Cisco Applies For Patents To Secured TCP

An anonymous reader writes "Following the recent excitement over a potential vulnerability in TCP, Cisco's "Worldwide Patent Counsel", Robert Barr, has let it be known that they have pending patent applications for one or more of the IETF recommendations for improving TCP's security. KernelTrap has the full details."

not more patents

don't we have enough patents as it is?

if tcp is copyrighted

and you use it illegally, you're in trouble.

only the criminals will have network connections

Re:if tcp is copyrighted

So in the future a criminal could use a pirated wireless connection, using a pirated connection protocol to download pirated music and movies? Neat!

On the plus side, the (MP|RI)AA would be just as illegal in hunting you down... maybe I should take up P2P trading.

Re:if tcp is copyrighted

OK, I'm sorry for correcting an otherwise funny comment, but there seems to be much confusion about copyright lay and patent law that I think could some correction.

Patent law is about the implementation of ideas. Cisco filed a patent for their implementation of secured TCP. Anyone who wants to use the same implementation for the duration of the patent has to license the right to do so from Cisco.

Copyright on the other hand is about the contents of artistic word like books. There is no need to file for copyright since it's an automatic right obtained by creating those works. If people develop similar works totally independent from each other, that's fine.

A Google search [google.com] should give you more information.

Re:if tcp is copyrighted

Right - the implementation of ideas. Except it's not, because the USPTO allows processes - ideas themselves - to be patented.

If it was as simple as implementation (binary or even source code), "we" could write a new implementation that was compatible with their one (did the same thing in a different way), and multi-vendor secure TCP comms could happen. Unfortunately it's not that simple because they've likely patented the processes, although we'd have to wait for the patents to be available to see, I think.

This is actually rather risky for Cisco, because they may cut themselves off from everyone else. If OpenBSD indeed has a better and free solution, organisations should be using them. The result then is no secure communications if your non-Cisco equipment talks to Cisco equipment (unless Cisco implements the OpenBSD stuff too...).

Presumably the USPTO is smart enough to shoot down a process patent that's based on published recommendations by a third party, but maybe there's something clever in Cisco's particular implementation that's worthy. Either way, I suspect Cisco has just killed an otherwise reasonable way of doing secure TCP on the public Internet.

And props to people like the OpenBSD guys for being there and continuing to grind out alternative and often better solutions.

Re:if tcp is copyrighted

Presumably the USPTO is smart enough to shoot down a process patent that's based on published recommendations by a third party, but maybe there's something clever in Cisco's particular implementation that's worthy.

Dream on:
- USPTO Grants CA Lawyer Domain-Naming Patent [slashdot.org]
- Patent Granted on Sideways Swinging [slashdot.org]
- Patent On Software Downloads Upheld [slashdot.org]

and to sum it all up:
- Enter The 'Stupid Patent Tricks' Contest [slashdot.org]

Well...

They better hope their applications are dated before the recommendations.

Re:Well...

You're assuming you need strong claims to get a patent application approved by the USPTO.

Re:Well...

Depends from what perspective. They have already pulled out the stunt of suing Aclcatel and OpenBSD for VRRP without doing the proper patent disclosure in IETF. So one more case one less is not going to change a lot.

Methinks that it is much more interesting that there were people from outside Cisco working on that vulnerability. If I recall correctly the list there was Juniper and someone else there as well. So unless Cisco did the correct paperwork with these guys they are fully entitled to sue Cisco's arse flat.

In btw, it is quite time someone questions the exact origin of SSL, SSH, NTP and a few other items in IOS which are known to be bug for bug compatible with OSS code and do not have stated copyrights in the IOS release notes.

Oh goody.

Do you think they'll patent the backdoor they're planning on putting in it? I'd hate to have to reverse engineer that.

I used to be very pro-cisco, but with the recent "Self protecting networks" ads that are misleading at best, and the backdoor snafu, I don't see how I could reccomend to anyone that they're worth the cost.

Re:Oh goody.

I can't stand those ads either. It is not possible to defend against humans from the inside. That's liek trying to build a car that is intentionally-driving-over-a-cliff proof.

It's all about the phbs

Phb: "Oh, SELF PROTECTING NETWORK! Oooo! We need one of those!"

Such crap. It's like those blatantly false microsoft ads where they show microsoft office as a wonderful beautiful thing. I've worked with office for years, and the only time I danced through my office with a newly printed office document involved a printer incompatibility, a long project, and way too much coffee.

Show me an ad that says, "Hey this works okay most of the time," or "this router can detect and contain unusual network activity, so viri spread slower" and that's a product that I can trust. Promising pie in the sky only works for idiots.

Re:It's all about the phbs

Show me an ad that says, "Hey this works okay most of the time," or "this router can detect and contain unusual network activity, so viri spread slower" and that's a product that I can trust. Promising pie in the sky only works for idiots.

It's been my experience that the idiots are the ones making the purchasing decisions, hence the nature of the advertising.

Re:It's all about the phbs

I agree completely, thus the "Pointy-Haired Boss" reference.

