Cisco Patents NAT RFC? 158
rageout noted that
Cisco seems to have filed
patent US5793763, which looks remarkably like
RFC 1631 (the RFC that defines NAT).
This came from this story on freebsddiary.
Let's organize this thing and take all the fun out of it.
Slashdot patents 1-Click shopping! (Score:2)
</sarcasm>
Mike
"I would kill everyone in this room for a drop of sweet beer."
Boycott? (Score:1)
Or will this be ignored because the boycott would actually inconvenience you?
Re:Prior Art here (Score:3)
your post (SEWilco) (Score:1)
Re:This could do a lot of good (Score:1)
NAT translates internal address into one external address just like masquerading does. (trust me. i'm using it now).
Re:Read the actual patent (Score:1)
Re:You mean I have to ask my DSL ISP for more IPs? (Score:1)
Users should read the related material before posting...
--
Re:This could do a lot of good (Score:1)
Re:Prior Art here (Score:1)
Bill - aka taniwha
--
Re:Lets see what a REAL lawyer says.... (Score:1)
Re:This could do a lot of good (Score:3)
Jeremy
Re:THEY ARE NOT PATENTING NAT (Score:2)
My reccomendation, try to make a freind or two in either the PR or Marketing (yes, I'm serious) departments, as well as maintain a list of engineers or other geeks you could contact for comment on short notice. If you can't get any information out of them, let them know you're running a story and will state that they have no comment@this time. My bet is you'll either get a response PDQ or you'll have people from the companies actually posting rebuttals/comments back to your users.
Just a small suggestion. For the AC above, it's funny that you verbally rape Taco for posting something inflammatory.
Re:Lets see what a REAL lawyer says.... (Score:1)
Raise your hand if you know IOS!!! (Score:1)
I read the patent application. I read the posted comments. I noted that this has been in effect for TWO YEARS NOW without a worry. And I spend 10 hours a day, 5 days a week inside a Cisco router.
The only thing that this patent is doing is allowing Static NAT with NAT pools OR one-to-many NAT a la masquerading to be used without compromising the effectiveness of a firewall; most likely in this case Cisco's Access List filters. What they're doing is patenting a method of applying filters based on internal network addresses from external hosts and not blowing A) System Integrity or B) Efficiency out of the water. And what it does it does very very well. The basic/standard Linux firewall and routing routines currently released - no, I'm not talking about the 2.4.0-test series - can only just barely keep up with what a Cisco 2500 with 4 megs of ram can do with a pair of T-1s and a large network behind it.
Believe me. If we haven't seen it yet, we're not going to. That's because they're NOT PATENTING NAT.
Re:More patent problems.... (Score:2)
RFC 1631 references Cisco (Score:1)
The first paragraph of the Introduction section in RFC 1631 is:
if you look up the reference [2] at the bottom of the RFC, you will see:
note that this RFC (1631) references RFC 1519 [cmu.edu] (Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy) which includes personnel from Cisco Systems, Inc. (Tony Li). RFC 1519 was written in 1993.
further note that RFC 1519 itself references RFC 1518 [cmu.edu] whose authors are from IBM and from Cisco.
Cisco obviously has prior work in this area well before RFC 1631. Cisco employee Tony Li contributed to the two RFCs on which RFC 1631 are based.
Re:This could do a lot of good (Score:2)
IIRC patent issues are already causing problems with the adoption of IPv6.
Re:Offtopic but interesting (Score:2)
Re:Read the actual patent (Score:1)
Stefan.
It takes a lot of brains to enjoy satire, humor and wit-
Re:The patent does reference RFC 1631 (Score:2)
But you can patent a device consisting of any computer running any software that -implements- the algorithm... d'oh.
Also you "can't" patent an idea that is 'obvious to someone versed in the art' according to the laws, but the patent office seems to interpret this as 'if it isn't obvious to -everyone- who has ever used a computer that in must be non-obvious to -someone- so it's patentable'
So, yes, in the end, you might as well be able to patent obvious algorithms, given the current interpretations, since the 'protections' are worked around with technicalities. But technically you can't. So you just have to say it differently. D'oh.
Anyway, the person you were replying to knows all this, s/he was being ironic.
--Parity
NAT Pool (Score:2)
NAT? Not exactally. (Score:2)
However, it irks me that something like this can even be patented at all. This is a fairly simple concept that I am sure many a network tech have considered at one point or another. Its implementation would be fairly simple in a Linux box with a couple of NICs.
