Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Patents

Cisco Patents NAT RFC? 158

rageout noted that Cisco seems to have filed patent US5793763, which looks remarkably like RFC 1631 (the RFC that defines NAT). This came from this story on freebsddiary.
This discussion has been archived. No new comments can be posted.

IBM Patents NAT RFC?

Comments Filter:
  • I was at slashdot the other day and they were talking about a patent on clicking on things to buy stuff online! Slashdot's patentening online shopping! Those bastards!

    &lt/sarcasm&gt

    Mike

    "I would kill everyone in this room for a drop of sweet beer."
  • From previous history applying for bad patents earns a boycott from a lot of people who read slashdot. Is everybody going to boycott cisco now, perhaps refuse to use the internet till cisco kills the patent (you may personally decide not to use cisco products, but any data you send out will surely pass through evil cisco products)?

    Or will this be ignored because the boycott would actually inconvenience you?

  • by mindstrm ( 20013 ) on Wednesday September 20, 2000 @05:27AM (#766043)
    Well... it's prior art unless Cisco wrote the RFC, which I believe they did.
  • I'm sorry, I have to give you credit. I've "borrowed" your post and taken it elsewhere. It's so Beautiful. http://forumsa.nytimes.com/webin/WebX?14@150.I5sTa mR5aIz^446514@.f0d28a2/86152
  • no no no.

    NAT translates internal address into one external address just like masquerading does. (trust me. i'm using it now).
  • I didn't know Al Gore wrote RFC's
  • Cisco, not IBM.

    Users should read the related material before posting...

    --
  • I'm not terribly familiar with other implementations so I won't speak of those; but in the case of Linux, you're wrong. The NAT that linux 2.2+ does behaves as stated. See the iproute2 IP Command Reference [freedom.org] (the link is to the NAT section).

  • Ahh, thanks! Serves me right for learning about patents in Australia :)

    Bill - aka taniwha
    --

  • I have seen licencing agreements where the royalties are a percentage of the unit cost. In the case an opensource project, whatever percentage of zero they claim the amount is always $0.
  • by jallen02 ( 124384 ) on Wednesday September 20, 2000 @07:23AM (#766051) Homepage Journal
    I suppose that would be the case if they were patenting NAT, but they are just patenting a security measure for NAT..... heh read the patent not just what /. posts

    Jeremy
  • by Anonymous Coward
    That's one way of saying something. I'd like to calmly suggest to Taco (And any other authors who post these stories) that you my want to contact the companies involved before posting these things, to get somewhat of a balanced view, and also give the companies a fighting chance to defend themselves. I'd be willing to bet that any "scoop" time you lose (and really who would /. lose it to?) you would make up for in added discussion.

    My reccomendation, try to make a freind or two in either the PR or Marketing (yes, I'm serious) departments, as well as maintain a list of engineers or other geeks you could contact for comment on short notice. If you can't get any information out of them, let them know you're running a story and will state that they have no comment@this time. My bet is you'll either get a response PDQ or you'll have people from the companies actually posting rebuttals/comments back to your users.

    Just a small suggestion. For the AC above, it's funny that you verbally rape Taco for posting something inflammatory.
  • by Anonymous Coward
    as the verifiable AC that i am, i state unequivalableable that i was using NAT two years prior to the time i knew what NAT was. !
  • Okay.

    I read the patent application. I read the posted comments. I noted that this has been in effect for TWO YEARS NOW without a worry. And I spend 10 hours a day, 5 days a week inside a Cisco router.

    The only thing that this patent is doing is allowing Static NAT with NAT pools OR one-to-many NAT a la masquerading to be used without compromising the effectiveness of a firewall; most likely in this case Cisco's Access List filters. What they're doing is patenting a method of applying filters based on internal network addresses from external hosts and not blowing A) System Integrity or B) Efficiency out of the water. And what it does it does very very well. The basic/standard Linux firewall and routing routines currently released - no, I'm not talking about the 2.4.0-test series - can only just barely keep up with what a Cisco 2500 with 4 megs of ram can do with a pair of T-1s and a large network behind it.

    Believe me. If we haven't seen it yet, we're not going to. That's because they're NOT PATENTING NAT.
  • The patent office is currently mostly filled with mechanical engineers, and chemists and chemical engineerers, which reflect the bulk of the patents that were filed prior to computers. They have not had any opportunity to hire those with significant computer skills (as the application of law towards computers is a very new area), and thus we get things that shouldn't be patented in the first place.


  • The first paragraph of the Introduction section in RFC 1631 is:

    "... Long-term and short-term solutions to these problems are being developed. The short-term solution is CIDR (Classless InterDomain Routing) [2]. The long-term solutions consist of various proposals for new internet protocols with larger addresses. "

    if you look up the reference [2] at the bottom of the RFC, you will see:

    REFERENCES

    [1] Karn, P., "KA9Q", anonymous FTP from ucsd.edu (hamradio/packet/ka9q/docs).
    [2] Fuller, V., Li, T., and J. Yu, "Classless Inter-Domain Routing (CIDR) an Address Assignment and Aggregation Strategy", RFC 1519, BARRNet, cisco, Merit, OARnet, September 1993.

    note that this RFC (1631) references RFC 1519 [cmu.edu] (Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy) which includes personnel from Cisco Systems, Inc. (Tony Li). RFC 1519 was written in 1993.

    further note that RFC 1519 itself references RFC 1518 [cmu.edu] whose authors are from IBM and from Cisco.

