Patents by Inventor Kyle Mestery
Kyle Mestery has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20240114015
  Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
  Type: Application
  Filed: December 12, 2023
  Publication date: April 4, 2024
  Inventors: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
- Patent number: 11888831
  Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
  Type: Grant
  Filed: October 21, 2021
  Date of Patent: January 30, 2024
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
- Patent number: 11831767
  Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.
  Type: Grant
  Filed: March 28, 2022
  Date of Patent: November 28, 2023
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Kyle Mestery, Grzegorz Boguslaw Duraj
- Patent number: 11558354
  Abstract: Techniques are described to provide efficient protection for a virtual private network. In one example, a method is provided that includes obtaining a packet at a first network entity; determining that the packet is a packet type of an authentication type; determining whether authentication content for the packet matches known good criteria for the packet type of the authentication type; based on determining that the authentication content for the packet does not match the known good criteria, performing at least one of dropping the packet and generating an alarm; and based on determining that the authentication content for the packet does match the known good criteria, processing the packet at the first network entity or forwarding the packet toward a second network entity.
  Type: Grant
  Filed: April 15, 2020
  Date of Patent: January 17, 2023
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Kyle Mestery, Graham Bartlett
- Patent number: 11463410
  Abstract: Presented herein are techniques for establishing VPN services. According to example embodiments, an initial VPN message configured to establish a VPN session between the initiating device and a responding device is received at a VPN node. The initial VPN message is received from an initiating device. Data indicative of the initiating device and data indicative of the responding device is extracted from the initial VPN message. A VPN namespace is established to facilitate the VPN session between the initiating device and the responding device based on the data indicative of the initiating device and the data indicative of the responding device. One or more messages comprising data indicative of the VPN session are transmitted to a database.
  Type: Grant
  Filed: April 10, 2020
  Date of Patent: October 4, 2022
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Kyle Mestery, Grzegorz Boguslaw Duraj
- Publication number: 20220224529
  Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.
  Type: Application
  Filed: March 28, 2022
  Publication date: July 14, 2022
  Inventors: Kyle Mestery, Grzegorz Boguslaw Duraj
- Patent number: 11368298
  Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.
  Type: Grant
  Filed: September 13, 2019
  Date of Patent: June 21, 2022
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Kyle Mestery, Grzegorz Boguslaw Duraj
- Publication number: 20220124075
  Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
  Type: Application
  Filed: October 21, 2021
  Publication date: April 21, 2022
  Inventors: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
- Patent number: 11196726
  Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
  Type: Grant
  Filed: May 2, 2019
  Date of Patent: December 7, 2021
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
- Patent number: 11075857
  Abstract: Techniques are described to provide a peephole optimization for processing traffic for lightweight protocols at lower layers by executing them inside a virtual switch rather than using the network stack of a host node. In one example, a method includes determining by forwarding logic of a virtual switch that a received packet is associated with a query for one of domain information or address information. Based on such a determination, the virtual switch determines whether the query is contained within a single Ethernet frame and is answerable. Based on a positive determination for both, the virtual switch determines whether a response to the query can be transmitted in a single packet within a single Ethernet frame. Based on a positive determination of a single packet response, a response packet for the query is formed and injected into the forwarding logic for the virtual switch for transmitting to a destination.
  Type: Grant
  Filed: June 13, 2019
  Date of Patent: July 27, 2021
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Kyle Mestery, Ian Wells, David Delano Ward
- Patent number: 11075985
  Abstract: A system is provided to support a serverless environment and quickly generate containers to handle requests. The system includes a first network node, a container orchestration system, and a serving node. The first network node receives an initial packet of a request from a host and sends a notification to a container orchestration system. The notification includes header information from the initial packet and signals the reception of the initial packet of the request. The container orchestration system creates one or more new containers in response to the notification based on the header information of the initial packet. The serving node instantiates the new containers, receives the request from the host, and processes the request from the host with the new containers.
  Type: Grant
  Filed: November 9, 2018
  Date of Patent: July 27, 2021
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Kyle Mestery, Ian Wells
- Publication number: 20210136040
  Abstract: Presented herein are techniques for establishing VPN services. According to example embodiments, an initial VPN message configured to establish a VPN session between the initiating device and a responding device is received at a VPN node. The initial VPN message is received from an initiating device. Data indicative of the initiating device and data indicative of the responding device is extracted from the initial VPN message. A VPN namespace is established to facilitate the VPN session between the initiating device and the responding device based on the data indicative of the initiating device and the data indicative of the responding device. One or more messages comprising data indicative of the VPN session are transmitted to a database.
