Operational Security Capabilities F. Gont
for IP Network Infrastructure UTN/FRH
(opsec) S. Fouant
Internet-Draft Shortest Path First
Intended status: BCP February 2010
Expires: August 5, 2010
IP Options Filtering Recommendations
draft-gont-opsec-ip-options-filtering-00.txt
Abstract
This document document provides advice on the filtering of packets
based on the IP options they contain. Additionally, it discusses the
operational and interoperability implications of such filtering.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 5, 2010.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Gont & Fouant Expires August 5, 2010 [Page 1]
Internet-Draft IPv4 Security Assessment February 2010
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Processing requirements . . . . . . . . . . . . . . . . . . . 6
4. Advice on handling of specific IP Options . . . . . . . . . . 6
4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 6
4.1.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1.2. Option specification . . . . . . . . . . . . . . . . . 7
4.1.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 7
4.1.4. Operational/interoperability impact if blocked . . . . 7
4.1.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. No Operation (Type = 1) . . . . . . . . . . . . . . . . . 7
4.2.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2.2. Option specification . . . . . . . . . . . . . . . . . 7
4.2.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 7
4.2.4. Operational/interoperability impact if blocked . . . . 7
4.2.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 7
4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 7
4.3.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.3.2. Option specification . . . . . . . . . . . . . . . . . 8
4.3.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 8
4.3.4. Operational/interoperability impact if blocked . . . . 9
4.3.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 9
4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 9
4.4.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.4.2. Option specification . . . . . . . . . . . . . . . . . 9
4.4.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 9
4.4.4. Operational/interoperability impact if blocked . . . . 9
4.4.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 9
4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 10
4.5.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.5.2. Option specification . . . . . . . . . . . . . . . . . 10
4.5.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 10
4.5.4. Operational/interoperability impact if blocked . . . . 10
4.5.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 10
4.6. Stream Identifier (Type = 136) . . . . . . . . . . . . . . 10
4.6.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.6.2. Option specification . . . . . . . . . . . . . . . . . 11
4.6.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11
Gont & Fouant Expires August 5, 2010 [Page 2]
Internet-Draft IPv4 Security Assessment February 2010
4.6.4. Operational/interoperability impact if blocked . . . . 11
4.6.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 11
4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 11
4.7.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.7.2. Option specification . . . . . . . . . . . . . . . . . 11
4.7.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11
4.7.4. Operational/interoperability impact if blocked . . . . 12
4.7.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 12
4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 12
4.8.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.8.2. Option specification . . . . . . . . . . . . . . . . . 12
4.8.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 12
4.8.4. Operational/interoperability impact if blocked . . . . 12
4.8.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 12
4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . 12
4.9.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.9.2. Option specification . . . . . . . . . . . . . . . . . 12
4.9.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 13
4.9.4. Operational/interoperability impact if blocked . . . . 13
4.9.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 13
4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 13
4.10.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.10.2. Option specification . . . . . . . . . . . . . . . . . 13
4.10.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 13
4.10.4. Operational/interoperability impact if blocked . . . . 13
4.10.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 13
4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 13
4.11.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.11.2. Option specification . . . . . . . . . . . . . . . . . 13
4.11.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 14
4.11.4. Operational/interoperability impact if blocked . . . . 14
4.11.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 14
4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 14
4.12.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.12.2. Option specification . . . . . . . . . . . . . . . . . 14
4.12.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 15
4.12.4. Operational/interoperability impact if blocked . . . . 15
4.12.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 15
4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 15
4.13.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.13.2. Option specification . . . . . . . . . . . . . . . . . 15
4.13.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 15
4.13.4. Operational/interoperability impact if blocked . . . . 15
4.13.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 15
4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . 15
4.14.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.14.2. Option specification . . . . . . . . . . . . . . . . . 16
4.14.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 16
Gont & Fouant Expires August 5, 2010 [Page 3]
Internet-Draft IPv4 Security Assessment February 2010
4.14.4. Operational/interoperability impact if blocked . . . . 16
4.14.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 16
4.15. Sender Directed Multi-Destination Delivery (Type = 149) . 16
4.15.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.15.2. Option specification . . . . . . . . . . . . . . . . . 16
4.15.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 16
4.15.4. Operational/interoperability impact if blocked . . . . 16
4.15.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 16
5. Security Considerations . . . . . . . . . . . . . . . . . . . 16
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.1. Normative References . . . . . . . . . . . . . . . . . . . 17
7.2. Informative References . . . . . . . . . . . . . . . . . . 18
Appendix A. Changes from previous versions of the draft (to
be removed by the RFC Editor before publishing
this document as an RFC) . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27
Gont & Fouant Expires August 5, 2010 [Page 4]
Internet-Draft IPv4 Security Assessment February 2010
1. Introduction
This document document provides advice on the filtering of IP Options
within IPv4 headers. Various protocols may use IP Options to some
extent, therefore the filtering of such options may have implications
on proper functioning of the protocol. As such, this document
attempts to discuss the operational and interoperability implications
of such filtering. Additionaly, this document will outline what a
network operator might do in a typical enterprise or Service Provider
environment.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. IP Options
IP options allow for the extension of the Internet Protocol
There are two cases for the format of an option:
o Case 1: A single byte of option-type.
o Case 2: An option-type byte, an option-length byte, and the actual
option-data bytes.
