Patents by Inventor Jonas Zaddach
Jonas Zaddach has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12250215Abstract: This disclosure describes techniques for device to device authentication. For instance, a first device may detect a second device, such as when a user physically attaches the second device to the first device or when the second device wireless communicates with the first device. A component of the first device and/or an authentication entity may then determine to authenticate the second device. In some instances, the component determines to authenticate the second device using information associated with an environment of the second device. To authenticate the second device, the authentication entity may send a request to a user, receive a response from the user, and then verify the response. After the authentication, the first device may determine that the second device includes a trusted device and establish a connection with the second device.Type: GrantFiled: August 6, 2020Date of Patent: March 11, 2025Assignee: Cisco Technology, Inc.Inventors: Patrick Wetterwald, Jonas Zaddach, Pascal Thubert, Eric Levy-Abegnoli
-
Publication number: 20250070980Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications and verify an authenticity of a client device attempting to use a virtual IP (VIP) address. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a VIP address that is mapped to the client device and the endpoint device. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can verify an authenticity of the client device and convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.Type: ApplicationFiled: August 24, 2023Publication date: February 27, 2025Inventors: Pascal Thubert, Eric A. Voit, Eric Levy-Abegnoli, Patrick Wetterwald, Jonas Zaddach
-
Publication number: 20250071089Abstract: Techniques for varying locations of virtual networks associated with endpoints using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS). Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. The VIP address may be selected based on a number of factors (e.g., power usage, privacy requirements, virtual distances, etc.). In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses that can be periodically rotated and/or load balanced. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.Type: ApplicationFiled: September 13, 2024Publication date: February 27, 2025Inventors: Pascal Thubert, Eric Voit, Eric Levy-Abegnoli, Patrick Wetterwald, Jonas Zaddach
-
Patent number: 12231417Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration the user can be required to re-authenticate.Type: GrantFiled: March 13, 2023Date of Patent: February 18, 2025Assignee: Cisco Technology, Inc.Inventors: Pascal Thubert, Patrick Wetterwald, Jonas Zaddach, Eric Levy-Abegnoli
-
Patent number: 12213052Abstract: In one embodiment, an illustrative method herein may comprise: receiving, at a first edge device, a direct indication from a second edge device that a mobile device has moved from the first to the second edge device; determining, based on the direct indication, a first time at which the mobile device attached to the second edge device; receiving a network routing update message indicative of a routing update for the mobile device having moved to the second edge device; determining, based on the network routing update message, a second time at which convergence completed at the first edge device; and calculating a convergence time for the mobile device to be detected as having moved to the second edge device based on a difference between the first time and the second time.Type: GrantFiled: May 20, 2022Date of Patent: January 28, 2025Assignee: Cisco Technology, Inc.Inventors: Pascal Thubert, Eric Levy-Abegnoli, Jonas Zaddach, Patrick Wetterwald
-
Patent number: 12155622Abstract: Techniques for varying locations of virtual networks associated with endpoints using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS). Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. The VIP address may be selected based on a number of factors (e.g., power usage, privacy requirements, virtual distances, etc.). In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses that can be periodically rotated and/or load balanced. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.Type: GrantFiled: August 24, 2023Date of Patent: November 26, 2024Assignee: Cisco Technology, Inc.Inventors: Pascal Thubert, Eric A. Voit, Eric Levy-Abegnoli, Patrick Wetterwald, Jonas Zaddach
-
