
Cisco Applies For Patents To Secured TCP

An anonymous reader writes "Following the recent excitement over a potential vulnerability in TCP, Cisco's "Worldwide Patent Counsel", Robert Barr, has let it be known that they have pending patent applications for one or more of the IETF recommendations for improving TCP's security. KernelTrap has the full details."

  • Re:Oh goody. (Score:2, Informative)

    by cuban321 ( 644777 ) on Tuesday May 11, 2004 @09:27PM (#9123118) Homepage
    If you look at their Host based IDS solution it's pretty impressive. It prevents users from doing incredibly stupid things on their workstations and reports back to a central server.
  • OpenBSD (Score:4, Informative)

    by LittleLebowskiUrbanA ( 619114 ) on Tuesday May 11, 2004 @09:36PM (#9123180) Homepage Journal
    How fortunate of a timing right after OpenBSD just decided to combat software patents with Open Source [openbsd.org].
  • Re:Well... (Score:3, Informative)

    by EmbeddedJanitor ( 597831 ) on Tuesday May 11, 2004 @09:55PM (#9123298)
    Not necessarily. I believe you have a year to make the application after it becomes public. However, they better have some strong records to back up the claims that they made the invention at an earlier date.
  • by Aneurysm9 ( 723000 ) on Tuesday May 11, 2004 @10:33PM (#9123535)
    You forget, this is /. People see "patent" and panic. People rarely read the article or patent application. I'm not sure, but it looks like this might be the application they're referencing. United States Patent Application 20040081154: Internal BGP downloader. [uspto.gov] I tend to think like you do, Cisco sees this as something that is essential to the future of TCP as a viable standard and will not charge an arm and a leg for a license.
  • by Mustang Matt ( 133426 ) on Tuesday May 11, 2004 @10:42PM (#9123574)
    For the record... I did some tests on linksys, dlink and netgear wireless access points and linksys was the worst. Netgear was actually the only one to function in all modes as advertised with perfect stability.

    I'm not affiliated with any of the above companies. I just thought I'd mention that linksys is junk and owned by cisco. So maybe it's a family trait.
  • by rusty0101 ( 565565 ) on Tuesday May 11, 2004 @10:45PM (#9123589) Homepage Journal
    As CISCO has not disclosed the terms of their licencing, RAND means nothing. Setting the cost at a billion dollars, can be asserted as being Reasonable and Non Discriminatory, as the only "customer" involved would be Microsoft.

    In all likelihood you very well may be right. I don't know what Cisco thinks the market for licences to their patch happens to be, so neither of us are likely to be "correct" in our valuation.

    -Rusty
  • by chrome ( 3506 ) <chrome AT stupendous DOT net> on Tuesday May 11, 2004 @10:50PM (#9123607) Homepage Journal
    Rather than guess, I asked Robert Barr himself if I could get a license for the Linux Kernel Project, and this is what he said:

    Hi Nathan

    There is no patent and there is no standard, so it's a bit premature.

    But if a patent does issue and a standard is approved, this is our policy

    Cisco will not assert any patents owned or controlled by Cisco against any party for making, using, selling, importing or offering for sale a product that implements IETF RFCXXXX, provided, however that: Cisco retains the right to assert its patents (including the right to claim past royalties) against any party that asserts a patent it owns or controls (either directly or indirectly) against Cisco or any of Cisco's affiliates or successors in title; and Cisco retains the right to assert its patents against any product or portion thereof that is not necessary for compliance with RFC XXXX.

    Royalty bearing licenses will also be available as an option.

    Please let me know if you have any questions.

    Robert Barr

  • by anti-NAT ( 709310 ) on Tuesday May 11, 2004 @11:23PM (#9123760) Homepage

    It is just an Internet-Draft (ID), that has been submitted for IETF approval. The IETF haven't reviewed it yet, nor taken a position on whether it should be a standard or not.

    I could submit a ID for a protocol for standing on my head. That doesn't mean it is an IETF recommendation or that it will be.

    With all the FUD being expressed by people who don't know much (anything?) about the IETF and its processes, maybe the next higher level after RTFA should be GAFC (Get A F**king Clue).

  • by Ded Mike ( 89353 ) on Tuesday May 11, 2004 @11:42PM (#9123829) Homepage
    ...as Tony says, in the BSD thread, in partial reply to Theo:

    QUOTE
    What's very amusing is reading section 5 of the draft, wherein the author distributes credit to a number of parties. If Cisco were to file a patent at this point and not include those parties (including other companies), the patent validity would be at risk by reason of excluding a contributor. If Cisco does include all of those other companies in the patent, then all of them must also present the IETF with relevant IPR statements.
    Frankly, this is yet another PR blunder by Cisco. If they had simply said nothing or formally put their contribution into the public domain, they wouldn't look so egregiously greedy.
    ENDQUOTE

    From the 10EAST archive [theaimsgroup.com], as quoted in kerneltrap...Theo has some choice comments about the US Patent System and the IETF, too.

    IOW, yet again, Cisco trying to cash in on Open Source, in order to desperately prop up their miserable recent record of development, innovation and security, as well as theft from the Open Source Community, in order to keep their stock price up and keep from being listed on F'd Co., where they belong.

  • by chrome ( 3506 ) <chrome AT stupendous DOT net> on Wednesday May 12, 2004 @01:01AM (#9124109) Homepage Journal
    Okay, I got this back:

    On May 12, 2004, at 12:46 PM, Robert Barr wrote:

    > Okay, I get that point now, but is there anything stopping Cisco from
    > asserting its patents just for the hell of it?

    Yes, my written statement above would stop us. I can turn it into a contract if that is necessary, but I don't think it is. Anybody who relies on that statement is protected, but I guess they should consult their own lawyer.

    > You say that Cisco will only assert its patent against someone who
    > tries to assert a patent against Cisco, but what is stopping
    > Cisco from just doing it anyway?

    see above.

    > ie, the methods are integrated into the Linux Kernel TCP/IP stack and
    > gain wide acceptance, and Cisco then sees value in trying to claim that
    > all users of Linux need to pay Cisco a licensing fee of $200 per CPU to
    > use the proprietary, patented methods included in Linux.
    >
    > I know it's far-fetched, but 3 years ago, anyone saying that SCO would
    > try to claim ownership of Linux would be laughed at.

    SCO never made a statement like I did

    > What agreement can open source projects enter into with Cisco to ensure
    > that the above is legally impossible?

    I'll execute an agreement with those terms if necessary

    > Lastly, the GPL states:
    >
    > "Finally, any free program is threatened constantly by software
    > patents. We wish to avoid the danger that redistributors of a free
    > program will individually obtain patent licenses, in effect making the
    > program proprietary. To prevent this, we have made it clear that any
    > patent must be licensed for everyone's free use or not licensed at
    > all."

    Prof Eben Moglen says this about GPL, I think it applie

    "Section 7 prohibits distribution under GPL if you cannot fulfill the requirements of the license because of other conditions *imposed* on you by, among other things, a judgment of patent infringement, interim measures short of judgment, such as a preliminary injunction, or contractual limitations such as non-disclosure agreements or patent licenses. But you are not unable to distribute under GPL unless those requirements have been *imposed*. Until a particular party distributing GPL'd code has either accepted a license whose requirements are incompatible with GPL or has been ordered by a court of competent jurisdiction to do or refrain from doing in a fashion incompatible with GPL, there is no direct conflict with the requirements of the license, and no requirement to refrain from distribution. With regard to patents, in particular, no one *ever* has an obligation to refrain from making, using or selling technology that *may* practice patent claims solely because someone somewhere has taken a patent, claims to have a patent, or even publishes a license. Only the demand that you in particular take a license or cease infringing triggers theoretical liability under US patent law. Whether there can be liability for damages for the period before such notification is another question, legitimately of importance to those who commercially distribute free software, but not ordinarily of significance to those who develop only, or who distribute non-commercially.

    Moreover, patents are not global, only local. To say that we cannot *develop* under GPL because a patent exists in country X, and a license has been published there to which those making, using, or selling in country X *might* be asked to subscribe would go much too far. That situation certainly does not prevent development elsewhere, and distribution under GPL can certainly proceed."


    ***

    > So, for any GPL software use Cisco's methods, Cisco will need to
    > provide a guarantee that under the GPL, any future patent for these
    > methods will be free for use by that GPL software.
    >
    > Just taking your word for it that Cisco won't assert its patent in the
    > future isn't goo
  • by Alsee ( 515537 ) on Wednesday May 12, 2004 @01:32AM (#9124203) Homepage
    Patents exist to protect inventions. And pretty much every country on Earth has - correction - *had* rules stating that math is not an invention. That you cannot patent math, calculations, or math algorithms.

    Well, programming is a field of math. All software is a mathematical function. The only thing a computer can do is calculations.

    You can hook a computer up to a speaker that produces sound, you can invent and patent that speaker, but the computer itself can only do math calculations.

    Math is not an invention. Software is not an invention. You can't patent addition, you can't patent calculus, and you can't patent the math that is software MP3 calculations.

    The US screwed up a case where the court upheld a patent doing a calculus integral to decide how long to cook rubber during manufacturing. You simply integrate heat over time. Simple math, if you are familiar with calculus. It was the ordinary rubber manufacturing process, they just "invented" an equation to decide how long to run the heat. That one bad ruling opened the door to software patents. The US patent office took that lousy ruling and threw the door wide open for patents on math.

    Of course they don't directly let you say you're patenting math. Word the application one way and it gets rejected, word the exact same claims a different way and it gets approved. Software patent attorneys admit it's all about using "the magic words". You're patenting the process of doing some calculation on some hardware. Ordinary PC hardware.

    -
  • by eclecticIO ( 195600 ) on Wednesday May 12, 2004 @01:33AM (#9124206)
    It appears that Mr. Barr at least feels he has a good reason for applying for the patent. If you read the statement he made before the FTC during their hearing on "Competition and Intellectual Property Law and Policy in the Knowledge-Based Economy" he argues against the current patent system. However, he also explains why Cisco, under his direction, applies for so many patents:

    "It makes more business sense to assume that, despite the fact that we do not copy other company's products, and despite the fact that we do not derive solutions to problems from the patent literature, we will be accused of patent infringement. The only practical response to this problem of unintentional and sometimes unavoidable patent infringement is to file hundreds of patents each year ourselves, so that we can have something to bring to the table in cross-licensing negotiations. In other words, the only rational response to the large number of patents in our field is to contribute to it."

    He goes on to make some very interesting arguments saying...

    "The patent system does not exist to protect the rights of inventors, or any particular interest group. It doesn't exist to protect what we now call "intellectual property", as if it were protectable for its own sake. The patent system exists to protect the progress of science and the useful arts. If the patent system fails to do that in certain areas, then the costs and negative effects of the patent monopoly cannot be justified. Where the patent system enables true innovation, true progress, where it enables companies to bring new products to consumers in circumstances where they otherwise would not do it, or where it disseminates knowledge that others need and want, then it's working."

    So, Cisco appears to be doing this as a matter to protect their own ability to use this fix, not to prevent others from using it. That would seem to fit with his explanation posted earlier...

    "That's not what it says, or what I mean to say. It says that nobody has to pay anything, or even ask for a license, unless they want to assert patents against Cisco."

    You can read Mr. Barr's full statement before the FTC online (ironically enough) at
    Freedom for a Free Information Infrastructure [ffii.org]

  • by Erik_ ( 183203 ) on Wednesday May 12, 2004 @02:00AM (#9124289)
    The two main components provided by OpenBSD are CARP (the Common Address Redundancy Protocol) [countersiege.com], which allows a backup host to assume the identity of the primary, and pfsync, which ensures that firewall states are synchronised so that the backup can take over exactly where the master left off and no connections will be lost.

    CARP
    The Common Address Redundancy Protocol manages failover at the intersection of Layers 2 and 3 in the OSI Model (link layer and IP layer). Each CARP group has a virtual MAC (link layer) address, and one or more virtual host IP addresses (the common address). CARP hosts respond to ARP requests for the common address with the virtual MAC address, and the CARP advertisements themselves are sent out with this as the source address, which helps switches quickly determine which port the virtual MAC address is currently "at".

    The master of the address sends out CARP advertisement messages via multicast using the CARP protocol (IP Protocol 112) on a regular basis, and the backup hosts listen for this advertisement. If the advertisements stop, the backup hosts will begin advertising. The advertisement frequency is configurable, and the host which advertises most frequently is the one most likely to become master in the event of a failure.

    A reader who is familiar with VRRP will find this is somewhat familiar, however there are some significant differences:

    * The CARP protocol is address family independent. The OpenBSD implementation supports both IPv4 and IPv6, as a transport for the CARP packets as well as common addresses to be shared.
    * CARP has an "arpbalance" feature that allows multiple hosts to share a single IP address simultaneously; in this configuration, there is a virtual MAC address for each host, but only one IP address.
    * CARP uses a cryptographically strong SHA-1 HMAC to protect each advertisement.

    Besides these technical differences, there is another significant difference (perhaps the most important one, in fact): CARP is not patent encumbered. See this page for details on the history of CARP and our reasons for avoiding a VRRP implementation.

    pfsync
    pfsync transfers state insertion, update, and deletion messages between firewalls. Each firewall sends these messages out via multicast on a specified interface, using the PFSYNC protocol (IP Protocol 240). It also listens on that interface for similar messages from other firewalls, and imports them into the local state table.

    In order to ensure that pfsync meets the packet volume and latency requirements, the initial implementation has no built-in authentication. An attacker who has local (link layer) access to the subnet used for pfsync traffic can trivially add, change, or remove states from the firewalls. It's possible to run the pfsync protocol on one of the "real" networks, but because of the security risks, it is strongly recommended that a dedicated, trusted network be used for pfsync. This can be as simple as a crossover cable between interfaces on two firewalls
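
Added example, not part of the thread and not OpenBSD's code: a receiver that checks an HMAC-SHA1 tag before trusting an advertisement, next to a state import with no authentication, to show why the comment above recommends a dedicated network for pfsync. The packet layout, the `counter` replay guard, the message dictionary and all names are constructed for illustration and are not the CARP or pfsync wire formats.

```python
import hashlib
import hmac
import struct

# Constructed layout for illustration, NOT the CARP wire format:
# vhid, advbase, advskew, pad byte, 64-bit counter, then a 20-byte tag.
HEADER = struct.Struct("!BBBxQ")
TAG_LEN = hashlib.sha1().digest_size

def build_advert(key, vhid, advbase, advskew, counter):
    """Serialize an advertisement and append HMAC-SHA1 over the header."""
    header = HEADER.pack(vhid, advbase, advskew, counter)
    return header + hmac.new(key, header, hashlib.sha1).digest()

class Backup:
    """Backup host that only trusts advertisements carrying a valid tag."""

    def __init__(self, key, vhid):
        self.key, self.vhid = key, vhid
        self.last_counter = -1  # hypothetical replay guard (assumption)

    def accept(self, packet):
        if len(packet) != HEADER.size + TAG_LEN:
            return "drop: bad length"
        header, tag = packet[:HEADER.size], packet[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha1).digest()
        # Verify in constant time before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return "drop: bad hmac"
        vhid, _advbase, _advskew, counter = HEADER.unpack(header)
        if vhid != self.vhid:
            return "drop: other group"
        if counter <= self.last_counter:
            return "drop: replay"
        self.last_counter = counter
        return "accept"

def import_state_unauthenticated(table, msg):
    """State import with no sender check: whatever arrives is applied."""
    if msg["op"] == "delete":
        table.pop(msg["id"], None)
    else:  # insert or update
        table[msg["id"]] = msg["state"]

def demo():
    key = b"constructed-shared-secret"  # sample value, constructed
    backup = Backup(key, vhid=1)
    good = build_advert(key, 1, 1, 0, counter=1)
    tampered = bytearray(build_advert(key, 1, 1, 0, counter=2))
    tampered[2] = 200  # advskew altered in transit, tag left unchanged
    wrong_key = build_advert(b"guess", 1, 1, 0, counter=3)
    return [backup.accept(good), backup.accept(bytes(tampered)),
            backup.accept(wrong_key), backup.accept(good)]

if __name__ == "__main__":
    print(demo())
```

The unauthenticated import has no equivalent of the `bad hmac` branch, so the only control left is restricting who can reach the interface it listens on.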
  • by Trepalium ( 109107 ) on Wednesday May 12, 2004 @03:33AM (#9124558)
    The logo animation is a funny thing. It actually does serve a purpose. It tells you the program is not hung. It's the same thing as those silly spinners in text mode programs (-\|/). If you have a program that's just sitting there with nothing but static text, how long are you going to wait before deciding something might be wrong?
  • by olderchurch ( 242469 ) on Wednesday May 12, 2004 @04:38AM (#9124748) Homepage Journal
    Presumably the USPTO is smart enough to shoot down a process patent that's based on published recommendations by a third party, but maybe there's something clever in Cisco's particular implementation that's worthy.

    Dream on:
    - USPTO Grants CA Lawyer Domain-Naming Patent [slashdot.org]
    - Patent Granted on Sideways Swinging [slashdot.org]
    - Patent On Software Downloads Upheld [slashdot.org]

    and to sum it all up:
    - Enter The 'Stupid Patent Tricks' Contest [slashdot.org]

  • by Glamdrlng ( 654792 ) on Wednesday May 12, 2004 @07:21AM (#9125201)
    ...it is quite time someone questions the exact origin of SSL, SSH, NTP and a few other items in IOS which are known to be bug for bug compatible with OSS code and do not have stated copyrights in the IOS release notes.
    Parent raises a very good point. While Cisco has acknowledged [cisco.com] other use of open source code in the past, I've wondered if there was a use of the same source or maybe just shared libraries that caused vulnerabilities in openssh to affect the IOS, and the same with openssl. Cisco developers have also made open source contributions [sourceforge.net], so it's not like nobody there gets the GPL.
  • by Flower ( 31351 ) on Wednesday May 12, 2004 @01:04PM (#9128567) Homepage
    Go over the story at OpenBSD. [openbsd.org] Quote:
    On August 7 2002, after many communications, Robert Barr (Cisco's lawyer) firmly informed the OpenBSD community that Cisco would defend its patents for VRRP implementations....

    You also need to reread that comment you linked to as it doesn't say what you are implying. Quote:
    In Cisco's assessment, the VRRP proposal does not represent any significantly different functionality from that available with HSRP....

    However, now that the draft-li-hsrp-01.txt' submission is approaching expiration and the Working Group is continuing with the VRRP proposal, Cisco Systems reserves the right to protect its intellectual property.