In the Case 2, the option-length byte counts the option-type byte and
the option-length byte, as well as the actual option-data bytes.
All current and future options except "End of Option List" (Type = 0)
and "No Operation" (Type = 1), are of Class 2.
The option-type has three fields:
o 1 bit: copied flag.
o 2 bits: option class.
o 5 bits: option number.
The copied flag indicates whether this option should be copied to all
fragments in the event the packet carrying it needs to be fragmented:
o 0 = not copied.
o 1 = copied.
Gont & Fouant Expires August 5, 2010 [Page 5]
Internet-Draft IPv4 Security Assessment February 2010
The values for the option class are:
o 0 = control.
o 1 = reserved for future use.
o 2 = debugging and measurement.
o 3 = reserved for future use.
This format allows for the creation of new options for the extension
of the Internet Protocol (IP).
Finally, the option number identifies the syntax of the rest of the
option.
[IANA2006b] contains the list of the currently assigned IP option
numbers.
3. Processing requirements
Router manufacturers tend to do IP option processing on the main
processor, rather than on line cards. Unless special care is taken,
this represents Denial of Service (DoS) risk, as there is potential
for overwhelming the router with option processing.
The following sections contain a description of each of the IP
options that have so far been specified, a discussion of possible
interoperability implications if packets containing such options are
filtered, and specific advice on whether to filter packets containing
these options in a typical enterprise or Service Provider
environment.
4. Advice on handling of specific IP Options
4.1. End of Option List (Type = 0)
4.1.1. Uses
This option is used to indicate the "end of options" in those cases
in which the end of options would not coincide with the end of the
Internet Protocol Header.
Gont & Fouant Expires August 5, 2010 [Page 6]
Internet-Draft IPv4 Security Assessment February 2010
4.1.2. Option specification
Specified in RFC 791 [RFC0791].
4.1.3. Threats
TBD
4.1.4. Operational/interoperability impact if blocked
Packets containing any IP options are likely to include an End of
Option List. Therefore, if packets containing this option are
filtered, it is very likely that legitimate traffic is filtered.
4.1.5. Advice
Do not filter packets containing this option.
4.2. No Operation (Type = 1)
4.2.1. Uses
The no-operation option is basically meant to allow the sending
system to align subsequent options in, for example, 32-bit
boundaries.
4.2.2. Option specification
Specified in RFC 791 [RFC0791].
4.2.3. Threats
TBD
4.2.4. Operational/interoperability impact if blocked
4.2.5. Advice
Do not filter packets containing this option.
4.3. Loose Source and Record Route (LSRR) (Type = 131)
RFC 791 states that this option should appear, at most, once in a
given packet. Thus, if a packet contains more than one LSRR option,
it should be dropped, and this event should be logged (e.g., a
counter could be incremented to reflect the packet drop).
Additionally, packets containing a combination of LSRR and SSRR
options should be dropped, and this event should be logged (e.g., a
Gont & Fouant Expires August 5, 2010 [Page 7]
Internet-Draft IPv4 Security Assessment February 2010
counter could be incremented to reflect the packet drop).
4.3.1. Uses
This option lets the originating system specify a number of
intermediate systems a packet must pass through to get to the
destination host. Additionally, the route followed by the packet is
recorded in the option. The receiving host (end-system) must use the
reverse of the path contained in the received LSRR option.
The LSSR option can be of help in debugging some network problems.
Some ISP (Internet Service Provider) peering agreements require
support for this option in the routers within the peer of the ISP.
4.3.2. Option specification
Specified in RFC 791 [RFC0791].
4.3.3. Threats
The LSRR option has well-known security implications. Among other
things, the option can be used to:
o Bypass firewall rules
o Reach otherwise unreachable internet systems
o Establish TCP connections in a stealthy way
o Learn about the topology of a network
o Perform bandwidth-exhaustion attacks
Of these attack vectors, the one that has probably received least
attention is the use of the LSRR option to perform bandwidth
exhaustion attacks. The LSRR option can be used as an amplification
method for performing bandwidth-exhaustion attacks, as an attacker
could make a packet bounce multiple times between a number of systems
by carefully crafting an LSRR option.
