diff options
Diffstat (limited to 'doc/rfc/rfc6274.txt')
-rw-r--r-- | doc/rfc/rfc6274.txt | 4203 |
1 files changed, 4203 insertions, 0 deletions
diff --git a/doc/rfc/rfc6274.txt b/doc/rfc/rfc6274.txt new file mode 100644 index 0000000..fac11bf --- /dev/null +++ b/doc/rfc/rfc6274.txt @@ -0,0 +1,4203 @@ + + + + + + +Internet Engineering Task Force (IETF) F. Gont +Request for Comments: 6274 UK CPNI +Category: Informational July 2011 +ISSN: 2070-1721 + + + Security Assessment of the Internet Protocol Version 4 + +Abstract + + This document contains a security assessment of the IETF + specifications of the Internet Protocol version 4 and of a number of + mechanisms and policies in use by popular IPv4 implementations. It + is based on the results of a project carried out by the UK's Centre + for the Protection of National Infrastructure (CPNI). + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6274. + +Copyright Notice + + Copyright (c) 2011 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + +Gont Informational [Page 1] + +RFC 6274 IPv4 Security Assessment July 2011 + + +Table of Contents + + 1. Preface .........................................................4 + 1.1. Introduction ...............................................4 + 1.2. Scope of This Document .....................................6 + 1.3. Organization of This Document ..............................7 + 2. The Internet Protocol ...........................................7 + 3. Internet Protocol Header Fields .................................8 + 3.1. Version ....................................................9 + 3.2. IHL (Internet Header Length) ..............................10 + 3.3. Type of Service (TOS) .....................................10 + 3.3.1. Original Interpretation ............................10 + 3.3.2. Standard Interpretation ............................12 + 3.3.2.1. Differentiated Services Field .............12 + 3.3.2.2. Explicit Congestion Notification (ECN) ....13 + 3.4. Total Length ..............................................14 + 3.5. Identification (ID) .......................................15 + 3.5.1. Some Workarounds Implemented by the Industry .......16 + 3.5.2. Possible Security Improvements .....................17 + 3.5.2.1. Connection-Oriented Transport Protocols ...17 + 3.5.2.2. Connectionless Transport Protocols ........18 + 3.6. Flags .....................................................19 + 3.7. Fragment Offset ...........................................21 + 3.8. Time to Live (TTL) ........................................22 + 3.8.1. Fingerprinting the Operating System in Use + by the Source Host .................................24 + 3.8.2. Fingerprinting the Physical Device from + which the Packets Originate ........................24 + 3.8.3. Mapping the Network Topology .......................24 + 3.8.4. Locating the Source Host in the Network Topology ...25 + 3.8.5. Evading Network Intrusion Detection Systems ........26 + 3.8.6. Improving the Security of Applications That + Make Use of the Internet Protocol (IP) .............27 + 3.8.7. Limiting Spread ....................................28 + 3.9. Protocol ..................................................28 + 3.10. Header Checksum ..........................................28 + 3.11. Source Address ...........................................29 + 3.12. Destination Address ......................................30 + 3.13. Options ..................................................30 + 3.13.1. General Issues with IP Options ....................31 + 3.13.1.1. Processing Requirements ..................31 + 3.13.1.2. Processing of the Options by the + Upper-Layer Protocol .....................32 + 3.13.1.3. General Sanity Checks on IP Options ......32 + 3.13.2. Issues with Specific Options ......................34 + 3.13.2.1. End of Option List (Type=0) ..............34 + 3.13.2.2. No Operation (Type=1) ....................34 + + + + +Gont Informational [Page 2] + +RFC 6274 IPv4 Security Assessment July 2011 + + + 3.13.2.3. Loose Source and Record Route + (LSRR) (Type=131) ........................34 + 3.13.2.4. Strict Source and Record Route + (SSRR) (Type=137) ........................37 + 3.13.2.5. Record Route (Type=7) ....................39 + 3.13.2.6. Stream Identifier (Type=136) .............40 + 3.13.2.7. Internet Timestamp (Type=68) .............40 + 3.13.2.8. Router Alert (Type=148) ..................43 + 3.13.2.9. Probe MTU (Type=11) (Obsolete) ...........44 + 3.13.2.10. Reply MTU (Type=12) (Obsolete) ..........44 + 3.13.2.11. Traceroute (Type=82) ....................44 + 3.13.2.12. Department of Defense (DoD) + Basic Security Option (Type=130) ........45 + 3.13.2.13. DoD Extended Security Option + (Type=133) ..............................46 + 3.13.2.14. Commercial IP Security Option + (CIPSO) (Type=134) ......................47 + 3.13.2.15. Sender Directed + Multi-Destination Delivery (Type=149) ...47 + 4. Internet Protocol Mechanisms ...................................48 + 4.1. Fragment Reassembly .......................................48 + 4.1.1. Security Implications of Fragment Reassembly .......49 + 4.1.1.1. Problems Related to Memory Allocation .....49 + 4.1.1.2. Problems That Arise from the + Length of the IP Identification Field .....51 + 4.1.1.3. Problems That Arise from the + Complexity of the Reassembly Algorithm ....52 + 4.1.1.4. Problems That Arise from the + Ambiguity of the Reassembly Process .......52 + 4.1.1.5. Problems That Arise from the Size + of the IP Fragments .......................53 + 4.1.2. Possible Security Improvements .....................53 + 4.1.2.1. Memory Allocation for Fragment + Reassembly ................................53 + 4.1.2.2. Flushing the Fragment Buffer ..............54 + 4.1.2.3. A More Selective Fragment Buffer + Flushing Strategy .........................55 + 4.1.2.4. Reducing the Fragment Timeout .............57 + 4.1.2.5. Countermeasure for Some NIDS + Evasion Techniques ........................58 + 4.1.2.6. Countermeasure for Firewall-Rules + Bypassing .................................58 + 4.2. Forwarding ................................................58 + 4.2.1. Precedence-Ordered Queue Service ...................58 + 4.2.2. Weak Type of Service ...............................59 + 4.2.3. Impact of Address Resolution on Buffer Management ..60 + 4.2.4. Dropping Packets ...................................61 + 4.3. Addressing ................................................61 + + + +Gont Informational [Page 3] + +RFC 6274 IPv4 Security Assessment July 2011 + + + 4.3.1. Unreachable Addresses ..............................61 + 4.3.2. Private Address Space ..............................61 + 4.3.3. Former Class D Addresses (224/4 Address Block) .....62 + 4.3.4. Former Class E Addresses (240/4 Address Block) .....62 + 4.3.5. Broadcast/Multicast Addresses and + Connection-Oriented Protocols ......................62 + 4.3.6. Broadcast and Network Addresses ....................63 + 4.3.7. Special Internet Addresses .........................63 + 5. Security Considerations ........................................65 + 6. Acknowledgements ...............................................65 + 7. References .....................................................66 + 7.1. Normative References ......................................66 + 7.2. Informative References ....................................68 + +1. Preface + +1.1. Introduction + + The TCP/IP protocols were conceived in an environment that was quite + different from the hostile environment in which they currently + operate. However, the effectiveness of the protocols led to their + early adoption in production environments, to the point that, to some + extent, the current world's economy depends on them. + + While many textbooks and articles have created the myth that the + Internet protocols were designed for warfare environments, the top + level goal for the Defense Advanced Research Projects Agency (DARPA) + Internet Program was the sharing of large service machines on the + ARPANET [Clark1988]. As a result, many protocol specifications focus + only on the operational aspects of the protocols they specify and + overlook their security implications. + + While the Internet technology evolved since its inception, the + Internet's building blocks are basically the same core protocols + adopted by the ARPANET more than two decades ago. During the last + twenty years, many vulnerabilities have been identified in the TCP/IP + stacks of a number of systems. Some of them were based on flaws in + some protocol implementations, affecting only a reduced number of + systems, while others were based on flaws in the protocols + themselves, affecting virtually every existing implementation + [Bellovin1989]. Even in the last couple of years, researchers were + still working on security problems in the core protocols [RFC5927] + [Watson2004] [NISCC2004] [NISCC2005]. + + The discovery of vulnerabilities in the TCP/IP protocols led to + reports being published by a number of CSIRTs (Computer Security + Incident Response Teams) and vendors, which helped to raise awareness + about the threats and the best mitigations known at the time the + + + +Gont Informational [Page 4] + +RFC 6274 IPv4 Security Assessment July 2011 + + + reports were published. Unfortunately, this also led to the + documentation of the discovered protocol vulnerabilities being spread + among a large number of documents, which are sometimes difficult to + identify. + + For some reason, much of the effort of the security community on the + Internet protocols did not result in official documents (RFCs) being + issued by the IETF (Internet Engineering Task Force). This basically + led to a situation in which "known" security problems have not always + been addressed by all vendors. In addition, in many cases, vendors + have implemented quick "fixes" to protocol flaws without a careful + analysis of their effectiveness and their impact on interoperability + [Silbersack2005]. + + The lack of adoption of these fixes by the IETF