draft-ietf-opsec-ip-options-filtering-07.txt   rfc7126.txt 
Operational Security Capabilities for F. Gont Internet Engineering Task Force (IETF) F. Gont
IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks Request for Comments: 7126 UTN-FRH / SI6 Networks
Internet-Draft R. Atkinson BCP: 186 R. Atkinson
Intended status: BCP Consultant Category: Best Current Practice Consultant
Expires: June 12, 2014 C. Pignataro ISSN: 2070-1721 C. Pignataro
Cisco Cisco
December 9, 2013 February 2014
Recommendations on filtering of IPv4 packets containing IPv4 options. Recommendations on Filtering of IPv4 Packets Containing IPv4 Options
draft-ietf-opsec-ip-options-filtering-07
Abstract Abstract
This document provides advice on the filtering of IPv4 packets based This document provides advice on the filtering of IPv4 packets based
on the IPv4 options they contain. Additionally, it discusses the on the IPv4 options they contain. Additionally, it discusses the
operational and interoperability implications of dropping packets operational and interoperability implications of dropping packets
based on the IP options they contain. based on the IP options they contain.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This memo documents an Internet Best Current Practice.
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It has been approved for publication by the Internet
time. It is inappropriate to use Internet-Drafts as reference Engineering Steering Group (IESG). Further information on BCPs is
material or to cite them other than as "work in progress." available in Section 2 of RFC 5741.
This Internet-Draft will expire on June 12, 2014. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7126.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology and Conventions Used in This Document . . . . 3 1.1. Terminology and Conventions Used in This Document . . . . 3
1.2. Operational Focus . . . . . . . . . . . . . . . . . . . . 4 1.2. Operational Focus . . . . . . . . . . . . . . . . . . . . 4
2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. General Security Implications of IP options . . . . . . . . . 5 3. General Security Implications of IP Options . . . . . . . . . 5
3.1. Processing Requirements . . . . . . . . . . . . . . . . . 5 3.1. Processing Requirements . . . . . . . . . . . . . . . . . 5
4. Advice on the Handling of Packets with Specific IP Options . . 7 4. Advice on the Handling of Packets with Specific IP Options . 7
4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 7 4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 7
4.2. No Operation (Type = 1) . . . . . . . . . . . . . . . . . 7 4.2. No Operation (Type = 1) . . . . . . . . . . . . . . . . . 7
4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 8 4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 8
4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 10 4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . 10
4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 11 4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 11
4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 12 4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 12
4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 13 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . 13
4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 14 4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 14
4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . 15 4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . 15
4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 16 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . 16
4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 16 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . 16
4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 17 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . 17
4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 20 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 20
4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . 22 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . 22
4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 23 4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 23
4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 23 4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 24
4.17. Address Extension (Type = 147) . . . . . . . . . . . . . . 24 4.17. Address Extension (Type = 147) . . . . . . . . . . . . . 25
4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 25 4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 25
4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 25 4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 26
4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . . 26 4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . 26
4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 27 4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 27
4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) . 28 4.22. RFC3692-Style Experiment (Types = 30, 94, 158, and 222) . 28
4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . . 28 4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . 29
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 5. Security Considerations . . . . . . . . . . . . . . . . . . . 31
6. Security Considerations . . . . . . . . . . . . . . . . . . . 30 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31 7.1. Normative References . . . . . . . . . . . . . . . . . . 31
8.1. Normative References . . . . . . . . . . . . . . . . . . . 31 7.2. Informative References . . . . . . . . . . . . . . . . . 32
8.2. Informative References . . . . . . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
1. Introduction 1. Introduction
This document discusses the filtering of IPv4 packets based on the This document discusses the filtering of IPv4 packets based on the
IPv4 options they contain. Since various protocols may use IPv4 IPv4 options they contain. Since various protocols may use IPv4
options to some extent, dropping packets based on the options they options to some extent, dropping packets based on the options they
contain may have implications on the proper functioning of the contain may have implications on the proper functioning of such
protocol. Therefore, this document attempts to discuss the protocols. Therefore, this document attempts to discuss the
operational and interoperability implications of such dropping. operational and interoperability implications of such dropping.
Additionally, it outlines what a network operator might do in a Additionally, it outlines what a network operator might do in typical
typical enterprise or Service Provider environments. This document enterprise or Service Provider environments. This document also
also draws and is partly derifed from [RFC6274], which also received draws and is partly derived from [RFC6274], which also received
review from the operational community. review from the operational community.
We note that data seems to indicate that there is a current We note that data seems to indicate that there is a current
widespread practice of blocking IPv4 optioned packets. There are widespread practice of blocking IPv4 optioned packets. There are
various plausible approaches to minimize the potential negative various plausible approaches to minimize the potential negative
effects of IPv4 optioned packets while allowing some options effects of IPv4 optioned packets while allowing some option
semantics. One approach is to allow for specific options that are semantics. One approach is to allow for specific options that are
expected or needed, and a default deny. A different approach is to expected or needed, and have a default deny. A different approach is
deny unneeded options and a default allow. Yet a third possible to deny unneeded options and have a default allow. Yet a third
approach is to allow for end-to-end semantics by ignoring options and possible approach is to allow for end-to-end semantics by ignoring
treating packets as un-optioned while in transit. Experiments and options and treating packets as un-optioned while in transit.
currently-available data tends to support the first or third Experiments and currently available data tend to support the first or
approaches as more realistic. Some results of regarding the current third approaches as more realistic. Some results regarding the
state of affairs with respect to dropping packets containing IP current state of affairs with respect to dropping packets containing
options can be found in [MEDINA] [FONSECA]. Additionally, IP options can be found in [MEDINA] and [FONSECA]. Additionally,
[BREMIER-BARR] points out that the deployed Internet already has many [BREMIER-BARR] points out that the deployed Internet already has many
routers that do not process IP options. routers that do not process IP options.
We also note that while this document provides advice on dropping We also note that while this document provides advice on dropping
packets on a "per IP option type", not all devices (routers, security packets on a "per IP option type", not all devices (routers, security
gateways, and firewalls) may provide this capability with such gateways, and firewalls) may provide this capability with such
granularity. Additionally, even in cases in which such functionality granularity. Additionally, even in cases in which such functionality
is provided, the operator might want to specify a dropping policy is provided, an operator might want to specify a dropping policy with
with a coarser granularity (rather than on a "per IP option type" a coarser granularity (rather than on a "per IP option type"
granularity), as indicated above. granularity), as indicated above.
Finally, in scenarios in which processing of IP options by Finally, in scenarios in which processing of IP options by
intermediate systems is not required, a widespread approach is to intermediate systems is not required, a widespread approach is to
simply ignore IP options, and process the corresponding packets as if simply ignore IP options and process the corresponding packets as if
they do not contain any IP options. they do not contain any IP options.
1.1. Terminology and Conventions Used in This Document 1.1. Terminology and Conventions Used in This Document
The terms "fast path", "slow path", and associated relative terms The terms "fast path", "slow path", and associated relative terms
("faster path" and "slower path") are loosely defined as in Section 2 ("faster path" and "slower path") are loosely defined as in Section 2
of [RFC6398]. of [RFC6398].
Because of the security-oriented nature of this document, we are Because of the security-oriented nature of this document, we are
deliberately including some historical citations. This is deliberately including some historical citations. The goal is to
intentional, and has the goal of explicitly retaining and showing explicitly retain and show history, as well as remove ambiguity and
history, as well as removing ambiguity and confusion. confusion.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
1.2. Operational Focus 1.2. Operational Focus
All of the recommendations in this document have been made in an All of the recommendations in this document have been made in an
effort to optimise for operational community consensus, as best the effort to optimize for operational community consensus, as best the
editors have been able to determine that. This has included not only authors have been able to determine that. This has included not only
accepting feedback from public lists, but also accepting off-list accepting feedback from public lists, but also accepting off-list
feedback from people at various network operators (e.g. ISPs, feedback from people at various network operators (e.g. Internet
content providers, educational institutions, commercial firms). Service Providers, content providers, educational institutions,
commercial firms).
2. IP Options 2. IP Options
IP options allow for the extension of the Internet Protocol. As IP options allow for the extension of the Internet Protocol. As
specified in [RFC0791], there are two cases for the format of an specified in [RFC0791], there are two cases for the format of an
option: option:
o Case 1: A single byte of option-type. o Case 1: A single byte of option-type.
o Case 2: An option-type byte, an option-length byte, and the actual o Case 2: An option-type byte, an option-length byte, and the actual
skipping to change at page 5, line 5 skipping to change at page 5, line 5
IP options of Case 2 have the following syntax: IP options of Case 2 have the following syntax:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
| option-type | option-length | option-data | option-type | option-length | option-data
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
In this case, the option-length byte counts the option-type byte and In this case, the option-length byte counts the option-type byte and
the option-length byte, as well as the actual option-data bytes. the option-length byte, as well as the actual option-data bytes.
All current and future options except "End of Option List" (Type = 0) All current and future options, except "End of Option List" (Type =
and "No Operation" (Type = 1), are of Class 2. 0) and "No Operation" (Type = 1), are of Class 2.
The option-type has three fields: The option-type has three fields:
o 1 bit: copied flag. o 1 bit: copied flag.
o 2 bits: option class. o 2 bits: option class.
o 5 bits: option number. o 5 bits: option number.
The copied flag indicates whether this option should be copied to all The copied flag indicates whether this option should be copied to all
skipping to change at page 5, line 42 skipping to change at page 5, line 42
This format allows for the creation of new options for the extension This format allows for the creation of new options for the extension
of the Internet Protocol (IP). of the Internet Protocol (IP).
Finally, the option number identifies the syntax of the rest of the Finally, the option number identifies the syntax of the rest of the
option. option.
The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the
currently assigned IP option numbers. currently assigned IP option numbers.
3. General Security Implications of IP options 3. General Security Implications of IP Options
3.1. Processing Requirements 3.1. Processing Requirements
Historically, most IP routers used a general-purpose CPU to process Historically, most IP routers used a general-purpose CPU to process
IP packets and forward them towards their destination. This same CPU IP packets and forward them towards their destinations. This same
usually also processed network management traffic (e.g., SNMP), CPU usually also processed network management traffic (e.g., SNMP),
configuration commands (e.g., command line interface), and various configuration commands (e.g., command line interface), and various
routing protocols (e.g., RIP, OSPF, BGP, IS-IS) or other control routing protocols (e.g., RIP, OSPF, BGP, IS-IS) or other control
protocols (e.g., RSVP, ICMP). In such architectures it has been protocols (e.g., RSVP, ICMP). In such architectures, it has been
common for the general-purpose CPU also to perform any packet common for the general-purpose CPU also to perform any packet
filtering that has been enabled on the router (or router interface). filtering that has been enabled on the router (or router interface).
An IP router built using this architecture often has a significant An IP router built using this architecture often has a significant
(Distributed) Denial-of-Service (DDOS) attack risk if the router Distributed Denial-of-Service (DDoS) attack risk if the router
control plane (e.g., CPU) is overwhelmed by a large number of IPv4 control plane (e.g., CPU) is overwhelmed by a large number of IPv4
packets that contain IPv4 options. packets that contain IPv4 options.
