draft-ietf-opsec-ip-options-filtering-02.txt   draft-ietf-opsec-ip-options-filtering-03.txt 
Operational Security Capabilities for F. Gont Operational Security Capabilities for F. Gont
IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks
Internet-Draft R. Atkinson Internet-Draft R. Atkinson
Intended status: BCP Consultant Intended status: BCP Consultant
Expires: July 31, 2013 C. Pignataro Expires: January 10, 2014 C. Pignataro
Cisco Cisco
January 27, 2013 July 9, 2013
Recommendations on filtering of IPv4 packets containing IPv4 options Recommendations on filtering of IPv4 packets containing IPv4 options.
draft-ietf-opsec-ip-options-filtering-02.txt draft-ietf-opsec-ip-options-filtering-03.txt
Abstract Abstract
This document document provides advice on the filtering of IPv4 This document provides advice on the filtering of IPv4 packets based
packets based on the IPv4 options they contain. Additionally, it on the IPv4 options they contain. Additionally, it discusses the
discusses the operational and interoperability implications of operational and interoperability implications of dropping packets
dropping packets based on the IP options they contain. based on the IP options they contain.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 31, 2013. This Internet-Draft will expire on January 10, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 27 skipping to change at page 2, line 27
4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 7 4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 7
4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 9 4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 9
4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 10 4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 10
4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 11 4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 11
4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 12 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 12
4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 13 4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 13
4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . 14 4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . 14
4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 14 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 14
4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 15 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 15
4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 16 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 16
4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 17 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 18
4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . 19 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . 20
4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 20 4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 21
4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 20 4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 21
4.17. Address Extension (Type = 147) . . . . . . . . . . . . . . 21 4.17. Address Extension (Type = 147) . . . . . . . . . . . . . . 22
4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 22 4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 23
4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 22 4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 23
4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . . 23 4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . . 24
4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 23 4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 24
4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) . 25 4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) . 25
4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . . 25 4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . . 26
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
6. Security Considerations . . . . . . . . . . . . . . . . . . . 27 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
8.1. Normative References . . . . . . . . . . . . . . . . . . . 27 8.1. Normative References . . . . . . . . . . . . . . . . . . . 28
8.2. Informative References . . . . . . . . . . . . . . . . . . 28 8.2. Informative References . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 32
1. Introduction 1. Introduction
This document document discusses the filtering of IPv4 packets based This document discusses the filtering of IPv4 packets based on the
on the IPv4 options they contain. Since various protocols may use IPv4 options they contain. Since various protocols may use IPv4
IPv4 options to some extent, dropping packets based on the options options to some extent, dropping packets based on the options they
they contain may have implications on the proper functioning of the contain may have implications on the proper functioning of the
protocol. Therefore, this document attempts to discuss the protocol. Therefore, this document attempts to discuss the
operational and interoperability implications of such dropping. operational and interoperability implications of such dropping.
Additionally, it outlines what a network operator might do in a Additionally, it outlines what a network operator might do in a
typical enterprise or Service Provider environments. typical enterprise or Service Provider environments.
We note that data seems to indicate that there is a current We note that data seems to indicate that there is a current
widespread practice of blocking IPv4 optioned packets. There are widespread practice of blocking IPv4 optioned packets. There are
various plausible approaches to minimize the potential negative various plausible approaches to minimize the potential negative
effects of IPv4 optioned packets while allowing some options effects of IPv4 optioned packets while allowing some options
semantics. One approach is to allow for specific options that are semantics. One approach is to allow for specific options that are
expected or needed, and a default deny. A different approach is to expected or needed, and a default deny. A different approach is to
deny unneeded options and a default allow. Yet a third possible deny unneeded options and a default allow. Yet a third possible
approach is to allow for end-to-end semantics by ignoring options and approach is to allow for end-to-end semantics by ignoring options and
treating packets as un-optioned while in transit. Experiments and treating packets as un-optioned while in transit. Experiments and
currently-available data tends to support the first or third currently-available data tends to support the first or third
approaches as more realistic. Some results of regarding the current approaches as more realistic. Some results of regarding the current
state of affairs with respect to dropping packets containing IP state of affairs with respect to dropping packets containing IP
options can be found in [MEDINA]. options can be found in [MEDINA] [FONSECA].
We also note that while this document provides advice on dropping We also note that while this document provides advice on dropping
packets on a "per IP option type", not all devices may provide this packets on a "per IP option type", not all devices may provide this
capability with such granularity. Additionally, even in cases in capability with such granularity. Additionally, even in cases in
which such functionality is provided, the operator might want to which such functionality is provided, the operator might want to
specify a dropping policy with a coarser granularity (rather than on specify a dropping policy with a coarser granularity (rather than on
a "per IP option type" granularity), as indicated above. a "per IP option type" granularity), as indicated above.
Finally, in scenarios in which processing of IP options by Finally, in scenarios in which processing of IP options by
intermediate systems is not required, a widespread approach is to intermediate systems is not required, a widespread approach is to
skipping to change at page 5, line 28 skipping to change at page 5, line 30
The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the
currently assigned IP option numbers. currently assigned IP option numbers.
3. General Security Implications of IP options 3. General Security Implications of IP options
3.1. Processing Requirements 3.1. Processing Requirements
Historically, most IP routers used a general-purpose CPU to process Historically, most IP routers used a general-purpose CPU to process
IP packets and forward them towards their destination. This same CPU IP packets and forward them towards their destination. This same CPU
usually also processed network management traffic (e.g. SNMP), usually also processed network management traffic (e.g., SNMP),
configuration commands (e.g. command line interface), and various configuration commands (e.g., command line interface), and various
routing protocols (e.g. RIP, OSPF, BGP, IS-IS) or other control routing protocols (e.g., RIP, OSPF, BGP, IS-IS) or other control
protocols (e.g. RSVP, ICMP). In such architectures it has been protocols (e.g., RSVP, ICMP). In such architectures it has been
common for the general-purpose CPU also to perform any packet common for the general-purpose CPU also to perform any packet
filtering that has been enabled on the router (or router interface). filtering that has been enabled on the router (or router interface).
An IP router built using this architecture often has a significant An IP router built using this architecture often has a significant
(Distributed) Denial-of-Service (DDOS) attack risk if the router (Distributed) Denial-of-Service (DDOS) attack risk if the router
control plane (e.g. CPU) is overwhelmed by a large number of IPv4 control plane (e.g., CPU) is overwhelmed by a large number of IPv4
packets that contain IPv4 options packets that contain IPv4 options.