Patent number: 11941146Abstract: A container includes a user program and data generated by the user program within a regulatory jurisdiction. Before the container leaves the regulatory jurisdiction, the data is validated by the jurisdiction to ensure the data complies with privacy laws of the jurisdiction. Upon ingress to a second regulatory jurisdiction, the data is signed locally to provide for confirmation that the data can leave the second regulatory jurisdiction, since it was not generated within the second jurisdiction. By allowing the user program to move from the first regulatory jurisdiction to a second regulatory jurisdiction, the disclosed embodiments overcome limitations in current solutions that restrict access to local data based on what a public application programming interface (API) can provide. By operating within the regulatory jurisdiction, albeit subject to access controls imposed by that jurisdiction, flexibility in the processing of sensitive data is improved.Type: GrantFiled: August 31, 2021Date of Patent: March 26, 2024Assignee: CISCO TECHNOLOGY, INC.Inventors: Pascal Thubert, Patrick Wetterwald, Eric Levy- Abegnoli, Jonas Zaddach
-
Publication number: 20240098063Abstract: In one embodiment, a method includes identifying, using a Static Context Header Compression (SCHC) rules engine, one or more packets matching a rule, selecting a firewall decision based on the identified one or more packets and the rule, and applying the firewall decision to the one or more identified packets.Type: ApplicationFiled: September 16, 2022Publication date: March 21, 2024Inventors: Pascal Thubert, Jonas Zaddach, Patrick Wetterwald, Eric Levy-Abegnoli
-
Patent number: 11894939Abstract: Techniques are provided that validate a participant in a video conference. As a video conferencing system is remote from a video conference participant, and user devices are not trusted, traditional methods such as client side facial recognition are ineffective at validating a participant from a video conferencing system. Thus, the embodiments encode modulated data for projection onto a face of the participant. A video of the participant is then captured. The conferencing system then confirms that the modulated data is present in the captured video.Type: GrantFiled: May 11, 2021Date of Patent: February 6, 2024Assignee: CISCO TECHNOLOGY, INC.Inventors: Pascal Thubert, Patrick Wetterwald, Eric Levy- Abegnoli, Jonas Zaddach
-
Publication number: 20230413156Abstract: In one embodiment, an illustrative method herein may comprise: receiving, at a first edge device, a direct indication from a second edge device that a mobile device has moved from the first to the second edge device; determining, based on the direct indication, a first time at which the mobile device attached to the second edge device; receiving a network routing update message indicative of a routing update for the mobile device having moved to the second edge device; determining, based on the network routing update message, a second time at which convergence completed at the first edge device; and calculating a convergence time for the mobile device to be detected as having moved to the second edge device based on a difference between the first time and the second time.Type: ApplicationFiled: May 20, 2022Publication date: December 21, 2023Inventors: Pascal Thubert, Eric LEVY-ABEGNOLI, Jonas ZADDACH, Patrick WETTERWALD
-
Publication number: 20230379250Abstract: In one embodiment, an illustrative method herein may comprise: receiving, at an access device for a network, a packet having a set of packet features; making, by the access device, a determination that the set of packet features of the packet match a forwarding ruleset that defines differentiated services for different types of packets based on their packet features; formulating, by the access device and based on the determination, a compressed header for the packet that has one or more differentiated service indicators based on the forwarding ruleset; and forwarding, from the access device, the packet with the compressed header, to cause forwarding decisions to be made within the network for the packet based on the one or more differentiated service indicators in its compressed header.Type: ApplicationFiled: May 20, 2022Publication date: November 23, 2023Inventors: Pascal Thubert, Patrick WETTERWALD, Eric LEVY-ABEGNOLI, Jonas ZADDACH
-
Patent number: 11784970Abstract: The present disclosure is directed to systems and methods for first hop security in a multi-site and multi-vendor cloud. The method may include receiving, at a first hop security (FHS) device located within a defined security perimeter, a message from a first host; validating a security of the message; signing the message with a signature to prove validation of the message, the signature comprising at least a Crypto-ID Parameters Option (CIPO) and a Neighbor Discovery Protocol Signature Option (NDPSO); and transmitting the signed message to one or more network FHS devices within the security perimeter.Type: GrantFiled: June 29, 2021Date of Patent: October 10, 2023Assignee: CISCO TECHNOLOGY, INC.Inventors: Pascal Thubert, Eric M. Levy-Abegnoli, Patrick M. P. Wetterwald, Jonas Zaddach
-
Patent number: 11757827Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.Type: GrantFiled: August 15, 2022Date of Patent: September 12, 2023Assignee: Cisco Technology, Inc.Inventors: Pascal Thubert, Eric Levy-Abegnoli, Jonas Zaddach, Patrick Wetterwald
