idnits 2.17.1 draft-ietf-opsec-ip-security-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 3 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (October 21, 2010) is 4936 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'CERT2001' is defined on line 3184, but no explicit reference was found in the text == Unused Reference: 'I-D.templin-mtuassurance' is defined on line 3281, but no explicit reference was found in the text == Unused Reference: 'RFC2544' is defined on line 3403, but no explicit reference was found in the text == Unused Reference: 'RFC3056' is defined on line 3406, but no explicit reference was found in the text == Unused Reference: 'RFC4459' is defined on line 3416, but no explicit reference was found in the text ** Obsolete normative reference: RFC 1038 (Obsoleted by RFC 1108) ** Obsolete normative reference: RFC 1063 (Obsoleted by RFC 1191) ** Obsolete normative reference: RFC 1349 (Obsoleted by RFC 2474) ** Obsolete normative reference: RFC 1393 (Obsoleted by RFC 6814) ** Obsolete normative reference: RFC 1770 (Obsoleted by RFC 6814) ** Obsolete normative reference: RFC 5735 (Obsoleted by RFC 6890) -- Obsolete informational reference (is this intentional?): RFC 3530 (Obsoleted by RFC 7530) -- Obsolete informational reference (is this intentional?): RFC 5696 (Obsoleted by RFC 6660) Summary: 7 errors (**), 0 flaws (~~), 9 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Operational Security Capabilities F. Gont 3 for IP Network Infrastructure UK CPNI 4 (opsec) October 21, 2010 5 Internet-Draft 6 Intended status: Informational 7 Expires: April 24, 2011 9 Security Assessment of the Internet Protocol version 4 10 draft-ietf-opsec-ip-security-04.txt 12 Abstract 14 This document contains a security assessment of the IETF 15 specifications of the Internet Protocol version 4, and of a number of 16 mechanisms and policies in use by popular IPv4 implementations. It 17 is based on the results of a project carried out by the UK's Centre 18 for the Protection of National Infrastructure (CPNI). 20 Status of this Memo 22 This Internet-Draft is submitted to IETF in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on April 24, 2011. 37 Copyright Notice 39 Copyright (c) 2010 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 55 1.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 5 56 1.2. Scope of this document . . . . . . . . . . . . . . . . . . 7 57 1.3. Organization of this document . . . . . . . . . . . . . . 7 58 2. The Internet Protocol . . . . . . . . . . . . . . . . . . . . 8 59 3. Internet Protocol Header Fields . . . . . . . . . . . . . . . 8 60 3.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 9 61 3.2. IHL (Internet Header Length) . . . . . . . . . . . . . . . 10 62 3.3. Type of Service . . . . . . . . . . . . . . . . . . . . . 11 63 3.3.1. Original Interpretation . . . . . . . . . . . . . . . 11 64 3.3.2. Standard Interpretation . . . . . . . . . . . . . . . 12 65 3.3.2.1. Differentiated Services field . . . . . . . . . . 12 66 3.3.2.2. Explicit Congestion Notification (ECN) . . . . . 13 67 3.4. Total Length . . . . . . . . . . . . . . . . . . . . . . . 14 68 3.5. Identification (ID) . . . . . . . . . . . . . . . . . . . 15 69 3.5.1. Some Workarounds Implemented by the Industry . . . . . 16 70 3.5.2. Possible security improvements . . . . . . . . . . . . 17 71 3.5.2.1. Connection-Oriented Transport Protocols . . . . . 17 72 3.5.2.2. Connectionless Transport Protocols . . . . . . . 18 73 3.6. Flags . . . . . . . . . . . . . . . . . . . . . . . . . . 19 74 3.7. Fragment Offset . . . . . . . . . . . . . . . . . . . . . 21 75 3.8. Time to Live (TTL) . . . . . . . . . . . . . . . . . . . . 22 76 3.8.1. Fingerprinting the operating system in use by the 77 source host . . . . . . . . . . . . . . . . . . . . . 24 78 3.8.2. Fingerprinting the physical device from which the 79 packets originate . . . . . . . . . . . . . . . . . . 24 80 3.8.3. Mapping the Network Topology . . . . . . . . . . . . . 24 81 3.8.4. Locating the source host in the network topology . . . 25 82 3.8.5. Evading Network Intrusion Detection Systems . . . . . 26 83 3.8.6. Improving the security of applications that make 84 use of the Internet Protocol (IP) . . . . . . . . . . 27 85 3.8.7. Limiting spread . . . . . . . . . . . . . . . . . . . 28 86 3.9. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 28 87 3.10. Header Checksum . . . . . . . . . . . . . . . . . . . . . 28 88 3.11. Source Address . . . . . . . . . . . . . . . . . . . . . . 28 89 3.12. Destination Address . . . . . . . . . . . . . . . . . . . 29 90 3.13. Options . . . . . . . . . . . . . . . . . . . . . . . . . 30 91 3.13.1. General issues with IP options . . . . . . . . . . . . 31 92 3.13.1.1. Processing requirements . . . . . . . . . . . . . 31 93 3.13.1.2. Processing of the options by the upper layer 94 protocol . . . . . . . . . . . . . . . . . . . . 32 95 3.13.1.3. General sanity checks on IP options . . . . . . . 32 97 3.13.2. Issues with specific options . . . . . . . . . . . . . 33 98 3.13.2.1. End of Option List (Type=0) . . . . . . . . . . . 34 99 3.13.2.2. No Operation (Type=1) . . . . . . . . . . . . . . 34 100 3.13.2.3. Loose Source and Record Route (LSRR) 101 (Type=131) . . . . . . . . . . . . . . . . . . . 34 102 3.13.2.4. Strict Source and Record Route (SSRR) 103 (Type=137) . . . . . . . . . . . . . . . . . . . 37 104 3.13.2.5. Record Route (Type=7) . . . . . . . . . . . . . . 39 105 3.13.2.6. Stream Identifier (Type=136) . . . . . . . . . . 40 106 3.13.2.7. Internet Timestamp (Type=68) . . . . . . . . . . 40 107 3.13.2.8. Router Alert (Type=148) . . . . . . . . . . . . . 43 108 3.13.2.9. Probe MTU (Type=11) (obsolete) . . . . . . . . . 44 109 3.13.2.10. Reply MTU (Type=12) (obsolete) . . . . . . . . . 44 110 3.13.2.11. Traceroute (Type=82) . . . . . . . . . . . . . . 44 111 3.13.2.12. DoD Basic Security Option (Type=130) . . . . . . 44 112 3.13.2.13. DoD Extended Security Option (Type=133) . . . . . 46 113 3.13.2.14. Commercial IP Security Option (CIPSO) 114 (Type=134) . . . . . . . . . . . . . . . . . . . 46 115 3.13.2.15. Sender Directed Multi-Destination Delivery 116 (Type=149) . . . . . . . . . . . . . . . . . . . 47 117 4. Internet Protocol Mechanisms . . . . . . . . . . . . . . . . . 47 118 4.1. Fragment reassembly . . . . . . . . . . . . . . . . . . . 47 119 4.1.1. Security Implications of Fragment Reassembly . . . . . 48 120 4.1.1.1. Problems related with memory allocation . . . . . 48 121 4.1.1.2. Problems that arise from the length of the IP 122 Identification field . . . . . . . . . . . . . . 50 123 4.1.1.3. Problems that arise from the complexity of 124 the reassembly algorithm . . . . . . . . . . . . 51 125 4.1.1.4. Problems that arise from the ambiguity of the 126 reassembly process . . . . . . . . . . . . . . . 51 127 4.1.1.5. Problems that arise from the size of the IP 128 fragments . . . . . . . . . . . . . . . . . . . . 53 129 4.1.2. Possible security improvements . . . . . . . . . . . . 53 130 4.1.2.1. Memory allocation for fragment reassembly . . . . 53 131 4.1.2.2. Flushing the fragment buffer . . . . . . . . . . 54 132 4.1.2.3. A more selective fragment buffer flushing 133 strategy . . . . . . . . . . . . . . . . . . . . 55 134 4.1.2.4. Reducing the fragment timeout . . . . . . . . . . 57 135 4.1.2.5. Countermeasure for some IDS evasion techniques . 57 136 4.1.2.6. Countermeasure for firewall-rules bypassing . . . 57 137 4.2. Forwarding . . . . . . . . . . . . . . . . . . . . . . . . 58 138 4.2.1. Precedence-ordered queue service . . . . . . . . . . . 58 139 4.2.2. Weak Type of Service . . . . . . . . . . . . . . . . . 59 140 4.2.3. Impact of Address Resolution on Buffer Management . . 59 141 4.2.4. Dropping packets . . . . . . . . . . . . . . . . . . . 60 142 4.3. Addressing . . . . . . . . . . . . . . . . . . . . . . . . 60 143 4.3.1. Unreachable addresses . . . . . . . . . . . . . . . . 61 144 4.3.2. Private address space . . . . . . . . . . . . . . . . 61 145 4.3.3. Former Class D Addresses (224/4 Address Block) . . . . 61 146 4.3.4. Former Class E Addresses (240/4 Address Block) . . . . 62 147 4.3.5. Broadcast/Multicast addresses, and 148 Connection-Oriented Protocols . . . . . . . . . . . . 62 149 4.3.6. Broadcast and network addresses . . . . . . . . . . . 62 150 4.3.7. Special Internet addresses . . . . . . . . . . . . . . 62 151 5. Security Considerations . . . . . . . . . . . . . . . . . . . 65 152 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 65 153 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 65 154 7.1. Normative References . . . . . . . . . . . . . . . . . . . 65 155 7.2. Informative References . . . . . . . . . . . . . . . . . . 67 156 Appendix A. Advice and guidance to vendors . . . . . . . . . . . 76 157 Appendix B. Changes from previous versions of the draft . . . . . 76 158 B.1. Changes from draft-ietf-opsec-ip-security-03 . . . . . . . 76 159 B.2. Changes from draft-ietf-opsec-ip-security-02 . . . . . . . 76 160 B.3. Changes from draft-ietf-opsec-ip-security-01 . . . . . . . 76 161 B.4. Changes from draft-ietf-opsec-ip-security-00 . . . . . . . 77 162 B.5. Changes from draft-gont-opsec-ip-security-01 . . . . . . . 77 163 B.6. Changes from draft-gont-opsec-ip-security-00 . . . . . . . 77 164 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 77 166 1. Preface 168 1.1. Introduction 170 The TCP/IP protocols were conceived in an environment that was quite 171 different from the hostile environment in which they currently 172 operate. However, the effectiveness of the protocols led to their 173 early adoption in production environments, to the point that, to some 174 extent, the current world's economy depends on them. 176 While many textbooks and articles have created the myth that the 177 Internet protocols were designed for warfare environments, the top 178 level goal for the DARPA Internet Program was the sharing of large 179 service machines on the ARPANET [Clark1988]. As a result, many 180 protocol specifications focus only on the operational aspects of the 181 protocols they specify, and overlook their security implications. 183 While the Internet technology evolved since its inception, the 184 Internet's building blocks are basically the same core protocols 185 adopted by the ARPANET more than two decades ago. During the last 186 twenty years, many vulnerabilities have been identified in the TCP/IP 187 stacks of a number of systems. Some of them were based on flaws in 188 some protocol implementations, affecting only a reduced number of 189 systems, while others were based on flaws in the protocols 190 themselves, affecting virtually every existing implementation 191 [Bellovin1989]. Even in the last couple of years, researchers were 192 still working on security problems in the core protocols 193 [I-D.ietf-tcpm-icmp-attacks] [Watson2004] [NISCC2004] [NISCC2005]. 195 The discovery of vulnerabilities in the TCP/IP protocols led to 196 reports being published by a number of CSIRTs (Computer Security 197 Incident Response Teams) and vendors, which helped to raise awareness 198 about the threats and the best mitigations known at the time the 199 reports were published. Unfortunately, this also led to the 200 documentation of the discovered protocol vulnerabilities being spread 201 among a large number of documents, which are sometimes difficult to 202 identify. 204 For some reason, much of the effort of the security community on the 205 Internet protocols did not result in official documents (RFCs) being 206 issued by the IETF (Internet Engineering Task Force). This basically 207 led to a situation in which "known" security problems have not always 208 been addressed by all vendors. In addition, in many cases vendors 209 have implemented quick "fixes" to protocol flaws without a careful 210 analysis of their effectiveness and their impact on interoperability 211 [Silbersack2005]. 213 The lack of adoption of these fixes by the IETF means that any system 214 built in the future according to the official TCP/IP specifications 215 will reincarnate security flaws that have already hit our 216 communication systems in the past. 218 Producing a secure TCP/IP implementation nowadays is a very difficult 219 task, in part because of the lack of a single document that serves as 220 a security roadmap for the protocols. Implementers are faced with 221 the hard task of identifying relevant documentation and differentiate 222 between that which provides correct advisory, and that which provides 223 misleading advisory based on inaccurate or wrong assumptions. 225 There is a clear need for a companion document to the IETF 226 specifications that discusses the security aspects and implications 227 of the protocols, identifies the possible threats, discusses the 228 possible countermeasures, and analyzes their respective 229 effectiveness. 231 This document is the result of an assessment of the IETF 232 specifications of the Internet Protocol (IP), from a security point 233 of view. Possible threats were identified and, where possible, 234 countermeasures were proposed. Additionally, many implementation 235 flaws that have led to security vulnerabilities have been referenced 236 in the hope that future implementations will not incur the same 237 problems. Furthermore, this document does not limit itself to 238 performing a security assessment of the relevant IETF specifications, 239 but also provides an assessment of common implementation strategies 240 found in the real world. 242 This document does not aim to be the final word on the security of 243 the Internet Protocol (IP). On the contrary, it aims to raise 244 awareness about many security threats based on the IP protocol that 245 have been faced in the past, those that we are currently facing, and 246 those we may still have to deal with in the future. It provides 247 advice for the secure implementation of the Internet Protocol (IP), 248 but also provides insights about the security aspects of the Internet 249 Protocol that may be of help to the Internet operations community. 251 Feedback from the community is more than encouraged to help this 252 document be as accurate as possible and to keep it updated as new 253 threats are discovered. 255 This document is heavily based on the "Security Assessment of the 256 Internet Protocol" [CPNI2008] released by the UK Centre for the 257 Protection of National Infrastructure (CPNI), available at: 258 http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx . 260 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 261 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 262 document are to be interpreted as described in RFC 2119 [RFC2119]. 264 1.2. Scope of this document 266 While there are a number of protocols that affect the way in which IP 267 systems operate, this document focuses only on the specifications of 268 the Internet Protocol (IP). For example, routing and bootstrapping 269 protocols are considered out of the scope of this project. 271 The following IETF RFCs were selected as the primary sources for the 272 assessment as part of this work: 274 o RFC 791, "Internet Protocol. DARPA Internet Program. Protocol 275 Specification" (51 pages). 277 o RFC 815, "IP datagram reassembly algorithms" (9 pages). 279 o RFC 919, "BROADCASTING INTERNET DATAGRAMS" (8 pages). 281 o RFC 950, "Internet Standard Subnetting Procedure" (18 pages) 283 o RFC 1112, "Host Extensions for IP Multicasting" (17 pages) 285 o RFC 1122, "Requirements for Internet Hosts -- Communication 286 Layers" (116 pages). 288 o RFC 1812, "Requirements for IP Version 4 Routers" (175 pages). 290 o RFC 2474, "Definition of the Differentiated Services Field (DS 291 Field) in the IPv4 and IPv6 Headers" (20 pages). 293 o RFC 2475, "An Architecture for Differentiated Services" (36 294 pages). 296 o RFC 3168, "The Addition of Explicit Congestion Notification (ECN) 297 to IP" (63 pages). 299 o RFC 4632, "Classless Inter-domain Routing (CIDR): The Internet 300 Address Assignment and Aggregation Plan" (27 pages). 302 1.3. Organization of this document 304 This document is basically organized in two parts: "Internet Protocol 305 header fields" and "Internet Protocol mechanisms". The former 306 contains an analysis of each of the fields of the Internet Protocol 307 header, identifies their security implications, and discusses 308 possible countermeasures for the identified threats. The latter 309 contains an analysis of the security implications of the mechanisms 310 implemented by the Internet Protocol. 312 2. The Internet Protocol 314 The Internet Protocol (IP) provides a basic data transfer function 315 for passing data blocks called "datagrams" from a source host to a 316 destination host, across the possible intervening networks. 317 Additionally, it provides some functions that are useful for the 318 interconnection of heterogeneous networks, such as fragmentation and 319 reassembly. 321 The "datagram" has a number of characteristics that makes it 322 convenient for interconnecting systems [Clark1988]: 324 o It eliminates the need of connection state within the network, 325 which improves the survivability characteristics of the network. 327 o It provides a basic service of data transport that can be used as 328 a building block for other transport services (reliable data 329 transport services, etc.). 331 o It represents the minimum network service assumption, which 332 enables IP to be run over virtually any network technology. 334 3. Internet Protocol Header Fields 336 The IETF specifications of the Internet Protocol define the syntax of 337 the protocol header, along with the semantics of each of its fields. 338 Figure 1 shows the format of an IP datagram. 340 0 1 2 3 341 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 342 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 343 |Version| IHL |Type of Service| Total Length | 344 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 345 | Identification |Flags| Fragment Offset | 346 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 347 | Time to Live | Protocol | Header Checksum | 348 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 349 | Source Address | 350 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 351 | Destination Address | 352 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 353 | [ Options ] | [ Padding ] | 354 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 356 Figure 1: Internet Protocol header format 358 Even though the minimum IP header size is 20 bytes, an IP module 359 might be handed an (illegitimate) "datagram" of less than 20 bytes. 360 Therefore, before doing any processing of the IP header fields, the 361 following check should be performed by the IP module on the packets 362 handed by the link layer: 364 LinkLayer.PayloadSize >= 20 366 where LinkLayer.PayloadSize is the length (in octets) of the datagram 367 passed from the link layer to the IP layer. 369 If the packet does not pass this check, it should be dropped, and 370 this event should be logged (e.g., a counter could be incremented 371 reflecting the packet drop). 373 The following subsections contain further sanity checks that should 374 be performed on IP packets. 376 3.1. Version 378 This is a 4-bit field that indicates the version of the Internet 379 Protocol (IP), and thus the syntax of the packet. For IPv4, this 380 field must be 4. 382 When a Link-Layer protocol de-multiplexes a packet to an internet 383 module, it does so based on a "Protocol Type" field in the data-link 384 packet header. 386 In theory, different versions of IP could coexist on a network by 387 using the same "Protocol Type" at the Link-layer, but a different 388 value in the Version field of the IP header. Thus, a single IP 389 module could handle all versions of the Internet Protocol, 390 differentiating them by means of this field. 392 However, in practice different versions of IP are identified by a 393 different "Protocol Type" (e.g., "EtherType" in the case of Ethernet) 394 number in the link-layer protocol header. For example, IPv4 395 datagrams are encapsulated in Ethernet frames using an EtherType of 396 0x0800, while IPv6 datagrams are encapsulated in Ethernet frames 397 using an EtherType of 0x86DD [IANA2006a]. 399 Therefore, if an IPv4 module receives a packet, the Version field 400 must be checked to be 4. If this check fails, the packet should be 401 silently dropped, and this event should be logged (e.g., a counter 402 could be incremented reflecting the packet drop). 