    Cisco obviously has prior work in this area well before RFC 1631. Cisco employee Tony Li contributed to the two RFCs on which RFC 1631 are based.

  • Unless Cisco (or Microsoft) patents IPv6 or at least one important aspect of it (like method of constructing datagrams from optional headers).

    IIRC patent issues are already causing problems with the adoption of IPv6.
  • Actually, link-local IP addresses can be used for a variety of purposes. For example, say we're in a wireless environment where we wish to configure a device using DHCP. In such an environment, we may not have the ability to broadcast messages to the wireless device (due to limitations at layer 2). So it becomes necessary to provide a valid temporary layer 3 address before requesting configuration parameters from the network.
  • As many have said before me in response to other reactions with In other words, it's not a patent on NAT in it: read the claims. They are the things to be patented, with the blurb in front no more than a global summary of the whole. Pay particular attention to cliims 1, 2 and 3, where the words "encryption" and "decryption" are conspicuous by absence. Claim no 1. is a pretty good description of general NAT, unless English has been severely altered in meaning overnight.

    Stefan.
    It takes a lot of brains to enjoy satire, humor and wit-

  • Uhm, no, technically you can't, and to be fair the original XOR-cursor patent was for blinking-block-cursors so that the letter under them would always be the inverse of the current cursor color. But, algorithms and mathematical formulas and scientific laws are 'natural' and are 'discovered' not 'invented' so you can't patent them. Technically.
    But you can patent a device consisting of any computer running any software that -implements- the algorithm... d'oh.
    Also you "can't" patent an idea that is 'obvious to someone versed in the art' according to the laws, but the patent office seems to interpret this as 'if it isn't obvious to -everyone- who has ever used a computer that in must be non-obvious to -someone- so it's patentable' ... or something.
    So, yes, in the end, you might as well be able to patent obvious algorithms, given the current interpretations, since the 'protections' are worked around with technicalities. But technically you can't. So you just have to say it differently. D'oh.
    Anyway, the person you were replying to knows all this, s/he was being ironic.

    --Parity
  • What this patent is really about is Cisco's NAT pool technology. Basically it gives the external side of the firewall several external IP addresses rather then just one as seen with most firewalls today. I know that Cisco uses this technology with their PIX Firewall [cisco.com] boxes. But I don't know if they use this with any of their other firewalls. -Sean
  • This patent actually looks more like a NAT/DHCP hybrid rather than a rip of NAT.

    However, it irks me that something like this can even be patented at all. This is a fairly simple concept that I am sure many a network tech have considered at one point or another. Its implementation would be fairly simple in a Linux box with a couple of NICs.

    It really makes me feel that patents are starting to cause more conflicts than they solve. The patent system either needs some reform, or to be dissolved and replaced by something that fits the times.
  • What you also meant to say was that these extra IPs (because of a 'shortage') cost lots of money to obtain from an ISP. Which is why NAT saves you vast sums of money.

    Actually most companies I know of don't use NAT at all, just proxies.
  • IBM hold many, many, MANY patents. Keep in mind they they have been real innovators in the field of computers, so don't judge them too harshly. While this is obviously a bogus patent and we don't know how many more have made it through, IBM is a large, productive company where things like this might slip through the cracks. I have faith that IBM will drop this patent if it's brought to their attention that it is bogus. Just let them know, and I'm sure they'll be nice :)

    I'm off now to write them a polite email :)

    Dave
    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • This seems add security on top of the RFC and mentions it. The detail description though sounds a lot like the 'IPTABLES' feature in the upcoming Linux 2.4 kernel. I really hope there is enough of a difference that it doesn't cause a conflict because i have really been looking forward to using the IPTABLES it is a huge improvement over the current ipchains setup. On a positive side I havent heard anything from Cisco about trying to enforce this patent yet...
  • mmm you might want to read the pantent first and then send that mail to Cisco...
  • Where the hell did IBM come from??

    Possibly because the luser that submitted the story saw ibm in the URL (something like www.patents.ibm.com) and made an ASS out of U and ME.

    Eric

  • by Sun Tzu ( 41522 ) on Wednesday September 20, 2000 @05:31AM (#766068) Homepage Journal
    Erm... what makes you think they are competent to recognize real geeks? I know of a technically unsophisticated organization that hires "technical experts" that just turn out to be more bureaucrats.

    Once again, we run into that old problem: you can't manage what you don't understand. If the subject matter is difficult enough to understand, a naive manager won't be able to tell which "experts" are real and which are totally off base. In the experiences I'm familiar with, credentials don't seem to help much -- in either the high level strategic decisions or the lower level technical ones.