means that any system + built in the future according to the official TCP/IP specifications + will reincarnate security flaws that have already hit our + communication systems in the past. + + Nowadays, producing a secure TCP/IP implementation is a very + difficult task, in part because of the lack of a single document that + serves as a security roadmap for the protocols. Implementers are + faced with the hard task of identifying relevant documentation and + differentiating between that which provides correct advisory and that + which provides misleading advisory based on inaccurate or wrong + assumptions. + + There is a clear need for a companion document to the IETF + specifications; one that discusses the security aspects and + implications of the protocols, identifies the possible threats, + discusses the possible countermeasures, and analyzes their respective + effectiveness. + + This document is the result of an assessment of the IETF + specifications of the Internet Protocol version 4 (IPv4), from a + security point of view. Possible threats were identified and, where + possible, countermeasures were proposed. Additionally, many + implementation flaws that have led to security vulnerabilities have + been referenced in the hope that future implementations will not + incur the same problems. Furthermore, this document does not limit + itself to performing a security assessment of the relevant IETF + specifications, but also provides an assessment of common + implementation strategies found in the real world. + + Many IP implementations have also been subject of the so-called + "packet-of-death" vulnerabilities, in which a single specially + crafted packet causes the IP implementation to crash or otherwise + misbehave. In most cases, the attack packet is simply malformed; in + + + +Gont Informational [Page 5] + +RFC 6274 IPv4 Security Assessment July 2011 + + + other cases, the attack packet is well-formed, but exercises a little + used path through the IP stack. Well-designed IP implementations + should protect against these attacks, and therefore this document + describes a number of sanity checks that are expected to prevent most + of the aforementioned "packet-of-death" attack vectors. We note that + if an IP implementation is found to be vulnerable to one of these + attacks, administrators must resort to mitigating them by packet + filtering. + + Additionally, this document analyzes the security implications from + changes in the operational environment since the Internet Protocol + was designed. For example, it analyzes how the Internet Protocol + could be exploited to evade Network Intrusion Detection Systems + (NIDSs) or to circumvent firewalls. + + This document does not aim to be the final word on the security of + the Internet Protocol (IP). On the contrary, it aims to raise + awareness about many security threats based on the IP protocol that + have been faced in the past, those that we are currently facing, and + those we may still have to deal with in the future. It provides + advice for the secure implementation of the Internet Protocol (IP), + but also provides insights about the security aspects of the Internet + Protocol that may be of help to the Internet operations community. + + Feedback from the community is more than encouraged to help this + document be as accurate as possible and to keep it updated as new + threats are discovered. + + This document is heavily based on the "Security Assessment of the + Internet Protocol" [CPNI2008] released by the UK Centre for the + Protection of National Infrastructure (CPNI), available at + http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + +1.2. Scope of This Document + + While there are a number of protocols that affect the way in which IP + systems operate, this document focuses only on the specifications of + the Internet Protocol (IP). For example, routing and bootstrapping + protocols are considered out of the scope of this project. + + The following IETF RFCs were selected as the primary sources for the + assessment as part of this work: + + + + + +Gont Informational [Page 6] + +RFC 6274 IPv4 Security Assessment July 2011 + + + o RFC 791, "INTERNET PROTOCOL DARPA INTERNET PROGRAM PROTOCOL + SPECIFICATION" (45 pages). + + o RFC 815, "IP DATAGRAM REASSEMBLY ALGORITHMS" (9 pages). + + o RFC 919, "BROADCASTING INTERNET DATAGRAMS" (8 pages). + + o RFC 950, "Internet Standard Subnetting Procedure" (18 pages) + + o RFC 1112, "Host Extensions for IP Multicasting" (17 pages) + + o RFC 1122, "Requirements for Internet Hosts -- Communication + Layers" (116 pages). + + o RFC 1812, "Requirements for IP Version 4 Routers" (175 pages). + + o RFC 2474, "Definition of the Differentiated Services Field (DS + Field) in the IPv4 and IPv6 Headers" (20 pages). + + o RFC 2475, "An Architecture for Differentiated Services" (36 + pages). + + o RFC 3168, "The Addition of Explicit Congestion Notification (ECN) + to IP" (63 pages). + + o RFC 4632, "Classless Inter-domain Routing (CIDR): The Internet + Address Assignment and Aggregation Plan" (27 pages). + +1.3. Organization of This Document + + This document is basically organized in two parts: "Internet Protocol + header fields" and "Internet Protocol mechanisms". The former + contains an analysis of each of the fields of the Internet Protocol + header, identifies their security implications, and discusses + possible countermeasures for the identified threats. The latter + contains an analysis of the security implications of the mechanisms + implemented by the Internet Protocol. + +2. The Internet Protocol + + The Internet Protocol (IP) provides a basic data transfer function + for passing data blocks called "datagrams" from a source host to a + destination host, across the possible intervening networks. + Additionally, it provides some functions that are useful for the + interconnection of heterogeneous networks, such as fragmentation and + reassembly. + + + + + +Gont Informational [Page 7] + +RFC 6274 IPv4 Security Assessment July 2011 + + + The "datagram" has a number of characteristics that makes it + convenient for interconnecting systems [Clark1988]: + + o It eliminates the need of connection state within the network, + which improves the survivability characteristics of the network. + + o It provides a basic service of data transport that can be used as + a building block for other transport services (reliable data + transport services, etc.). + + o It represents the minimum network service assumption, which + enables IP to be run over virtually any network technology. + +3. Internet Protocol Header Fields + + The IETF specifications of the Internet Protocol define the syntax of + the protocol header, along with the semantics of each of its fields. + Figure 1 shows the format of an IP datagram, as specified in + [RFC0791]. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Version| IHL |Type of Service| Total Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Identification |Flags| Fragment Offset | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Time to Live | Protocol | Header Checksum | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Source Address | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Destination Address | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | [ Options ] | [ Padding ] | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 1: Internet Protocol Header Format + + Even though the minimum IP header size is 20 bytes, an IP module + might be handed an (illegitimate) "datagram" of less than 20 bytes. + Therefore, before doing any processing of the IP header fields, the + following check should be performed by the IP module on the packets + handed by the link layer: + + LinkLayer.PayloadSize >= 20 + + where LinkLayer.PayloadSize is the length (in octets) of the datagram + passed from the link layer to the IP layer. + + + +Gont Informational [Page 8] + +RFC 6274 IPv4 Security Assessment July 2011 + + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented + reflecting the packet drop). + + The following subsections contain further sanity checks that should + be performed on IP packets. + +3.1. Version + + This is a 4-bit field that indicates the version of the Internet + Protocol (IP), and thus the syntax of the packet. For IPv4, this + field must be 4. + + When a link-layer protocol de-multiplexes a packet to an Internet + module, it does so based on a Protocol Type field in the data-link + packet header. + + In theory, different versions of IP could coexist on a network by + using the same Protocol Type at the link layer, but a different value + in the Version field of the IP header. Thus, a single IP module + could handle all versions of the Internet Protocol, differentiating + them by means of this field. + + However, in practice different versions of IP are identified by a + different Protocol Type (e.g., EtherType in the case of Ethernet) + number in the link-layer protocol header. For example, IPv4 + datagrams are encapsulated in Ethernet frames using an EtherType of + 0x0800, while IPv6 datagrams are encapsulated in Ethernet frames + using an EtherType of 0x86DD [IANA_ET]. + + Therefore, if an IPv4 module receives a packet, the Version field + must be checked to be 4. If this check fails, the packet should be + silently dropped, and this event should be logged (e.g., a counter + could be incremented reflecting the packet drop). If an + implementation does not perform this check, an attacker could use a + different value for the Version field, possibly evading NIDSs that + decide which pattern-matching rules to apply based on the Version + field. + + If the link-layer protocol employs a specific "Protocol Type" value + for encapsulating IPv4 packets (e.g., as is the case of Ethernet), a + node should check that IPv4 packets are de-multiplexed to the IPv4 + module when such value was used for the Protocol Type field of the + link-layer protocol. If a packet does not pass this check, it should + be silently dropped. + + + + + + +Gont Informational [Page 9] + +RFC 