It really makes me feel that patents are starting to cause more conflicts than they solve. The patent system either needs some reform, or to be dissolved and replaced by something that fits the times.
Re:This could do a lot of good (Score:2)
Actually most companies I know of don't use NAT at all, just proxies.
IBM hold a lot of patents, (Score:2)
I'm off now to write them a polite email
Dave
'Round the firewall,
Out the modem,
Through the router,
Down the wire,
New linux Kernels (Score:1)
Re:IBM hold a lot of patents, (Score:1)
Re:Um, NOT IBM! (Score:1)
Possibly because the luser that submitted the story saw ibm in the URL (something like www.patents.ibm.com) and made an ASS out of U and ME.
Eric
Re:More patent problems... (Score:3)
Once again, we run into that old problem: you can't manage what you don't understand. If the subject matter is difficult enough to understand, a naive manager won't be able to tell which "experts" are real and which are totally off base. In the experiences I'm familiar with, credentials don't seem to help much -- in either the high level strategic decisions or the lower level technical ones.
Maybe I'm a pessimist, but I don't expect the problems at the PTO to be solved without a near-total replacement of their structure.
Isn't nessecairly "Filed" anymore... (Score:1)
Re:The patent does reference RFC 1631 (Score:1)
fine... that's a patent I can live with.
Re:Prior art kills this patent (Score:1)
STANDARDS BODIES DO NOT PRECLUDE PATENTS (Score:1)
For the IETF, IPR handling is outlined quite clearly in RFC 2026 [ietf.org], section 10.
In short, patents are allowed, as long as they are licensed on non-discriminitory terms. Most standards bodies have similar stipulations.
Re:Prior Art here (Score:1)
Can you provide any documentation for this claim? I'm assuming from your comment that there is some contract somplace that must be signed before releasing an RFC, and that contract specifies that RFC's are in the "public domain" (whatever that means).
Clearly, there are some copyright issues involved with the release of an RFC -- I'm assuming that since RFC's get copied so freely, there is some type of license that allows copying under certain circumstances. But I am intrigued by the idea that in addition to copyright issues, there is some type of patent issue involved.
Like I say, please provide some references to this "public domain" idea. Thanks.
what is next? Internet SCSI patent? (Score:1)
Re:PRIOR ART - Linux IP masquerade predates NAT RF (Score:1)
Re:This could do a lot of good (Score:1)
More patent problems.... (Score:1)
Re:This could do a lot of good (Score:1)
IIRC patent issues are already causing problems with the adoption of IPv6.
I didn't know that, but I expected something like this - it is a logical consequence of current approach to patent law in the US. The problem is: how far will it get?
Hey, good reading skills (Score:3)
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
Can I patent wire? (Score:1)
What a bunch of tightass moderators. (Score:1)
I know, I know, this is offtopic too. Screw it.
EMUSE.NET [emuse.net]
Re:Read the actual patent (Score:5)
'A method wherein: if someone on the intranet sends out a packet, we translate their address to one that the internet accepts, and remember who they are. If a packet comes back for that exact translated address, and we haven't timed out the connection yet, then pass it through to the appropriate intranet host.'
If that isn't a patent on 'NAT implemented as device consisting of software on a computer' I don't know what is.
Please remember that each -claim- stands on its own as separate invention, put together in one patent for convenience and relatedness, but Cisco is claiming claim 1 all by itself as an invention regardless of other complexities in the claims.
Real text for reference, but it's more readable on the database page:
1. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network, the method comprising the following steps:
identifying a global IP destination address on an inbound packet arriving at the private network;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address, which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period, determining whether the inbound packet meets defined security criteria;
if the inbound packet meets said security criteria, replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed; and
forwarding the inbound packet to the particular local host to which the inbound packet was addressed.
--Parity
Re:You mean I have to ask my DSL ISP for more IPs? (Score:2)
EMUSE.NET [emuse.net]
Re:This could do a lot of good (Score:2)
(5 load balanced Web servers dedicated to pages
3 load balanced Web servers dedicated to images
1 SQL server
1 NFS Server)
--
Prior Art here (Score:3)
Re:Isn't nessecairly "Filed" anymore... (Score:1)
Re:$10 says (Score:2)
Pay up. I noticed the change at 1132 AM EDT. Send money order to ... dont_mail@me.com!
Eric
RFC is 1631 stated prior art. (Score:1)
Then it should be easy as hell to challenge (Score:1)
Re:More patent problems... (Score:2)
I see no reason to involve the Office of the Vice President of the United States.
