draft-ietf-opsec-ip-options-filtering-01.txt   draft-ietf-opsec-ip-options-filtering-02.txt 
Operational Security Capabilities for F. Gont Operational Security Capabilities for F. Gont
IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks
Internet-Draft R. Atkinson Internet-Draft R. Atkinson
Intended status: BCP Consultant Intended status: BCP Consultant
Expires: June 17, 2013 C. Pignataro Expires: July 31, 2013 C. Pignataro
Cisco Cisco
December 14, 2012 January 27, 2013
Recommendations on filtering of IPv4 packets containing IPv4 options Recommendations on filtering of IPv4 packets containing IPv4 options
draft-ietf-opsec-ip-options-filtering-01.txt draft-ietf-opsec-ip-options-filtering-02.txt
Abstract Abstract
This document document provides advice on the filtering of IPv4 This document document provides advice on the filtering of IPv4
packets based on the IPv4 options they contain. Additionally, it packets based on the IPv4 options they contain. Additionally, it
discusses the operational and interoperability implications of discusses the operational and interoperability implications of
dropping packets based on the IP options they contain. dropping packets based on the IP options they contain.
Status of this Memo Status of this Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 17, 2013. This Internet-Draft will expire on July 31, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology and Conventions Used in This Document . . . . 3 1.1. Terminology and Conventions Used in This Document . . . . 3
2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. General Security Implications of IP options . . . . . . . . . 5 3. General Security Implications of IP options . . . . . . . . . 5
3.1. Processing Requirements . . . . . . . . . . . . . . . . . 5 3.1. Processing Requirements . . . . . . . . . . . . . . . . . 5
4. Advice on the Handling of Packets with Specific IP Options . . 5 4. Advice on the Handling of Packets with Specific IP Options . . 6
4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 5 4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 6
4.2. No Operation (Type = 1) . . . . . . . . . . . . . . . . . 6 4.2. No Operation (Type = 1) . . . . . . . . . . . . . . . . . 7
4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 7 4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 7
4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 8 4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 9
4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 9 4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 10
4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 10 4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 11
4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 11 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 12
4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 12 4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 13
4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . 13 4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . 14
4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 13 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 14
4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 14 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 15
4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 14 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 16
4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 16 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 17
4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . 17 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . 19
4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 19 4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 20
4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 19 4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 20
4.17. Address Extension (Type = 147) . . . . . . . . . . . . . . 20 4.17. Address Extension (Type = 147) . . . . . . . . . . . . . . 21
4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 20 4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 22
4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 21 4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 22
4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . . 21 4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . . 23
4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 22 4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 23
4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) . 23 4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) . 25
4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . . 24 4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . . 25
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
6. Security Considerations . . . . . . . . . . . . . . . . . . . 25 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
8.1. Normative References . . . . . . . . . . . . . . . . . . . 25 8.1. Normative References . . . . . . . . . . . . . . . . . . . 27
8.2. Informative References . . . . . . . . . . . . . . . . . . 26 8.2. Informative References . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction 1. Introduction
This document document discusses the filtering of IPv4 packets based This document document discusses the filtering of IPv4 packets based
on the IPv4 options they contain. Since various protocols may use on the IPv4 options they contain. Since various protocols may use
IPv4 options to some extent, dropping packets based on the options IPv4 options to some extent, dropping packets based on the options
they contain may have implications on the proper functioning of the they contain may have implications on the proper functioning of the
protocol. Therefore, this document attempts to discuss the protocol. Therefore, this document attempts to discuss the
operational and interoperability implications of such dropping. operational and interoperability implications of such dropping.
Additionally, it outlines what a network operator might do in a Additionally, it outlines what a network operator might do in a
skipping to change at page 5, line 26 skipping to change at page 5, line 26
Finally, the option number identifies the syntax of the rest of the Finally, the option number identifies the syntax of the rest of the
option. option.
The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the
currently assigned IP option numbers. currently assigned IP option numbers.
3. General Security Implications of IP options 3. General Security Implications of IP options
3.1. Processing Requirements 3.1. Processing Requirements
Router architectures can perform IP option processing in a slower Historically, most IP routers used a general-purpose CPU to process
path. Unless protective measures are taken, this represents a IP packets and forward them towards their destination. This same CPU
potential Denial of Service (DoS) risk, as there is possibility for usually also processed network management traffic (e.g. SNMP),
the option processing to overwhelm the router's CPU or the protocols configuration commands (e.g. command line interface), and various
processed in the router's slow path. Additional considerations for routing protocols (e.g. RIP, OSPF, BGP, IS-IS) or other control
protecting the router control plane from IP optioned packets can be protocols (e.g. RSVP, ICMP). In such architectures it has been
found in [RFC6192]. common for the general-purpose CPU also to perform any packet
filtering that has been enabled on the router (or router interface).
An IP router built using this architecture often has a significant
(Distributed) Denial-of-Service (DDOS) attack risk if the router
control plane (e.g. CPU) is overwhelmed by a large number of IPv4
packets that contain IPv4 options
From about 1995 onwards, a growing number of IP routers have
incorporated specialized IP packet processing silicon (i.e. FPGA,
ASIC), thereby separating the IP packet forwarding function from the
other functions of the router. Such router architectures tend to be
more resilient to DDOS attacks that might be seen in the global
public Internet. Depending upon various implementation and
configuration details, routers with a silicon packet forwarding
engine can handle high volumes of IP packets containing IP Options
without any adverse impact on packet forwarding rates or on the
router's control plane (e.g. general-purpose CPU). Some
implementations have a configuration knob simply to forward all IP
packets containing IP Options at wire-speed in silicon as if the IP
packet did not contain an IP option ("ignore options & forward").