From about 1995 onwards, a growing number of IP routers have From about 1995 onwards, a growing number of IP routers have
incorporated specialized IP packet processing silicon (i.e. FPGA, incorporated specialized IP packet processing silicon (i.e., FPGA,
ASIC), thereby separating the IP packet forwarding function from the ASIC), thereby separating the IP packet forwarding function from the
other functions of the router. Such router architectures tend to be other functions of the router. Such router architectures tend to be
more resilient to DDOS attacks that might be seen in the global more resilient to DDOS attacks that might be seen in the global
public Internet. Depending upon various implementation and public Internet. Depending upon various implementation and
configuration details, routers with a silicon packet forwarding configuration details, routers with a silicon packet forwarding
engine can handle high volumes of IP packets containing IP Options engine can handle high volumes of IP packets containing IP Options
without any adverse impact on packet forwarding rates or on the without any adverse impact on packet forwarding rates or on the
router's control plane (e.g. general-purpose CPU). Some router's control plane (e.g., general-purpose CPU). Some
implementations have a configuration knob simply to forward all IP implementations have a configuration knob simply to forward all IP
packets containing IP Options at wire-speed in silicon as if the IP packets containing IP Options at wire-speed in silicon as if the IP
packet did not contain an IP option ("ignore options & forward"). packet did not contain an IP option ("ignore options & forward").
Other implementations support wire-speed silicon-based packet Other implementations support wire-speed silicon-based packet
filtering, thereby enabling packets containing certain IP options to filtering, thereby enabling packets containing certain IP options to
be selectively dropped ("drop"), packets containing certain other IP be selectively dropped ("drop"), packets containing certain other IP
options to have those IP options ignored ("ignore options & options to have those IP options ignored ("ignore options &
forward"), and other packets containing different IP options to have forward"), and other packets containing different IP options to have
those options processed, either on a general-purpose CPU or using those options processed, either on a general-purpose CPU or using
custom logic (e.g. FPGA, ASIC), while the packet is being forwarded custom logic (e.g., FPGA, ASIC), while the packet is being forwarded
("process option & forward"). ("process option & forward").
Broadly speaking, any IP packet that requires processing by an IP Broadly speaking, any IP packet that requires processing by an IP
router's general-purpose CPU can be a DDOS risk to that router's router's general-purpose CPU can be a DDOS risk to that router's
general-purpose CPU (and thence to the router itself). However, at general-purpose CPU (and thence to the router itself). However, at
present, the particular architectural and engineering details of the present, the particular architectural and engineering details of the
particular IP router being considered are important to understand particular IP router being considered are important to understand
when evaluating the operational security risks associated with a when evaluating the operational security risks associated with a
particular IP packet type or IP option type. particular IP packet type or IP option type.
skipping to change at page 7, line 18 skipping to change at page 7, line 18
4.1.4. Operational and Interoperability Impact if Blocked 4.1.4. Operational and Interoperability Impact if Blocked
Packets containing any IP options are likely to include an End of Packets containing any IP options are likely to include an End of
Option List. Therefore, if packets containing this option are Option List. Therefore, if packets containing this option are
dropped, it is very likely that legitimate traffic is blocked. dropped, it is very likely that legitimate traffic is blocked.
4.1.5. Advice 4.1.5. Advice
Routers, security gateways, and firewalls SHOULD NOT drop packets Routers, security gateways, and firewalls SHOULD NOT drop packets
containing this option. because they contain this option.
4.2. No Operation (Type = 1) 4.2. No Operation (Type = 1)
4.2.1. Uses 4.2.1. Uses
The no-operation option is basically meant to allow the sending The no-operation option is basically meant to allow the sending
system to align subsequent options in, for example, 32-bit system to align subsequent options in, for example, 32-bit
boundaries. boundaries.
4.2.2. Option Specification 4.2.2. Option Specification
skipping to change at page 7, line 45 skipping to change at page 7, line 45
4.2.4. Operational and Interoperability Impact if Blocked 4.2.4. Operational and Interoperability Impact if Blocked
Packets containing any IP options are likely to include a No Packets containing any IP options are likely to include a No
Operation option. Therefore, if packets containing this option are Operation option. Therefore, if packets containing this option are
dropped, it is very likely that legitimate traffic is blocked. dropped, it is very likely that legitimate traffic is blocked.
4.2.5. Advice 4.2.5. Advice
Routers, security gateways, and firewalls SHOULD NOT drop packets Routers, security gateways, and firewalls SHOULD NOT drop packets
containing this option. because they contain this option.
4.3. Loose Source and Record Route (LSRR) (Type = 131) 4.3. Loose Source and Record Route (LSRR) (Type = 131)
RFC 791 states that this option should appear, at most, once in a RFC 791 states that this option should appear, at most, once in a
given packet. Thus, if a packet contains more than one LSRR option, given packet. Thus, if a packet contains more than one LSRR option,
it should be dropped, and this event should be logged (e.g., a it should be dropped, and this event should be logged (e.g., a
counter could be incremented to reflect the packet drop). counter could be incremented to reflect the packet drop).
Additionally, packets containing a combination of LSRR and SSRR Additionally, packets containing a combination of LSRR and SSRR
options should be dropped, and this event should be logged (e.g., a options should be dropped, and this event should be logged (e.g., a
skipping to change at page 8, line 30 skipping to change at page 8, line 30
4.3.2. Option Specification 4.3.2. Option Specification
Specified in RFC 791 [RFC0791]. Specified in RFC 791 [RFC0791].
4.3.3. Threats 4.3.3. Threats
The LSRR option has well-known security implications [RFC6274]. The LSRR option has well-known security implications [RFC6274].
Among other things, the option can be used to: Among other things, the option can be used to:
o Bypass firewall rules o Bypass firewall rules.
o Reach otherwise unreachable internet systems o Reach otherwise unreachable internet systems.
o Establish TCP connections in a stealthy way o Establish TCP connections in a stealthy way.
o Learn about the topology of a network o Learn about the topology of a network.
o Perform bandwidth-exhaustion attacks o Perform bandwidth-exhaustion attacks.
Of these attack vectors, the one that has probably received least Of these attack vectors, the one that has probably received least
attention is the use of the LSRR option to perform bandwidth attention is the use of the LSRR option to perform bandwidth
exhaustion attacks. The LSRR option can be used as an amplification exhaustion attacks. The LSRR option can be used as an amplification
method for performing bandwidth-exhaustion attacks, as an attacker method for performing bandwidth-exhaustion attacks, as an attacker
could make a packet bounce multiple times between a number of systems could make a packet bounce multiple times between a number of systems
by carefully crafting an LSRR option. by carefully crafting an LSRR option.
