Protecting secure session from IoT gateways

US2019089747A1 · US · A1

Patent metadata
Publication number: US-2019089747-A1
Application number: US-201715708453-A
Country: US
Kind code: A1
Filing date: Sep 19, 2017
Priority date: Sep 19, 2017
Publication date: Mar 21, 2019
Grant date:

Abstract

A process to protect secure communication sessions from a network device that may have been subjected to a malicious network attack or is otherwise the source of malicious network traffic. A cellular-connected network device, such as an IoT gateway, may receive data from one or more IoT devices. The cellular-connected network device may also communicate with a datacenter via a communication tunnel. The network device may include a usage profile reference. The network device, before transmitting data received from the IoT devices, may transmit the usage profile reference to the datacenter for authentication purposes. The datacenter may use the usage profile reference to resolve a usage profile that the usage profile reference references. Using the usage profile, the datacenter may negotiate with the cellular-connected network device to restrict the types of data that are transmitted between the datacenter and the cellular-connected network device.

First claim

What is claimed is:

1. A computer-implemented method comprising: establishing a communication tunnel over a network with a network device; receiving via the communication tunnel, at a tunnel headend, a usage profile reference from the network device; transmitting the usage profile reference to a usage profile storage system; receiving, from the usage profile storage system, a policy, based on the usage profile reference, for filtering network traffic; and enforcing the policy at the tunnel headend on network traffic between the network device and the tunnel headend via the communication tunnel.

2. The computer-implemented method of claim 1, wherein the usage profile reference is a manufacturer usage description (MUD) reference and the usage profile storage system is a MUD server.

3. The computer-implemented method of claim 1, wherein enforcing the policy further comprises negotiating between the tunnel headend and the network device to restrict a type of network traffic that the tunnel headend accepts.

4. The computer-implemented method of claim 1, further comprising: forwarding the policy to the network device; and enforcing the policy by the network device.

5. The computer-implemented method of claim 1, further comprising: generating Internet Key Exchange (IKE) traffic selectors based on the policy to restrict a type of network traffic that the tunnel headend accepts.

6. The computer-implemented method of claim 1, wherein a portion of the communication tunnel traverses at least a part of a mobile or cellular network.

7. The computer-implemented method of claim 1, wherein the communication tunnel is virtual private network (VPN) tunnel.

8. The computer-implemented method of claim 1, wherein the network device is an Internet-of-Things (IoT) gateway.

9. The computer-implemented method of claim 8, wherein the IoT gateway is connected to a plurality of IoT devices, and wherein the usage profile reference is a summary of usage profile references associated with each IoT device connected to the gateway.

10. An apparatus comprising: a communication interface configured to enable network communications; a processor coupled with the communication interface, and configured to: establish a communication tunnel over a network with a network device; receive via the communication tunnel at a tunnel headend, a usage profile reference from the network device; transmit the usage profile reference to a usage profile storage system; receive, from the usage profile storage system, a policy, based on the usage profile reference, for filtering network traffic; and enforce the policy at the tunnel headend on network traffic between the network device and the tunnel headend via the communication tunnel.

11. The apparatus of claim 10 wherein the usage profile reference is a manufacturer usage description (MUD) reference and the usage profile storage system is a MUD server.

12. The apparatus of claim 10, wherein the processor is configured to enforce the policy by negotiating between a tunnel headend and the network device to restrict a type of network traffic that the tunnel headend accepts.

13. The apparatus of claim 10, wherein the processor is further configured to: generate Internet Key Exchange (IKE) traffic selectors based on the policy to restrict a type of network traffic that the tunnel headend accepts.

14. The apparatus of claim 10, wherein a portion of the communication tunnel traverses at least a part of a mobile network.

15. The apparatus of claim 10, wherein the network device is an Internet-of-Things (IoT) gateway, wherein the IoT gateway is connected to a plurality of IoT devices, and wherein the usage profile reference is a summary of usage profile references associated with each IoT device connected to the IoT gateway.

16. A non-transitory computer-readable storage media encoded with software comprising computer executable instructions and when the software is executed by a processor, the processor is caused to: establish a communication tunnel over a network with a network device; receive via the communication tunnel, at a tunnel headend, a usage profile reference from the network device; transmit the usage profile reference to a usage profile storage system; receive, from the usage profile storage system, a policy, based on the usage profile reference, for filtering network traffic; and enforce the policy at the tunnel headend on network traffic between the network device and the tunnel headend via the communication tunnel.

17. The computer-readable storage media of claim 16, wherein the usage profile reference is a manufacturer usage description (MUD) reference and the usage profile storage system is a MUD server.

18. The computer-readable storage media of claim 16, wherein the instructions that cause the processor to enforce the policy include instructions to cause the processor to negotiate between the tunnel headend and the network device to restrict a type of network traffic that the tunnel headend accepts.

19. The computer-readable storage media of claim 16, further comprising instructions that cause the processor to: generate Internet Key Exchange (IKE) traffic selectors based on the policy to restrict a type of network traffic that the tunnel headend accepts.

20. The computer-readable storage media of claim 16, wherein a portion of the communication tunnel traverses at least a part of a mobile or cellular network.
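The flow of claims 1 and 5 (resolve a usage profile reference to a policy, derive IKE traffic selectors from it, enforce them at the tunnel headend), as an added Python sketch that is not code from the patent or its assignee. The profile URL, the simplified rule format, the function names and the default-deny handling of an unknown reference are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: a simplified stand-in for the policy a usage profile
# storage system (e.g. a MUD server) returns for a usage profile reference.
# The URL and rule layout are hypothetical, not taken from the patent.
PROFILE_STORE = {
    "https://mud.example.com/thermostat-v1.json": [
        {"proto": "tcp", "dst_net": "203.0.113.10/32", "dst_ports": (8883, 8883)},
        {"proto": "udp", "dst_net": "203.0.113.0/28", "dst_ports": (123, 123)},
    ],
}
PROTO_NUM = {"tcp": 6, "udp": 17}  # IANA IP protocol numbers

@dataclass(frozen=True)
class TrafficSelector:
    """IKEv2-style selector: IP protocol, port range, IPv4 address range."""
    proto: int
    start_port: int
    end_port: int
    start_addr: ipaddress.IPv4Address
    end_addr: ipaddress.IPv4Address

    def matches(self, proto, dst_ip, dst_port):
        ip = ipaddress.ip_address(dst_ip)
        return (ip.version == 4 and proto == self.proto
                and self.start_port <= dst_port <= self.end_port
                and self.start_addr <= ip <= self.end_addr)

def resolve_policy(profile_ref):
    """Look up the policy; an unknown reference yields an empty policy (assumption)."""
    return PROFILE_STORE.get(profile_ref, [])

def selectors_from_policy(policy):
    """Turn each allow rule into one traffic selector covering its address range."""
    selectors = []
    for rule in policy:
        net = ipaddress.ip_network(rule["dst_net"])
        lo, hi = rule["dst_ports"]
        selectors.append(TrafficSelector(PROTO_NUM[rule["proto"]], lo, hi,
                                         net.network_address, net.broadcast_address))
    return selectors

def headend_accepts(selectors, proto, dst_ip, dst_port):
    """Default deny: traffic passes only if some selector covers it."""
    return any(ts.matches(proto, dst_ip, dst_port) for ts in selectors)

SELECTORS = selectors_from_policy(
    resolve_policy("https://mud.example.com/thermostat-v1.json"))
```

Because the selectors are derived only from the resolved policy, a gateway that starts sending traffic outside its profile is refused at the headend, and a reference that resolves to nothing yields no selectors at all.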

Classifications

  • involving Diffie-Hellman or related key agreement protocols

  • Proxies

  • Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068)

  • Virtual private networks

  • Rule management

Frequently asked questions

Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/205. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Mar 21, 2019 (A1). Legal status and post-grant events are not shown on this page.