-
Publication number: 20230216847Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration the user can be required to re-authenticate.Type: ApplicationFiled: March 13, 2023Publication date: July 6, 2023Inventors: Pascal Thubert, Patrick Wetterwald, Jonas Zaddach, Eric Levy-Abegnoli
-
Patent number: 11606347Abstract: This disclosure describes techniques for authenticating a user device for a session. For instance, an authentication entity may authenticate a user device using single sign-on authentication and/or multi-factor authentication. The authentication entity may then determine a duration for which the user device is authenticated for the session. For example, the authentication entity may receive information representing a state of an environment of the user device. The authentication entity may then use the information to identify one or more transitions associated with the environment between the session and a previous session. Using the one or more transitions, the authentication entity may determine the duration for the session by increasing or decreasing a previous duration associated with the previous session.Type: GrantFiled: August 27, 2020Date of Patent: March 14, 2023Assignee: Cisco Technology, Inc.Inventors: Pascal Thubert, Patrick Wetterwald, Jonas Zaddach, Eric Levy-Abegnoli
-
Publication number: 20230068788Abstract: A container includes a user program and data generated by the user program within a regulatory jurisdiction. Before the container leaves the regulatory jurisdiction, the data is validated by the jurisdiction to ensure the data complies with privacy laws of the jurisdiction. Upon ingress to a second regulatory jurisdiction, the data is signed locally to provide for confirmation that the data can leave the second regulatory jurisdiction, since it was not generated within the second jurisdiction. By allowing the user program to move from the first regulatory jurisdiction to a second regulatory jurisdiction, the disclosed embodiments overcome limitations in current solutions that restrict access to local data based on what a public application programming interface (API) can provide. By operating within the regulatory jurisdiction, albeit subject to access controls imposed by that jurisdiction, flexibility in the processing of sensitive data is improved.Type: ApplicationFiled: August 31, 2021Publication date: March 2, 2023Inventors: Pascal Thubert, Patrick Wetterwald, Eric Levy- Abegnoli, Jonas Zaddach
-
Publication number: 20220417213Abstract: The present disclosure is directed to systems and methods for first hop security in a multi-site and multi-vendor cloud. The method may include receiving, at a first hop security (FHS) device located within a defined security perimeter, a message from a first host; validating a security of the message; signing the message with a signature to prove validation of the message, the signature comprising at least a Crypto-ID Parameters Option (CIPO) and a Neighbor Discovery Protocol Signature Option (NDPSO); and transmitting the signed message to one or more network FHS devices within the security perimeter.Type: ApplicationFiled: June 29, 2021Publication date: December 29, 2022Inventors: Pascal Thubert, Eric M. Levy-Abegnoli, Patrick M. P. Wetterwald, Jonas Zaddach
-
Publication number: 20220394009Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.Type: ApplicationFiled: August 15, 2022Publication date: December 8, 2022Applicant: Cisco Technology, Inc.Inventors: Pascal Thubert, Eric Levy-Abegnoli, Jonas Zaddach, Patrick Wetterwald
-
Publication number: 20220368547Abstract: Techniques are provided that validate a participant in a video conference. As a video conferencing system is remote from a video conference participant, and user devices are not trusted, traditional methods such as client side facial recognition are ineffective at validating a participant from a video conferencing system. Thus, the embodiments encode modulated data for projection onto a face of the participant. A video of the participant is then captured. The conferencing system then confirms that the modulated data is present in the captured video.Type: ApplicationFiled: May 11, 2021Publication date: November 17, 2022Inventors: Pascal Thubert, Patrick Wetterwald, Eric Levy- Abegnoli, Jonas Zaddach
-
Patent number: 11418481Abstract: Systems and methods may include sending, to a network registrar, a first message including a first nonce generated by a host computing device, and receiving, from the network registrar, a second message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PKI) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.Type: GrantFiled: October 1, 2021Date of Patent: August 16, 2022Assignee: Cisco Technology, Inc.Inventors: Pascal Thubert, Eric Levy-Abegnoli, Jonas Zaddach, Patrick Wetterwald