This is the IPv4-version of the IPv6 amplification attack that was This is the IPv4-version of the IPv6 amplification attack that was
widely publicized in 2007 [Biondi2007]. The only difference is widely publicized in 2007 [Biondi2007]. The only difference is
skipping to change at page 9, line 28 skipping to change at page 9, line 28
option even when explicitly configured not to do so. option even when explicitly configured not to do so.
[OpenBSD1998] is a security advisory about an improper [OpenBSD1998] is a security advisory about an improper
implementation of such a system-wide toggle in 4.4BSD kernels. implementation of such a system-wide toggle in 4.4BSD kernels.
This issue was resolved in later versions of the corresponding This issue was resolved in later versions of the corresponding
operating system. operating system.
4.3.4. Operational and Interoperability Impact if Blocked 4.3.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the LSRR option Network troubleshooting techniques that may employ the LSRR option
(such as ping or traceroute) would break. Nevertheless, it should be (such as ping or traceroute with the appropriate arguments) would
noted that it is virtually impossible to use the LSRR option for break when using the LSRR option (ping and traceroute without IPv4
troubleshooting, due to widespread dropping of packets that contain options are not impacted). Nevertheless, it should be noted that it
such option. is virtually impossible to use the LSRR option for troubleshooting,
due to widespread dropping of packets that contain such option.
4.3.5. Advice 4.3.5. Advice
Routers, security gateways, and firewalls SHOULD implement an option- Routers, security gateways, and firewalls SHOULD implement an option-
specific configuration knob whether packets with this option are specific configuration knob whether packets with this option are
dropped, packets with this IP option are forwarded as if they did not dropped, packets with this IP option are forwarded as if they did not
contain this IP option, or packets with this option are processed and contain this IP option, or packets with this option are processed and
forwarded as per [RFC0791]. The default setting for this knob SHOULD forwarded as per [RFC0791]. The default setting for this knob SHOULD
be "drop", and the default setting MUST be documented. be "drop", and the default setting MUST be documented.
skipping to change at page 10, line 25 skipping to change at page 10, line 27
4.4.3. Threats 4.4.3. Threats
The SSRR option has the same security implications as the LSRR The SSRR option has the same security implications as the LSRR
option. Please refer to Section 4.3 for a discussion of such option. Please refer to Section 4.3 for a discussion of such
security implications. security implications.
4.4.4. Operational and Interoperability Impact if Blocked 4.4.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the SSRR option Network troubleshooting techniques that may employ the SSRR option
(such as ping or traceroute) would break. Nevertheless, it should be (such as ping or traceroute with the appropriate arguments) would
noted that it is virtually impossible to use the SSSR option for break when using the SSRR option (ping and traceroute without IPv4
trouble-shooting, due to widespread dropping of packets that contain options are not impacted). Nevertheless, it should be noted that it
such option. is virtually impossible to use the SSRR option for trouble-shooting,
due to widespread dropping of packets that contain such option.
4.4.5. Advice 4.4.5. Advice
Routers, security gateways, and firewalls SHOULD implement an option- Routers, security gateways, and firewalls SHOULD implement an option-
specific configuration knob whether packets with this option are specific configuration knob whether packets with this option are
dropped, packets with this IP option are forwarded as if they did not dropped, packets with this IP option are forwarded as if they did not
contain this IP option, or packets with this option are processed and contain this IP option, or packets with this option are processed and
forwarded as per [RFC0791]. The default setting for this knob SHOULD forwarded as per [RFC0791]. The default setting for this knob SHOULD
be "drop", and the default setting MUST be documented. be "drop", and the default setting MUST be documented.
skipping to change at page 11, line 14 skipping to change at page 11, line 14
4.5.3. Threats 4.5.3. Threats
This option can be exploited to map the topology of a network. This option can be exploited to map the topology of a network.
However, the limited space in the IP header limits the usefulness of However, the limited space in the IP header limits the usefulness of
this option for that purpose. this option for that purpose.
4.5.4. Operational and Interoperability Impact if Blocked 4.5.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the RR option Network troubleshooting techniques that may employ the RR option
(such as ping with the RR option) would break. Nevertheless, it (such as ping with the RR option) would break when using the RR
option (ping without IPv4 options is not impacted). Nevertheless, it
should be noted that it is virtually impossible to use such should be noted that it is virtually impossible to use such
techniques due to widespread dropping of packets that contain RR techniques due to widespread dropping of packets that contain RR
options. options.
4.5.5. Advice 4.5.5. Advice
Routers, security gateways, and firewalls SHOULD implement an option- Routers, security gateways, and firewalls SHOULD implement an option-
specific configuration knob whether packets with this option are specific configuration knob whether packets with this option are
dropped, packets with this IP option are forwarded as if they did not dropped, packets with this IP option are forwarded as if they did not
contain this IP option, or packets with this option are processed and contain this IP option, or packets with this option are processed and
skipping to change at page 13, line 52 skipping to change at page 14, line 5
This option SHOULD be allowed only in controlled environments, where This option SHOULD be allowed only in controlled environments, where
the option can be used safely. [RFC6398] identifies some such the option can be used safely. [RFC6398] identifies some such
environments. In unsafe environments, packets containing this option environments. In unsafe environments, packets containing this option
SHOULD be dropped. SHOULD be dropped.
A given router, security gateway, or firewall system has no way of A given router, security gateway, or firewall system has no way of
knowing a priori whether this option is valid in its operational knowing a priori whether this option is valid in its operational
environment. Therefore, routers, security gateways, and firewalls environment. Therefore, routers, security gateways, and firewalls
SHOULD, by default, ignore the Router Alert option. Additionally, SHOULD, by default, ignore the Router Alert option. Additionally,
Routers, security gateways, and firewalls SHOULD have a configuration Routers, security gateways, and firewalls SHOULD have a configuration
setting that indicates whether they should react react on the Router setting that governs their reaction in the presence of packets
Alert option as indicated in the corresponding specification or containing the Router Alert option. This configuration setting
ignore the option, or whether packets containing this option should SHOULD allow to honor and process the option, ignore the option, or
be dropped (with the default configuration being to ignore the Router drop packets containing this option. The default configuration is to
Alert option). ignore the Router Alert option.
4.9. Probe MTU (Type = 11) (obsolete) 4.9. Probe MTU (Type = 11) (obsolete)
4.9.1. Uses 4.9.1. Uses
This option originally provided a mechanism to discover the Path-MTU. This option originally provided a mechanism to discover the Path-MTU.