6274 IPv4 Security Assessment July 2011 + + + An attacker could encapsulate IPv4 packets using other link-layer + "Protocol Type" values to try to subvert link-layer Access Control + Lists (ACLs) and/or for tampering with NIDSs. + +3.2. IHL (Internet Header Length) + + The IHL (Internet Header Length) field indicates the length of the + Internet header in 32-bit words (4 bytes). The following paragraphs + describe a number of sanity checks to be performed on the IHL field, + such that possible packet-of-death vulnerabilities are avoided. + + As the minimum datagram size is 20 bytes, the minimum legal value for + this field is 5. Therefore, the following check should be enforced: + + IHL >= 5 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented + reflecting the packet drop). + + For obvious reasons, the Internet header cannot be larger than the + whole Internet datagram of which it is part. Therefore, the + following check should be enforced: + + IHL * 4 <= Total Length + + This needs to refer to the size of the datagram as specified by + the sender in the Total Length field, since link layers might have + added some padding (see Section 3.4). + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented + reflecting the packet drop). + + The above check allows for Internet datagrams with no data bytes in + the payload that, while nonsensical for virtually every protocol that + runs over IP, are still legal. + +3.3. Type of Service (TOS) + +3.3.1. Original Interpretation + + Figure 2 shows the original syntax of the Type of Service field, as + defined by RFC 791 [RFC0791] and updated by RFC 1349 [RFC1349]. This + definition has been superseded long ago (see Sections 3.3.2.1 and + 3.3.2.2), but it is still assumed by some deployed implementations. + + + + + +Gont Informational [Page 10] + +RFC 6274 IPv4 Security Assessment July 2011 + + + 0 1 2 3 4 5 6 7 + +-----+-----+-----+-----+-----+-----+-----+-----+ + | PRECEDENCE | D | T | R | C | 0 | + +-----+-----+-----+-----+-----+-----+-----+-----+ + + Figure 2: Type of Service Field (Original Interpretation) + + +----------+----------------------------------------------+ + | Bits 0-2 | Precedence | + +----------+----------------------------------------------+ + | Bit 3 | 0 = Normal Delay, 1 = Low Delay | + +----------+----------------------------------------------+ + | Bit 4 | 0 = Normal Throughput, 1 = High Throughput | + +----------+----------------------------------------------+ + | Bit 5 | 0 = Normal Reliability, 1 = High Reliability | + +----------+----------------------------------------------+ + | Bit 6 | 0 = Normal Cost, 1 = Minimize Monetary Cost | + +----------+----------------------------------------------+ + | Bits 7 | Reserved for Future Use (must be zero) | + +----------+----------------------------------------------+ + + Table 1: Semantics of the TOS Bits + + +-----+-----------------+ + | 111 | Network Control | + +-----+-----------------+ + | 110 | Internetwork | + +-----+-----------------+ + | 101 | CRITIC/ECP | + +-----+-----------------+ + | 100 | Flash Override | + +-----+-----------------+ + | 011 | Flash | + +-----+-----------------+ + | 010 | Immediate | + +-----+-----------------+ + | 001 | Priority | + +-----+-----------------+ + | 000 | Routine | + +-----+-----------------+ + + Table 2: Semantics of the Possible Precedence Field Values + + The Type of Service field can be used to affect the way in which the + packet is treated by the systems of a network that process it. + Section 4.2.1 ("Precedence-Ordered Queue Service") and Section 4.2.2 + + + + + +Gont Informational [Page 11] + +RFC 6274 IPv4 Security Assessment July 2011 + + + ("Weak Type of Service") of this document describe the security + implications of the Type of Service field in the forwarding of + packets. + +3.3.2. Standard Interpretation + +3.3.2.1. Differentiated Services Field + + The Differentiated Services Architecture is intended to enable + scalable service discrimination in the Internet without the need for + per-flow state and signaling at every hop [RFC2475]. RFC 2474 + [RFC2474] redefined the IP "Type of Service" octet, introducing a + Differentiated Services Field (DS Field). Figure 3 shows the format + of the field. + + 0 1 2 3 4 5 6 7 + +---+---+---+---+---+---+---+---+ + | DSCP | CU | + +---+---+---+---+---+---+---+---+ + + Figure 3: Revised Structure of the Type of Service Field (RFC 2474) + + The DSCP ("Differentiated Services CodePoint") is used to select the + treatment the packet is to receive within the Differentiated Services + Domain. The CU ("Currently Unused") field was, at the time the + specification was issued, reserved for future use. The DSCP field is + used to select a PHB (Per-Hop Behavior), by matching against the + entire 6-bit field. + + Considering that the DSCP field determines how a packet is treated + within a Differentiated Services (DS) domain, an attacker could send + packets with a forged DSCP field to perform a theft of service or + even a Denial-of-Service (DoS) attack. In particular, an attacker + could forge packets with a codepoint of the type '11x000' which, + according to Section 4.2.2.2 of RFC 2474 [RFC2474], would give the + packets preferential forwarding treatment when compared with the PHB + selected by the codepoint '000000'. If strict priority queuing were + utilized, a continuous stream of such packets could cause a DoS to + other flows that have a DSCP of lower relative order. + + As the DS field is incompatible with the original Type of Service + field, both DS domains and networks using the original Type of + Service field should protect themselves by remarking the + corresponding field where appropriate, probably deploying remarking + boundary nodes. Nevertheless, care must be taken so that packets + received with an unrecognized DSCP do not cause the handling system + to malfunction. + + + + +Gont Informational [Page 12] + +RFC 6274 IPv4 Security Assessment July 2011 + + +3.3.2.2. Explicit Congestion Notification (ECN) + + RFC 3168 [RFC3168] specifies a mechanism for routers to signal + congestion to hosts exchanging IP packets, by marking the offending + packets rather than discarding them. RFC 3168 defines the ECN field, + which utilizes the CU field defined in RFC 2474 [RFC2474]. Figure 4 + shows the current syntax of the IP Type of Service field, with the + DSCP field used for Differentiated Services and the ECN field. + + 0 1 2 3 4 5 6 7 + +-----+-----+-----+-----+-----+-----+-----+-----+ + | DS FIELD, DSCP | ECN FIELD | + +-----+-----+-----+-----+-----+-----+-----+-----+ + + Figure 4: The Differentiated Services and ECN Fields in IP + + As such, the ECN field defines four codepoints: + + +-----------+-----------+ + | ECN field | Codepoint | + +-----------+-----------+ + | 00 | Not-ECT | + +-----------+-----------+ + | 01 | ECT(1) | + +-----------+-----------+ + | 10 | ECT(0) | + +-----------+-----------+ + | 11 | CE | + +-----------+-----------+ + + Table 3: ECN Codepoints + + ECN is an end-to-end transport protocol mechanism based on + notifications by routers through which a packet flow passes. To + allow this interaction to happen on the fast path of routers, the ECN + field is located at a fixed location in the IP header. However, its + use must be negotiated at the transport layer, and the accumulated + congestion notifications must be communicated back to the sending + node using transport protocol means. Thus, ECN support must be + specified per transport protocol. + + [RFC6040] specifies how the Explicit Congestion Notification (ECN) + field of the IP header should be constructed on entry to and exit + from any IP-in-IP tunnel. + + + + + + + +Gont Informational [Page 13] + +RFC 6274 IPv4 Security Assessment July 2011 + + + The security implications of ECN are discussed in detail in a number + of Sections of RFC 3168. Of the possible threats discussed in the + ECN specification, we believe that one that can be easily exploited + is that of a host falsely indicating ECN-Capability. + + An attacker could set the ECT codepoint in the packets it sends, to + signal the network that the endpoints of the transport protocol are + ECN-capable. Consequently, when experiencing moderate congestion, + routers using active queue management based on Random Early Detection + (RED) would mark the packets (with the CE codepoint) rather than + discard them. In this same scenario, packets of competing flows that + do not have the ECT codepoint set would be dropped. Therefore, an + attacker would get better network service than the competing flows. + + However, if this moderate congestion turned into heavy congestion, + routers should switch to drop packets, regardless of whether or not + the packets have the ECT codepoint set. + + A number of other threats could arise if an attacker was a man in the + middle (i.e., was in the middle of the path the packets travel to get + to the destination host). For a detailed discussion of those cases, + we urge the reader to consult Section 16 of RFC 3168. + + There is also ongoing work in the research community and the IETF to + define alternate semantics for the CU/ECN field of IP TOS octet (see + [RFC5559], [RFC5670], and [RFC5696]). The application of these + methods must be confined to tightly administered domains, and on exit + from such domains, all packets need to be (re-)marked with ECN + semantics. + +3.4. Total Length + + The Total Length field is the length of the datagram, measured in + bytes, including both the IP header and the IP payload. Being a + 16-bit field, it allows for datagrams of up to 65535 bytes. RFC 791 + [RFC0791] states that all hosts should be prepared to receive + datagrams of up to 576 bytes (whether they arrive as a whole, or in + fragments). However, most modern implementations can reassemble + datagrams of at least 9 Kbytes. + + Usually, a host will not send to a remote peer an IP datagram larger + than 576 bytes, unless it is explicitly signaled that the remote peer + is able to receive such "large" datagrams (for example, by means of + TCP's Maximum