My mother is just like this. I can tell her something over and over and over again, and it means nothing to her. But if she hears the same thing from a random, poorly-informed stranger, it's a proven fact.

It's sad that they know enough to hire skilled people, and then choose to listen to simplistic (though slick) advertising instead.

Re:It's all about the phbs

>> My mother is just like this. I can tell her something over and over and over again, and it means nothing to her. But if she hears the same thing from a random, poorly-informed stranger, it's a proven fact.

Now you know how she felt when you were growing up.

:)

Re:It's all about the phbs

It's been my experience that the idiots are the ones making the purchasing decisions, hence the nature of the advertising.

It's not just the idiots. If you didn't know anything else about the product, which would you buy?

• Product A -- Claims to be 73% good.
• Product B -- Claims to be 96% good.
• Product C -- Claims to be 99.999% good.
• Product D -- Claims to be 100% good.

Being skeptical, you would probably pick product A has having truthful ads. Product B, you might think, has really good real-world performance. Product C is just marketing hype, and product D is impossible in the real world.

But if you see a big brand name (Microsoft, Cisco, Intel, etc.) on product C, you might say "Well, it isn't 100%, and they are a good company. Maybe it's the truth. Of course, claiming to be Product C happens, and that's where the trap is.

It might be that you are looking at Microsoft statement claiming "5 nines" of 99.999% uptime [dell.com] (that's down for 5 minutes each year). Or Sun claiming the same 99.999% [com.com]. Or Cingular Wireless claiming 99.999% reliable networks [cingular.com], excluding several days of downtime [merit.edu] that they must not factor into their percentage. Maybe it's that 99.999% pure copper speaker cable [audiovisualonline.co.uk] you were looking for. (For the chemists, here's a site where you can buy over a dozen other '99.999% pure metal' wires [eurotitan.co.uk].) Lots of people get caught into that.

In some cases it really is justified. If I were a chemist, maybe having iridium wire that is only 99.9% pure might cause problems, and those extra 9's might be significant. But that usually isn't the case for most marketing.

But I don't think it's just a PHB issue, it's a problem of 'I really want the best, and I only want to spend 5 minutes to find out which one that is'.

frob

Re:It's all about the phbs

IAAC. Most reagents are indeed rated rather precisely with respect to their purity. For example, "spectroscopic" grade toluene is different than "hplc" grade toluene, and they're both different from "reagant" grade toluene. (These are so-called "customary" names for different purity grades. It can be a little confusing even to practitioners, so typically something will be labeled like "Reagent Grade (95%) Foo.")

Those extra 9s frequently are important. For a plain synthesis reaction, 95% may be ok (you may just want to make some of product X to prove that it can be made, so if you have some miniscule fraction of an isomer of X due to that 5% similarly-reactive reagent impurity, it's not such a big deal). But if you're doing a really precise analysis (say ppt range), you don't want any peaks from chemically similar impurities crowding into the spectral range you're looking at.

But yeah, outside of the actual practice of science, most anything above 99% is speculative horseshit dreamed up by a marketer. _Proving_ that something is that pure is an expensive and time-consuming prospect.

Re:It's all about the phbs

The point is that it works! Not because people are idiots, but because they're muggles. They don't get it. To them, the act of sending email might as well be magic for all the understanding they might have, so promising them something that's technically infeasible is worthwhile and profitable. If it's presented well, if it uses cultural memes that are accepted and understood by the target audience, if it tells them something they want to hear, it'll work.

Re:It's all about the phbs

Show me an ad that says, "Hey this works okay most of the time," or "this router can detect and contain unusual network activity, so viri spread slower" and that's a product that I can trust.

That's not a product I would trust. Routers should do one thing, and that's routing. Firewalls should be the devices that implement policies, not routers.

It's the same premise as buggy, hole-ridden software. A good 30% of 'features' in software don't need to be there, but they are, and they introduce problems. Take Norton Systemworks (2002) ... while it's scanning the disk, you can have it animate the logo and/or play some music. Why does that need to be there? It doesn't ...

The same goes for Cisco ... the hardware isn't spectacular, but they make up for it in software. They add feature upon feature upon feature, which leads to the code getting overly complex, which leads to bugs. You then get vulnerabilities like the one for LEAP, or now this TCP reset business, when they (the bugs) likely wouldn't exist if the routers just did routing and the engineers focused on that.

Re:Oh goody.

No, you were right. It would make the car more dangerous.

A car suddenly deciding it isn't willing to listen to your inputs is just scary.

Because in any condition in which the computer takes control, the driver won't know what the hell happened, and the computer might not have all the information.

Now if it picks me up, drives me to my destination, and goes away to refuel itsself and hang out with other cars, it is perfectly allowed to retain control at all times. =)

(And I wouldn't trust *that* unless it was on a track with guaranteed physical distance between vehicles.)

Protecting the network from humans on the inside

Actually, the router in question is very intelligent. All attempts to connect to MSN are re-routed to Google, and any software downloaded is first routed to the system admin for approval. When it recieves a query for windows update, it returns a package containing FireFox, ThunderBird, AVG antivirus, and SpyBot. I can't tell you what it installs when the user attempts to get SP2, but I can tell you that it isn't called "Lindows."