It has been declared obsolete. It has been declared obsolete.
4.9.2. Option Specification 4.9.2. Option Specification
skipping to change at page 16, line 16 skipping to change at page 16, line 21
4.12.1. Uses 4.12.1. Uses
This option is used by Multi-Level-Secure (MLS) end-systems and This option is used by Multi-Level-Secure (MLS) end-systems and
intermediate systems in specific environments to [RFC1108]: intermediate systems in specific environments to [RFC1108]:
o Transmit from source to destination in a network standard o Transmit from source to destination in a network standard
representation the common security labels required by computer representation the common security labels required by computer
security models [Landwehr81], security models [Landwehr81],
o Validate the datagram as appropriate for transmission from the o validate the datagram as appropriate for transmission from the
source and delivery to the destination, and, source and delivery to the destination, and,
o Ensure that the route taken by the datagram is protected to the o ensure that the route taken by the datagram is protected to the
level required by all protection authorities indicated on the level required by all protection authorities indicated on the
datagram. datagram.
The DoD Basic Security Option (BSO) is currently implemented in a The DoD Basic Security Option (BSO) is currently implemented in a
number of operating systems (e.g., [IRIX2008], [SELinux2008], number of operating systems (e.g., [IRIX2008], [SELinux2008],
[Solaris2008], and [Cisco-IPSO]), and deployed in a number of high- [Solaris2008], and [Cisco-IPSO]), and deployed in a number of high-
security networks. These networks are typically either in physically security networks. These networks are typically either in physically
secure locations, protected by military/governmental communications secure locations, protected by military/governmental communications
security equipment, or both. Such networks are typically built using security equipment, or both. Such networks are typically built using
commercial off-the-shelf (COTS) IP routers and Ethernet switches, but commercial off-the-shelf (COTS) IP routers and Ethernet switches, but
skipping to change at page 17, line 8 skipping to change at page 17, line 12
IP security options, and in turn was obsoleted by RFC 1108 IP security options, and in turn was obsoleted by RFC 1108
[RFC1108]. The "Security Option" specified in RFC 791 is [RFC1108]. The "Security Option" specified in RFC 791 is
considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122] and considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122] and
Section 4.2.2.1 of RFC 1812 [RFC1812], and therefore the Section 4.2.2.1 of RFC 1812 [RFC1812], and therefore the
discussion in this section is focused on the DoD Basic Security discussion in this section is focused on the DoD Basic Security
option specified by RFC 1108 [RFC1108]. option specified by RFC 1108 [RFC1108].
Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement
this option". this option".
Many Cisco routers that run Cisco IOS include support dropping Some private IP networks consider IP router-based per-interface
packets that contain this option with per-interface granularity. selective filtering of packets based on (a) the presence of an
This capability has been present in many Cisco routers since the IPSO option (including BSO and ESO) and (b) based on the contents
early 1990s [Cisco-IPSO-Cmds]. Some governmental products of that IPSO option to be important for operational security
reportedly support BSO, notably CANEWARE [RFC4949]. Support for reasons. The recent IPv6 CALIPSO option specification discusses
BSO is included in the "IPsec Configuration Policy Information this in additional detail, albeit in an IPv6 context [RFC5570].
Model" [RFC3585] and in the "IPsec Security Policy Database
Configuration MIB" [RFC4807]. Such private IP networks commonly are built using both commercial
and open-source products - for hosts, guards, firewalls, switches,
routers, etc. Some commercial IP routers support this option, as
do some IP routers which are built on top of Multi-Level Secure
(MLS) operating systems (e.g., on top of Trusted Solaris
[Solaris2008] or Security-Enhanced Linux [SELinux2008]).
For example, many Cisco routers that run Cisco IOS include support
for selectively filtering packets that contain the IP Security
Options (IPSO) with per-interface granularity. This capability
has been present in many Cisco routers since the early 1990s
[Cisco-IPSO-Cmds]. Some government sector products reportedly
also support the IP Security Options (IPSO), for example CANEWARE
[RFC4949].
Support for the IPSO Basic Security Option also is included in the
"IPsec Configuration Policy Information Model" [RFC3585] and in
the "IPsec Security Policy Database Configuration MIB" [RFC4807].
Section 4.6.1 of the IP Security Domain of Interpretation
[RFC2407] includes support for labeled IPsec security associations
compatible with the IP Security Options.
4.12.3. Threats 4.12.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat. Packets with this option ought not normally be specific new threat. Packets with this option ought not normally be
seen on the global public Internet. seen on the global public Internet.
4.12.4. Operational and Interoperability Impact if Blocked 4.12.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labelled. In some cases, the receiver might receive isn't properly labeled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose BSO was stripped by an received data from the packet whose BSO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
sensitivity label can cause the received information either to be sensitivity label can cause the received information either to be
handled as more sensitive than it really is ("upgrading") or as less handled as more sensitive than it really is ("upgrading") or as less
sensitive than it really is ("downgrading"), either of which is sensitive than it really is ("downgrading"), either of which is
problematic. problematic.
4.12.5. Advice 4.12.5. Advice
Routers, security gateways, and firewalls SHOULD NOT by default Routers, security gateways, and firewalls SHOULD NOT by default
modify or remove this option from IP packets and SHOULD NOT by modify or remove this option from IP packets and SHOULD NOT by
default drop packets containing this option. For auditing reasons, default drop packets because they contain this option. For auditing
Routers, security gateways, and firewalls SHOULD be capable of reasons, Routers, security gateways, and firewalls SHOULD be capable
logging the numbers of packets containing the BSO on a per-interface of logging the numbers of packets containing the BSO on a per-
basis. Also, Routers, security gateways, and firewalls SHOULD be interface basis. Also, Routers, security gateways, and firewalls
capable of dropping packets based on the BSO presence as well as the SHOULD be capable of dropping packets based on the BSO presence as
BSO values. well as the BSO values.
4.13. DoD Extended Security Option (Type = 133) 4.13. DoD Extended Security Option (Type = 133)
4.13.1. Uses 4.13.1. Uses
This option permits additional security labeling information, beyond This option permits additional security labeling information, beyond
that present in the Basic Security Option (Section 4.12), to be that present in the Basic Security Option (Section 4.12), to be
supplied in an IP datagram to meet the needs of registered supplied in an IP datagram to meet the needs of registered
authorities. authorities.
