Operational Security Capabilities                                F. Gont
for IP Network Infrastructure                                    UTN/FRH
(opsec)                                                        S. Fouant
Internet-Draft                                       Shortest Path First
Intended status: BCP                                       February 2010
Expires: August 5, 2010

IP Options Filtering Recommendations
draft-gont-opsec-ip-options-filtering-00.txt

Abstract

This document provides advice on the filtering of packets based on the IP options they contain. Additionally, it discusses the operational and interoperability implications of such filtering.

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on August 5, 2010.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.

Table of Contents

1. Introduction
2. IP Options
3. Processing requirements
4. Advice on handling of specific IP Options
   4.1. End of Option List (Type = 0)
      4.1.1. Uses
      4.1.2. Option specification
      4.1.3. Threats
      4.1.4. Operational/interoperability impact if blocked
      4.1.5. Advice
   4.2. No Operation (Type = 1)
      4.2.1. Uses
      4.2.2. Option specification
      4.2.3. Threats
      4.2.4. Operational/interoperability impact if blocked
      4.2.5. Advice
   4.3. Loose Source and Record Route (LSRR) (Type = 131)
      4.3.1. Uses
      4.3.2. Option specification
      4.3.3. Threats
      4.3.4. Operational/interoperability impact if blocked
      4.3.5. Advice
   4.4. Strict Source and Record Route (SSRR) (Type = 137)
      4.4.1. Uses
      4.4.2. Option specification
      4.4.3. Threats
      4.4.4. Operational/interoperability impact if blocked
      4.4.5. Advice
   4.5. Record Route (Type = 7)
      4.5.1. Uses
      4.5.2. Option specification
      4.5.3. Threats
      4.5.4. Operational/interoperability impact if blocked
      4.5.5. Advice
   4.6. Stream Identifier (Type = 136)
      4.6.1. Uses
      4.6.2. Option specification
      4.6.3. Threats
      4.6.4. Operational/interoperability impact if blocked
      4.6.5. Advice
   4.7. Internet Timestamp (Type = 68)
      4.7.1. Uses
      4.7.2. Option specification
      4.7.3. Threats
      4.7.4. Operational/interoperability impact if blocked
      4.7.5. Advice
   4.8. Router Alert (Type = 148)
      4.8.1. Uses
      4.8.2. Option specification
      4.8.3. Threats
      4.8.4. Operational/interoperability impact if blocked
      4.8.5. Advice
   4.9. Probe MTU (Type = 11) (obsolete)
      4.9.1. Uses
      4.9.2. Option specification
      4.9.3. Threats
      4.9.4. Operational/interoperability impact if blocked
      4.9.5. Advice
   4.10. Reply MTU (Type = 12) (obsolete)
      4.10.1. Uses
      4.10.2. Option specification
      4.10.3. Threats
      4.10.4. Operational/interoperability impact if blocked
      4.10.5. Advice
   4.11. Traceroute (Type = 82)
      4.11.1. Uses
      4.11.2. Option specification
      4.11.3. Threats
      4.11.4. Operational/interoperability impact if blocked
      4.11.5. Advice
   4.12. DoD Basic Security Option (Type = 130)
      4.12.1. Uses
      4.12.2. Option specification
      4.12.3. Threats
      4.12.4. Operational/interoperability impact if blocked
      4.12.5. Advice
   4.13. DoD Extended Security Option (Type = 133)
      4.13.1. Uses
      4.13.2. Option specification
      4.13.3. Threats
      4.13.4. Operational/interoperability impact if blocked
      4.13.5. Advice
   4.14. Commercial IP Security Option (CIPSO) (Type = 134)
      4.14.1. Uses
      4.14.2. Option specification
      4.14.3. Threats
      4.14.4. Operational/interoperability impact if blocked
      4.14.5. Advice
   4.15. Sender Directed Multi-Destination Delivery (Type = 149)
      4.15.1. Uses
      4.15.2. Option specification
      4.15.3. Threats
      4.15.4. Operational/interoperability impact if blocked
      4.15.5. Advice
5. Security Considerations
6. Acknowledgements
7. References
   7.1. Normative References
   7.2. Informative References
Appendix A. Changes from previous versions of the draft (to be removed by the RFC Editor before publishing this document as an RFC)
Authors' Addresses

1. Introduction

This document provides advice on the filtering of IP Options within IPv4 headers. Various protocols may use IP Options to some extent; therefore, the filtering of such options may have implications for the proper functioning of those protocols.
As such, this document attempts to discuss the operational and interoperability implications of such filtering. Additionally, this document outlines what a network operator might do in a typical enterprise or Service Provider environment.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. IP Options

IP options allow for the extension of the Internet Protocol.

There are two cases for the format of an option:

o Case 1: A single byte of option-type.

o Case 2: An option-type byte, an option-length byte, and the actual option-data bytes.

In Case 2, the option-length byte counts the option-type byte and the option-length byte, as well as the actual option-data bytes.

All current and future options, except "End of Option List" (Type = 0) and "No Operation" (Type = 1), are of Case 2.

The option-type has three fields:

o 1 bit: copied flag.

o 2 bits: option class.

o 5 bits: option number.

The copied flag indicates whether this option should be copied to all fragments in the event the packet carrying it needs to be fragmented:

o 0 = not copied.

o 1 = copied.

The values for the option class are:

o 0 = control.

o 1 = reserved for future use.

o 2 = debugging and measurement.

o 3 = reserved for future use.

This format allows for the creation of new options for the extension of the Internet Protocol (IP).

Finally, the option number identifies the syntax of the rest of the option.

[IANA2006b] contains the list of the currently assigned IP option numbers.

3. Processing requirements

Router manufacturers tend to do IP option processing on the main processor, rather than on line cards.
Unless special care is taken, this represents a Denial of Service (DoS) risk, as there is potential for overwhelming the router with option processing.

The following sections contain a description of each of the IP options that have so far been specified, a discussion of possible interoperability implications if packets containing such options are filtered, and specific advice on whether to filter packets containing these options in a typical enterprise or Service Provider environment.

4. Advice on handling of specific IP Options

4.1. End of Option List (Type = 0)

4.1.1. Uses

This option is used to indicate the "end of options" in those cases in which the end of options would not coincide with the end of the Internet Protocol Header.

4.1.2. Option specification

Specified in RFC 791 [RFC0791].

4.1.3. Threats

TBD

4.1.4. Operational/interoperability impact if blocked

Packets containing any IP options are likely to include an End of Option List. Therefore, if packets containing this option are filtered, it is very likely that legitimate traffic is filtered.

4.1.5. Advice

Do not filter packets containing this option.

4.2. No Operation (Type = 1)

4.2.1. Uses

The no-operation option is basically meant to allow the sending system to align subsequent options on, for example, 32-bit boundaries.

4.2.2. Option specification

Specified in RFC 791 [RFC0791].

4.2.3. Threats

TBD

4.2.4. Operational/interoperability impact if blocked

4.2.5. Advice

Do not filter packets containing this option.

4.3. Loose Source and Record Route (LSRR) (Type = 131)

RFC 791 states that this option should appear, at most, once in a given packet. Thus, if a packet contains more than one LSRR option, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).
Additionally, packets containing a combination of LSRR and SSRR options should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).

4.3.1. Uses

This option lets the originating system specify a number of intermediate systems a packet must pass through to get to the destination host. Additionally, the route followed by the packet is recorded in the option. The receiving host (end-system) must use the reverse of the path contained in the received LSRR option.

The LSRR option can be of help in debugging some network problems. Some ISP (Internet Service Provider) peering agreements require support for this option in the routers of the ISP's peers.

4.3.2. Option specification

Specified in RFC 791 [RFC0791].

4.3.3. Threats

The LSRR option has well-known security implications. Among other things, the option can be used to:

o Bypass firewall rules

o Reach otherwise unreachable internet systems

o Establish TCP connections in a stealthy way

o Learn about the topology of a network

o Perform bandwidth-exhaustion attacks

Of these attack vectors, the one that has probably received least attention is the use of the LSRR option to perform bandwidth-exhaustion attacks. The LSRR option can be used as an amplification method for performing bandwidth-exhaustion attacks, as an attacker could make a packet bounce multiple times between a number of systems by carefully crafting an LSRR option.

This is the IPv4 version of the IPv6 amplification attack that was widely publicized in 2007 [Biondi2007]. The only difference is that the maximum length of the IPv4 header (and hence the LSRR option) limits the amplification factor when compared to the IPv6 counterpart.

4.3.4. Operational/interoperability impact if blocked

TBD

4.3.5. Advice

All systems should, by default, drop IP packets that contain an LSRR option.

4.4. Strict Source and Record Route (SSRR) (Type = 137)

4.4.1. Uses

This option allows the originating system to specify a number of intermediate systems a packet must pass through to get to the destination host. Additionally, the route followed by the packet is recorded in the option, and the destination host (end-system) must use the reverse of the path contained in the received SSRR option.

This option is similar to the Loose Source and Record Route (LSRR) option, with the only difference that in the case of SSRR, the route specified in the option is the exact route the packet must take (i.e., no other intervening routers are allowed to be in the route).

The SSRR option can be of help in debugging some network problems. Some ISP (Internet Service Provider) peering agreements require support for this option in the routers of the ISP's peers.

4.4.2. Option specification

Specified in RFC 791 [RFC0791].

4.4.3. Threats

The SSRR option has the same security implications as the LSRR option. Please refer to Section 4.3 for a discussion of such security implications.

4.4.4. Operational/interoperability impact if blocked

TBD

4.4.5. Advice

All systems should, by default, drop IP packets that contain an SSRR option.

4.5. Record Route (Type = 7)

4.5.1. Uses

This option provides a means to record the route that a given packet follows.

4.5.2. Option specification

Specified in RFC 791 [RFC0791].

4.5.3. Threats

This option can be exploited to map the topology of a network. However, the limited space in the IP header limits the usefulness of this option for that purpose.

4.5.4. Operational/interoperability impact if blocked

TBD

4.5.5. Advice

Drop IP packets that contain a Record Route option.

4.6. Stream Identifier (Type = 136)

The Stream Identifier option originally provided a means for the 16-bit SATNET stream identifier to be carried through networks that did not support the stream concept.

However, as stated by Section 4.2.2.1 of RFC 1812 [RFC1812], this option is obsolete. Therefore, it must be ignored by the processing systems.

In the case of legacy systems still using this option, the length field of the option should be checked to be 4. If the option does not pass this check, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).

RFC 791 states that this option appears at most once in a given datagram. Therefore, if a packet contains more than one instance of this option, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).

4.6.1. Uses

4.6.2. Option specification

Specified in RFC 791 [RFC0791].

4.6.3. Threats

4.6.4. Operational/interoperability impact if blocked

4.6.5. Advice

4.7. Internet Timestamp (Type = 68)

4.7.1. Uses

This option provides a means for recording the time at which each system processed this datagram.

4.7.2. Option specification

Specified by RFC 791 [RFC0791].

4.7.3. Threats

The timestamp option has a number of security implications. Among them are:

o It allows an attacker to obtain the current time of the systems that process the packet, which the attacker may find useful in a number of scenarios.

o It may be used to map the network topology, in a similar way to the IP Record Route option.

o It may be used to fingerprint the operating system in use by a system processing the datagram.

o It may be used to fingerprint physical devices, by analyzing the clock skew.
[Kohno2005] describes a technique for fingerprinting devices by measuring the clock skew. It exploits, among other things, the timestamps that can be obtained by means of ICMP timestamp request messages [RFC0791]. However, the same fingerprinting method could be implemented with the aid of the Internet Timestamp option.

4.7.4. Operational/interoperability impact if blocked

TBD.

4.7.5. Advice

Filter IP packets that contain an Internet Timestamp option.

4.8. Router Alert (Type = 148)

4.8.1. Uses

The Router Alert option has the semantic "routers should examine this packet more closely, if they participate in the functionality denoted by the Value of the option".

4.8.2. Option specification

The Router Alert option is defined in RFC 2113 [RFC2113], and later updates to it have been clarified by RFC 5350 [RFC5350]. It contains a 16-bit Value governed by an IANA registry (see [RFC5350]).

4.8.3. Threats

TBD.

4.8.4. Operational/interoperability impact if blocked

TBD

4.8.5. Advice

TBD

4.9. Probe MTU (Type = 11) (obsolete)

4.9.1. Uses

This option originally provided a mechanism to discover the Path-MTU. It has been declared obsolete.

4.9.2. Option specification

This option was defined in RFC 1063 [RFC1063]. This option is obsolete.

4.9.3. Threats

None

4.9.4. Operational/interoperability impact if blocked

None

4.9.5. Advice

Filter IP packets that contain a Probe MTU option.

4.10. Reply MTU (Type = 12) (obsolete)

4.10.1. Uses

This option originally provided a mechanism to discover the Path-MTU. It is now obsolete.

4.10.2. Option specification

This option was originally specified by RFC 1063 [RFC1063], and is now obsolete.

4.10.3. Threats

None.

4.10.4. Operational/interoperability impact if blocked

None

4.10.5. Advice

Filter IP packets that contain a Reply MTU option.
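Added example, not part of the draft: a Python parser for the IPv4 options field following the Case 1/Case 2 layout and the three option-type fields of Section 2, plus a filter that applies the Section 4 advice given through 4.11 (the duplicate-LSRR and LSRR+SSRR rules of 4.3, the Stream Identifier length and count checks of 4.6, and the per-option drop advice), with a counter standing in for the logging the draft suggests. The sample option fields are constructed; Router Alert and the security options, for which the draft's advice is still TBD, are passed through.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Option-type values used by the draft (type byte = copied flag | class | number).
EOL, NOP, RR, PROBE_MTU, REPLY_MTU = 0, 1, 7, 11, 12
TIMESTAMP, TRACEROUTE, LSRR, SID, SSRR = 68, 82, 131, 136, 137
MAX_OPTIONS_LEN = 40  # IHL caps the header at 60 bytes, 20 of which are fixed fields


@dataclass
class IPOption:
    type: int     # the full option-type byte
    length: int   # total length: 1 for Case 1 options, the length byte for Case 2
    data: bytes   # option-data bytes (empty for Case 1 options)

    @property
    def copied(self) -> int:
        return (self.type >> 7) & 0x1   # 1 bit: copy the option into every fragment

    @property
    def option_class(self) -> int:
        return (self.type >> 5) & 0x3   # 2 bits: 0 = control, 2 = debugging/measurement

    @property
    def number(self) -> int:
        return self.type & 0x1F         # 5 bits: option number


def parse_options(raw: bytes) -> List[IPOption]:
    """Decode an IPv4 options field (the bytes after the fixed 20-byte header).
    Case 1 (EOL, NOP) is a lone type byte; every other option is type, length,
    data, with the length byte counting all three.  Bad lengths raise ValueError."""
    if len(raw) > MAX_OPTIONS_LEN:
        raise ValueError(f"options field of {len(raw)} bytes exceeds {MAX_OPTIONS_LEN}")
    opts: List[IPOption] = []
    i = 0
    while i < len(raw):
        t = raw[i]
        if t == EOL:                  # anything after EOL is header padding
            opts.append(IPOption(t, 1, b""))
            break
        if t == NOP:
            opts.append(IPOption(t, 1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option type {t} has no length byte")
        ln = raw[i + 1]
        if ln < 2 or i + ln > len(raw):
            raise ValueError(f"option type {t} has invalid length {ln}")
        opts.append(IPOption(t, ln, raw[i + 2:i + ln]))
        i += ln
    return opts


# Option types the draft says to drop on sight, with the subsection giving the advice.
DROP_BY_TYPE = {LSRR: "4.3.5", SSRR: "4.4.5", RR: "4.5.5", TIMESTAMP: "4.7.5",
                PROBE_MTU: "4.9.5", REPLY_MTU: "4.10.5", TRACEROUTE: "4.11.5"}
drop_counters: Counter = Counter()  # the per-event counter logging the draft suggests


def _drop(reason: str) -> Tuple[str, str]:
    drop_counters[reason] += 1
    return "drop", reason


def filter_verdict(raw: bytes) -> Tuple[str, str]:
    """Return ("accept", reason) or ("drop", reason) for one packet's options field."""
    try:
        opts = parse_options(raw)
    except ValueError as exc:
        return _drop(f"malformed options: {exc}")
    counts = Counter(o.type for o in opts)
    # Section 4.3: LSRR at most once, and never together with SSRR.
    if counts[LSRR] > 1:
        return _drop("more than one LSRR option (Section 4.3)")
    if counts[LSRR] and counts[SSRR]:
        return _drop("LSRR combined with SSRR (Section 4.3)")
    # Section 4.6: Stream Identifier at most once, and its length field must be 4.
    if counts[SID] > 1:
        return _drop("more than one Stream Identifier option (Section 4.6)")
    for o in opts:
        if o.type == SID and o.length != 4:
            return _drop(f"Stream Identifier length {o.length} != 4 (Section 4.6)")
    # Per-type advice.  EOL, NOP, Router Alert and the security options, for which
    # the draft's advice is still TBD, fall through and are accepted.
    for o in opts:
        if o.type in DROP_BY_TYPE:
            return _drop(f"option type {o.type} present (Section {DROP_BY_TYPE[o.type]})")
    return "accept", "no filtered option present"


if __name__ == "__main__":
    samples = {  # constructed option fields, not captured traffic
        "nop nop eol": b"\x01\x01\x00",
        "lsrr via 192.0.2.1": b"\x83\x07\x04\xc0\x00\x02\x01",
        "lsrr + ssrr": b"\x83\x07\x04\xc0\x00\x02\x01\x89\x07\x04\xc0\x00\x02\x02",
        "bad length": b"\x83\x01",
    }
    for name, field in samples.items():
        print(f"{name:20s} -> {filter_verdict(field)}")
```

The checks run in the order the draft states them, so a packet with two LSRR options is reported as a duplicate rather than merely as carrying LSRR; reorder the checks if the per-type counter is the one you want incremented.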
4.11. Traceroute (Type = 82)

4.11.1. Uses

   This option originally provided a mechanism to trace the path to a host.

4.11.2. Option specification

   This option was originally specified by RFC 1393 [RFC1393].  It has been declared obsolete.

4.11.3. Threats

   None.

4.11.4. Operational/interoperability impact if blocked

   None.

4.11.5. Advice

   Filter IP packets that contain a Traceroute option.

4.12. DoD Basic Security Option (Type = 130)

4.12.1. Uses

   This option is used by Multi-Level-Secure (MLS) end-systems and intermediate systems in specific environments to [RFC1108]:

   o  Transmit from source to destination in a network standard representation the common security labels required by computer security models,

   o  Validate the datagram as appropriate for transmission from the source and delivery to the destination, and,

   o  Ensure that the route taken by the datagram is protected to the level required by all protection authorities indicated on the datagram.

   The DoD Basic Security Option is currently implemented in a number of operating systems (e.g., [IRIX2008], [SELinux2008], [Solaris2008], and [Cisco2008]), and deployed in a number of high-security networks.

4.12.2. Option specification

   It is specified by RFC 1108 [RFC1108] (which obsoletes RFC 1038 [RFC1038]).

   RFC 791 [RFC0791] defined the "Security Option" (Type = 130), which used the same option type as the DoD Basic Security Option discussed in this section.  The "Security Option" specified in RFC 791 is considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122], and therefore the discussion in this section is focused on the DoD Basic Security Option specified by RFC 1108 [RFC1108].

   Section 4.2.2.1 of RFC 1812 [RFC1812] states that routers "SHOULD implement this option".

4.12.3. Threats

   TBD.

4.12.4. Operational/interoperability impact if blocked

   TBD.

4.12.5. Advice

   TBD.

4.13. DoD Extended Security Option (Type = 133)

4.13.1. Uses

   This option permits additional security labeling information, beyond that present in the Basic Security Option (Section 4.12), to be supplied in an IP datagram to meet the needs of registered authorities.

4.13.2. Option specification

   This option is specified by RFC 1108 [RFC1108].

4.13.3. Threats

   TBD.

4.13.4. Operational/interoperability impact if blocked

   TBD.

4.13.5. Advice

   TBD.

4.14. Commercial IP Security Option (CIPSO) (Type = 134)

4.14.1. Uses

   This option was proposed by the Trusted Systems Interoperability Group (TSIG), with the intent of meeting trusted networking requirements for the commercial trusted systems marketplace.

   It is currently implemented in a number of operating systems (e.g., IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris [Solaris2008]), and deployed in a number of high-security networks.

4.14.2. Option specification

   This option is specified in [CIPSO1992] and [FIPS1994].

4.14.3. Threats

   TBD.

4.14.4. Operational/interoperability impact if blocked

   TBD.

4.14.5. Advice

   TBD.

4.15. Sender Directed Multi-Destination Delivery (Type = 149)

4.15.1. Uses

   This option originally provided unreliable UDP delivery to a set of addresses included in the option.  It is currently obsolete.

4.15.2. Option specification

   This option is defined in RFC 1770 [RFC1770].

4.15.3. Threats

   TBD.

4.15.4. Operational/interoperability impact if blocked

   TBD.

4.15.5. Advice

   TBD.

5. Security Considerations

   This document provides advice on the filtering of IP packets that contain IP options.

6. Acknowledgements

   Part of this document is based on the document "Security Assessment of the Internet Protocol" [CPNI2008], which is the result of a project carried out by Fernando Gont on behalf of UK CPNI (formerly NISCC).

   Fernando Gont would like to thank UK CPNI (formerly NISCC) for their continued support.

7. References

7.1. Normative References

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981.

   [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware", STD 37, RFC 826, November 1982.

   [RFC1038]  St. Johns, M., "Draft revised IP security option", RFC 1038, January 1988.

   [RFC1063]  Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP MTU discovery options", RFC 1063, July 1988.

   [RFC1108]  Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.

   [RFC1112]  Deering, S., "Host extensions for IP multicasting", STD 5, RFC 1112, August 1989.

   [RFC1122]  Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, October 1989.

   [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, November 1990.

   [RFC1349]  Almquist, P., "Type of Service in the Internet Protocol Suite", RFC 1349, July 1992.

   [RFC1393]  Malkin, G., "Traceroute Using an IP Option", RFC 1393, January 1993.

   [RFC1770]  Graff, C., "IPv4 Option for Sender Directed Multi-Destination Delivery", RFC 1770, March 1995.

   [RFC1812]  Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995.

   [RFC2113]  Katz, D., "IP Router Alert Option", RFC 2113, February 1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, December 1998.

   [RFC2475]  Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., and W. Weiss, "An Architecture for Differentiated Services", RFC 2475, December 1998.

   [RFC2644]  Senie, D., "Changing the Default for Directed Broadcasts in Routers", BCP 34, RFC 2644, August 1999.

   [RFC3927]  Cheshire, S., Aboba, B., and E. Guttman, "Dynamic Configuration of IPv4 Link-Local Addresses", RFC 3927, May 2005.

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU Discovery", RFC 4821, March 2007.

   [RFC5735]  Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", BCP 153, RFC 5735, January 2010.

7.2. Informative References

   [Anderson2001]  Anderson, J., "An Analysis of Fragmentation Attacks", Available at: http://www.ouah.org/fragma.html, 2001.

   [Arkin2000]  Arkin, O., "IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more)", http://ofirarkin.files.wordpress.com/2008/11/ofirarkin2000-06.pdf, 2000.

   [Barisani2006]  Barisani, A., "FTester - Firewall and IDS testing tool", Available at: http://dev.inversepath.com/trac/ftester, 2001.

   [Bellovin1989]  Bellovin, S., "Security Problems in the TCP/IP Protocol Suite", Computer Communication Review Vol. 19, No. 2, pp. 32-48, 1989.

   [Bellovin2002]  Bellovin, S., "A Technique for Counting NATted Hosts", IMW'02, Nov. 6-8, 2002, Marseille, France, 2002.

   [Bendi1998]  Bendi, "Boink exploit", http://www.insecure.org/sploits/95.NT.fragmentation.bonk.html, 1998.

   [Biondi2007]  Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", CanSecWest 2007 Security Conference, http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf, 2007.
   [CERT1996a]  CERT, "CERT Advisory CA-1996-01: UDP Port Denial-of-Service Attack", http://www.cert.org/advisories/CA-1996-01.html, 1996.

   [CERT1996b]  CERT, "CERT Advisory CA-1996-21: TCP SYN Flooding and IP Spoofing Attacks", http://www.cert.org/advisories/CA-1996-21.html, 1996.

   [CERT1996c]  CERT, "CERT Advisory CA-1996-26: Denial-of-Service Attack via ping", http://www.cert.org/advisories/CA-1996-26.html, 1996.

   [CERT1997]  CERT, "CERT Advisory CA-1997-28: IP Denial-of-Service Attacks", http://www.cert.org/advisories/CA-1997-28.html, 1997.

   [CERT1998a]  CERT, "CERT Advisory CA-1998-01: Smurf IP Denial-of-Service Attacks", http://www.cert.org/advisories/CA-1998-01.html, 1998.

   [CERT1998b]  CERT, "CERT Advisory CA-1998-13: Vulnerability in Certain TCP/IP Implementations", http://www.cert.org/advisories/CA-1998-13.html, 1998.

   [CERT1999]  CERT, "CERT Advisory CA-1999-17: Denial-of-Service Tools", http://www.cert.org/advisories/CA-1999-17.html, 1999.

   [CERT2001]  CERT, "CERT Advisory CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence Numbers", http://www.cert.org/advisories/CA-2001-09.html, 2001.

   [CERT2003]  CERT, "CERT Advisory CA-2003-15: Cisco IOS Interface Blocked by IPv4 Packet", http://www.cert.org/advisories/CA-2003-15.html, 2003.

   [CIPSO1992]  CIPSO, "COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)", IETF Internet-Draft (draft-ietf-cipso-ipsecurity-01.txt), work in progress, 1992.

   [CIPSOWG1994]  CIPSOWG, "Commercial Internet Protocol Security Option (CIPSO) Working Group", http://www.ietf.org/proceedings/94jul/charters/cipso-charter.html, 1994.

   [CPNI2008]  Gont, F., "Security Assessment of the Internet Protocol", http://www.cpni.gov.uk/Docs/InternetProtocol.pdf, 2008.

   [Cerf1974]  Cerf, V. and R. Kahn, "A Protocol for Packet Network Intercommunication", IEEE Transactions on Communications Vol. 22, No. 5, pp. 637-648, May 1974.

   [Cisco2003]  Cisco, "Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 packet", http://www.cisco.com/en/US/products/products_security_advisory09186a00801a34c2.shtml, 2003.

   [Cisco2008]  Cisco, "Cisco IOS Security Configuration Guide, Release 12.2", http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfipso.html, 2003.

   [Clark1988]  Clark, D., "The Design Philosophy of the DARPA Internet Protocols", Computer Communication Review Vol. 18, No. 4, 1988.

   [Ed3f2002]  Ed3f, "Firewall spotting and networks analisys with a broken CRC", Phrack Magazine, Volume 0x0b, Issue 0x3c, Phile #0x0c of 0x10, http://www.phrack.org/issues.html?issue=60&id=12&mode=txt, 2002.

   [FIPS1994]  FIPS, "Standard Security Label for Information Transfer", Federal Information Processing Standards Publication FIPS PUB 188, http://csrc.nist.gov/publications/fips/fips188/fips188.pdf, 1994.

   [Fuller2008a]  Fuller, V., Lear, E., and D. Meyer, "240.0.0.0/4: The Future Begins Now", Routing SIG Meeting, 25th APNIC Open Policy Meeting, February 25-29 2008, Taipei, Taiwan, http://www.apnic.net/meetings/25/program/routing/fuller-240-future.pdf, 2008.

   [Fyodor2004]  Fyodor, "Idle scanning and related IP ID games", http://www.insecure.org/nmap/idlescan.html, 2004.

   [GIAC2000]  GIAC, "Egress Filtering v 0.2", http://www.sans.org/y2k/egress.htm, 2000.

   [Gont2006]  Gont, F., "Advanced ICMP packet filtering", http://www.gont.com.ar/papers/icmp-filtering.html, 2006.

   [Haddad2004]  Haddad, I. and M. Zakrzewski, "Security Distribution for Linux Clusters", Linux Journal, http://www.linuxjournal.com/article/6943, 2004.
   [Humble1998]  Humble, "Nestea exploit", http://www.insecure.org/sploits/linux.PalmOS.nestea.html, 1998.

   [I-D.fuller-240space]  Fuller, V., "Reclassifying 240/4 as usable unicast address space", draft-fuller-240space-02 (work in progress), March 2008.

   [I-D.ietf-tcpm-icmp-attacks]  Gont, F., "ICMP attacks against TCP", draft-ietf-tcpm-icmp-attacks-11 (work in progress), February 2010.

   [I-D.templin-mtuassurance]  Templin, F., "Requirements for IP-in-IP Tunnel MTU Assurance", draft-templin-mtuassurance-02 (work in progress), October 2006.

   [I-D.wilson-class-e]  Wilson, P., Michaelson, G., and G. Huston, "Redesignation of 240/4 from "Future Use" to "Private Use"", draft-wilson-class-e-02 (work in progress), September 2008.

   [IANA2006a]  IANA, "Ether Types", http://www.iana.org/assignments/ethernet-numbers.

   [IANA2006b]  IANA, "IP Parameters", http://www.iana.org/assignments/ip-parameters.

   [IANA2006c]  IANA, "Protocol Numbers", http://www.iana.org/assignments/protocol-numbers.

   [IRIX2008]  IRIX, "IRIX 6.5 trusted_networking(7) manual page", http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/cat7/trusted_networking.z, 2008.

   [Jones2002]  Jones, R., "A Method Of Selecting Values For the Parameters Controlling IP Fragment Reassembly", ftp://ftp.cup.hp.com/dist/networking/briefs/ip_reass_tuning.txt, 2002.

   [Kenney1996]  Kenney, M., "The Ping of Death Page", http://www.insecure.org/sploits/ping-o-death.html, 1996.

   [Kent1987]  Kent, C. and J. Mogul, "Fragmentation considered harmful", Proc. SIGCOMM '87, Vol. 17, No. 5, October 1987.
   [Klein2007]  Klein, A., "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability", http://www.trusteer.com/files/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf, 2007.

   [Kohno2005]  Kohno, T., Broido, A., and kc. Claffy, "Remote Physical Device Fingerprinting", IEEE Transactions on Dependable and Secure Computing Vol. 2, No. 2, 2005.

   [LBNL2006]  LBNL/NRG, "arpwatch tool", http://ee.lbl.gov/, 2006.

   [Linux2006]  The Linux Project, http://www.kernel.org.

   [Microsoft1999]  Microsoft, "Microsoft Security Program: Microsoft Security Bulletin (MS99-038). Patch Available for "Spoofed Route Pointer" Vulnerability", http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx, 1999.

   [NISCC2004]  NISCC, "NISCC Vulnerability Advisory 236929: Vulnerability Issues in TCP", http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf, 2004.

   [NISCC2005]  NISCC, "NISCC Vulnerability Advisory 532967/NISCC/ICMP: Vulnerability Issues in ICMP packets with TCP payloads", http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf, 2005.

   [NISCC2006]  NISCC, "NISCC Technical Note 01/2006: Egress and Ingress Filtering", http://www.niscc.gov.uk/niscc/docs/re-20060420-00294.pdf?lang=en, 2006.

   [Northcutt2000]  Northcutt, S. and J. Novak, "Network Intrusion Detection - An Analyst's Handbook", Second Edition, New Riders Publishing, 2000.

   [Novak2005]  Novak, J., "Target-Based Fragmentation Reassembly", http://www.snort.org/reg/docs/target_based_frag.pdf, 2005.

   [OpenBSD-PF]  OpenBSD, "PF: Scrub (Packet Normalization)", http://www.openbsd.org/faq/pf/scrub.html, 2010.

   [OpenBSD1998]  OpenBSD, "OpenBSD Security Advisory: IP Source Routing Problem", http://www.openbsd.org/advisories/sourceroute.txt, 1998.
   [Paxson2001]  Paxson, V., Handley, M., and C. Kreibich, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics", USENIX Conference, 2001.

   [Ptacek1998]  Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps, 1998.

   [RFC0815]  Clark, D., "IP datagram reassembly algorithms", RFC 815, July 1982.

   [RFC1858]  Ziemba, G., Reed, D., and P. Traina, "Security Considerations for IP Fragment Filtering", RFC 1858, October 1995.

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.

   [RFC2544]  Bradner, S. and J. McQuaid, "Benchmarking Methodology for Network Interconnect Devices", RFC 2544, March 1999.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.

   [RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, February 2001.

   [RFC3128]  Miller, I., "Protection Against a Variant of the Tiny Fragment Attack (RFC 1858)", RFC 3128, June 2001.

   [RFC3168]  Ramakrishnan, K., Floyd, S., and D. Black, "The Addition of Explicit Congestion Notification (ECN) to IP", RFC 3168, September 2001.

   [RFC3530]  Shepler, S., Callaghan, B., Robinson, D., Thurlow, R., Beame, C., Eisler, M., and D. Noveck, "Network File System (NFS) version 4 Protocol", RFC 3530, April 2003.

   [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, March 2004.

   [RFC4459]  Savola, P., "MTU and Fragmentation Issues with In-the-Network Tunneling", RFC 4459, April 2006.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan", BCP 122, RFC 4632, August 2006.

   [RFC4963]  Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly Errors at High Data Rates", RFC 4963, July 2007.

   [RFC4987]  Eddy, W., "TCP SYN Flooding Attacks and Common Mitigations", RFC 4987, August 2007.

   [RFC5082]  Gill, V., Heasley, J., Meyer, D., Savola, P., and C. Pignataro, "The Generalized TTL Security Mechanism (GTSM)", RFC 5082, October 2007.

   [RFC5350]  Manner, J. and A. McDonald, "IANA Considerations for the IPv4 and IPv6 Router Alert Options", RFC 5350, September 2008.

   [RFC5570]  StJohns, M., Atkinson, R., and G. Thomas, "Common Architecture Label IPv6 Security Option (CALIPSO)", RFC 5570, July 2009.

   [SELinux2008]  Security Enhanced Linux, http://www.nsa.gov/selinux/.

   [Sanfilippo1998a]  Sanfilippo, S., "about the ip header id", Post to Bugtraq mailing-list, Mon Dec 14 1998, http://www.kyuzz.org/antirez/papers/ipid.html, 1998.

   [Sanfilippo1998b]  Sanfilippo, S., "Idle scan", Post to Bugtraq mailing-list, http://www.kyuzz.org/antirez/papers/dumbscan.html, 1998.

   [Sanfilippo1999]  Sanfilippo, S., "more ip id", Post to Bugtraq mailing-list, http://www.kyuzz.org/antirez/papers/moreipid.html, 1999.

   [Shankar2003]  Shankar, U. and V. Paxson, "Active Mapping: Resisting NIDS Evasion Without Altering Traffic", http://www.icir.org/vern/papers/activemap-oak03.pdf, 2003.

   [Shannon2001]  Shannon, C., Moore, D., and K. Claffy, "Characteristics of Fragmented IP Traffic on Internet Links", 2001.

   [Silbersack2005]  Silbersack, M., "Improving TCP/IP security through randomization without sacrificing interoperability", EuroBSDCon 2005 Conference, http://www.silby.com/eurobsdcon05/eurobsdcon_slides.pdf, 2005.
   [Solaris2008]  "Solaris Trusted Extensions - Labeled Security for Absolute Protection", http://www.sun.com/software/solaris/ds/trusted_extensions.jsp#3, 2008.

   [Song1999]  Song, D., "Frag router tool", http://www.anzen.com/research/nidsbench/.

   [US-CERT2001]  US-CERT, "US-CERT Vulnerability Note VU#446689: Check Point FireWall-1 allows fragmented packets through firewall if Fast Mode is enabled", http://www.kb.cert.org/vuls/id/446689, 2001.

   [US-CERT2002]  US-CERT, "US-CERT Vulnerability Note VU#310387: Cisco IOS discloses fragments of previous packets when Express Forwarding is enabled", http://www.kb.cert.org/vuls/id/310387, 2002.

   [Watson2004]  Watson, P., "Slipping in the Window: TCP Reset Attacks", 2004 CanSecWest Conference, 2004.

   [Zakrzewski2002]  Zakrzewski, M. and I. Haddad, "Linux Distributed Security Module", http://www.linuxjournal.com/article/6215, 2002.

   [daemon91996]  daemon9, route, and infinity, "IP-spoofing Demystified (Trust-Relationship Exploitation)", Phrack Magazine, Volume Seven, Issue Forty-Eight, File 14 of 18, http://www.phrack.org/phrack/48/P48-14, 1996.

Appendix A. Changes from previous versions of the draft (to be removed by the RFC Editor before publishing this document as an RFC)

Authors' Addresses

   Fernando Gont
   Universidad Tecnologica Nacional / Facultad Regional Haedo
   Evaristo Carriego 2644
   Haedo, Provincia de Buenos Aires 1706
   Argentina

   Phone: +54 11 4650 8472
   Email: fernando@gont.com.ar
   URI:   http://www.gont.com.ar

   Stefan Fouant
   Shortest Path First

   Email: sfouant@shortestpathfirst.net
   URI:   http://www.shortestpathfirst.net