    Maybe I'm a pessimist, but I don't expect the problems at the PTO to be solved without a near-total replacement of their structure.
  • This should really say "Granted a patent". If you bother to read the web page, it says under Legal Status: "Aug. 11, 1998 - A - Patent". This means that the patent was granted and the invention was published on Aug. 11, 1998. It was filed in November of 1995.
  • So basically, all you have to do to avoid legal action is say "oh... that's not a device I'm using. It's an algorithm!"

    fine... that's a patent I can live with.
  • So tell it to the USPTO :-)
  • I do standards work, both in ETSI and the IETF. Each standards body sets up its own rules about how IPR is handled.

    For the IETF, IPR handling is outlined quite clearly in RFC 2026 [ietf.org], section 10.

    In short, patents are allowed, as long as they are licensed on non-discriminitory terms. Most standards bodies have similar stipulations.

  • If they wrote and published the RFC before applying for the patent, they effectively released it into public domain.

    Can you provide any documentation for this claim? I'm assuming from your comment that there is some contract somplace that must be signed before releasing an RFC, and that contract specifies that RFC's are in the "public domain" (whatever that means).

    Clearly, there are some copyright issues involved with the release of an RFC -- I'm assuming that since RFC's get copied so freely, there is some type of license that allows copying under certain circumstances. But I am intrigued by the idea that in addition to copyright issues, there is some type of patent issue involved.

    Like I say, please provide some references to this "public domain" idea. Thanks.
  • Next they will try to patent Internet SCSI. http://www.ece.cmu.edu/~ips/ Just watch...
  • FreeBSD's ipfw/natd does as well. It was merged into the tree around 2.1.x. Sorry but netfilter isn't BSD, you couldn't have been farther off there. It's being worked on but won't make it into 2.4.x for a while yet. Netfilter is going to blow away the crappy masq/ipchains but it'll still fall short of ipfw/natd and ipf/ipnat.
  • No, i believe the reason people use the IPs set aside for private networks is b/c they are running a private network. I'm sure a company does not want all of thier computers to be acessible to the entire internet. Those ranges were set aside just for that purpose, and so that a company with 10,000 computers would not suck 10,000 real ips out of the pool. It also adds a layer of security, since packets with such internal IP numbers are not routed to the internet.
  • It's about time that the patent office hires a group of geeks to consult with whenever there's a pending technology patent. If we're going to have people running the patent office who know nothing about existing technology, this problem is only going to get worse.
  • IIRC patent issues are already causing problems with the adoption of IPv6.

    I didn't know that, but I expected something like this - it is a logical consequence of current approach to patent law in the US. The problem is: how far will it get?

  • by FascDot Killed My Pr ( 24021 ) on Wednesday September 20, 2000 @05:14AM (#766079)
    "Applicant: Cisco Technology Systems."
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
  • And then give the proceeds to OSS projects. Man, the BS is getting thick in this business.
  • You try to make a joke and you get moderated as offtopic. Sheesh!

    I know, I know, this is offtopic too. Screw it.

    EMUSE.NET [emuse.net]
  • by Parity ( 12797 ) on Wednesday September 20, 2000 @07:52AM (#766082)
    Yes, -do- read the actual patent; in particular, claim 1. Translated,
    'A method wherein: if someone on the intranet sends out a packet, we translate their address to one that the internet accepts, and remember who they are. If a packet comes back for that exact translated address, and we haven't timed out the connection yet, then pass it through to the appropriate intranet host.'

    If that isn't a patent on 'NAT implemented as device consisting of software on a computer' I don't know what is.

    Please remember that each -claim- stands on its own as separate invention, put together in one patent for convenience and relatedness, but Cisco is claiming claim 1 all by itself as an invention regardless of other complexities in the claims.

    Real text for reference, but it's more readable on the database page:
    1. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network, the method comprising the following steps:
    identifying a global IP destination address on an inbound packet arriving at the private network;
    determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address, which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period;
    if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period, determining whether the inbound packet meets defined security criteria;
    if the inbound packet meets said security criteria, replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed; and
    forwarding the inbound packet to the particular local host to which the inbound packet was addressed.


    --Parity
  • The original posting by Cmdr Taco said IBM. He changed it to CISCO later.

    EMUSE.NET [emuse.net]
  • You should check out the slashdot FAQ [slashdot.org] (Tech section) if you wonder about the hardware slashdot is running on...

    (5 load balanced Web servers dedicated to pages
    3 load balanced Web servers dedicated to images
    1 SQL server
    1 NFS Server)

    --
  • by lomion ( 33716 ) on Wednesday September 20, 2000 @05:15AM (#766085) Homepage
    Actually the patent referenced by that link is for a Cisco patent, not IBM. The IBM patenets seems todeal with classified information sent via email or something similar. That said, the RFC itself dates to 1994, the patent's inital date is Nov 1995. Looks like prior art to me if they push this one.
  • Well, as sort of a correction to myself, it was published as being patented in August of 1998. The first time it was listed, it was published in the patent office's regular publishing as well.
  • After the day-long error of the itolympics.org link, I place a bet of $10 that the IBM->Cisco won't be fixed before noon EST. Another $5 that it won't be fixed by 5PM!