404 3.2. IHL (Internet Header Length) 406 The IHL (Internet Header Length) indicates the length of the internet 407 header in 32-bit words (4 bytes). As the minimum datagram size is 20 408 bytes, the minimum legal value for this field is 5. Therefore, the 409 following check should be enforced: 411 IHL >= 5 413 If the packet does not pass this check, it should be dropped, and 414 this event should be logged (e.g., a counter could be incremented 415 reflecting the packet drop). 417 For obvious reasons, the Internet header cannot be larger than the 418 whole Internet datagram it is part of. Therefore, the following 419 check should be enforced: 421 IHL * 4 <= Total Length 423 This needs to refer to the size of the datagram as specified by 424 the sender in the Total Length field, since link layers might have 425 added some padding (see Section 3.4). 427 If the packet does not pass this check, it should be dropped, and 428 this event should be logged (e.g., a counter could be incremented 429 reflecting the packet drop). 431 The above check allows for Internet datagrams with no data bytes in 432 the payload that, while nonsensical for virtually every protocol that 433 runs over IP, are is still legal. 435 3.3. Type of Service 437 3.3.1. Original Interpretation 439 Figure 2 shows the original syntax of the Type of Service field, as 440 defined by RFC 791 [RFC0791], and updated by RFC 1349 [RFC1349]. 441 This definition has been superseded long ago (see Section 3.3.2.1 and 442 Section 3.3.2.2), but it is still assumed by some deployed 443 implementations. 445 0 1 2 3 4 5 6 7 446 +-----+-----+-----+-----+-----+-----+-----+-----+ 447 | PRECEDENCE | D | T | R | C | 0 | 448 +-----+-----+-----+-----+-----+-----+-----+-----+ 450 Figure 2: Type of Service Field (Original Interpretation) 452 +----------+----------------------------------------------+ 453 | Bits 0-2 | Precedence | 454 +----------+----------------------------------------------+ 455 | Bit 3 | 0 = Normal Delay, 1 = Low Delay | 456 +----------+----------------------------------------------+ 457 | Bit 4 | 0 = Normal Throughput, 1 = High Throughput | 458 +----------+----------------------------------------------+ 459 | Bit 5 | 0 = Normal Reliability, 1 = High Reliability | 460 +----------+----------------------------------------------+ 461 | Bit 6 | 0 = Normal Cost, 1 = Minimize Monetary Cost | 462 +----------+----------------------------------------------+ 463 | Bits 7 | Reserved for Future Use (must be zero) | 464 +----------+----------------------------------------------+ 466 Table 1: TOS-bits Semantics 468 +-----+-----------------+ 469 | 111 | Network Control | 470 +-----+-----------------+ 471 | 110 | Internetwork | 472 +-----+-----------------+ 473 | 101 | CRITIC/ECP | 474 +-----+-----------------+ 475 | 100 | Flash Override | 476 +-----+-----------------+ 477 | 011 | Flash | 478 +-----+-----------------+ 479 | 010 | Immediate | 480 +-----+-----------------+ 481 | 001 | Priority | 482 | 000 | Routine | 483 +-----+-----------------+ 485 Table 2: Precedence Field Values 487 The Type of Service field can be used to affect the way in which the 488 packet is treated by the systems of a network that process it. 489 Section 4.2.1 ("Precedence-ordered queue service") and Section 4.2.3 490 ("Weak TOS") of this document describe the security implications of 491 the Type of Service field in the forwarding of packets. 493 3.3.2. Standard Interpretation 495 3.3.2.1. Differentiated Services field 497 The Differentiated Services Architecture is intended to enable 498 scalable service discrimination in the Internet without the need for 499 per-flow state and signaling at every hop [RFC2475]. RFC 2474 500 [RFC2474] redefined the IP "Type of Service" octet, introducing a 501 Differentiated Services Field (DS Field). Figure 3 shows the format 502 of the field. 504 0 1 2 3 4 5 6 7 505 +---+---+---+---+---+---+---+---+ 506 | DSCP | CU | 507 +---+---+---+---+---+---+---+---+ 509 Figure 3: Revised Structure of the Type of Service Field (RFC 2474) 511 The DSCP ("Differentiated Services CodePoint") is used to select the 512 treatment the packet is to receive within the Differentiated Services 513 Domain. The CU ("Currently Unused") field was, at the time the 514 specification was issued, reserved for future use. The DSCP field is 515 used to select a PHB (Per-Hop Behavior), by matching against the 516 entire 6-bit field. 518 Considering that the DSCP field determines how a packet is treated 519 within a Differentiated Services (DS) domain, an attacker could send 520 packets with a forged DSCP field to perform a theft of service or 521 even a Denial-of-Service attack. In particular, an attacker could 522 forge packets with a codepoint of the type '11x000' which, according 523 to Section 4.2.2.2 of RFC 2474 [RFC2474], would give the packets 524 preferential forwarding treatment when compared with the PHB selected 525 by the codepoint '000000'. If strict priority queuing were utilized, 526 a continuous stream of such packets could cause a Denial of Service 527 to other flows which have a DSCP of lower relative order. 529 As the DS field is incompatible with the original Type of Service 530 field, both DS domains and networks using the original Type of 531 Service field should protect themselves by remarking the 532 corresponding field where appropriate, probably deploying remarking 533 boundary nodes. Nevertheless, care must be taken so that packets 534 received with an unrecognized DSCP do not cause the handling system 535 to malfunction. 537 3.3.2.2. Explicit Congestion Notification (ECN) 539 RFC 3168 [RFC3168] specifies a mechanism for routers to signal 540 congestion to hosts exchanging IP packets, by marking the offending 541 packets, rather than discarding them. RFC 3168 defines the ECN 542 field, which utilizes the CU field defined in RFC 2474 [RFC2474]. 543 Figure 4 shows the current syntax of the IP Type of Service field, 544 with the DSCP field used for Differentiated Services and the ECN 545 field. 547 0 1 2 3 4 5 6 7 548 +-----+-----+-----+-----+-----+-----+-----+-----+ 549 | DS FIELD, DSCP | ECN FIELD | 550 +-----+-----+-----+-----+-----+-----+-----+-----+ 552 Figure 4: The Differentiated Services and ECN fields in IP 554 As such, the ECN field defines four codepoints: 556 +-----------+-----------+ 557 | ECN field | Codepoint | 558 +-----------+-----------+ 559 | 00 | Not-ECT | 560 +-----------+-----------+ 561 | 01 | ECT(1) | 562 +-----------+-----------+ 563 | 10 | ECT(0) | 564 +-----------+-----------+ 565 | 11 | CE | 566 +-----------+-----------+ 568 Table 3: ECN codepoints 570 ECN is an end-to-end transport protocol mechanism based on 571 notifications by routers through which a packet flow passes. To 572 allow this interaction to happen on the fast path of routers, the ECN 573 field is located at a fixed location in the IP header. However, its 574 use must be negotiated at the transport layer, and the accumulated 575 congestion notifications must be communicated back to the sending 576 node using transport protocol means. Thus, ECN support must be 577 specified per transport protocol. 579 The security implications of ECN are discussed in detail in a number 580 of Sections of RFC 3168. Of the possible threats discussed in the 581 ECN specification, we believe that one that can be easily exploited 582 is that of a host falsely indicating ECN-Capability. 584 An attacker could set the ECT codepoint in the packets it sends, to 585 signal the network that the endpoints of the transport protocol are 586 ECN-capable. Consequently, when experiencing moderate congestion, 587 routers using active queue management based on RED would mark the 588 packets (with the CE codepoint) rather than discard them. In this 589 same scenario, packets of competing flows that do not have the ECT 590 codepoint set would be dropped. Therefore, an attacker would get 591 better network service than the competing flows. 593 However, if this moderate congestion turned into heavy congestion, 594 routers should switch to drop packets, regardless of whether the 595 packets have the ECT codepoint set or not. 597 A number of other threats could arise if an attacker was a man in the 598 middle (i.e., was in the middle of the path the packets travel to get 599 to the destination host). For a detailed discussion of those cases, 600 we urge the reader to consult Section 16 of RFC 3168. 602 There also is ongoing work in the research community and the IETF to 603 define alternate semantics for the CU / ECN field of IP TOS octet 604 (see [RFC5559], [RFC5670], and [RFC5696]). The application of these 605 methods must be confined to tightly administered domains, and on exit 606 from such domains, all packets need to be (re-)marked with ECN 607 semantics. 609 3.4. Total Length 611 The Total Length field is the length of the datagram, measured in 612 bytes, including both the IP header and the IP payload. Being a 16- 613 bit field, it allows for datagrams of up to 65535 bytes. RFC 791 614 [RFC0791] states that all hosts should be prepared to receive 615 datagrams of up to 576 bytes (whether they arrive as a whole, or in 616 fragments). However, most modern implementations can reassemble 617 datagrams of at least 9 Kbytes. 619 Usually, a host will not send to a remote peer an IP datagram larger 620 than 576 bytes, unless it is explicitly signaled that the remote peer 621 is able to receive such "large" datagrams (for example, by means of 622 TCP's MSS option). However, systems should assume that they may 623 receive datagrams larger than 576 bytes, regardless of whether they 624 signal their remote peers to do so or not. In fact, it is common for 625 NFS [RFC3530] implementations to send datagrams larger than 576 626 bytes, even without explicit signaling that the destination system 627 can receive such "large" datagram. 629 Additionally, see the discussion in Section 4.1 ("Fragment 630 reassembly") regarding the possible packet sizes resulting from 631 fragment reassembly. 633 Implementations should be aware that the IP module could be handed a 634 packet larger than the value actually contained in the Total Length 635 field. Such a difference usually has to do with legitimate padding 636 bytes at the link-layer protocol, but it could also be the result of 637 malicious activity by an attacker. Furthermore, even when the 638 maximum length of an IP datagram is 65535 bytes, if the link-layer 639 technology in use allows for payloads larger than 65535 bytes, an 640 attacker could forge such a large link-layer packet, meaning it for 641 the IP module. If the IP module of the receiving system were not 642 prepared to handle such an oversized link-layer payload, an 643 unexpected failure might occur. Therefore, the memory buffer used by 644 the IP module to store the link-layer payload should be allocated 645 according to the payload size reported by the link-layer, rather than 646 according to the Total Length field of the IP packet it contains. 648 The IP module could also be handed a packet that is smaller than the 649 actual IP packet size claimed by the Total Length field. This could 650 be used, for example, to produce an information leakage. Therefore, 651 the following check should be performed: 653 LinkLayer.PayloadSize >= Total Length 655 If this check fails, the IP packet should be dropped, and this event 656 should be logged (e.g., a counter could be incremented reflecting the 657 packet drop). As the previous expression implies, the number of 658 bytes passed by the link-layer to the IP module should contain at 659 least as many bytes as claimed by the Total Length field of the IP 660 header. 662 [US-CERT2002] is an example of the exploitation of a forged IP 663 Total Length field to produce an information leakage attack. 665 3.5. Identification (ID) 667 The Identification field is set by the sending host to aid in the 668 reassembly of fragmented datagrams. At any time, it needs to be 669 unique for each set of {Source Address, Destination Address, 670 Protocol}. 672 In many systems, the value used for this field is determined at the 673 IP layer, on a protocol-independent basis. Many of those systems 674 also simply increment the IP Identification field for each packet 675 they send. 677 This implementation strategy is inappropriate for a number of 678 reasons. Firstly, if the Identification field is set on a protocol- 679 independent basis, it will wrap more often than necessary, and thus 680 the implementation will be more prone to the problems discussed in 681 [Kent1987] and [RFC4963]. Secondly, this implementation strategy 682 opens the door to an information leakage that can be exploited in a 683 number of ways. 685 [Sanfilippo1998a] examined to determine the packet rate at which a 686 given system is transmitting information. Later, [Sanfilippo1998b] 687 described how a system with such an implementation can be used to 688 perform a stealth port scan to a third (victim) host. 689 [Sanfilippo1999] explained how to exploit this implementation 690 strategy to uncover the rules of a number of firewalls. 691 [Bellovin2002] explains how the IP Identification field can be 692 exploited to count the number of systems behind a NAT. [Fyodor2004] 693 is an entire paper on most (if not all) the ways to exploit the 694 information provided by the Identification field of the IP header. 696 Section 4.1 contains a discussion of the security implications of 697 the IP fragment reassembly mechanism, which is the primary 698 "consumer" of this field. 700 3.5.1. Some Workarounds Implemented by the Industry 702 As the IP Identification field is only used for the reassembly of 703 datagrams, some operating systems (such as Linux) decided to set this 704 field to 0 in all packets that have the DF bit set. This would, in 705 principle, avoid any type of information leakage. However, it was 706 detected that some non-RFC-compliant middle-boxes fragmented packets 707 even if they had the DF bit set. In such a scenario, all datagrams 708 originally sent with the DF bit set would all result in fragments 709 with an Identification field of 0, which would lead to problems 710 ("collision" of the Identification number) in the reassembly process. 712 Linux (and Solaris) later set the IP Identification field on a per- 713 IP-address basis. This avoids some of the security implications of 714 the IP Identification field, but not all. For example, systems 715 behind a load balancer can still be counted. 717 3.5.2. Possible security improvements 719 Contrary to common wisdom, the IP Identification field does not need 720 to be system-wide unique for each packet, but has to be unique for 721 each {Source Address, Destination Address, Protocol} tuple. 723 For instance, the TCP specification defines a generic send() 724 function which takes the IP ID as one of its arguments. 726 We provide an analysis of the possible security improvements that 727 could be implemented, based on whether the protocol using the 728 services of IP is connection-oriented or connection-less. 730 3.5.2.1. Connection-Oriented Transport Protocols 732 To avoid the security implications of the information leakage 733 described above, a pseudo-random number generator (PRNG) could be 734 used to set the IP Identification field on a {Source Address, 735 Destination Address} basis (for each connection-oriented transport 736 protocol). 738 [Klein2007] is a security advisory that describes a weakness in 739 the pseudo random number generator (PRNG) in use for the 740 generation of the IP Identification by a number of operating 741 systems. 743 While in theory a pseudo-random number generator could lead to 744 scenarios in which a given Identification number is used more than 745 once in the same time-span for datagrams that end up getting 746 fragmented (with the corresponding potential reassembly problems), in 747 practice this is unlikely to cause trouble. 749 By default, most implementations of connection-oriented protocols, 750 such as TCP, implement some mechanism for avoiding fragmentation 751 (such as the Path-MTU Discovery mechanism described in [RFC1191]). 752 Thus, fragmentation will only take place if a non-RFC-compliant 753 middle-box that still fragments packets even when the DF bit is set 754 is placed somewhere along the path that the packets travel to get to 755 the destination host. Once the sending system is signaled by the 756 middle-box (by means of an ICMP "fragmentation needed and DF bit set" 757 error message) that it should reduce the size of the packets it 758 sends, fragmentation would be avoided. Also, for reassembly problems 759 to arise, the same Identification value would need to be reused very 760 frequently, and either strong packet reordering or packet loss would 761 need to take place. 763 Nevertheless, regardless of what policy is used for selecting the 764 Identification field, with the current link speeds fragmentation is 765 already bad enough (i.e., very likely to lead to fragment reassembly 766 errors) to rely on it. A mechanism for avoiding fragmentation (such 767 as [RFC1191] or [RFC4821] should be implemented, instead. 769 3.5.2.2. Connectionless Transport Protocols 771 Connectionless transport protocols often have these characteristics: 773 o lack of flow-control mechanisms, 775 o lack of packet sequencing mechanisms, and/or, 777 o lack of reliability mechanisms (such as "timeout and retransmit"). 779 This basically means that the scenarios and/or applications for which 780 connection-less transport protocols are used assume that: 782 o Applications will be used in environments in which packet 783 reordering is very unlikely (such as Local Area Networks), as the 784 transport protocol itself does not provide data sequencing. 786 o The data transfer rates will be low enough that flow control will 787 be unnecessary. 789 o Packet loss is can be tolerated and/or is unlikely. 791 With these assumptions in mind, the Identification field could still 792 be set according to a pseudo-random number generator (PRNG). In the 793 event a given Identification number was reused while the first 794 instance of the same number is still on the network, the first IP 795 datagram would be reassembled before the fragments of the second IP 796 datagram get to their destination. 798 In the event this was not the case, the reassembly of fragments would 799 result in a corrupt datagram. While some existing work 800 [Silbersack2005] assumes that this error would be caught by some 801 upper-layer error detection code, the error detection code in 802 question (such as UDP's checksum) might not be able to reliably 803 detect data corruption arising from the replacement of a complete 804 data block (as is the case in corruption arising from collision of IP 805 Identification numbers). 807 In the case of UDP, unfortunately some systems have been known to 808 not enable the UDP checksum by default. For most applications, 809 packets containing errors should be dropped. Probably the only 810 application that may benefit from disabling the checksum is 811 streaming media, to avoid dropping a complete sample for a single- 812 bit error. 814 In general, if IP Identification number collisions become an issue 815 for the application using the connection-less protocol, the 816 application designers should consider using a different transport 817 protocol (which hopefully avoids fragmentation). 819 It must be noted that an attacker could intentionally exploit 820 collisions of IP Identification numbers to perform a Denial-of- 821 Service attack, by sending forged fragments that would cause the 822 reassembly process to result in a corrupt datagram that would either 823 be dropped by the transport protocol, or would incorrectly be handed 824 to the corresponding application. This issue is discussed in detail 825 in section 4.1 ("Fragment Reassembly"). 827 3.6. Flags 829 The IP header contains 3 control bits, two of which are currently 830 used for the fragmentation and reassembly function. 