Other implementations support wire-speed silicon-based packet
filtering, thereby enabling packets containing certain IP options to
be selectively dropped ("drop"), packets containing certain other IP
options to have those IP options ignored ("ignore options &
forward"), and other packets containing different IP options to have
those options processed, either on a general-purpose CPU or using
custom logic (e.g. FPGA, ASIC), while the packet is being forwarded
("process option & forward").
Broadly speaking, any IP packet that requires processing by an IP
router's general-purpose CPU can be a DDOS risk to that router's
general-purpose CPU (and thence to the router itself). However, at
present, the particular architectural and engineering details of the
particular IP router being considered are important to understand
when evaluating the operational security risks associated with a
particular IP packet type or IP option type.
Operators are urged to consider IP option filtering and IP option
handling capabilities of potential IP routers as they make deployment
decisions in future.
Additional considerations for protecting the control plane from
packets containing IP Options can be found in [RFC6192].
4. Advice on the Handling of Packets with Specific IP Options 4. Advice on the Handling of Packets with Specific IP Options
The following subsections contain a description of each of the IP The following subsections contain a description of each of the IP
options that have so far been specified, a discussion of possible options that have so far been specified, a discussion of possible
interoperability implications if packets containing such options are interoperability implications if packets containing such options are
dropped, and specific advice on whether to drop packets containing dropped, and specific advice on whether to drop packets containing
these options in a typical enterprise or Service Provider these options in a typical enterprise or Service Provider
environment. environment.
skipping to change at page 6, line 11 skipping to change at page 7, line 7
This option is used to indicate the "end of options" in those cases This option is used to indicate the "end of options" in those cases
in which the end of options would not coincide with the end of the in which the end of options would not coincide with the end of the
Internet Protocol Header. Internet Protocol Header.
4.1.2. Option Specification 4.1.2. Option Specification
Specified in RFC 791 [RFC0791]. Specified in RFC 791 [RFC0791].
4.1.3. Threats 4.1.3. Threats
No security issues are known for this option, other than the general No specific security issues are known for this IPv4 option.
security implications of IP options discussed in Section 3.
4.1.4. Operational and Interoperability Impact if Blocked 4.1.4. Operational and Interoperability Impact if Blocked
Packets containing any IP options are likely to include an End of Packets containing any IP options are likely to include an End of
Option List. Therefore, if packets containing this option are Option List. Therefore, if packets containing this option are
dropped, it is very likely that legitimate traffic is blocked. dropped, it is very likely that legitimate traffic is blocked.
4.1.5. Advice 4.1.5. Advice
Routers, security gateways, and firewalls SHOULD NOT drop packets Routers, security gateways, and firewalls SHOULD NOT drop packets
skipping to change at page 6, line 39 skipping to change at page 7, line 34
The no-operation option is basically meant to allow the sending The no-operation option is basically meant to allow the sending
system to align subsequent options in, for example, 32-bit system to align subsequent options in, for example, 32-bit
boundaries. boundaries.
4.2.2. Option Specification 4.2.2. Option Specification
Specified in RFC 791 [RFC0791]. Specified in RFC 791 [RFC0791].
4.2.3. Threats 4.2.3. Threats
No security issues are known for this option, other than the general No specific security issues are known for this IPv4 option.
security implications of IP options discussed in Section 3.
4.2.4. Operational and Interoperability Impact if Blocked 4.2.4. Operational and Interoperability Impact if Blocked
Packets containing any IP options are likely to include a No Packets containing any IP options are likely to include a No
Operation option. Therefore, if packets containing this option are Operation option. Therefore, if packets containing this option are
dropped, it is very likely that legitimate traffic is blocked. dropped, it is very likely that legitimate traffic is blocked.
4.2.5. Advice 4.2.5. Advice
Routers, security gateways, and firewalls SHOULD NOT drop packets Routers, security gateways, and firewalls SHOULD NOT drop packets
skipping to change at page 7, line 33 skipping to change at page 8, line 27
The LSSR option can be of help in debugging some network problems. The LSSR option can be of help in debugging some network problems.
Some ISP (Internet Service Provider) peering agreements require Some ISP (Internet Service Provider) peering agreements require
support for this option in the routers within the peer of the ISP. support for this option in the routers within the peer of the ISP.
4.3.2. Option Specification 4.3.2. Option Specification
Specified in RFC 791 [RFC0791]. Specified in RFC 791 [RFC0791].
4.3.3. Threats 4.3.3. Threats
The LSRR option has well-known security implications. Among other The LSRR option has well-known security implications [RFC6274].
things, the option can be used to: Among other things, the option can be used to:
o Bypass firewall rules o Bypass firewall rules
o Reach otherwise unreachable internet systems o Reach otherwise unreachable internet systems
o Establish TCP connections in a stealthy way o Establish TCP connections in a stealthy way
o Learn about the topology of a network o Learn about the topology of a network
o Perform bandwidth-exhaustion attacks o Perform bandwidth-exhaustion attacks
skipping to change at page 8, line 13 skipping to change at page 9, line 7
by carefully crafting an LSRR option. by carefully crafting an LSRR option.