    Pay up. I noticed the change at 1132 AM EDT. Send money order to ... dont_mail@me.com!

    Eric

  • The patent even specifies RFC 1631 in its references section, so anything in RFC 1631 would obviously be prior art... so it seems rather unclear what exactly the patent is about.
  • With prior art as easy as that and seen by millions this should be a snap.
  • I know of a technically unsophisticated organization that hires "technical experts" that just turn out to be more bureaucrats.

    I see no reason to involve the Office of the Vice President of the United States.

  • Just found this one out yesterday.

    If you've got a Windows 2000 machine running DHCP and it can't find a DHCP server, it just makes up a number, and then pings to see if anyone else is using it. It's an interesting idea for people who just bought a use-at-home hub without a server or any networking knowledge.

    The wierd thing is that instead of using a 10. or 192.168. address from RFC 1918, they actually bought a class B subnet at 169.254. aren't using it on the internet(try tracerouting to an address), and assign a random number from that subnet when you don't get a response from a DCHP server.

    Why? I don't get it? Any conspiracy theories?

  • Actually, it's part of patent law. You cannot patent that which has already been published.

    Bill - aka taniwha
    --

  • I'm pretty sure that all publications count as prior art, even if the author/publisher is the one applying for the patent. At least, that's the way it is in most countries. Apparently it wasn't always like this in the US though... I've heard that RSA was published before it was patented.

    Yep, all publications (released to the public, e.g., not an internal company memo) count as prior art. In the U.S., however, an inventor does have a 1-year grace period after publication in which he can still file for a patent. (Irrelevant in this particular case, since the RFC was published in May '94 and the application was filed in Nov. '95.) Most countries don't have this grace period, and publication even one day before filing will invalidate the patent (at least in theory).

  • It seems that they're too busy "empowering the internet generation" to see that other companies have already used NAT (I'm using it right now on my Linksys 4-port DSL router). I'm sure not going to pay the Cisco router tariff unless they manage to string OC3 to my doorstep.
  • by TheReverand ( 95620 ) on Wednesday September 20, 2000 @05:38AM (#766100) Homepage
    How stupid do you feel that you didn't bother to read the article in your attempt for 1st post karma-osity?

    1. IBM didn't apply for the patent. Cisco did.

    2. It's not a patent on NAT, it is a patent on a Security system on NAT.

    I get the feeling that some troll is cracking up after submitting this story.

  • by SEWilco ( 27983 ) on Wednesday September 20, 2000 @05:44AM (#766105) Journal
    Yes, it's some sort of NAT security algorithm -- Oh, you can't patent an algorithm -- security device.

    NAT devices just have to use different NAT security devices or license the patented security device. Unless there's only one way to perform the "security check" (ie, TCP sequence number or port number), in which case it's obvious to any expert and not patentable.

  • by hald ( 1811 ) on Wednesday September 20, 2000 @08:57AM (#766109)
    But you missed part in the translation
    A system and method are provided for translating local IP addresses to globally unique IP addresses. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation is accomplished by replacing the source address in headers on packets destined for the Internet and by replacing destination address in headers on packets entering the local enterprise network from the Internet.
    Packets arriving from the Internet are screened by an adaptive security algorithm. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.
    A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network, the method comprising the following steps:
    • identifying a global IP destination address on an inbound packet arriving at the private network;
    • determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address, which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period;
    • if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period, determining whether the inbound packet meets defined security criteria;
    • if the inbound packet meets said security criteria, replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed; and
    • forwarding the inbound packet to the particular local host to which the inbound packet was addressed.
    Emphasis mine.
    This sounds like NAT + firewall even in claim #1.

    Hal Duston
    hald@sound.net

  • Extremely anal moderators on the loose.

    At least when I mod, I try to do a good job at it :P
  • Never mind!! Stupid me, I mis-read the post. Duh.
    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • by Paladin128 ( 203968 ) <aaron@@@traas...org> on Wednesday September 20, 2000 @06:25AM (#766117) Homepage
    Umm... no! There are MANY other uses for NAT. For instance, I have a DSL account with Verizon (they suck, but are my only option). I can either A) pay lots of cash for multiple accounts and addresses, as the account specifically states it can only be used for 1 PC, or B) set up my spare Linux box to do IP Masquerading (NAT), which makes all my PC's look like one.

    Also, what about load balancing?? Load Balancing devices (HydraWEB, F5 BigIP, Cisco LocalDirector, etc.) rely on NAT to make multiple web servers look like one. I'm pretty sure Slashdot has a load balancing pool... it would be pretty expensive to buy a single webserver that could handle the load Slashdot deals with.

    "Evil beware: I'm armed to the teeth and packing a hampster!"
  • by mr ( 88570 ) on Wednesday September 20, 2000 @05:53AM (#766118)
    Summary: It may be tossed out because of the RFC/standards process. (besides prior art)

    From: Darren Reed
    To: ipfilter@coombs.anu.edu.au
    Subject: Those turds over at (1$(0.