832 As described by RFC 791, their meaning is: 834 o Bit 0: reserved, must be zero (i.e., reserved for future 835 standardization) 837 o Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment 839 o Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments 841 The DF bit is usually set to implement the Path-MTU Discovery (PMTUD) 842 mechanism described in [RFC1191]. However, it can also be exploited 843 by an attacker to evade Network Intrusion Detection Systems. An 844 attacker could send a packet with the DF bit set to a system 845 monitored by a NIDS, and depending on the Path-MTU to the intended 846 recipient, the packet might be dropped by some intervening router 847 (because of being too big to be forwarded without fragmentation), 848 without the NIDS being aware of it. 850 +---+ 851 | H | 852 +---+ Victim host 853 | 854 Router A | MTU=1500 855 | 856 +---+ +---+ +---+ 857 | R |-----| R |---------| R | 858 +---+ +---+ +---+ 859 | MTU=17914 Router B 860 +---+ | 861 | S |-----+ 862 +---+ | 863 | 864 NIDS Sensor | 865 | 866 _ ___/---\______ Attacker 867 / \_/ \_ +---+ 868 / Internet |---------| H | 869 \_ __/ +---+ 870 \__ __ ___/ <------ 871 \___/ \__/ 17914-byte packet 872 DF bit set 874 Figure 5: NIDS evasion by means of the Internet Protocol DF bit 876 In Figure 3, an attacker sends a 17914-byte datagram meant to the 877 victim host in the same figure. The attacker's packet probably 878 contains an overlapping IP fragment or an overlapping TCP segment, 879 aiming at "confusing" the NIDS, as described in [Ptacek1998]. The 880 packet is screened by the NIDS sensor at the network perimeter, which 881 probably reassembles IP fragments and TCP segments for the purpose of 882 assessing the data transferred to and from the monitored systems. 883 However, as the attacker's packet should transit a link with an MTU 884 smaller than 17914 bytes (1500 bytes in this example), the router 885 that encounters that this packet cannot be forwarded without 886 fragmentation (Router B) discards the packet, and sends an ICMP 887 "fragmentation needed and DF bit set" error message to the source 888 host. In this scenario, the NIDS may remain unaware that the 889 screened packet never reached the intended destination, and thus get 890 an incorrect picture of the data being transferred to the monitored 891 systems. 893 [Shankar2003] introduces a technique named "Active Mapping" that 894 prevents evasion of a NIDS by acquiring sufficient knowledge about 895 the network being monitored, to assess which packets will arrive 896 at the intended recipient, and how they will be interpreted by it. 898 Some firewalls are known to drop packets that have both the MF (More 899 Fragments) and the DF (Don't fragment) bits set. While in principle 900 such a packet might seem nonsensical, there are a number of reasons 901 for which non-malicious packets with these two bits set can be found 902 in a network. First, they may exist as the result of some middle-box 903 processing a packet that was too large to be forwarded without 904 fragmentation. Instead of simply dropping the corresponding packet 905 and sending an ICMP error message to the source host, some middle- 906 boxes fragment the packet (copying the DF bit to each fragment), and 907 also send an ICMP error message to the originating system. Second, 908 some systems (notably Linux) set both the MF and the DF bits to 909 implement Path-MTU Discovery (PMTUD) for UDP. These scenarios should 910 be taken into account when configuring firewalls and/or tuning 911 Network Intrusion Detection Systems (NIDS). 913 Section 4.1 contains a discussion of the security implications of the 914 IP fragment reassembly mechanism. 916 3.7. Fragment Offset 918 The Fragment Offset is used for the fragmentation and reassembly of 919 IP datagrams. It indicates where in the original datagram payload 920 the payload of the fragment belongs, and is measured in units of 921 eight bytes. As a consequence, all fragments (except the last one), 922 have to be aligned on an 8-byte boundary. Therefore, if a packet has 923 the MF flag set, the following check should be enforced: 925 (Total Length - IHL * 4) % 8 == 0 927 If the packet does not pass this check, it should be dropped, and 928 this event should be logged (e.g., a counter could be incremented 929 reflecting the packet drop). 931 Given that Fragment Offset is a 13-bit field, it can hold a value of 932 up to 8191, which would correspond to an offset 65528 bytes within 933 the original (non-fragmented) datagram. As such, it is possible for 934 a fragment to implicitly claim to belong to a datagram larger than 935 65535 bytes (the maximum size for a legitimate IP datagram). Even 936 when the fragmentation mechanism would seem to allow fragments that 937 could reassemble into such large datagrams, the intent of the 938 specification is to allow for the transmission of datagrams of up to 939 65535 bytes. Therefore, if a given fragment would reassemble into a 940 datagram of more than 65535 bytes, the resulting datagram should be 941 dropped, and this event should be logged (e.g., a counter could be 942 incremented reflecting the packet drop). To detect such a case, the 943 following check should be enforced on all packets for which the 944 Fragment Offset contains a non-zero value: 946 Fragment Offset * 8 + (Total Length - IHL * 4) + IHL_FF * 4 <= 65535 948 where IHL_FF is the IHL field of the first fragment (the one with a 949 Fragment Offset of 0). 951 If a fragment does not pass this check, it should be dropped. 953 If IHL_FF is not yet available because the first fragment has not yet 954 arrived, for a preliminary, less rigid test, IHL_FF == IHL should be 955 assumed, and the test is simplified to: 957 Fragment Offset * 8 + Total Length <= 65535 959 Once the first fragment is received, the full sanity check described 960 earlier should be applied, if that fragment contains "don't copy" 961 options. 963 In the worst-case scenario, an attacker could craft IP fragments such 964 that the reassembled datagram reassembled into a datagram of 131043 965 bytes. 967 Such a datagram would result when the first fragment has a 968 Fragment Offset of 0 and a Total Length of 65532, and the second 969 (and last) fragment has a Fragment Offset of 8189 (65512 bytes), 970 and a Total Length of 65535. Assuming an IHL of 5 (i.e., a header 971 length of 20 bytes), the reassembled datagram would be 65532 + 972 (65535 - 20) = 131047 bytes. 974 Additionally, the IP module should implement all the necessary 975 measures to be able to handle such illegitimate reassembled 976 datagrams, so as to avoid them from overflowing the buffer(s) used 977 for the reassembly function. 979 [CERT1996c] and [Kenney1996] describe the exploitation of this 980 issue to perform a Denial-of-Service (DoS) attack. 982 Section 4.1 contains a discussion of the security implications of the 983 IP fragment reassembly mechanism. 985 3.8. Time to Live (TTL) 987 The Time to Live (TTL) field has two functions: to bound the lifetime 988 of the upper-layer packets (e.g., TCP segments) and to prevent 989 packets from looping indefinitely in the network. 991 Originally, this field was meant to indicate the maximum time a 992 datagram was allowed to remain in the internet system, in units of 993 seconds. As every internet module that processes a datagram must 994 decrement the TTL by at least one, the original definition of the TTL 995 field became obsolete, and in practice it is interpreted as a hop 996 count (see Section 5.3.1 of [RFC1812]). 998 Most systems allow the administrator to configure the TTL to be used 999 for the packets they originate, with the default value usually being 1000 a power of 2, or 255 (see e.g. [Arkin2000]). The recommended value 1001 for the TTL field, as specified by the IANA is 64 [IANA2006b]. This 1002 value reflects the assumed "diameter" of the Internet, plus a margin 1003 to accommodate its growth. 1005 The TTL field has a number of properties that are interesting from a 1006 security point of view. Given that the default value used for the 1007 TTL is usually either a power of two, or 255, chances are that unless 1008 the originating system has been explicitly tuned to use a non-default 1009 value, if a packet arrives with a TTL of 60, the packet was 1010 originally sent with a TTL of 64. In the same way, if a packet is 1011 received with a TTL of 120, chances are that the original packet had 1012 a TTL of 128. 1014 This discussion assumes there was no protocol scrubber, 1015 transparent proxy, or some other middle-box that overwrites the 1016 TTL field in a non-standard way, between the originating system 1017 and the point of the network in which the packet was received. 1019 Determining the TTL with which a packet was originally sent by the 1020 source system can help to obtain valuable information. Among other 1021 things, it may help in: 1023 o Fingerprinting the originating operating system. 1025 o Fingerprinting the originating physical device. 1027 o Mapping the network topology. 1029 o Locating the source host in the network topology. 1031 o Evading Network Intrusion Detection Systems. 1033 However, it can also be used to perform important functions such as: 1035 o Improving the security of applications that make use of the 1036 Internet Protocol (IP). 1038 o Limiting spread of packets. 1040 3.8.1. Fingerprinting the operating system in use by the source host 1042 Different operating systems use a different default TTL for the 1043 packets they send. Thus, asserting the TTL with which a packet was 1044 originally sent will help heuristics to reduce the number of possible 1045 operating systems in use by the source host. 1047 However, these defaults may be configurable (system-wide or per 1048 protocol) and managed systems may employ such opportunities for 1049 operational purposes and to defeat the capability of fingerprinting 1050 heuristics. 1052 3.8.2. Fingerprinting the physical device from which the packets 1053 originate 1055 When several systems are behind a middle-box such as a NAT or a load 1056 balancer, the TTL may help to count the number of systems behind the 1057 middle-box. If each of the systems behind the middle-box uses a 1058 different default TTL value for the packets it sends, or each system 1059 is located at different distances in the network topology, an 1060 attacker could stimulate responses from the devices being 1061 fingerprinted, and responses that arrive with different TTL values 1062 could be assumed to come from a different devices. 1064 Of course, there are many other (and much more precise) techniques 1065 to fingerprint physical devices. One weakness of this method is 1066 that, while many systems differ in the default TTL value that they 1067 use, there are also many implementations which use the same 1068 default TTL value. Additionally, packets sent by a given device 1069 may take different routes (e.g., due to load sharing or route 1070 changes), and thus a given packet may incorrectly be presumed to 1071 come from a different device, when in fact it just traveled a 1072 different route. 1074 However, these defaults may be configurable (system-wide or per 1075 protocol) and managed systems may employ such opportunities for 1076 operational purposes and to defeat the capability of fingerprinting 1077 heuristics. 1079 3.8.3. Mapping the Network Topology 1081 An originating host may set the TTL field of the packets it sends to 1082 progressively increasing values in order to elicit an ICMP error 1083 message from the routers that decrement the TTL of each packet to 1084 zero, and thereby determine the IP addresses of the routers on the 1085 path to the packet's destination. This procedure has been 1086 traditionally employed by the traceroute tool. 1088 3.8.4. Locating the source host in the network topology 1090 The TTL field may also be used to locate the source system in the 1091 network topology [Northcutt2000]. 1093 +---+ +---+ +---+ +---+ +---+ 1094 | A |-----| R |------| R |----| R |-----| R | 1095 +---+ +---+ +---+ +---+ +---+ 1096 / | / \ 1097 / | / \ 1098 / | / +---+ 1099 / +---+ +---+ +---+ | E | 1100 / | R |----| R |------| R |-- +---+ 1101 / +---+ +---+\ +---+ \ 1102 / / / \ \ \ 1103 / ---- / +---+ \ \+---+ 1104 / / / | F | \ | D | 1105 +---+ +---+ +---+ \ +---| 1106 | R |----------| R |-- \ 1107 +---+ +---+ \ \ 1108 | \ / \ +---+| +---+ 1109 | \ / ----| R |------| R | 1110 | \ / +---+ +---+ 1111 +---+ \ +---+ +---+ 1112 | B | \| R |----| C | 1113 +---+ +---+ +---+ 1115 Figure 6: Tracking a host by means of the TTL field 1117 Consider network topology of Figure 6. Assuming that an attacker 1118 ("F" in the figure) is performing some type of attack that requires 1119 forging the Source Address (such as for a TCP-based DoS reflection 1120 attack), and some of the involved hosts are willing to cooperate to 1121 locate the attacking system. 1123 Assuming that: 1125 o All the packets A gets have a TTL of 61. 1127 o All the packets B gets have a TTL of 61. 1129 o All the packets C gets have a TTL of 61. 1131 o All the packets D gets have a TTL of 62. 1133 Based on this information, and assuming that the system's default 1134 value was not overridden, it would be fair to assume that the 1135 original TTL of the packets was 64. With this information, the 1136 number of hops between the attacker and each of the aforementioned 1137 hosts can be calculated. 1139 The attacker is: 1141 o Four hops away from A. 1143 o Four hops away from B. 1145 o Four hops away from C. 1147 o Four hops away from D. 1149 In the network setup of Figure 3, the only system that satisfies all 1150 these conditions is the one marked as the "F". 1152 The scenario described above is for illustration purposes only. In 1153 practice, there are a number of factors that may prevent this 1154 technique from being successfully applied: 1156 o Unless there is a "large" number of cooperating systems, and the 1157 attacker is assumed to be no more than a few hops away from these 1158 systems, the number of "candidate" hosts will usually be too large 1159 for the information to be useful. 1161 o The attacker may be using a non-default TTL value, or, what is 1162 worse, using a pseudo-random value for the TTL of the packets it 1163 sends. 1165 o The packets sent by the attacker may take different routes, as a 1166 result of a change in network topology, load sharing, etc., and 1167 thus may lead to an incorrect analysis. 1169 3.8.5. Evading Network Intrusion Detection Systems 1171 The TTL field can be used to evade Network Intrusion Detection 1172 Systems. Depending on the position of a sensor relative to the 1173 destination host of the examined packet, the NIDS may get a different 1174 picture from that of the intended destination system. As an example, 1175 a sensor may process a packet that will expire before getting to the 1176 destination host. A general countermeasure for this type of attack 1177 is to normalize the traffic that gets to an organizational network. 1178 Examples of such traffic normalization can be found in [Paxson2001]. 1179 OpenBSD Packet Filter is an example of a packet filter that includes 1180 TTL-normalization functionality [OpenBSD-PF] 1182 3.8.6. Improving the security of applications that make use of the 1183 Internet Protocol (IP) 1185 In some scenarios, the TTL field can be also used to improve the 1186 security of an application, by restricting the hosts that can 1187 communicate with the given application [RFC5082]. For example, there 1188 are applications for which the communicating systems are typically in 1189 the same network segment (i.e., there are no intervening routers). 1190 Such an application is the BGP (Border Gateway Protocol) utilized by 1191 two peer routers (usually on a shared link medium). 1193 If both systems use a TTL of 255 for all the packets they send to 1194 each other, then a check could be enforced to require all packets 1195 meant for the application in question to have a TTL of 255. 1197 As all packets sent by systems that are not in the same network 1198 segment will have a TTL smaller than 255, those packets will not pass 1199 the check enforced by these two cooperating peers. This check 1200 reduces the set of systems that may perform attacks against the 1201 protected application (BGP in this case), thus mitigating the attack 1202 vectors described in [NISCC2004] and [Watson2004]. 1204 This same check is enforced for related ICMP error messages, with 1205 the intent of mitigating the attack vectors described in 1206 [NISCC2005] and [I-D.ietf-tcpm-icmp-attacks]. 1208 The TTL field can be used in a similar way in scenarios in which the 1209 cooperating systems are not in the same network segment (i.e., multi- 1210 hop peering). In that case, the following check could be enforced: 1212 TTL >= 255 - DeltaHops 1214 This means that the set of hosts from which packets will be accepted 1215 for the protected application will be reduced to those that are no 1216 more than DeltaHops away. While for obvious reasons the level of 1217 protection will be smaller than in the case of directly-connected 1218 peers, the use of the TTL field for protecting multi-hop peering 1219 still reduces the set of hosts that could potentially perform a 1220 number of attacks against the protected application. 1222 This use of the TTL field has been officially documented by the IETF 1223 under the name "Generalized TTL Security Mechanism" (GTSM) in 1224 [RFC5082]. 1226 Some protocol scrubbers enforce a minimum value for the TTL field of 1227 the packets they forward. It must be understood that depending on 1228 the minimum TTL being enforced, and depending on the particular 1229 network setup, the protocol scrubber may actually help attackers to 1230 fool the GTSM, by "raising" the TTL of the attacking packets. 1232 3.8.7. Limiting spread 1234 The originating host sets the TTL field to a small value (frequently 1235 1, for link-scope services) in order to artifically limit the 1236 (topological) distance the packet is allowed to travel. This is 1237 suggested in Section 4.2.2.9 of RFC 1812 [RFC1812]. Further 1238 discussion of this technique can be found in in RFC 1112 [RFC1112]. 1240 3.9. Protocol 1242 The Protocol field indicates the protocol encapsulated in the 1243 internet datagram. The Protocol field may not only contain a value 1244 corresponding to a protocol implemented by the system processing the 1245 packet, but also a value corresponding to a protocol not implemented, 1246 or even a value not yet assigned by the IANA [IANA2006c]. 1248 While in theory there should not be security implications from the 1249 use of any value in the protocol field, there have been security 1250 issues in the past with systems that had problems when handling 1251 packets with some specific protocol numbers [Cisco2003] [CERT2003]. 1253 A host (i.e., end-system) that receives an IP packet encapsulating a 1254 Protocol it does not support should drop the corresponding packet, 1255 log the event, and possibly send an ICMP Protocol Unreachable (type 1256 3, code 2) error message. 1258 3.10. Header Checksum 1260 The Header Checksum field is an error detection mechanism meant to 1261 detect errors in the IP header. While in principle there should not 1262 be security implications arising from this field, it should be noted 1263 that due to non-RFC-compliant implementations, the Header Checksum 1264 might be exploited to detect firewalls and/or evade network intrusion 1265 detection systems (NIDS). 1267 [Ed3f2002] describes the exploitation of the TCP checksum for 1268 performing such actions. As there are internet routers known to not 1269 check the IP Header Checksum, and there might also be middle-boxes 1270 (NATs, firewalls, etc.) not checking the IP checksum allegedly due to 1271 performance reasons, similar malicious activity to the one described 1272 in [Ed3f2002] might be performed with the IP checksum. 1274 3.11. Source Address 1276 The Source Address of an IP datagram identifies the node from which 1277 the packet originated. 1279 Strictly speaking, the Source Address of an IP datagram identifies 1280 the interface of the sending system from which the packet was 1281 sent, (rather than the originating "system"), as in the Internet 1282 Architecture there's no concept of "node address". 1284 Unfortunately, it is trivial to forge the Source Address of an 1285 Internet datagram because of the apparent lack of consistent "egress 1286 filtering" near the edge of the network. This has been exploited in 1287 the past for performing a variety of DoS (Denial of Service) attacks 1288 [NISCC2004] [RFC4987] [CERT1996a] [CERT1996b] [CERT1998a], and to 1289 impersonate as other systems in scenarios in which authentication was 1290 based on the Source Address of the sending system [daemon91996]. 