This is the IPv4-version of the IPv6 amplification attack that was
widely publicized in 2007 [Biondi2007]. The only difference is
that the maximum length of the IPv4 header (and hence the LSRR
option) limits the amplification factor when compared to the IPv6
counter-part.
Gont & Fouant Expires August 5, 2010 [Page 8]
Internet-Draft IPv4 Security Assessment February 2010
4.3.4. Operational/interoperability impact if blocked
TBD
4.3.5. Advice
All systems should, by default, drop IP packets that contain an LSRR
option.
4.4. Strict Source and Record Route (SSRR) (Type = 137)
4.4.1. Uses
This option allows the originating system to specify a number of
intermediate systems a packet must pass through to get to the
destination host. Additionally, the route followed by the packet is
recorded in the option, and the destination host (end-system) must
use the reverse of the path contained in the received SSRR option.
This option is similar to the Loose Source and Record Route (LSRR)
option, with the only difference that in the case of SSRR, the route
specified in the option is the exact route the packet must take
(i.e., no other intervening routers are allowed to be in the route).
The SSSR option can be of help in debugging some network problems.
Some ISP (Internet Service Provider) peering agreements require
support for this option in the routers within the peer of the ISP.
4.4.2. Option specification
Specified in RFC 791 [RFC0791].
4.4.3. Threats
The SSRR option has the same security implications as the LSRR
option. Please refer to Section 4.3 for a discussion of such
security implications.
4.4.4. Operational/interoperability impact if blocked
TBD
4.4.5. Advice
All systems should, by default, drop IP packets that contain an SSRR
option.
Gont & Fouant Expires August 5, 2010 [Page 9]
Internet-Draft IPv4 Security Assessment February 2010
4.5. Record Route (Type = 7)
4.5.1. Uses
This option provides a means to record the route that a given packet
follows.
4.5.2. Option specification
Specified in RFC 791 [RFC0791].
4.5.3. Threats
This option can be exploited to map the topology of a network.
However, the limited space in the IP header limits the usefulness of
this option for that purpose.
4.5.4. Operational/interoperability impact if blocked
TBD
4.5.5. Advice
Drop IP packets that contain a Record Route option.
4.6. Stream Identifier (Type = 136)
The Stream Identifier option originally provided a means for the 16-
bit SATNET stream Identifier to be carried through networks that did
not support the stream concept.
However, as stated by Section 4.2.2.1 of RFC 1812 [RFC1812], this
option is obsolete. Therefore, it must be ignored by the processing
systems.
In the case of legacy systems still using this option, the length
field of the option should be checked to be 4. If the option does
not pass this check, it should be dropped, and this event should be
logged (e.g., a counter could be incremented to reflect the packet
drop).
RFC 791 states that this option appears at most once in a given
datagram. Therefore, if a packet contains more than one instance of
this option, it should be dropped, and this event should be logged
(e.g., a counter could be incremented to reflect the packet drop).
4.6.1. Uses
Gont & Fouant Expires August 5, 2010 [Page 10]
Internet-Draft IPv4 Security Assessment February 2010
4.6.2. Option specification
Specified in RFC 791 [RFC0791].
4.6.3. Threats
4.6.4. Operational/interoperability impact if blocked
4.6.5. Advice
4.7. Internet Timestamp (Type = 68)
4.7.1. Uses
This option provides a means for recording the time at which each
system processed this datagram.
4.7.2. Option specification
Specified by RFC 791 [RFC0791].
4.7.3. Threats
The timestamp option has a number of security implications. Among
them are:
o It allows an attacker to obtain the current time of the systems
that process the packet, which the attacker may find useful in a
number of scenarios.
o It may be used to map the network topology, in a similar way to
the IP Record Route option.
o It may be used to fingerprint the operating system in use by a
system processing the datagram.
o It may be used to fingerprint physical devices, by analyzing the
clock skew.
[Kohno2005] describes a technique for fingerprinting devices by
measuring the clock skew. It exploits, among other things, the
timestamps that can be obtained by means of the ICMP timestamp
request messages [RFC0791]. However, the same fingerprinting method
could be implemented with the aid of the Internet Timestamp option.
Gont & Fouant Expires August 5, 2010 [Page 11]
Internet-Draft IPv4 Security Assessment February 2010
4.7.4. Operational/interoperability impact if blocked
TBD.
4.7.5. Advice
Filter IP packets that contain an Internet Timestamp option.
4.8. Router Alert (Type = 148)
4.8.1. Uses
The Router Alert option has the semantic "routers should examine this
packet more closely, if they participate in the functionality denoted
by the Value of the option".