Before anyone spouts off at the mouth

Let's keep in mind that patents are in place to protect the innovators and keep them innovating. Yes, it sucks that maybe other vendors can't use this for a while, but that's the price of progress.

Re:Before anyone spouts off at the mouth

Bollocks. They are there to protect investors not innovators. They are there to maintain a monopoly for a limited time, and come from an age that moved far slower than ours does. They are regularly abused, and they hamper progress more often than they promote it. Go ask anyone with a technical or science perspective rather than a business perspective.

Re:I don't understand

Patents were put in place for the good of society. I have just as much right to have an opinion on them as any CEO or lawyer.

After talking to the likes of Radia Perlman (who is extremely cool fwiw) I have extreme reservations that business model aka software patents do any good for society at all. I wonder where the state of networking would be now if spanning-tree had been patented and we had to wait 17 years before anybody was willing to implement it. I wonder where we could be if a mind like Ms. Perlman's could work on certain areas which really interest her (PKI for one iirc) except it isn't worth walking through a minefield of worthless patents. If HTTP had been patented do we you think we'd be using it or would we be using Gopher? Huh. Cisco has patents related to VRRP so the OpenBSD team develops an alternative and improves on the concept by adding in cryptography and increasing reliability.

And just remember this. For all the success stories you talk about - if it harms society, if it inhibits the arts and sciences - what the government gives it can taketh away. The Wright brothers didn't get to keep their patents.

Actually...

I can and have thought up a number of ways to use our IP laws to discourage innovation.

For example, there's some stupid precident where something like 5 notes were supposedly "subconciously copied." I remember that, from the way they decided things, someone calculated that there were only 5,000 some odd different types of music that would be legally recognized under that precident.

Therefore, if you simply make a CD with each variation (and to comply with other wacky precidents and laws, make it a "dramatic" work--e.g. put some kind of story in there with your music, as well as mixing up the order so as to make your creation more creative than a mere listing of all the possible note combinations), and file a copyright on it.

Voila, you've copyrighted all the music. But you probably don't dare distribute any of it, lest you infringe on every pre-existing work, so you play SCO. Manage to get in the media with some wacky press release (Slashdot would be a good target), and spout off about how you intend to use this to stifle musical innovation "because it's clearly not profitable."

Ramble on a bit about how the industry knows what is best for us--"only unoriginal crap sells! so long as they're just rehashing their old works, we feel that they're not deriving anything from ours, and we simply want the music producers to make money, something you cannot do unless you force-feed the public unoriginal music." Thus you're never under obligation to actually sue anyone, though you can make a show of menacing anyone whose music might be original, telling them that it doesn't seem to derive enough from all their old records, so they must have stolen it from you...

Yes, I realize that this is incredibly contorted logic (I must have been reading too many SCO stories here...), but the upshot of it is that you would be using such a copyright registration to (at least attempt) to stifle innovation. ...

Now then, as for patents? It's harder to find an example of a bottleneck, as above, and these will cost you over $1,000 each in filing fees alone. Still, you seem to be able to patent the most rediculous things. You could always file some nonsense like "n-click shopping, for n greater than one" (note that you can make "shopping" into any other activity, though you might get hillarious results like "3-click bowling") or just "___ over the internet" ...

I can even imagine being bored enough to write an "absurd patent generator" in Perl, if I could just think of more such patterns to feed into it :] For irony's sake, one could then patent that nonsense generating algorithm (though proving it useful in commerce might be another hurdle... I wonder if they would buy the thought that putting it on a page with ads and making a grand total of $0.38 from the ads would be enough? :)

Of course, if you really did invent something wonderful, and you could patent up all the possible ways of using it (so that others couldn't just tweak it and get around your patent), you could always just publicize it and say that you have absolutely no intention of ever letting anyone use your invention until the patent expires. If it was software, you might then make it available via your website for *only* those people where your patent doesn't apply...

Re:Before anyone spouts off at the mouth

Patents exist to protect inventions. And pretty much every country on Earth has - correction - *had* rules stating that math is not an invention. That you cannot patent math, calculations, or math algorithms.

Well, programming is a feild of math. All software is a mathematical function. The only thing a computer can do is calculations.

You can hook a computer up to a speaker that produces sound, you can invent and patent that speaker, but the computer itself can only do math calculations.

Math is not an invention. Software is not an invention. You can't patent addition, you can't patent calculus, and you can't patent the math that is software MP3 calculations.

The US screwed up a case where the court upheld a patent doing a calculus integral to decide how long to cook rubber during manufacturing. You simply integrate heat over time. Simple math, if you are familiar with calculus. It was the ordinary rubber manufacturing process, they just "invented" an equation to decide how long to run the heat. That one bad ruling opened the door to software patents. The US patent office took that lousy ruling and threw the door wide open for patents on math.

Of course they don't directly let you say you're patenting math. Word the application one way and it gets rejected, word the exact same claims a different way and it gets approved. Software patent attorneys admit it's all about using "the magic words". You're patenting the process of doing some calculationon on some hardware. Ordinary PC hardware.