4.13.2. Option Specification 4.13.2. Option Specification
The DoD Extended Security Option (ESO) is specified by RFC 1108 The DoD Extended Security Option (ESO) is specified by RFC 1108
skipping to change at page 18, line 16 skipping to change at page 18, line 38
This option permits additional security labeling information, beyond This option permits additional security labeling information, beyond
that present in the Basic Security Option (Section 4.12), to be that present in the Basic Security Option (Section 4.12), to be
supplied in an IP datagram to meet the needs of registered supplied in an IP datagram to meet the needs of registered
authorities. authorities.
4.13.2. Option Specification 4.13.2. Option Specification
The DoD Extended Security Option (ESO) is specified by RFC 1108 The DoD Extended Security Option (ESO) is specified by RFC 1108
[RFC1108]. [RFC1108].
Many Cisco routers that run Cisco IOS include support for dropping Some private IP networks consider IP router-based per-interface
packets that contain this option with a per-interface granularity. selective filtering of packets based on (a) the presence of an
This capability has been present in many Cisco routers since the IPSO option (including BSO and ESO) and (b) based on the contents
early 1990s [Cisco-IPSO-Cmds]. Some governmental products of that IPSO option to be important for operational security
reportedly support ESO, notably CANEWARE [RFC4949]. Support for reasons. The recent IPv6 CALIPSO option specification discusses
ESO is included in the "IPsec Configuration Policy Information this in additional detail, albeit in an IPv6 context [RFC5570].
Model" [RFC3585] and in the "IPsec Security Policy Database
Configuration MIB" [RFC4807]. Such private IP networks commonly are built using both commercial
and open-source products - for hosts, guards, firewalls, switches,
routers, etc. Some commercial IP routers support this option, as
do some IP routers which are built on top of Multi-Level Secure
(MLS) operating systems (e.g., on top of Trusted Solaris
[Solaris2008] or Security-Enhanced Linux [SELinux2008]).
For example, many Cisco routers that run Cisco IOS include support
for selectively filtering packets that contain the IP Security
Options (IPSO) with per-interface granularity. This capability
has been present in many Cisco routers since the early 1990s
[Cisco-IPSO-Cmds]. Some government sector products reportedly
also support the IP Security Options (IPSO), for example CANEWARE
[RFC4949].
Support for the IPSO Extended Security Option also is included in
the "IPsec Configuration Policy Information Model" [RFC3585] and
in the "IPsec Security Policy Database Configuration MIB"
[RFC4807]. Section 4.6.1 of the IP Security Domain of
Interpretation [RFC2407] includes support for labeled IPsec
security associations compatible with the IP Security Options.
4.13.3. Threats 4.13.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat. Packets with this option ought not normally be specific new threat. Packets with this option ought not normally be
seen on the global public Internet seen on the global public Internet.
4.13.4. Operational and Interoperability Impact if Blocked 4.13.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labelled. In some cases, the receiver might receive isn't properly labeled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose ESO was stripped by an received data from the packet whose ESO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
sensitivity label can cause the received information either to be sensitivity label can cause the received information either to be
handled as more sensitive than it really is ("upgrading") or as less handled as more sensitive than it really is ("upgrading") or as less
sensitive than it really is ("downgrading"), either of which is sensitive than it really is ("downgrading"), either of which is
problematic. problematic.
4.13.5. Advice 4.13.5. Advice
Routers, security gateways, and firewalls SHOULD NOT by default Routers, security gateways, and firewalls SHOULD NOT by default
modify or remove this option from IP packets and SHOULD NOT by modify or remove this option from IP packets and SHOULD NOT by
default drop packets containing this option. For auditing reasons, default drop packets because they contain this option. For auditing
Routers, security gateways, and firewalls SHOULD be capable of reasons, Routers, security gateways, and firewalls SHOULD be capable
logging the numbers of packets containing the ESO on a per-interface of logging the numbers of packets containing the ESO on a per-
basis. Also, Routers, security gateways, and firewalls SHOULD be interface basis. Also, Routers, security gateways, and firewalls
capable of dropping packets based on the ESO presence as well as the SHOULD be capable of dropping packets based on the ESO presence as
ESO values. well as the ESO values.
4.14. Commercial IP Security Option (CIPSO) (Type = 134) 4.14. Commercial IP Security Option (CIPSO) (Type = 134)
4.14.1. Uses 4.14.1. Uses
This option was proposed by the Trusted Systems Interoperability This option was proposed by the Trusted Systems Interoperability
Group (TSIG), with the intent of meeting trusted networking Group (TSIG), with the intent of meeting trusted networking
requirements for the commercial trusted systems market place. requirements for the commercial trusted systems market place.
It is currently implemented in a number of operating systems (e.g., It is currently implemented in a number of operating systems (e.g.,
IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris
[Solaris2008]), and deployed in a number of high-security networks. [Solaris2008]), and deployed in a number of high-security networks.
4.14.2. Option Specification 4.14.2. Option Specification
This option is specified in [CIPSO1992] and [FIPS1994]. There are This option is specified in [I-D.ietf-cipso-ipsecurity] and
zero known IP router implementations of CIPSO. Several MLS operating [FIPS1994]. There are zero known IP router implementations of CIPSO.
systems support CIPSO, generally the same MLS operating systems that Several MLS operating systems support CIPSO, generally the same MLS
support IPSO. operating systems that support IPSO.
The TSIG proposal was taken to the Commercial Internet Security The TSIG proposal was taken to the Commercial Internet Security
Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an
Internet-Draft was produced [CIPSO1992]. The Internet-Draft was Internet-Draft was produced [I-D.ietf-cipso-ipsecurity]. The
never published as an RFC, but the proposal was later standardized Internet-Draft was never published as an RFC, but the proposal was
by the U.S. National Institute of Standards and Technology (NIST) later standardized by the U.S. National Institute of Standards and
as "Federal Information Processing Standard Publication 188" Technology (NIST) as "Federal Information Processing Standard
[FIPS1994]. Publication 188" [FIPS1994].
4.14.3. Threats 4.14.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat. Packets with this option ought not normally be specific new threat. Packets with this option ought not normally be
seen on the global public Internet. seen on the global public Internet.
4.14.4. Operational and Interoperability Impact if Blocked 4.14.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labelled. In some cases, the receiver might receive isn't properly labeled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose CIPSO was stripped by an received data from the packet whose CIPSO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
sensitivity label can cause the received information either to be sensitivity label can cause the received information either to be
handled as more sensitive than it really is ("upgrading") or as less handled as more sensitive than it really is ("upgrading") or as less
sensitive than it really is ("downgrading"), either of which is sensitive than it really is ("downgrading"), either of which is
problematic. problematic.