4.8.2. Option specification
The Router Alert option is defined in RFC 2113 [RFC2113] and later
updates to it have been clarified by RFC 5350 [RFC5350]. It contains
a 16-bit Value governed by an IANA registry (see [RFC5350]).
4.8.3. Threats
TBD.
4.8.4. Operational/interoperability impact if blocked
TBD
4.8.5. Advice
TBD
4.9. Probe MTU (Type = 11) (obsolete)
4.9.1. Uses
This option originally provided a mechanism to discover the Path-MTU.
It has been declared obsolete.
4.9.2. Option specification
This option was defined in RFC 1063 [RFC1063]. This option is
obsolete.
Gont & Fouant Expires August 5, 2010 [Page 12]
Internet-Draft IPv4 Security Assessment February 2010
4.9.3. Threats
None
4.9.4. Operational/interoperability impact if blocked
None
4.9.5. Advice
Filter IP packets that contain a Probe MTU option.
4.10. Reply MTU (Type = 12) (obsolete)
4.10.1. Uses
This option and originally provided a mechanism to discover the Path-
MTU. It is now obsolete.
4.10.2. Option specification
This option was originally specified by RFC 1063 [RFC1063], and is
now obsolete.
4.10.3. Threats
None.
4.10.4. Operational/interoperability impact if blocked
None
4.10.5. Advice
Filter IP packets that contain a Reply MTU option.
4.11. Traceroute (Type = 82)
4.11.1. Uses
This option originally provided a mechanism to trace the path to a
host.
4.11.2. Option specification
This option was originally specified by RFC 1393 [RFC1393]. It has
been declared obsolete.
Gont & Fouant Expires August 5, 2010 [Page 13]
Internet-Draft IPv4 Security Assessment February 2010
4.11.3. Threats
None
4.11.4. Operational/interoperability impact if blocked
None
4.11.5. Advice
Filter IP packets that contain a Traceroute option.
4.12. DoD Basic Security Option (Type = 130)
4.12.1. Uses
This option is used by Multi-Level-Secure (MLS) end-systems and
intermediate systems in specific environments to [RFC1108]:
o Transmit from source to destination in a network standard
representation the common security labels required by computer
security models,
o Validate the datagram as appropriate for transmission from the
source and delivery to the destination, and,
o Ensure that the route taken by the datagram is protected to the
level required by all protection authorities indicated on the
datagram.
The DoD Basic Security Option is currently implemented in a number of
operating systems (e.g., [IRIX2008], [SELinux2008], [Solaris2008],
and [Cisco2008]), and deployed in a number of high-security networks.
4.12.2. Option specification
It is specified by RFC 1108 [RFC1108] (which obsoletes RFC 1038
[RFC1038]).
RFC 791 [RFC0791] defined the "Security Option" (Type = 130),
which used the same option type as the DoD Basic Security option
discussed in this section. The "Security Option" specified in RFC
791 is considered obsolete by Section 3.2.1.8 of RFC 1122, and
therefore the discussion in this section is focused on the DoD
Basic Security option specified by RFC 1108 [RFC1108].
Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement
this option".
Gont & Fouant Expires August 5, 2010 [Page 14]
Internet-Draft IPv4 Security Assessment February 2010
4.12.3. Threats
TBD.
4.12.4. Operational/interoperability impact if blocked
TBD
4.12.5. Advice
TBD
4.13. DoD Extended Security Option (Type = 133)
4.13.1. Uses
This option permits additional security labeling information, beyond
that present in the Basic Security Option (Section 4.12), to be
supplied in an IP datagram to meet the needs of registered
authorities.
4.13.2. Option specification
This option is specified by RFC 1108 [RFC1108].
4.13.3. Threats
TBD
4.13.4. Operational/interoperability impact if blocked
TBD
4.13.5. Advice
TBD
4.14. Commercial IP Security Option (CIPSO) (Type = 134)
4.14.1. Uses
This option was proposed by the Trusted Systems Interoperability
Group (TSIG), with the intent of meeting trusted networking
requirements for the commercial trusted systems market place.
It is currently implemented in a number of operating systems (e.g.,
IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris
[Solaris2008]), and deployed in a number of high-security networks.
Gont & Fouant Expires August 5, 2010 [Page 15]
Internet-Draft IPv4 Security Assessment February 2010
4.14.2. Option specification
This option is specified in [CIPSO1992] and [FIPS1994].
4.14.3. Threats
TBD
4.14.4. Operational/interoperability impact if blocked
TBD
4.14.5. Advice
TBD
4.15. Sender Directed Multi-Destination Delivery (Type = 149)
4.15.1. Uses
This option originally provided unreliable UDP delivery to a set of
addresses included in the option. It is currently obsolete.
