Jim Thompson of NetGate wrote a short analysis of the Nomadix gateway redirection patent, which he gave us permission to reproduce. Jim is the former CTO of Wayport and an engineer of many years' standing in the Wi-Fi industry. He writes about Rob Flickenger's response to the Nomadix patent on the NoCat mailing list. NoCat is an open-source authentication gateway project.
Here's Jim's email to me and a Freenetworks.org list. Some of the terminology may be obscure to those of you not in the industry, but I hope we can start a dialog to explain these parts.
(Disclaimer: Jim is representing his own opinion on his own time and his opinion doesn't represent the view of this site or any of his employers past and present.)
Jim writes:
[Rob writes] specifically:
I think the critical phrase from the press release is: "This redirection takes place regardless of the host computer's settings and without altering the user's browser settings."
Unfortunately, that has little or nothing to do with the patent. When one reads patents, one has to read the claims. The other text is basically fluff.
[Patent number] 6,636,894 has 11 claims. Of these, 2 are so-called "independent claims", and the other 9 depend on one of these two independent claims (or on another dependent claim.)
The two independent claims are #1 and #6.
1. A method for redirecting an original destination address access request to a redirected destination address, the method comprising the steps of:
receiving, at a gateway device, all original destination address access requests originating from a computer;
determining, at the gateway device, which of the original destination address requests require redirection;
storing the original destination address if redirection is required;
modifying, at the gateway device, the original destination address access request and communicating the modified request to a redirection server if redirection is required;
responding, at the redirection server, to the modified request with a browser redirect message that reassigns the modified request to an administrator-specified, redirected destination address;
intercepting, at the gateway device, the browser redirect message and modifying it with the stored original destination address; and
sending the modified browser redirect message to the computer, which automatically redirects the computer to the redirected destination address.
and
6. A system for redirecting an original destination address access request to a redirected destination address, the system comprising:
a computer that initiates original destination address requests;
a gateway device in communication with the computer, that receives the original destination address requests from the computer, determines if redirection of any of the original destination address requests is required, stores the original destination address request if redirection is required and modifies the original destination address request if redirection is required, and
a redirection server in communication with the gateway device that receives the modified request from the gateway device and responds with a browser redirect message that reassigns the request to an administrator-specified, redirect destination address, wherein the gateway device intercepts the browser redirect message and modifies the response with the stored original destination address before forwarding the browser redirect message to the computer and wherein the computer receives the modified browser redirect message and the computer is automatically redirected to the redirect destination address.
Note the lack of arp-hacks. That's a different patent. [Editor's note : ARP is Address Resolution Protocol, which maps unique Ethernet or Wi-Fi network interface card addresses to Internet Protocol addresses.]
So, the question becomes, does (for example) NoCatAuth [NoCat's software package] cross the line of (infringe) one or both of these claims? Let's look at claim 1:
receiving, at a gateway device, all original destination address access requests originating from a computer;
Check.
determining, at the gateway device, which of the original destination address requests require redirection;
Could be all of them. Check.
storing the original destination address if redirection is required;
maybe not.
modifying, at the gateway device, the original destination address access request and communicating the modified request to a redirection server if redirection is required;
Generate a new URL: Check.
responding, at the redirection server, to the modified request with a browser redirect message that reassigns the modified request to an administrator-specified, redirected destination address;
Send a 304. Check.
intercepting, at the gateway device, the browser redirect message and modifying it with the stored original destination address; and
maybe not?
sending the modified browser redirect message to the computer, which automatically redirects the computer to the redirected destination address.
Yep.
Given my 20 minutes of reading, NoCat (and the others) likely infringe on this patent. Note that you infringe if you "make, use, or sell" the invention.
The places to attack this are:
1) prior art, especially given the 1999 filing date. (Note that they could have a disclosure from up to a year before that.)
I may have some of that, from Wayport or even before. See the reference to the Cisco TACACS+ document? I know nothing about that.
Nor do I know anything about Cisco's Lock-and-Key, or an experiment to control access to a network via a web browser that took place in 1996. (ahem)
2) Other people (a company called ATCOM-INFO, subsequently acquired by CAIS Internet, and then sold to Cisco) were doing this long before Nomadix showed up on the scene. Cisco calls this BBSM now.
3) Ignore the damn thing. Use 802.1x/EAP. If the user can't authenticate, punt her packets (over a tunnel or vlan) back to some central point. Implement the Walled Garden/Captive Portal there. Once they authenticate there, open the port.
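To make the seven steps of claim 1 concrete, here is an added simulation of the gateway, the redirection server and the client exchange; it is example code written for this page, not NoCatAuth or Nomadix code. It assumes the portal address, the redirection server name, the authenticated-host set and the use of a 302 redirect, and it percent-encodes the stored destination before putting it in the Location header so the original URL cannot smuggle extra header lines or query parameters into the redirect.

```python
from urllib.parse import urlencode

PORTAL_URL = "https://portal.example/login"   # assumed portal address (captive portal page)
REDIRECT_SERVER = "redirect.example"          # assumed redirection server name
AUTHENTICATED = {"10.0.0.7"}                  # constructed: hosts that already logged in
stored_destinations = {}                      # client address -> original URL (claim step 3)

def parse_request(raw):
    """Return (method, path, host) from a minimal HTTP/1.1 request string."""
    lines = raw.split("\r\n")
    method, path, _ = lines[0].split(" ")
    headers = dict(h.split(": ", 1) for h in lines[1:] if ": " in h)
    return method, path, headers["Host"]

def redirection_server(modified_request):
    """Step 5: answer the gateway's modified request with a browser redirect to the portal."""
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n" % PORTAL_URL

def gateway(client_addr, raw_request):
    """Steps 1-4, 6 and 7 of claim 1; returns the response handed to the client,
    or None when the request needs no redirection and would be forwarded upstream."""
    method, path, host = parse_request(raw_request)        # step 1: every request arrives here
    original_url = "http://%s%s" % (host, path)
    if client_addr in AUTHENTICATED:                       # step 2: no redirection required
        return None                                        # pass-through not simulated
    stored_destinations[client_addr] = original_url        # step 3: remember where they wanted to go
    modified = "GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % REDIRECT_SERVER   # step 4: rewrite the request
    response = redirection_server(modified)
    # Step 6: intercept the redirect and rewrite Location with the stored destination.
    # urlencode percent-encodes it, so "?", "&" and CRLF in the URL cannot alter the header.
    head, body = response.split("\r\n\r\n", 1)
    rewritten = []
    for line in head.split("\r\n"):
        if line.lower().startswith("location:"):
            query = urlencode({"orig": stored_destinations[client_addr]})
            line = "Location: %s?%s" % (PORTAL_URL, query)
        rewritten.append(line)
    return "\r\n".join(rewritten) + "\r\n\r\n" + body      # step 7: browser follows this itself

def location_of(response):
    """Helper: pull the Location header out of a raw HTTP response."""
    for line in response.split("\r\n"):
        if line.lower().startswith("location: "):
            return line[len("Location: "):]
    return None

if __name__ == "__main__":
    req = "GET /news?id=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"   # constructed request
    print(gateway("10.0.0.9", req))
```

The portal that eventually sends the user back to `orig` should still validate that stored URL (scheme and host) before redirecting, or the parameter becomes an open redirect.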