rfcdiff: draft-ietf-opsec-ip-options-filtering-04.txt (old) vs. draft-ietf-opsec-ip-options-filtering-05.txt (new). Unchanged text is shown once; where the two versions differ, the passages are marked -04 and -05.

Operational Security Capabilities for                           F. Gont
IP Network Infrastructure (opsec)                 UTN-FRH / SI6 Networks
Internet-Draft                                              R. Atkinson
Intended status: BCP                                         Consultant
Expires: January 12, 2014 (-04) / March 20, 2014 (-05)     C. Pignataro
                                                                  Cisco
                         July 11, 2013 (-04) / September 16, 2013 (-05)

Recommendations on filtering of IPv4 packets containing IPv4 options.
draft-ietf-opsec-ip-options-filtering-04.txt / draft-ietf-opsec-ip-options-filtering-05.txt

Abstract

This document provides advice on the filtering of IPv4 packets based on the IPv4 options they contain. Additionally, it discusses the operational and interoperability implications of dropping packets based on the IP options they contain.

Status of this Memo
[skipping to change at page 1, line 36]

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

-04: This Internet-Draft will expire on January 12, 2014.
-05: This Internet-Draft will expire on March 20, 2014.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents
[skipping to change at page 2, line 17]

Table of Contents

1. Introduction
   1.1. Terminology and Conventions Used in This Document
2. IP Options
3. General Security Implications of IP options
   3.1. Processing Requirements
4. Advice on the Handling of Packets with Specific IP Options
   4.1. End of Option List (Type = 0)
   4.2. No Operation (Type = 1)
   4.3. Loose Source and Record Route (LSRR) (Type = 131)
   4.4. Strict Source and Record Route (SSRR) (Type = 137)
   4.5. Record Route (Type = 7)
   4.6. Stream Identifier (Type = 136) (obsolete)
   4.7. Internet Timestamp (Type = 68)
   4.8. Router Alert (Type = 148)
   4.9. Probe MTU (Type = 11) (obsolete)
   4.10. Reply MTU (Type = 12) (obsolete)
   4.11. Traceroute (Type = 82)
   4.12. DoD Basic Security Option (Type = 130)
   4.13. DoD Extended Security Option (Type = 133)
   4.14. Commercial IP Security Option (CIPSO) (Type = 134)
   4.15. VISA (Type = 142)
   4.16. Extended Internet Protocol (Type = 145)
   4.17. Address Extension (Type = 147)
   4.18. Sender Directed Multi-Destination Delivery (Type = 149)
   4.19. Dynamic Packet State (Type = 151)
   4.20. Upstream Multicast Pkt. (Type = 152)
   4.21. Quick-Start (Type = 25)
   4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222)
   4.23. Other IP Options
5. IANA Considerations
6. Security Considerations
7. Acknowledgements
8. References
   8.1. Normative References
   8.2. Informative References
Authors' Addresses
1. Introduction

This document discusses the filtering of IPv4 packets based on the IPv4 options they contain. Since various protocols may use IPv4

[skipping to change at page 3, line 48]

intermediate systems is not required, a widespread approach is to simply ignore IP options, and process the corresponding packets as if they do not contain any IP options.

1.1. Terminology and Conventions Used in This Document

The terms "fast path", "slow path", and associated relative terms ("faster path" and "slower path") are loosely defined as in Section 2 of [RFC6398].
-05 (added paragraph): Because of the security-oriented nature of this document, we are deliberately including some historical citations. This is intentional, and has the goal of explicitly retaining and showing history, as well as removing ambiguity and confusion.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. IP Options

IP options allow for the extension of the Internet Protocol. As specified in [RFC0791], there are two cases for the format of an option:
[skipping to change at page 16, line 28 (-04) / line 37 (-05)]

   representation the common security labels required by computer security models [Landwehr81],

o  validate the datagram as appropriate for transmission from the source and delivery to the destination, and,

o  ensure that the route taken by the datagram is protected to the level required by all protection authorities indicated on the datagram.
-04: The DoD Basic Security Option (BSO) is currently implemented in a number of operating systems (e.g., [IRIX2008], [SELinux2008], [Solaris2008], and [Cisco-IPSO]), and deployed in a number of high-security networks. These networks are typically either in physically secure locations, protected by military/governmental communications security equipment, or both. Such networks are typically built using commercial off-the-shelf (COTS) IP routers and Ethernet switches, but are not normally interconnected with the global public Internet. This option probably has more deployment now than when the IESG removed this option from the IETF standards-track. [RFC5570] describes a similar option recently defined for IPv6 and has much more detailed explanations of how sensitivity label options are used in real-world deployments.

-05: The DoD Basic Security Option (BSO) was implemented in IRIX [IRIX2008] and is currently implemented in a number of operating systems (e.g., Security-Enhanced Linux [SELinux2008], Solaris [Solaris2008], and Cisco IOS [Cisco-IPSO]). It is also currently deployed in a number of high-security networks. These networks are typically either in physically secure locations, protected by military/governmental communications security equipment, or both. Such networks are typically built using commercial off-the-shelf (COTS) IP routers and Ethernet switches, but are not normally interconnected with the global public Internet. This option probably has more deployment now than when the IESG removed this option from the IETF standards-track. [RFC5570] describes a similar option recently defined for IPv6 and has much more detailed explanations of how sensitivity label options are used in real-world deployments.
4.12.2. Option Specification

It is specified by RFC 1108 [RFC1108], which obsoleted RFC 1038 [RFC1038] (which in turn obsoleted the Security Option defined in RFC 791 [RFC0791]).

   RFC 791 [RFC0791] defined the "Security Option" (Type = 130), which used the same option type as the DoD Basic Security option discussed in this section. Later, RFC 1038 [RFC1038] revised the
[skipping to change at page 20, line 13 (-04) / line 24 (-05)]

   well as the ESO values.

4.14. Commercial IP Security Option (CIPSO) (Type = 134)

4.14.1. Uses

This option was proposed by the Trusted Systems Interoperability Group (TSIG), with the intent of meeting trusted networking requirements for the commercial trusted systems market place.
-04: It is currently implemented in a number of operating systems (e.g., IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris [Solaris2008]), and deployed in a number of high-security networks.

-05: It was implemented in IRIX [IRIX2008] and is currently implemented in a number of operating systems (e.g., Security-Enhanced Linux [SELinux2008], and Solaris [Solaris2008]). It is also currently deployed in a number of high-security networks.
4.14.2. Option Specification

This option is specified in [I-D.ietf-cipso-ipsecurity] and [FIPS1994]. There are zero known IP router implementations of CIPSO. Several MLS operating systems support CIPSO, generally the same MLS operating systems that support IPSO.

The TSIG proposal was taken to the Commercial Internet Security Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an
[skipping to change at page 27, line 6 (-04) / line 23 (-05)]

   RFC 1122: "The IP and transport layer MUST each interpret those IP options that they understand and silently ignore the others."

   RFC 1812: "A router MUST ignore IP options which it does not recognize."

This document adds that unrecognized IP Options MAY also be logged.
-04: A number of additional options are listed in the "IP OPTIONS NUMBERS" IANA registry [IANA-IP]. Specifically:

-05: A number of additional options are listed in the "IP OPTIONS NUMBERS" IANA registry [IANA-IP] as of the time this document was last edited. Specifically:
   Copy Class Number Value Name                                  Reference (-04 only)
   ---- ----- ------ ----- ------------------------------------- --------------------
   0    0     10     10    ZSU - Experimental Measurement        [ZSu]
   1    2     13     205   FINN - Experimental Flow Control      [Finn]
   0    0     15     15    ENCODE - ???                          [VerSteeg]
   1    0     16     144   IMITD - IMI Traffic Descriptor        [Lee]
   1    0     22     150   - Unassigned (Released 18 Oct. 2005)
The ENCODE option (type 15) has been formally obsoleted by [RFC6814].
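As an added example (not part of the draft), the following Python decodes the option type byte into the Copy/Class/Number fields shown in the registry table above, walks an IPv4 option list in the two RFC 791 formats (single-byte and type-length-data), rejects malformed lengths, and applies the RFC 1122/1812 rule quoted in this section: unrecognized options are ignored but, as this document permits, logged. The KNOWN table is an illustrative subset of the option types this page discusses, and the sample option bytes are constructed.

```python
# Added example, not from the draft: decode the IPv4 option type byte and walk
# an option list, ignoring (but logging) unrecognized options as RFC 1122 and
# RFC 1812 require. The sample bytes at the bottom are constructed.
from typing import List, Tuple

EOOL, NOP = 0, 1  # the two single-byte options of RFC 791 (no length field)

KNOWN = {0: "EOOL", 1: "NOP", 7: "RR", 68: "TS", 82: "TR", 130: "BSO",
         131: "LSRR", 133: "ESO", 134: "CIPSO", 136: "SID", 137: "SSRR",
         148: "RA"}  # illustrative subset of option types discussed on this page

def split_type(t: int) -> Tuple[int, int, int]:
    """Type byte = Copy (1 bit) | Class (2 bits) | Number (5 bits)."""
    return (t >> 7) & 1, (t >> 5) & 3, t & 31

def type_value(copy: int, cls: int, number: int) -> int:
    """Inverse of split_type; yields the Value column of the IANA table."""
    return (copy << 7) | (cls << 5) | number

def parse_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, data) pairs; raise ValueError on a malformed list."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == EOOL:  # anything after EOOL is padding and is not examined
            break
        if t == NOP:
            out.append((t, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"option type {t} at {i}: missing length byte")
        ln = opts[i + 1]
        # Length counts the type and length bytes, so it is never below 2 and
        # must not run past the option area; both are classic parser pitfalls.
        if ln < 2 or i + ln > len(opts):
            raise ValueError(f"option type {t} at {i}: bad length {ln}")
        out.append((t, opts[i + 2:i + ln]))
        i += ln
    return out

def classify(opts: bytes) -> Tuple[List[str], List[str]]:
    """Names of recognized options, plus one log line per unrecognized one."""
    names, log = [], []
    for t, data in parse_options(opts):
        if t in KNOWN:
            names.append(KNOWN[t])
        else:
            c, k, n = split_type(t)
            log.append(f"unrecognized IP option type={t} copy={c} class={k} "
                       f"number={n} len={len(data) + 2}")
    return names, log

# Constructed sample: RR (pointer 4, one address), NOP, FINN (205), EOOL.
SAMPLE = bytes([7, 7, 4, 10, 0, 0, 1, NOP, 205, 2, EOOL])
```

Running `classify(SAMPLE)` recognizes RR and NOP and emits one log line for type 205, whose Copy/Class/Number decode to 1/2/13 as in the table; a list such as `bytes([131, 1])` is rejected rather than processed.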
4.23.2. Threats

The lack of open specifications for these options makes it impossible to evaluate their security implications.

4.23.3. Operational and Interoperability Impact if Blocked
End of changes. 14 change blocks. 36 lines changed or deleted, 44 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/