4.15.2. Option specification
This option is defined in RFC 1770 [RFC1770].
4.15.3. Threats
TBD
4.15.4. Operational/interoperability impact if blocked
TBD
4.15.5. Advice
TBD
5. Security Considerations
This document provides advice on the filtering of IP packets that
contain IP options.
Gont & Fouant Expires August 5, 2010 [Page 16]
Internet-Draft IPv4 Security Assessment February 2010
6. Acknowledgements
Part of this document is based on the document &Security Assesment of
the Internet Protocol& [CPNI2008] that is the result of a project
carried out by Fernando Gont on behalf of UK CPNI (formerly NISCC).
Fernando Gont would like to thank UK CPNI (formerly NISCC) for their
continued support.
7. References
7.1. Normative References
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981.
[RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Or
converting network protocol addresses to 48.bit Ethernet
address for transmission on Ethernet hardware", STD 37,
RFC 826, November 1982.
[RFC1038] St. Johns, M., "Draft revised IP security option",
RFC 1038, January 1988.
[RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP
MTU discovery options", RFC 1063, July 1988.
[RFC1108] Kent, S., "U.S", RFC 1108, November 1991.
[RFC1112] Deering, S., "Host extensions for IP multicasting", STD 5,
RFC 1112, August 1989.
[RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
November 1990.
[RFC1349] Almquist, P., "Type of Service in the Internet Protocol
Suite", RFC 1349, July 1992.
[RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393,
January 1993.
[RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi-
Destination Delivery", RFC 1770, March 1995.
Gont & Fouant Expires August 5, 2010 [Page 17]
Internet-Draft IPv4 Security Assessment February 2010
[RFC1812] Baker, F., "Requirements for IP Version 4 Routers",
RFC 1812, June 1995.
[RFC2113] Katz, D., "IP Router Alert Option", RFC 2113,
February 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black,
"Definition of the Differentiated Services Field (DS
Field) in the IPv4 and IPv6 Headers", RFC 2474,
December 1998.
[RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z.,
and W. Weiss, "An Architecture for Differentiated
Services", RFC 2475, December 1998.
[RFC2644] Senie, D., "Changing the Default for Directed Broadcasts
in Routers", BCP 34, RFC 2644, August 1999.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927,
May 2005.
[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
Discovery", RFC 4821, March 2007.
[RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
BCP 153, RFC 5735, January 2010.
7.2. Informative References
[Anderson2001]
Anderson, J., "An Analysis of Fragmentation Attacks",
Available at: http://www.ouah.org/fragma.html , 2001.
[Arkin2000]
Arkin, "IP TTL Field Value with ICMP (Oops - Identifying
Windows 2000 again and more)", http://
ofirarkin.files.wordpress.com/2008/11/
ofirarkin2000-06.pdf, 2000.
[Barisani2006]
Barisani, A., "FTester - Firewall and IDS testing tool",
Available at: http://dev.inversepath.com/trac/ftester ,
2001.
Gont & Fouant Expires August 5, 2010 [Page 18]
Internet-Draft IPv4 Security Assessment February 2010
[Bellovin1989]
Bellovin, S., "Security Problems in the TCP/IP Protocol
Suite", Computer Communication Review Vol. 19, No. 2, pp.
32-48, 1989.
[Bellovin2002]
Bellovin, S., "A Technique for Counting NATted Hosts",
IMW'02 Nov. 6-8, 2002, Marseille, France, 2002.
[Bendi1998]
Bendi, "Boink exploit", http://www.insecure.org/sploits/
95.NT.fragmentation.bonk.html , 1998.
[Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference http://www.secdev.org/
conf/IPv6_RH_security-csw07.pdf, 2007.
[CERT1996a]
CERT, "CERT Advisory CA-1996-01: UDP Port Denial-of-
Service Attack",
http://www.cert.org/advisories/CA-1996-01.html, 1996.
[CERT1996b]
CERT, "CERT Advisory CA-1996-21: TCP SYN Flooding and IP
Spoofing Attacks",
http://www.cert.org/advisories/CA-1996-21.html, 1996.
[CERT1996c]
CERT, "CERT Advisory CA-1996-26: Denial-of-Service Attack
via ping",
http://www.cert.org/advisories/CA-1996-26.html, 1996.
[CERT1997]
CERT, "CERT Advisory CA-1997-28: IP Denial-of-Service
Attacks", http://www.cert.org/advisories/CA-1997-28.html,
1997.
[CERT1998a]
CERT, "CERT Advisory CA-1998-01: Smurf IP Denial-of-
Service Attacks",
http://www.cert.org/advisories/CA-1998-01.html, 1998.