1292 The extent to which these attacks can be successfully performed in 1293 the Internet can be reduced through deployment of ingress/egress 1294 filtering in the internet routers. [NISCC2006] is a detailed guide 1295 on ingress and egress filtering. [RFC2827] and [RFC3704] discuss 1296 ingress filtering. [GIAC2000] discusses egress filtering. 1297 [SpooferProject] measures the Internet's susceptibility to forged 1298 Source Address IP packets. 1300 Even when the obvious field on which to perform checks for 1301 ingress/egress filtering is the Source Address and Destination 1302 Address fields of the IP header, there are other occurrences of IP 1303 addresses on which the same type of checks should be performed. 1304 One example is the IP addresses contained in the payload of ICMP 1305 error messages, as discussed in [I-D.ietf-tcpm-icmp-attacks] and 1306 [Gont2006]. 1308 There are a number of sanity checks that should be performed on the 1309 Source Address of an IP datagram. Details can be found in Section 1310 4.2 ("Addressing"). 1312 Additionally, there exist freely available tools that allow 1313 administrators to monitor which IP addresses are used with which MAC 1314 addresses [LBNL2006]. This functionality is also included in many 1315 Network Intrusion Detection Systems (NIDS). 1317 It is also very important to understand that authentication should 1318 never rely solely on the Source Address used by the communicating 1319 systems. 1321 3.12. Destination Address 1323 The Destination Address of an IP datagram identifies the destination 1324 host to which the packet is meant to be delivered. 1326 Strictly speaking, the Destination Address of an IP datagram 1327 identifies the interface of the destination network interface, 1328 rather than the destination "system", as in the Internet 1329 Architecture there's no concept of "node address". 1331 There are a number of sanity checks that should be performed on the 1332 Destination Address of an IP datagram. Details can be found in 1333 Section 4.2 ("Addressing"). 1335 3.13. Options 1337 According to RFC 791, IP options must be implemented by all IP 1338 modules, both in hosts and gateways (i.e., end-systems and 1339 intermediate-systems). This means that the general rules for 1340 assembling, parsing, and processing of IP options must be 1341 implemented. RFC 791 defines a set of options that "must be 1342 understood", but this set has been updated by RFC 1122 [RFC1122], RFC 1343 1812 [RFC1812], and other documents. Section 3.13.2 of this document 1344 describes for each option type the current understanding of the 1345 implementation requirements. IP systems are required to ignore 1346 options they do not implement. 1348 There are two cases for the format of an option: 1350 o Case 1: A single byte of option-type. 1352 o Case 2: An option-type byte, an option-length byte, and the actual 1353 option-data bytes. 1355 In Case 2, the option-length byte counts the option-type byte and the 1356 option-length byte, as well as the actual option-data bytes. 1358 All current and future options except "End of Option List" (Type = 0) 1359 and "No Operation" (Type = 1), are of Class 2. 1361 The option-type has three fields: 1363 o 1 bit: copied flag. 1365 o 2 bits: option class. 1367 o 5 bits: option number. 1369 This format allows for the creation of new options for the extension 1370 of the Internet Protocol (IP) and their transparent treatment on 1371 intermediate systems that do not "understand" them, under direction 1372 of the first three functional parts. 1374 The copied flag indicates whether this option should be copied to all 1375 fragments in the event the packet carrying it needs to be fragmented: 1377 o 0 = not copied. 1379 o 1 = copied. 1381 The values for the option class are: 1383 o 0 = control. 1385 o 1 = reserved for future use. 1387 o 2 = debugging and measurement. 1389 o 3 = reserved for future use. 1391 Finally, the option number identifies the syntax of the rest of the 1392 option. 1394 [IANA2006b] contains the list of the currently assigned IP option 1395 numbers. It should be noted that IP systems are required to ignore 1396 those options they do not implement. 1398 3.13.1. General issues with IP options 1400 The following subsections discuss security issues that apply to all 1401 IP options. The proposed checks should be performed in addition to 1402 any option-specific checks proposed in the next sections. 1404 3.13.1.1. Processing requirements 1406 Router manufacturers tend to do IP option processing on the main 1407 processor, rather than on line cards. Unless special care is taken, 1408 this represents Denial of Service (DoS) risk, as there is potential 1409 for overwhelming the router with option processing. 1411 To reduce the impact of these packets on the system performance, a 1412 few countermeasures could be implemented: 1414 o Rate-limit the number of packets with IP options that are 1415 processed by the system. 1417 o Enforce a limit on the maximum number of options to be accepted on 1418 a given internet datagram. 1420 The first check avoids a flow of packets with IP options to overwhelm 1421 the system in question. The second check avoids packets with many IP 1422 options to affect the performance of the system. 1424 3.13.1.2. Processing of the options by the upper layer protocol 1426 Section 3.2.1.8 of RFC 1122 [RFC1122] states that all the IP options 1427 received in IP datagrams must be passed to the transport layer (or to 1428 ICMP processing when the datagram is an ICMP message). Therefore, 1429 care in option processing must be taken not only at the internet 1430 layer, but also in every protocol module that may end up processing 1431 the options included in an IP datagram. 1433 3.13.1.3. General sanity checks on IP options 1435 There are a number of sanity checks that should be performed on IP 1436 options before further option processing is done. They help prevent 1437 a number of potential security problems, including buffer overflows. 1438 When these checks fail, the packet carrying the option should be 1439 dropped, and this event should be logged (e.g., a counter could be 1440 incremented to reflect the packet drop). 1442 RFC 1122 [RFC1122] recommends to send an ICMP "Parameter Problem" 1443 message to the originating system when a packet is dropped because of 1444 an invalid value in a field, such as the cases discussed in the 1445 following subsections. Sending such a message might help in 1446 debugging some network problems. However, it would also alert 1447 attackers about the system that is dropping packets because of the 1448 invalid values in the protocol fields. 1450 We advice that systems default to sending an ICMP "Parameter Problem" 1451 error message when a packet is dropped because of an invalid value in 1452 a protocol field (e.g., as a result of dropping a packet due to the 1453 sanity checks described in this section). However, we recommend that 1454 systems provide a system-wide toggle that allows an administrator to 1455 override the default behavior so that packets can be silently dropped 1456 when an invalid value in a protocol field is encountered. 1458 Option length 1460 Section 3.2.1.8 of RFC 1122 explicitly states that the IP layer 1461 must not crash as the result of an option length that is outside 1462 the possible range, and mentions that erroneous option lengths 1463 have been observed to put some IP implementations into infinite 1464 loops. 1466 For options that belong to the "Case 2" described in the previous 1467 section, the following check should be performed: 1469 option-length >= 2 1471 The value "2" accounts for the option-type byte, and the 1472 option-length byte. 1474 This check prevents, among other things, loops in option 1475 processing that may arise from incorrect option lengths. 1477 Additionally, while the option-length byte of IP options of 1478 "Case 2" allows for an option length of up to 255 bytes, there is 1479 a limit on legitimate option length imposed by the space available 1480 for options in the IP header. 1482 For all options of "Case 2", the following check should be 1483 enforced: 1485 option-offset + option-length <= IHL * 4 1487 Where option-offset is the offset of the first byte of the option 1488 within the IP header, with the first byte of the IP header being 1489 assigned an offset of 0. 1491 This check assures that the option does not claim to extend beyond 1492 the IP header. If the packet does not pass this check, it should 1493 be dropped, and this event should be logged (e.g., a counter could 1494 be incremented to reflect the packet drop). 1496 The aforementioned check is meant to detect forged option-length 1497 values that might make an option overlap with the IP payload. 1498 This would be particularly dangerous for those IP options which 1499 request the processing systems to write information into the 1500 option-data area (such as the Record Route option), as it would 1501 allow the generation of overflows. 1503 Data types 1505 Many IP options use pointer and length fields. Care must be taken 1506 as to the data type used for these fields in the implementation. 1507 For example, if an 8-bit signed data type were used to hold an 1508 8-bit pointer, then, pointer values larger than 128 might 1509 mistakenly be interpreted as negative numbers, and thus might lead 1510 to unpredictable results. 1512 3.13.2. Issues with specific options 1513 3.13.2.1. End of Option List (Type=0) 1515 This option is used to indicate the "end of options" in those cases 1516 in which the end of options would not coincide with the end of the 1517 Internet Protocol Header. Octets in the IP header following the "End 1518 of Option List" are to be regarded as padding (they should set to 0 1519 by the originator and must to be ignored by receiving nodes). 1521 However, an originating node could alternatively fill the remaining 1522 space in the Internet header with No Operation options (see 1523 Section 3.13.2.2). The End of Option List option allows slightly 1524 more efficient parsing on receiving nodes and should be preferred by 1525 packet originators. All IP systems are required to understand both 1526 encodings. 1528 3.13.2.2. No Operation (Type=1) 1530 The no-operation option is basically meant to allow the sending 1531 system to align subsequent options in, for example, 32-bit 1532 boundaries, but it can also be used at the end of the options (se 1533 Section Section 3.13.2.1). 1535 With a single exception (see Section 3.13.2.13 below), this option is 1536 the only IP option defined so far that can occur in multiple 1537 instances in a single IP packet. 1539 This option does not have security implications. 1541 3.13.2.3. Loose Source and Record Route (LSRR) (Type=131) 1543 This option lets the originating system specify a number of 1544 intermediate systems a packet must pass through to get to the 1545 destination host. Additionally, the route followed by the packet is 1546 recorded in the option. The receiving host (end-system) must use the 1547 reverse of the path contained in the received LSRR option. 1549 The LSSR option can be of help in debugging some network problems. 1550 Some ISP (Internet Service Provider) peering agreements require 1551 support for this option in the routers within the peer of the ISP. 1553 The LSRR option has well-known security implications. Among other 1554 things, the option can be used to: 1556 o Bypass firewall rules 1558 o Reach otherwise unreachable internet systems 1559 o Establish TCP connections in a stealthy way 1561 o Learn about the topology of a network 1563 o Perform bandwidth-exhaustion attacks 1565 Of these attack vectors, the one that has probably received least 1566 attention is the use of the LSRR option to perform bandwidth 1567 exhaustion attacks. The LSRR option can be used as an amplification 1568 method for performing bandwidth-exhaustion attacks, as an attacker 1569 could make a packet bounce multiple times between a number of systems 1570 by carefully crafting an LSRR option. 1572 This is the IPv4-version of the IPv6 amplification attack that was 1573 widely publicized in 2007 [Biondi2007]. The only difference is 1574 that the maximum length of the IPv4 header (and hence the LSRR 1575 option) limits the amplification factor when compared to the IPv6 1576 counter-part. 1578 While the LSSR option may be of help in debugging some network 1579 problems, its security implications outweigh any legitimate use. 1581 All systems should, by default, drop IP packets that contain an LSRR 1582 option, and should log this event (e.g., a counter could be 1583 incremented to reflect the packet drop). However, they should 1584 provide a system-wide toggle to enable support for this option for 1585 those scenarios in which this option is required. Such system-wide 1586 toggle should default to "off" (or "disable"). 1588 [OpenBSD1998] is a security advisory about an improper 1589 implementation of such a system-wide toggle in 4.4BSD kernels. 1591 Section 3.3.5 of RFC 1122 [RFC1122] states that a host may be able to 1592 act as an intermediate hop in a source route, forwarding a source- 1593 routed datagram to the next specified hop. We strongly discourage 1594 host software from forwarding source-routed datagrams. 1596 If processing of source-routed datagrams is explicitly enabled in a 1597 system, the following sanity checks should be performed. 1599 RFC 791 states that this option should appear, at most, once in a 1600 given packet. Thus, if a packet contains more than one LSRR option, 1601 it should be dropped, and this event should be logged (e.g., a 1602 counter could be incremented to reflect the packet drop). 1603 Additionally, packets containing a combination of LSRR and SSRR 1604 options should be dropped, and this event should be logged (e.g., a 1605 counter could be incremented to reflect the packet drop). 1607 As all other IP options of "Case 2", the LSSR contains a Length field 1608 that indicates the length of the option. Given the format of the 1609 option, the Length field should be checked to have a minimum value of 1610 three and be 3 (3 + n*4): 1612 LSRR.Length % 4 == 3 && LSRR.Length != 0 1614 If the packet does not pass this check, it should be dropped, and 1615 this event should be logged (e.g., a counter could be incremented to 1616 reflect the packet drop). 1618 The Pointer is relative to this option. Thus, the minimum legal 1619 value is 4. Therefore, the following check should be performed. 1621 LSRR.Pointer >= 4 1623 If the packet does not pass this check, it should be dropped, and 1624 this event should be logged (e.g., a counter could be incremented to 1625 reflect the packet drop). Additionally, the Pointer field should be 1626 a multiple of 4. Consequently, the following check should be 1627 performed: 1629 LSRR.Pointer % 4 == 0 1631 If a packet does not pass this check, it should be dropped, and this 1632 event should be logged (e.g., a counter could be incremented to 1633 reflect the packet drop). 1635 When a system receives an IP packet with the LSRR option passing the 1636 above checks, it should check whether the source route is empty or 1637 not. The option is empty if: 1639 LSRR.Pointer > LSRR.Length 1641 In that case, routing should be based on the Destination Address 1642 field, and no further processing should be done on the LSRR option. 1644 [Microsoft1999] is a security advisory about a vulnerability 1645 arising from improper validation of the LSRR.Pointer field. 1647 If the address in the Destination Address field has been reached, and 1648 the option is not empty, the next address in the source route 1649 replaces the address in the Destination Address field, and the IP 1650 address of the interface that will be used to forward this datagram 1651 is recorded in its place in the LSRR.Data field. Then, the 1652 LSRR.Pointer. is incremented by 4. 1654 Note that the sanity checks for the LSRR.Length and the 1655 LSRR.Pointer fields described above ensure that if the option is 1656 not empty, there will be (4*n) octets in the option. That is, 1657 there will be at least one IP address to read, and enough room to 1658 record the IP address of the interface that will be used to 1659 forward this datagram. 1661 The LSRR must be copied on fragmentation. This means that if a 1662 packet that carries the LSRR is fragmented, each of the fragments 1663 will have to go through the list of systems specified in the LSRR 1664 option. 1666 3.13.2.4. Strict Source and Record Route (SSRR) (Type=137) 1668 This option allows the originating system to specify a number of 1669 intermediate systems a packet must pass through to get to the 1670 destination host. Additionally, the route followed by the packet is 1671 recorded in the option, and the destination host (end-system) must 1672 use the reverse of the path contained in the received SSRR option. 1674 This option is similar to the Loose Source and Record Route (LSRR) 1675 option, with the only difference that in the case of SSRR, the route 1676 specified in the option is the exact route the packet must take 1677 (i.e., no other intervening routers are allowed to be in the route). 1679 The SSSR option can be of help in debugging some network problems. 1680 Some ISP (Internet Service Provider) peering agreements require 1681 support for this option in the routers within the peer of the ISP. 1683 The SSRR option has the same security implications as the LSRR 1684 option. Please refer to Section 3.13.2.3 for a discussion of such 1685 security implications. 1687 As with the LSRR, while the SSSR option may be of help in debugging 1688 some network problems, its security implications outweigh any 1689 legitimate use of it. 1691 All systems should, by default, drop IP packets that contain an SSRR 1692 option, and should log this event (e.g., a counter could be 1693 incremented to reflect the packet drop). However, they should 1694 provide a system-wide toggle to enable support for this option for 1695 those scenarios in which this option is required. Such system-wide 1696 toggle should default to "off" (or "disable"). 1698 [OpenBSD1998] is a security advisory about an improper 1699 implementation of such a system-wide toggle in 4.4BSD kernels. 1701 In the event processing of the SSRR option were explicitly enabled, 1702 the same sanity checks described for the LSRR option in 1703 Section 3.13.2.3 should be performed on the SSRR option. Namely, 1704 sanity checks shoudl be performed on the option length (SSRR.Length) 1705 and the pointer field (SSRR.Pointer). 1707 If the packet passes the aforementioned sanity checks, the receiving 1708 system should determine whether the Destination Address of the packet 1709 corresponds to one of its IP addresses. If does not, it should be 1710 dropped, and this event should be logged (e.g., a counter could be 1711 incremented to reflect the packet drop). 1713 Contrary to the IP Loose Source and Record Route (LSRR) option, 1714 the SSRR option does not allow in the route other routers than 1715 those contained in the option. If the system implements the weak 1716 end-system model, it is allowed for the system to receive a packet 1717 destined to any of its IP addresses, on any of its interfaces. If 1718 the system implements the strong end-system model, a packet 1719 destined to it can be received only on the interface that 1720 corresponds to the IP address contained in the Destination Address 1721 field [RFC1122]. 1723 If the packet passes this check, the receiving system should 1724 determine whether the source route is empty or not. The option is 1725 empty if: 1727 SSRR.Pointer > SSRR.Length 1729 In that case, if the address in the destination field has not been 1730 reached, the packet should be dropped, and this event should be 1731 logged (e.g., a counter could be incremented to reflect the packet 1732 drop). 1734 [Microsoft1999] is a security advisory about a vulnerability 1735 arising from improper validation of the SSRR.Pointer field. 1737 If the option is not empty, and the address in the Destination 1738 Address field has been reached, the next address in the source route 1739 replaces the address in the Destination Address field, and the IP 1740 address of the interface that will be used to forward this datagram 1741 is recorded in its place in the source route (SSRR.Data field). 1742 Then, the SSRR.Pointer is incremented by 4. 1744 Note that the sanity checks for the SSRR.Length and the 1745 SSRR.Pointer fields described above ensure that if the option is 1746 not empty, there will be (4*n) octets in the option. That is, 1747 there will be at least one IP address to read, and enough room to 1748 record the IP address of the interface that will be used to 1749 forward this datagram. 