Segment Size (MSS) option). However, systems should + assume that they may receive datagrams larger than 576 bytes, + regardless of whether or not they signal their remote peers to do so. + In fact, it is common for Network File System (NFS) [RFC3530] + + + + +Gont Informational [Page 14] + +RFC 6274 IPv4 Security Assessment July 2011 + + + implementations to send datagrams larger than 576 bytes, even without + explicit signaling that the destination system can receive such + "large" datagram. + + Additionally, see the discussion in Section 4.1 ("Fragment + Reassembly") regarding the possible packet sizes resulting from + fragment reassembly. + + Implementations should be aware that the IP module could be handed a + packet larger than the value actually contained in the Total Length + field. Such a difference usually has to do with legitimate padding + bytes at the link-layer protocol, but it could also be the result of + malicious activity by an attacker. Furthermore, even when the + maximum length of an IP datagram is 65535 bytes, if the link-layer + technology in use allows for payloads larger than 65535 bytes, an + attacker could forge such a large link-layer packet, meaning it for + the IP module. If the IP module of the receiving system were not + prepared to handle such an oversized link-layer payload, an + unexpected failure might occur. Therefore, the memory buffer used by + the IP module to store the link-layer payload should be allocated + according to the payload size reported by the link layer, rather than + according to the Total Length field of the IP packet it contains. + + The IP module could also be handed a packet that is smaller than the + actual IP packet size claimed by the Total Length field. This could + be used, for example, to produce an information leakage. Therefore, + the following check should be performed: + + LinkLayer.PayloadSize >= Total Length + + If this check fails, the IP packet should be dropped, and this event + should be logged (e.g., a counter could be incremented reflecting the + packet drop). As the previous expression implies, the number of + bytes passed by the link layer to the IP module should contain at + least as many bytes as claimed by the Total Length field of the IP + header. + + [US-CERT2002] is an example of the exploitation of a forged IP + Total Length field to produce an information leakage attack. + +3.5. Identification (ID) + + The Identification field is set by the sending host to aid in the + reassembly of fragmented datagrams. At any time, it needs to be + unique for each set of {Source Address, Destination Address, + Protocol}. + + + + + +Gont Informational [Page 15] + +RFC 6274 IPv4 Security Assessment July 2011 + + + In many systems, the value used for this field is determined at the + IP layer, on a protocol-independent basis. Many of those systems + also simply increment the IP Identification field for each packet + they send. + + This implementation strategy is inappropriate for a number of + reasons. Firstly, if the Identification field is set on a protocol- + independent basis, it will wrap more often than necessary, and thus + the implementation will be more prone to the problems discussed in + [Kent1987] and [RFC4963]. Secondly, this implementation strategy + opens the door to an information leakage that can be exploited in a + number of ways. + + [Sanfilippo1998a] describes how the Identification field can be + leveraged to determine the packet rate at which a given system is + transmitting information. Later, [Sanfilippo1998b] described how a + system with such an implementation can be used to perform a stealth + port scan to a third (victim) host. [Sanfilippo1999] explained how + to exploit this implementation strategy to uncover the rules of a + number of firewalls. [Bellovin2002] explains how the IP + Identification field can be exploited to count the number of systems + behind a NAT. [Fyodor2004] is an entire paper on most (if not all) + of the ways to exploit the information provided by the Identification + field of the IP header. + + Section 4.1 contains a discussion of the security implications of + the IP fragment reassembly mechanism, which is the primary + "consumer" of this field. + +3.5.1. Some Workarounds Implemented by the Industry + + As the IP Identification field is only used for the reassembly of + datagrams, some operating systems (such as Linux) decided to set this + field to 0 in all packets that have the DF bit set. This would, in + principle, avoid any type of information leakage. However, it was + detected that some non-RFC-compliant middle-boxes fragmented packets + even if they had the DF bit set. In such a scenario, all datagrams + originally sent with the DF bit set would all result in fragments + with an Identification field of 0, which would lead to problems + ("collision" of the Identification number) in the reassembly process. + + Linux (and Solaris) later set the IP Identification field on a per- + IP-address basis. This avoids some of the security implications of + the IP Identification field, but not all. For example, systems + behind a load balancer can still be counted. + + + + + + +Gont Informational [Page 16] + +RFC 6274 IPv4 Security Assessment July 2011 + + +3.5.2. Possible Security Improvements + + Contrary to common wisdom, the IP Identification field does not need + to be system-wide unique for each packet, but has to be unique for + each {Source Address, Destination Address, Protocol} tuple. + + For instance, the TCP specification defines a generic send() + function that takes the IP ID as one of its arguments. + + We provide an analysis of the possible security improvements that + could be implemented, based on whether the protocol using the + services of IP is connection-oriented or connection-less. + +3.5.2.1. Connection-Oriented Transport Protocols + + To avoid the security implications of the information leakage + described above, a pseudo-random number generator (PRNG) could be + used to set the IP Identification field on a {Source Address, + Destination Address} basis (for each connection-oriented transport + protocol). + + [RFC4086] provides advice on the generation of pseudo-random + numbers. + + [Klein2007] is a security advisory that describes a weakness in + the pseudo-random number generator (PRNG) employed for the + generation of the IP Identification by a number of operating + systems. + + While in theory a pseudo-random number generator could lead to + scenarios in which a given Identification number is used more than + once in the same time span for datagrams that end up getting + fragmented (with the corresponding potential reassembly problems), in + practice, this is unlikely to cause trouble. + + By default, most implementations of connection-oriented protocols, + such as TCP, implement some mechanism for avoiding fragmentation + (such as the Path-MTU Discovery mechanism described in [RFC1191]). + Thus, fragmentation will only take place if a non-RFC-compliant + middle-box that still fragments packets even when the DF bit is set + is placed somewhere along the path that the packets travel to get to + the destination host. Once the sending system is signaled by the + middle-box (by means of an ICMP "fragmentation needed and DF bit set" + error message) that it should reduce the size of the packets it + sends, fragmentation would be avoided. Also, for reassembly problems + to arise, the same Identification value would need to be reused very + frequently, and either strong packet reordering or packet loss would + need to take place. + + + +Gont Informational [Page 17] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Nevertheless, regardless of what policy is used for selecting the + Identification field, with the current link speeds fragmentation is + already bad enough (i.e., very likely to lead to fragment reassembly + errors) to rely on it. A mechanism for avoiding fragmentation (such + as [RFC1191] or [RFC4821] should be implemented, instead. + +3.5.2.2. Connectionless Transport Protocols + + Connectionless transport protocols often have these characteristics: + + o lack of flow-control mechanisms, + + o lack of packet sequencing mechanisms, and/or, + + o lack of reliability mechanisms (such as "timeout and retransmit"). + + This basically means that the scenarios and/or applications for which + connection-less transport protocols are used assume that: + + o Applications will be used in environments in which packet + reordering is very unlikely (such as Local Area Networks), as the + transport protocol itself does not provide data sequencing. + + o The data transfer rates will be low enough that flow control will + be unnecessary. + + o Packet loss is can be tolerated and/or is unlikely. + + With these assumptions in mind, the Identification field could still + be set according to a pseudo-random number generator (PRNG). + + [RFC4086] provides advice on the generation of pseudo-random + numbers. + + In the event a given Identification number was reused while the first + instance of the same number is still on the network, the first IP + datagram would be reassembled before the fragments of the second IP + datagram get to their destination. + + In the event this was not the case, the reassembly of fragments would + result in a corrupt datagram. While some existing work + [Silbersack2005] assumes that this error would be caught by some + upper-layer error detection code, the error detection code in + question (such as UDP's checksum) might not be able to reliably + detect data corruption arising from the replacement of a complete + data block (as is the case in corruption arising from collision of IP + Identification numbers). + + + + +Gont Informational [Page 18] + +RFC 6274 IPv4 Security Assessment July 2011 + + + In the case of UDP, unfortunately some systems have been known to + not enable the UDP checksum by default. For most applications, + packets containing errors should be dropped by the transport layer + and not delivered to the application. A small number of + applications