFiled: April 22, 2015Date of Patent: June 20, 2017Assignee: Cisco Technology, Inc.Inventors: Jose Liste, Brian Weis
-
Publication number: 20170033984Abstract: Presented herein are techniques in which one or more network devices can use information provided by a special purpose network connected device to retrieve a usage profile (i.e., configuration file) associated with the special purpose network connected device. The retrieved usage profile, which includes/describes preselected (predetermined) usage descriptions associated with the special purpose network connected device, can then be used to configure one or more network devices. For example, the predetermined usage descriptions associated with the special purpose network connected device can be instantiated and enforced at a network device or the predetermined usage descriptions can be used for auditing the special purpose network connected device (e.g., monitoring of traffic within the network).Type: ApplicationFiled: January 27, 2016Publication date: February 2, 2017Inventors: Eliot Lear, Nancy Cam-Winget, Brian Weis
-
Patent number: 9544282Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.Type: GrantFiled: December 29, 2015Date of Patent: January 10, 2017Assignee: Cisco Technology, Inc.Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
-
Publication number: 20160380894Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.Type: ApplicationFiled: September 7, 2016Publication date: December 29, 2016Inventors: Thamilarasu Kandasamy, Scott Fluhrer, Lewis Chen, Brian Weis
-
Publication number: 20160344713Abstract: Techniques are presented for optimizing secure communications in a network. As disclosed herein, a key server is configured to provision a plurality of routers that are part of a virtual private network. The key server selects a counter value that is part of a security association and calculates a key value. The key server sends the key value, together with the security association, to the plurality of routers that are part of the virtual private network to enable them to exchange encrypted packets with each other in the virtual private network using the key value and the security association. The key server then increments the counter value to a value within a range of counter values capable of being predicted by the plurality of routers that received the key value.Type: ApplicationFiled: August 8, 2016Publication date: November 24, 2016Inventors: Lewis Chen, Scott Fluhrer, Warren Scott Wainner, Brian Weis
-
Publication number: 20160315853Abstract: A network device receives packets for one or more traffic flows to be sent into a network. The network device computes a flow identifier for each of the one or more traffic flows based on information contained in one or more headers of the packets for each of the one or more traffic flows and based on at least one value that is changed on an ongoing basis. The packets for each of the one or more traffic flows are encrypted to produce encrypted packets for each of the one or more traffic flows. An encapsulation is added to the encrypted packets for the one or more traffic flows. The flow identifier is included in a field of the encapsulation for a corresponding traffic flow.Type: ApplicationFiled: April 22, 2015Publication date: October 27, 2016Inventors: Jose Liste, Brian Weis
-
Patent number: 9461914Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.Type: GrantFiled: April 7, 2014Date of Patent: October 4, 2016Assignee: Cisco Technology, Inc.Inventors: Thamilarasu Kandasamy, Scott Fluhrer, Lewis Chen, Brian Weis
-
Patent number: 9444796Abstract: Techniques are presented for optimizing secure communications in a network. A first router receives from a second router an encrypted packet with an unknown security association. The first router examines the packet to determine whether the counter value is in a range of predicted counter values. Additionally, a key server is configured to provision routers that are part of a virtual private network. The key server selects a counter value that is part of a security association and calculates a key value. The key server sends the key value together with the security association to enable routers to exchange encrypted packets with each other in the virtual private network using the key value and the security association. The key server increments the counter value to a value within a range of counter values capable of being predicted by the routers.Type: GrantFiled: April 9, 2014Date of Patent: September 13, 2016Assignee: Cisco Technology, Inc.Inventors: Lewis Chen, Scott Fluhrer, Warren Scott Wainner, Brian Weis
-
Patent number: 9374340Abstract: First and second nested virtual private networks share a common rekey service. A first key server generates first cryptographic keys and policies for use by gateways of the VPN to encrypt and decrypt data packets. The key server establishes a connection with a second key server to generate second cryptographic keys and policies independently of the first key server for use by encryption units of a second VPN that is nested with and operates independently of the first VPN. The first key server refreshes the first cryptographic keys in the first VPN gateways using a common rekey service, and cooperates with the second key server to refresh the second cryptographic keys in the second VPN encryption units using the common rekey service.Type: GrantFiled: April 21, 2014Date of Patent: June 21, 2016Assignee: Cisco Technology, Inc.Inventors: Hong Xu, Brian Weis, Jie Chu, Sheela Rowles
-
Publication number: 20160134606Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.Type: ApplicationFiled: December 29, 2015Publication date: May 12, 2016Inventors: AAMER S. AKHTER, RAJIV ASATI, BRIAN WEIS, MOHAMED KHALID
-