This is the IPv4-version of the IPv6 amplification attack that was This is the IPv4-version of the IPv6 amplification attack that was
widely publicized in 2007 [Biondi2007]. The only difference is widely publicized in 2007 [Biondi2007]. The only difference is
that the maximum length of the IPv4 header (and hence the LSRR that the maximum length of the IPv4 header (and hence the LSRR
option) limits the amplification factor when compared to the IPv6 option) limits the amplification factor when compared to the IPv6
counter-part. counter-part.
Additionally, some implementations have been found to fail to include Additionally, some implementations have been found to fail to include
proper sanity checks on the LSRR option, thus leading to security proper sanity checks on the LSRR option, thus leading to security
issues. issues. These specific issues are believed to be solved in all
modern implementations.
[Microsoft1999] is a security advisory about a vulnerability [Microsoft1999] is a security advisory about a vulnerability
arising from improper validation of the Pointer field of the LSRR arising from improper validation of the Pointer field of the LSRR
option. option.
Finally, we note that some systems were known for providing a system- Finally, we note that some systems were known for providing a system-
wide toggle to enable support for this option for those scenarios in wide toggle to enable support for this option for those scenarios in
which this option is required. However, improper implementation of which this option is required. However, improper implementation of
such system-wide toggle caused those systems to support the LSRR such system-wide toggle caused those systems to support the LSRR
option even when explicitly configured not to do so. option even when explicitly configured not to do so.
[OpenBSD1998] is a security advisory about an improper [OpenBSD1998] is a security advisory about an improper
implementation of such a system-wide toggle in 4.4BSD kernels. implementation of such a system-wide toggle in 4.4BSD kernels.
This issue was resolved in later versions of the corresponding
operating system.
4.3.4. Operational and Interoperability Impact if Blocked 4.3.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the LSRR option Network troubleshooting techniques that may employ the LSRR option
(such as ping or traceroute) would break. Nevertheless, it should be (such as ping or traceroute) would break. Nevertheless, it should be
noted that it is virtually impossible to use the LSRR option for noted that it is virtually impossible to use the LSRR option for
troubleshooting, due to widespread dropping of packets that contain troubleshooting, due to widespread dropping of packets that contain
such option. such option.
4.3.5. Advice 4.3.5. Advice
Routers, security gateways, and firewalls SHOULD, by default, drop IP Routers, security gateways, and firewalls SHOULD implement an option-
packets that contain an LSRR option. specific configuration knob whether packets with this option are
dropped, packets with this IP option are forwarded as if they did not
contain this IP option, or packets with this option are processed and
forwarded as per [RFC0791]. The default setting for this knob SHOULD
be "drop", and the default setting MUST be documented.
4.4. Strict Source and Record Route (SSRR) (Type = 137) 4.4. Strict Source and Record Route (SSRR) (Type = 137)
4.4.1. Uses 4.4.1. Uses
This option allows the originating system to specify a number of This option allows the originating system to specify a number of
intermediate systems a packet must pass through to get to the intermediate systems a packet must pass through to get to the
destination host. Additionally, the route followed by the packet is destination host. Additionally, the route followed by the packet is
recorded in the option, and the destination host (end-system) must recorded in the option, and the destination host (end-system) must
use the reverse of the path contained in the received SSRR option. use the reverse of the path contained in the received SSRR option.
skipping to change at page 9, line 25 skipping to change at page 10, line 26
4.4.3. Threats 4.4.3. Threats
The SSRR option has the same security implications as the LSRR The SSRR option has the same security implications as the LSRR
option. Please refer to Section 4.3 for a discussion of such option. Please refer to Section 4.3 for a discussion of such
security implications. security implications.
4.4.4. Operational and Interoperability Impact if Blocked 4.4.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the SSRR option Network troubleshooting techniques that may employ the SSRR option
(such as ping or traceroute) would break. Nevertheless, it should be (such as ping or traceroute) would break. Nevertheless, it should be
noted that it is virtually impossible to use the SSR option for noted that it is virtually impossible to use the SSSR option for
trouble-shooting, due to widespread dropping of packets that contain trouble-shooting, due to widespread dropping of packets that contain
such option. such option.
4.4.5. Advice 4.4.5. Advice
Routers, security gateways, and firewalls SHOULD, by default, drop IP Routers, security gateways, and firewalls SHOULD implement an option-
packets that contain an SSRR option. specific configuration knob whether packets with this option are
dropped, packets with this IP option are forwarded as if they did not
contain this IP option, or packets with this option are processed and
forwarded as per [RFC0791]. The default setting for this knob SHOULD
be "drop", and the default setting MUST be documented.
4.5. Record Route (Type = 7) 4.5. Record Route (Type = 7)
4.5.1. Uses 4.5.1. Uses
This option provides a means to record the route that a given packet This option provides a means to record the route that a given packet
follows. follows.
4.5.2. Option Specification 4.5.2. Option Specification
skipping to change at page 10, line 15 skipping to change at page 11, line 21
4.5.4. Operational and Interoperability Impact if Blocked 4.5.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the RR option Network troubleshooting techniques that may employ the RR option
(such as ping with the RR option) would break. Nevertheless, it (such as ping with the RR option) would break. Nevertheless, it
should be noted that it is virtually impossible to use such should be noted that it is virtually impossible to use such
techniques due to widespread dropping of packets that contain RR techniques due to widespread dropping of packets that contain RR
options. options.