From about 1995 onwards, a growing number of IP routers have From about 1995 onwards, a growing number of IP routers have
incorporated specialized IP packet processing silicon (i.e., FPGA, incorporated silicon specialized for IP packet processing (i.e.,
ASIC), thereby separating the IP packet forwarding function from the Field-Programmable Gate Array (FPGA), Application-Specific Integrated
other functions of the router. Such router architectures tend to be Circuit (ASIC)), thereby separating the function of IP packet
more resilient to DDOS attacks that might be seen in the global forwarding from the other functions of the router. Such router
public Internet. Depending upon various implementation and architectures tend to be more resilient to DDoS attacks that might be
configuration details, routers with a silicon packet forwarding seen in the global public Internet. Depending upon various
engine can handle high volumes of IP packets containing IP Options implementation and configuration details, routers with a silicon
without any adverse impact on packet forwarding rates or on the packet-forwarding engine can handle high volumes of IP packets
router's control plane (e.g., general-purpose CPU). Some containing IP options without any adverse impact on packet-forwarding
implementations have a configuration knob simply to forward all IP rates or on the router's control plane (e.g., general-purpose CPU).
packets containing IP Options at wire-speed in silicon as if the IP Some implementations have a configuration knob simply to forward all
packet did not contain an IP option ("ignore options & forward"). IP packets containing IP options at wire-speed in silicon, as if the
Other implementations support wire-speed silicon-based packet IP packet did not contain any IP options ("ignore options &
filtering, thereby enabling packets containing certain IP options to forward"). Other implementations support wire-speed silicon-based
be selectively dropped ("drop"), packets containing certain other IP packet filtering, thereby enabling packets containing certain IP
options to have those IP options ignored ("ignore options & options to be selectively dropped ("drop"), packets containing
forward"), and other packets containing different IP options to have certain other IP options to have those IP options ignored ("ignore
those options processed, either on a general-purpose CPU or using options & forward"), and other packets containing different IP
custom logic (e.g., FPGA, ASIC), while the packet is being forwarded options to have those options processed, either on a general-purpose
("process option & forward"). CPU or using custom logic (e.g., FPGA, ASIC), while the packet is
being forwarded ("process option & forward").
Broadly speaking, any IP packet that requires processing by an IP Broadly speaking, any IP packet that requires processing by an IP
router's general-purpose CPU can be a DDOS risk to that router's router's general-purpose CPU can be a DDoS risk to that router's
general-purpose CPU (and thence to the router itself). However, at general-purpose CPU (and thus to the router itself). However, at
present, the particular architectural and engineering details of the present, the particular architectural and engineering details of the
particular IP router being considered are important to understand specific IP router being considered are important to understand when
when evaluating the operational security risks associated with a evaluating the operational security risks associated with a
particular IP packet type or IP option type. particular IP packet type or IP option type.
Operators are urged to consider IP option filtering and IP option Operators are urged to consider the capabilities of potential IP
handling capabilities of potential IP routers as they make deployment routers for IP option filtering and handling as they make deployment
decisions in future. decisions in the future.
Additional considerations for protecting the control plane from Additional considerations for protecting the control plane from
packets containing IP Options can be found in [RFC6192]. packets containing IP options can be found in [RFC6192].
Finally, in addition to advice to operators, this document also Finally, in addition to advice to operators, this document also
provides advice to router, security gateway, and firewall provides advice to router, security gateway, and firewall
implementers in terms of providing the capability to filter packets implementers in terms of providing the capability to filter packets
with different granularities: both on a "per IP option type" with different granularities: both on a "per IP option type"
granularity (to maximize flexibility) as well as more coarse filters granularity (to maximize flexibility) as well as more coarse filters
(to minimize configuration complexity). (to minimize configuration complexity).
4. Advice on the Handling of Packets with Specific IP Options 4. Advice on the Handling of Packets with Specific IP Options
skipping to change at page 7, line 22 skipping to change at page 7, line 23
dropped, and specific advice on whether to drop packets containing dropped, and specific advice on whether to drop packets containing
these options in a typical enterprise or Service Provider these options in a typical enterprise or Service Provider
environment. environment.
4.1. End of Option List (Type = 0) 4.1. End of Option List (Type = 0)
4.1.1. Uses 4.1.1. Uses
This option is used to indicate the "end of options" in those cases This option is used to indicate the "end of options" in those cases
in which the end of options would not coincide with the end of the in which the end of options would not coincide with the end of the
Internet Protocol Header. Internet Protocol header.
4.1.2. Option Specification 4.1.2. Option Specification
Specified in RFC 791 [RFC0791]. Specified in RFC 791 [RFC0791].
4.1.3. Threats 4.1.3. Threats
No specific security issues are known for this IPv4 option. No specific security issues are known for this IPv4 option.
4.1.4. Operational and Interoperability Impact if Blocked 4.1.4. Operational and Interoperability Impact if Blocked
skipping to change at page 8, line 43 skipping to change at page 8, line 43
4.3.1. Uses 4.3.1. Uses
This option lets the originating system specify a number of This option lets the originating system specify a number of
intermediate systems a packet must pass through to get to the intermediate systems a packet must pass through to get to the
destination host. Additionally, the route followed by the packet is destination host. Additionally, the route followed by the packet is
recorded in the option. The receiving host (end-system) must use the recorded in the option. The receiving host (end-system) must use the
reverse of the path contained in the received LSRR option. reverse of the path contained in the received LSRR option.
The LSSR option can be of help in debugging some network problems. The LSSR option can be of help in debugging some network problems.
Some ISP (Internet Service Provider) peering agreements require Some Internet Service Provider (ISP) peering agreements require
support for this option in the routers within the peer of the ISP. support for this option in the routers within the peer of the ISP.
4.3.2. Option Specification 4.3.2. Option Specification
Specified in RFC 791 [RFC0791]. Specified in RFC 791 [RFC0791].
4.3.3. Threats 4.3.3. Threats
The LSRR option has well-known security implications [RFC6274]. The LSRR option has well-known security implications [RFC6274].
Among other things, the option can be used to: Among other things, the option can be used to:
skipping to change at page 9, line 27 skipping to change at page 9, line 27
o Perform bandwidth-exhaustion attacks. o Perform bandwidth-exhaustion attacks.
Of these attack vectors, the one that has probably received least Of these attack vectors, the one that has probably received least
attention is the use of the LSRR option to perform bandwidth attention is the use of the LSRR option to perform bandwidth
exhaustion attacks. The LSRR option can be used as an amplification exhaustion attacks. The LSRR option can be used as an amplification
method for performing bandwidth-exhaustion attacks, as an attacker method for performing bandwidth-exhaustion attacks, as an attacker
could make a packet bounce multiple times between a number of systems could make a packet bounce multiple times between a number of systems
by carefully crafting an LSRR option. by carefully crafting an LSRR option.
This is the IPv4-version of the IPv6 amplification attack that was This is the IPv4 version of the IPv6 amplification attack that was
widely publicized in 2007 [Biondi2007]. The only difference is widely publicized in 2007 [Biondi2007]. The only difference is
that the maximum length of the IPv4 header (and hence the LSRR that the maximum length of the IPv4 header (and hence the LSRR
option) limits the amplification factor when compared to the IPv6 option) limits the amplification factor when compared to the IPv6
counter-part. counterpart.
Additionally, some implementations have been found to fail to include Additionally, some implementations have been found to fail to include
proper sanity checks on the LSRR option, thus leading to security proper sanity checks on the LSRR option, thus leading to security
issues. These specific issues are believed to be solved in all issues. These specific issues are believed to be solved in all
modern implementations. modern implementations.
[Microsoft1999] is a security advisory about a vulnerability [Microsoft1999] is a security advisory about a vulnerability
arising from improper validation of the Pointer field of the LSRR arising from improper validation of the Pointer field of the LSRR
option. option.
Finally, we note that some systems were known for providing a system- Finally, we note that some systems were known for providing a system-
wide toggle to enable support for this option for those scenarios in wide toggle to enable support for this option for those scenarios in
which this option is required. However, improper implementation of which this option is required. However, improper implementation of
such system-wide toggle caused those systems to support the LSRR such a system-wide toggle caused those systems to support the LSRR
option even when explicitly configured not to do so. option even when explicitly configured not to do so.
[OpenBSD1998] is a security advisory about an improper [OpenBSD1998] is a security advisory about an improper
implementation of such a system-wide toggle in 4.4BSD kernels. implementation of such a system-wide toggle in 4.4BSD kernels.
This issue was resolved in later versions of the corresponding This issue was resolved in later versions of the corresponding
operating system. operating system.
4.3.4. Operational and Interoperability Impact if Blocked 4.3.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the LSRR option Network troubleshooting techniques that may employ the LSRR option
(such as ping or traceroute with the appropriate arguments) would (such as ping or traceroute with the appropriate arguments) would
break when using the LSRR option (ping and traceroute without IPv4 break when using the LSRR option. (Ping and traceroute without IPv4
options are not impacted). Nevertheless, it should be noted that it options are not impacted.) Nevertheless, it should be noted that it
is virtually impossible to use the LSRR option for troubleshooting, is virtually impossible to use the LSRR option for troubleshooting,
due to widespread dropping of packets that contain such option. due to widespread dropping of packets that contain the option.
4.3.5. Advice 4.3.5. Advice
Routers, security gateways, and firewalls SHOULD implement an option- Routers, security gateways, and firewalls SHOULD implement an option-
specific configuration knob whether packets with this option are specific configuration knob to select whether packets with this
dropped, packets with this IP option are forwarded as if they did not option are dropped, packets with this IP option are forwarded as if
contain this IP option, or packets with this option are processed and they did not contain this IP option, or packets with this option are
forwarded as per [RFC0791]. The default setting for this knob SHOULD processed and forwarded as per [RFC0791]. The default setting for
be "drop", and the default setting MUST be documented. this knob SHOULD be "drop", and the default setting MUST be
documented.
Please note that treating packets with LSRR as if they did not Please note that treating packets with LSRR as if they did not
contain this option can result in such packets being sent to a contain this option can result in such packets being sent to a
different device that the initially intended destination. With different device than the initially intended destination. With
appropriate ingress filtering this should not open an attack vector appropriate ingress filtering, this should not open an attack vector
into the infrastructure. Nonetheless, it could result in traffic into the infrastructure. Nonetheless, it could result in traffic
that would never reach the initially intended destination. Dropping that would never reach the initially intended destination. Dropping
these packets prevents unnecessary network traffic, and does not make these packets prevents unnecessary network traffic and does not make
end-to-end communication any worse. end-to-end communication any worse.
4.4. Strict Source and Record Route (SSRR) (Type = 137) 4.4. Strict Source and Record Route (SSRR) (Type = 137)
4.4.1. Uses 4.4.1. Uses
This option allows the originating system to specify a number of This option allows the originating system to specify a number of
intermediate systems a packet must pass through to get to the intermediate systems a packet must pass through to get to the
destination host. Additionally, the route followed by the packet is destination host. Additionally, the route followed by the packet is
recorded in the option, and the destination host (end-system) must recorded in the option, and the destination host (end-system) must
use the reverse of the path contained in the received SSRR option. use the reverse of the path contained in the received SSRR option.