Offtopic but interesting (Score:2)
Just found this one out yesterday.
If you've got a Windows 2000 machine running DHCP and it can't find a DHCP server, it just makes up a number, and then pings to see if anyone else is using it. It's an interesting idea for people who just bought a use-at-home hub without a server or any networking knowledge.
The wierd thing is that instead of using a 10. or 192.168. address from RFC 1918, they actually bought a class B subnet at 169.254. aren't using it on the internet(try tracerouting to an address), and assign a random number from that subnet when you don't get a response from a DCHP server.
Why? I don't get it? Any conspiracy theories?
Re:Prior Art here (Score:2)
Bill - aka taniwha
--
Re:Prior Art here (Score:2)
Yep, all publications (released to the public, e.g., not an internal company memo) count as prior art. In the U.S., however, an inventor does have a 1-year grace period after publication in which he can still file for a patent. (Irrelevant in this particular case, since the RFC was published in May '94 and the application was filed in Nov. '95.) Most countries don't have this grace period, and publication even one day before filing will invalidate the patent (at least in theory).
Cisco, the monopoly of routers. (Score:2)
Re:IBM hold a lot of patents, (Score:3)
1. IBM didn't apply for the patent. Cisco did.
2. It's not a patent on NAT, it is a patent on a Security system on NAT.
I get the feeling that some troll is cracking up after submitting this story.
Re:The patent does reference RFC 1631 (Score:3)
NAT devices just have to use different NAT security devices or license the patented security device. Unless there's only one way to perform the "security check" (ie, TCP sequence number or port number), in which case it's obvious to any expert and not patentable.
Re:Read the actual patent (Score:3)
This sounds like NAT + firewall even in claim #1.
Hal Duston
hald@sound.net
Warning! (Score:2)
At least when I mod, I try to do a good job at it
Oops! (Score:2)
'Round the firewall,
Out the modem,
Through the router,
Down the wire,
Re:This could do a lot of good (Score:3)
Also, what about load balancing?? Load Balancing devices (HydraWEB, F5 BigIP, Cisco LocalDirector, etc.) rely on NAT to make multiple web servers look like one. I'm pretty sure Slashdot has a load balancing pool... it would be pretty expensive to buy a single webserver that could handle the load Slashdot deals with.
"Evil beware: I'm armed to the teeth and packing a hampster!"
Lets see what a REAL lawyer says.... (Score:5)
From: Darren Reed
To: ipfilter@coombs.anu.edu.au
Subject: Those turds over at (1$(0.
Someone has unfortunately brought to my attention the fact that certain
parts of NAT have been patented by the company which lovingly likes to
think it "runs the internet" (puke, spew, vomit). #5793763 patents a
complete implementation of what is essentially described in RFC 1631.
The patent was filed a whole 8 days prior to the first public release
(beta) of IPFilter with NAT.
If anyone can provide a legal opinion on whether or not that particular
patent would stand up in court, please let me know. That's legal opinions,
not personal opinions (they're dime a dozen). I'd be especially interested
to know of there are other NAT implemtenations which date back to prior to
that patent being filed and how complete they are/were.
And the non-legal reply:
From: Nigel Dyson-Hudson
To: ipfilter@coombs.anu.edu.au
Subject: Re: Those turds over at (1$(0.
folks,
Apparently you can not patent material from working with a standards body.
Dell was smacked down on this in 1996. You might want to look at what is
happening with RAMBUS memory, www.tomshardware.com has a number of
articles, since RAMBUS was a member of JEDC and has patented stuff from
those meetings.
So, if said company was anywhere near the RFC process, they would be trying
to patent stuff from an open standards body.
Re:Lets see what a REAL lawyer says.... (Score:2)
PRIOR ART - Linux IP masquerade predates NAT RFC! (Score:3)
Then there is also the BSD netfilter which maybe precedes this work.
Please correct me if I am wrong.
Re:Oops! (Score:2)
'Round the firewall,
Out the modem,
Through the router,
Down the wire,
Re:RFC is 1631 stated prior art. (Score:2)
FYI.. simply showing prior art once a patent is granted is not always enough to overturn it.
Showing that the patent application KNEW about prior art and did not disclose it IS a good way to turn it over.
Cisco isnt' saying they invented NAT. They are patenting a security mechanism used for inbound NAT connections, that appears to deal with stateful inspection.