1751 The SSRR option must be copied on fragmentation. This means that if 1752 a packet that carries the SSRR is fragmented, each of the fragments 1753 will have to go through the list of systems specified in the SSRR 1754 option. 1756 3.13.2.5. Record Route (Type=7) 1758 This option provides a means to record the route that a given packet 1759 follows. 1761 The option begins with an 8-bit option code, which is equal to 7. 1762 The second byte is the option length, which includes the option-type 1763 byte, the option-length byte, the pointer byte, and the actual 1764 option-data. The third byte is a pointer into the route data, 1765 indicating the first byte of the area in which to store the next 1766 route data. The pointer is relative to the option start. 1768 RFC 791 states that this option should appear, at most, once in a 1769 given packet. Therefore, if a packet has more than one instance of 1770 this option, it should be dropped, and this event should be logged 1771 (e.g., a counter could be incremented to reflect the packet drop). 1773 The same sanity checks performed for the Length field and the Pointer 1774 field of the LSRR and the SSRR options should be performed on the 1775 Length field (RR.Length) and the Pointer field (RR.Pointer) of the RR 1776 option. As with the LSRR and SSRR options, if the packet does not 1777 pass these checks it should be dropped, and this event should be 1778 logged (e.g., a counter could be incremented to reflect the packet 1779 drop). 1781 When a system receives an IP packet with the Record Route option that 1782 passes the above checks, it should check whether there is space in 1783 the option to store route information. The option is full if: 1785 RR.Pointer > RR.Length 1787 If the option is full, the datagram should be forwarded without 1788 further processing of this option. 1790 If the option is not full (i.e., RR.Pointer <= RR.Length), the IP 1791 address of the interface that will be used to forward this datagram 1792 should be recorded into the area pointed to by the RR.Pointer, and 1793 RR.Pointer should then incremented by 4. 1795 This option is not copied on fragmentation, and thus appears in the 1796 first fragment only. If a fragment other than the one with offset 0 1797 contains the Record Route option, it should be dropped, and this 1798 event should be logged (e.g., a counter could be incremented to 1799 reflect the packet drop). 1801 The Record Route option can be exploited to learn about the topology 1802 of a network. However, the limited space in the IP header limits the 1803 usefulness of this option for that purpose if the target network is 1804 several hops away. 1806 3.13.2.6. Stream Identifier (Type=136) 1808 The Stream Identifier option originally provided a means for the 16- 1809 bit SATNET stream Identifier to be carried through networks that did 1810 not support the stream concept. 1812 However, as stated by Section 4.2.2.1 of RFC 1812 [RFC1812], this 1813 option is obsolete. Therefore, it must be ignored by the processing 1814 systems. 1816 In the case of legacy systems still using this option, the length 1817 field of the option should be checked to be 4. If the option does 1818 not pass this check, it should be dropped, and this event should be 1819 logged (e.g., a counter could be incremented to reflect the packet 1820 drop). 1822 RFC 791 states that this option appears at most once in a given 1823 datagram. Therefore, if a packet contains more than one instance of 1824 this option, it should be dropped, and this event should be logged 1825 (e.g., a counter could be incremented to reflect the packet drop). 1827 3.13.2.7. Internet Timestamp (Type=68) 1829 This option provides a means for recording the time at which each 1830 system processed this datagram. The timestamp option has a number of 1831 security implications. Among them are: 1833 o It allows an attacker to obtain the current time of the systems 1834 that process the packet, which the attacker may find useful in a 1835 number of scenarios. 1837 o It may be used to map the network topology, in a similar way to 1838 the IP Record Route option. 1840 o It may be used to fingerprint the operating system in use by a 1841 system processing the datagram. 1843 o It may be used to fingerprint physical devices, by analyzing the 1844 clock skew. 1846 Therefore, by default, the timestamp option should be ignored. 1848 For those systems that have been explicitly configured to honor this 1849 option, the rest of this subsection describes some sanity checks that 1850 should be enforced on the option before further processing. 1852 The option begins with an option-type byte, which must be equal to 1853 68. The second byte is the option-length, which includes the option- 1854 type byte, the option-length byte, the pointer, and the overflow/flag 1855 byte. The minimum legal value for the option-length byte is 4, which 1856 corresponds to an Internet Timestamp option that is empty (no space 1857 to store timestamps). Therefore, upon receipt of a packet that 1858 contains an Internet Timestamp option, the following check should be 1859 performed: 1861 IT.Length >= 4 1863 If the packet does not pass this check, it should be dropped, and 1864 this event should be logged (e.g., a counter could be incremented to 1865 reflect the packet drop). 1867 The Pointer is an index within this option, counting the option type 1868 octet as octet #1. It points to the first byte of the area in which 1869 the next timestamp data should be stored and thus, the minimum legal 1870 value is 5. Since the only change of the Pointer allowed by RFC 791 1871 is incrementing it by 4 or 8, the following checks should be 1872 performed on the Internet Timestamp option, depending on the Flag 1873 value (see below). 1875 If IT.Flag is equal to 0, the following check should be performed: 1877 IT.Pointer %4 == 1 && IT.Pointer != 1 1879 If the packet does not pass this check, it should be dropped, and 1880 this event should be logged (e.g., a counter could be incremented to 1881 reflect the packet drop). 1883 Otherwise, the following sanity check should be performed on the 1884 option: 1886 IT.Pointer % 8 == 5 1888 If the packet does not pass this check, it should be dropped, and 1889 this event should be logged (e.g., a counter could be incremented to 1890 reflect the packet drop). 1892 The flag field has three possible legal values: 1894 o 0: Record time stamps only, stored in consecutive 32-bit words. 1896 o 1: Record each timestamp preceded with the internet address of the 1897 registering entity. 1899 o 3: The internet address fields of the option are pre-specified. 1900 An IP module only registers its timestamp if it matches its own 1901 address with the next specified internet address. 1903 Therefore the following check should be performed: 1905 IT.Flag == 0 || IT.Flag == 1 || IT.Flag == 3 1907 If the packet does not pass this check, it should be dropped, and 1908 this event should be logged (e.g., a counter could be incremented to 1909 reflect the packet drop). 1911 The timestamp field is a right-justified 32-bit timestamp in 1912 milliseconds since UTC. If the time is not available in 1913 milliseconds, or cannot be provided with respect to UTC, then any 1914 time may be inserted as a timestamp, provided the high order bit of 1915 the timestamp is set, to indicate this non-standard value. 1917 According to RFC 791, the initial contents of the timestamp area must 1918 be initialized to zero, or internet address/zero pairs. However, 1919 internet systems should be able to handle non-zero values, possibly 1920 discarding the offending datagram. 1922 When an internet system receives a packet with an Internet Timestamp 1923 option, it decides whether it should record its timestamp in the 1924 option. If it determines that it should, it should then determine 1925 whether the timestamp data area is full, by means of the following 1926 check: 1928 IT.Pointer > IT.Length 1930 If this condition is true, the timestamp data area is full. If not, 1931 there is room in the timestamp data area. 1933 If the timestamp data area is full, the overflow byte should be 1934 incremented, and the packet should be forwarded without inserting the 1935 timestamp. If the overflow byte itself overflows, the packet should 1936 be dropped, and this event should be logged (e.g., a counter could be 1937 incremented to reflect the packet drop). 1939 If the timestamp data area is not full, then processing continues as 1940 follows (note that the above checks on IT.Pointer ensure that there 1941 is room for another entry in the option): 1943 o If IT.Flag is 0, then the system's 32-bit timestamp is stored into 1944 the area pointed to by the pointer byte and the pointer byte is 1945 incremented by 4. 1947 o If IT.Flag is 1, then the IP address of the system is stored into 1948 the area pointed to by the pointer byte, followed by the 32-bit 1949 system timestamp, and the pointer byte is incremented by 8. 1951 o Otherwise (IT.Flag is 3), if the IP address in the first 4 bytes 1952 pointed to by IT.Pointer matches one of the IP addresses assigned 1953 to an interface of the system, then the system's timestamp is 1954 stored into the area pointed to by IT.Pointer + 4, and the pointer 1955 byte is incremented by 8. 1957 [Kohno2005] describes a technique for fingerprinting devices by 1958 measuring the clock skew. It exploits, among other things, the 1959 timestamps that can be obtained by means of the ICMP timestamp 1960 request messages [RFC0791]. However, the same fingerprinting method 1961 could be implemented with the aid of the Internet Timestamp option. 1963 3.13.2.8. Router Alert (Type=148) 1965 The Router Alert option is defined in RFC 2113 [RFC2113] and later 1966 updates to it have been clarified by RFC 5350 [RFC5350]. It contains 1967 a 16-bit Value governed by an IANA registry (see [RFC5350]). The 1968 Router Alert option has the semantic "routers should examine this 1969 packet more closely, if they participate in the functionality denoted 1970 by the Value of the option". 1972 According to the syntax of the option as defined in RFC 2113, the 1973 following check should be enforced, if the router supports this 1974 option: 1976 RA.Length == 4 1978 If the packet does not pass this check, it should be dropped, and 1979 this event should be logged (e.g., a counter could be incremented to 1980 reflect the packet drop). 1982 A packet that contains a Router Alert option with an option value 1983 corresponding to functionality supported by an active module in the 1984 router will not go through the router's fast-path but will be 1985 processed in the slow path of the router, handing it over for closer 1986 inspection to the modules that has registered the matching option 1987 value. Therefore, this option may impact the performance of the 1988 systems that handle the packet carrying it. 1990 As explained in RFC 2113 [RFC2113], hosts should ignore this option. 1992 3.13.2.9. Probe MTU (Type=11) (obsolete) 1994 This option was defined in RFC 1063 [RFC1063], and originally 1995 provided a mechanism to discover the Path-MTU. 1997 This option is obsolete, and therefore any packet that is received 1998 containing this option should be dropped, and this event should be 1999 logged (e.g., a counter could be incremented to reflect the packet 2000 drop). 2002 3.13.2.10. Reply MTU (Type=12) (obsolete) 2004 This option is defined in RFC 1063 [RFC1063], and originally provided 2005 a mechanism to discover the Path-MTU. 2007 This option is obsolete, and therefore any packet that is received 2008 containing this option should be dropped, and this event should be 2009 logged (e.g., a counter could be incremented to reflect the packet 2010 drop). 2012 3.13.2.11. Traceroute (Type=82) 2014 This option is defined in RFC 1393 [RFC1393], and originally provided 2015 a mechanism to trace the path to a host. 2017 This option is obsolete, and therefore any packet that is received 2018 containing this option should be dropped, and this event should be 2019 logged (e.g., a counter could be incremented to reflect the packet 2020 drop). 2022 3.13.2.12. DoD Basic Security Option (Type=130) 2024 This option is used by Multi-Level-Secure (MLS) end-systems and 2025 intermediate systems in specific environments to [RFC1108]: 2027 o Transmit from source to destination in a network standard 2028 representation the common security labels required by computer 2029 security models, 2031 o Validate the datagram as appropriate for transmission from the 2032 source and delivery to the destination, and, 2034 o Ensure that the route taken by the datagram is protected to the 2035 level required by all protection authorities indicated on the 2036 datagram. 2038 It is specified by RFC 1108 [RFC1108] (which obsoletes RFC 1038 2039 [RFC1038]). 2041 RFC 791 [RFC0791] defined the "Security Option" (Type=130), which 2042 used the same option type as the DoD Basic Security option 2043 discussed in this section. The "Security Option" specified in RFC 2044 791 is considered obsolete by Section 3.2.1.8 of RFC 1122, and 2045 therefore the discussion in this section is focused on the DoD 2046 Basic Security option specified by RFC 1108 [RFC1108]. 2048 Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement 2049 this option". 2051 The DoD Basic Security Option is currently implemented in a number of 2052 operating systems (e.g., [IRIX2008], [SELinux2008], [Solaris2008], 2053 and [Cisco2008]), and deployed in a number of high-security networks. 2055 Systems that belong to networks in which this option is in use should 2056 process the DoD Basic Security option contained in each packet as 2057 specified in [RFC1108]. 2059 RFC 1108 states that the option should appear at most once in a 2060 datagram. Therefore, if more than one DoD Basic Security option 2061 (BSO) appears in a given datagram, the corresponding datagram should 2062 be dropped, and this event should be logged (e.g., a counter could be 2063 incremented to reflect the packet drop). 2065 RFC 1108 states that the option Length is variable, with a minimum 2066 option Length of 3 bytes. Therefore, the following check should be 2067 performed: 2069 BSO.Length >= 3 2071 If the packet does not pass this check, it should be dropped, and 2072 this event should be logged (e.g., a counter could be incremented to 2073 reflect the packet drop). 2075 Current deployments of the security options described in this 2076 section and the two subsequent sections have motivated the 2077 proposal of a "Common Architecture Label IPv6 Security Option 2078 (CALIPSO)" for the IPv6 protocol. [RFC5570]. 2080 3.13.2.13. DoD Extended Security Option (Type=133) 2082 This option permits additional security labeling information, beyond 2083 that present in the Basic Security Option (Section 3.13.2.12), to be 2084 supplied in an IP datagram to meet the needs of registered 2085 authorities. It is specified by RFC 1108 [RFC1108]. 2087 This option may be present only in conjunction with the DoD Basic 2088 Security option. Therefore, if a packet contains a DoD Extended 2089 Security option (ESO), but does not contain a DoD Basic Security 2090 option, it should be dropped, and this event should be logged (e.g., 2091 a counter could be incremented to reflect the packet drop). It 2092 should be noted that, unlike the DoD Basic Security option, this 2093 option may appear multiple times in a single IP header. 2095 Systems that belong to networks in which this option is in use, 2096 should process the DoD Extended Security option contained in each 2097 packet as specified in RFC 1108 [RFC1108]. 2099 RFC 1108 states that the option Length is variable, with a minimum 2100 option Length of 3 bytes. Therefore, the following check should be 2101 performed: 2103 ESO.Length >= 3 2105 If the packet does not pass this check, it should be dropped, and 2106 this event should be logged (e.g., a counter could be incremented to 2107 reflect the packet drop). 2109 3.13.2.14. Commercial IP Security Option (CIPSO) (Type=134) 2111 This option was proposed by the Trusted Systems Interoperability 2112 Group (TSIG), with the intent of meeting trusted networking 2113 requirements for the commercial trusted systems market place. It is 2114 specified in [CIPSO1992] and [FIPS1994]. 2116 The TSIG proposal was taken to the Commercial Internet Security 2117 Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an 2118 Internet-Draft was produced [CIPSO1992]. The Internet-Draft was 2119 never published as an RFC, but the proposal was later standardized 2120 by the U.S. National Institute of Standards and Technology (NIST) 2121 as "Federal Information Processing Standard Publication 188" 2122 [FIPS1994]. 2124 It is currently implemented in a number of operating systems (e.g., 2125 IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris 2126 [Solaris2008]), and deployed in a number of high-security networks. 2128 [Zakrzewski2002] and [Haddad2004] provide an overview of a Linux 2129 implementation. 2131 Systems that belong to networks in which this option is in use should 2132 process the CIPSO option contained in each packet as specified in 2133 [CIPSO1992]. 2135 According to the option syntax specified in [CIPSO1992] the following 2136 validation check should be performed: 2138 CIPSO.Length >= 6 2140 If a packet does not pass this check, it should be dropped, and this 2141 event should be logged (e.g., a counter could be incremented to 2142 reflect the packet drop). 2144 3.13.2.15. Sender Directed Multi-Destination Delivery (Type=149) 2146 This option is defined in RFC 1770 [RFC1770], and originally provided 2147 unreliable UDP delivery to a set of addresses included in the option. 2149 This option is obsolete. If a received packet contains this option, 2150 it should be dropped, and this event should be logged (e.g., a 2151 counter could be incremented to reflect the packet drop). 2153 4. Internet Protocol Mechanisms 2155 4.1. Fragment reassembly 2157 To accommodate networks with different Maximum Transmission Units 2158 (MTUs), the Internet Protocol provides a mechanism for the 2159 fragmentation of IP packets by end-systems (hosts) and/or 2160 intermediate systems (routers). Reassembly of fragments is performed 2161 only by the end-systems. 2163 [Cerf1974] provides the rationale for why packet reassembly is not 2164 performed by intermediate systems. 2166 During the last few decades, IP fragmentation and reassembly has been 2167 exploited in a number of ways, to perform actions such as evading 2168 Network Intrusion Detection Systems (NIDS), bypassing firewall rules, 2169 and performing Denial of Service (DoS) attacks. 2171 [Bendi1998] and [Humble1998] are examples of the exploitation of 2172 these issues for performing Denial of Service (DoS) attacks. 2173 [CERT1997] and [CERT1998b] document these issues. [Anderson2001] 2174 is a survey of fragmentation attacks. [US-CERT2001] is an example 2175 of the exploitation of IP fragmentation to bypass firewall rules. 2176 [CERT1999] describes the implementation of fragmentation attacks 2177 in Distributed Denial of Service (DDoS) attack tools. 2179 The problem with IP fragment reassembly basically has to do with the 2180 complexity of the function, in a number of aspects: 2182 o Fragment reassembly is a stateful operation for a stateless 2183 protocol (IP). The IP module at the host performing the 2184 reassembly function must allocate memory buffers both for 2185 temporarily storing the received fragments, and to perform the 2186 reassembly function. Attackers can exploit this fact to exhaust 2187 memory buffers at the system performing the fragment reassembly. 2189 o The fragmentation and reassembly mechanisms were designed at a 2190 time in which the available bandwidths were very different from 2191 the bandwidths available nowadays. With the current available 2192 bandwidths, a number of interoperability problems may arise, and 2193 these issues may be intentionally exploited by attackers to 2194 perform Denial of Service (DoS) attacks. 2196 o Fragment reassembly must usually be performed without any 2197 knowledge of the properties of the path the fragments follow. 2198 Without this information, hosts cannot make any educated guess on 2199 how long they should wait for missing fragments to arrive. 