4.5.5. Advice 4.5.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets Routers, security gateways, and firewalls SHOULD implement an option-
containing a Record Route option. specific configuration knob whether packets with this option are
dropped, packets with this IP option are forwarded as if they did not
contain this IP option, or packets with this option are processed and
forwarded as per [RFC0791]. The default setting for this knob SHOULD
be "drop", and the default setting MUST be documented.
4.6. Stream Identifier (Type = 136) (obsolete) 4.6. Stream Identifier (Type = 136) (obsolete)
The Stream Identifier option originally provided a means for the 16- The Stream Identifier option originally provided a means for the 16-
bit SATNET stream Identifier to be carried through networks that did bit SATNET stream Identifier to be carried through networks that did
not support the stream concept. not support the stream concept.
However, as stated by Section 3.2.1.8 of RFC 1122 [RFC1122] and However, as stated by Section 3.2.1.8 of RFC 1122 [RFC1122] and
Section 4.2.2.1 of RFC 1812 [RFC1812], this option is obsolete. Section 4.2.2.1 of RFC 1812 [RFC1812], this option is obsolete.
Therefore, it must be ignored by the processing systems. See also Therefore, it must be ignored by the processing systems. See also
skipping to change at page 10, line 40 skipping to change at page 11, line 50
datagram. Therefore, if a packet contains more than one instance of datagram. Therefore, if a packet contains more than one instance of
this option, it should be dropped, and this event should be logged this option, it should be dropped, and this event should be logged
(e.g., a counter could be incremented to reflect the packet drop). (e.g., a counter could be incremented to reflect the packet drop).
4.6.1. Uses 4.6.1. Uses
This option is obsolete. There is no current use for this option. This option is obsolete. There is no current use for this option.
4.6.2. Option Specification 4.6.2. Option Specification
Specified in RFC 791 [RFC0791], and obsoleted in RFC 1122 [RFC1122] Specified in RFC 791 [RFC0791], and deprecated in RFC 1122 [RFC1122]
and RFC 1812 [RFC1812]. and RFC 1812 [RFC1812]. This option has been formally obsoleted by
[RFC6814].
4.6.3. Threats 4.6.3. Threats
No security issues are known for this option, other than the general No specific security issues are known for this IPv4 option.
security implications of IP options discussed in Section 3.
4.6.4. Operational and Interoperability Impact if Blocked 4.6.4. Operational and Interoperability Impact if Blocked
None. None.
4.6.5. Advice 4.6.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets Routers, security gateways, and firewalls SHOULD drop IP packets
containing a Stream Identifier option. containing a Stream Identifier option.
skipping to change at page 11, line 23 skipping to change at page 12, line 31
This option provides a means for recording the time at which each This option provides a means for recording the time at which each
system processed this datagram. system processed this datagram.
4.7.2. Option Specification 4.7.2. Option Specification
Specified by RFC 791 [RFC0791]. Specified by RFC 791 [RFC0791].
4.7.3. Threats 4.7.3. Threats
The timestamp option has a number of security implications. Among The timestamp option has a number of security implications [RFC6274].
them are: Among them are:
o It allows an attacker to obtain the current time of the systems o It allows an attacker to obtain the current time of the systems
that process the packet, which the attacker may find useful in a that process the packet, which the attacker may find useful in a
number of scenarios. number of scenarios.
o It may be used to map the network topology, in a similar way to o It may be used to map the network topology, in a similar way to
the IP Record Route option. the IP Record Route option.
o It may be used to fingerprint the operating system in use by a o It may be used to fingerprint the operating system in use by a
system processing the datagram. system processing the datagram.
skipping to change at page 11, line 47 skipping to change at page 13, line 7
clock skew. clock skew.
[Kohno2005] describes a technique for fingerprinting devices by [Kohno2005] describes a technique for fingerprinting devices by
measuring the clock skew. It exploits, among other things, the measuring the clock skew. It exploits, among other things, the
timestamps that can be obtained by means of the ICMP timestamp timestamps that can be obtained by means of the ICMP timestamp
request messages [RFC0791]. However, the same fingerprinting method request messages [RFC0791]. However, the same fingerprinting method
could be implemented with the aid of the Internet Timestamp option. could be implemented with the aid of the Internet Timestamp option.
4.7.4. Operational and Interoperability Impact if Blocked 4.7.4. Operational and Interoperability Impact if Blocked
No security issues are known for this option, other than the general None.
security implications of IP options discussed in Section 3.
4.7.5. Advice 4.7.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets Routers, security gateways, and firewalls SHOULD drop IP packets
containing an Internet Timestamp option. containing an Internet Timestamp option.
4.8. Router Alert (Type = 148) 4.8. Router Alert (Type = 148)
4.8.1. Uses 4.8.1. Uses
skipping to change at page 12, line 48 skipping to change at page 13, line 52
This option SHOULD be allowed only in controlled environments, where This option SHOULD be allowed only in controlled environments, where
the option can be used safely. [RFC6398] identifies some such the option can be used safely. [RFC6398] identifies some such
environments. In unsafe environments, packets containing this option environments. In unsafe environments, packets containing this option
SHOULD be dropped. SHOULD be dropped.