Re:Read the actual patent (Score:2)
Re:Cisco, the monopoly of routers. (Score:2)
Re:Offtopic but interesting (Score:2)
169.254.0.0/16 has been ear-marked as the IP range to use for end node
auto-configuration when a DHCP server may not be found. As such, network
operations and administrators should be VERY aggressive in ensuring that
neither route advertisements nor packet forwarding should occur across
any media boundaries. This is true for the Internet as well as any
private networks that use the IP protocols. End node administrators
should be aware that some vendors will auto-configure and add this
prefix to the nodes forwarding table. This will cause problems with
sites that run router discovery or deprecated routing protocols such as
RIP.
Re:Lets see what a REAL lawyer says.... (Score:2)
Some standards bodies will consider a patented algorithm for the standard, as long as the company is willing to make the patents available for everyone's use for a reasonable royalty. Not to defend Fraunhofer, but their royalty charges probably are reasonable to an old-school closed company, which would presumably rake in enough money per mp3 encoder (IIRC, only encoding is patented, decoding is not) to pay for the patent license. Of course, the royalties just aren't workable for freely-distributable software which normally has little-to-no revenue.
Now waiting until it became the widespread standard to enforce the patent and extract royalties - that does seem indefensible (albeit probably legal) to me. In effect, Fraunhofer artificially sweetened the allure of the mp3 format for encoder writers (both pay and free), just to get them hooked. Perhaps the ISO should adopt some rules so that you can't arbitrarily raise royalties or expand patent enforcement significantly above the rates set when the standard was enacted?
Re:Read the actual patent (Score:2)
A careful reading of the patent reveals that it is not NAT itself that is being patented; rather a security add-on algorithm to the existing NAT system that disallows dangerous packets.
What it actually sounds like is a patent on masquerading with a pool of possable outbound addresses rather than a single address.
Re:THEY ARE NOT PATENTING NAT (Score:2)
And Cisco aren't patenting NAT, infact they even reference the RFC in their application.
Cisco patents everything (Score:2)
Cisco would patent the IP address if they could. Also, Cisco is great at taking work done by others. It seems that very little "innovation" comes out of Cisco. Cisco must buy all of their innovation and spend all their time porting it to IOS.
Re:This could do a lot of good (Score:2)
It's all true! ±5%
Re:Hey, good reading skills (Score:2)
This could do a lot of good (Score:3)
The real reasion we have NAT at the moment is due to the limits of IPv4 addresses which causes many people, including many companies, to masqurade their private networks. If all of a sudden people have to pay vast sums of money to do this there will be an incredable amount of pressure to move to IPv6.
IMHO anything that speeds the uptake of IPv6 is a very good thing.
Prior art kills this patent (Score:4)
SLiRP also did TIA-like things. IIRC, it was release the summer of 1995. So there's an OPEN SOURCE release prior to CISCO's patent being filed. I don't know if it predates their internal first use, which may be a wash here.
I'd be happy to testify to these facts in a court of law, should it come to that, assuming that I can convince the folks that bought Cyberspace Developement to allow me to do so.
Warner Losh
Re:Looks like Checkpoint Firewall-1 (Score:2)
A few years ago, Cisco bought a company called Network Translation, which had one product: the now-famous PIX. This was a very interesting box, with a custom OS-9-like operating system, and was legitimately, so far as I know, the first implementation of any kind of network address translation. I know Network Translation had some patents pending back years ago, we may just be seing these now. If so, they have a legitimate claim, since I was following NAT pretty closely back then (this was the time leading up to the "we're running out of IP addresses!" paranoia), and there was *no one* else doing NAT at that time. Cisco watched, and then, wisely, bought them.
I doubt they could enforce the patent, due to the later IETF work (we were in the RFC 1200-1300 range when I was looking at this stuff), but having the patent issue may be entirely appropriate, even if it is for the basic concept of NAT.
The patent cites RFCs 1597 & 1631 (Score:3)
Re:The patent does reference RFC 1631 (Score:2)
ipchains / ipfilter aren't "patent pending". :)
Actually, after reading the request, it sounds like they're trying to patent the use of NAT for security. They're not doing anything special, they've no special formula, they're just describing the "use" of ipfwadm that's been on my 486 DX4/120 with a modem since I bought it with the exact purpose of providing security and connection sharing about 4 years ago.
Hey, maybe I should file a patent for "connection sharing through NAT"...
Lets break down the patents abstract. (Score:2)
That is RFC1631 in a nutshell
[i]Packets arriving from the Internet are screened by an adaptive security algorithm.[/i]
Ok, I'm interested now. Explain.
