Bugtraq mailing list archives

Re: NISCC Vulnerability Advisory 236929: Vulnerability Issues in TCP


From: Darren Reed <avalon () caligula anu edu au>
Date: Thu, 13 May 2004 09:59:38 +1000 (Australia/ACT)

In some mail from Bob Beck, sie said:

http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

In the meantime, the IETF has disclosed the following IPR statement
from Cisco:

<http://www.ietf.org/ietf/IPR/cisco-ipr-draft-ietf-tcpm-tcpsecure.txt>

      Translation - BOHICA, Cisco doesn't want people writing compatible
free network stacks, they want to patent TCP. RAND basically means no
free software, you must license on some terms. So we end up with
stupid situations like we did with VRRP (see
http://www.openbsd.org/lyrics.html for that sordid tale), and the IETF
will roll over and piddle on itself instead of standing up to this
nonsense like W3C does.  This is nasty. 

Indeed.  But there's room here to fight it if you think it is possible.
The included text below is from an email to misc () openbsd org.  The summary
is if you feel that Cisco are not entitled to this patent then write to
the USPTO, at the appropriate time, and tell them.  Maybe Cisco won't
get the patent and then it'll be no more of an issue.  Of course doing
that is going to take more effort/dedication than sending an email to
bugtraq, but there you go.  If you don't want Internet security to belong
to corporate America, then you're going to have to fight for it.

Darren

From avalon Wed May 12 15:05:21 2004
Subject: Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure
To: misc () openbsd org
Date: Wed, 12 May 2004 15:05:21 +1000 (Australia/ACT)
Cc: rbarr () cisco com
In-Reply-To: <200405112231.i4BMVSNx025733 () cvs openbsd org> from "Theo de Raadt" at May 11, 2004 04:31:27 PM
X-Mailer: ELM [version 2.5 PL1]
Content-Length: 3839      
Status: OR

I'm not 100% sure that everything I've said below is 100% correct,
but if anyone is sufficiently interested, it hopefully provides a
good pointer on where to start...most of my comments below are
based on the understanding that OpenBSD (if not others) had already
implemented some of the mechanisms discussed in that draft before
this all came to the fore.

While a patent is considered to be "pending", it can be objected to,
by anyone.  If the objection stands then the patent is not granted.
I don't know if you can lodge an objection by email and you will also
need to wait for the pending patent to be 'published'.  I don't know
if Cisco is obliged to provide relevant details if asked for, or
not.  A "pending patent" is not a "granted patent".

If you can get the right reference to the patent application, the
thing to do then is write to the USPTO (US Patent & Trademarks Office)
and object to the patent application citing a few reasons, such
as the following...

First, that there is an independent implementation of the ideas in
this document already available and that this has been available to
the public for some time.

Second, that the ideas expressed in this document are not novel and
are a relatively straightforward progression in thinking on this
topic.  One of the basic tenets of granting patents is that they
must be novel.  This follows on from the first suggestion, somewhat,
above.

Suggest that if the list of references on the patent application
does not cite OpenBSD then it is not correct and has been prepared
by staff who have not fully researched the subject matter of the
patent.

Another important consideration is that the document they have filed
as a "pending patent" is not necessarily what will appear as the final
patent granted, so there is also scope for convincing Cisco to adjust
their application such that it does not make any claims they are not
entitled to.

i.e. Cisco do not appear to be in a good position on this, given
developments by others, and rather than wait for the IETF to do
something about it, use the system Cisco is trying to use against
itself.

Note, that you cannot object to a patent until it is published
because until that point in time you can't know what its exact
contents are in order to object to, and the USPTO will just ignore
you.  Its filing ("patent pending"), publication and granting are
not all the same.  The only issue here is that its publication is
likely to happen at a point in time, in the future, when we've all
forgotten about it and are concerned with other things and so will
not be of a mind to write to the USPTO at the appropriate time.

Darren

In some mail from Theo de Raadt, sie said:

IETF is utterly diseased.  Cisco can't help it -- this is a US
business model.

Patenting security.

Feel free to give Robert at Cisco a call.

I wonder if he knows about the song yet.



http://www.ietf.org/ietf/IPR/cisco-ipr-draft-ietf-tcpm-tcpsecure.txt

Title: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure
Received: April 26, 2004
From: Robert Barr <rbarr () cisco com>

Cisco is the owner of one or more pending patent applications relating to
the subject matter of "Transmission Control Protocol security
considerations" <draft-ietf-tcpm-tcpsecure-00.txt>. If technology in this
document is included in a standard adopted by IETF and any claims of any
Cisco patents are necessary for practicing the standard, any party will be
able to obtain a license from Cisco to use any such patent claims under
reasonable, non-discriminatory terms, with reciprocity, to implement and
fully comply with the standard.

For information contact:

Robert Barr
Worldwide Patent Counsel
Cisco Systems
408-525-9706

rbarr () cisco com

------- End of Forwarded Message