    Someone has unfortunately brought to my attention the fact that certain
    parts of NAT have been patented by the company which lovingly likes to
    think it "runs the internet" (puke, spew, vomit). #5793763 patents a
    complete implementation of what is essentially described in RFC 1631.
    The patent was filed a whole 8 days prior to the first public release
    (beta) of IPFilter with NAT.

    If anyone can provide a legal opinion on whether or not that particular
    patent would stand up in court, please let me know. That's legal opinions,
    not personal opinions (they're dime a dozen). I'd be especially interested
    to know of there are other NAT implemtenations which date back to prior to
    that patent being filed and how complete they are/were.

    And the non-legal reply:

    From: Nigel Dyson-Hudson
    To: ipfilter@coombs.anu.edu.au
    Subject: Re: Those turds over at (1$(0.

    folks,

    Apparently you can not patent material from working with a standards body.
    Dell was smacked down on this in 1996. You might want to look at what is
    happening with RAMBUS memory, www.tomshardware.com has a number of
    articles, since RAMBUS was a member of JEDC and has patented stuff from
    those meetings.

    So, if said company was anywhere near the RFC process, they would be trying
    to patent stuff from an open standards body.

  • According to our patent lawyers at work it depends on the bylaws of the organization in question and any agreement the company signed to join the process - some "standards bodies" allow companies to patent their submissions, but most that do so require some sort of licensing scheme that allows other companies to implement the standard (although sometimes at a quite healthy profit to the patent owner).
  • by grantma ( 34946 ) on Wednesday September 20, 2000 @06:26AM (#766120)
    Linux IP masquerade predates the NAT RFC, and includes behaviour that is definitely the equivalent of stateful filtering, due to its masquerading of FTP and HTTP sessions from one IP number. This is done by using lookup tables based on the TCP sessions port numbers, and special case reverse TCP session mapping for the FTP (I believe this also uses mathing based on port numbers). Check out the 1.1? dvelopment kernels, and some of the 1.2.x ones. This was about 1994/1995. There are also probably patches that predate this.

    Then there is also the BSD netfilter which maybe precedes this work.

    Please correct me if I am wrong.
  • Hey, I'm not the only one who made the mistake! :) Apparently, they've changed it, without letting us know they updated the post. That's irritating. Ah well, I read the meat of the patent, not the little stuff ;)
    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • Uhh.. if it's *stated* then they are showing why their patent is unique compared to it. That's what prior art was all about.

    FYI.. simply showing prior art once a patent is granted is not always enough to overturn it.
    Showing that the patent application KNEW about prior art and did not disclose it IS a good way to turn it over.

    Cisco isnt' saying they invented NAT. They are patenting a security mechanism used for inbound NAT connections, that appears to deal with stateful inspection.
  • The first patent claim alone clearly claims NAT in general, not some specific variant. Even later claims do not seem to stray beyond what is (and was) standard practice: the "adaptive security algorithm" refers to the obvious methods needed to make ping, traceroute, and ftp work.
  • I only hate them for trying to usurp the consumer market. They have no expertise there (you wouldn't stand paying $500 for a 4-port 10-100 switch, would you?).
  • from http://www.ietf.org/i nternet-drafts/draft-manning-dsua-03.txt [ietf.org]

    169.254.0.0/16 has been ear-marked as the IP range to use for end node
    auto-configuration when a DHCP server may not be found. As such, network
    operations and administrators should be VERY aggressive in ensuring that
    neither route advertisements nor packet forwarding should occur across
    any media boundaries. This is true for the Internet as well as any
    private networks that use the IP protocols. End node administrators
    should be aware that some vendors will auto-configure and add this
    prefix to the nodes forwarding table. This will cause problems with
    sites that run router discovery or deprecated routing protocols such as
    RIP.
  • Some standards bodies will consider a patented algorithm for the standard, as long as the company is willing to make the patents available for everyone's use for a reasonable royalty. Not to defend Fraunhofer, but their royalty charges probably are reasonable to an old-school closed company, which would presumably rake in enough money per mp3 encoder (IIRC, only encoding is patented, decoding is not) to pay for the patent license. Of course, the royalties just aren't workable for freely-distributable software which normally has little-to-no revenue.

    Now waiting until it became the widespread standard to enforce the patent and extract royalties - that does seem indefensible (albeit probably legal) to me. In effect, Fraunhofer artificially sweetened the allure of the mp3 format for encoder writers (both pay and free), just to get them hooked. Perhaps the ISO should adopt some rules so that you can't arbitrarily raise royalties or expand patent enforcement significantly above the rates set when the standard was enacted?

  • A careful reading of the patent reveals that it is not NAT itself that is being patented; rather a security add-on algorithm to the existing NAT system that disallows dangerous packets.

    What it actually sounds like is a patent on masquerading with a pool of possable outbound addresses rather than a single address.

  • the sad part is that, to him, it's just a little game - he's getting some little thrill out of the vague notion of getting people 'fired up.' and it works - at least, insofar as to make me goddamned angry.

    /. derives revenue from displaying banner ads. The more page views, the more ads they can sell. I'm not disparaging the ethics of Taco, but remember that /. (who are owned by a public company) have a vested interest in controversy.