2201 o The fragment reassembly algorithm, as described by the IETF 2202 specifications, is ambiguous, and allows for a number of 2203 interpretations, each of which has found place in different TCP/IP 2204 stack implementations. 2206 o The reassembly process is somewhat complex. Fragments may arrive 2207 out of order, duplicated, overlapping each other, etc. This 2208 complexity has lead to numerous bugs in different implementations 2209 of the IP protocol. 2211 4.1.1. Security Implications of Fragment Reassembly 2213 4.1.1.1. Problems related with memory allocation 2215 When an IP datagram is received by an end-system, it will be 2216 temporarily stored in system memory, until the IP module processes it 2217 and hands it to the protocol machine that corresponds to the 2218 encapsulated protocol. 2220 In the case of fragmented IP packets, while the IP module may perform 2221 preliminary processing of the IP header (such as checking the header 2222 for errors and processing IP options), fragments must be kept in 2223 system buffers until all fragments are received and are reassembled 2224 into a complete internet datagram. 2226 As mentioned above, because the internet layer will not usually have 2227 information about the characteristics of the path between the system 2228 and the remote host, no educated guess can be made on the amount of 2229 time that should be waited for the other fragments to arrive. 2230 Therefore, the specifications recommend to wait for a period of time 2231 that is acceptable for virtually all the possible network scenarios 2232 in which the protocols might operate. After that time has elapsed, 2233 all the received fragments for the corresponding incomplete packet 2234 are discarded. 2236 The original IP Specification, RFC 791 [RFC0791], states that 2237 systems should wait for at least 15 seconds for the missing 2238 fragments to arrive. Systems that follow the "Example Reassembly 2239 Procedure" described in Section 3.2 of RFC 791 may end up using a 2240 reassembly timer of up to 4.25 minutes, with a minimum of 15 2241 seconds. Section 3.3.2 ("Reassembly") of RFC 1122 corrected this 2242 advice, stating that the reassembly timeout should be a fixed 2243 value between 60 and 120 seconds. 2245 However, the longer the system waits for the missing fragments to 2246 arrive, the longer the corresponding system resources must be tied to 2247 the corresponding packet. The amount of system memory is finite, and 2248 even with today's systems, it can still be considered a scarce 2249 resource. 2251 An attacker could take advantage of the uncomfortable situation the 2252 system performing fragment reassembly is in, by sending forged 2253 fragments that will never reassemble into a complete datagram. That 2254 is, an attacker would send many different fragments, with different 2255 IP IDs, without ever sending all the necessary fragments that would 2256 be needed to reassemble them into a full IP datagram. For each of 2257 the fragments, the IP module would allocate resources and tie them to 2258 the corresponding fragment, until the reassembly timer for the 2259 corresponding packet expires. 2261 There are some implementation strategies which could increase the 2262 impact of this attack. For example, upon receipt of a fragment, some 2263 systems allocate a memory buffer that will be large enough to 2264 reassemble the whole datagram. While this might be beneficial in 2265 legitimate cases, this just amplifies the impact of the possible 2266 attacks, as a single small fragment could tie up memory buffers for 2267 the size of an extremely large (and unlikely) datagram. The 2268 implementation strategy suggested in RFC 815 [RFC0815] leads to such 2269 an implementation. 2271 The impact of the aforementioned attack may vary depending on some 2272 specific implementation details: 2274 o If the system does not enforce limits on the amount of memory that 2275 can be allocated by the IP module, then an attacker could tie all 2276 system memory to fragments, at which point the system would become 2277 unusable, perhaps crashing. 2279 o If the system enforces limits on the amount of memory that can be 2280 allocated by the IP module as a whole, then, when this limit is 2281 reached, all further IP packets that arrive would be discarded, 2282 until some fragments time out and free memory is available again. 2284 o If the system enforces limits on the amount memory that can be 2285 allocated for the reassembly of fragments, then, when this limit 2286 is reached, all further fragments that arrive would be discarded, 2287 until some fragment(s) time out and free memory is available 2288 again. 2290 4.1.1.2. Problems that arise from the length of the IP Identification 2291 field 2293 The Internet Protocols are currently being used in environments that 2294 are quite different from the ones in which they were conceived. For 2295 instance, the availability of bandwidth at the time the Internet 2296 Protocol was designed was completely different from the availability 2297 of bandwidth in today's networks. 2299 The Identification field is a 16-bit field that is used for the 2300 fragmentation and reassembly function. In the event a datagram gets 2301 fragmented, all the corresponding fragments will share the same 2302 {Source Address, Destination Address, Protocol, Identification 2303 number} four-tuple. Thus, the system receiving the fragments will be 2304 able to uniquely identify them as fragments that correspond to the 2305 same IP datagram. At a given point in time, there must be at most 2306 only one packet in the network with a given four-tuple. If not, an 2307 Identification number "collision" might occur, and the receiving 2308 system might end up "mixing" fragments that correspond to different 2309 IP datagrams which simply reused the same Identification number. 2311 For example, sending over a 1 Gbit/s path a continuous stream of 2312 (UDP) packets of roughly 1 kb size that all get fragmented into 2313 two equally sized fragments of 576 octets each (minimum reasesmbly 2314 buffer size) would repeat the IP Identification values within less 2315 than 0.65 seconds (assuming roughly 10% link layer overhead); with 2316 shorter packets that still get fragmented, this figure could 2317 easily drop below 0.4 seconds. With a single IP packet dropped in 2318 this short timeframe, packets would start to be reassembled 2319 wrongly and continuously once in such interval until an error 2320 detection and recovery algorithm at an upper layer lets the 2321 application back out. 2323 For each group of fragments whose Identification numbers "collide", 2324 the fragment reassembly will lead to corrupted packets. The IP 2325 payload of the reassembled datagram will be handed to the 2326 corresponding upper layer protocol, where the error will (hopefully) 2327 be detected by some error detecting code (such as the TCP checksum) 2328 and the packet will be discarded. 2330 An attacker could exploit this fact to intentionally cause a system 2331 to discard all or part of the fragmented traffic it gets, thus 2332 performing a Denial-of-Service attack. Such an attacker would simply 2333 establish a flow of fragments with different IP Identification 2334 numbers, to trash all or part of the IP Identification space. As a 2335 result, the receiving system would use the attacker's fragments for 2336 the reassembly of legitimate datagrams, leading to corrupted packets 2337 which would later (and hopefully) get dropped. 2339 In most cases, use of a long fragment timeout will benefit the 2340 attacker, as forged fragments will keep the IP Identification space 2341 trashed for a longer period of time. 2343 4.1.1.3. Problems that arise from the complexity of the reassembly 2344 algorithm 2346 As IP packets can be duplicated by the network, and each packet may 2347 take a different path to get to the destination host, fragments may 2348 arrive not only out of order and/or duplicated, but also overlapping. 2349 This means that the reassembly process can be somewhat complex, with 2350 the corresponding implementation being not specifically trivial. 2352 [Shannon2001] analyzes the causes and attributes of fragment traffic 2353 measured in several types of WANs. 2355 During the years, a number of attacks have exploited bugs in the 2356 reassembly function of several operating systems, producing buffer 2357 overflows that have led, in most cases, to a crash of the attacked 2358 system. 2360 4.1.1.4. Problems that arise from the ambiguity of the reassembly 2361 process 2363 Network Intrusion Detection Systems (NIDSs) typically monitor the 2364 traffic on a given network with the intent of identifying traffic 2365 patterns that might indicate network intrusions. 2367 In the presence of IP fragments, in order to detect illegitimate 2368 activity at the transport or application layers (i.e., any protocol 2369 layer above the network layer), a NIDS must perform IP fragment 2370 reassembly. 2372 In order to correctly assess the traffic, the result of the 2373 reassembly function performed by the NIDS should be the same as that 2374 of the reassembly function performed by the intended recipient of the 2375 packets. 2377 However, a number of factors make the result of the reassembly 2378 process ambiguous: 2380 o The IETF specifications are ambiguous as to what should be done in 2381 the event overlapping fragments were received. Thus, in the 2382 presence of overlapping data, the system performing the reassembly 2383 function is free to either honor the first set of data received, 2384 the latest copy received, or any other copy received in between. 2386 o As the specifications do not enforce any specific fragment timeout 2387 value, different systems may choose different values for the 2388 fragment timeout. This means that given a set of fragments 2389 received at some specified time intervals, some systems will 2390 reassemble the fragments into a full datagram, while others may 2391 timeout the fragments and therefore drop them. 2393 o As mentioned before, as the fragment buffers get full, a Denial of 2394 Service (DoS) condition will occur unless some action is taken. 2395 Many systems flush part of the fragment buffers when some 2396 threshold is reached. Thus, depending on fragment load, timing 2397 issues, and flushing policy, a NIDS may get incorrect assumptions 2398 about how (and if) fragments are being reassembled by their 2399 intended recipient. 2401 As originally discussed by [Ptacek1998], these issues can be 2402 exploited by attackers to evade intrusion detection systems. 2404 There exist freely available tools to forcefully fragment IP 2405 datagrams so as to help evade Intrusion Detection Systems. Frag 2406 router [Song1999] is an example of such a tool; it allows an attacker 2407 to perform all the evasion techniques described in [Ptacek1998]. 2408 Ftester [Barisani2006] is a tool that helps to audit systems 2409 regarding fragmentation issues. 2411 4.1.1.5. Problems that arise from the size of the IP fragments 2413 One approach to fragment filtering involves keeping track of the 2414 results of applying filter rules to the first fragment (i.e., the 2415 fragment with a Fragment Offset of 0), and applying them to 2416 subsequent fragments of the same packet. The filtering module would 2417 maintain a list of packets indexed by the Source Address, Destination 2418 Address, Protocol, and Identification number. When the initial 2419 fragment is seen, if the MF bit is set, a list item would be 2420 allocated to hold the result of filter access checks. When packets 2421 with a non-zero Fragment Offset come in, look up the list element 2422 with a matching Source Address/Destination Address/Protocol/ 2423 Identification and apply the stored result (pass or block). When a 2424 fragment with a zero MF bit is seen, free the list element. 2425 Unfortunately, the rules of this type of packet filter can usually be 2426 bypassed. [RFC1858] describes the details of the involved technique. 2428 4.1.2. Possible security improvements 2430 4.1.2.1. Memory allocation for fragment reassembly 2432 A design choice usually has to be made as to how to allocate memory 2433 to reassemble the fragments of a given packet. There are basically 2434 two options: 2436 o Upon receipt of the first fragment, allocate a buffer that will be 2437 large enough to concatenate the payload of each fragment. 2439 o Upon receipt of the first fragment, create the first node of a 2440 linked list to which each of the following fragments will be 2441 linked. When all fragments have been received, copy the IP 2442 payload of each of the fragments (in the correct order) to a 2443 separate buffer that will be handed to the protocol being 2444 encapsulated in the IP payload. 2446 While the first of the choices might seem to be the most straight- 2447 forward, it implies that even when a single small fragment of a given 2448 packet is received, the amount of memory that will be allocated for 2449 that fragment will account for the size of the complete IP datagram, 2450 thus using more system resources than what is actually needed. 2452 Furthermore, the only situation in which the actual size of the whole 2453 datagram will be known is when the last fragment of the packet is 2454 received first, as that is the only packet from which the total size 2455 of the IP datagram can be asserted. Otherwise, memory should be 2456 allocated for the largest possible packet size (65535 bytes). 2458 The IP module should also enforce a limit on the amount of memory 2459 that can be allocated for IP fragments, as well as a limit on the 2460 number of fragments that at any time will be allowed in the system. 2461 This will basically limit the resources spent on the reassembly 2462 process, and prevent an attacker from trashing the whole system 2463 memory. 2465 Furthermore, the IP module should keep a different buffer for IP 2466 fragments than for complete IP datagrams. This will basically 2467 separate the effects of fragment attacks on non-fragmented traffic. 2468 Most TCP/IP implementations, such as that in Linux and those in BSD- 2469 derived systems, already implement this. 2471 [Jones2002] analyzes the amount of memory that may be needed for the 2472 fragment reassembly buffer depending on a number of network 2473 characteristics. 2475 4.1.2.2. Flushing the fragment buffer 2477 In the case of those attacks that aim to consume the memory buffers 2478 used for fragments, and those that aim to cause a collision of IP 2479 Identification numbers, there are a number of countermeasures that 2480 can be implemented. 2482 Even with these countermeasures in place, there is still the issue of 2483 what to do when the buffer pool used for IP fragments gets full. 2484 Basically, if the fragment buffer is full, no instance of 2485 communication that relies on fragmentation will be able to progress. 2487 Unfortunately, there are not many options for reacting to this 2488 situation. If nothing is done, all the instances of communication 2489 that rely on fragmentation will experience a denial of service. 2490 Thus, the only thing that can be done is flush all or part of the 2491 fragment buffer, on the premise that legitimate traffic will be able 2492 to make use of the freed buffer space to allow communication flows to 2493 progress. 2495 There are a number of factors that should be taken into consideration 2496 when flushing the fragment buffers. First, if a fragment of a given 2497 packet (i.e., fragment with a given Identification number) is 2498 flushed, all the other fragments that correspond to the same datagram 2499 should be flushed. As in order for a packet to be reassembled all of 2500 its fragments must be received by the system performing the 2501 reassembly function, flushing only a subset of the fragments of a 2502 given packet would keep the corresponding buffers tied to fragments 2503 that would never reassemble into a complete datagram. Additionally, 2504 care must be taken so that, in the event that subsequent buffer 2505 flushes need to be performed, it is not always the same set of 2506 fragments that get dropped, as such a behavior would probably cause a 2507 selective Denial of Service (DoS) to the traffic flows to which that 2508 set of fragments belongs. 2510 Many TCP/IP implementations define a threshold for the number of 2511 fragments that, when reached, triggers a fragment-buffer flush. Some 2512 systems flush 1/2 of the fragment buffer when the threshold is 2513 reached. As mentioned before, the idea of flushing the buffer is to 2514 create some free space in the fragment buffer, on the premise that 2515 this will allow for new and legitimate fragments to be processed by 2516 the IP module, thus letting communication survive the overwhelming 2517 situation. On the other hand, the idea of flushing a somewhat large 2518 portion of the buffer is to avoid flushing always the same set of 2519 packets. 2521 4.1.2.3. A more selective fragment buffer flushing strategy 2523 One of the difficulties in implementing countermeasures for the 2524 fragmentation attacks described in throughout Section 4.1 is that it 2525 is difficult to perform validation checks on the received fragments. 2526 For instance, the fragment on which validity checks could be 2527 performed, the first fragment, may be not the first fragment to 2528 arrive at the destination host. 2530 Fragments can not only arrive out of order because of packet 2531 reordering performed by the network, but also because the system (or 2532 systems) that fragmented the IP datagram may indeed transmit the 2533 fragments out of order. A notable example of this is the Linux 2534 TCP/IP stack, which transmits the fragments in reverse order. 2536 This means that we cannot enforce checks on the fragments for which 2537 we allocate reassembly resources, as the first fragment we receive 2538 for a given packet may be some other fragment than the first one (the 2539 one with an Fragment Offset of 0). 2541 However, at the point in which we decide to free some space in the 2542 fragment buffer, some refinements can be done to the flushing policy. 2543 The first thing we would like to do is to stop different types of 2544 traffic from interfering with each other. This means, in principle, 2545 that we do not want fragmented UDP traffic to interfere with 2546 fragmented TCP traffic. In order to implement this traffic 2547 separation for the different protocols, a different fragment buffer 2548 pool would be needed, in principle, for each of the 256 different 2549 protocols that can be encapsulated in an IP datagram. 2551 We believe a tradeoff is to implement two separate fragment buffers: 2552 one for IP datagrams that encapsulate IPsec packets, and another for 2553 the rest of the traffic. This basically means that traffic not 2554 protected by IPsec will not interfere with those flows of 2555 communication that are being protected by IPsec. 2557 The processing of each of these two different fragment buffer pools 2558 would be completely independent from each other. In the case of the 2559 IPsec fragment buffer pool, when the buffers needs to be flushed, the 2560 following refined policy could be applied: 2562 o First, for each packet for which the IPsec header has been 2563 received, check that the SPI field of the IPsec header corresponds 2564 to an existing IPsec Security Association (SA), and probably also 2565 check that the IPsec sequence number is valid. If the check 2566 fails, drop all the fragments that correspond to this packet. 2568 o Second, if still more fragment buffers need to be flushed, drop 2569 all the fragments that correspond to packets for which the full 2570 IPsec header has not yet been received. The number of packets for 2571 which this flushing is performed depends on the amount of free 2572 space that needs to be created. 2574 o Third, if after flushing packets with invalid IPsec information 2575 (First step), and packets on which validation checks could not be 2576 performed (Second step), there is still not enough space in the 2577 fragment buffer, drop all the fragments that correspond to packets 2578 that passed the checks of the first step, until the necessary free 2579 space is created. 2581 The rationale behind this policy is that, at the point of flushing 2582 fragment buffers, we prefer to keep those packets on which we could 2583 successfully perform a number of validation checks, over those 2584 packets on which those checks failed, or the checks could not even be 2585 performed. 