[CERT1998b]
CERT, "CERT Advisory CA-1998-13: Vulnerability in Certain
TCP/IP Implementations",
http://www.cert.org/advisories/CA-1998-13.html, 1998.
Gont & Fouant Expires August 5, 2010 [Page 19]
Internet-Draft IPv4 Security Assessment February 2010
[CERT1999]
CERT, "CERT Advisory CA-1999-17: Denial-of-Service Tools",
http://www.cert.org/advisories/CA-1999-17.html, 1999.
[CERT2001]
CERT, "CERT Advisory CA-2001-09: Statistical Weaknesses in
TCP/IP Initial Sequence Numbers",
http://www.cert.org/advisories/CA-2001-09.html, 2001.
[CERT2003]
CERT, "CERT Advisory CA-2003-15 Cisco IOS Interface
Blocked by IPv4 Packet",
http://www.cert.org/advisories/CA-2003-15.html, 2003.
[CIPSO1992]
CIPSO, "COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)", IETF
Internet-Draft (draft-ietf-cipso-ipsecurity-01.txt), work
in progress , 1992.
[CIPSOWG1994]
CIPSOWG, "Commercial Internet Protocol Security Option
(CIPSO) Working Group", http://www.ietf.org/proceedings/
94jul/charters/cipso-charter.html, 1994.
[CPNI2008]
Gont, F., "Security Assessment of the Internet Protocol",
http://www.cpni.gov.uk/Docs/InternetProtocol.pdf, 2008.
[Cerf1974]
Cerf, V. and R. Kahn, "A Protocol for Packet Network
Intercommunication", IEEE Transactions on
Communications Vol. 22, No. 5, May 1974, pp. 637-648,
1974.
[Cisco2003]
Cisco, "Cisco Security Advisory: Cisco IOS Interface
Blocked by IPv4 packet", http://www.cisco.com/en/US/
products/products_security_advisory09186a00801a34c2.shtml,
2003.
[Cisco2008]
Cisco, "Cisco IOS Security Configuration Guide, Release
12.2", http://www.cisco.com/en/US/docs/ios/12_2/security/
configuration/guide/scfipso.html, 2003.
[Clark1988]
Clark, D., "The Design Philosophy of the DARPA Internet
Protocols", Computer Communication Review Vol. 18, No. 4,
Gont & Fouant Expires August 5, 2010 [Page 20]
Internet-Draft IPv4 Security Assessment February 2010
1988.
[Ed3f2002]
Ed3f, "Firewall spotting and networks analisys with a
broken CRC", Phrack Magazine, Volume 0x0b, Issue 0x3c,
Phile #0x0c of 0x10 http://www.phrack.org/
issues.html?issue=60&id=12&mode=txt, 2002.
[FIPS1994]
FIPS, "Standard Security Label for Information Transfer",
Federal Information Processing Standards Publication. FIP
PUBS 188 http://csrc.nist.gov/publications/fips/fips188/
fips188.pdf, 1994.
[Fuller2008a]
Fuller, V., Lear, E., and D. Meyer, "240.0.0.0/4: The
Future Begins Now", Routing SIG Meeting, 25th APNIC Open
Policy Meeting, February 25 - 29 2008, Taipei, Taiwan http
://www.apnic.net/meetings/25/program/routing/
fuller-240-future.pdf, 2008.
[Fyodor2004]
Fyodor, "Idle scanning and related IP ID games",
http://www.insecure.org/nmap/idlescan.html, 2004.
[GIAC2000]
GIAC, "Egress Filtering v 0.2",
http://www.sans.org/y2k/egress.htm, 2000.
[Gont2006]
Gont, F., "Advanced ICMP packet filtering",
http://www.gont.com.ar/papers/icmp-filtering.html, 2006.
[Haddad2004]
Haddad, I. and M. Zakrzewski, "Security Distribution for
Linux Clusters", Linux
Journal http://www.linuxjournal.com/article/6943, 2004.
[Humble1998]
Gont, F., "Nestea exploit",
http://www.insecure.org/sploits/linux.PalmOS.nestea.html,
1998.
[I-D.fuller-240space]
Fuller, V., "Reclassifying 240/4 as usable unicast address
space", draft-fuller-240space-02 (work in progress),
March 2008.
Gont & Fouant Expires August 5, 2010 [Page 21]
Internet-Draft IPv4 Security Assessment February 2010
[I-D.ietf-tcpm-icmp-attacks]
Gont, F., "ICMP attacks against TCP",
draft-ietf-tcpm-icmp-attacks-11 (work in progress),
February 2010.
[I-D.templin-mtuassurance]
Templin, F., "Requirements for IP-in-IP Tunnel MTU
Assurance", draft-templin-mtuassurance-02 (work in
progress), October 2006.