    And Cisco aren't patenting NAT, infact they even reference the RFC in their application.

  • My experience in studying Cisco is that they patent just about everything. They try and patent all of their protocols (i.e. EIGRP, PAgP, etc.) I was working on implementing Fast EtherChannel at a startup and we wanted to support Cisco's PAgP (Port Aggregation Protocol). I reverse engineered the protocol, which was surprisingly simple, only to find that Cisco received a patent on it a month prior.

    Cisco would patent the IP address if they could. Also, Cisco is great at taking work done by others. It seems that very little "innovation" comes out of Cisco. Cisco must buy all of their innovation and spend all their time porting it to IOS.
  • And if they all have to jump to IPv6, would not Ci$co benefit there, too?



    It's all true! ±5%
  • Yeah, no shit. But since an article about it was posted on Slashdot, doesn't that mean that Slashdot filed for the patent?
  • by Dienyddio ( 161154 ) on Wednesday September 20, 2000 @05:17AM (#766148)
    OK so at first this looks like a bad thing but *gasp* could there be a positive aspect?

    The real reasion we have NAT at the moment is due to the limits of IPv4 addresses which causes many people, including many companies, to masqurade their private networks. If all of a sudden people have to pay vast sums of money to do this there will be an incredable amount of pressure to move to IPv6.

    IMHO anything that speeds the uptake of IPv6 is a very good thing.

  • by imp ( 7585 ) on Wednesday September 20, 2000 @10:32AM (#766150) Homepage
    TIA 1.0 was released in late 1993 or early 1994. It did NAT-like address translation. I worked on the code from September 1995. The patent was filed November 5, 1995. When I started at Cyberspace Developement (the folks that did TIA), the address translation code was in place. When I was brought on, one of the first things I did was to create a CVS tree with all the sources in it. I went back to the original 1.0 release and put those sources in, then the interrum 1.1 sources (I was working on 2.0) and then the current 2.0 pre-alpha sources. The address translation for FTP, and a few other protocols was in place from at least 1.0 forward.

    SLiRP also did TIA-like things. IIRC, it was release the summer of 1995. So there's an OPEN SOURCE release prior to CISCO's patent being filed. I don't know if it predates their internal first use, which may be a wash here.

    I'd be happy to testify to these facts in a court of law, should it come to that, assuming that I can convince the folks that bought Cyberspace Developement to allow me to do so.

    Warner Losh

  • I don't think Cisco is trying to patent NAT here, but there's little doubt in my mind that they could.

    A few years ago, Cisco bought a company called Network Translation, which had one product: the now-famous PIX. This was a very interesting box, with a custom OS-9-like operating system, and was legitimately, so far as I know, the first implementation of any kind of network address translation. I know Network Translation had some patents pending back years ago, we may just be seing these now. If so, they have a legitimate claim, since I was following NAT pretty closely back then (this was the time leading up to the "we're running out of IP addresses!" paranoia), and there was *no one* else doing NAT at that time. Cisco watched, and then, wisely, bought them.

    I doubt they could enforce the patent, due to the later IETF work (we were in the RFC 1200-1300 range when I was looking at this stuff), but having the patent issue may be entirely appropriate, even if it is for the basic concept of NAT.
  • by Jammer@CMH ( 117977 ) on Wednesday September 20, 2000 @05:18AM (#766152)
    See "Other References", at the bottom. Presumably their patent adds some value to 1631, and isn't just a restatement of it.
  • How it's diffence from ipchains or ipfilter please tell me!!

    ipchains / ipfilter aren't "patent pending". :)

    Actually, after reading the request, it sounds like they're trying to patent the use of NAT for security. They're not doing anything special, they've no special formula, they're just describing the "use" of ipfwadm that's been on my 486 DX4/120 with a modem since I bought it with the exact purpose of providing security and connection sharing about 4 years ago.

    Hey, maybe I should file a patent for "connection sharing through NAT"...

  • [i]A system and method are provided for translating local IP addresses to globally unique IP addresses. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation is accomplished by replacing the source address in headers on packets destined for the Internet and by replacing destination address in headers on packets entering the local enterprise network from the Internet.[/i]

    That is RFC1631 in a nutshell

    [i]Packets arriving from the Internet are screened by an adaptive security algorithm.[/i]

    Ok, I'm interested now. Explain.

    [i]According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.[/i]

    Uhm, NAT does this already. This description of Cisco's 'NAT' is inherent in the design of traditional RFC1631 NAT. If a packet is going to an internal computer, where the internal computer did not initiate the connection, then drop it, otherwise let it through. Exceptions are made where the NAT proxy cannot determine if a connection was initiated (like DNS or ICMP).

    Can you say 'Prior Art'? I knew you could.....
  • by F.Prefect ( 98101 ) on Wednesday September 20, 2000 @05:19AM (#766156) Homepage
    A careful reading of the patent reveals that it is not NAT itself that is being patented; rather a security add-on algorithm to the existing NAT system that disallows dangerous packets.

