May 19, 2004 5:30 PM PDT
Cisco to patent security fix
Last month, Robert Barr, an in-house patent attorney for Cisco, publicly acknowledged that the company has applied for U.S. patents on fixes to a protocol called TCP, or Transmission Control Protocol. A flaw in this protocol, which is used for sending data over the Internet, was discovered last month by Paul Watson, a security specialist at industrial automation company Rockwell Automation. Watson's discovery resulted in a worldwide security warning that affected many vendors' products.
Cisco has also acknowledged that it plans to standardize some of the technology outlined in its patent applications. The company submitted an Internet draft to the Internet Engineering Task Force (IETF) on April 19.
The vulnerability allows for what's known as a reset attack, which falsely terminates an established TCP connection, or session, between two devices. The attack works like this: a third device, or hacker, sends a reset packet whose source port and IP address match one of the two devices in the connection. When the other device receives that reset packet, it terminates the connection.
Cisco's fix requires the receiver to acknowledge the reset packet by sending a packet back to the sender, thus validating that the reset packet is coming from a valid host. The benefit of Cisco's solution is that devices using the IETF draft would have a greater assurance that the reset packets they are receiving are valid. The other benefit is that it doesn't require every device on the Internet to be upgraded at the same time.
Watson commends Cisco for trying to solve the issue, but he said the new fixes could create other problems.
For one, Watson said that Cisco's solution could actually increase the risk of denial of service attacks. Because the Cisco solution requires the receiving device to send an acknowledgement packet every time it receives a reset packet, a spoofed attack could flood the network with extra packets.
Another potential problem could occur when a valid reset packet is sent, but for some reason the device on the other side is unable to acknowledge it. Because an acknowledgement of the reset wasn't received, the connection stays open. For example, this could lead to a router sending packets to a bogus connection that no longer exists. This would result in packets being dropped, because there isn't a router on the other side to receive them.
"In both instances the risk is relatively low, since these scenarios would only occur in specialized circumstances," Watson said. "But it is something that Cisco and the standards community should consider."
A better solution already exists in the standard version of TCP, Watson said. The protocol calls for devices to verify the sequence number of a reset packet before terminating a connection. But many vendors have not implemented this piece of the standard, he said. So Watson recommends that vendors update their products to adhere to what's already available in the standard, rather than updating gear to take advantage of Cisco's solution.
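The three behaviours the article contrasts can be put side by side in a small receiver-side model. This is an added example, not code from the article, Cisco or the IETF draft: it feeds constructed reset packets to an endpoint that either accepts any reset matching the connection, applies the RFC 793 rule (accept only if the sequence number falls inside the receive window), or applies an assumed, simplified challenge-ACK rule in the spirit of the Cisco draft as the article describes it. The sequence numbers and window size are made up.

```python
from dataclasses import dataclass

WRAP = 2**32


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 test: accept a RST only if rcv_nxt <= seq < rcv_nxt+rcv_wnd (mod 2^32)."""
    return (seq - rcv_nxt) % WRAP < rcv_wnd


@dataclass
class Endpoint:
    rcv_nxt: int              # next sequence number this side expects to receive
    rcv_wnd: int              # advertised receive window
    policy: str               # "any" | "window" | "challenge"
    open: bool = True
    challenge_acks: int = 0   # extra packets sent back: the amplification Watson raises

    def on_rst(self, seq):
        """Decide what one RST that already matches the 4-tuple does to this connection."""
        if not self.open:
            return "closed"
        if self.policy == "any" or seq == self.rcv_nxt:
            self.open = False            # no sequence check at all, or an exact match
            return "reset"
        if not in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return "dropped"             # out-of-window RST: both checking policies ignore it
        if self.policy == "window":
            self.open = False            # RFC 793: any in-window RST tears the connection down
            return "reset"
        # Assumed challenge-ACK rule (simplified from the draft as the article describes it):
        # an in-window but inexact RST is not trusted; a packet is sent back instead, so a
        # spoofed RST now costs the receiver one outbound packet each time.
        self.challenge_acks += 1
        return "challenge-ack"


def run(policy, rsts, rcv_nxt=1_000_000, rcv_wnd=65_535):
    """Feed constructed RST sequence numbers to a fresh endpoint; return (still_open, acks, verdicts)."""
    ep = Endpoint(rcv_nxt, rcv_wnd, policy)
    verdicts = [ep.on_rst(s) for s in rsts]
    return ep.open, ep.challenge_acks, verdicts


# Constructed spoofed RSTs: a blind guess far outside the window, an in-window guess,
# then the exact expected value that a genuine peer would send.
SPOOFED = [5, 1_000_000 + 3_000, 1_000_000]

if __name__ == "__main__":
    for policy in ("any", "window", "challenge"):
        print(policy, run(policy, SPOOFED))
```

Feeding the same in-window guess a hundred times to the "challenge" endpoint keeps the connection open but emits a hundred reply packets, which is the denial-of-service trade-off Watson describes; the "window" endpoint instead drops the connection on the first in-window guess.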
In addition to seeking patents on the technology, Cisco is also working within the IETF to make its solution a standard. Cisco is not the first company to patent technologies that have become standards. Others including Lucent Technologies, 3Com, Nortel Networks and Siemens have also patented technologies that are included in IETF standards.
A Cisco spokeswoman said the company would not charge licensing fees for the use of the technology if it is granted patents and the draft becomes an official IETF standard.
"While many companies charge royalties for implementing their patented technology in a standard, Cisco has never charged royalties for implementing its patented technology in a standard and will not with respect to this solution, should it be standardized," Cisco spokeswoman Penny Bruce said in an e-mail. "The company does retain the right to use its patent defensively if another party asserts patents against Cisco."
Cisco's pledge that it will not charge for the use of the patent is encouraging, Watson said.
"Everyone's worst fear is that Cisco will patent the idea and then charge royalties for its use, to the detriment of the security of all TCP-based devices," he said. "Since Cisco is publicly assuring that this will not happen, then I am confident that they would not pursue this route."