May 19, 2004 5:30 PM PDT

Cisco to patent security fix

Cisco Systems has applied for patents on technology that it claims will fix a flaw that has recently been found in one of the most common communications protocols.

Last month, Robert Barr, an in-house patent attorney for the company, publicly acknowledged that Cisco has applied for U.S. patents on fixes to a protocol called TCP, or Transmission Control Protocol. A flaw in this protocol, which is used for sending data over the Internet, was discovered last month by Paul Watson, a security specialist at industrial automation company Rockwell Automation. Watson's discovery resulted in a worldwide security warning that affected many vendors' products.

Cisco has also acknowledged that it plans to standardize some of the technology outlined in its patent applications. The company submitted an Internet draft to the Internet Engineering Task Force (IETF) on April 19.

The vulnerability allows what's known as a reset attack, which falsely terminates an established TCP connection or session between two devices. A third device, controlled by the attacker, sends a reset packet whose source IP address and port match those of one of the two endpoints. When the other endpoint accepts that reset packet, it terminates the connection.

Cisco's fix requires the receiver to acknowledge a reset packet by sending a packet back to the sender, thereby validating that the reset came from a legitimate host. The benefit of Cisco's solution is that devices implementing the IETF draft would have greater assurance that the reset packets they receive are valid. A further benefit is that it doesn't require every device on the Internet to be upgraded at the same time.

Watson commends Cisco for trying to solve the issue, but he said the new fixes could create other problems.

For one, Watson said that Cisco's solution could actually increase the risk of denial-of-service attacks. Because the Cisco solution requires the receiving device to send an acknowledgement packet every time it receives a reset packet, a spoofed attack could flood the network with extra packets.

Another potential problem could occur when a valid reset packet is sent but, for some reason, the device on the other side is unable to acknowledge it. Because no acknowledgement of the reset is received, the connection stays open. This could, for example, lead to a router sending packets over a connection that no longer exists; those packets would be dropped, because there is no router on the other side to receive them.

"In both instances the risk is relatively low, since these scenarios would only occur in specialized circumstances," Watson said. "But it is something that Cisco and the standards community should consider."

A better solution already exists in the standard version of TCP, Watson said. The protocol calls for devices to verify the sequence number carried in a reset packet before terminating a connection. But many vendors have not implemented this part of the standard, he said. Watson therefore recommends that vendors update their products to adhere to what is already in the standard, rather than updating gear to take advantage of Cisco's solution.
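The mechanics described in the preceding paragraphs (the reset attack, Cisco's acknowledge-the-reset fix, the acknowledgement-flood concern Watson raised, and the sequence check the standard already requires) can be seen side by side in a small model of one endpoint's decision on an incoming reset. The following is an added example, not code from the article, from Cisco's draft or from Watson: addresses, ports, window size and sequence numbers are constructed placeholders, the three policies are a simplified model rather than any real TCP stack, and the `ChallengeAckLimiter` is an assumed throttle added here to show how the flood concern can be contained.

```python
# Added example: a simplified model of how a TCP endpoint decides whether to
# honour an incoming RST under three policies. Not from the article or Cisco.
from dataclasses import dataclass

TCP_MOD = 1 << 32  # sequence numbers wrap modulo 2^32

@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    rst: bool = False

@dataclass
class Connection:
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int
    rcv_nxt: int             # next sequence number expected from the peer
    rcv_wnd: int             # advertised receive window, in bytes
    established: bool = True
    challenge_acks_sent: int = 0

    def matches(self, seg: Segment) -> bool:
        """True if the segment's addresses and ports are this connection's."""
        return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port) == (
            self.peer_ip, self.peer_port, self.local_ip, self.local_port)

    def in_window(self, seq: int) -> bool:
        """RCV.NXT <= seq < RCV.NXT + RCV.WND, with 32-bit wrap-around."""
        return (seq - self.rcv_nxt) % TCP_MOD < self.rcv_wnd

class ChallengeAckLimiter:
    """Assumed throttle: at most max_per_window challenge ACKs per window."""

    def __init__(self, max_per_window: int, window_seconds: float = 1.0):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.window_start = None
        self.sent = 0

    def allow(self, now: float) -> bool:
        if self.window_start is None or now - self.window_start >= self.window_seconds:
            self.window_start, self.sent = now, 0
        if self.sent < self.max_per_window:
            self.sent += 1
            return True
        return False

def handle_rst(conn, seg, policy, now=0.0, limiter=None):
    """Return 'ignore', 'reset' or 'challenge_ack'; updates conn in place."""
    if not seg.rst or not conn.established or not conn.matches(seg):
        return "ignore"
    if policy == "naive":
        # Matching addresses and ports suffice: what the reset attack relies on.
        conn.established = False
        return "reset"
    if policy == "rfc793":
        # Honour the RST only if its sequence number lies inside the window.
        if conn.in_window(seg.seq):
            conn.established = False
            return "reset"
        return "ignore"
    if policy == "challenge":
        # Exact match on RCV.NXT tears down; an in-window but inexact RST gets
        # a challenge ACK so a genuine peer can answer with a precise RST.
        if seg.seq == conn.rcv_nxt:
            conn.established = False
            return "reset"
        if conn.in_window(seg.seq) and (limiter is None or limiter.allow(now)):
            conn.challenge_acks_sent += 1
            return "challenge_ack"
        return "ignore"  # out of window, or throttled: stay up, send nothing
    raise ValueError(f"unknown policy {policy!r}")

def new_connection():
    """Constructed sample connection; addresses and ports are placeholders."""
    return Connection("192.0.2.10", 179, "198.51.100.20", 40000,
                      rcv_nxt=1_000_000, rcv_wnd=65_535)

def rst_from_peer(seq):
    """A RST whose addresses and ports match the peer's; only seq varies."""
    return Segment("198.51.100.20", 40000, "192.0.2.10", 179, seq, rst=True)

def flood_challenge_acks(n, limiter=None):
    """Challenge ACKs provoked by n in-window, inexact RSTs (the DoS concern)."""
    conn = new_connection()
    for _ in range(n):
        handle_rst(conn, rst_from_peer(conn.rcv_nxt + 1), "challenge", 0.0, limiter)
    return conn.challenge_acks_sent, conn.established
```

Under the `naive` policy a matching address and port are enough to drop the connection, which is the behaviour the article describes; `rfc793` applies the window check the standard already calls for, and `challenge` accepts only an exact reset while answering in-window guesses with an acknowledgement. Calling `flood_challenge_acks(1000)` shows the cost of that acknowledgement: the connection survives, but every spoofed reset provokes an outgoing packet. With `ChallengeAckLimiter(100)` the connection still survives and at most 100 acknowledgements leave per window, which is the kind of cap a stack would want before adopting the acknowledge-the-reset approach.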

In addition to seeking patents on the technology, Cisco is also working within the IETF to make its solution a standard. Cisco is not the first company to patent technologies that have become standards. Others including Lucent Technologies, 3Com, Nortel Networks and Siemens have also patented technologies that are included in IETF standards.

A Cisco spokeswoman said the company would not charge licensing fees for the use of the technology if it is granted patents and the draft becomes an official IETF standard.

"While many companies charge royalties for implementing their patented technology in a standard, Cisco has never charged royalties for implementing its patented technology in a standard and will not with respect to this solution, should it be standardized," Cisco spokeswoman Penny Bruce said in an e-mail. "The company does retain the right to use its patent defensively if another party asserts patents against Cisco."

Cisco's pledge that it will not charge for the use of the patent is encouraging, Watson said.

"Everyone's worst fear is that Cisco will patent the idea and then charge royalties for its use, to the detriment of the security of all TCP-based devices," he said. "Since Cisco is publicly assuring that this will not happen, then I am confident that they would not pursue this route."

2 comments

Sisco is trying to own TCP.
From now on, every packet of data sent will have to pay a royalty to Sisco. Why didn't Microsoft think of this? Oh well, just one more patent for MS to steal.
Posted by bjbrock (98 comments)
Cisco Security leak
To Cisco Corporate - I can supply a program with which you can take your source code and transform it into a one-time pad. To decrypt it, the receiver only needs a companion disc inserted in his PC. If you are interested you can contact me at jincarna@aol.com
Posted by (1 comment)