may benefit from disabling the checksum; for example, + streaming media where it is desired to avoid dropping a complete + sample for a single-bit error, and UDP tunneling applications + where the payload (i.e., the inner packet) is protected by its own + transport checksum or other error detection mechanism. + + In general, if IP Identification number collisions become an issue + for the application using the connection-less protocol, the + application designers should consider using a different transport + protocol (which hopefully avoids fragmentation). + + It must be noted that an attacker could intentionally exploit + collisions of IP Identification numbers to perform a DoS attack, by + sending forged fragments that would cause the reassembly process to + result in a corrupt datagram that either would be dropped by the + transport protocol or would incorrectly be handed to the + corresponding application. This issue is discussed in detail in + Section 4.1 ("Fragment Reassembly"). + +3.6. Flags + + The IP header contains 3 control bits, two of which are currently + used for the fragmentation and reassembly function. + + As described by RFC 791, their meaning is: + + o Bit 0: reserved, must be zero (i.e., reserved for future + standardization) + + o Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment + + o Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments + + The DF bit is usually set to implement the Path-MTU Discovery (PMTUD) + mechanism described in [RFC1191]. However, it can also be exploited + by an attacker to evade Network Intrusion Detection Systems. An + attacker could send a packet with the DF bit set to a system + monitored by a NIDS, and depending on the Path-MTU to the intended + recipient, the packet might be dropped by some intervening router + (because of being too big to be forwarded without fragmentation), + without the NIDS being aware of it. + + + + + + +Gont Informational [Page 19] + +RFC 6274 IPv4 Security Assessment July 2011 + + + +---+ + | H | + +---+ Victim host + | + Router A | MTU=1500 + | + +---+ +---+ +---+ + | R |-----| R |---------| R | + +---+ +---+ +---+ + | MTU=17914 Router B + +---+ | + | S |-----+ + +---+ | + | + NIDS Sensor | + | + _ ___/---\______ Attacker + / \_/ \_ +---+ + / Internet |---------| H | + \_ __/ +---+ + \__ __ ___/ <------ + \___/ \__/ 17914-byte packet + DF bit set + + Figure 5: NIDS Evasion by Means of the Internet Protocol DF Bit + + In Figure 3, an attacker sends a 17914-byte datagram meant for the + victim host in the same figure. The attacker's packet probably + contains an overlapping IP fragment or an overlapping TCP segment, + aiming at "confusing" the NIDS, as described in [Ptacek1998]. The + packet is screened by the NIDS sensor at the network perimeter, which + probably reassembles IP fragments and TCP segments for the purpose of + assessing the data transferred to and from the monitored systems. + However, as the attacker's packet should transit a link with an MTU + smaller than 17914 bytes (1500 bytes in this example), the router + that encounters that this packet cannot be forwarded without + fragmentation (Router B) discards the packet, and sends an ICMP + "fragmentation needed and DF bit set" error message to the source + host. In this scenario, the NIDS may remain unaware that the + screened packet never reached the intended destination, and thus get + an incorrect picture of the data being transferred to the monitored + systems. + + [Shankar2003] introduces a technique named "Active Mapping" that + prevents evasion of a NIDS by acquiring sufficient knowledge about + the network being monitored, to assess which packets will arrive + at the intended recipient, and how they will be interpreted by it. + + + + +Gont Informational [Page 20] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Some firewalls are known to drop packets that have both the MF (More + Fragments) and the DF (Don't Fragment) bits set. While in principle + such a packet might seem nonsensical, there are a number of reasons + for which non-malicious packets with these two bits set can be found + in a network. First, they may exist as the result of some middle-box + processing a packet that was too large to be forwarded without + fragmentation. Instead of simply dropping the corresponding packet + and sending an ICMP error message to the source host, some middle- + boxes fragment the packet (copying the DF bit to each fragment), and + also send an ICMP error message to the originating system. Second, + some systems (notably Linux) set both the MF and the DF bits to + implement Path-MTU Discovery (PMTUD) for UDP. These scenarios should + be taken into account when configuring firewalls and/or tuning NIDSs. + + Section 4.1 contains a discussion of the security implications of the + IP fragment reassembly mechanism. + +3.7. Fragment Offset + + The Fragment Offset is used for the fragmentation and reassembly of + IP datagrams. It indicates where in the original datagram payload + the payload of the fragment belongs, and is measured in units of + eight bytes. As a consequence, all fragments (except the last one), + have to be aligned on an 8-byte boundary. Therefore, if a packet has + the MF flag set, the following check should be enforced: + + (Total Length - IHL * 4) % 8 == 0 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented + reflecting the packet drop). + + Given that Fragment Offset is a 13-bit field, it can hold a value of + up to 8191, which would correspond to an offset 65528 bytes within + the original (non-fragmented) datagram. As such, it is possible for + a fragment to implicitly claim to belong to a datagram larger than + 65535 bytes (the maximum size for a legitimate IP datagram). Even + when the fragmentation mechanism would seem to allow fragments that + could reassemble into such large datagrams, the intent of the + specification is to allow for the transmission of datagrams of up to + 65535 bytes. Therefore, if a given fragment would reassemble into a + datagram of more than 65535 bytes, the resulting datagram should be + dropped, and this event should be logged (e.g., a counter could be + incremented reflecting the packet drop). To detect such a case, the + following check should be enforced on all packets for which the + Fragment Offset contains a non-zero value: + + + + + +Gont Informational [Page 21] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Fragment Offset * 8 + (Total Length - IHL * 4) + IHL_FF * 4 <= 65535 + + where IHL_FF is the IHL field of the first fragment (the one with a + Fragment Offset of 0). + + If a fragment does not pass this check, it should be dropped. + + If IHL_FF is not yet available because the first fragment has not yet + arrived, for a preliminary, less rigid test, IHL_FF == IHL should be + assumed, and the test is simplified to: + + Fragment Offset * 8 + Total Length <= 65535 + + Once the first fragment is received, the full sanity check described + earlier should be applied, if that fragment contains "don't copy" + options. + + In the worst-case scenario, an attacker could craft IP fragments such + that the reassembled datagram reassembled into a datagram of 131043 + bytes. + + Such a datagram would result when the first fragment has a + Fragment Offset of 0 and a Total Length of 65532, and the second + (and last) fragment has a Fragment Offset of 8189 (65512 bytes), + and a Total Length of 65535. Assuming an IHL of 5 (i.e., a header + length of 20 bytes), the reassembled datagram would be 65532 + + (65535 - 20) = 131047 bytes. + + Additionally, the IP module should implement all the necessary + measures to be able to handle such illegitimate reassembled + datagrams, so as to avoid them from overflowing the buffer(s) used + for the reassembly function. + + [CERT1996c] and [Kenney1996] describe the exploitation of this + issue to perform a DoS attack. + + Section 4.1 contains a discussion of the security implications of the + IP fragment reassembly mechanism. + +3.8. Time to Live (TTL) + + The Time to Live (TTL) field has two functions: to bound the lifetime + of the upper-layer packets (e.g., TCP segments) and to prevent + packets from looping indefinitely in the network. + + Originally, this field was meant to indicate the maximum time a + datagram was allowed to remain in the Internet system, in units of + seconds. As every Internet module that processes a datagram must + + + +Gont Informational [Page 22] + +RFC 6274 IPv4 Security Assessment July 2011 + + + decrement the TTL by at least one, the original definition of the TTL + field became obsolete, and in practice it is interpreted as a hop + count (see Section 5.3.1 of [RFC1812]). + + Most systems allow the administrator to configure the TTL to be used + for the packets they originate, with the default value usually being + a power of 2, or 255 (e.g., see [Arkin2000]). The recommended value + for the TTL field, as specified by the IANA is 64 [IANA_IP_PARAM]. + This value reflects the assumed "diameter" of the Internet, plus a + margin to accommodate its growth. + + The TTL field has a number of properties that are interesting from a + security point of view. Given that the default value used for the + TTL is usually either a power of two, or 255, chances are that unless + the originating system has been explicitly tuned to use a non-default + value, if a packet arrives with a TTL of 60, the packet was + originally sent with a TTL of 64. In the same way, if a packet is + received with a TTL of 120, chances are that the original packet had + a TTL of 128. + + This discussion assumes there was no protocol scrubber, + transparent proxy, or some other middle-box that overwrites the + TTL field in a non-standard way, between the originating system + and the point of the network in which the packet was received. + + Determining the TTL with which a packet was originally sent by the + source system can help to obtain valuable information. Among other + things, it may help in: + + o Fingerprinting the originating operating system. + + o Fingerprinting