2587 By checking both the IPsec SPI and the IPsec sequence number, it is 2588 virtually impossible for an attacker that is off-path to perform a 2589 Denial-of-Service attack to communication flows being protected by 2590 IPsec. 2592 Unfortunately, some IP implementations (such as that in Linux 2593 [Linux2006]), when performing fragmentation, send the corresponding 2594 fragments in reverse order. In such cases, at the point of flushing 2595 the fragment buffer, legitimate fragments will receive the same 2596 treatment as the possible forged fragments. 2598 This refined flushing policy provides an increased level of 2599 protection against this type of resource exhaustion attack, while not 2600 making the situation of out-of-order IPsec-secured traffic worse than 2601 with the simplified flushing policy described in the previous 2602 section. 2604 4.1.2.4. Reducing the fragment timeout 2606 RFC 1122 [RFC1122] states that the reassembly timeout should be a 2607 fixed value between 60 and 120 seconds. The rationale behind these 2608 long timeout values is that they should accommodate any path 2609 characteristics, such as long-delay paths. However, it must be noted 2610 that this timer is really measuring inter-fragment delays, or, more 2611 specifically, fragment jitter. 2613 If all fragments take paths of similar characteristics, the inter- 2614 fragment delay will usually be, at most, a few seconds. 2615 Nevertheless, even if fragments take different paths of different 2616 characteristics, the recommended 60 to 120 seconds are, in practice, 2617 excessive. 2619 Some systems have already reduced the fragment timeout to 30 seconds 2620 [Linux2006]. The fragment timeout could probably be further reduced 2621 to approximately 15 seconds; although further research on this issue 2622 is necessary. 2624 It should be noted that in network scenarios of long-delay and high- 2625 bandwidth (usually referred to as "Long-Fat Networks"), using a long 2626 fragment timeout would likely increase the probability of collision 2627 of IP ID numbers. Therefore, in such scenarios it is highly 2628 desirable to avoid the use of fragmentation with techniques such as 2629 PMTUD [RFC1191] or PLPMTUD [RFC4821]. 2631 4.1.2.5. Countermeasure for some IDS evasion techniques 2633 [Shankar2003] introduces a technique named "Active Mapping" that 2634 prevents evasion of a NIDS by acquiring sufficient knowledge about 2635 the network being monitored, to assess which packets will arrive at 2636 the intended recipient, and how they will be interpreted by it. 2637 [Novak2005] describes some techniques that are applied by the Snort 2638 NIDS to avoid evasion. 2640 4.1.2.6. Countermeasure for firewall-rules bypassing 2642 One of the classical techniques to bypass firewall rules involves 2643 sending packets in which the header of the encapsulated protocol is 2644 fragmented. Even when it would be legal (as far as the IETF 2645 specifications are concerned) to receive such a packets, the MTUs of 2646 the network technologies used in practice are not that small to 2647 require the header of the encapsulated protocol to be fragmented. 2648 Therefore, the system performing reassembly should drop all packets 2649 which fragment the upper-layer protocol header, and this event should 2650 be logged (e.g., a counter could be incremented to reflect the packet 2651 drop). 2653 Additionally, given that many middle-boxes such as firewalls create 2654 state according to the contents of the first fragment of a given 2655 packet, it is best that, in the event an end-system receives 2656 overlapping fragments, it honors the information contained in the 2657 fragment that was received first. 2659 RFC 1858 [RFC1858] describes the abuse of IP fragmentation to bypass 2660 firewall rules. RFC 3128 [RFC3128] corrects some errors in RFC 1858. 2662 4.2. Forwarding 2664 4.2.1. Precedence-ordered queue service 2666 Section 5.3.3.1 of RFC 1812 [RFC1812] states that routers should 2667 implement precedence-ordered queue service. This means that when a 2668 packet is selected for output on a (logical) link, the packet of 2669 highest precedence that has been queued for that link is sent. 2670 Section 5.3.3.2 of RFC 1812 advices routers to default to maintaining 2671 strict precedence-ordered service. 2673 Unfortunately, given that it is trivial to forge the IP precedence 2674 field of the IP header, an attacker could simply forge a high 2675 precedence number in the packets it sends, to illegitimately get 2676 better network service. If precedence-ordered queued service is not 2677 required in a particular network infrastructure, it should be 2678 disabled, and thus all packets would receive the same type of 2679 service, despite the values in their Type of Service or 2680 Differentiated Services fields. 2682 When Precedence-ordered queue service is required in the network 2683 infrastructure, in order to mitigate the attack vector discussed in 2684 the previous paragraph, edge routers or switches should be configured 2685 to police and remark the Type of Service or Differentiated Services 2686 values, according to the type of service at which each end-system has 2687 been allowed to send packets. 2689 Bullet 4 of Section 5.3.3.3 of RFC 1812 states that routers "MUST NOT 2690 change precedence settings on packets it did not originate". 2691 However, given the security implications of the Precedence field, it 2692 is fair for routers, switches or other middle-boxes, particularly 2693 those in the network edge, to overwrite the Type of Service (or 2694 Differentiated Services) field of the packets they are forwarding, 2695 according to a configured network policy (this is the specified 2696 behavior for DS domains [RFC2475]). 2698 Section 5.3.3.1 and Section 5.3.6 of RFC 1812 states that if 2699 precedence-ordered queue service is implemented and enabled, the 2700 router "MUST NOT discard a packet whose precedence is higher than 2701 that of a packet that is not discarded". While this recommendation 2702 makes sense given the semantics of the Precedence field, it is 2703 important to note that it would be simple for an attacker to send 2704 packets with forged high Precedence value to congest some internet 2705 router(s), and cause all (or most) traffic with a lower Precedence 2706 value to be discarded. 2708 4.2.2. Weak Type of Service 2710 Section 5.2.4.3 of RFC 1812 describes the algorithm for determining 2711 the next-hop address (i.e., the forwarding algorithm). Bullet 3, 2712 "Weak TOS", addresses the case in which routes contain a "type of 2713 service" attribute. It states that in case a packet contains a non- 2714 default TOS (i.e., 0000), only routes with the same TOS or with the 2715 default TOS should be considered for forwarding that packet. 2716 However, this means that if among the longest match routes for a 2717 given packet are routes with some TOS other than the one contained in 2718 the received packet, and no routes with the default TOS, the 2719 corresponding packet would be dropped. This may or may not be a 2720 desired behavior. 2722 An alternative for the case in which among the "longest match" routes 2723 there are only routes with non-default type of service which do not 2724 match the TOS contained in the received packet, would be to use a 2725 route with any other TOS. While this route would most likely not be 2726 able to address the type of service requested by packet, it would, at 2727 least, provide a "best effort" service. 2729 It must be noted that Section 5.3.2 of RFC 1812 allows routers to not 2730 honor the TOS field. Therefore, the proposed alternative behavior is 2731 still compliant with the IETF specifications. 2733 While officially specified in the RFC series, TOS-based routing is 2734 not widely deployed in the Internet. 2736 4.2.3. Impact of Address Resolution on Buffer Management 2738 In the case of broadcast link-layer technologies, in order for a 2739 system to transfer an IP datagram it must usually first map an IP 2740 address to the corresponding link-layer address (for example, by 2741 means of the ARP protocol [RFC0826]) . This means that while this 2742 operation is being performed, the packets that would require such a 2743 mapping would need to be kept in memory. This may happen both in the 2744 case of hosts and in the case of routers. 2746 This situation might be exploited by an attacker, which could send a 2747 large amount of packets to a non-existent host which would supposedly 2748 be directly connected to the attacked router. While trying to map 2749 the corresponding IP address into a link-layer address, the attacked 2750 router would keep in memory all the packets that would need to make 2751 use of that link-layer address. At the point in which the mapping 2752 function times out, depending on the policy implemented by the 2753 attacked router, only the packet that triggered the call to the 2754 mapping function might be dropped. In that case, the same operation 2755 would be repeated for every packet destined to the non-existent host. 2756 Depending on the timeout value for the mapping function, this 2757 situation might lead the router to run out of free buffer space, with 2758 the consequence that incoming legitimate packets would have to be 2759 dropped, or that legitimate packets already stored in the router's 2760 buffers might get dropped. Both of these situations would lead 2761 either to a complete Denial of Service, or to a degradation of the 2762 network service. 2764 One countermeasure to this problem would be to drop, at the point the 2765 mapping function times out, all the packets destined to the address 2766 that timed out. In addition, a "negative cache entry" might be kept 2767 in the module performing the matching function, so that for some 2768 amount of time, the mapping function would return an error when the 2769 IP module requests to perform a mapping for some address for which 2770 the mapping has recently timed out. 2772 A common implementation strategy for routers is that when a packet 2773 is received that requires an ARP resolution to be performed before 2774 the packet can be forwarded, the packet is dropped and the router 2775 is then engaged in the ARP procedure. 2777 4.2.4. Dropping packets 2779 In some scenarios, it may be necessary for a host or router to drop 2780 packets from the output queue. In the event one of such packets 2781 happens to be an IP fragment, and there were other fragments of the 2782 same packet in the queue, those other fragments should also be 2783 dropped. The rationale for this policy is that it is nonsensical to 2784 spend system resources on those other fragments, because, as long as 2785 one fragment is missing, it will be impossible for the receiving 2786 system to reassemble them into a complete IP datagram. 2788 Some systems have been known to drop just a subset of fragments of a 2789 given datagram, leading to a denial of service condition, as only a 2790 subset of all the fragments of the packets were actually transferred 2791 to the next hop. 2793 4.3. Addressing 2794 4.3.1. Unreachable addresses 2796 It is important to understand that while there are some addresses 2797 that are supposed to be unreachable from the public Internet (such as 2798 the private IP addresses described in RFC 1918 [RFC1918], or the 2799 "loopback" address), there are a number of tricks an attacker can 2800 perform to reach those IP addresses that would otherwise be 2801 unreachable (e.g., exploit the LSRR or SSRR IP options). Therefore, 2802 when applicable, packet filtering should be performed at private 2803 network boundary to assure that those addresses will be unreachable. 2805 Similarly, link-local unicast addresses [RFC3927] and multicast 2806 addresses with limited scope (link- and site-local addresses) should 2807 not be accessible from outside the proper network boundaries and not 2808 be passed across these boundaries. 2810 [RFC5735] provides a summary of special use IPv4 addresses. 2812 4.3.2. Private address space 2814 The Internet Assigned Numbers Authority (IANA) has reserved the 2815 following three blocks of the IP address space for private internets: 2817 o 10.0.0.0 - 10.255.255.255 (10/8 prefix) 2819 o 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 2821 o 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) 2823 Use of these address blocks is described in RFC 1918 [RFC1918]. 2825 Where applicable, packet filtering should be performed at the 2826 organizational perimeter to assure that these addresses are not 2827 reachable from outside the private network where such addresses are 2828 employed. 2830 4.3.3. Former Class D Addresses (224/4 Address Block) 2832 The former Class D addresses correspond to the 224/4 address block, 2833 and are used for Internet multicast. Therefore, if a packet is 2834 received with a "Class D" address as the Source Address, it should be 2835 dropped, and this event should be logged (e.g., a counter could be 2836 incremented to reflect the packet drop). Additionally, if an IP 2837 packet with a multicast Destination Address is received for a 2838 connection-oriented protocol (e.g., TCP), the packet should be 2839 dropped (see Section 4.3.5), and this event should be logged (e.g., a 2840 counter could be incremented to reflect the packet drop). 2842 4.3.4. Former Class E Addresses (240/4 Address Block) 2844 The former Class E addresses correspond to the 240/4 address block, 2845 and are currently reserved for experimental use. As a result, a 2846 number of implementations discard packets that contain a "Class" E 2847 address as the Source Address or Destination Address. 2849 However, there exists ongoing work to reclassify the former Class E 2850 (240/4) address block as usable unicast address spaces [Fuller2008a] 2851 [I-D.fuller-240space] [I-D.wilson-class-e]. Therefore, we recommend 2852 implementations to accept addresses in the 240/4 block as valid 2853 addresses for the Source Address and Destination Address. 2855 It should be noted that the broadcast address 255.255.255.255 still 2856 must be treated as indicated in Section 4.3.7 of this document. 2858 4.3.5. Broadcast/Multicast addresses, and Connection-Oriented Protocols 2860 For connection-oriented protocols, such as TCP, shared state is 2861 maintained between only two endpoints at a time. Therefore, if an IP 2862 packet with a multicast (or broadcast) Destination Address is 2863 received for a connection-oriented protocol (e.g., TCP), the packet 2864 should be dropped, and this event should be logged (e.g., a counter 2865 could be incremented to reflect the packet drop). 2867 4.3.6. Broadcast and network addresses 2869 Originally, the IETF specifications did not permit IP addresses to 2870 have the value 0 or -1 (shorthand for all bits set to 1) for any of 2871 the Host number, network number, or subnet number fields, except for 2872 the cases indicated in Section 4.3.7. However, this changed 2873 fundamentally with the deployment of Classless Inter-Domain Routing 2874 (CIDR) [RFC4632], as with CIDR a system cannot know a priori what the 2875 subnet mask is for a particular IP address. 2877 Many systems now allow administrators to use the values 0 or -1 for 2878 those fields. Despite that according to the original IETF 2879 specifications these addresses are illegal, modern IP implementations 2880 should consider these addresses to be valid. 2882 4.3.7. Special Internet addresses 2884 RFC 1812 [RFC1812] discusses the use of some special internet 2885 addresses, which is of interest to perform some sanity checks on the 2886 Source Address and Destination Address fields of an IP packet. It 2887 uses the following notation for an IP address: 2889 { , } 2890 where the length of the network prefix is generally implied by the 2891 network mask assigned to the IP interface under consideration. 2893 RFC 1122 [RFC1122] contained a similar discussion of special 2894 internet addresses, including some of the form { , 2895 , }. However, as explained in 2896 Section 4.2.2.11 of RFC 1812, in a CIDR world, the subnet number 2897 is clearly an extension of the network prefix and cannot be 2898 distinguished from the remainder of the prefix. 2900 {0, 0} 2902 This address means "this host on this network". It is meant to be 2903 used only during the initialization procedure, by which the host 2904 learns its own IP address. 2906 If a packet is received with 0.0.0.0 as the Source Address for any 2907 purpose other than bootstrapping, the corresponding packet should be 2908 silently dropped, and this event should be logged (e.g., a counter 2909 could be incremented to reflect the packet drop). If a packet is 2910 received with 0.0.0.0 as the Destination Address, it should be 2911 silently dropped, and this event should be logged (e.g., a counter 2912 could be incremented to reflect the packet drop). 2914 {0, Host number} 2916 This address means "the specified host, in this network". As in the 2917 previous case, it is meant to be used only during the initialization 2918 procedure by which the host learns its own IP address. If a packet 2919 is received with such an address as the Source Address for any 2920 purpose other than bootstrapping, it should be dropped, and this 2921 event should be logged (e.g., a counter could be incremented to 2922 reflect the packet drop). If a packet is received with such an 2923 address as the Destination Address, it should be dropped, and this 2924 event should be logged (e.g., a counter could be incremented to 2925 reflect the packet drop). 2927 {-1, -1} 2929 This address is the local broadcast address. It should not be used 2930 as a source IP address. If a packet is received with 255.255.255.255 2931 as the Source Address, it should be dropped, and this event should be 2932 logged (e.g., a counter could be incremented to reflect the packet 2933 drop). 2935 Some systems, when receiving an ICMP echo request, for example, 2936 will use the Destination Address in the ICMP echo request packet 2937 as the Source Address of the response they send (in this case, an 2938 ICMP echo reply). Thus, when such systems receive a request sent 2939 to a broadcast address, the Source Address of the response will 2940 contain a broadcast address. This should be considered a bug, 2941 rather than a malicious use of the limited broadcast address. 2943 {Network number, -1} 2945 This is the directed broadcast to the specified network. As 2946 recommended by RFC 2644 [RFC2644], routers should not forward 2947 network-directed broadcasts. This avoids the corresponding network 2948 from being utilized as, for example, a "smurf amplifier" [CERT1998a]. 2950 As noted in Section 4.3.6 of this document, many systems now allow 2951 administrators to configure these addresses as unicast addresses for 2952 network interfaces. In such scenarios, routers should forward these 2953 addresses as if they were traditional unicast addresses. 2955 In some scenarios a host may have knowledge about a particular IP 2956 address being a network-directed broadcast address, rather than a 2957 unicast address (e.g., that IP address is configured on the local 2958 system as a "broadcast address"). In such scenarios, if a system can 2959 infer that the Source Address of a received packet is a network- 2960 directed broadcast address, the packet should be dropped, and this 2961 event should be logged (e.g., a counter could be incremented to 2962 reflect the packet drop). 2964 As noted in Section 4.3.6 of this document, with the deployment of 2965 CIDR [RFC4632], it may be difficult for a system to infer whether a 2966 particular IP address that does not belong to a directly attached 2967 subnet is a broadcast address. 2969 {127.0.0.0/8, any} 2971 This is the internal host loopback address. Any packet that arrives 2972 on any physical interface containing this address as the Source 2973 Address, the Destination Address, or as part of a source route 2974 (either LSRR or SSRR), should be dropped. 2976 For example, packets with a Destination Address in the 127.0.0.0/8 2977 address block that are received on an interface other than loopback 2978 should be silently dropped. Packets received on any interface other 2979 than loopback with a Source Address corresponding to the system 2980 receiving the packet should also be dropped. 2982 In all the above cases, when a packet is dropped, this event should 2983 be logged (e.g., a counter could be incremented to reflect the packet 2984 drop). 