[I-D.wilson-class-e]
Wilson, P., Michaelson, G., and G. Huston, "Redesignation
of 240/4 from "Future Use" to "Private Use"",
draft-wilson-class-e-02 (work in progress),
September 2008.
[IANA2006a]
Ether Types,
"http://www.iana.org/assignments/ethernet-numbers".
[IANA2006b]
IP Parameters,
"http://www.iana.org/assignments/ip-parameters".
[IANA2006c]
Protocol Numbers,
"http://www.iana.org/assignments/protocol-numbers".
[IRIX2008]
IRIX, "IRIX 6.5 trusted_networking(7) manual page", http:
//techpubs.sgi.com/library/tpl/cgi-bin/
getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/
cat7/trusted_networking.z, 2008.
[Jones2002]
Jones, R., "A Method Of Selecting Values For the
Parameters Controlling IP Fragment Reassembly", ftp://
ftp.cup.hp.com/dist/networking/briefs/ip_reass_tuning.txt,
2002.
[Kenney1996]
Kenney, M., "The Ping of Death Page",
http://www.insecure.org/sploits/ping-o-death.html, 1996.
[Kent1987]
Kent, C. and J. Mogul, "Fragmentation considered harmful",
Proc. SIGCOMM '87 Vol. 17, No. 5, October 1987, 1987.
Gont & Fouant Expires August 5, 2010 [Page 22]
Internet-Draft IPv4 Security Assessment February 2010
[Klein2007]
Klein, A., "OpenBSD DNS Cache Poisoning and Multiple O/S
Predictable IP ID Vulnerability", http://
www.trusteer.com/files/
OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP
_ID_Vulnerability.pdf, 2007.
[Kohno2005]
Kohno, T., Broido, A., and kc. Claffy, "Remote Physical
Device Fingerprinting", IEEE Transactions on Dependable
and Secure Computing Vol. 2, No. 2, 2005.
[LBNL2006]
LBNL/NRG, "arpwatch tool", http://ee.lbl.gov/, 2006.
[Linux2006]
The Linux Project, "http://www.kernel.org".
[Microsoft1999]
Microsoft, "Microsoft Security Program: Microsoft Security
Bulletin (MS99-038). Patch Available for "Spoofed Route
Pointer" Vulnerability", http://www.microsoft.com/
technet/security/bulletin/ms99-038.mspx, 1999.
[NISCC2004]
NISCC, "NISCC Vulnerability Advisory 236929: Vulnerability
Issues in TCP",
http://www.uniras.gov.uk/niscc/docs/
re-20040420-00391.pdf, 2004.
[NISCC2005]
NISCC, "NISCC Vulnerability Advisory 532967/NISCC/ICMP:
Vulnerability Issues in ICMP packets with TCP payloads",
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf,
2005.
[NISCC2006]
NISCC, "NISCC Technical Note 01/2006: Egress and Ingress
Filtering", http://www.niscc.gov.uk/niscc/docs/
re-20060420-00294.pdf?lang=en, 2006.
[Northcutt2000]
Northcut, S. and Novak, "Network Intrusion Detection - An
Analyst's Handbook", Second Edition New Riders Publishing,
2000.
[Novak2005]
Novak, "Target-Based Fragmentation Reassembly",
Gont & Fouant Expires August 5, 2010 [Page 23]
Internet-Draft IPv4 Security Assessment February 2010
http://www.snort.org/reg/docs/target_based_frag.pdf,
2005.
[OpenBSD-PF]
Sanfilippo, S., "PF: Scrub (Packet Normalization)",
http://www.openbsd.org/faq/pf/scrub.html, 2010.
[OpenBSD1998]
OpenBSD, "OpenBSD Security Advisory: IP Source Routing
Problem",
http://www.openbsd.org/advisories/sourceroute.txt, 1998.
[Paxson2001]
Paxson, V., Handley, M., and C. Kreibich, "Network
Intrusion Detection: Evasion, Traffic Normalization, and
End-to-End Protocol Semantics", USENIX Conference, 2001,
2001.
[Ptacek1998]
Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial
of Service: Eluding Network Intrusion Detection",
http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps,
1998.
[RFC0815] Clark, D., "IP datagram reassembly algorithms", RFC 815,
July 1982.
[RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security
Considerations for IP Fragment Filtering", RFC 1858,
October 1995.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996.
[RFC2544] Bradner, S. and J. McQuaid, "Benchmarking Methodology for
Network Interconnect Devices", RFC 2544, March 1999.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
via IPv4 Clouds", RFC 3056, February 2001.