the originating physical device. + + o Mapping the network topology. + + o Locating the source host in the network topology. + + o Evading Network Intrusion Detection Systems. + + However, it can also be used to perform important functions such as: + + o Improving the security of applications that make use of the + Internet Protocol (IP). + + o Limiting spread of packets. + + + + + + +Gont Informational [Page 23] + +RFC 6274 IPv4 Security Assessment July 2011 + + +3.8.1. Fingerprinting the Operating System in Use by the Source Host + + Different operating systems use a different default TTL for the + packets they send. Thus, asserting the TTL with which a packet was + originally sent will help heuristics to reduce the number of possible + operating systems in use by the source host. It should be noted that + since most systems use only a handful of different default values, + the granularity of OS fingerprinting that this technique provides is + negligible. Additionally, these defaults may be configurable + (system-wide or per protocol), and managed systems may employ such + opportunities for operational purposes and to defeat the capability + of fingerprinting heuristics. + +3.8.2. Fingerprinting the Physical Device from which the Packets + Originate + + When several systems are behind a middle-box such as a NAT or a load + balancer, the TTL may help to count the number of systems behind the + middle-box. If each of the systems behind the middle-box uses a + different default TTL value for the packets it sends, or each system + is located at different distances in the network topology, an + attacker could stimulate responses from the devices being + fingerprinted, and responses that arrive with different TTL values + could be assumed to come from a different devices. + + Of course, there are many other (and much more precise) techniques + to fingerprint physical devices. One weakness of this method is + that, while many systems differ in the default TTL value that they + use, there are also many implementations which use the same + default TTL value. Additionally, packets sent by a given device + may take different routes (e.g., due to load sharing or route + changes), and thus a given packet may incorrectly be presumed to + come from a different device, when in fact it just traveled a + different route. + + However, these defaults may be configurable (system-wide or per + protocol) and managed systems may employ such opportunities for + operational purposes and to defeat the capability of fingerprinting + heuristics. + +3.8.3. Mapping the Network Topology + + An originating host may set the TTL field of the packets it sends to + progressively increasing values in order to elicit an ICMP error + message from the routers that decrement the TTL of each packet to + zero, and thereby determine the IP addresses of the routers on the + path to the packet's destination. This procedure has been + traditionally employed by the traceroute tool. + + + +Gont Informational [Page 24] + +RFC 6274 IPv4 Security Assessment July 2011 + + +3.8.4. Locating the Source Host in the Network Topology + + The TTL field may also be used to locate the source system in the + network topology [Northcutt2000]. + + +---+ +---+ +---+ +---+ +---+ + | A |-----| R |------| R |----| R |-----| R | + +---+ +---+ +---+ +---+ +---+ + / | / \ + / | / \ + / | / +---+ + / +---+ +---+ +---+ | E | + / | R |----| R |------| R |-- +---+ + / +---+ +---+\ +---+ \ + / / / \ \ \ + / ---- / +---+ \ \+---+ + / / / | F | \ | D | + +---+ +---+ +---+ \ +---| + | R |----------| R |-- \ + +---+ +---+ \ \ + | \ / \ +---+| +---+ + | \ / ----| R |------| R | + | \ / +---+ +---+ + +---+ \ +---+ +---+ + | B | \| R |----| C | + +---+ +---+ +---+ + + Figure 6: Tracking a Host by Means of the TTL Field + + Consider network topology of Figure 6. Assuming that an attacker + ("F" in the figure) is performing some type of attack that requires + forging the Source Address (such as for a TCP-based DoS reflection + attack), and some of the involved hosts are willing to cooperate to + locate the attacking system. + + Assuming that: + + o All the packets A gets have a TTL of 61. + + o All the packets B gets have a TTL of 61. + + o All the packets C gets have a TTL of 61. + + o All the packets D gets have a TTL of 62. + + + + + + + +Gont Informational [Page 25] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Based on this information, and assuming that the system's default + value was not overridden, it would be fair to assume that the + original TTL of the packets was 64. With this information, the + number of hops between the attacker and each of the aforementioned + hosts can be calculated. + + The attacker is: + + o Four hops away from A. + + o Four hops away from B. + + o Four hops away from C. + + o Four hops away from D. + + In the network setup of Figure 3, the only system that satisfies all + these conditions is the one marked as the "F". + + The scenario described above is for illustration purposes only. In + practice, there are a number of factors that may prevent this + technique from being successfully applied: + + o Unless there is a "large" number of cooperating systems, and the + attacker is assumed to be no more than a few hops away from these + systems, the number of "candidate" hosts will usually be too large + for the information to be useful. + + o The attacker may be using a non-default TTL value, or, what is + worse, using a pseudo-random value for the TTL of the packets it + sends. + + o The packets sent by the attacker may take different routes, as a + result of a change in network topology, load sharing, etc., and + thus may lead to an incorrect analysis. + +3.8.5. Evading Network Intrusion Detection Systems + + The TTL field can be used to evade Network Intrusion Detection + Systems. Depending on the position of a sensor relative to the + destination host of the examined packet, the NIDS may get a different + picture from that of the intended destination system. As an example, + a sensor may process a packet that will expire before getting to the + destination host. A general countermeasure for this type of attack + is to normalize the traffic that gets to an organizational network. + Examples of such traffic normalization can be found in [Paxson2001]. + OpenBSD Packet Filter is an example of a packet filter that includes + TTL-normalization functionality [OpenBSD-PF] + + + +Gont Informational [Page 26] + +RFC 6274 IPv4 Security Assessment July 2011 + + +3.8.6. Improving the Security of Applications That Make Use of the + Internet Protocol (IP) + + In some scenarios, the TTL field can be also used to improve the + security of an application, by restricting the hosts that can + communicate with the given application [RFC5082]. For example, there + are applications for which the communicating systems are typically in + the same network segment (i.e., there are no intervening routers). + Such an application is the BGP (Border Gateway Protocol) utilized by + two peer routers (usually on a shared link medium). + + If both systems use a TTL of 255 for all the packets they send to + each other, then a check could be enforced to require all packets + meant for the application in question to have a TTL of 255. + + As all packets sent by systems that are not in the same network + segment will have a TTL smaller than 255, those packets will not pass + the check enforced by these two cooperating peers. This check + reduces the set of systems that may perform attacks against the + protected application (BGP in this case), thus mitigating the attack + vectors described in [NISCC2004] and [Watson2004]. + + This same check is enforced for related ICMP error messages, with + the intent of mitigating the attack vectors described in + [NISCC2005] and [RFC5927]. + + The TTL field can be used in a similar way in scenarios in which the + cooperating systems are not in the same network segment (i.e., multi- + hop peering). In that case, the following check could be enforced: + + TTL >= 255 - DeltaHops + + This means that the set of hosts from which packets will be accepted + for the protected application will be reduced to those that are no + more than DeltaHops away. While for obvious reasons the level of + protection will be smaller than in the case of directly connected + peers, the use of the TTL field for protecting multi-hop peering + still reduces the set of hosts that could potentially perform a + number of attacks against the protected application. + + This use of the TTL field has been officially documented by the IETF + under the name "Generalized TTL Security Mechanism" (GTSM) in + [RFC5082]. + + + + + + + + +Gont Informational [Page 27] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Some protocol scrubbers enforce a minimum value for the TTL field of + the packets they forward. It must be understood that depending on + the minimum TTL being enforced, and depending on the particular + network setup, the protocol scrubber may actually help attackers to + fool the GTSM, by "raising" the TTL of the attacking packets. + +3.8.7. Limiting Spread + + The originating host sets the TTL field to a small value (frequently + 1, for link-scope services) in order to artificially limit the + (topological) distance the packet is allowed to travel. This is + suggested in Section 4.2.2.9 of RFC 1812 [RFC1812]. Further + discussion of this technique can be found in RFC 1112 [RFC1112]. + +3.9. Protocol + + The Protocol field indicates the protocol encapsulated in the + Internet datagram. The Protocol field may not only contain a value + corresponding to a protocol implemented by the system processing the + packet, but also a value corresponding to a protocol not implemented, + or even a value not yet assigned by the IANA [IANA_PROT_NUM]. + + While in theory there should not be security implications from the + use of any value in the protocol field, there have been security + issues in the past with systems that had problems when handling + packets with some specific protocol numbers [Cisco2003] [CERT2003]. + + A host (i.e., end-system) that receives an IP packet encapsulating a + Protocol it does not support should drop the corresponding packet, + log the event, and possibly send an ICMP Protocol Unreachable (type + 3, code 2) error message. + +3.10. Header Checksum + + The Header Checksum field is an error-detection mechanism meant to + detect errors in the IP header. While in principle there should not + be security implications arising from this field, it should be noted + that due to non-RFC-compliant implementations, the Header Checksum + might be exploited to detect firewalls and/or evade NIDSs. + + [Ed3f2002] describes the exploitation of the TCP checksum for + performing such actions. As there are Internet routers known to not + check the IP Header Checksum, and there might also be middle-boxes + (NATs, firewalls, etc.) not checking the IP checksum allegedly due to + performance reasons, similar malicious activity to the one described + in [Ed3f2002] might be performed with the IP checksum. + + + + + +Gont Informational [Page 28] + +RFC 6274 IPv4 Security Assessment July 2011 + + +3.11. Source Address + + The Source Address of an IP datagram identifies the node from which + the packet originated. + + Strictly speaking, the Source Address of an IP datagram identifies + the interface of the sending system from which the packet was + sent, (rather than the originating "system"), as in the Internet + Architecture there's no concept of "node address". + + Unfortunately, it is trivial to forge the Source Address of an + Internet datagram because of the apparent lack of consistent "egress + filtering" near the edge of the network. This has been exploited in + the past for performing a variety of DoS attacks [NISCC2004] + [RFC4987] [CERT1996a] [CERT1996b] [CERT1998a] and for impersonating + other systems in scenarios in which authentication was based on the + Source Address of the sending system [daemon91996]. + + The extent to which these attacks can be successfully performed in + the Internet can be reduced through deployment of ingress/egress + filtering in the Internet routers. [NISCC2006] is a detailed guide + on ingress and egress filtering. [RFC2827] and [RFC3704] discuss + ingress filtering. [GIAC2000] discusses egress filtering. + [SpooferProject] measures the Internet's susceptibility to forged + Source Address IP packets. + + Even when the obvious field on which to perform checks for + ingress/egress filtering is the Source Address and Destination + Address fields of the IP header, there are other occurrences of IP + addresses on which the same type of checks should be performed. + One example is the IP addresses contained in the payload of ICMP + error messages, as discussed in [RFC5927] and [Gont2006]. + + There are a number of sanity checks that should be performed on the + Source Address of an IP datagram. Details can be found in + Section 4.3 ("Addressing"). + + Additionally, there exist freely available tools that allow + administrators to monitor which IP addresses are used with which MAC + addresses [LBNL2006]. This functionality is also included in many + NIDSs. + + It is also very important to understand that authentication should + never rely solely on the Source Address used by the communicating + systems. + + + + + + +Gont Informational [Page 29] + +RFC 6274 IPv4 Security Assessment July 2011 + + +3.12. Destination Address + + The Destination Address of an IP datagram identifies the destination + host to which the packet is meant to be delivered. + + Strictly speaking, the Destination Address of an IP datagram + identifies the interface of the destination network interface, + rather than the destination "system", as in the Internet + Architecture there's no concept of "node address". + + There are a number of sanity checks that should be performed on the + Destination Address of an IP datagram. Details can be found in + Section 4.3 ("Addressing"). + +3.13. Options + + According to RFC 791, IP options must be implemented by all IP + modules, both in hosts and gateways (i.e., end-systems and + intermediate-systems). This means that the general rules for + assembling, parsing, and processing of IP options must be + implemented. RFC 791 defines a set of options that "must be + understood", but this set has been updated by RFC 1122 [RFC1122], RFC + 1812 [RFC1812], and other documents. Section 3.13.2 of this document + describes for each option type the current understanding of the + implementation requirements. IP systems are required to ignore + options they do not implement. + + It should be noted that while a number of IP options have been + specified, they are generally only used for troubleshooting + purposes (except for the Router Alert option and the different + Security options). + + There are two cases for the format of an option: + + o Case 1: A single byte of option-type. + + o Case 2: An option-type byte, an option-length byte, and the actual + option-data bytes. + + In Case 2, the option-length byte counts the option-type byte and the + option-length byte, as well as the actual option-data bytes. + + All current and future options except End of Option List (Type = 0) + and No Operation (Type = 1), are of Class 2. + + The option-type has three fields: + + o 1 bit: copied flag. + + + +Gont Informational [Page 30] + +RFC 6274 IPv4 Security Assessment July 2011 + + + o 2 bits: option class. + + o 5 bits: option number. + + This format allows for the creation of new options for the extension + of the Internet Protocol (IP) and their transparent treatment on + intermediate-systems that do not "understand" them, under direction + of the first three functional parts. + + The copied flag indicates whether this option should be copied to all + fragments in the event the packet carrying it needs to be fragmented: + + o 0 = not copied. + + o 1 = copied. + + The values for the option class are: + + o 0 = control. + + o 1 = reserved for future use. + + o 2 = debugging and measurement. + + o 3 = reserved for future use. + + Finally, the option number identifies the syntax of the rest of the + option. + + [IANA_IP_PARAM] contains the list of the currently assigned IP option + numbers. It should be noted that IP systems are required to ignore + those options they do not implement. + +3.13.1. General Issues with IP Options + + The following subsections discuss security issues that apply to all + IP options. The proposed checks should be performed in addition to + any option-specific checks proposed in the next sections. + +3.13.1.1. Processing Requirements + + Router manufacturers tend to do IP option processing on the main + processor, rather than on line cards. Unless special care is taken, + this represents DoS risk, as there is potential for overwhelming the + router with option processing. + + To reduce the impact of these packets on the system performance, a + few countermeasures could be implemented: + + + +Gont Informational [Page 31] + +RFC 6274 IPv4 Security Assessment July 2011 + + + o Rate-limit the number of packets with IP options that are + processed by the system. + + o Enforce a limit on the maximum number of options to be accepted on + a given Internet datagram. + + The first check avoids a flow of packets with IP options to overwhelm + the system in question. The second check avoids packets with many IP + options to affect the performance of the system. + +3.13.1.2. Processing of the Options by the Upper-Layer Protocol + + Section 3.2.1.8 of RFC 1122 [RFC1122] states that all the IP options + received in IP datagrams must be passed to the transport layer (or to + ICMP processing when the datagram is an ICMP message). Therefore, + care in option processing must be taken not only at the Internet + layer but also in every protocol module that may end up processing + the options included in an IP datagram. + +3.13.1.3. General Sanity Checks on IP Options + + There are a number of sanity checks that should be performed on IP + options before further option processing is done. They help prevent + a number of potential security problems, including buffer overflows. + When these checks fail, the packet carrying the option should be + dropped, and this event should be logged (e.g., a counter could be + incremented to reflect the packet drop). + + RFC 1122 [RFC1122] recommends to send an ICMP "Parameter Problem" + message to the originating system when a packet is dropped because of + an invalid value in a field, such as the cases discussed in the + following subsections. Sending such a message might help in + debugging some network problems. However, it would also alert + attackers about the system that is dropping packets because of the + invalid values in the protocol fields. + + We advice that systems default to sending an ICMP "Parameter Problem" + error message when a packet is dropped because of an invalid value in + a protocol field (e.g., as a result of dropping a packet due to the + sanity checks described in this section). However, we recommend that + systems provide a system-wide toggle that allows an administrator to + override the default behavior so that packets can be silently dropped + when an invalid value in a protocol field is encountered. + + + + + + + + +Gont Informational [Page 32] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Option length + + Section 3.2.1.8 of RFC 1122 explicitly states that the IP layer + must not crash as the result of an option length that is outside + the possible range, and mentions that erroneous option lengths + have been observed to put some IP implementations into infinite + loops. + + For options that belong to the "Case 2" described in the previous + section, the following check should be performed: + + option-length >= 2 + + The value "2" accounts for the option-type byte and the option- + length byte. + + This check prevents, among other things, loops in option + processing that may arise from incorrect option lengths. + + Additionally, while the option-length byte of IP options of + "Case 2" allows for an option