This option is similar to the Loose Source and Record Route (LSRR) This option is similar to the Loose Source and Record Route (LSRR)
option, with the only difference that in the case of SSRR, the route option, with the only difference that in the case of SSRR, the route
specified in the option is the exact route the packet must take specified in the option is the exact route the packet must take
(i.e., no other intervening routers are allowed to be in the route). (i.e., no other intervening routers are allowed to be in the route).
The SSSR option can be of help in debugging some network problems. The SSRR option can be of help in debugging some network problems.
Some ISP (Internet Service Provider) peering agreements require Some ISP peering agreements require support for this option in the
support for this option in the routers within the peer of the ISP. routers within the peer of the ISP.
4.4.2. Option Specification 4.4.2. Option Specification
Specified in RFC 791 [RFC0791]. Specified in RFC 791 [RFC0791].
4.4.3. Threats 4.4.3. Threats
The SSRR option has the same security implications as the LSRR The SSRR option has the same security implications as the LSRR
option. Please refer to Section 4.3 for a discussion of such option. Please refer to Section 4.3 for a discussion of such
security implications. security implications.
4.4.4. Operational and Interoperability Impact if Blocked 4.4.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the SSRR option Network troubleshooting techniques that may employ the SSRR option
(such as ping or traceroute with the appropriate arguments) would (such as ping or traceroute with the appropriate arguments) would
break when using the SSRR option (ping and traceroute without IPv4 break when using the SSRR option. (Ping and traceroute without IPv4
options are not impacted). Nevertheless, it should be noted that it options are not impacted.) Nevertheless, it should be noted that it
is virtually impossible to use the SSRR option for trouble-shooting, is virtually impossible to use the SSRR option for trouble-shooting,
due to widespread dropping of packets that contain such option. due to widespread dropping of packets that contain such option.
4.4.5. Advice 4.4.5. Advice
Routers, security gateways, and firewalls SHOULD implement an option- Routers, security gateways, and firewalls SHOULD implement an option-
specific configuration knob whether packets with this option are specific configuration knob to select whether packets with this
dropped, packets with this IP option are forwarded as if they did not option are dropped, packets with this IP option are forwarded as if
contain this IP option, or packets with this option are processed and they did not contain this IP option, or packets with this option are
forwarded as per [RFC0791]. The default setting for this knob SHOULD processed and forwarded as per [RFC0791]. The default setting for
be "drop", and the default setting MUST be documented. this knob SHOULD be "drop", and the default setting MUST be
documented.
Please note that treating packets with SSRR as if they did not Please note that treating packets with SSRR as if they did not
contain this option can result in such packets being sent to a contain this option can result in such packets being sent to a
different device that the initially intended destination. With different device that the initially intended destination. With
appropriate ingress filtering this should not open an attack vector appropriate ingress filtering this should not open an attack vector
into the infrastructure. Nonetheless, it could result in traffic into the infrastructure. Nonetheless, it could result in traffic
that would never reach the initially intended destination. Dropping that would never reach the initially intended destination. Dropping
these packets prevents unnecessary network traffic, and does not make these packets prevents unnecessary network traffic, and does not make
end-to-end communication any worse. end-to-end communication any worse.
skipping to change at page 12, line 15 skipping to change at page 12, line 15
4.5.3. Threats 4.5.3. Threats
This option can be exploited to map the topology of a network. This option can be exploited to map the topology of a network.
However, the limited space in the IP header limits the usefulness of However, the limited space in the IP header limits the usefulness of
this option for that purpose. this option for that purpose.
4.5.4. Operational and Interoperability Impact if Blocked 4.5.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the RR option Network troubleshooting techniques that may employ the RR option
(such as ping with the RR option) would break when using the RR (such as ping with the RR option) would break when using the RR
option (ping without IPv4 options is not impacted). Nevertheless, it option. (Ping without IPv4 options is not impacted.) Nevertheless,
should be noted that it is virtually impossible to use such it should be noted that it is virtually impossible to use such
techniques due to widespread dropping of packets that contain RR techniques due to widespread dropping of packets that contain RR
options. options.
4.5.5. Advice 4.5.5. Advice
Routers, security gateways, and firewalls SHOULD implement an option- Routers, security gateways, and firewalls SHOULD implement an option-
specific configuration knob whether packets with this option are specific configuration knob to select whether packets with this
dropped, packets with this IP option are forwarded as if they did not option are dropped, packets with this IP option are forwarded as if
contain this IP option, or packets with this option are processed and they did not contain this IP option, or packets with this option are
forwarded as per [RFC0791]. The default setting for this knob SHOULD processed and forwarded as per [RFC0791]. The default setting for
be "drop", and the default setting MUST be documented. this knob SHOULD be "drop", and the default setting MUST be
documented.
4.6. Stream Identifier (Type = 136) (obsolete) 4.6. Stream Identifier (Type = 136) (obsolete)
The Stream Identifier option originally provided a means for the 16- The Stream Identifier option originally provided a means for the
bit SATNET stream Identifier to be carried through networks that did 16-bit SATNET stream Identifier to be carried through networks that
not support the stream concept. did not support the stream concept.
However, as stated by Section 3.2.1.8 of RFC 1122 [RFC1122] and However, as stated by Section 3.2.1.8 of RFC 1122 [RFC1122] and
Section 4.2.2.1 of RFC 1812 [RFC1812], this option is obsolete. Section 4.2.2.1 of RFC 1812 [RFC1812], this option is obsolete.
Therefore, it must be ignored by the processing systems. See also Therefore, it must be ignored by the processing systems. See also
[IANA-IP] and [RFC6814]. [IANA-IP] and [RFC6814].
RFC 791 states that this option appears at most once in a given RFC 791 states that this option appears at most once in a given
datagram. Therefore, if a packet contains more than one instance of datagram. Therefore, if a packet contains more than one instance of
this option, it should be dropped, and this event should be logged this option, it should be dropped, and this event should be logged
(e.g., a counter could be incremented to reflect the packet drop). (e.g., a counter could be incremented to reflect the packet drop).
skipping to change at page 13, line 26 skipping to change at page 13, line 30
Routers, security gateways, and firewalls SHOULD drop IP packets Routers, security gateways, and firewalls SHOULD drop IP packets
containing a Stream Identifier option. containing a Stream Identifier option.
4.7. Internet Timestamp (Type = 68) 4.7. Internet Timestamp (Type = 68)
4.7.1. Uses 4.7.1. Uses
This option provides a means for recording the time at which each This option provides a means for recording the time at which each
system (or a specified set of systems) processed this datagram, and system (or a specified set of systems) processed this datagram, and
may optionally record the addresses of the systems providing the it may optionally record the addresses of the systems providing the
timestamps. timestamps.
4.7.2. Option Specification 4.7.2. Option Specification
Specified by RFC 791 [RFC0791]. Specified by RFC 791 [RFC0791].
4.7.3. Threats 4.7.3. Threats
The timestamp option has a number of security implications [RFC6274]. The timestamp option has a number of security implications [RFC6274].
Among them are: Among them are:
o It allows an attacker to obtain the current time of the systems o It allows an attacker to obtain the current time of the systems
that process the packet, which the attacker may find useful in a that process the packet, which the attacker may find useful in a
number of scenarios. number of scenarios.
o It may be used to map the network topology, in a similar way to o It may be used to map the network topology in a similar way to the
the IP Record Route option. IP Record Route option.
o It may be used to fingerprint the operating system in use by a o It may be used to fingerprint the operating system in use by a
system processing the datagram. system processing the datagram.
o It may be used to fingerprint physical devices, by analyzing the o It may be used to fingerprint physical devices by analyzing the
clock skew. clock skew.
[Kohno2005] describes a technique for fingerprinting devices by [Kohno2005] describes a technique for fingerprinting devices by
measuring the clock skew. It exploits, among other things, the measuring the clock skew. It exploits, among other things, the
timestamps that can be obtained by means of the ICMP timestamp timestamps that can be obtained by means of the ICMP timestamp
request messages [RFC0791]. However, the same fingerprinting method request messages [RFC0791]. However, the same fingerprinting method
could be implemented with the aid of the Internet Timestamp option. could be implemented with the aid of the Internet Timestamp option.
4.7.4. Operational and Interoperability Impact if Blocked 4.7.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the Internet Network troubleshooting techniques that may employ the Internet
Timestamp option (such as ping with the Timestamp option) would break Timestamp option (such as ping with the Timestamp option) would break
when using the Timestamp option (ping without IPv4 options is not when using the Timestamp option. (Ping without IPv4 options is not
impacted). Nevertheless, it should be noted that it is virtually impacted.) Nevertheless, it should be noted that it is virtually
impossible to use such techniques due to widespread dropping of impossible to use such techniques due to widespread dropping of
packets that contain Internet Timestamp options. packets that contain Internet Timestamp options.
4.7.5. Advice 4.7.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets Routers, security gateways, and firewalls SHOULD drop IP packets
containing an Internet Timestamp option. containing an Internet Timestamp option.
4.8. Router Alert (Type = 148) 4.8. Router Alert (Type = 148)
skipping to change at page 14, line 40 skipping to change at page 14, line 46
4.8.2. Option Specification 4.8.2. Option Specification
The Router Alert option is defined in RFC 2113 [RFC2113] and later The Router Alert option is defined in RFC 2113 [RFC2113] and later
updates to it have been clarified by RFC 5350 [RFC5350]. It contains updates to it have been clarified by RFC 5350 [RFC5350]. It contains
a 16-bit Value governed by an IANA registry (see [RFC5350]). a 16-bit Value governed by an IANA registry (see [RFC5350]).
4.8.3. Threats 4.8.3. Threats
The security implications of the Router Alert option have been The security implications of the Router Alert option have been
discussed in detail in [RFC6398]. Basically, the Router Alert option discussed in detail in [RFC6398]. Basically, the Router Alert option
might be exploited to perform a Denial of Service (DoS) attack by might be exploited to perform a DoS attack by exhausting CPU
exhausting CPU resources at the processing routers. resources at the processing routers.
4.8.4. Operational and Interoperability Impact if Blocked 4.8.4. Operational and Interoperability Impact if Blocked
Applications that employ the Router Alert option (such as RSVP Applications that employ the Router Alert option (such as RSVP
[RFC2205]) would break. [RFC2205]) would break.
4.8.5. Advice 4.8.5. Advice
This option SHOULD be allowed only in controlled environments, where This option SHOULD be allowed only in controlled environments, where
the option can be used safely. [RFC6398] identifies some such the option can be used safely. [RFC6398] identifies some such
environments. In unsafe environments, packets containing this option environments. In unsafe environments, packets containing this option
SHOULD be dropped. SHOULD be dropped.