4.14.5. Advice 4.14.5. Advice
Because of the design of this option, with variable syntax and Because of the design of this option, with variable syntax and
variable length, it is not practical to support specialized filtering variable length, it is not practical to support specialized filtering
using the CIPSO information. No routers or firewalls are known to using the CIPSO information. No routers or firewalls are known to
support this option. However, Routers, security gateways, and support this option. However, Routers, security gateways, and
firewalls SHOULD NOT by default modify or remove this option from IP firewalls SHOULD NOT by default modify or remove this option from IP
packets and SHOULD NOT by default drop packets containing this packets and SHOULD NOT by default drop packets because they contain
option. For auditing reasons, routers, security gateways, and this option. For auditing reasons, routers, security gateways, and
firewalls SHOULD be capable of logging the numbers of packets firewalls SHOULD be capable of logging the numbers of packets
containing the CIPSO on a per-interface basis. Also, Routers, containing the CIPSO on a per-interface basis. Also, Routers,
security gateways, and firewalls SHOULD be capable of dropping security gateways, and firewalls SHOULD be capable of dropping
packets based on the CIPSO presence. packets based on the CIPSO presence.
4.15. VISA (Type = 142) 4.15. VISA (Type = 142)
4.15.1. Uses 4.15.1. Uses
This options was part of an experiment at USC and was never widely This options was part of an experiment at USC and was never widely
skipping to change at page 23, line 29 skipping to change at page 24, line 23
4.20. Upstream Multicast Pkt. (Type = 152) 4.20. Upstream Multicast Pkt. (Type = 152)
4.20.1. Uses 4.20.1. Uses
This option was meant to solve the problem of doing upstream This option was meant to solve the problem of doing upstream
forwarding of multicast packets on a multi-access LAN. forwarding of multicast packets on a multi-access LAN.
4.20.2. Option Specification 4.20.2. Option Specification
This option was originally specified in [draft-farinacci-bidir-pim]. This option was originally specified in [I-D.farinacci-bidir-pim].
It was was never formally standardized in the RFC series, and was It was never formally standardized in the RFC series, and was never
never widely implemented and deployed. Its use was obsoleted by widely implemented and deployed. Its use was obsoleted by [RFC5015],
[RFC5015], which employs a control plane mechanism to solve the which employs a control plane mechanism to solve the problem of doing
problem of doing upstream forwarding of multicast packets on a multi- upstream forwarding of multicast packets on a multi-access LAN. This
access LAN. This option has been formally obsoleted by [RFC6814]. option has been formally obsoleted by [RFC6814].
4.20.3. Threats 4.20.3. Threats
None. None.
4.20.4. Operational and Interoperability Impact if Blocked 4.20.4. Operational and Interoperability Impact if Blocked
None. None.
4.20.5. Advice 4.20.5. Advice
skipping to change at page 24, line 21 skipping to change at page 25, line 14
4.21.2. Option Specification 4.21.2. Option Specification
Specified in RFC 4782 [RFC4782], on the "Experimental" track. Specified in RFC 4782 [RFC4782], on the "Experimental" track.
4.21.3. Threats 4.21.3. Threats
Section 9.6 of [RFC4782] notes that Quick-Start is vulnerable to two Section 9.6 of [RFC4782] notes that Quick-Start is vulnerable to two
kinds of attacks: kinds of attacks:
o attacks to increase the routers' processing and state load, and, o Attacks to increase the routers' processing and state load, and,
o attacks with bogus Quick-Start Requests to temporarily tie up o attacks with bogus Quick-Start Requests to temporarily tie up
available Quick-Start bandwidth, preventing routers from approving available Quick-Start bandwidth, preventing routers from approving
Quick-Start Requests from other connections Quick-Start Requests from other connections.
4.21.4. Operational and Interoperability Impact if Blocked 4.21.4. Operational and Interoperability Impact if Blocked
The Quick-Start functionality would be disabled, and additional The Quick-Start functionality would be disabled, and additional
delays in e.g. TCP's connection establishment could be introduced delays in e.g., TCP's connection establishment could be introduced
(please see Section 4.7.2 of [RFC4782]. We note, however, that (please see Section 4.7.2 of [RFC4782]. We note, however, that
Quick-Start has been proposed as mechanism that could be of use in Quick-Start has been proposed as mechanism that could be of use in
controlled environments, and not as a mechanism that would be controlled environments, and not as a mechanism that would be
intended or appropriate for ubiquitous deployment in the global intended or appropriate for ubiquitous deployment in the global
Internet [RFC4782]. Internet [RFC4782].
4.21.5. Advice 4.21.5. Advice
A given router, security gateway, or firewall system has no way of A given router, security gateway, or firewall system has no way of
knowing a priori whether this option is valid in its operational knowing a priori whether this option is valid in its operational
environment. Therefore, routers, security gateways, and firewalls environment. Therefore, routers, security gateways, and firewalls
SHOULD, by default, ignore the Quick Start option. Additionally, SHOULD, by default, ignore the Quick Start option. Additionally,
routers, security gateways, and firewalls SHOULD have a configuration Routers, security gateways, and firewalls SHOULD have a configuration
setting that indicates whether they should react on the Quick Start setting that governs their reaction in the presence of packets
option as indicated in the corresponding specification or ignore the containing the Quick Start option. This configuration setting SHOULD
option, or whether packets containing this option should be dropped allow to honor and process the option, ignore the option, or drop
(with the default configuration being to ignore the Quick Start packets containing this option. The default configuration is to
option). ignore the Quick Start option.
We note that if routers in a given environment do not implement We note that if routers in a given environment do not implement
and enable the Quick-Start mechanism, only the general security and enable the Quick-Start mechanism, only the general security
implications of IP options (discussed in Section 3) would apply. implications of IP options (discussed in Section 3) would apply.
4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) 4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222)
Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all
defined values of the "copy" and "class" fields for RFC3692-style defined values of the "copy" and "class" fields for RFC3692-style
experiments. This results in four distinct option type codes: 30, experiments. This results in four distinct option type codes: 30,
94, 158, and 222. 94, 158, and 222.
4.22.1. Uses 4.22.1. Uses
It is only appropriate to use these values in explicitly-configured It is only appropriate to use these values in explicitly configured
experiments; they MUST NOT be shipped as defaults in implementations. experiments; they MUST NOT be shipped as defaults in implementations.
4.22.2. Option Specification 4.22.2. Option Specification
Specified in RFC 4727 [RFC4727] in the context of RFC3692-style Specified in RFC 4727 [RFC4727] in the context of RFC3692-style
experiments. experiments.