A given router, security gateway, or firewall system has no way of A given router, security gateway, or firewall system has no way of
knowing a priori whether this option is valid in its operational knowing a priori whether this option is valid in its operational
environment. Therefore, routers, security gateways, and firewalls environment. Therefore, routers, security gateways, and firewalls
SHOULD, by default, ignore the Router Alert option. Additionally, SHOULD, by default, ignore the Router Alert option. Additionally,
Routers, security gateways, and firewalls SHOULD have a configuration Routers, security gateways, and firewalls SHOULD have a configuration
setting that indicates whether they should react act on the Router setting that indicates whether they should react react on the Router
Alert option as indicated in the corresponding specification or Alert option as indicated in the corresponding specification or
ignore the option, or whether packets containing this option should ignore the option, or whether packets containing this option should
be dropped (with the default configuration being to ignore the Router be dropped (with the default configuration being to ignore the Router
Alert option). Alert option).
4.9. Probe MTU (Type = 11) (obsolete) 4.9. Probe MTU (Type = 11) (obsolete)
4.9.1. Uses 4.9.1. Uses
This option originally provided a mechanism to discover the Path-MTU. This option originally provided a mechanism to discover the Path-MTU.
It has been declared obsolete. It has been declared obsolete.
4.9.2. Option Specification 4.9.2. Option Specification
This option was originally defined in RFC 1063 [RFC1063], and was This option was originally defined in RFC 1063 [RFC1063], and was
obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as
RFC 1191 obsoletes RFC 1063 without using IP options. RFC 1191 obsoletes RFC 1063 without using IP options.
4.9.3. Threats 4.9.3. Threats
No security issues are known for this option, other than the general No specific security issues are known for this IPv4 option.
security implications of IP options discussed in Section 3.
4.9.4. Operational and Interoperability Impact if Blocked 4.9.4. Operational and Interoperability Impact if Blocked
None None
This option is NOT employed with the modern "Path MTU Discovery"
(PMTUD) mechanism [RFC1191], which employs special ICMP messages
(Type 3, Code 4) in combination with the IP DF bit. PLPMTUD
[RFC4821] can perform PMTUD without the need of any special
packets.
4.9.5. Advice 4.9.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets that Routers, security gateways, and firewalls SHOULD drop IP packets that
contain a Probe MTU option. contain a Probe MTU option.
4.10. Reply MTU (Type = 12) (obsolete) 4.10. Reply MTU (Type = 12) (obsolete)
4.10.1. Uses 4.10.1. Uses
This option and originally provided a mechanism to discover the Path- This option and originally provided a mechanism to discover the Path-
MTU. It is now obsolete. MTU. It is now obsolete.
4.10.2. Option Specification 4.10.2. Option Specification
This option was originally defined in RFC 1063 [RFC1063], and was This option was originally defined in RFC 1063 [RFC1063], and was
obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as
RFC 1191 obsoletes RFC 1063 without using IP options. RFC 1191 obsoletes RFC 1063 without using IP options.
4.10.3. Threats 4.10.3. Threats
No security issues are known for this option, other than the general No specific security issues are known for this IPv4 option.
security implications of IP options discussed in Section 3.
4.10.4. Operational and Interoperability Impact if Blocked 4.10.4. Operational and Interoperability Impact if Blocked
None None
This option is NOT employed with the modern "Path MTU Discovery"
(PMTUD) mechanism [RFC1191], which employs special ICMP messages
(Type 3, Code 4) in combination with the IP DF bit. PLPMTUD
[RFC4821] can perform PMTUD without the need of any special
packets.
4.10.5. Advice 4.10.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets that Routers, security gateways, and firewalls SHOULD drop IP packets that
contain a Reply MTU option. contain a Reply MTU option.
4.11. Traceroute (Type = 82) 4.11. Traceroute (Type = 82)
4.11.1. Uses 4.11.1. Uses
This option originally provided a mechanism to trace the path to a This option originally provided a mechanism to trace the path to a
host. host.
4.11.2. Option Specification 4.11.2. Option Specification
This option was originally specified by RFC 1393 [RFC1393]. The This option was originally specified by RFC 1393 [RFC1393] as
Traceroute option is defined as "experimental" and it was never "experimental", and it was never widely deployed on the public
widely deployed on the public Internet. Internet. This option has been formally obsoleted by [RFC6814].
4.11.3. Threats 4.11.3. Threats
No security issues are known for this option, other than the general No specific security issues are known for this IPv4 option.
security implications of IP options discussed in Section 3.
4.11.4. Operational and Interoperability Impact if Blocked 4.11.4. Operational and Interoperability Impact if Blocked
None None
4.11.5. Advice 4.11.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets that Routers, security gateways, and firewalls SHOULD drop IP packets that
contain a Traceroute option. contain a Traceroute option.
skipping to change at page 16, line 8 skipping to change at page 17, line 20
This capability has been present in many Cisco routers since the This capability has been present in many Cisco routers since the
early 1990s [Cisco-IPSO-Cmds]. Some governmental products early 1990s [Cisco-IPSO-Cmds]. Some governmental products
reportedly support BSO, notably CANEWARE [RFC4949]. Support for reportedly support BSO, notably CANEWARE [RFC4949]. Support for
BSO is included in the "IPsec Configuration Policy Information BSO is included in the "IPsec Configuration Policy Information
Model" [RFC3585] and in the "IPsec Security Policy Database Model" [RFC3585] and in the "IPsec Security Policy Database
Configuration MIB" [RFC4807]. Configuration MIB" [RFC4807].