A given router, security gateway, or firewall system has no way of A given router, security gateway, or firewall system has no way of
knowing a priori whether this option is valid in its operational knowing a priori whether this option is valid in its operational
environment. Therefore, routers, security gateways, and firewalls environment. Therefore, routers, security gateways, and firewalls
SHOULD, by default, ignore the Router Alert option. Additionally, SHOULD, by default, ignore the Router Alert option. Additionally,
Routers, security gateways, and firewalls SHOULD have a configuration routers, security gateways, and firewalls SHOULD have a configuration
setting that governs their reaction in the presence of packets setting that governs their reaction in the presence of packets
containing the Router Alert option. This configuration setting containing the Router Alert option. This configuration setting
SHOULD allow to honor and process the option, ignore the option, or SHOULD allow to honor and process the option, ignore the option, or
drop packets containing this option. drop packets containing this option.
4.9. Probe MTU (Type = 11) (obsolete) 4.9. Probe MTU (Type = 11) (obsolete)
4.9.1. Uses 4.9.1. Uses
This option originally provided a mechanism to discover the Path-MTU. This option originally provided a mechanism to discover the Path-MTU.
It has been declared obsolete. It has been declared obsolete.
4.9.2. Option Specification 4.9.2. Option Specification
This option was originally defined in RFC 1063 [RFC1063], and was This option was originally defined in RFC 1063 [RFC1063] and was
obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as
RFC 1191 obsoletes RFC 1063 without using IP options. RFC 1191 obsoletes RFC 1063 without using IP options.
4.9.3. Threats 4.9.3. Threats
This option is obsolete. This option could have been exploited to This option is obsolete. This option could have been exploited to
cause a host to set its PMTU estimate to an inordinately low or an cause a host to set its Path MTU (PMTU) estimate to an inordinately
inordinately high value, thereby causing performance problems. low or an inordinately high value, thereby causing performance
problems.
4.9.4. Operational and Interoperability Impact if Blocked 4.9.4. Operational and Interoperability Impact if Blocked
None None
This option is NOT employed with the modern "Path MTU Discovery" This option is NOT employed with the modern "Path MTU Discovery"
(PMTUD) mechanism [RFC1191], which employs special ICMP messages (PMTUD) mechanism [RFC1191], which employs special ICMP messages
(Type 3, Code 4) in combination with the IP DF bit. PLPMTUD (Type 3, Code 4) in combination with the IP DF bit. Packetization
[RFC4821] can perform PMTUD without the need of any special Layer PMTUD (PLPMTUD) [RFC4821] can perform PMTUD without the need
packets. for any special packets.
4.9.5. Advice 4.9.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets that Routers, security gateways, and firewalls SHOULD drop IP packets that
contain a Probe MTU option. contain a Probe MTU option.
4.10. Reply MTU (Type = 12) (obsolete) 4.10. Reply MTU (Type = 12) (obsolete)
4.10.1. Uses 4.10.1. Uses
This option and originally provided a mechanism to discover the Path- This option originally provided a mechanism to discover the Path-MTU.
MTU. It is now obsolete. It is now obsolete.
4.10.2. Option Specification 4.10.2. Option Specification
This option was originally defined in RFC 1063 [RFC1063], and was This option was originally defined in RFC 1063 [RFC1063] and was
obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as
RFC 1191 obsoletes RFC 1063 without using IP options. RFC 1191 obsoletes RFC 1063 without using IP options.
4.10.3. Threats 4.10.3. Threats
This option is obsolete. This option could have been exploited to This option is obsolete. This option could have been exploited to
cause a host to set its PMTU estimate to an inordinately low or an cause a host to set its PMTU estimate to an inordinately low or an
inordinately high value, thereby causing performance problems. inordinately high value, thereby causing performance problems.
4.10.4. Operational and Interoperability Impact if Blocked 4.10.4. Operational and Interoperability Impact if Blocked
skipping to change at page 17, line 9 skipping to change at page 17, line 15
4.11.2. Option Specification 4.11.2. Option Specification
This option was originally specified by RFC 1393 [RFC1393] as This option was originally specified by RFC 1393 [RFC1393] as
"experimental", and it was never widely deployed on the public "experimental", and it was never widely deployed on the public
Internet. This option has been formally obsoleted by [RFC6814]. Internet. This option has been formally obsoleted by [RFC6814].
4.11.3. Threats 4.11.3. Threats
This option is obsolete. Because this option required each router in This option is obsolete. Because this option required each router in
the path both to provide special processing and to send an ICMP the path both to provide special processing and to send an ICMP
message, it could have been exploited to perform a Denial of Service message, it could have been exploited to perform a DoS attack by
(DoS) attack by exhausting CPU resources at the processing routers. exhausting CPU resources at the processing routers.
4.11.4. Operational and Interoperability Impact if Blocked 4.11.4. Operational and Interoperability Impact if Blocked
None None
4.11.5. Advice 4.11.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets that Routers, security gateways, and firewalls SHOULD drop IP packets that
contain a Traceroute option. contain a Traceroute option.
4.12. DoD Basic Security Option (Type = 130) 4.12. DoD Basic Security Option (Type = 130)
4.12.1. Uses 4.12.1. Uses
This option is used by Multi-Level-Secure (MLS) end-systems and This option [RFC1108] is used by Multi-Level Secure (MLS) end-systems
intermediate systems in specific environments to [RFC1108]: and intermediate systems in specific environments to:
o Transmit from source to destination in a network standard o transmit from source to destination in a network standard
representation the common security labels required by computer representation the common security labels required by computer
security models [Landwehr81], security models [Landwehr81],
o validate the datagram as appropriate for transmission from the o validate the datagram as appropriate for transmission from the
source and delivery to the destination, and, source and delivery to the destination, and,
o ensure that the route taken by the datagram is protected to the o ensure that the route taken by the datagram is protected to the
level required by all protection authorities indicated on the level required by all protection authorities indicated on the
datagram. datagram.
skipping to change at page 17, line 46 skipping to change at page 18, line 4
level required by all protection authorities indicated on the level required by all protection authorities indicated on the
datagram. datagram.
The DoD Basic Security Option (BSO) was implemented in IRIX The DoD Basic Security Option (BSO) was implemented in IRIX
[IRIX2008] and is currently implemented in a number of operating [IRIX2008] and is currently implemented in a number of operating
systems (e.g., Security-Enhanced Linux [SELinux2008], Solaris systems (e.g., Security-Enhanced Linux [SELinux2008], Solaris
[Solaris2008], and Cisco IOS [Cisco-IPSO]). It is also currently [Solaris2008], and Cisco IOS [Cisco-IPSO]). It is also currently
deployed in a number of high-security networks. These networks are deployed in a number of high-security networks. These networks are
typically either in physically secure locations, protected by typically either in physically secure locations, protected by
military/governmental communications security equipment, or both. military/governmental communications security equipment, or both.
Such networks are typically built using commercial off-the-shelf Such networks are typically built using commercial off-the-shelf
(COTS) IP routers and Ethernet switches, but are not normally (COTS) IP routers and Ethernet switches, but they are not normally
interconnected with the global public Internet. Multi-Level Secure interconnected with the global public Internet. MLS systems are much
(MLS) systems are much more widely deployed now than they were at the more widely deployed now than they were at the time the then-IESG
time the then-IESG decided to remove IPSO (IP Security Options) from decided to remove IPSO (IP Security Options) from the IETF Standards
the IETF standards-track. Since nearly all MLS systems also support Track. Since nearly all MLS systems also support IPSO BSO and IPSO
IPSO BSO and IPSO ESO, this option is believed to have more ESO, this option is believed to have more deployment now than when
deployment now than when the IESG removed this option from the IETF the IESG removed this option from the IETF Standards Track.
standards-track. [RFC5570] describes a similar option recently [RFC5570] describes a similar option recently defined for IPv6 and
defined for IPv6 and has much more detailed explanations of how has much more detailed explanations of how sensitivity label options
sensitivity label options are used in real-world deployments. are used in real-world deployments.
4.12.2. Option Specification 4.12.2. Option Specification
It is specified by RFC 1108 [RFC1108]], which obsoleted RFC 1038 It is specified by RFC 1108 [RFC1108], which obsoleted RFC 1038
[RFC1038] (which in turn obsoleted the Security Option defined in RFC [RFC1038] (which in turn obsoleted the Security Option defined in RFC
791 [RFC0791]). 791 [RFC0791]).
RFC 791 [RFC0791] defined the "Security Option" (Type = 130), RFC 791 [RFC0791] defined the "Security Option" (Type = 130),
which used the same option type as the DoD Basic Security option which used the same option type as the DoD Basic Security option
discussed in this section. Later, RFC 1038 [RFC1038] revised the discussed in this section. Later, RFC 1038 [RFC1038] revised the
IP security options, and in turn was obsoleted by RFC 1108 IP security options, and in turn was obsoleted by RFC 1108
[RFC1108]. The "Security Option" specified in RFC 791 is [RFC1108]. The "Security Option" specified in RFC 791 is
considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122] and considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122] and
Section 4.2.2.1 of RFC 1812 [RFC1812], and therefore the Section 4.2.2.1 of RFC 1812 [RFC1812], and therefore the
discussion in this section is focused on the DoD Basic Security discussion in this section is focused on the DoD Basic Security
option specified by RFC 1108 [RFC1108]. option specified by RFC 1108 [RFC1108].
Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement
this option". [this option]".
Some private IP networks consider IP router-based per-interface Some private IP networks consider IP router-based per-interface
selective filtering of packets based on (a) the presence of an selective filtering of packets based on (a) the presence of an
IPSO option (including BSO and ESO) and (b) based on the contents IPSO option (including BSO and ESO) and (b) the contents of that
of that IPSO option to be important for operational security IPSO option to be important for operational security reasons. The
reasons. The recent IPv6 CALIPSO option specification discusses recent IPv6 Common Architecture Label IPv6 Security Option
this in additional detail, albeit in an IPv6 context [RFC5570]. (CALIPSO) specification discusses this in additional detail,
albeit in an IPv6 context [RFC5570].
Such private IP networks commonly are built using both commercial Such private IP networks commonly are built using both commercial
and open-source products - for hosts, guards, firewalls, switches, and open-source products -- for hosts, guards, firewalls,
routers, etc. Some commercial IP routers support this option, as switches, routers, etc. Some commercial IP routers support this
do some IP routers which are built on top of Multi-Level Secure option, as do some IP routers that are built on top of MLS
(MLS) operating systems (e.g., on top of Trusted Solaris operating systems (e.g., on top of Trusted Solaris [Solaris2008]
[Solaris2008] or Security-Enhanced Linux [SELinux2008]). or Security-Enhanced Linux [SELinux2008]).
For example, many Cisco routers that run Cisco IOS include support For example, many Cisco routers that run Cisco IOS include support
for selectively filtering packets that contain the IP Security for selectively filtering packets that contain the IP Security
Options (IPSO) with per-interface granularity. This capability Options (IPSO) with per-interface granularity. This capability
has been present in many Cisco routers since the early 1990s has been present in many Cisco routers since the early 1990s
[Cisco-IPSO-Cmds]. Some government sector products reportedly [Cisco-IPSO-Cmds]. Some government-sector products reportedly
also support the IP Security Options (IPSO), for example CANEWARE also support the IP Security Options (IPSO), for example, CANEWARE
[RFC4949]. [RFC4949].