-

i'm starting to agree

The US business model sucks.

Patenting a security feature in TCP? Cisco sucks. I won't use another one of their products again if I can possibly help it.

Unfortunately that's probably not going to happen. In fact, I have this CSS 11150 box that i'm going to have to configure. sigh.

When the choice is principles and employment, employment wins. I have child support to pay.

Re:i'm starting to agree

well, if it makes you feel any better, we just made a purchasing decision against cisco in favor of two simple linux boxes running a combination of shorewall [shorewall.net] and heartbeat [linux-ha.org]. The cost savings versus the cheapest cisco firewall that does failover was worth the effort of installing the open source software. I also highly recommend m0n0wall [m0n0.ch] for a SOHO cisco replacement. I'd chose m0n0wall over a cheaper watchguard or sonicwall box any day.

Some IETF and patent background...

It was never the object of patent laws to grant a monopoly for every trifling device, every shadow of a shade of an idea, which would naturally and spontaneously occur to any skilled mechanic or operator in the ordinary progress of manufactures. Such an indiscriminate creation of exclusive privileges tends rather to obstruct than to stimulate invention. It creates a class of speculative schemers who make it their business to watch the advancing wave of improvement, and gather its foam in the form of patented monopolies, which enable them to lay a heavy tax on the industry of the country, without contributing anything to the real advancement of the arts. It embarrasses the honest pursuit of business with fears and apprehensions of unknown liability lawsuits and vexatious accounting for profits made in good faith. --

U.S. Supreme Court, Atlantic Works vs. Brady, 1882 [mit.edu]

Historically, the IETF has been neutral about using patents in the Standards process, and its position is summed up best in the charter of the IPR Working Group (http://www.ietf.org/html.charters/ipr-charter.htm l [ietf.org]):

The IETF and the Internet have greatly benefited from the free exchange of ideas and technology. For many years the IETF normal behavior was to standardize only unencumbered technology.

While the 'Tao' of the IETF is still strongly oriented toward unencumbered technology, we can and do make use of technology that has various encumbrances. One of the goals of RFC2026 'The Internet Standards Process -- Revision 3' was to make it easier for the IETF to make use of encumbered technology when it made sense to do so.

Last year, there was an attempt to make the IETF change their policy, but it failed miserably (http://news.com.com/2100-1013-996351.html?tag=fd_ top [com.com]).

So you can have more secure communications, but only if you pay Cisco.

Bastards.

Re:Some IETF and patent background...

So you can have more secure communications, but only if you pay Cisco.

Actually, according to the "full details" link, you can have more secure communications, but only if you pay attention to OpenBSD's recommendations (and ignore Cisco's patent-encumbered implementation which isn't as good).

This is the second time in six months OpenBSD has seriously one-upped Cisco and its patents. :-) They even wrote a song [openbsd.org] about the first!

Re:Some IETF and patent background...

No, I'm not sure. Don't mistake me for an expert on this set of vulnerabilities. I was going by what was said in the link and on the OpenBSD misc@ mailing list.

According to some messages on the list, Cisco was one of the worst affected by the recently announced set of TCP vulnerabilities, and OpenBSD had only minimal exposure in the first place.

It strikes me that this may be PR ploy on Cisco's part to cover up for their past mistakes by appearing to rush to the rescue with a patent pending solution. They'll even graciously let others use them in exchange for cross-licensing. After all, if it's pending a patent, those Cisco guys must be really on the ball ...right? ;)

Personally, I trust the OpenBSD project a great deal more than Cisco when it comes to security. I mean, OpenBSD wasn't even vulnerable to the no-workaround backdoor password issue!

Luckily in that case, locking a user account had a considerable amount of prior art.

This could set a REALLY bad precedent...

...if it gets past the patent office (who here doubts that it will? I don't).

The reason is that this is basically a patch to a protocol. The TCP protocol itself was a novel invention. But most patches to protocols, or to code to fix a particular problem, are fairly obvious to someone skilled in the requisite arts. Generally, the nature of the bug is what determines the solution, and often the solution is obvious to someone who is familiar with the protocol (or code) and the problem in question.

If this gets through then you can expect a lot of patents to be filed on patches to many things, including open source projects. And that means that unless the code is protected by something like the GPL (which requires a patent license grant as a condition of redistribution), the projects (and those who maintain and use them) will be vulnerable to patent infringement suits.

This is going to get nasty. But I think most of us who have been keeping track of this nonsense already know that.

Re:This could set a REALLY bad precedent...

Er, people are _already_ filing patents on patches. In fact, that's the backbone of the patent system - most patents filed are on small tweaks to existing mechanisms.

So don't adopt these as a standard

Official standards should not include anything that is proprietary, as that gives someone a monopoly and shuts out open source solutions. Standards should be designed so that everyone can use them without having to pay royalties.

What is....

exitement?

Is that a cross between excitement and excrement?

