BEHAVE WG                                                        F. Gont
Internet-Draft                                                   UTN/FRH
Intended status: BCP                                    October 27, 2008
Expires: April 30, 2009


   Security implications arising from the non-modification of protocol
          header fields by Network Address Translators (NATs)
                  draft-gont-behave-nat-security-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   This document may not be modified, and derivative works of it may not
   be created.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 30, 2009.

Abstract

   This document analyzes the security implications arising from the
   non-modification of some TCP and IP protocol header fields by Network
   Address Translators (NATs).

Table of Contents

   1.  Introduction
   2.  Internet Protocol version 4 (IPv4) header fields
       2.1.  Version
       2.2.  IHL
       2.3.  Type of Service
       2.4.  Total Length
       2.5.  Identification
       2.6.  Flags
       2.7.  Fragment Offset
       2.8.  Time to Live
       2.9.  Protocol
       2.10. Header Checksum
       2.11. Source Address
       2.12. Destination Address
       2.13. Options
       2.14. Padding
   3.  Transmission Control Protocol (TCP) header fields
       3.1.  Source Port
       3.2.  Destination Port
       3.3.  Sequence Number
       3.4.  Acknowledgment Number
       3.5.  Data Offset
       3.6.  Reserved
       3.7.  Flags
       3.8.  Window
       3.9.  Checksum
       3.10. Urgent Pointer
       3.11. Options
       3.12. Padding
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
       7.1.  Normative References
       7.2.  Informative References
   Author's Address
   Intellectual Property and Copyright Statements

1.  Introduction

   This document analyzes the security implications arising from the
   non-modification of some TCP and IP protocol header fields by Network
   Address Translators (NATs).

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Internet Protocol version 4 (IPv4) header fields

2.1.  Version

2.2.  IHL

2.3.  Type of Service

2.4.  Total Length

2.5.  Identification

2.6.  Flags

2.7.  Fragment Offset

2.8.  Time to Live

2.9.  Protocol

2.10.  Header Checksum

2.11.  Source Address

2.12.  Destination Address

2.13.  Options

2.14.  Padding

3.  Transmission Control Protocol (TCP) header fields

3.1.  Source Port

3.2.  Destination Port

3.3.  Sequence Number

3.4.  Acknowledgment Number

3.5.  Data Offset

3.6.  Reserved

3.7.  Flags

3.8.  Window

3.9.  Checksum

3.10.  Urgent Pointer

3.11.  Options

3.12.  Padding

4.  Security Considerations

5.  IANA Considerations

   This document has no actions for IANA.

6.  Acknowledgements

7.  References

7.1.  Normative References

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, September 1981.

   [RFC1122]  Braden, R., "Requirements for Internet Hosts -
              Communication Layers", STD 3, RFC 1122, October 1989.

   [RFC1323]  Jacobson, V., Braden, B., and D. Borman, "TCP Extensions
              for High Performance", RFC 1323, May 1992.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.
7.2.  Informative References

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, August 1999.

Author's Address

   Fernando Gont
   Universidad Tecnologica Nacional / Facultad Regional Haedo
   Evaristo Carriego 2644
   Haedo, Provincia de Buenos Aires 1706
   Argentina

   Phone: +54 11 4650 8472
   Email: fernando@gont.com.ar
   URI:   http://www.gont.com.ar

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.
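   The following Python script is an added example illustrating the
   subject stated in the Abstract and the Introduction; it is not part of
   the draft and is not the author's code.  It builds a constructed
   IPv4/TCP SYN from a host behind a NAT, applies the outbound rewrite
   that a basic NAPT performs (Source Address and Source Port, plus the
   two checksums that cover them), and then compares every field named
   in sections 2 and 3 before and after translation.  The addresses,
   ports, TTL, IP ID and TCP options are made up for the example, and
   the NAT is assumed to be a traditional NAPT in the sense of RFC 2663
   with no application-level gateway and no option rewriting; that
   assumption is the example's, not a statement from the draft.

```python
import struct

# Constructed sample endpoints (private/documentation ranges, not real hosts).
INSIDE_HOST = bytes([192, 168, 1, 10])    # host behind the NAT
NAT_EXTERNAL = bytes([198, 51, 100, 1])   # NAT's public address
SERVER = bytes([203, 0, 113, 5])          # destination on the Internet


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Split the IPv4 header into the fields listed in the draft's section 2."""
    vihl, tos, tlen, ident, fl_off, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = vihl & 0x0F
    return {"version": vihl >> 4, "ihl": ihl, "type_of_service": tos,
            "total_length": tlen, "identification": ident,
            "flags": fl_off >> 13, "fragment_offset": fl_off & 0x1FFF,
            "time_to_live": ttl, "protocol": proto, "header_checksum": csum,
            "source_address": src, "destination_address": dst,
            "options": pkt[20:ihl * 4]}


def parse_tcp(seg: bytes) -> dict:
    """Split the TCP header into the fields listed in the draft's section 3."""
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", seg[:20])
    doff = off_res >> 4
    return {"source_port": sport, "destination_port": dport,
            "sequence_number": seq, "acknowledgment_number": ack,
            "data_offset": doff, "reserved": off_res & 0x0F, "flags": flags,
            "window": win, "checksum": csum, "urgent_pointer": urg,
            "options": seg[20:doff * 4]}


def build_ipv4_tcp(src, dst, sport, dport, seq, ttl, ident, tcp_options=b""):
    """Build a SYN (no payload) with valid IPv4 and TCP checksums."""
    opts = tcp_options + b"\x00" * (-len(tcp_options) % 4)
    doff = 5 + len(opts) // 4
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, 0x02,
                      65535, 0, 0) + opts
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    seg = seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), ident,
                         0x4000, ttl, 6, 0, src, dst)
    return ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:] + seg


def napt_rewrite(pkt: bytes, ext_addr: bytes, ext_port: int) -> bytes:
    """Outbound translation by a basic NAPT (assumed model): rewrite the
    source address and source port and recompute the two checksums that
    cover them.  Every other byte is copied through untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, seg = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip_hdr[12:16] = ext_addr
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
    seg[0:2] = struct.pack("!H", ext_port)
    seg[16:18] = b"\x00\x00"
    pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, 6, len(seg))
    seg[16:18] = struct.pack("!H", checksum(pseudo + bytes(seg)))
    return bytes(ip_hdr + seg)


def checksums_valid(pkt: bytes) -> bool:
    """Both checksums verify when the covered bytes sum to 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, seg = pkt[:ihl], pkt[ihl:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return (ones_complement_sum(ip_hdr) == 0xFFFF
            and ones_complement_sum(pseudo + seg) == 0xFFFF)


def changed_fields(before: bytes, after: bytes):
    """Return (changed IPv4 fields, changed TCP fields); all others passed
    through the NAT exactly as the inside host set them."""
    b_ip, a_ip = parse_ipv4(before), parse_ipv4(after)
    b_tcp = parse_tcp(before[b_ip["ihl"] * 4:])
    a_tcp = parse_tcp(after[a_ip["ihl"] * 4:])
    return ({k for k in b_ip if b_ip[k] != a_ip[k]},
            {k for k in b_tcp if b_tcp[k] != a_tcp[k]})


# Constructed SYN: TTL, IP ID and TCP options (MSS, NOP, window scale)
# are the inside host's own values.
SYN_INSIDE = build_ipv4_tcp(INSIDE_HOST, SERVER, 40000, 443, 0x11223344,
                            ttl=64, ident=0x1234,
                            tcp_options=b"\x02\x04\x05\xb4\x01\x03\x03\x07")
SYN_OUTSIDE = napt_rewrite(SYN_INSIDE, NAT_EXTERNAL, 62000)

if __name__ == "__main__":
    ip_changed, tcp_changed = changed_fields(SYN_INSIDE, SYN_OUTSIDE)
    print("IPv4 fields rewritten by the NAT:", sorted(ip_changed))
    print("TCP fields rewritten by the NAT: ", sorted(tcp_changed))
    print("Checksums valid after translation:", checksums_valid(SYN_OUTSIDE))
```

   Running the script reports only Source Address and Header Checksum on
   the IPv4 side and Source Port and Checksum on the TCP side as
   rewritten.  Identification, Time to Live, Sequence Number, Window and
   the TCP options leave the NAT with exactly the values the inside host
   chose, which is the class of field the draft's title refers to.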