Support for the IPSO Basic Security Option also is included in the Support for the IPSO Basic Security Option also is included in the
"IPsec Configuration Policy Information Model" [RFC3585] and in "IPsec Configuration Policy Information Model" [RFC3585] and in
the "IPsec Security Policy Database Configuration MIB" [RFC4807]. the "IPsec Security Policy Database Configuration MIB" [RFC4807].
Section 4.6.1 of the IP Security Domain of Interpretation Section 4.6.1 of the IP Security Domain of Interpretation
[RFC2407] includes support for labeled IPsec security associations [RFC2407] includes support for labeled IPsec security associations
compatible with the IP Security Options. compatible with the IP Security Options. (Note: RFC 2407 was
obsoleted by [RFC4306], which was obsoleted by [RFC5996].)
4.12.3. Threats 4.12.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat. Packets with this option ought not normally be specific new threat. Packets with this option ought not normally be
seen on the global public Internet. seen on the global public Internet.
4.12.4. Operational and Interoperability Impact if Blocked 4.12.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labeled. In some cases, the receiver might receive is not properly labeled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose BSO was stripped by an received data from the packet whose BSO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
sensitivity label can cause the received information either to be sensitivity label can cause the received information either to be
handled as more sensitive than it really is ("upgrading") or as less handled as more sensitive than it really is ("upgrading") or as less
sensitive than it really is ("downgrading"), either of which is sensitive than it really is ("downgrading"), either of which is
problematic. problematic.
4.12.5. Advice 4.12.5. Advice
skipping to change at page 19, line 51 skipping to change at page 20, line 16
is needed if either the option is dropped or IP packets containing is needed if either the option is dropped or IP packets containing
this option are dropped, but no harm results if the option is carried this option are dropped, but no harm results if the option is carried
in environments where it is not needed, the default configuration in environments where it is not needed, the default configuration
SHOULD NOT (a) modify or remove this IP option or (b) drop an IP SHOULD NOT (a) modify or remove this IP option or (b) drop an IP
packet because the IP packet contains this option. packet because the IP packet contains this option.
A given IP router, security gateway, or firewall MAY be configured to A given IP router, security gateway, or firewall MAY be configured to
drop this option or to drop IP packets containing this option in an drop this option or to drop IP packets containing this option in an
environment known to not use this option. environment known to not use this option.
For auditing reasons, Routers, security gateways, and firewalls For auditing reasons, routers, security gateways, and firewalls
SHOULD be capable of logging the numbers of packets containing the SHOULD be capable of logging the numbers of packets containing the
BSO on a per-interface basis. Also, Routers, security gateways, and BSO on a per-interface basis. Also, routers, security gateways, and
firewalls SHOULD be capable of dropping packets based on the BSO firewalls SHOULD be capable of dropping packets based on the BSO
presence as well as the BSO values. presence as well as the BSO values.
4.13. DoD Extended Security Option (Type = 133) 4.13. DoD Extended Security Option (Type = 133)
4.13.1. Uses 4.13.1. Uses
This option permits additional security labeling information, beyond This option permits additional security labeling information, beyond
that present in the Basic Security Option (Section 4.12), to be that present in the Basic Security Option (Section 4.12), to be
supplied in an IP datagram to meet the needs of registered supplied in an IP datagram to meet the needs of registered
skipping to change at page 20, line 30 skipping to change at page 20, line 44
[RFC1108]. [RFC1108].
Some private IP networks consider IP router-based per-interface Some private IP networks consider IP router-based per-interface
selective filtering of packets based on (a) the presence of an selective filtering of packets based on (a) the presence of an
IPSO option (including BSO and ESO) and (b) based on the contents IPSO option (including BSO and ESO) and (b) based on the contents
of that IPSO option to be important for operational security of that IPSO option to be important for operational security
reasons. The recent IPv6 CALIPSO option specification discusses reasons. The recent IPv6 CALIPSO option specification discusses
this in additional detail, albeit in an IPv6 context [RFC5570]. this in additional detail, albeit in an IPv6 context [RFC5570].
Such private IP networks commonly are built using both commercial Such private IP networks commonly are built using both commercial
and open-source products - for hosts, guards, firewalls, switches, and open-source products -- for hosts, guards, firewalls,
routers, etc. Some commercial IP routers support this option, as switches, routers, etc. Some commercial IP routers support this
do some IP routers which are built on top of Multi-Level Secure option, as do some IP routers that are built on top of MLS
(MLS) operating systems (e.g., on top of Trusted Solaris operating systems (e.g., on top of Trusted Solaris [Solaris2008]
[Solaris2008] or Security-Enhanced Linux [SELinux2008]). or Security-Enhanced Linux [SELinux2008]).
For example, many Cisco routers that run Cisco IOS include support For example, many Cisco routers that run Cisco IOS include support
for selectively filtering packets that contain the IP Security for selectively filtering packets that contain the IP Security
Options (IPSO) with per-interface granularity. This capability Options (IPSO) with per-interface granularity. This capability
has been present in many Cisco routers since the early 1990s has been present in many Cisco routers since the early 1990s
[Cisco-IPSO-Cmds]. Some government sector products reportedly [Cisco-IPSO-Cmds]. Some government sector products reportedly
also support the IP Security Options (IPSO), for example CANEWARE also support the IP Security Options (IPSO), for example, CANEWARE
[RFC4949]. [RFC4949].
Support for the IPSO Extended Security Option also is included in Support for the IPSO Extended Security Option also is included in
the "IPsec Configuration Policy Information Model" [RFC3585] and the "IPsec Configuration Policy Information Model" [RFC3585] and
in the "IPsec Security Policy Database Configuration MIB" in the "IPsec Security Policy Database Configuration MIB"
[RFC4807]. Section 4.6.1 of the IP Security Domain of [RFC4807]. Section 4.6.1 of the IP Security Domain of
Interpretation [RFC2407] includes support for labeled IPsec Interpretation [RFC2407] includes support for labeled IPsec
security associations compatible with the IP Security Options. security associations compatible with the IP Security Options.
4.13.3. Threats 4.13.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat. Packets with this option ought not normally be specific new threat. Packets with this option ought not normally be
seen on the global public Internet. seen on the global public Internet.
4.13.4. Operational and Interoperability Impact if Blocked 4.13.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labeled. In some cases, the receiver might receive is not properly labeled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose ESO was stripped by an received data from the packet whose ESO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
sensitivity label can cause the received information either to be sensitivity label can cause the received information either to be
handled as more sensitive than it really is ("upgrading") or as less handled as more sensitive than it really is ("upgrading") or as less
sensitive than it really is ("downgrading"), either of which is sensitive than it really is ("downgrading"), either of which is
problematic. problematic.
4.13.5. Advice 4.13.5. Advice
skipping to change at page 21, line 44 skipping to change at page 22, line 9
is needed if either the option is dropped or IP packets containing is needed if either the option is dropped or IP packets containing
this option are dropped, but no harm results if the option is carried this option are dropped, but no harm results if the option is carried
in environments where it is not needed, the default configuration in environments where it is not needed, the default configuration
SHOULD NOT (a) modify or remove this IP option or (b) drop an IP SHOULD NOT (a) modify or remove this IP option or (b) drop an IP
packet because the IP packet contains this option. packet because the IP packet contains this option.
A given IP router, security gateway, or firewall MAY be configured to A given IP router, security gateway, or firewall MAY be configured to
drop this option or to drop IP packets containing this option in an drop this option or to drop IP packets containing this option in an
environment known to not use this option. environment known to not use this option.
For auditing reasons, Routers, security gateways, and firewalls For auditing reasons, routers, security gateways, and firewalls
SHOULD be capable of logging the numbers of packets containing the SHOULD be capable of logging the numbers of packets containing the
ESO on a per-interface basis. Also, Routers, security gateways, and ESO on a per-interface basis. Also, routers, security gateways, and
firewalls SHOULD be capable of dropping packets based on the ESO firewalls SHOULD be capable of dropping packets based on the ESO
presence as well as the ESO values. presence as well as the ESO values.
4.14. Commercial IP Security Option (CIPSO) (Type = 134) 4.14. Commercial IP Security Option (CIPSO) (Type = 134)
4.14.1. Uses 4.14.1. Uses
This option was proposed by the Trusted Systems Interoperability This option was proposed by the Trusted Systems Interoperability
Group (TSIG), with the intent of meeting trusted networking Group (TSIG), with the intent of meeting trusted networking
requirements for the commercial trusted systems market place. requirements for the commercial trusted systems marketplace.
It was implemented in IRIX [IRIX2008] and is currently implemented in It was implemented in IRIX [IRIX2008] and is currently implemented in
a number of operating systems (e.g., Security-Enhanced Linux a number of operating systems (e.g., Security-Enhanced Linux
[SELinux2008], and Solaris [Solaris2008]). It is also currently [SELinux2008] and Solaris [Solaris2008]). It is also currently
deployed in a number of high-security networks. deployed in a number of high-security networks.
4.14.2. Option Specification 4.14.2. Option Specification
This option is specified in [I-D.ietf-cipso-ipsecurity] and This option is specified in [CIPSO] and [FIPS1994]. There are zero
[FIPS1994]. There are zero known IP router implementations of CIPSO. known IP router implementations of CIPSO. Several MLS operating
Several MLS operating systems support CIPSO, generally the same MLS systems support CIPSO, generally the same MLS operating systems that
operating systems that support IPSO. support IPSO.
The TSIG proposal was taken to the Commercial Internet Security The TSIG proposal was taken to the Commercial Internet Security
Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an
Internet-Draft was produced [I-D.ietf-cipso-ipsecurity]. The Internet-Draft was produced [CIPSO]. The Internet-Draft was never
Internet-Draft was never published as an RFC, but the proposal was published as an RFC, but the proposal was later standardized by
later standardized by the U.S. National Institute of Standards and the U.S. National Institute of Standards and Technology (NIST) as
Technology (NIST) as "Federal Information Processing Standard "Federal Information Processing Standard Publication 188"
Publication 188" [FIPS1994]. [FIPS1994].
4.14.3. Threats 4.14.3. Threats
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat. Packets with this option ought not normally be specific new threat. Packets with this option ought not normally be
seen on the global public Internet. seen on the global public Internet.
4.14.4. Operational and Interoperability Impact if Blocked 4.14.4. Operational and Interoperability Impact if Blocked
If packets with this option are blocked or if the option is stripped If packets with this option are blocked or if the option is stripped
from the packet during transmission from source to destination, then from the packet during transmission from source to destination, then
the packet itself is likely to be dropped by the receiver because it the packet itself is likely to be dropped by the receiver because it
isn't properly labeled. In some cases, the receiver might receive is not properly labeled. In some cases, the receiver might receive
the packet but associate an incorrect sensitivity label with the the packet but associate an incorrect sensitivity label with the
received data from the packet whose CIPSO was stripped by an received data from the packet whose CIPSO was stripped by an
intermediate router or firewall. Associating an incorrect intermediate router or firewall. Associating an incorrect
sensitivity label can cause the received information either to be sensitivity label can cause the received information either to be
handled as more sensitive than it really is ("upgrading") or as less handled as more sensitive than it really is ("upgrading") or as less
sensitive than it really is ("downgrading"), either of which is sensitive than it really is ("downgrading"), either of which is
problematic. problematic.