Limited use if proprietary

Unless Cisco licenses the technology and other companies bite, I don't see this getting very far on the Internet. Too much of the backbone is comprised of equipment from multiple vendors. I work for a large Tier 1 ISP. Most of the edge routers are Cisco, but the core routers are Juniper. Things get even messier in a Co-location data center, where customers can be using who knows what brand of equipment to connect to the data center's network.

Ci...SCO ?

Bastards, patenting a public working group's suggestion for fixing the broken widget. Anyone else wonder if there is a conspiracy here? If this works for the network appliance giant, SCO might just have a case if they patent a few of the publically submitted kernel patches.

OpenBSD

How fortunate of a timing right after OpenBSD just decided to combat software patents with Open Source [openbsd.org].

hmmmmm....

CARS (RFC793 [1]) are widely deployed and one of the most often used reliable end to end protocols for PEOPLE TRANSPORTATION. Yet when it was defined over 20 years ago the ROAD SYSTEM, as we know it, was a different place lacking many of the threats that are now common. Recently several rather serious threats have been detailed that can pose new methods for both denial of service and possibly data injection by blind attackers. This document details those threats and also proposes some small changes to the way CARS handle inbound segments that either eliminate the threats or at least minimize them to a more acceptable level.

I don't know if I'm for it or against it now...

Robert Barr?

You mean Robert Barr, the man from the Redundancy Van from the monopoly of Cizzzcoo-eeeee?

(If you don't get the joke, go check the openBSD website.)

Solution:

Read my last post [slashdot.org].

And in other news...

NetBEUI becomes a routable protocol... :P

Great timing

I was planning on migrating two legacy networks off of DECnet and NETBeui over to TCP/IP transports. Considering this, I might as well leave the older protocols in place. Besides being easier to contain at the firewall (drop all non-ip), they are so old as to not be patent encumbered. Plus the netbeui stack actually fits on a floppy, unlike the MS TCP stack, which only fits after massive pruning and compression.

New Protocol

It looks like it is time to switch to IPX or NetBEUI for the internet.

Did ANYONE RTFA???

Especially the part where Robert Barr says "any party will be able to obtain a license from Cisco to use any such patent claims under reasonable, non-discriminatory terms, with reciprocity, to implement and fully comply with the standard."

That sounds like to me that Cisco will not be charging a whole lot for this license, it will probably be one of those $1 license deals where once you have it, you have it in perpetuity.

If Cisco don't apply for a patent, someone else WILL and those barstards might end up charging so much for the method that it never becomes a standard.

I don't think Cisco's intent is to make the standard too expensive for it to become an actual standard in use.

Re:Did ANYONE RTFA???

Rather than guess, I asked Robert Barr himself if I could get a license for the Linux Kernel Project, and this is what he said:

Hi Nathan There is no patent and there is no standard, so it's a bit premature.

But if a patent does issue and a standard is approved, this is our policy

Cisco will not assert any patents owned or controlled by Cisco against any party for making, using, selling, importing or offering for sale a product that implements IETF RFCXXXX, provided, however that: Cisco retains the right to assert its patents (including the right to claim past royalties) against any party that asserts a patent it owns or controls (either directly or indirectly) against Cisco or any of Cisco's affiliates or successors in title; and Cisco retains the right to assert its patents against any product or portion thereof that is not necessary for compliance with RFC XXXX.

Royalty bearing licenses will also be available as an option.

Please let me know if you have any questions.

Robert Barr

Re:Did ANYONE RTFA???

Right. I checked the GPL and it does say that.

I got a response back from Robert, my stuff is in bold, his is the reply below:

> If I read this correctly (IANAL, obviously) the Linux Kernel project
> could go right ahead and use the methods that Cisco has applied patents
> for, however at any time after a Patent has been issued (IF it is
> issued - and I think its a fair bet its going to happen, the USPO seems
> to rubber stamp anything out of tech companies these days) Cisco could
> demand that the Linux Kernel project pay them whatever.

Not at all. That's not what it says, or what I mean to say. It says that
nobody has to pay anything, or even ask for a license, unless they want to
assert patents against Cisco. You don't read it that way?

Well, I'm not quite mollified by this. So I sent the following:


Okay, I get that point now, but is there anything stopping Cisco from asserting its patents just for the hell of it?

You say that Cisco will only assert its patent against someone who tries to assert a patent against Cisco, but what is stopping Cisco from just doing it anyway?

ie, the methods are integrated into the Linux Kernel TCP/IP stack and gain wide acceptance, and Cisco then sees value in trying to claim that all users of Linux need to pay Cisco a licensing fee of $200 per CPU to use the proprietary, patented methods included in Linux.

I know its far-fetched, but 3 years ago, anyone saying that SCO would try to claim ownership of Linux would be laughed at.

What agreement can open source projects enter into with Cisco to ensure that the above is legally impossible?

Lastly, the GPL states:

"Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all."

So, for any GPL software use Cisco's methods, Cisco will need to provide a guarantee that under the GPL, any future patent for these methods will be free for use by that GPL software.

Just taking your word for it that Cisco won't assert it's patent in the future isn't good enough :)



Now, I'll happily grant that my analysis if probably flawed, but I think I'm on the right track here ;)

Re:Did ANYONE RTFA???