[i]According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.[/i]
Uhm, NAT does this already. This description of Cisco's 'NAT' is inherent in the design of traditional RFC1631 NAT. If a packet is going to an internal computer, where the internal computer did not initiate the connection, then drop it, otherwise let it through. Exceptions are made where the NAT proxy cannot determine if a connection was initiated (like DNS or ICMP).
Can you say 'Prior Art'? I knew you could.....
Read the actual patent (Score:5)
The way I understood it, it would prevent a malicious external traffic source from sneaking their evil packets past the NAT using the source/destination port numbers that the NAT was sending out on its outbound packets. So FTP packets get through only if an internal host initiated an FTP session, DNS packets get through, certain ICMP packets, etc.
Re:THEY ARE NOT PATENTING NAT (but Lucent is?) (Score:4)
Re:You mean I have to ask my DSL ISP for more IPs? (Score:2)
--
Re:Read the actual patent (Score:3)
So, what, you can have NAT without violating the patent iff you don't sanity check incoming packets? Nobody's going to do that. If that's the only way to implement NAT without violating the patent, it's not going to happen - it's just not sane to let arbitrary packets into your intranet.
Now, if you're a big company... or even a medium company... you can just separate your packet-filtering firewall and your NAT router into separate physical devices and call it a 'configuration' and not a NAT with filtering at all, but for a homenet or a very small company, you may not be able to afford the space/electricity/hardware to have two devices where one would do.
In otherwords, it doesn't sound like NAT+firewall to me, it sounds like NAT implemented with some nod towards security.
Even if the patent doesn't describe the NAT rfc, and some particularly stupid NAT routers, it certainly describes a linux kernel with IP_MASQ and the the various ip_masq_* service modules.
--Parity
Re:Prior Art here (Score:3)
Besides, the RFC clearly states that the writers worked for Cray Communications and NTT.
--
Re:Read the actual patent (Score:2)
You are probably right that it's not the NAT itself, but still we (or rather - you out there in the US) are moving in a bad direction. Internet - AFAIK - was built upon the idea that protocols are public property, open for everyone to read, implement and use. Imagine where would we be now if all the "founding fathers" of the Net filed patents instead of writing RFCs?
In my opinion this is just another example that the concept of copyright and intellectual property as defined by current US laws is simply wrong and doesn't fit into our networked world. It's a pity that now US wants to force its patent laws also in the EU.
Then explain this crud (Score:3)
Re:Offtopic but interesting (Score:4)
The Difference (Score:3)
But it doesn't seem like this combination is anything to write home about.
--
More complicated (Score:2)
I'm not real good at lawyer-speak though
The patent does reference RFC 1631 (Score:5)
Looks like Checkpoint Firewall-1 (Score:3)
However, Checkpoint's Firewall-1 product has been doing this for years now- even before Cisco bought the PIX and started adding firewall features (the PIX initially was just a NAT device). It wouldn't surprise me one bit to find out that other vendors (including IPChains) have been doing this for a while either.
Of course with the patent office being apparently run buy a bunch of idiots, it wouldn't surprise me one bit that this gets through.
Nothing to see here, move along... (Score:2)
Frankly, if this patent is going to be filed and granted, i'm much happier to see that it's in the hands of a company that so far sees to have filed it as a means of protection rather than a means of harrassment.
Now, if they start going after other router manufacturers, maybe it'll be time to get up in arms. But overall, this is old news, and in almost 2 years they've yet to pull any manueering with this patent...
Re:The patent does reference RFC 1631 (Score:2)
Adaptive Security Algorithm is on the PIX Firewall (Score:3)
And someone _just_ noticed this??? (Score:2)
Issued/Filed Dates: Aug. 11, 1998 / Nov. 3, 1995
Alert Ted Koppel!
$10 says (Score:2)
The patent seems to be on a security mechanism. (Score:5)
The patent then, only applies to a version of NAT that uses an adaptive security algorithm.
Anything less than this would definately hit the prior art. And it's quite likely that even this will hit the prior art bin too.
From the Patent:
Packets arriving from the Internet are screened by an adaptive security algorithm
From the RFC:
Unfortunately, NAT reduces the number of options for providing security. With NAT, nothing that carries an IP address or information derived from an IP address (such as the TCP-header checksum) can be encrypted. While most application-level encryption should be ok, this prevents encryption of the TCP header.
The background acknowledges the RFCs (Score:2)
I would have paid to watch the Patent Officer's eyes glaze over as he read it though.
Re:not cool at all (Score:2)