4.14.5. Advice 4.14.5. Advice
Because of the design of this option, with variable syntax and Because of the design of this option, with variable syntax and
variable length, it is not practical to support specialized filtering variable length, it is not practical to support specialized filtering
using the CIPSO information. No routers or firewalls are known to using the CIPSO information. No routers or firewalls are known to
support this option. However, Routers, security gateways, and support this option. However, routers, security gateways, and
firewalls SHOULD NOT by default modify or remove this option from IP firewalls SHOULD NOT by default modify or remove this option from IP
packets and SHOULD NOT by default drop packets because they contain packets and SHOULD NOT by default drop packets because they contain
this option. For auditing reasons, routers, security gateways, and this option. For auditing reasons, routers, security gateways, and
firewalls SHOULD be capable of logging the numbers of packets firewalls SHOULD be capable of logging the numbers of packets
containing the CIPSO on a per-interface basis. Also, Routers, containing the CIPSO on a per-interface basis. Also, routers,
security gateways, and firewalls SHOULD be capable of dropping security gateways, and firewalls SHOULD be capable of dropping
packets based on the CIPSO presence. packets based on the CIPSO presence.
4.15. VISA (Type = 142) 4.15. VISA (Type = 142)
4.15.1. Uses 4.15.1. Uses
This options was part of an experiment at USC and was never widely This options was part of an experiment at the University of Southern
deployed. California (USC) and was never widely deployed.
4.15.2. Option Specification 4.15.2. Option Specification
The original option specification is not publicly available. This The original option specification is not publicly available. This
option has been formally obsoleted by [RFC6814]. option has been formally obsoleted by [RFC6814].
4.15.3. Threats 4.15.3. Threats
Not possible to determine (other the general security implications of Not possible to determine (other than the general security
IP options discussed in Section 3), since the corresponding implications of IP options discussed in Section 3), since the
specification is not publicly available. corresponding specification is not publicly available.
4.15.4. Operational and Interoperability Impact if Blocked 4.15.4. Operational and Interoperability Impact if Blocked
None. None.
4.15.5. Advice 4.15.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets that Routers, security gateways, and firewalls SHOULD drop IP packets that
contain this option. contain this option.
4.16. Extended Internet Protocol (Type = 145) 4.16. Extended Internet Protocol (Type = 145)
4.16.1. Uses 4.16.1. Uses
The EIP option was introduced by one of the proposals submitted The EIP option was introduced by one of the proposals submitted
during the IPng efforts to address the problem of IPv4 address during the IP Next Generation (IPng) efforts to address the problem
exhaustion. of IPv4 address exhaustion.
4.16.2. Option Specification 4.16.2. Option Specification
Specified in [RFC1385]. This option has been formally obsoleted by Specified in [RFC1385]. This option has been formally obsoleted by
[RFC6814]. [RFC6814].
4.16.3. Threats 4.16.3. Threats
This option is obsolete. This option was used (or was intended to be This option is obsolete. This option was used (or was intended to be
used) to signal that a packet superficially similar to an IPv4 packet used) to signal that a packet superficially similar to an IPv4 packet
actually containted a different protocol, opening up the possibility actually contained a different protocol, opening up the possibility
that an IPv4 node that simply ignored this option would process a that an IPv4 node that simply ignored this option would process a
received packet in a manner inconsistent with the intent of the received packet in a manner inconsistent with the intent of the
sender. There are no know threats arising from this option, other sender. There are no known threats arising from this option, other
than the general security implications of IP options discussed in than the general security implications of IP options discussed in
Section 3. Section 3.
4.16.4. Operational and Interoperability Impact if Blocked 4.16.4. Operational and Interoperability Impact if Blocked
None. None.
4.16.5. Advice 4.16.5. Advice
Routers, security gateways, and firewalls SHOULD drop packets that Routers, security gateways, and firewalls SHOULD drop packets that
skipping to change at page 24, line 45 skipping to change at page 25, line 20
submitted during the IPng efforts to address the problem of IPv4 submitted during the IPng efforts to address the problem of IPv4
address exhaustion. address exhaustion.
4.17.2. Option Specification 4.17.2. Option Specification
Specified in [RFC1475]. This option has been formally obsoleted by Specified in [RFC1475]. This option has been formally obsoleted by
[RFC6814]. [RFC6814].
4.17.3. Threats 4.17.3. Threats
There are no know threats arising from this option, other than the There are no known threats arising from this option, other than the
general security implications of IP options discussed in Section 3. general security implications of IP options discussed in Section 3.
4.17.4. Operational and Interoperability Impact if Blocked 4.17.4. Operational and Interoperability Impact if Blocked
None. None.
4.17.5. Advice 4.17.5. Advice
Routers, security gateways, and firewalls SHOULD drop packets that Routers, security gateways, and firewalls SHOULD drop packets that
contain this option. contain this option.
skipping to change at page 25, line 25 skipping to change at page 25, line 47
addresses included in the option. addresses included in the option.
4.18.2. Option Specification 4.18.2. Option Specification
This option is specified in RFC 1770 [RFC1770]. It has been formally This option is specified in RFC 1770 [RFC1770]. It has been formally
obsoleted by [RFC6814]. obsoleted by [RFC6814].
4.18.3. Threats 4.18.3. Threats
This option could have been exploited for bandwidth-amplification in This option could have been exploited for bandwidth-amplification in
Denial of Service (DoS) attacks. DoS attacks.
4.18.4. Operational and Interoperability Impact if Blocked 4.18.4. Operational and Interoperability Impact if Blocked
None. None.
4.18.5. Advice 4.18.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets that Routers, security gateways, and firewalls SHOULD drop IP packets that
contain a Sender Directed Multi-Destination Delivery option. contain a Sender Directed Multi-Destination Delivery option.
4.19. Dynamic Packet State (Type = 151) 4.19. Dynamic Packet State (Type = 151)
4.19.1. Uses 4.19.1. Uses
The Dynamic Packet State option was used to specify specified Dynamic The Dynamic Packet State option was used to specify the Dynamic
Packet State (DPS) in the context of the differentiated service Packet State (DPS) in the context of the differentiated services
architecture. architecture.
4.19.2. Option Specification 4.19.2. Option Specification
The Dynamic Packet State option was specified in The Dynamic Packet State option was specified in [DIFFSERV-DPS]. The
[I-D.stoica-diffserv-dps]. The aforementioned document was meant to aforementioned document was meant to be published as "Experimental",
be published as "Experimental", but never made it into an RFC. This but never made it into an RFC. This option has been formally
option has been formally obsoleted by [RFC6814]. obsoleted by [RFC6814].
4.19.3. Threats 4.19.3. Threats
Possible threats include theft of service and Denial of Service. Possible threats include theft of service and denial of service.
However, we note that is option has never been widely implemented or However, we note that this option has never been widely implemented
deployed. or deployed.
4.19.4. Operational and Interoperability Impact if Blocked 4.19.4. Operational and Interoperability Impact if Blocked
None. None.
4.19.5. Advice 4.19.5. Advice
Routers, security gateways, and firewalls SHOULD drop packets that Routers, security gateways, and firewalls SHOULD drop packets that
contain this option. contain this option.
4.20. Upstream Multicast Pkt. (Type = 152) 4.20. Upstream Multicast Pkt. (Type = 152)
4.20.1. Uses 4.20.1. Uses
This option was meant to solve the problem of doing upstream This option was meant to solve the problem of doing upstream
forwarding of multicast packets on a multi-access LAN. forwarding of multicast packets on a multi-access LAN.
4.20.2. Option Specification 4.20.2. Option Specification
This option was originally specified in [I-D.farinacci-bidir-pim]. This option was originally specified in [BIDIR-TREES]. It was never
It was never formally standardized in the RFC series, and was never formally standardized in the RFC series and was never widely
widely implemented and deployed. Its use was obsoleted by [RFC5015], implemented and deployed. Its use was obsoleted by [RFC5015], which
which employs a control plane mechanism to solve the problem of doing employs a control-plane mechanism to solve the problem of doing
upstream forwarding of multicast packets on a multi-access LAN. This upstream forwarding of multicast packets on a multi-access LAN. This
option has been formally obsoleted by [RFC6814]. option has been formally obsoleted by [RFC6814].
4.20.3. Threats 4.20.3. Threats
This option is obsolete. A router that ignored this option instead This option is obsolete. A router that ignored this option instead
of processing it as specified in [I-D.farinacci-bidir-pim] could have of processing it as specified in [BIDIR-TREES] could have forwarded
forwarded multicast packets to an unintended destination. multicast packets to an unintended destination.
4.20.4. Operational and Interoperability Impact if Blocked 4.20.4. Operational and Interoperability Impact if Blocked
None. None.
4.20.5. Advice 4.20.5. Advice
Routers, security gateways, and firewalls SHOULD drop packets that Routers, security gateways, and firewalls SHOULD drop packets that
contain this option. contain this option.
skipping to change at page 27, line 24 skipping to change at page 27, line 42
4.21.2. Option Specification 4.21.2. Option Specification
Specified in RFC 4782 [RFC4782], on the "Experimental" track. Specified in RFC 4782 [RFC4782], on the "Experimental" track.
4.21.3. Threats 4.21.3. Threats
Section 9.6 of [RFC4782] notes that Quick-Start is vulnerable to two Section 9.6 of [RFC4782] notes that Quick-Start is vulnerable to two
kinds of attacks: kinds of attacks:
o Attacks to increase the routers' processing and state load, and, o attacks to increase the routers' processing and state load, and,
o attacks with bogus Quick-Start Requests to temporarily tie up o attacks with bogus Quick-Start Requests to temporarily tie up
available Quick-Start bandwidth, preventing routers from approving available Quick-Start bandwidth, preventing routers from approving
Quick-Start Requests from other connections. Quick-Start Requests from other connections.
4.21.4. Operational and Interoperability Impact if Blocked 4.21.4. Operational and Interoperability Impact if Blocked
The Quick-Start functionality would be disabled, and additional The Quick-Start functionality would be disabled, and additional
delays in e.g., TCP's connection establishment could be introduced delays in TCP's connection establishment (for example) could be
(please see Section 4.7.2 of [RFC4782]. We note, however, that introduced. (Please see Section 4.7.2 of [RFC4782].) We note,
Quick-Start has been proposed as mechanism that could be of use in however, that Quick-Start has been proposed as a mechanism that could
controlled environments, and not as a mechanism that would be be of use in controlled environments, and not as a mechanism that
intended or appropriate for ubiquitous deployment in the global would be intended or appropriate for ubiquitous deployment in the
Internet [RFC4782]. global Internet [RFC4782].