Patent number: 9300642Abstract: In an embodiment, a method comprises establishing a first data communications session with a first router. In response to receiving a first request to establish a second data communications session, a probe message that is configured to test whether the first data communications session or the first router is responsive is sent to the first router. In response to determining that the first router has not acknowledged the probe message before a probe timer has expired, and receiving a second request to establish the second data communications session, the second data communications session with the first router is established and a state for the first data communications session is deleted.Type: GrantFiled: November 9, 2010Date of Patent: March 29, 2016Assignee: Cisco Technology, Inc.Inventors: Brian Weis, Mahesh Jethanandani, Keyur Patel, Anantha Ramaiah
-
Patent number: 9253172Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.Type: GrantFiled: April 8, 2015Date of Patent: February 2, 2016Assignee: Cisco Technology, Inc.Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
-
Publication number: 20150304282Abstract: First and second nested virtual private networks share a common rekey service. A first key server generates first cryptographic keys and policies for use by gateways of the VPN to encrypt and decrypt data packets. The key server establishes a connection with a second key server to generate second cryptographic keys and policies independently of the first key server for use by encryption units of a second VPN that is nested with and operates independently of the first VPN. The first key server refreshes the first cryptographic keys in the first VPN gateways using a common rekey service, and cooperates with the second key server to refresh the second cryptographic keys in the second VPN encryption units using the common rekey service.Type: ApplicationFiled: April 21, 2014Publication date: October 22, 2015Applicant: Cisco Technology, Inc.Inventors: Hong Xu, Brian Weis, Jie Chu, Sheela Rowles
-
Publication number: 20150295899Abstract: Techniques are presented for optimizing secure communications in a network. A first router receives from a second router an encrypted packet with an unknown security association. The first router examines the packet to determine whether the counter value is in a range of predicted counter values. Additionally, a key server is configured to provision routers that are part of a virtual private network. The key server selects a counter value that is part of a security association and calculates a key value. The key server sends the key value together with the security association to enable routers to exchange encrypted packets with each other in the virtual private network using the key value and the security association. The key server increments the counter value to a value within a range of counter values capable of being predicted by the routers.Type: ApplicationFiled: April 9, 2014Publication date: October 15, 2015Applicant: Cisco Technology, Inc.Inventors: Lewis Chen, Scott Fluhrer, Warren Scott Wainner, Brian Weis
-
Publication number: 20150288603Abstract: Techniques are described herein for optimizing communications in a network. At a router in a virtual private network, a packet is received from a device in a subnetwork protected by the router. The router examines the packet to determine a source address that identifies the device and a destination address that identifies a destination network device for the packet. The router also analyzes the packet to determine a size of the packet and determines whether or not the size of the packet is larger than a maximum transmission unit size. If the size of the packet is larger than the maximum transmission unit size, the router encapsulates the packet with a header that includes the destination address and a new source address that identifies the router.Type: ApplicationFiled: April 7, 2014Publication date: October 8, 2015Applicant: Cisco Technology, Inc.Inventors: Thamilarasu Kandasamy, Scott Fluhrer, Lewis Chen, Brian Weis
-
Publication number: 20150215298Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.Type: ApplicationFiled: April 8, 2015Publication date: July 30, 2015Inventors: AAMER S. AKHTER, RAJIV ASATI, BRIAN WEIS, MOHAMED KHALID
-
Patent number: 9027114Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.Type: GrantFiled: March 12, 2013Date of Patent: May 5, 2015Assignee: Cisco Technology, Inc.Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
-
Patent number: 8983066Abstract: In an example embodiment, a key generation system (KGS) is used to generate private pairwise keys between peers belonging to a group. Each member of the group is provisioned with a set of parameters which allows each member to generate a key with any other member of the group; however, no group member can derive a key for pairings involving other group members. The private pairwise keys may be used to derive session keys between peers belonging to the group. Optionally, an epoch value may be employed to derive the private pairwise keys.Type: GrantFiled: April 28, 2009Date of Patent: March 17, 2015Assignee: Cisco Technology, Inc.Inventors: Johannes Petrus Kruys, David McGrew, Max Pritikin, Joseph Salowey, Brian Weis
-
Publication number: 20140281508Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.Type: ApplicationFiled: March 12, 2013Publication date: September 18, 2014Applicant: Cisco Technology, Inc.Inventors: AAMER S. AKHTER, RAJIV ASATI, BRIAN WEIS, MOHAMED KHALID
-
Publication number: 20140258532Abstract: In an embodiment, a method is performed by one or more processors and comprises obtaining a hiatus declaration that indicates that a network device will be incommunicable; suspending communication with the network device until expiration of a hiatus time period during which the network device is expected to be incommunicable; resuming communication with the network device in response to any of: determining that the hiatus time period has expired; obtaining a keep-alive message from the network device; or obtaining other indication that the network device can communicate.Type: ApplicationFiled: May 19, 2014Publication date: September 11, 2014Applicant: Cisco Technology, Inc.Inventor: BRIAN WEIS