Okay, I got this back:

On May 12, 2004, at 12:46 PM, Robert Barr wrote:

> Okay, I get that point now, but is there anything stopping Cisco from
> asserting its patents just for the hell of it?

Yes, my written statement above would stop us. I can turn it into a contract if that is necessary, but I don't think it is. Anybody who relies on that statement is protected, but I guess they should consult their own lawyer.

> You say that Cisco will only assert its patent against someone who
> tries to assert a patent against Cisco, but what is stopping
> Cisco from just doing it anyway?

see above.

> ie, the methods are integrated into the Linux Kernel TCP/IP stack and
> gain wide acceptance, and Cisco then sees value in trying to claim that
> all users of Linux need to pay Cisco a licensing fee of $200 per CPU to
> use the proprietary, patented methods included in Linux.
>
> I know its far-fetched, but 3 years ago, anyone saying that SCO would
> try to claim ownership of Linux would be laughed at.

SCO never made a statement like I did

> What agreement can open source projects enter into with Cisco to ensure
> that the above is legally impossible?

I'll execute an agreement with those terms if necessary

> Lastly, the GPL states:
>
> "Finally, any free program is threatened constantly by software
> patents. We wish to avoid the danger that redistributors of a free
> program will individually obtain patent licenses, in effect making the
> program proprietary. To prevent this, we have made it clear that any
> patent must be licensed for everyone's free use or not licensed at
> all."

Prof Eben Moglen says this about GPL, I think it applie

"Section 7 prohibits distribution under GPL if you cannot fulfill the requirements of the license because of other conditions *imposed* on you by, among other things, a judgment of patent infringement, interim measures short of judgment, such as a preliminary injunction, or contractual limitations such as non-disclosure agreements or patent licenses. But you are not unable to distribute under GPL unless those requirements have been *imposed*. Until a particular party distributing GPL'd code has either accepted a license whose requirements are incompatible with GPL or has been ordered by a court of competent jurisdiction to do or refrain from doing in a fashion incompatible with GPL, there is no direct conflict with the requirements of the license, and no requirement to refrain from distribution. With regard to patents, in particular, no one *ever* has an obligation to refrain from making, using or selling technology that *may* practice patent claims solely because someone somewhere has taken a patent, claims to have a patent, or even publishes a license. Only the demand that you in particular take a license or cease infringing triggers theoretical liability under US patent law. Whether there can be liability for damages for the period before such notification is another question, legitimately of importance to those who commercially distribute free software, but not ordinarily of significance to those who develop only, or who distribute non-commercially.

Moreover, patents are not global, only local. To say that we cannot *develop* under GPL because a patent exists in country X, and a license has been published there to which those making, using, or selling in country X *might* be asked to subscribe would go much too far. That situation certainly does not prevent development elsewhere, and distribution under GPL can certainly proceed."

***

> So, for any GPL software use Cisco's methods, Cisco will need to
> provide a guarantee that under the GPL, any future patent for these
> methods will be free for use by that GPL software.
>
> Just taking your word for it that Cisco won't assert it's patent in the
> future isn't goo

Re:Did ANYONE RTFA???

You do, of course, realize that if everyone who had an RFC that they charged a license fee for, the Internet would not exist at all?

The Internet was built off of the same philosophy as OSS. It's a bunch of people putting their heads together and throwing their ideas in the ring to make things better for all involved. What if all of these people clutched their ideas to their chest and said "This is MY piece and you have to pay me to use it"?

It doesn't matter whether or not Cisco would charge a small license fee for this new implementation. They are running against the philosophy that built the Internet in the first place. Standards must be open and free for the widest possible adaptation or you are looking at vendor lock-in ala Microsoft. In other words, to hell with Cisco.

I did RTFA and it looks like this is a proposed draft - It has not been ratified. Cisco is saying that if it is they've got the patents. What they're going to do with it I'd rather not find out. I'm willing to bet that most vendors won't follow the new recommendation to escape potential fees/lawsuits and instead go with another implemenation...Possibly their own. And that can't be a good thing.

Ambivalent about this

Boo to Cisco for applying for dodgy software patents.

Yay to Cisco for being honest and telling people about it from the get-go.

Nothing to see here

There's really nothing to be upset about. From the article:

In response, OpenBSD creator Theo de Raadt said, "The Cisco/IETF recommendations contain numerous problems and issues. They should not be followed. We have better fixes in OpenBSD. Other vendors should be looking at these." For example, as mentioned in our earlier article about TCP reset attacks, with the IETF's/Cisco's recommendations in place it would be possible for an attacker to use one host to potentially flood another.

Basically, the implementation that Cisco is trying to patent is also flawed. OpenBSD's implementation contains better fixes. Who cares if Cisco tries to patent a flawed fix that no one will end up using? Let them waste their money. Let's face it, this move is upsetting on principal but there's really nothing to see here ... move along.

Right, that's it!

The Cisco is banished from Bejor, never to return.
The prophets have spoken.

since the act of patenting is itself a process...