4.21.5. Advice 4.21.5. Advice
A given router, security gateway, or firewall system has no way of A given router, security gateway, or firewall system has no way of
knowing a priori whether this option is valid in its operational knowing a priori whether this option is valid in its operational
environment. Therefore, routers, security gateways, and firewalls environment. Therefore, routers, security gateways, and firewalls
SHOULD, by default, ignore the Quick Start option. Additionally, SHOULD, by default, ignore the Quick-Start option. Additionally,
Routers, security gateways, and firewalls SHOULD have a configuration routers, security gateways, and firewalls SHOULD have a configuration
setting that governs their reaction in the presence of packets setting that governs their reaction in the presence of packets
containing the Quick Start option. This configuration setting SHOULD containing the Quick-Start option. This configuration setting SHOULD
allow to honor and process the option, ignore the option, or drop allow to honor and process the option, ignore the option, or drop
packets containing this option. The default configuration is to packets containing this option. The default configuration is to
ignore the Quick Start option. ignore the Quick-Start option.
We note that if routers in a given environment do not implement We note that if routers in a given environment do not implement
and enable the Quick-Start mechanism, only the general security and enable the Quick-Start mechanism, only the general security
implications of IP options (discussed in Section 3) would apply. implications of IP options (discussed in Section 3) would apply.
4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) 4.22. RFC3692-Style Experiment (Types = 30, 94, 158, and 222)
Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all
defined values of the "copy" and "class" fields for RFC3692-style defined values of the "copy" and "class" fields for RFC3692-style
experiments. This results in four distinct option type codes: 30, experiments. This results in four distinct option type codes: 30,
94, 158, and 222. 94, 158, and 222.
4.22.1. Uses 4.22.1. Uses
It is only appropriate to use these values in explicitly configured It is only appropriate to use these values in explicitly configured
experiments; they MUST NOT be shipped as defaults in implementations. experiments; they MUST NOT be shipped as defaults in implementations.
skipping to change at page 28, line 38 skipping to change at page 29, line 13
No specific security issues are known for this IPv4 option. No specific security issues are known for this IPv4 option.
4.22.4. Operational and Interoperability Impact if Blocked 4.22.4. Operational and Interoperability Impact if Blocked
None. None.
4.22.5. Advice 4.22.5. Advice
Routers, security gateways, and firewalls SHOULD have configuration Routers, security gateways, and firewalls SHOULD have configuration
knobs for IP packets that contain RFC3692-style Experiment options to knobs for IP packets that contain RFC3692-style Experiment options to
select between "ignore & forward" and "drop & log"). Otherwise, no select between "ignore & forward" and "drop & log". Otherwise, no
legitimate experiment using these options will be able to traverse legitimate experiment using these options will be able to traverse
any IP router. any IP router.
Special care needs to be taken in the case of "drop & log". Devices Special care needs to be taken in the case of "drop & log". Devices
SHOULD count the number of packets dropped, but the logging of drop SHOULD count the number of packets dropped, but the logging of drop
events SHOULD be limited to not overburden device resources. events SHOULD be limited so as to not overburden device resources.
The aforementioned configuration knob SHOULD default to "drop & log". The aforementioned configuration knob SHOULD default to "drop & log".
4.23. Other IP Options 4.23. Other IP Options
4.23.1. Specification 4.23.1. Specification
Unrecognized IP Options are to be ignored. Section 3.2.1.8 of RFC Unrecognized IP options are to be ignored. Section 3.2.1.8 of RFC
1122 [RFC1122] and Section 4.2.2.6 of RFC 1812 [RFC1812] specify this 1122 [RFC1122] specifies this behavior as follows:
behavior as follows:
RFC 1122: "The IP and transport layer MUST each interpret those IP The IP and transport layer MUST each interpret those IP options
options that they understand and silently ignore the that they understand and silently ignore the others.
others."
RFC 1812: "A router MUST ignore IP options which it does not Additionally, Section 4.2.2.6 of RFC 1812 [RFC1812] specifies it as
recognize." follows:
This document adds that unrecognized IP Options MAY also be logged. A router MUST ignore IP options which it does not recognize.
This document adds that unrecognized IP options MAY also be logged.
Further, routers, security gateways, and firewalls MUST provide the Further, routers, security gateways, and firewalls MUST provide the
ability to log drop events of IP packets containing unrecognized or ability to log drop events of IP packets containing unrecognized or
obsolete options. obsolete options.
A number of additional options are listed in the "IP OPTIONS NUMBERS" A number of additional options are listed in the "IP OPTION NUMBERS"
IANA registry [IANA-IP] as of the time this document was last edited. IANA registry [IANA-IP] as of the time this document was last edited.
Specifically: Specifically:
Copy Class Number Value Name Copy Class Number Value Name
---- ----- ------ ----- ------------------------------------------- ---- ----- ------ ----- -------------------------------------------
0 0 10 10 ZSU - Experimental Measurement 0 0 10 10 ZSU - Experimental Measurement
1 2 13 205 FINN - Experimental Flow Control 1 2 13 205 FINN - Experimental Flow Control
0 0 15 15 ENCODE - ??? 0 0 15 15 ENCODE - ???
1 0 16 144 IMITD - IMI Traffic Descriptor 1 0 16 144 IMITD - IMI Traffic Descriptor
1 0 22 150 - Unassigned (Released 18 Oct. 2005) 1 0 22 150 - Unassigned (Released 18 Oct. 2005)
skipping to change at page 30, line 4 skipping to change at page 30, line 34
4.23.3. Operational and Interoperability Impact if Blocked 4.23.3. Operational and Interoperability Impact if Blocked
The lack of open specifications for these options makes it impossible The lack of open specifications for these options makes it impossible
to evaluate the operational and interoperability impact if packets to evaluate the operational and interoperability impact if packets
containing these options are blocked. containing these options are blocked.
4.23.4. Advice 4.23.4. Advice
Routers, security gateways, and firewalls SHOULD have configuration Routers, security gateways, and firewalls SHOULD have configuration
knobs for IP packets containing these options (or other options not knobs for IP packets containing these options (or other options not
recognized) to select between "ignore & forward" and "drop & log"). recognized) to select between "ignore & forward" and "drop & log".
Section 4.23.1 points out that [RFC1122] and [RFC1812] specify that Section 4.23.1 points out that [RFC1122] and [RFC1812] specify that
unrecognized IP options MUST be ignored. However, the previous unrecognized IP options MUST be ignored. However, the previous
paragraph states that routers, security gateways, and firewalls paragraph states that routers, security gateways, and firewalls
SHOULD have a configuration option for dropping and logging IP SHOULD have a configuration option for dropping and logging IP
packets containing unrecognized options. While is is acknowledged packets containing unrecognized options. While it is acknowledged
that this advice contradicts the previous RFC requirements, the that this advice contradicts the previous RFCs' requirements, the
advice in this document reflects current operational reality. advice in this document reflects current operational reality.
Special care needs to be taken in the case of "drop & log". Devices Special care needs to be taken in the case of "drop & log". Devices
SHOULD count the number of packets dropped, but the logging of drop SHOULD count the number of packets dropped, but the logging of drop
events SHOULD be limited to not overburden device resources. events SHOULD be limited so as to not overburden device resources.
5. IANA Considerations
This document has no actions for IANA.
6. Security Considerations 5. Security Considerations
This document provides advice on the filtering of IP packets that This document provides advice on the filtering of IP packets that
contain IP options. Dropping such packets can help to mitigate the contain IP options. Dropping such packets can help to mitigate the
security issues that arise from use of different IP options. Many of security issues that arise from use of different IP options. Many of
the IPv4 options listed in this document are deprecated and cause no the IPv4 options listed in this document are deprecated and cause no
operational impact if dropped. However, dropping packets containing operational impact if dropped. However, dropping packets containing
IPv4 options that are in use can cause real operational problems in IPv4 options that are in use can cause real operational problems in
deployed networks. Therefore, the practice of dropping all IPv4 deployed networks. Therefore, the practice of dropping all IPv4
packets containing one or more IPv4 options without careful packets containing one or more IPv4 options without careful
consideration is not recommended. consideration is not recommended.
7. Acknowledgements 6. Acknowledgements
The authors would like to thank (in alphabetical order) Ron Bonica, The authors would like to thank (in alphabetical order) Ron Bonica,
C. M. Heard, Merike Kaeo, Panos Kampanakis, Suresh Krishnan, Arturo C. M. Heard, Merike Kaeo, Panos Kampanakis, Suresh Krishnan, Arturo
Servin, SM, and Donald Smith for providing thorough reviews and Servin, SM, and Donald Smith for providing thorough reviews and
valuable comments. Merike Kaeo also contributed text used in this valuable comments. Merike Kaeo also contributed text used in this
document. document.
The authors also wish to thank various network operations folks who The authors also wish to thank various network operations folks who
supplied feedback on earlier versions of this document, but did not supplied feedback on earlier versions of this document but did not
wish to be named explicitly in this document. wish to be named explicitly in this document.
Part of this document is initially based on the document "Security Part of this document is initially based on the document "Security
Assessment of the Internet Protocol" [CPNI2008] that is the result of Assessment of the Internet Protocol" [CPNI2008] that is the result of
a project carried out by Fernando Gont on behalf of UK CPNI (formerly a project carried out by Fernando Gont on behalf of UK CPNI (formerly
NISCC). Fernando Gont would like to thank UK CPNI (formerly NISCC) NISCC). Fernando Gont would like to thank UK CPNI (formerly NISCC)
for their continued support. for their continued support.
8. References 7. References
8.1. Normative References 7.1. Normative References
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September
September 1981. 1981.
[RFC1122] Braden, R., "Requirements for Internet Hosts - [RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989. Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
November 1990. November 1990.
[RFC1812] Baker, F., "Requirements for IP Version 4 Routers", [RFC1812] Baker, F., "Requirements for IP Version 4 Routers", RFC
RFC 1812, June 1995. 1812, June 1995.
[RFC2113] Katz, D., "IP Router Alert Option", RFC 2113, [RFC2113] Katz, D., "IP Router Alert Option", RFC 2113, February
February 1997. 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006. ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006.
[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
Discovery", RFC 4821, March 2007. Discovery", RFC 4821, March 2007.
[RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano, [RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano,
"Bidirectional Protocol Independent Multicast (BIDIR- "Bidirectional Protocol Independent Multicast (BIDIR-
PIM)", RFC 5015, October 2007. PIM)", RFC 5015, October 2007.
[RFC6398] Le Faucheur, F., "IP Router Alert Considerations and [RFC6398] Le Faucheur, F., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, October 2011. Usage", BCP 168, RFC 6398, October 2011.
[RFC6814] Pignataro, C. and F. Gont, "Formally Deprecating Some IPv4 [RFC6814] Pignataro, C. and F. Gont, "Formally Deprecating Some IPv4
Options", RFC 6814, November 2012. Options", RFC 6814, November 2012.
8.2. Informative References 7.2. Informative References
[BIDIR-TREES]
Estrin, D. and D. Farinacci, "Bi-Directional Shared Trees
in PIM-SM", Work in Progress, May 1999.
[BREMIER-BARR] [BREMIER-BARR]
Bremier-Barr, A. and H. Levy, "Spoofing prevention Bremier-Barr, A. and H. Levy, "Spoofing prevention
method", Proceedings of IEEE InfoCom 2005 Volume 1, pp. method", Proceedings of IEEE InfoCom 2005, Volume 1, pp.