4.12.3. Threats 4.12.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat (other than the usual generic issues that might specific new threat. Packets with this option ought not normally be
be created if packets with options are forwarded via the "slow seen on the global public Internet.
path"). Packets with this option ought not normally be seen on the
global public Internet.
4.12.4. Operational and Interoperability Impact if Blocked 4.12.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labelled. In some cases, the receiver might receive isn't properly labelled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose BSO was stripped by an received data from the packet whose BSO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
skipping to change at page 17, line 17 skipping to change at page 18, line 28
This capability has been present in many Cisco routers since the This capability has been present in many Cisco routers since the
early 1990s [Cisco-IPSO-Cmds]. Some governmental products early 1990s [Cisco-IPSO-Cmds]. Some governmental products
reportedly support ESO, notably CANEWARE [RFC4949]. Support for reportedly support ESO, notably CANEWARE [RFC4949]. Support for
ESO is included in the "IPsec Configuration Policy Information ESO is included in the "IPsec Configuration Policy Information
Model" [RFC3585] and in the "IPsec Security Policy Database Model" [RFC3585] and in the "IPsec Security Policy Database
Configuration MIB" [RFC4807]. Configuration MIB" [RFC4807].
4.13.3. Threats 4.13.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat (other than the usual generic issues that might specific new threat. Packets with this option ought not normally be
be created if packets with options are forwarded via the "slow seen on the global public Internet
path"). Packets with this option ought not normally be seen on the
global public Internet
4.13.4. Operational and Interoperability Impact if Blocked 4.13.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labelled. In some cases, the receiver might receive isn't properly labelled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose ESO was stripped by an received data from the packet whose ESO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
skipping to change at page 18, line 28 skipping to change at page 19, line 38
Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an
Internet-Draft was produced [CIPSO1992]. The Internet-Draft was Internet-Draft was produced [CIPSO1992]. The Internet-Draft was
never published as an RFC, but the proposal was later standardized never published as an RFC, but the proposal was later standardized
by the U.S. National Institute of Standards and Technology (NIST) by the U.S. National Institute of Standards and Technology (NIST)
as "Federal Information Processing Standard Publication 188" as "Federal Information Processing Standard Publication 188"
[FIPS1994]. [FIPS1994].
4.14.3. Threats 4.14.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat (other than the usual generic issues that might specific new threat. Packets with this option ought not normally be
be created if packets with options are forwarded via the "slow seen on the global public Internet.
path"). Packets with this option ought not normally be seen on the
global public Internet.
4.14.4. Operational and Interoperability Impact if Blocked 4.14.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labelled. In some cases, the receiver might receive isn't properly labelled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose CIPSO was stripped by an received data from the packet whose CIPSO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
skipping to change at page 19, line 7 skipping to change at page 20, line 15
problematic. problematic.
4.14.5. Advice 4.14.5. Advice
Because of the design of this option, with variable syntax and Because of the design of this option, with variable syntax and
variable length, it is not practical to support specialized filtering variable length, it is not practical to support specialized filtering
using the CIPSO information. No routers or firewalls are known to using the CIPSO information. No routers or firewalls are known to
support this option. However, Routers, security gateways, and support this option. However, Routers, security gateways, and
firewalls SHOULD NOT by default modify or remove this option from IP firewalls SHOULD NOT by default modify or remove this option from IP
packets and SHOULD NOT by default drop packets containing this packets and SHOULD NOT by default drop packets containing this
option. option. For auditing reasons, routers, security gateways, and
firewalls SHOULD be capable of logging the numbers of packets
containing the CIPSO on a per-interface basis. Also, Routers,
security gateways, and firewalls SHOULD be capable of dropping
packets based on the CIPSO presence.
4.15. VISA (Type = 142) 4.15. VISA (Type = 142)
4.15.1. Uses 4.15.1. Uses
This options was part of an experiment at USC and was never widely This options was part of an experiment at USC and was never widely
deployed. deployed.
4.15.2. Option Specification 4.15.2. Option Specification
Not publicly available. The original option specification is not publicly available. This
option has been formally obsoleted by [RFC6814].
4.15.3. Threats 4.15.3. Threats
Not possible to determine (other the general security implications of Not possible to determine (other the general security implications of
IP options discussed in Section 3), since the corresponding IP options discussed in Section 3), since the corresponding
specification is not publicly available. specification is not publicly available.
4.15.4. Operational and Interoperability Impact if Blocked 4.15.4. Operational and Interoperability Impact if Blocked
None. None.
skipping to change at page 20, line 50 skipping to change at page 22, line 19
4.18. Sender Directed Multi-Destination Delivery (Type = 149) 4.18. Sender Directed Multi-Destination Delivery (Type = 149)
4.18.1. Uses 4.18.1. Uses
This option originally provided unreliable UDP delivery to a set of This option originally provided unreliable UDP delivery to a set of
addresses included in the option. addresses included in the option.
4.18.2. Option Specification 4.18.2. Option Specification
This option is defined in RFC 1770 [RFC1770]. This option is specified in RFC 1770 [RFC1770]. It has been formally
obsoleted by [RFC6814].
4.18.3. Threats 4.18.3. Threats
This option could have been exploited for bandwidth-amplification in This option could have been exploited for bandwidth-amplification in
Denial of Service (DoS) attacks. Denial of Service (DoS) attacks.