2986 5. Security Considerations 2988 This document discusses the security implications of the Internet 2989 Protocol (IP) and a number of implementation strategies that help to 2990 mitigate a number of vulnerabilities found in the protocol during the 2991 last 25 years or so. 2993 6. Acknowledgements 2995 The author wishes to thank Alfred Hoenes for providing very thorough 2996 reviews of earlier versions of this document, thus leading to 2997 numerous improvements. 2999 The author would like to thank Joel Jaeggli, Warren Kumari, Bruno 3000 Rohee, and Andrew Yourtchenko for providing valuable comments on 3001 earlier versions of this document. 3003 This document was written by Fernando Gont on behalf of the UK CPNI 3004 (United Kingdom's Centre for the Protection of National 3005 Infrastructure), and is heavily based on the "Security Assessment of 3006 the Internet Protocol" [CPNI2008] published by the UK CPNI in 2008. 3008 The author would like to thank Randall Atkinson, John Day, Juan 3009 Fraschini, Roque Gagliano, Guillermo Gont, Martin Marino, Pekka 3010 Savola, and Christos Zoulas for providing valuable comments on 3011 earlier versions of [CPNI2008], on which this document is based. 3013 The author would like to thank Randall Atkinson and Roque Gagliano, 3014 who generously answered a number of questions. 3016 Finally, the author would like to thank UK CPNI (formerly NISCC) for 3017 their continued support. 3019 7. References 3021 7.1. Normative References 3023 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 3024 September 1981. 3026 [RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Or 3027 converting network protocol addresses to 48.bit Ethernet 3028 address for transmission on Ethernet hardware", STD 37, 3029 RFC 826, November 1982. 3031 [RFC1038] St. Johns, M., "Draft revised IP security option", 3032 RFC 1038, January 1988. 3034 [RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP 3035 MTU discovery options", RFC 1063, July 1988. 3037 [RFC1108] Kent, S., "U.S", RFC 1108, November 1991. 3039 [RFC1112] Deering, S., "Host extensions for IP multicasting", STD 5, 3040 RFC 1112, August 1989. 3042 [RFC1122] Braden, R., "Requirements for Internet Hosts - 3043 Communication Layers", STD 3, RFC 1122, October 1989. 3045 [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, 3046 November 1990. 3048 [RFC1349] Almquist, P., "Type of Service in the Internet Protocol 3049 Suite", RFC 1349, July 1992. 3051 [RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393, 3052 January 1993. 3054 [RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi- 3055 Destination Delivery", RFC 1770, March 1995. 3057 [RFC1812] Baker, F., "Requirements for IP Version 4 Routers", 3058 RFC 1812, June 1995. 3060 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 3061 E. Lear, "Address Allocation for Private Internets", 3062 BCP 5, RFC 1918, February 1996. 3064 [RFC2113] Katz, D., "IP Router Alert Option", RFC 2113, 3065 February 1997. 3067 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 3068 Requirement Levels", BCP 14, RFC 2119, March 1997. 3070 [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, 3071 "Definition of the Differentiated Services Field (DS 3072 Field) in the IPv4 and IPv6 Headers", RFC 2474, 3073 December 1998. 3075 [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., 3076 and W. Weiss, "An Architecture for Differentiated 3077 Services", RFC 2475, December 1998. 3079 [RFC2644] Senie, D., "Changing the Default for Directed Broadcasts 3080 in Routers", BCP 34, RFC 2644, August 1999. 3082 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 3083 Defeating Denial of Service Attacks which employ IP Source 3084 Address Spoofing", BCP 38, RFC 2827, May 2000. 3086 [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition 3087 of Explicit Congestion Notification (ECN) to IP", 3088 RFC 3168, September 2001. 3090 [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed 3091 Networks", BCP 84, RFC 3704, March 2004. 3093 [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic 3094 Configuration of IPv4 Link-Local Addresses", RFC 3927, 3095 May 2005. 3097 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 3098 (CIDR): The Internet Address Assignment and Aggregation 3099 Plan", BCP 122, RFC 4632, August 2006. 3101 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 3102 Discovery", RFC 4821, March 2007. 3104 [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., and C. 3105 Pignataro, "The Generalized TTL Security Mechanism 3106 (GTSM)", RFC 5082, October 2007. 3108 [RFC5350] Manner, J. and A. McDonald, "IANA Considerations for the 3109 IPv4 and IPv6 Router Alert Options", RFC 5350, 3110 September 2008. 3112 [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", 3113 BCP 153, RFC 5735, January 2010. 3115 7.2. Informative References 3117 [Anderson2001] 3118 Anderson, J., "An Analysis of Fragmentation Attacks", 3119 Available at: http://www.ouah.org/fragma.html , 2001. 3121 [Arkin2000] 3122 Arkin, "IP TTL Field Value with ICMP (Oops - Identifying 3123 Windows 2000 again and more)", http:// 3124 ofirarkin.files.wordpress.com/2008/11/ 3125 ofirarkin2000-06.pdf, 2000. 3127 [Barisani2006] 3128 Barisani, A., "FTester - Firewall and IDS testing tool", 3129 Available at: http://dev.inversepath.com/trac/ftester , 3130 2001. 3132 [Bellovin1989] 3133 Bellovin, S., "Security Problems in the TCP/IP Protocol 3134 Suite", Computer Communication Review Vol. 19, No. 2, pp. 3135 32-48, 1989. 3137 [Bellovin2002] 3138 Bellovin, S., "A Technique for Counting NATted Hosts", 3139 IMW'02 Nov. 6-8, 2002, Marseille, France, 2002. 3141 [Bendi1998] 3142 Bendi, "Bonk exploit", http://www.insecure.org/sploits/ 3143 95.NT.fragmentation.bonk.html , 1998. 3145 [Biondi2007] 3146 Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", 3147 CanSecWest 2007 Security Conference http://www.secdev.org/ 3148 conf/IPv6_RH_security-csw07.pdf, 2007. 3150 [CERT1996a] 3151 CERT, "CERT Advisory CA-1996-01: UDP Port Denial-of- 3152 Service Attack", 3153 http://www.cert.org/advisories/CA-1996-01.html, 1996. 3155 [CERT1996b] 3156 CERT, "CERT Advisory CA-1996-21: TCP SYN Flooding and IP 3157 Spoofing Attacks", 3158 http://www.cert.org/advisories/CA-1996-21.html, 1996. 3160 [CERT1996c] 3161 CERT, "CERT Advisory CA-1996-26: Denial-of-Service Attack 3162 via ping", 3163 http://www.cert.org/advisories/CA-1996-26.html, 1996. 3165 [CERT1997] 3166 CERT, "CERT Advisory CA-1997-28: IP Denial-of-Service 3167 Attacks", http://www.cert.org/advisories/CA-1997-28.html, 3168 1997. 3170 [CERT1998a] 3171 CERT, "CERT Advisory CA-1998-01: Smurf IP Denial-of- 3172 Service Attacks", 3173 http://www.cert.org/advisories/CA-1998-01.html, 1998. 3175 [CERT1998b] 3176 CERT, "CERT Advisory CA-1998-13: Vulnerability in Certain 3177 TCP/IP Implementations", 3178 http://www.cert.org/advisories/CA-1998-13.html, 1998. 3180 [CERT1999] 3181 CERT, "CERT Advisory CA-1999-17: Denial-of-Service Tools", 3182 http://www.cert.org/advisories/CA-1999-17.html, 1999. 3184 [CERT2001] 3185 CERT, "CERT Advisory CA-2001-09: Statistical Weaknesses in 3186 TCP/IP Initial Sequence Numbers", 3187 http://www.cert.org/advisories/CA-2001-09.html, 2001. 3189 [CERT2003] 3190 CERT, "CERT Advisory CA-2003-15: Cisco IOS Interface 3191 Blocked by IPv4 Packet", 3192 http://www.cert.org/advisories/CA-2003-15.html, 2003. 3194 [CIPSO1992] 3195 CIPSO, "COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)", IETF 3196 Internet-Draft (draft-ietf-cipso-ipsecurity-01.txt), work 3197 in progress , 1992. 3199 [CIPSOWG1994] 3200 CIPSOWG, "Commercial Internet Protocol Security Option 3201 (CIPSO) Working Group", http://www.ietf.org/proceedings/ 3202 94jul/charters/cipso-charter.html, 1994. 3204 [CPNI2008] 3205 Gont, F., "Security Assessment of the Internet Protocol", 3206 http://www.cpni.gov.uk/Docs/InternetProtocol.pdf, 2008. 3208 [Cerf1974] 3209 Cerf, V. and R. Kahn, "A Protocol for Packet Network 3210 Intercommunication", IEEE Transactions on 3211 Communications Vol. 22, No. 5, May 1974, pp. 637-648, 3212 1974. 3214 [Cisco2003] 3215 Cisco, "Cisco Security Advisory: Cisco IOS Interface 3216 Blocked by IPv4 packet", http://www.cisco.com/en/US/ 3217 products/products_security_advisory09186a00801a34c2.shtml, 3218 2003. 3220 [Cisco2008] 3221 Cisco, "Cisco IOS Security Configuration Guide, Release 3222 12.2", http://www.cisco.com/en/US/docs/ios/12_2/security/ 3223 configuration/guide/scfipso.html, 2003. 3225 [Clark1988] 3226 Clark, D., "The Design Philosophy of the DARPA Internet 3227 Protocols", Computer Communication Review Vol. 18, No. 4, 3228 1988. 3230 [Ed3f2002] 3231 Ed3f, "Firewall spotting and networks analisys with a 3232 broken CRC", Phrack Magazine, Volume 0x0b, Issue 0x3c, 3233 Phile #0x0c of 0x10 http://www.phrack.org/ 3234 issues.html?issue=60&id=12&mode=txt, 2002. 3236 [FIPS1994] 3237 FIPS, "Standard Security Label for Information Transfer", 3238 Federal Information Processing Standards Publication. FIP 3239 PUBS 188 http://csrc.nist.gov/publications/fips/fips188/ 3240 fips188.pdf, 1994. 3242 [Fuller2008a] 3243 Fuller, V., Lear, E., and D. Meyer, "240.0.0.0/4: The 3244 Future Begins Now", Routing SIG Meeting, 25th APNIC Open 3245 Policy Meeting, February 25 - 29 2008, Taipei, Taiwan http 3246 ://www.apnic.net/meetings/25/program/routing/ 3247 fuller-240-future.pdf, 2008. 3249 [Fyodor2004] 3250 Fyodor, "Idle scanning and related IP ID games", 3251 http://www.insecure.org/nmap/idlescan.html, 2004. 3253 [GIAC2000] 3254 GIAC, "Egress Filtering v 0.2", 3255 http://www.sans.org/y2k/egress.htm, 2000. 3257 [Gont2006] 3258 Gont, F., "Advanced ICMP packet filtering", 3259 http://www.gont.com.ar/papers/icmp-filtering.html, 2006. 3261 [Haddad2004] 3262 Haddad, I. and M. Zakrzewski, "Security Distribution for 3263 Linux Clusters", Linux 3264 Journal http://www.linuxjournal.com/article/6943, 2004. 3266 [Humble1998] 3267 Humble, "Nestea exploit", 3268 http://www.insecure.org/sploits/linux.PalmOS.nestea.html, 3269 1998. 3271 [I-D.fuller-240space] 3272 Fuller, V., "Reclassifying 240/4 as usable unicast address 3273 space", draft-fuller-240space-02 (work in progress), 3274 March 2008. 3276 [I-D.ietf-tcpm-icmp-attacks] 3277 Gont, F., "ICMP attacks against TCP", 3278 draft-ietf-tcpm-icmp-attacks-12 (work in progress), 3279 March 2010. 3281 [I-D.templin-mtuassurance] 3282 Templin, F., "Requirements for IP-in-IP Tunnel MTU 3283 Assurance", draft-templin-mtuassurance-02 (work in 3284 progress), October 2006. 3286 [I-D.wilson-class-e] 3287 Wilson, P., Michaelson, G., and G. Huston, "Redesignation 3288 of 240/4 from "Future Use" to "Private Use"", 3289 draft-wilson-class-e-02 (work in progress), 3290 September 2008. 3292 [IANA2006a] 3293 Ether Types, 3294 "http://www.iana.org/assignments/ethernet-numbers". 3296 [IANA2006b] 3297 IP Parameters, 3298 "http://www.iana.org/assignments/ip-parameters". 3300 [IANA2006c] 3301 Protocol Numbers, 3302 "http://www.iana.org/assignments/protocol-numbers". 3304 [IRIX2008] 3305 IRIX, "IRIX 6.5 trusted_networking(7) manual page", http: 3306 //techpubs.sgi.com/library/tpl/cgi-bin/ 3307 getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/ 3308 cat7/trusted_networking.z, 2008. 3310 [Jones2002] 3311 Jones, R., "A Method Of Selecting Values For the 3312 Parameters Controlling IP Fragment Reassembly", ftp:// 3313 ftp.cup.hp.com/dist/networking/briefs/ip_reass_tuning.txt, 3314 2002. 3316 [Kenney1996] 3317 Kenney, M., "The Ping of Death Page", 3318 http://www.insecure.org/sploits/ping-o-death.html, 1996. 3320 [Kent1987] 3321 Kent, C. and J. Mogul, "Fragmentation considered harmful", 3322 Proc. SIGCOMM '87 Vol. 17, No. 5, October 1987, 1987. 3324 [Klein2007] 3325 Klein, A., "OpenBSD DNS Cache Poisoning and Multiple O/S 3326 Predictable IP ID Vulnerability", http:// 3327 www.trusteer.com/files/ 3328 OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP 3329 _ID_Vulnerability.pdf, 2007. 3331 [Kohno2005] 3332 Kohno, T., Broido, A., and kc. Claffy, "Remote Physical 3333 Device Fingerprinting", IEEE Transactions on Dependable 3334 and Secure Computing Vol. 2, No. 2, 2005. 3336 [LBNL2006] 3337 LBNL/NRG, "arpwatch tool", http://ee.lbl.gov/, 2006. 3339 [Linux2006] 3340 The Linux Project, "http://www.kernel.org". 3342 [Microsoft1999] 3343 Microsoft, "Microsoft Security Program: Microsoft Security 3344 Bulletin (MS99-038). Patch Available for "Spoofed Route 3345 Pointer" Vulnerability", http://www.microsoft.com/ 3346 technet/security/bulletin/ms99-038.mspx, 1999. 3348 [NISCC2004] 3349 NISCC, "NISCC Vulnerability Advisory 236929: Vulnerability 3350 Issues in TCP", 3351 http://www.uniras.gov.uk/niscc/docs/ 3352 re-20040420-00391.pdf, 2004. 3354 [NISCC2005] 3355 NISCC, "NISCC Vulnerability Advisory 532967/NISCC/ICMP: 3356 Vulnerability Issues in ICMP packets with TCP payloads", 3357 http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf, 3358 2005. 3360 [NISCC2006] 3361 NISCC, "NISCC Technical Note 01/2006: Egress and Ingress 3362 Filtering", http://www.niscc.gov.uk/niscc/docs/ 3363 re-20060420-00294.pdf?lang=en, 2006. 3365 [Northcutt2000] 3366 Northcut, S. and Novak, "Network Intrusion Detection - An 3367 Analyst's Handbook", Second Edition New Riders Publishing, 3368 2000. 3370 [Novak2005] 3371 Novak, "Target-Based Fragmentation Reassembly", 3372 http://www.snort.org/reg/docs/target_based_frag.pdf, 3373 2005. 3375 [OpenBSD-PF] 3376 Sanfilippo, S., "PF: Scrub (Packet Normalization)", 3377 http://www.openbsd.org/faq/pf/scrub.html, 2010. 3379 [OpenBSD1998] 3380 OpenBSD, "OpenBSD Security Advisory: IP Source Routing 3381 Problem", 3382 http://www.openbsd.org/advisories/sourceroute.txt, 1998. 3384 [Paxson2001] 3385 Paxson, V., Handley, M., and C. Kreibich, "Network 3386 Intrusion Detection: Evasion, Traffic Normalization, and 3387 End-to-End Protocol Semantics", USENIX Conference, 2001, 3388 2001. 3390 [Ptacek1998] 3391 Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial 3392 of Service: Eluding Network Intrusion Detection", 3393 http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps, 3394 1998. 3396 [RFC0815] Clark, D., "IP datagram reassembly algorithms", RFC 815, 3397 July 1982. 3399 [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security 3400 Considerations for IP Fragment Filtering", RFC 1858, 3401 October 1995. 3403 [RFC2544] Bradner, S. and J. McQuaid, "Benchmarking Methodology for 3404 Network Interconnect Devices", RFC 2544, March 1999. 3406 [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains 3407 via IPv4 Clouds", RFC 3056, February 2001. 3409 [RFC3128] Miller, I., "Protection Against a Variant of the Tiny 3410 Fragment Attack (RFC 1858)", RFC 3128, June 2001. 3412 [RFC3530] Shepler, S., Callaghan, B., Robinson, D., Thurlow, R., 3413 Beame, C., Eisler, M., and D. Noveck, "Network File System 3414 (NFS) version 4 Protocol", RFC 3530, April 2003. 3416 [RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the- 3417 Network Tunneling", RFC 4459, April 2006. 3419 [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly 3420 Errors at High Data Rates", RFC 4963, July 2007. 3422 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 3423 Mitigations", RFC 4987, August 2007. 3425 [RFC5559] Eardley, P., "Pre-Congestion Notification (PCN) 3426 Architecture", RFC 5559, June 2009. 3428 [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common 3429 Architecture Label IPv6 Security Option (CALIPSO)", 3430 RFC 5570, July 2009. 3432 [RFC5670] Eardley, P., "Metering and Marking Behaviour of PCN- 3433 Nodes", RFC 5670, November 2009. 3435 [RFC5696] Moncaster, T., Briscoe, B., and M. Menth, "Baseline 3436 Encoding and Transport of Pre-Congestion Information", 3437 RFC 5696, November 2009. 3439 [SELinux2008] 3440 Security Enhanced Linux, "http://www.nsa.gov/selinux/". 3442 [Sanfilippo1998a] 3443 Sanfilippo, S., "about the ip header id", Post to Bugtraq 3444 mailing-list, Mon Dec 14 3445 1998 http://www.kyuzz.org/antirez/papers/ipid.html, 1998. 3447 [Sanfilippo1998b] 3448 Sanfilippo, S., "Idle scan", Post to Bugtraq mailing- 3449 list http://www.kyuzz.org/antirez/papers/dumbscan.html, 3450 1998. 3452 [Sanfilippo1999] 3453 Sanfilippo, S., "more ip id", Post to Bugtraq mailing- 3454 list http://www.kyuzz.org/antirez/papers/moreipid.html, 3455 1999. 3457 [Shankar2003] 3458 Shankar, U. and V. Paxson, "Active Mapping: Resisting NIDS 3459 Evasion Without Altering Traffic", 3460 http://www.icir.org/vern/papers/activemap-oak03.pdf, 3462 2003. 3464 [Shannon2001] 3465 Shannon, C., Moore, D., and K. Claffy, "Characteristics of 3466 Fragmented IP Traffic on Internet Links", 2001. 3468 [Silbersack2005] 3469 Silbersack, M., "Improving TCP/IP security through 3470 randomization without sacrificing interoperability", 3471 EuroBSDCon 2005 Conference http://www.silby.com/ 3472 eurobsdcon05/eurobsdcon_slides.pdf, 2005. 3474 [Solaris2008] 3475 Solaris Trusted Extensions - Labeled Security for Absolute 3476 Protection, "http://www.sun.com/software/solaris/ds/ 3477 trusted_extensions.jsp#3", 2008. 3479 [Song1999] 3480 Song, D., "Frag router tool", 3481 http://www.anzen.com/research/nidsbench/. 3483 [SpooferProject] 3484 MIT ANA, "The MIT ANA Spoofer project", 3485 http://spoofer.csail.mit.edu/index.php, 2010. 3487 [US-CERT2001] 3488 US-CERT, "US-CERT Vulnerability Note VU#446689: Check 3489 Point FireWall-1 allows fragmented packets through 3490 firewall if Fast Mode is enabled", 3491 http://www.kb.cert.org/vuls/id/446689, 2001. 3493 [US-CERT2002] 3494 US-CERT, "US-CERT Vulnerability Note VU#310387: Cisco IOS 3495 discloses fragments of previous packets when Express 3496 Forwarding is enabled", 3497 http://www.kb.cert.org/vuls/id/310387, 2002. 3499 [Watson2004] 3500 Watson, P., "Slipping in the Window: TCP Reset Attacks", 3501 CanSecWest Conference , 2004. 3503 [Zakrzewski2002] 3504 Zakrzewski, M. and I. Haddad, "Linux Distributed Security 3505 Module", http://www.linuxjournal.com/article/6215, 2002. 3507 [daemon91996] 3508 daemon9, route, and infinity, "IP-spoofing Demystified 3509 (Trust-Relationship Exploitation)", Phrack Magazine, 3510 Volume Seven, Issue Forty-Eight, File 14 of 18 http:// 3511 www.phrack.org/issues.html?issue=48&id=14&mode=txt, 1988. 3513 Appendix A. Advice and guidance to vendors 3515 Vendors are urged to contact CPNI (vulteam@cpni.gsi.gov.uk) if they 3516 think they may be affected by the issues described in this document. 3517 As the lead coordination center for these issues, CPNI is well placed 3518 to give advice and guidance as required. 3520 CPNI works extensively with government departments and agencies, 3521 commercial organizations and the academic community to research 3522 vulnerabilities and potential threats to IT systems especially where 3523 they may have an impact on Critical National Infrastructure's (CNI). 3525 Other ways to contact CPNI, plus CPNI's PGP public key, are available 3526 at http://www.cpni.gov.uk . 3528 Appendix B. Changes from previous versions of the draft 3530 This whole appendix should be removed by the RFC Editor before 3531 publishing this document as an RFC. 3533 B.1. Changes from draft-ietf-opsec-ip-security-03 3535 o Addresses feedback received off-list by Warren Kumari. 3537 B.2. Changes from draft-ietf-opsec-ip-security-02 3539 o Addresses a very thorough review by Alfred Hoenes (sent off-list) 3541 o Miscellaneous edits (centers expressions, fills missing graphics 3542 with ASCII-art, etc.) 3544 B.3. Changes from draft-ietf-opsec-ip-security-01 3546 o Addresses rest of the feedback received from Andrew Yourtchenko 3547 (http://www.ietf.org/mail-archive/web/opsec/current/msg00417.html) 3549 o Addresses a very thorough review by Alfred Hoenes (sent off-list) 3551 o Addresses feedback submitted by Joel Jaeggli (off-list) 3553 o Addresses feedback submitted (off-list) by Bruno Rohee. 3555 o Miscellaneous edits (centers expressions, fills missing graphics 3556 with ASCII-art, etc.) 3558 B.4. Changes from draft-ietf-opsec-ip-security-00 3560 o Addresses part of the feedback received from Andrew Yourtchenko 3561 (http://www.ietf.org/mail-archive/web/opsec/current/msg00417.html) 3563 B.5. Changes from draft-gont-opsec-ip-security-01 3565 o Draft resubmitted as draft-ietf, as a result of wg consensus on 3566 adopting the document as an opsec wg item. 3568 B.6. Changes from draft-gont-opsec-ip-security-00 3570 o Fixed author's affiliation. 3572 o Added Figure 6. 3574 o Fixed a few typos. 3576 o (no technical changes) 3578 Author's Address 3580 Fernando Gont 3581 UK Centre for the Protection of National Infrastructure 3583 Email: fernando@gont.com.ar 3584 URI: http://www.cpni.gov.uk