536-547, IEEE, March 2005. 536-547, March 2005.
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference <http:// CanSecWest 2007 Security Conference, 2007,
www.secdev.org/conf/IPv6_RH_security-csw07.pdf>, 2007. <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>.
[CIPSOWG1994] [CIPSOWG1994]
CIPSOWG, "Commercial Internet Protocol Security Option IETF CIPSO Working Group, "Commercial Internet Protocol
(CIPSO) Working Group", 1994, <http://www.ietf.org/ Security Option (CIPSO) Charter", 1994,
proceedings/94jul/charters/cipso-charter.html>. <http://www.ietf.org/proceedings/94jul/charters/
cipso-charter.html>.
[CPNI2008] [CIPSO] IETF CIPSO Working Group, "COMMERCIAL IP SECURITY OPTION
Gont, F., "Security Assessment of the Internet Protocol", (CIPSO 2.2)", Work in Progress, 1992.
<http://www.cpni.gov.uk/Docs/InternetProtocol.pdf>, 2008.
[Cisco-IPSO] [CPNI2008] Gont, F., "Security Assessment of the Internet Protocol",
Cisco Systems, Inc., "Cisco IOS Security Configuration 2008,
Guide, Release 12.2 - Configuring IP Security Options", <http://www.gont.com.ar/papers/InternetProtocol.pdf>.
2006, <http://www.cisco.com/en/US/docs/ios/12_2/security/
configuration/guide/scfipso.html>.
[Cisco-IPSO-Cmds] [Cisco-IPSO-Cmds]
Cisco Systems, Inc., "Cisco IOS Security Command Cisco Systems, Inc., "IP Security Options Commands", Cisco
Reference, Release 12.2 - IP Security Options Commands", IOS Security Command Reference, Release 12.2,
<http://www.cisco.com/en/US/docs/ios/12_2/security/ <http://www.cisco.com/en/US/docs/ios/12_2/security/
command/reference/srfipso.html>. command/reference/srfipso.html>.
[Cisco-IPSO]
Cisco Systems, Inc., "Configuring IP Security Options",
Cisco IOS Security Configuration Guide, Release 12.2,
2006, <http://www.cisco.com/en/US/docs/ios/12_2/security/
configuration/guide/scfipso.html>.
[DIFFSERV-DPS]
Stoica, I., Zhang, H., Venkitaram, N., and J. Mysore, "Per
Hop Behaviors Based on Dynamic Packet State", Work in
Progress, October 2002.
[FIPS1994] [FIPS1994]
FIPS, "Standard Security Label for Information Transfer", FIPS, "Standard Security Label for Information Transfer",
Federal Information Processing Standards Publication. FIP Federal Information Processing Standards Publication, FIP
PUBS 188, <http://csrc.nist.gov/publications/fips/fips188/ PUBS 188, 1994, <http://csrc.nist.gov/publications/fips/
fips188.pdf>, 1994. fips188/fips188.pdf>.
[FONSECA] Fonseca, R., Porter, G., Katz, R., Shenker, S., and I. [FONSECA] Fonseca, R., Porter, G., Katz, R., Shenker, S., and I.
Stoica, "IP Options are not an option", December 2005. Stoica, "IP Options are not an option", EECS Department,
University of California, Berkeley, December 2005,
[I-D.farinacci-bidir-pim] <http://www.eecs.berkeley.edu/Pubs/TechRpts/2005/
Estrin, D. and D. Farinacci, "Bi-Directional Shared Trees EECS-2005-24.html>.
in PIM-SM", draft-farinacci-bidir-pim (work in progress),
May 1999.
[I-D.ietf-cipso-ipsecurity]
IETF CIPSO Working Group, "COMMERCIAL IP SECURITY OPTION
(CIPSO 2.2)", draft-ietf-cipso-ipsecurity-01 (work in
progress), 1992.
[I-D.stoica-diffserv-dps]
Stoica, I., Zhang, H., Baker, F., and Y. Bernet, "Per Hop
Behaviors Based on Dynamic Packet State",
draft-stoica-diffserv-dps-02 (work in progress),
October 2002.
[IANA-IP] Internet Assigned Numbers Authority, "IP OPTION NUMBERS", [IANA-IP] IANA, "IP OPTION NUMBERS",
April 2011,
<http://www.iana.org/assignments/ip-parameters>. <http://www.iana.org/assignments/ip-parameters>.
[IRIX2008] [IRIX2008] IRIX, "IRIX 6.5 trusted_networking(7) manual page", 2008,
IRIX, "IRIX 6.5 trusted_networking(7) manual page", 2008,
<http://techpubs.sgi.com/library/tpl/cgi-bin/ <http://techpubs.sgi.com/library/tpl/cgi-bin/
getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/ getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/
cat7/trusted_networking.z>. cat7/trusted_networking.z>.
[Kohno2005] [Kohno2005]
Kohno, T., Broido, A., and kc. Claffy, "Remote Physical Kohno, T., Broido, A., and kc. Claffy, "Remote Physical
Device Fingerprinting", IEEE Transactions on Dependable Device Fingerprinting", IEEE Transactions on Dependable
and Secure Computing Vol. 2, No. 2, 2005. and Secure Computing, Vol. 2, No. 2, 2005.
[Landwehr81] [Landwehr81]
Landwehr, C., "Formal Models for Computer Security", ACM Landwehr, C., "Formal Models for Computer Security", ACM
Computing Surveys Vol 13, No 3, September 1981, Assoc for Computing Surveys, Vol. 13, No. 3, Association for
Computing Machinery, New York, NY, USA, 1981. Computing Machinery, New York, NY, USA, September 1981.
[MEDINA] Medina, A., Allman, M., and S. Floyd, "Measuring [MEDINA] Medina, A., Allman, M., and S. Floyd, "Measuring
Interactions Between Transport Protocols and Middleboxes", Interactions Between Transport Protocols and Middleboxes",
Proc. 4th ACM SIGCOMM/USENIX Conference on Proc. 4th ACM SIGCOMM/USENIX Conference on Internet
Internet Measurement, October 2004. Measurement, October 2004.
[Microsoft1999] [Microsoft1999]
Microsoft, "Microsoft Security Program: Microsoft Security Microsoft, "Microsoft Security Program: Microsoft Security
Bulletin (MS99-038). Patch Available for "Spoofed Route Bulletin (MS99-038). Patch Available for "Spoofed Route
Pointer" Vulnerability", 1999, <http://www.microsoft.com/ Pointer" Vulnerability", September 1999,
technet/security/bulletin/ms99-038.mspx>. <http://www.microsoft.com/technet/security/bulletin/
ms99-038.mspx>.
[OpenBSD1998] [OpenBSD1998]
OpenBSD, "OpenBSD Security Advisory: IP Source Routing OpenBSD, "OpenBSD Security Advisory: IP Source Routing
Problem", 1998, Problem", February 1998,
<http://www.openbsd.org/advisories/sourceroute.txt>. <http://www.openbsd.org/advisories/sourceroute.txt>.
[RFC1038] St. Johns, M., "Draft revised IP security option", [RFC1038] St. Johns, M., "Draft revised IP security option", RFC
RFC 1038, January 1988. 1038, January 1988.
[RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP [RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP
MTU discovery options", RFC 1063, July 1988. MTU discovery options", RFC 1063, July 1988.
[RFC1108] Kent, S., "U.S", RFC 1108, November 1991. [RFC1108] Kent, S., "U.S. Department of Defense Security Options for
the Internet Protocol", RFC 1108, November 1991.
[RFC1385] Wang, Z., "EIP: The Extended Internet Protocol", RFC 1385, [RFC1385] Wang, Z., "EIP: The Extended Internet Protocol", RFC 1385,
November 1992. November 1992.
[RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393, [RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393,
January 1993. January 1993.
[RFC1475] Ullmann, R., "TP/IX: The Next Internet", RFC 1475, [RFC1475] Ullmann, R., "TP/IX: The Next Internet", RFC 1475, June
June 1993. 1993.
[RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi- [RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi-
Destination Delivery", RFC 1770, March 1995. Destination Delivery", RFC 1770, March 1995.
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, September 1997. Functional Specification", RFC 2205, September 1997.
[RFC2407] Piper, D., "The Internet IP Security Domain of [RFC2407] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998. Interpretation for ISAKMP", RFC 2407, November 1998.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585, Configuration Policy Information Model", RFC 3585, August
August 2003. 2003.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
4306, December 2005.
[RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick- [RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
Start for TCP and IP", RFC 4782, January 2007. Start for TCP and IP", RFC 4782, January 2007.
[RFC4807] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [RFC4807] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy Database Configuration MIB", Wang, "IPsec Security Policy Database Configuration MIB",
RFC 4807, March 2007. RFC 4807, March 2007.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC
RFC 4949, August 2007. 4949, August 2007.
[RFC5350] Manner, J. and A. McDonald, "IANA Considerations for the [RFC5350] Manner, J. and A. McDonald, "IANA Considerations for the
IPv4 and IPv6 Router Alert Options", RFC 5350, IPv4 and IPv6 Router Alert Options", RFC 5350, September
September 2008. 2008.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)", RFC
RFC 5570, July 2009. 5570, July 2009.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
5996, September 2010.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, March 2011. Router Control Plane", RFC 6192, March 2011.
[RFC6274] Gont, F., "Security Assessment of the Internet Protocol [RFC6274] Gont, F., "Security Assessment of the Internet Protocol
Version 4", RFC 6274, July 2011. Version 4", RFC 6274, July 2011.
[SELinux2008] [SELinux2008]
National Security Agency, "Security-Enhanced Linux - NSA/ National Security Agency (United States), "Security-
CSS", January 2009, Enhanced Linux - NSA/CSS", January 2009,
<http://www.nsa.gov/research/selinux/index.shtml>. <http://www.nsa.gov/research/selinux/index.shtml>.
[Solaris2008] [Solaris2008]
"Solaris Trusted Extensions - Labeled Security for "Solaris Trusted Extensions: Labeled Security for Absolute
Absolute Protection", 2008, <http://www.sun.com/software/ Protection", 2008,
solaris/ds/trusted_extensions.jsp#3>. <http://www.oracle.com/technetwork/server-storage/
solaris10/overview/trusted-extensions-149944.pdf>.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
UTN-FRH / SI6 Networks UTN-FRH / SI6 Networks
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
Email: fgont@si6networks.com EMail: fgont@si6networks.com
URI: http://www.si6networks.com URI: http://www.si6networks.com
RJ Atkinson RJ Atkinson
Consultant Consultant
McLean, VA 22103 McLean, VA 22103
USA USA
Email: rja.lists@gmail.com EMail: rja.lists@gmail.com
Carlos Pignataro Carlos Pignataro
Cisco Systems, Inc. Cisco Systems, Inc.
7200-12 Kit Creek Road 7200-12 Kit Creek Road
Research Triangle Park, NC 27709 Research Triangle Park, NC 27709
US USA
Email: cpignata@cisco.com EMail: cpignata@cisco.com
 End of changes. 148 change blocks. 
367 lines changed or deleted 374 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/