... why can't someone identify the "bugs" in the US patent process, identify one or more "improvements" to the buggy US patent process, and then apply for US patent on bug-fix to the patent process itself?

Cisco turning into junk, as is linksys.

For the record... I did some tests on linksys, dlink and netgear wireless access points and linksys was the worst. Netgear was actually the only one to function in all modes as advertised with perfect stability.

I'm not affiliated with any of the above companies. I just thought I'd mention that linksys is junk and owned by cisco. So maybe it's a family trait.

No more early access for Cisco

If they are going to attempt to patent fixes to security problems that they had early access to (i.e. they were notified about the problem prior to it being released to the public), that access should be stripped. The idea of early access is to cooperate and fix problems as fast as possible. Patenting a solution is not cooperation, so Cisco should lose their access.

BTW: one poster said "don't get excited, they'll do a reasonable and non-discriminitory license". That's nice, but it is useless for GPL software (unless they release an implementation under the GPL) and a trap for BSD licensed software (you can end up with code that says you can use it but you can't because of the patent).

My new pending patent...

I now have pending: a patent on "doing stuff".

This is fair warning, go ahead and purchase your licenses for any activities that you may "do" in the future, available seperately or in bulk now to avoid future infringement prosecution by the Doing Stuff Alliance (DSA).

Don't get so worked up

Did any of you bother to read his email? He states "any claims of any Cisco patents are necessary for practicing the standard, any party will be able to obtain a license from Cisco to use any such patent claims."

NOT AN IETF RECOMMENDATION

It is just an Internet-Draft (ID), that has been submitted for IETF approval. The IETF haven't reviewed it yet, nor taken a position on whether it should be a standard or not.

I could submit a ID for a protocol for standing on my head. That doesn't mean it is an IETF recommendation or that it will be.

With all the FUD being expressed by people who don't know much (anything?) about the IETF and its processes, maybe the next higher level after RTFA should be GAFC (Get A F**king Clue).

More from Theo and Company

...as Tony says, in the BSD thread, in partial reply to Theo:

QUOTE
What's very amusing is reading section 5 of the draft, wherein the author distributes credit to a number of parties. If Cisco were to file a patent at this point and not include those parties (including other companies), the patent validity would be at risk by reason of excluding a contributor. If Cisco does include all of those other companies in the patent, then all of them must also present the IETF with relevant IPR statements.
Frankly, this is yet another PR blunder by Cisco. If they had simply said nothing or formally put their contribution into the public domain, they wouldn't look so egregiously greedy.
ENDQUOTE

From the 10EAST archive [theaimsgroup.com], as quoted in kerneltrap...Theo has some choice comments about the US Patent System and the IETF, too.

IOW, yet again, Cisco trying to cash in on Open Source, in order to desperately prop up their miserable recent record of development, innovation and security, as well as theft from the Open Source Community, in order to keep their stock price up and keep from being listed on F'd Co., where they belong.

well, the IETF will have to pick new protocols

you can't have a patent on a base RFC protocol on the internet, unless it's public domain, used to keep somebody from hijacking the technology. if cisco is filing, then the IETF has to open the process once again. just that simple.

I have a solution. Seriously.

The US needs to ditch its one year grace period. As it stands, any prior art found within a year before a patent application's filing date can be swore behind. Basically it's a way an inventor can say "I invented my invention up to a year before I filed the application." The problem is that a lot of developments, especially in software, happen within a short time frame. So if Cisco files an application on 12/31/2004, they basically can claim that any disclosures, such as newsgroup discussions, open source versions, etc that happened between 12/31/2003 and their filing date do not bar their application.

Europe on the other hand (well, the PCT) has no grace period. Once the invention is disclosed, your rights are out the window. Adopting a policy like this would make it much harder for companies to troll newsgroups/web/discussion boards, get ideas, and file an application based on an implementation. It's not a total solution, but it would be a good start.

As someone that was trying to invalidate an obvious patent filed on date X for a client, let me tell you that finding stuff on the web published over 1 year beforehand was a bitch. Plenty of stuff in the 6 month range, but the web wasn't full blown back in mid 90's like it is now...

-truth

There may be method to this madness

It appears that Mr. Barr at least feels he has a good reason for applying for the patent. If you read the statement he made before the FTC during their hearing on "Competition and Intellectual Property Law and Policy in the Knowledge-Based Economy" he argues against the current patent system. However, he also explains why Cisco, under his direction, applies for so many patents:

"It makes more business sense to assume that, despite the fact that we do not copy other company's products, and despite the fact that we do not derive solutions to problems from the patent literature, we will be accused of patent infringement. The only practical response to this problem of unintentional and sometimes unavoidable patent infringement is to file hundreds of patents each year ourselves, so that we can have something to bring to the table in cross-licensing negotiations. In other words, the only rational response to the large number of patents in our field is to contribute to it."

He goes on to make some very interesting arguments saying...