4.22.3. Threats 4.22.3. Threats
No specific security issues are known for this IPv4 option. No specific security issues are known for this IPv4 option.
4.22.4. Operational and Interoperability Impact if Blocked 4.22.4. Operational and Interoperability Impact if Blocked
None. None.
4.22.5. Advice 4.22.5. Advice
Routers, security gateways, and firewalls SHOULD have configuration Routers, security gateways, and firewalls SHOULD have configuration
knobs for IP packets that contain RFC3692-style Experiment options to knobs for IP packets that contain RFC3692-style Experiment options to
select between "ignore & forward" and "drop packet & log event"). select between "ignore & forward" and "drop & log"). Otherwise, no
legitimate experiment using these options will be able to traverse
any IP router.
Otherwise, no legitimate experiment using these options will be Special care needs to be taken in the case of "drop & log". Devices
able to traverse any IP router. SHOULD count the number of packets dropped, but the logging of drop
events SHOULD be limited to not overburden device resources.
The aforementioned configuration knob SHOULD default to "drop packet The aforementioned configuration knob SHOULD default to "drop & log".
& log event".
4.23. Other IP Options 4.23. Other IP Options
4.23.1. Specification 4.23.1. Specification
Unrecognized IP Options are to be ignored. Section 3.2.1.8 of RFC Unrecognized IP Options are to be ignored. Section 3.2.1.8 of RFC
1122 [RFC1122] and Section 4.2.2.6 of RFC 1812 [RFC1812] specify this 1122 [RFC1122] and Section 4.2.2.6 of RFC 1812 [RFC1812] specify this
behavior as follows: behavior as follows:
RFC 1122: "The IP and transport layer MUST each interpret those IP RFC 1122: "The IP and transport layer MUST each interpret those IP
skipping to change at page 26, line 42 skipping to change at page 27, line 33
4.23.3. Operational and Interoperability Impact if Blocked 4.23.3. Operational and Interoperability Impact if Blocked
The lack of open specifications for these options makes it impossible The lack of open specifications for these options makes it impossible
to evaluate the operational and interoperability impact if packets to evaluate the operational and interoperability impact if packets
containing these options are blocked. containing these options are blocked.
4.23.4. Advice 4.23.4. Advice
Routers, security gateways, and firewalls SHOULD have configuration Routers, security gateways, and firewalls SHOULD have configuration
knobs for IP packets containing these options (or other options not knobs for IP packets containing these options (or other options not
recognized) to select between "ignore & forward" and "drop packet & recognized) to select between "ignore & forward" and "drop & log").
log event").
Special care needs to be taken in the case of "drop & log". Devices
SHOULD count the number of packets dropped, but the logging of drop
events SHOULD be limited to not overburden device resources.
5. IANA Considerations 5. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
6. Security Considerations 6. Security Considerations
This document provides advice on the filtering of IP packets that This document provides advice on the filtering of IP packets that
contain IP options. Dropping such packets can help to mitigate the contain IP options. Dropping such packets can help to mitigate the
security issues that arise from use of different IP options. security issues that arise from use of different IP options. Many of
However, dropping packets containing IP options can cause real the IPv4 options listed in this document are deprecated and cause no
operational problems in deployed networks. Therefore, the practice operational impact if dropped. However, dropping packets containing
of dropping all IPv4 packets containing one or more IPv4 options IPv4 options that are in use can cause real operational problems in
without careful consideration is not recommended. deployed networks. Therefore, the practice of dropping all IPv4
packets containing one or more IPv4 options without careful
consideration is not recommended.
7. Acknowledgements 7. Acknowledgements
The authors would like to thank Panos Kampanakis and Donald Smith for The authors would like to thank Panos Kampanakis, Donald Smith, Ron
providing valuable comments on earlier versions of this document. Bonica, Arturo Servin, and Merike Kaeo for providing thorough reviews
and valuable comments.
Part of this document is based on the document "Security Assessment
of the Internet Protocol" [CPNI2008] that is the result of a project
carried out by Fernando Gont on behalf of UK CPNI (formerly NISCC).
Fernando Gont would like to thank UK CPNI (formerly NISCC) for their Part of this document is initially based on the document "Security
continued support. Assessment of the Internet Protocol" [CPNI2008] that is the result of
a project carried out by Fernando Gont on behalf of UK CPNI (formerly
NISCC). Fernando Gont would like to thank UK CPNI (formerly NISCC)
for their continued support.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981. September 1981.
[RFC1122] Braden, R., "Requirements for Internet Hosts - [RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989. Communication Layers", STD 3, RFC 1122, October 1989.
skipping to change at page 28, line 19 skipping to change at page 29, line 13
"Bidirectional Protocol Independent Multicast (BIDIR- "Bidirectional Protocol Independent Multicast (BIDIR-
PIM)", RFC 5015, October 2007. PIM)", RFC 5015, October 2007.
8.2. Informative References 8.2. Informative References
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference <http:// CanSecWest 2007 Security Conference <http://
www.secdev.org/conf/IPv6_RH_security-csw07.pdf>, 2007. www.secdev.org/conf/IPv6_RH_security-csw07.pdf>, 2007.
[CIPSO1992]
CIPSO, "COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)",
draft-ietf-cipso-ipsecurity-01 (work in progress), 1992.
[CIPSOWG1994] [CIPSOWG1994]
CIPSOWG, "Commercial Internet Protocol Security Option CIPSOWG, "Commercial Internet Protocol Security Option
(CIPSO) Working Group", 1994, <http://www.ietf.org/ (CIPSO) Working Group", 1994, <http://www.ietf.org/
proceedings/94jul/charters/cipso-charter.html>. proceedings/94jul/charters/cipso-charter.html>.
[CPNI2008] [CPNI2008]
Gont, F., "Security Assessment of the Internet Protocol", Gont, F., "Security Assessment of the Internet Protocol",
<http://www.cpni.gov.uk/Docs/InternetProtocol.pdf>, 2008. <http://www.cpni.gov.uk/Docs/InternetProtocol.pdf>, 2008.
[Cisco-IPSO] [Cisco-IPSO]
Cisco Systems, Inc., "Cisco IOS Security Configuration Cisco Systems, Inc., "Cisco IOS Security Configuration
Guide, Release 12.2 - Configuring IP Security Options", < Guide, Release 12.2 - Configuring IP Security Options",
http://www.cisco.com/en/US/docs/ios/12_2/security/ 2006, <http://www.cisco.com/en/US/docs/ios/12_2/security/
configuration/guide/scfipso.html>, 2006. configuration/guide/scfipso.html>.
