datatracker.ietf.org
Sign in
Version 5.6.2.p2, 2014-07-24
Report a bug

The Security Flag in the IPv4 Header
RFC 3514

Document type: RFC - Informational (April 2003; No errata)
Document stream: Legacy
Last updated: 2013-03-02
Other versions: plain text, pdf, html

Legacy State: (None)
Document shepherd: No shepherd assigned

This information refers to IESG processing after the RFC was initially published:
IESG State: RFC 3514 (Informational)
Responsible AD: Steven Bellovin
Send notices to: No addresses provided

Network Working Group                                        S. Bellovin
Request for Comments: 3514                            AT&T Labs Research
Category: Informational                                     1 April 2003

                  The Security Flag in the IPv4 Header

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   Firewalls, packet filters, intrusion detection systems, and the like
   often have difficulty distinguishing between packets that have
   malicious intent and those that are merely unusual.  We define a
   security flag in the IPv4 header as a means of distinguishing the two
   cases.

1. Introduction

   Firewalls [CBR03], packet filters, intrusion detection systems, and
   the like often have difficulty distinguishing between packets that
   have malicious intent and those that are merely unusual.  The problem
   is that making such determinations is hard.  To solve this problem,
   we define a security flag, known as the "evil" bit, in the IPv4
   [RFC791] header.  Benign packets have this bit set to 0; those that
   are used for an attack will have the bit set to 1.

1.1. Terminology

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in [RFC2119].

2. Syntax

   The high-order bit of the IP fragment offset field is the only unused
   bit in the IP header.  Accordingly, the selection of the bit position
   is not left to IANA.

Bellovin                     Informational                      [Page 1]
RFC 3514          The Security Flag in the IPv4 Header      1 April 2003

   The bit field is laid out as follows:

             0
            +-+
            |E|
            +-+

   Currently-assigned values are defined as follows:

   0x0  If the bit is set to 0, the packet has no evil intent.  Hosts,
        network elements, etc., SHOULD assume that the packet is
        harmless, and SHOULD NOT take any defensive measures.  (We note
        that this part of the spec is already implemented by many common
        desktop operating systems.)

   0x1  If the bit is set to 1, the packet has evil intent.  Secure
        systems SHOULD try to defend themselves against such packets.
        Insecure systems MAY chose to crash, be penetrated, etc.

3. Setting the Evil Bit

   There are a number of ways in which the evil bit may be set.  Attack
   applications may use a suitable API to request that it be set.
   Systems that do not have other mechanisms MUST provide such an API;
   attack programs MUST use it.

   Multi-level insecure operating systems may have special levels for
   attack programs; the evil bit MUST be set by default on packets
   emanating from programs running at such levels.  However, the system
   MAY provide an API to allow it to be cleared for non-malicious
   activity by users who normally engage in attack behavior.

   Fragments that by themselves are dangerous MUST have the evil bit
   set.  If a packet with the evil bit set is fragmented by an
   intermediate router and the fragments themselves are not dangerous,
   the evil bit MUST be cleared in the fragments, and MUST be turned
   back on in the reassembled packet.

   Intermediate systems are sometimes used to launder attack
   connections.  Packets to such systems that are intended to be relayed
   to a target SHOULD have the evil bit set.

   Some applications hand-craft their own packets.  If these packets are
   part of an attack, the application MUST set the evil bit by itself.

   In networks protected by firewalls, it is axiomatic that all
   attackers are on the outside of the firewall.  Therefore, hosts
   inside the firewall MUST NOT set the evil bit on any packets.

Bellovin                     Informational                      [Page 2]
RFC 3514          The Security Flag in the IPv4 Header      1 April 2003

   Because NAT [RFC3022] boxes modify packets, they SHOULD set the evil
   bit on such packets.  "Transparent" http and email proxies SHOULD set
   the evil bit on their reply packets to the innocent client host.

   Some hosts scan other hosts in a fashion that can alert intrusion
   detection systems.  If the scanning is part of a benign research
   project, the evil bit MUST NOT be set.  If the scanning per se is
   innocent, but the ultimate intent is evil and the destination site
   has such an intrusion detection system, the evil bit SHOULD be set.

[include full document text]