"The patent system does not exist to protect the rights of inventors, or any particular interest group. It doesn't exist to protect what we now call "intellectual property", as if it were protectable for its own sake. The patent system exists to protect the progress of science and the useful arts. If the patent system fails to do that in certain areas, then the costs and negative effects of the patent monopoly cannot be justified. Where the patent system enables true innovation, true progress, where it enables companies to bring new products to consumers in circumstances where they otherwise would not do it, or where it disseminates knowledge that others need and want, then it's working."

So, Cisco appears to be doing this as a matter to protect their own ability to use this fix, not to prevent other from using it. That would seem to fit with his explanation posted earlier...

"That's not what it says, or what I mean to say. It says that nobody has to pay anything, or even ask for a license, unless they want to assert patents against Cisco."

You can read Mr. Barr's full statement before the FTC online (ironically enough) at
Freedom for a Free Information Infrastucture [ffii.org]

If it's a patent, then it's an implementation

Well, the way I see it, they're essentially patenting an implementation of TCP. Surely the open-source community can implement a functionally equal TCP? As far as I know, this wouldn't violate the patent.

Is this correct?

Either way... yeah, that's a real friendly thing to do. Way to go.

no widespread use

If it's patented by Cisco it will only be used by cisco, so what good is it? Remember that the BSD TCP stack made TCP popular, and Novell who had their own protocols IPX/SPX lost to TCP/IP.

What about SCTP [sctp.org]? Isn't it a good replacement for TCP?

IPSec

As recent events have shown trying to secure TCP is not quite so easy, and using TLS/SSL inherits some of TCPs problems. It may also not be the best choice to do it on that layer because every application has to implement (via OpenSSL or else) the whole thing and there are a lot of things to be done wrong (have you tried to use OpenSSL? Its not that easy and there are pitfalls).

The best way to deal with the whole situation is to use IPSec. The operating system deals with this for you, and as user _or_ developer you dont't have to deal with it, at least not much.

Of course IPSec needs a working public key infrastructure (PKI), but there is no way around that anyway - at least not on the long run.

I'm also quite sure a working PKI involves Registrars and the DNS. The Registrars are the one instance that can identify an owner of a domain without doubt, because they registered it for them in the first place. And once the DNS has been fixed (this, too, involves a PKI) there is a good way of fetching the public key for a domain.

The fact alone that TLS is broken in respect to name-based virtual hosts is a good sign that it has to go away. IPv6 is still nowhere near our doorstep and wasting precious IPv4-space for virtual domains because of TLS is plain stupid.

But just one second

The recent "vulnerability" in TCP was not a vulnerability at all -- it was a fault in most implementations of the TCP stack (including the one in Cisco's IOS).

TCP isn't broken. It's just the implementations that are. When a RST is received in the SYN-SENT state, both the sequence number and the acknowledgement number should be tested for validity (ACK field must acknowledge the SYN). Most TCP stacks totally ignore this, some re-use SEQ numbers frequently making it easy to guess the window's position. The hole can be closed with decent validation.

I'm much more for an elegant solution to this, rather than a brainless "hurl encryption at it!" plan which doesn't sound particularly future-proof. There are already reserved fields in TCP which could be adopted to provide better validation of packets to those systems that require more certainty of the legitimacy of a RST. Perhaps we should be using those instead, at least that way we don't have to re-jig the whole thing.

This is particularly ironic...

... since back when cisco started building hardware, when SNA and DECnet were at the core of most commercial networks, the only way they got a foot in the door was because they had access to unencumbered technology.

It's also the case that the bright people who've come up with the real innovations - like Radia and Yakov - tend to do so regardless of who their current employer happens to be.

Yet another case of pulling up the rope once you've reached the top of the tree...

Sure, why not

Lets give total control of the entire internet and all communications between devices to one company.

That makes sence to me.

This is simply wrong...

.... and I don't mean the report, I mean that the IETF can publish something, and then Cisco can come along and patent something first published by the IETF. If I have understood correctly, this is the biggest abuse ever of the patent system. It would have to be thrown out under UK law, so I guess we will be free to use it here.

It would do everyone a big favour if an impartial body lkie the IETF were to automatically file patent applications for everything they publish, then issue a free licence to everyone. The cost of the patents could be funded by levying a small charge on each ISP, via their upstream provider, and/or from domain name registrars, per user it would be utterly negligible and impossible to collect.

Until, of course, Dubya is kicked out (I mean properly non-elected, not like last time) and the new incumbent reforms the USPTO, then this sort of thing should not happen again.

How long before it's reverse engineered?

If Comapq could reverse-engineer IBM's BIOS and AMD could do the same to Intel's CPU, how long will it be before someone does the same to this 'secure TCP' that Cisco is seeking to patent? Of course a closed-source TCP stack would mean that anyone with a mixed equipment and/or a mixed OS environment would have to decline Cisco's TCP implementation or go with another vendor. These Patents will only server to take companies down, not protect profits and stock prices. Once again, the buisness world has forgotten that only the strong survive, and the weak can mearly throw up roadblocks.

Doesn't that mean that CISCO is breaking copyright

From the Working Draft:

Copyright (C) The Internet Society (2004). All Rights Reserved.

Seems to me that by patenting something someone else copyrighted, that CISCO is breaking the law?