    The way I understood it, it would prevent a malicious external traffic source from sneaking their evil packets past the NAT using the source/destination port numbers that the NAT was sending out on its outbound packets. So FTP packets get through only if an internal host initiated an FTP session, DNS packets get through, certain ICMP packets, etc.

  • by slickwillie ( 34689 ) on Wednesday September 20, 2000 @11:21AM (#766157)
    Check out the list of 10 patents that reference this one, especially 6006272 "Method for Network Address Translation", by Lucent. That one sounds like a more general one, and a lot more like the RFC.
  • True (I did see that), but one should read the actual source material... the authors here have a increasing tendency to not read it themselves...
    --
  • by Parity ( 12797 ) on Wednesday September 20, 2000 @11:46AM (#766159)
    Okay, I'm not a lawyer here, but it seems to me that this could mean -any- filtering at all; which could mean (and I took to mean) something as simple as, 'this is a valid TCP/IP packet without source routing to a local host that has already opened a connection to the internet host within a reasonable time'; in otherwords, something exactly like Linux's IP Masquerading.

    So, what, you can have NAT without violating the patent iff you don't sanity check incoming packets? Nobody's going to do that. If that's the only way to implement NAT without violating the patent, it's not going to happen - it's just not sane to let arbitrary packets into your intranet.

    Now, if you're a big company... or even a medium company... you can just separate your packet-filtering firewall and your NAT router into separate physical devices and call it a 'configuration' and not a NAT with filtering at all, but for a homenet or a very small company, you may not be able to afford the space/electricity/hardware to have two devices where one would do.

    In otherwords, it doesn't sound like NAT+firewall to me, it sounds like NAT implemented with some nod towards security.

    Even if the patent doesn't describe the NAT rfc, and some particularly stupid NAT routers, it certainly describes a linux kernel with IP_MASQ and the the various ip_masq_* service modules.


    --Parity
  • by kinnunen ( 197981 ) on Wednesday September 20, 2000 @06:06AM (#766160)
    If they wrote and published the RFC before applying for the patent, they effectively released it into public domain.

    Besides, the RFC clearly states that the writers worked for Cray Communications and NTT.

    --

  • You are probably right that it's not the NAT itself, but still we (or rather - you out there in the US) are moving in a bad direction. Internet - AFAIK - was built upon the idea that protocols are public property, open for everyone to read, implement and use. Imagine where would we be now if all the "founding fathers" of the Net filed patents instead of writing RFCs?

    In my opinion this is just another example that the concept of copyright and intellectual property as defined by current US laws is simply wrong and doesn't fit into our networked world. It's a pity that now US wants to force its patent laws also in the EU.

  • by ch-chuck ( 9622 ) on Wednesday September 20, 2000 @06:14AM (#766162) Homepage
    the Hyper Light Speed Antenna [ibm.com]. Woo, we can communicate faster than the speed of light! This is about the equivilent of a perpetual motion machine, just not nearly as famous. It's empty techie-gizmo gee-whiz terminology that convinced some shoe horn to grab the wrong stamp. This has got to be someone playing a joke on the pto. Sure, they do employ a lot of trained engineers but there's definitely something amiss with the amount of applictions slipping thru the cracks and getting approved - they need geeks who know whats going on - not the current crop of Al Gore wannabe airheads who've no concept of objective, verifiable facts. I sure hope the NIST doesn't turn into this kind of political swamp.
  • by Abcd1234 ( 188840 ) on Wednesday September 20, 2000 @06:53AM (#766168) Homepage
    Actually, they didn't buy anything. This range is registered with IANA as the link-local IP address range, from which a machine can assign itself a temporary IP, for use during configuration. The range for that is 169.254/16. The definition for how this range is used in IPv4 as part of an ad hoc network is located here [ietf.org]. It's also used in IPv6 in RFC 2462.
  • by interiot ( 50685 ) on Wednesday September 20, 2000 @05:21AM (#766174) Homepage
    The difference is that the RFC doesn't deal with security. Cisco's patent seems to be a combination NAT+firewall. AFAIK, combinations of obvious/prior-art/patented things can be patented as long as the combination is non-obvious and novel. (*) [akingump.com]

    But it doesn't seem like this combination is anything to write home about.
    --

  • This doesn't look like plain NAT to me. Look at Claim 2 -- it looks like a method for re-using normal IP addresses. So if I'm at 123.123.123.123 behind the Cisco-patented router, I think this would allow me to talk to a different address at 123.123.123.123 *outside* the router.

    I'm not real good at lawyer-speak though :-)
  • by _|()|\| ( 159991 ) on Wednesday September 20, 2000 @05:23AM (#766177)
    Scroll all the way to the bottom of the page, and you'll see the patent does, in fact, reference RFC 1631. They're not patenting NAT, they're patenting "an adaptive security algorithm" for use with NAT.
  • by adturner ( 6453 ) on Wednesday September 20, 2000 @07:12AM (#766184) Homepage
    Like many people picked up, what Cisco is trying to patent isn't NAT itself but a way to do stateful inspection (ie. only allowing ftp-data through after a connection is made to the ftp control port) with NAT.