  Type: Application
  Filed: April 10, 2020
  Publication date: May 6, 2021
  Inventors: Kyle Mestery, Grzegorz Boguslaw Duraj
- Publication number: 20200396178
  Abstract: Techniques are described to provide a peephole optimization for processing traffic for lightweight protocols at lower layers by executing them inside a virtual switch rather than using the network stack of a host node. In one example, a method includes determining by forwarding logic of a virtual switch that a received packet is associated with a query for one of domain information or address information. Based on such a determination, the virtual switch determines whether the query is contained within a single Ethernet frame and is answerable. Based on a positive determination for both, the virtual switch determines whether a response to the query can be transmitted in a single packet within a single Ethernet frame. Based on a positive determination of a single packet response, a response packet for the query is formed and injected into the forwarding logic for the virtual switch for transmitting to a destination.
  Type: Application
  Filed: June 13, 2019
  Publication date: December 17, 2020
  Inventors: Kyle Mestery, Ian Wells, David Delano Ward
- Publication number: 20200389427
  Abstract: A first request for a loopback address is obtained at a first device. The loopback address is associated with a service provided by a second device, and is obtained via a first interface of the second device. The loopback address is provided to the second device via the first interface. A second request for the loopback address associated with the service provided by the second device is obtained at the first device via a second interface of the second device. The loopback address is provided to the second device via the second interface. A first route to the service utilizing the loopback address and the first interface is programmed at the first device. A second route to the service utilizing the loopback address and the second interface is also programmed at the first device.
  Type: Application
  Filed: June 7, 2019
  Publication date: December 10, 2020
  Inventors: Ian Wells, Kyle Mestery
- Publication number: 20200366478
  Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.
  Type: Application
  Filed: September 13, 2019
  Publication date: November 19, 2020
  Inventors: Kyle Mestery, Grzegorz Boguslaw Duraj
- Publication number: 20200336465
  Abstract: Techniques are described to provide efficient protection for a virtual private network. In one example, a method is provided that includes obtaining a packet at a first network entity; determining that the packet is a packet type of an authentication type; determining whether authentication content for the packet matches known good criteria for the packet type of the authentication type; based on determining that the authentication content for the packet does not match the known good criteria, performing at least one of dropping the packet and generating an alarm; and based on determining that the authentication content for the packet does match the known good criteria, processing the packet at the first network entity or forwarding the packet toward a second network entity.
  Type: Application
  Filed: April 15, 2020
  Publication date: October 22, 2020
  Inventors: Kyle Mestery, Graham Bartlett
- Publication number: 20200280548
  Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
  Type: Application
  Filed: May 2, 2019
  Publication date: September 3, 2020
  Inventors: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
- Publication number: 20200153897
  Abstract: A system is provided to support a serverless environment and quickly generate containers to handle requests. The system includes a first network node, a container orchestration system, and a serving node. The first network node receives an initial packet of a request from a host and sends a notification to a container orchestration system. The notification includes header information from the initial packet and signals the reception of the initial packet of the request. The container orchestration system creates one or more new containers in response to the notification based on the header information of the initial packet. The serving node instantiates the new containers, receives the request from the host, and processes the request from the host with the new containers.
  Type: Application
  Filed: November 9, 2018
  Publication date: May 14, 2020
  Inventors: Kyle Mestery, Ian Wells
- Patent number: 9203784
  Abstract: In one embodiment, a secure transport layer tunnel may be established over a public network between a first cloud gateway in a private cloud and a second cloud gateway in a public cloud, where the secure transport layer tunnel is configured to provide a link layer network extension between the private cloud and the public cloud. In addition, a cloud virtual Ethernet module (cVEM) may be executed (instantiated) within the public cloud, where the cVEM is configured to switch inter-virtual-machine (VM) traffic between the private cloud and one or more private application VMs in the public cloud connected to the cVEM.
  Type: Grant
  Filed: April 24, 2012
  Date of Patent: December 1, 2015
  Assignee: Cisco Technology, Inc.
  Inventors: David W. Chang, Abhijit Patra, Nagaraj A. Bagepalli, Kyle Mestery
- Publication number: 20130283364
  Abstract: In one embodiment, a secure transport layer tunnel may be established over a public network between a first cloud gateway in a private cloud and a second cloud gateway in a public cloud, where the secure transport layer tunnel is configured to provide a link layer network extension between the private cloud and the public cloud. In addition, a cloud virtual Ethernet module (cVEM) may be executed (instantiated) within the public cloud, where the cVEM is configured to switch inter-virtual-machine (VM) traffic between the private cloud and one or more private application VMs in the public cloud connected to the cVEM.
  Type: Application
  Filed: April 24, 2012
  Publication date: October 24, 2013
  Applicant: Cisco Technology, Inc.
  Inventors: David W. Chang, Abhijit Patra, Nagaraj A. Bagepalli, Kyle Mestery