Well... it's prior art unless Cisco wrote the RFC, which I believe they did.
Re:This could do a lot of good · by jallen02 · Score: 3
I suppose that would be the case if they were patenting NAT, but they are just patenting a security measure for NAT..... heh read the patent not just what /. posts
Jeremy
Re:More patent problems... · by Sun+Tzu · Score: 3
Erm... what makes you think they are competent to recognize real geeks? I know of a technically unsophisticated organization that hires "technical experts" that just turn out to be more bureaucrats.
Once again, we run into that old problem: you can't manage what you don't understand. If the subject matter is difficult enough to understand, a naive manager won't be able to tell which "experts" are real and which are totally off base. In the experiences I'm familiar with, credentials don't seem to help much -- in either the high level strategic decisions or the lower level technical ones.
Maybe I'm a pessimist, but I don't expect the problems at the PTO to be solved without a near-total replacement of their structure.
Yes, -do- read the actual patent; in particular, claim 1. Translated,
'A method wherein: if someone on the intranet sends out a packet, we translate their address to one that the internet accepts, and remember who they are. If a packet comes back for that exact translated address, and we haven't timed out the connection yet, then pass it through to the appropriate intranet host.'
If that isn't a patent on 'NAT implemented as device consisting of software on a computer' I don't know what is.
Please remember that each -claim- stands on its own as separate invention, put together in one patent for convenience and relatedness, but Cisco is claiming claim 1 all by itself as an invention regardless of other complexities in the claims.
Real text for reference, but it's more readable on the database page:
1. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network, the method comprising the following steps:
identifying a global IP destination address on an inbound packet arriving at the private network;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address, which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period, determining whether the inbound packet meets defined security criteria;
if the inbound packet meets said security criteria, replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed; and
forwarding the inbound packet to the particular local host to which the inbound packet was addressed.
Actually the patent referenced by that link is for a Cisco patent, not IBM. The IBM patents seem to deal with classified information sent via email or something similar. That said, the RFC itself dates to 1994, the patent's initial date is Nov 1995. Looks like prior art to me if they push this one.
If they wrote and published the RFC before applying for the patent, they effectively released it into public domain.
Besides, the RFC clearly states that the writers worked for Cray Communications and NTT.
Re:IBM hold a lot of patents, · by TheReverand · Score: 3
How stupid do you feel that you didn't bother to read the article in your attempt for 1st post karma-osity?
1. IBM didn't apply for the patent. Cisco did.
2. It's not a patent on NAT, it is a patent on a Security system on NAT.
I get the feeling that some troll is cracking up after submitting this story.
Re:The patent does reference RFC 1631 · by SEWilco · Score: 3
Yes, it's some sort of NAT security algorithm -- Oh, you can't patent an algorithm -- security device.
NAT devices just have to use different NAT security devices or license the patented security device. Unless there's only one way to perform the "security check" (ie, TCP sequence number or port number), in which case it's obvious to any expert and not patentable.
A system and method are provided for translating local IP addresses to globally unique IP addresses. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation is accomplished by replacing the source address in headers on packets destined for the Internet and by replacing destination address in headers on packets entering the local enterprise network from the Internet.
Packets arriving from the Internet are screened by an adaptive security algorithm. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.
A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network, the method comprising the following steps:
identifying a global IP destination address on an inbound packet arriving at the private network;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address, which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period, determining whether the inbound packet meets defined security criteria;
if the inbound packet meets said security criteria, replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed; and
forwarding the inbound packet to the particular local host to which the inbound packet was addressed.
Emphasis mine. This sounds like NAT + firewall even in claim #1.
Hal Duston hald@sound.net
Re:This could do a lot of good · by Paladin128 · Score: 3
Umm... no! There are MANY other uses for NAT. For instance, I have a DSL account with Verizon (they suck, but are my only option). I can either A) pay lots of cash for multiple accounts and addresses, as the account specifically states it can only be used for 1 PC, or B) set up my spare Linux box to do IP Masquerading (NAT), which makes all my PC's look like one.
Also, what about load balancing?? Load Balancing devices (HydraWEB, F5 BigIP, Cisco LocalDirector, etc.) rely on NAT to make multiple web servers look like one. I'm pretty sure Slashdot has a load balancing pool... it would be pretty expensive to buy a single webserver that could handle the load Slashdot deals with.
"Evil beware: I'm armed to the teeth and packing a hampster!"
-- Lex orandi, lex credendi.
Let's see what a REAL lawyer says.... · by mr · Score: 5
Summary: It may be tossed out because of the RFC/standards process. (besides prior art)
From: Darren Reed
To: ipfilter@coombs.anu.edu.au
Subject: Those turds over at (1$(0.
Someone has unfortunately brought to my attention the fact that certain
parts of NAT have been patented by the company which lovingly likes to
think it "runs the internet" (puke, spew, vomit). #5793763 patents a
complete implementation of what is essentially described in RFC 1631.
The patent was filed a whole 8 days prior to the first public release
(beta) of IPFilter with NAT.
If anyone can provide a legal opinion on whether or not that particular
patent would stand up in court, please let me know. That's legal opinions,
not personal opinions (they're dime a dozen). I'd be especially interested
to know if there are other NAT implementations which date back to prior to
that patent being filed and how complete they are/were.
And the non-legal reply:
From: Nigel Dyson-Hudson
To: ipfilter@coombs.anu.edu.au
Subject: Re: Those turds over at (1$(0.
folks,
Apparently you can not patent material from working with a standards body.
Dell was smacked down on this in 1996. You might want to look at what is
happening with RAMBUS memory, www.tomshardware.com has a number of
articles, since RAMBUS was a member of JEDEC and has patented stuff from
those meetings.
So, if said company was anywhere near the RFC process, they would be trying
to patent stuff from an open standards body.
--
If it was said on slashdot, it MUST be true!
PRIOR ART - Linux IP masquerade predates NAT RFC! · by grantma · Score: 3
Linux IP masquerade predates the NAT RFC, and includes behaviour that is definitely the equivalent of stateful filtering, due to its masquerading of FTP and HTTP sessions from one IP number. This is done by using lookup tables based on the TCP sessions' port numbers, and special case reverse TCP session mapping for FTP (I believe this also uses matching based on port numbers). Check out the 1.1? development kernels, and some of the 1.2.x ones. This was about 1994/1995. There are also probably patches that predate this.
Then there is also the BSD netfilter which maybe precedes this work.
Please correct me if I am wrong.
This could do a lot of good · by Dienyddio · Score: 3
OK so at first this looks like a bad thing but *gasp* could there be a positive aspect?
The real reason we have NAT at the moment is due to the limits of IPv4 addresses which causes many people, including many companies, to masquerade their private networks. If all of a sudden people have to pay vast sums of money to do this there will be an incredible amount of pressure to move to IPv6.
IMHO anything that speeds the uptake of IPv6 is a very good thing.
TIA 1.0 was released in late 1993 or early 1994. It did NAT-like address translation. I worked on the code from September 1995. The patent was filed November 5, 1995. When I started at Cyberspace Development (the folks that did TIA), the address translation code was in place. When I was brought on, one of the first things I did was to create a CVS tree with all the sources in it. I went back to the original 1.0 release and put those sources in, then the interim 1.1 sources (I was working on 2.0) and then the current 2.0 pre-alpha sources. The address translation for FTP, and a few other protocols was in place from at least 1.0 forward.
SLiRP also did TIA-like things. IIRC, it was released in the summer of 1995. So there's an OPEN SOURCE release prior to CISCO's patent being filed. I don't know if it predates their internal first use, which may be a wash here.
I'd be happy to testify to these facts in a court of law, should it come to that, assuming that I can convince the folks that bought Cyberspace Development to allow me to do so.
Warner Losh
The patent cites RFCs 1597 & 1631 · by Jammer@CMH · Score: 3
See "Other References", at the bottom.
Presumably their patent adds some value to 1631, and isn't just a restatement of it.
A careful reading of the patent reveals that it is not NAT itself that is being patented; rather a security add-on algorithm to the existing NAT system that disallows dangerous packets.
The way I understood it, it would prevent a malicious external traffic source from sneaking their evil packets past the NAT using the source/destination port numbers that the NAT was sending out on its outbound packets. So FTP packets get through only if an internal host initiated an FTP session, DNS packets get through, certain ICMP packets, etc.
Okay, I'm not a lawyer here, but it seems to me that this could mean -any- filtering at all; which could mean (and I took to mean) something as simple as, 'this is a valid TCP/IP packet without source routing to a local host that has already opened a connection to the internet host within a reasonable time'; in other words, something exactly like Linux's IP Masquerading.
So, what, you can have NAT without violating the patent iff you don't sanity check incoming packets? Nobody's going to do that. If that's the only way to implement NAT without violating the patent, it's not going to happen - it's just not sane to let arbitrary packets into your intranet.
Now, if you're a big company... or even a medium company... you can just separate your packet-filtering firewall and your NAT router into separate physical devices and call it a 'configuration' and not a NAT with filtering at all, but for a homenet or a very small company, you may not be able to afford the space/electricity/hardware to have two devices where one would do.
In other words, it doesn't sound like NAT+firewall to me, it sounds like NAT implemented with some nod towards security.
Even if the patent doesn't describe the NAT RFC, and some particularly stupid NAT routers, it certainly describes a linux kernel with IP_MASQ and the various ip_masq_* service modules.
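As an added illustration, here is a small Python model of the five steps of claim 1 quoted earlier in the thread, with the "security criteria" step filled in along the lines of the abstract's adaptive security algorithm and the FTP/DNS/ICMP behaviour described in the last two posts. This is example code written for this page, not code from the patent, from Cisco's PIX, or from Linux IP masquerading; the gateway and host addresses, port numbers, the 60-second slot timeout, the allowed ICMP types, the `expect_ftp_data` stand-in for an FTP application-level gateway, and the sample traffic in `demo()` are all constructed assumptions.

```python
import itertools
from dataclasses import dataclass
from typing import Optional

SLOT_TIMEOUT = 60.0              # the claim's "defined time period"; assumed value
ALLOWED_ICMP_TYPES = {0, 3, 11}  # echo reply, unreachable, time exceeded; assumed policy


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # for icmp: the echo identifier
    dport: int = 0
    icmp_type: int = 0


@dataclass
class Slot:  # the claim's "translation slot": global port -> local host, plus the peer it talks to
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    last_seen: float
    ftp_data_expect: bool = False  # opened by the FTP ALG, not by an outbound packet


class NatGateway:
    def __init__(self, global_ip: str):
        self.global_ip = global_ip
        self.slots: dict[tuple[str, int], Slot] = {}        # (proto, global port) -> Slot
        self.reverse: dict[tuple[str, str, int], int] = {}  # (proto, local ip, local port) -> global port
        self.dropped: list[str] = []                        # "dropped and logged"
        self._ports = itertools.count(40000)                # global port allocator (assumed range)

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Outbound half: rewrite the source address and remember who sent it."""
        key = (pkt.proto, pkt.src, pkt.sport)
        gport = self.reverse.get(key) or self.reverse.setdefault(key, next(self._ports))
        self.slots[(pkt.proto, gport)] = Slot(pkt.src, pkt.sport, pkt.dst, pkt.dport, now)
        return Packet(pkt.proto, self.global_ip, pkt.dst, gport, pkt.dport, pkt.icmp_type)

    def expect_ftp_data(self, local_ip: str, local_port: int, remote_ip: str, now: float) -> int:
        """What an FTP ALG does on seeing an outbound PORT command: open a slot for the
        server's active-mode data connection (from port 20), tied to the control session."""
        gport = next(self._ports)
        self.slots[("tcp", gport)] = Slot(local_ip, local_port, remote_ip, 20, now, True)
        return gport

    def _ftp_control_live(self, local_ip: str, remote_ip: str, now: float) -> bool:
        return any(s.local_ip == local_ip and s.remote_ip == remote_ip and s.remote_port == 21
                   and now - s.last_seen <= SLOT_TIMEOUT
                   for (proto, _), s in self.slots.items() if proto == "tcp")

    def _security_criteria(self, pkt: Packet, slot: Slot, now: float) -> bool:
        """The step the patent adds: matching a slot alone does not get a packet in."""
        if pkt.src != slot.remote_ip:  # a reply must come from the host the slot was opened to
            return False
        if pkt.proto == "icmp":
            return pkt.icmp_type in ALLOWED_ICMP_TYPES
        if slot.ftp_data_expect:       # FTP data only while the control session is still live
            return pkt.sport == 20 and self._ftp_control_live(slot.local_ip, slot.remote_ip, now)
        return pkt.sport == slot.remote_port

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Claim 1 step by step; returns the translated packet, or None if dropped."""
        if pkt.dst != self.global_ip:                    # 1. identify the global destination
            return self._drop(pkt, "not our global address")
        slot = self.slots.get((pkt.proto, pkt.dport))    # 2. slot exists and within time period?
        if slot is None:
            return self._drop(pkt, "no translation slot")
        if now - slot.last_seen > SLOT_TIMEOUT:
            del self.slots[(pkt.proto, pkt.dport)]
            return self._drop(pkt, "translation slot timed out")
        if not self._security_criteria(pkt, slot, now):  # 3. security criteria
            return self._drop(pkt, "failed security criteria")
        slot.last_seen = now                             # 4. rewrite destination, 5. forward
        return Packet(pkt.proto, pkt.src, slot.local_ip, pkt.sport, slot.local_port, pkt.icmp_type)

    def _drop(self, pkt: Packet, reason: str) -> None:
        self.dropped.append(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {reason}")


def demo() -> dict:
    """Constructed traffic: a DNS exchange, a spoofed reply, active-mode FTP data, a stale reply."""
    gw = NatGateway("203.0.113.5")
    q = gw.outbound(Packet("udp", "192.168.1.10", "198.51.100.53", 5353, 53), now=0.0)
    dns = gw.inbound(Packet("udp", "198.51.100.53", "203.0.113.5", 53, q.sport), now=1.0)
    spoof = gw.inbound(Packet("udp", "192.0.2.99", "203.0.113.5", 53, q.sport), now=2.0)
    gw.outbound(Packet("tcp", "192.168.1.10", "198.51.100.21", 4000, 21), now=3.0)
    dport = gw.expect_ftp_data("192.168.1.10", 4001, "198.51.100.21", now=3.0)
    ftp_data = gw.inbound(Packet("tcp", "198.51.100.21", "203.0.113.5", 20, dport), now=4.0)
    ftp_bad = gw.inbound(Packet("tcp", "192.0.2.99", "203.0.113.5", 20, dport), now=4.0)
    stale = gw.inbound(Packet("udp", "198.51.100.53", "203.0.113.5", 53, q.sport), now=500.0)
    return {"dns": dns, "spoof": spoof, "ftp_data": ftp_data, "ftp_bad": ftp_bad,
            "stale": stale, "dropped": gw.dropped}
```

The `spoof` case is the distinction the thread keeps circling: the attacker guessed the translated port, so a translator that only asks "does a slot exist?" (step 2, which is all RFC 1631 needs) would rewrite and forward it, while the extra criteria step drops it because the source does not match the external host recorded in the slot. The FTP part models only the gate; a real gateway would also have to parse the PORT command and rewrite the address inside it, which this example does not do.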
Re:THEY ARE NOT PATENTING NAT (but Lucent is?) · by slickwillie · Score: 4
Check out the list of 10 patents that reference this one, especially 6006272 "Method for Network Address Translation", by Lucent. That one sounds like a more general one, and a lot more like the RFC.
the Hyper Light Speed Antenna. Woo, we can communicate faster than the speed of light! This is about the equivalent of a perpetual motion machine, just not nearly as famous. It's empty techie-gizmo gee-whiz terminology that convinced some shoe horn to grab the wrong stamp. This has got to be someone playing a joke on the PTO. Sure, they do employ a lot of trained engineers but there's definitely something amiss with the amount of applications slipping through the cracks and getting approved - they need geeks who know what's going on - not the current crop of Al Gore wannabe airheads who've no concept of objective, verifiable facts. I sure hope the NIST doesn't turn into this kind of political swamp.
Re:Offtopic but interesting · by Abcd1234 · Score: 4
Actually, they didn't buy anything. This range is registered with IANA as the link-local IP address range, from which a machine can assign itself a temporary IP, for use during configuration. The range for that is 169.254/16. The definition for how this range is used in IPv4 as part of an ad hoc network is located here. It's also used in IPv6 in RFC 2462.
The difference is that the RFC doesn't deal with security. Cisco's patent seems to be a combination NAT+firewall. AFAIK, combinations of obvious/prior-art/patented things can be patented as long as the combination is non-obvious and novel. (*)
But it doesn't seem like this combination is anything to write home about.
The patent does reference RFC 1631 · by _|()|\| · Score: 5
Scroll all the way to the bottom of the page, and you'll see the patent does, in fact, reference RFC 1631.
They're not patenting NAT, they're patenting "an adaptive security algorithm" for use with NAT.
Looks like Checkpoint Firewall-1 · by adturner · Score: 3
Like many people picked up, what Cisco is trying to patent isn't NAT itself but a way to do stateful inspection (ie. only allowing ftp-data through after a connection is made to the ftp control port) with NAT.
However, Checkpoint's Firewall-1 product has been doing this for years now- even before Cisco bought the PIX and started adding firewall features (the PIX initially was just a NAT device). It wouldn't surprise me one bit to find out that other vendors (including IPChains) have been doing this for a while either.
Of course with the patent office being apparently run by a bunch of idiots, it wouldn't surprise me one bit that this gets through.
Adaptive Security Algorithm is on the PIX Firewall · by Dwarf_Sibling · Score: 3
Adaptive Security Algorithm or (ASA) is the marketing name for the stateful packet filtering that the Cisco PIX Firewall does. Nothing more, nothing less. Info at Cisco on ASA can be found here.
-- "Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
The patent seems to be on a security mechanism. · by malkavian · Score: 5
As far as I can make out, the difference in the patent and the RFC seems to me to be that the patent specifies that the packets are filtered by a security algorithm, where the RFC states that it has no security algorithm.
The patent then, only applies to a version of NAT that uses an adaptive security algorithm.
Anything less than this would definitely hit the prior art. And it's quite likely that even this will hit the prior art bin too.
From the Patent:
Packets arriving from the Internet are screened by an adaptive security algorithm
From the RFC:
Unfortunately, NAT reduces the number of options for providing security. With NAT, nothing that carries an IP address or information derived from an IP address (such as the TCP-header checksum) can be encrypted. While most application-level encryption should be ok, this prevents encryption of the TCP header.