    However, Checkpoint's Firewall-1 product has been doing this for years now- even before Cisco bought the PIX and started adding firewall features (the PIX initially was just a NAT device). It wouldn't surprise me one bit to find out that other vendors (including IPChains) have been doing this for a while either.

    Of course with the patent office being apparently run buy a bunch of idiots, it wouldn't surprise me one bit that this gets through.

  • they filed it in 1995... They received it in late 1998. Have they chase after anyone for doing NAT? No... this is the first we've heard of it, by someone doing searches through patents.ibm.com.

    Frankly, if this patent is going to be filed and granted, i'm much happier to see that it's in the hands of a company that so far sees to have filed it as a means of protection rather than a means of harrassment.

    Now, if they start going after other router manufacturers, maybe it'll be time to get up in arms. But overall, this is old news, and in almost 2 years they've yet to pull any manueering with this patent...
  • It appears to be simply using NAT with a VERY simple firewall implementation. I THINK that this is pretty much the heart of their security model.

    SUMMARY OF THE INVENTION

    The present invention provides a system which employs NAT in conjunction with an adaptive security algorithm to keep unwanted packets from external sources out of a private network. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. Domain Name Section "DNS" packets and certain types of Internet Control Message Protocol "ICMP" packets are allowed to enter local network. In addition, File Transfer Protocol "FTP" data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.

    These and other features and advantages of the present invention will be presented in more detail in the following specification of the invention and the figures.

    ________From the detailed section: ____________
    The process by which translation system 34 handles inbound packets from the Internet (and arriving at NAT system outside interface 18b) is depicted in a process flow diagram 200 shown in FIG. 5. It should be understood that this procedure includes an adaptive security algorithm that does not block outbound packets. In a preferred embodiment, adaptive security follows these rules:

    1. Allow any TCP connections that originate from the inside network.
    2. Ensure that if an FTP data connection is initiated to a translation slot, there is already an FTP control connection between that translation slot and the remote host. Also ensure that a port command has been issued between the same two hosts. If these criteria are not met, the attempt to initiate an FTP data connection is dropped and logged.
    3. Prevent the initiation of a TCP connection to a translation slot from the outside. The offending packet is dropped and logged.
    4. Allow inbound UDP packets only from DNS. NFS is explicitly denied.
    5. Drop and log source routed IP packets sent to any translation slot on the translation system.
    6. Allow only ICMP of types 0, 3, 4, 8, 11, 12, 17 and 18.
    7. Ping requests from outside to dynamic translation slots are silently dropped.
    8. Ping requests to static translation slots are answered.
    So, I guess that the obvious question is whether or not anybody publicly discussed the idea of implementing any sort of firewalling on NATs before CISCO submitted their Patent.

    Personally, I think that if these kinds of firewall rules were suggested before (with or without NAT), that including a firewall in a NAT router would be an obvious action (especially in a general purpose computer being used as a NAT translator) would be an "obvious improvement".

    Actually, rereading this, it seems like a patent for a specific set of firewall rules. Other than checking to see if the NAT address is being used, there seems nothing in this section that's unique to NATs.

  • by Dwarf_Sibling ( 118360 ) on Wednesday September 20, 2000 @07:19AM (#766192)
    Adaptive Security Algorithm or (ASA) is the marketing name for the stateful packet filtering that the Cisco PIX Firewall does. Nothing more, nothing less. Info at Cisco on ASA can be found here. [cisco.com]
  • by Anonymous Coward
    From the patent:

    Issued/Filed Dates: Aug. 11, 1998 / Nov. 3, 1995

    Alert Ted Koppel!
  • After the day-long error of the itolympics.org link, I place a bet of $10 that the IBM->Cisco won't be fixed before noon EST. Another $5 that it won't be fixed by 5PM!
  • by malkavian ( 9512 ) on Wednesday September 20, 2000 @05:23AM (#766195)
    As far as I can make out, the difference in the patent and the RFC seems to me to be that the patent specifies that the packets are filtered by a security algorithm, where the RFC states that it has no security algorithm.

    The patent then, only applies to a version of NAT that uses an adaptive security algorithm.

    Anything less than this would definately hit the prior art. And it's quite likely that even this will hit the prior art bin too.

    From the Patent:


    Packets arriving from the Internet are screened by an adaptive security algorithm


    From the RFC:


    Unfortunately, NAT reduces the number of options for providing security. With NAT, nothing that carries an IP address or information derived from an IP address (such as the TCP-header checksum) can be encrypted. While most application-level encryption should be ok, this prevents encryption of the TCP header.
  • ...and it would appear that it extends NAT functionality in a (presumably) propietary way, adding security aspects and enabling transparency to DNS and ICMP packets. The embodiment also suggests that it's a way of doing it rather than the actual NAT process.
    I would have paid to watch the Patent Officer's eyes glaze over as he read it though.
  • Why limit yourself to just Linux admins? Other operating systems use a combination of NAT and firewalling programs as well. OpenBSD, FreeBSD, I'm sure Solaris as well... even Windows has programs to do NAT.

Let's organize this thing and take all the fun out of it.

Working...