4.18.4. Operational and Interoperability Impact if Blocked 4.18.4. Operational and Interoperability Impact if Blocked
None. None.
skipping to change at page 22, line 4 skipping to change at page 23, line 21
4.19.4. Operational and Interoperability Impact if Blocked 4.19.4. Operational and Interoperability Impact if Blocked
None. None.
4.19.5. Advice 4.19.5. Advice
Routers, security gateways, and firewalls SHOULD drop packets that Routers, security gateways, and firewalls SHOULD drop packets that
contain this option. contain this option.
4.20. Upstream Multicast Pkt. (Type = 152) 4.20. Upstream Multicast Pkt. (Type = 152)
4.20.1. Uses 4.20.1. Uses
This option was meant to solve the problem of doing upstream This option was meant to solve the problem of doing upstream
forwarding of multicast packets on a multi-access LAN. forwarding of multicast packets on a multi-access LAN.
4.20.2. Option Specification 4.20.2. Option Specification
This option was originally specified in [draft-farinacci-bidir-pim]. This option was originally specified in [draft-farinacci-bidir-pim].
Its use was obsoleted by [RFC5015], which employs a control plane It was was never formally standardized in the RFC series, and was
mechanism to solve the problem of doing upstream forwarding of never widely implemented and deployed. Its use was obsoleted by
multicast packets on a multi-access LAN. This option has been [RFC5015], which employs a control plane mechanism to solve the
formally obsoleted by [RFC6814]. problem of doing upstream forwarding of multicast packets on a multi-
access LAN. This option has been formally obsoleted by [RFC6814].
4.20.3. Threats 4.20.3. Threats
TBD. None.
4.20.4. Operational and Interoperability Impact if Blocked 4.20.4. Operational and Interoperability Impact if Blocked
None. None.
4.20.5. Advice 4.20.5. Advice
Routers, security gateways, and firewalls SHOULD drop packets that Routers, security gateways, and firewalls SHOULD drop packets that
contain this option. contain this option.
skipping to change at page 23, line 25 skipping to change at page 24, line 44
intended or appropriate for ubiquitous deployment in the global intended or appropriate for ubiquitous deployment in the global
Internet [RFC4782]. Internet [RFC4782].
4.21.5. Advice 4.21.5. Advice
A given router, security gateway, or firewall system has no way of A given router, security gateway, or firewall system has no way of
knowing a priori whether this option is valid in its operational knowing a priori whether this option is valid in its operational
environment. Therefore, routers, security gateways, and firewalls environment. Therefore, routers, security gateways, and firewalls
SHOULD, by default, ignore the Quick Start option. Additionally, SHOULD, by default, ignore the Quick Start option. Additionally,
routers, security gateways, and firewalls SHOULD have a configuration routers, security gateways, and firewalls SHOULD have a configuration
setting that indicates whether they should react act on the Quick setting that indicates whether they should react on the Quick Start
Start option as indicated in the corresponding specification or option as indicated in the corresponding specification or ignore the
ignore the option, or whether packets containing this option should option, or whether packets containing this option should be dropped
be dropped (with the default configuration being to ignore the Quick (with the default configuration being to ignore the Quick Start
Start option). option).
We note that if routers in a given environment do not implement We note that if routers in a given environment do not implement
and enable the Quick-Start mechanism, only the general security and enable the Quick-Start mechanism, only the general security
implications of IP options (discussed in Section 3) would apply. implications of IP options (discussed in Section 3) would apply.
4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) 4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222)
Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all
defined values of the "copy" and "class" fields for RFC3692-style defined values of the "copy" and "class" fields for RFC3692-style
experiments. This results in four distinct option type codes: 30, experiments. This results in four distinct option type codes: 30,
skipping to change at page 24, line 7 skipping to change at page 25, line 28
It is only appropriate to use these values in explicitly-configured It is only appropriate to use these values in explicitly-configured
experiments; they MUST NOT be shipped as defaults in implementations. experiments; they MUST NOT be shipped as defaults in implementations.
4.22.2. Option Specification 4.22.2. Option Specification
Specified in RFC 4727 [RFC4727] in the context of RFC3692-style Specified in RFC 4727 [RFC4727] in the context of RFC3692-style
experiments. experiments.
4.22.3. Threats 4.22.3. Threats
No security issues are known for this option, other than the general No specific security issues are known for this IPv4 option.
security implications of IP options discussed in Section 3.
4.22.4. Operational and Interoperability Impact if Blocked 4.22.4. Operational and Interoperability Impact if Blocked
None. None.
4.22.5. Advice 4.22.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets that Routers, security gateways, and firewalls SHOULD have configuration
contain RFC3692-style Experiment options. knobs for IP packets that contain RFC3692-style Experiment options to
select between "ignore & forward" and "drop packet & log event").
Otherwise, no legitimate experiment using these options will be
able to traverse any IP router.
The aforementioned configuration knob SHOULD default to "drop packet
& log event".
4.23. Other IP Options 4.23. Other IP Options
4.23.1. Specification
Unrecognized IP Options are to be ignored. Section 3.2.1.8 of RFC Unrecognized IP Options are to be ignored. Section 3.2.1.8 of RFC
1122 [RFC1122] and Section 4.2.2.6 of RFC 1812 [RFC1812] specify this 1122 [RFC1122] and Section 4.2.2.6 of RFC 1812 [RFC1812] specify this
behavior as follows: behavior as follows:
RFC 1122: "The IP and transport layer MUST each interpret those IP RFC 1122: "The IP and transport layer MUST each interpret those IP
options that they understand and silently ignore the options that they understand and silently ignore the
others." others."