[RFC3128] Miller, I., "Protection Against a Variant of the Tiny
Fragment Attack (RFC 1858)", RFC 3128, June 2001.
Gont & Fouant Expires August 5, 2010 [Page 24]
Internet-Draft IPv4 Security Assessment February 2010
[RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
of Explicit Congestion Notification (ECN) to IP",
RFC 3168, September 2001.
[RFC3530] Shepler, S., Callaghan, B., Robinson, D., Thurlow, R.,
Beame, C., Eisler, M., and D. Noveck, "Network File System
(NFS) version 4 Protocol", RFC 3530, April 2003.
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, March 2004.
[RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the-
Network Tunneling", RFC 4459, April 2006.
[RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing
(CIDR): The Internet Address Assignment and Aggregation
Plan", BCP 122, RFC 4632, August 2006.
[RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
Errors at High Data Rates", RFC 4963, July 2007.
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", RFC 4987, August 2007.
[RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., and C.
Pignataro, "The Generalized TTL Security Mechanism
(GTSM)", RFC 5082, October 2007.
[RFC5350] Manner, J. and A. McDonald, "IANA Considerations for the
IPv4 and IPv6 Router Alert Options", RFC 5350,
September 2008.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, July 2009.
[SELinux2008]
Security Enhanced Linux, "http://www.nsa.gov/selinux/".
[Sanfilippo1998a]
Sanfilippo, S., "about the ip header id", Post to Bugtraq
mailing-list, Mon Dec 14
1998 http://www.kyuzz.org/antirez/papers/ipid.html, 1998.
[Sanfilippo1998b]
Sanfilippo, S., "Idle scan", Post to Bugtraq mailing-
list http://www.kyuzz.org/antirez/papers/dumbscan.html,
1998.
Gont & Fouant Expires August 5, 2010 [Page 25]
Internet-Draft IPv4 Security Assessment February 2010
[Sanfilippo1999]
Sanfilippo, S., "more ip id", Post to Bugtraq mailing-
list http://www.kyuzz.org/antirez/papers/moreipid.html,
1999.
[Shankar2003]
Shankar, U. and V. Paxson, "Active Mapping: Resisting NIDS
Evasion Without Altering Traffic",
http://www.icir.org/vern/papers/activemap-oak03.pdf,
2003.
[Shannon2001]
Shannon, C., Moore, D., and K. Claffy, "Characteristics of
Fragmented IP Traffic on Internet Links", 2001.
[Silbersack2005]
Silbersack, M., "Improving TCP/IP security through
randomization without sacrificing interoperability",
EuroBSDCon 2005 Conference http://www.silby.com/
eurobsdcon05/eurobsdcon_slides.pdf, 2005.
[Solaris2008]
Solaris Trusted Extensions - Labeled Security for Absolute
Protection, "http://www.sun.com/software/solaris/ds/
trusted_extensions.jsp#3", 2008.
[Song1999]
Song, D., "Frag router tool",
http://www.anzen.com/research/nidsbench/.
[US-CERT2001]
US-CERT, "US-CERT Vulnerability Note VU#446689: Check
Point FireWall-1 allows fragmented packets through
firewall if Fast Mode is enabled",
http://www.kb.cert.org/vuls/id/446689, 2001.
[US-CERT2002]
US-CERT, "US-CERT Vulnerability Note VU#310387: Cisco IOS
discloses fragments of previous packets when Express
Forwarding is enabled",
http://www.kb.cert.org/vuls/id/310387, 2002.
[Watson2004]
Watson, P., "Slipping in the Window: TCP Reset Attacks",
2004 CanSecWest Conference , 2004.
[Zakrzewski2002]
Zakrzewski, M. and I. Haddad, "Linux Distributed Security
Gont & Fouant Expires August 5, 2010 [Page 26]
Internet-Draft IPv4 Security Assessment February 2010
Module", http://www.linuxjournal.com/article/6215, 2002.
[daemon91996]
daemon9, route, and infinity, "IP-spoofing Demystified
(Trust-Relationship Exploitation)", Phrack Magazine,
Volume Seven, Issue Forty-Eight, File 14 of
18 http://www.phrack.org/phrack/48/P48-14 , 1988.
Appendix A. Changes from previous versions of the draft (to be removed
by the RFC Editor before publishing this document as an
RFC)
Authors' Addresses
Fernando Gont
Universidad Tecnologica Nacional / Facultad Regional Haedo
Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706
Argentina
Phone: +54 11 4650 8472
Email: fernando@gont.com.ar
URI: http://www.gont.com.ar
Stefan Fouant
Shortest Path First
Email: sfouant@shortestpathfirst.net
URI: http://www.shortestpathfirst.net
Gont & Fouant Expires August 5, 2010 [Page 27]