[Cisco-IPSO-Cmds] [Cisco-IPSO-Cmds]
Cisco Systems, Inc., "Cisco IOS Security Command Cisco Systems, Inc., "Cisco IOS Security Command
Reference, Release 12.2 - IP Security Options Commands", Reference, Release 12.2 - IP Security Options Commands",
<http://www.cisco.com/en/US/docs/ios/12_2/security/ <http://www.cisco.com/en/US/docs/ios/12_2/security/
command/reference/srfipso.html>. command/reference/srfipso.html>.
[FIPS1994] [FIPS1994]
FIPS, "Standard Security Label for Information Transfer", FIPS, "Standard Security Label for Information Transfer",
Federal Information Processing Standards Publication. FIP Federal Information Processing Standards Publication. FIP
PUBS 188, <http://csrc.nist.gov/publications/fips/ PUBS 188, <http://csrc.nist.gov/publications/fips/fips188/
fips188/fips188.pdf>, 1994. fips188.pdf>, 1994.
[FONSECA] Fonseca, R., Porter, G., Katz, R., Shenker, S., and I.
Stoica, "IP Options are not an option", December 2005.
[I-D.farinacci-bidir-pim]
Estrin, D. and D. Farinacci, "Bi-Directional Shared Trees
in PIM-SM", draft-farinacci-bidir-pim (work in progress),
May 1999.
[I-D.ietf-cipso-ipsecurity]
IETF CIPSO Working Group, "COMMERCIAL IP SECURITY OPTION
(CIPSO 2.2)", draft-ietf-cipso-ipsecurity-01 (work in
progress), 1992.
[I-D.stoica-diffserv-dps] [I-D.stoica-diffserv-dps]
Stoica, I., Zhang, H., Baker, F., and Y. Bernet, "Per Hop Stoica, I., Zhang, H., Baker, F., and Y. Bernet, "Per Hop
Behaviors Based on Dynamic Packet State", Behaviors Based on Dynamic Packet State",
draft-stoica-diffserv-dps-02 (work in progress), draft-stoica-diffserv-dps-02 (work in progress),
October 2002. October 2002.
[IANA-IP] Internet Assigned Numbers Authority, "IP OPTION NUMBERS", [IANA-IP] Internet Assigned Numbers Authority, "IP OPTION NUMBERS",
April 2011, April 2011,
<http://www.iana.org/assignments/ip-parameters>. <http://www.iana.org/assignments/ip-parameters>.
[IRIX2008] [IRIX2008]
IRIX, "IRIX 6.5 trusted_networking(7) manual page", <http IRIX, "IRIX 6.5 trusted_networking(7) manual page", 2008,
://techpubs.sgi.com/library/tpl/cgi-bin/ <http://techpubs.sgi.com/library/tpl/cgi-bin/
getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/ getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/
cat7/trusted_networking.z>, 2008. cat7/trusted_networking.z>.
[Kohno2005] [Kohno2005]
Kohno, T., Broido, A., and kc. Claffy, "Remote Physical Kohno, T., Broido, A., and kc. Claffy, "Remote Physical
Device Fingerprinting", IEEE Transactions on Dependable Device Fingerprinting", IEEE Transactions on Dependable
and Secure Computing Vol. 2, No. 2, 2005. and Secure Computing Vol. 2, No. 2, 2005.
[Landwehr81] [Landwehr81]
Landwehr, C., "Formal Models for Computer Security", ACM Landwehr, C., "Formal Models for Computer Security", ACM
Computing Surveys Vol 13, No 3, September 1981, Assoc for Computing Surveys Vol 13, No 3, September 1981, Assoc for
Computing Machinery, New York, NY, USA, 1981. Computing Machinery, New York, NY, USA, 1981.
skipping to change at page 30, line 19 skipping to change at page 31, line 23
[RFC1475] Ullmann, R., "TP/IX: The Next Internet", RFC 1475, [RFC1475] Ullmann, R., "TP/IX: The Next Internet", RFC 1475,
June 1993. June 1993.
[RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi- [RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi-
Destination Delivery", RFC 1770, March 1995. Destination Delivery", RFC 1770, March 1995.
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, September 1997. Functional Specification", RFC 2205, September 1997.
[RFC2407] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585, Configuration Policy Information Model", RFC 3585,
August 2003. August 2003.
[RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick- [RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
Start for TCP and IP", RFC 4782, January 2007. Start for TCP and IP", RFC 4782, January 2007.
[RFC4807] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [RFC4807] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy Database Configuration MIB", Wang, "IPsec Security Policy Database Configuration MIB",
RFC 4807, March 2007. RFC 4807, March 2007.
skipping to change at page 31, line 6 skipping to change at page 32, line 12
[RFC6274] Gont, F., "Security Assessment of the Internet Protocol [RFC6274] Gont, F., "Security Assessment of the Internet Protocol
Version 4", RFC 6274, July 2011. Version 4", RFC 6274, July 2011.
[RFC6398] Le Faucheur, F., "IP Router Alert Considerations and [RFC6398] Le Faucheur, F., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, October 2011. Usage", BCP 168, RFC 6398, October 2011.
[RFC6814] Pignataro, C. and F. Gont, "Formally Deprecating Some IPv4 [RFC6814] Pignataro, C. and F. Gont, "Formally Deprecating Some IPv4
Options", RFC 6814, November 2012. Options", RFC 6814, November 2012.
[SELinux2008] [SELinux2008]
Security Enhanced Linux, "http://www.nsa.gov/selinux/". National Security Agency, "Security-Enhanced Linux - NSA/
CSS", January 2009,
<http://www.nsa.gov/research/selinux/index.shtml>.
[Solaris2008] [Solaris2008]
Solaris Trusted Extensions - Labeled Security for Absolute "Solaris Trusted Extensions - Labeled Security for
Protection, "http://www.sun.com/software/solaris/ds/ Absolute Protection", 2008, <http://www.sun.com/software/
trusted_extensions.jsp#3", 2008. solaris/ds/trusted_extensions.jsp#3>.
[draft-farinacci-bidir-pim]
Estrin, D. and D. Farinacci, "Bi-Directional Shared Trees
in PIM-SM", IETF Internet Draft,
draft-farinacci-bidir-pim, work in progress, May 1999.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
UTN-FRH / SI6 Networks UTN-FRH / SI6 Networks
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
 End of changes. 62 change blocks. 
163 lines changed or deleted 222 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/