RFC 1812: "A router MUST ignore IP options which it does not RFC 1812: "A router MUST ignore IP options which it does not
recognize." recognize."
This document adds that unrecognized IP Options MAY also be logged. This document adds that unrecognized IP Options MAY also be logged.
A number of additional options are specified in the "IP OPTIONS A number of additional options are listed in the "IP OPTIONS NUMBERS"
NUMBERS" IANA registry [IANA-IP]. Specifically: IANA registry [IANA-IP]. Specifically:
Copy Class Number Value Name Reference Copy Class Number Value Name Reference
---- ----- ------ ----- ------------------------------- ------------ ---- ----- ------ ----- ------------------------------- ------------
0 0 10 10 ZSU - Experimental Measurement [ZSu] 0 0 10 10 ZSU - Experimental Measurement [ZSu]
1 2 13 205 FINN - Experimental Flow Control [Finn] 1 2 13 205 FINN - Experimental Flow Control [Finn]
0 0 15 15 ENCODE - ??? [VerSteeg] 0 0 15 15 ENCODE - ??? [VerSteeg]
1 0 16 144 IMITD - IMI Traffic Descriptor [Lee] 1 0 16 144 IMITD - IMI Traffic Descriptor [Lee]
1 0 22 150 - Unassigned (Released 18 Oct. 2005) 1 0 22 150 - Unassigned (Released 18 Oct. 2005)
The ENCODE option (type 15) has been formally obsoleted by [RFC6814].
4.23.2. Threats
The lack of open specifications for these options makes it impossible
to evaluate their security implications.
4.23.3. Operational and Interoperability Impact if Blocked
The lack of open specifications for these options makes it impossible
to evaluate the operational and interoperability impact if packets
containing these options are blocked.
4.23.4. Advice
Routers, security gateways, and firewalls SHOULD have configuration
knobs for IP packets containing these options (or other options not
recognized) to select between "ignore & forward" and "drop packet &
log event").
5. IANA Considerations 5. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
6. Security Considerations 6. Security Considerations
This document provides advice on the filtering of IP packets that This document provides advice on the filtering of IP packets that
contain IP options. Dropping such packets can help to mitigate the contain IP options. Dropping such packets can help to mitigate the
security issues that arise from use of different IP options. security issues that arise from use of different IP options.
However, dropping packets containing IP options can cause real
operational problems in deployed networks. Therefore, the practice
of dropping all IPv4 packets containing one or more IPv4 options
without careful consideration is not recommended.
7. Acknowledgements 7. Acknowledgements
The authors would like to thank Panos Kampanakis and Donald Smith for The authors would like to thank Panos Kampanakis and Donald Smith for
providing valuable comments on earlier versions of this document. providing valuable comments on earlier versions of this document.
Part of this document is based on the document "Security Assessment Part of this document is based on the document "Security Assessment
of the Internet Protocol" [CPNI2008] that is the result of a project of the Internet Protocol" [CPNI2008] that is the result of a project
carried out by Fernando Gont on behalf of UK CPNI (formerly NISCC). carried out by Fernando Gont on behalf of UK CPNI (formerly NISCC).
skipping to change at page 25, line 48 skipping to change at page 28, line 5
[RFC2113] Katz, D., "IP Router Alert Option", RFC 2113, [RFC2113] Katz, D., "IP Router Alert Option", RFC 2113,
February 1997. February 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006. ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006.
[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
Discovery", RFC 4821, March 2007.
[RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano, [RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano,
"Bidirectional Protocol Independent Multicast (BIDIR- "Bidirectional Protocol Independent Multicast (BIDIR-
PIM)", RFC 5015, October 2007. PIM)", RFC 5015, October 2007.
8.2. Informative References 8.2. Informative References
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference <http:// CanSecWest 2007 Security Conference <http://
www.secdev.org/conf/IPv6_RH_security-csw07.pdf>, 2007. www.secdev.org/conf/IPv6_RH_security-csw07.pdf>, 2007.
skipping to change at page 28, line 37 skipping to change at page 30, line 44
IPv4 and IPv6 Router Alert Options", RFC 5350, IPv4 and IPv6 Router Alert Options", RFC 5350,
September 2008. September 2008.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, July 2009. RFC 5570, July 2009.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, March 2011. Router Control Plane", RFC 6192, March 2011.
[RFC6274] Gont, F., "Security Assessment of the Internet Protocol
Version 4", RFC 6274, July 2011.
[RFC6398] Le Faucheur, F., "IP Router Alert Considerations and [RFC6398] Le Faucheur, F., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, October 2011. Usage", BCP 168, RFC 6398, October 2011.
[RFC6814] Pignataro, C. and F. Gont, "Formally Deprecating Some IPv4 [RFC6814] Pignataro, C. and F. Gont, "Formally Deprecating Some IPv4
Options", RFC 6814, November 2012. Options", RFC 6814, November 2012.
[SELinux2008] [SELinux2008]
Security Enhanced Linux, "http://www.nsa.gov/selinux/". Security Enhanced Linux, "http://www.nsa.gov/selinux/".
[Solaris2008] [Solaris2008]
 End of changes. 46 change blocks. 
105 lines changed or deleted 209 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/