length of up to 255 bytes, there is + a limit on legitimate option length imposed by the space available + for options in the IP header. + + For all options of "Case 2", the following check should be + enforced: + + option-offset + option-length <= IHL * 4 + + Where option-offset is the offset of the first byte of the option + within the IP header, with the first byte of the IP header being + assigned an offset of 0. + + This check assures that the option does not claim to extend beyond + the IP header. If the packet does not pass this check, it should + be dropped, and this event should be logged (e.g., a counter could + be incremented to reflect the packet drop). + + The aforementioned check is meant to detect forged option-length + values that might make an option overlap with the IP payload. + This would be particularly dangerous for those IP options that + request the processing systems to write information into the + option-data area (such as the Record Route option), as it would + allow the generation of overflows. + + + + + + + +Gont Informational [Page 33] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Data types + + Many IP options use pointer and length fields. Care must be taken + as to the data type used for these fields in the implementation. + For example, if an 8-bit signed data type were used to hold an + 8-bit pointer, then, pointer values larger than 128 might + mistakenly be interpreted as negative numbers, and thus might lead + to unpredictable results. + +3.13.2. Issues with Specific Options + +3.13.2.1. End of Option List (Type=0) + + This option is used to indicate the "end of options" in those cases + in which the end of options would not coincide with the end of the + Internet Protocol header. Octets in the IP header following the "End + of Option List" are to be regarded as padding (they should set to 0 + by the originator and must to be ignored by receiving nodes). + + However, an originating node could alternatively fill the remaining + space in the Internet header with No Operation options (see + Section 3.13.2.2). The End of Option List option allows slightly + more efficient parsing on receiving nodes and should be preferred by + packet originators. All IP systems are required to understand both + encodings. + +3.13.2.2. No Operation (Type=1) + + The No Operation option is basically meant to allow the sending + system to align subsequent options in, for example, 32-bit + boundaries, but it can also be used at the end of the options (see + Section 3.13.2.1). + + With a single exception (see Section 3.13.2.13), this option is the + only IP option defined so far that can occur in multiple instances in + a single IP packet. + + This option does not have security implications. + +3.13.2.3. Loose Source and Record Route (LSRR) (Type=131) + + This option lets the originating system specify a number of + intermediate-systems a packet must pass through to get to the + destination host. Additionally, the route followed by the packet is + recorded in the option. The receiving host (end-system) must use the + reverse of the path contained in the received LSRR option. + + + + + +Gont Informational [Page 34] + +RFC 6274 IPv4 Security Assessment July 2011 + + + The LSSR option can be of help in debugging some network problems. + Some ISP (Internet Service Provider) peering agreements require + support for this option in the routers within the peer of the ISP. + + The LSRR option has well-known security implications. Among other + things, the option can be used to: + + o Bypass firewall rules + + o Reach otherwise unreachable Internet systems + + o Establish TCP connections in a stealthy way + + o Learn about the topology of a network + + o Perform bandwidth-exhaustion attacks + + Of these attack vectors, the one that has probably received the least + attention is the use of the LSRR option to perform bandwidth + exhaustion attacks. The LSRR option can be used as an amplification + method for performing bandwidth-exhaustion attacks, as an attacker + could make a packet bounce multiple times between a number of systems + by carefully crafting an LSRR option. + + This is the IPv4-version of the IPv6 amplification attack that was + widely publicized in 2007 [Biondi2007]. The only difference is + that the maximum length of the IPv4 header (and hence the LSRR + option) limits the amplification factor when compared to the IPv6 + counterpart. + + While the LSSR option may be of help in debugging some network + problems, its security implications outweigh any legitimate use. + + All systems should, by default, drop IP packets that contain an LSRR + option, and should log this event (e.g., a counter could be + incremented to reflect the packet drop). However, they should + provide a system-wide toggle to enable support for this option for + those scenarios in which this option is required. Such system-wide + toggle should default to "off" (or "disable"). + + [OpenBSD1998] is a security advisory about an improper + implementation of such a system-wide toggle in 4.4BSD kernels. + + Section 3.3.5 of RFC 1122 [RFC1122] states that a host may be able to + act as an intermediate hop in a source route, forwarding a source- + routed datagram to the next specified hop. We strongly discourage + host software from forwarding source-routed datagrams. + + + + +Gont Informational [Page 35] + +RFC 6274 IPv4 Security Assessment July 2011 + + + If processing of source-routed datagrams is explicitly enabled in a + system, the following sanity checks should be performed. + + RFC 791 states that this option should appear, at most, once in a + given packet. Thus, if a packet contains more than one LSRR option, + it should be dropped, and this event should be logged (e.g., a + counter could be incremented to reflect the packet drop). + Additionally, packets containing a combination of LSRR and SSRR + options should be dropped, and this event should be logged (e.g., a + counter could be incremented to reflect the packet drop). + + As all other IP options of "Case 2", the LSSR contains a Length field + that indicates the length of the option. Given the format of the + option, the Length field should be checked to have a minimum value of + three and be 3 (3 + n*4): + + LSRR.Length % 4 == 3 && LSRR.Length != 0 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + The Pointer is relative to this option. Thus, the minimum legal + value is 4. Therefore, the following check should be performed. + + LSRR.Pointer >= 4 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). Additionally, the Pointer field should be + a multiple of 4. Consequently, the following check should be + performed: + + LSRR.Pointer % 4 == 0 + + If a packet does not pass this check, it should be dropped, and this + event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + When a system receives an IP packet with the LSRR option passing the + above checks, it should check whether or not the source route is + empty. The option is empty if: + + LSRR.Pointer > LSRR.Length + + In that case, routing should be based on the Destination Address + field, and no further processing should be done on the LSRR option. + + + + +Gont Informational [Page 36] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [Microsoft1999] is a security advisory about a vulnerability + arising from improper validation of the LSRR.Pointer field. + + If the address in the Destination Address field has been reached, and + the option is not empty, the next address in the source route + replaces the address in the Destination Address field, and the IP + address of the interface that will be used to forward this datagram + is recorded in its place in the LSRR.Data field. Then, the + LSRR.Pointer. is incremented by 4. + + Note that the sanity checks for the LSRR.Length and the + LSRR.Pointer fields described above ensure that if the option is + not empty, there will be (4*n) octets in the option. That is, + there will be at least one IP address to read and enough room to + record the IP address of the interface that will be used to + forward this datagram. + + The LSRR must be copied on fragmentation. This means that if a + packet that carries the LSRR is fragmented, each of the fragments + will have to go through the list of systems specified in the LSRR + option. + +3.13.2.4. Strict Source and Record Route (SSRR) (Type=137) + + This option allows the originating system to specify a number of + intermediate-systems a packet must pass through to get to the + destination host. Additionally, the route followed by the packet is + recorded in the option, and the destination host (end-system) must + use the reverse of the path contained in the received SSRR option. + + This option is similar to the Loose Source and Record Route (LSRR) + option, with the only difference that in the case of SSRR, the route + specified in the option is the exact route the packet must take + (i.e., no other intervening routers are allowed to be in the route). + + The SSSR option can be of help in debugging some network problems. + Some ISP (Internet Service Provider) peering agreements require + support for this option in the routers within the peer of the ISP. + + The SSRR option has the same security implications as the LSRR + option. Please refer to Section 3.13.2.3 for a discussion of such + security implications. + + As with the LSRR, while the SSSR option may be of help in debugging + some network problems, its security implications outweigh any + legitimate use of it. + + + + + +Gont Informational [Page 37] + +RFC 6274 IPv4 Security Assessment July 2011 + + + All systems should, by default, drop IP packets that contain an SSRR + option, and should log this event (e.g., a counter could be + incremented to reflect the packet drop). However, they should + provide a system-wide toggle to enable support for this option for + those scenarios in which this option is required. Such system-wide + toggle should default to "off" (or "disable"). + + [OpenBSD1998] is a security advisory about an improper + implementation of such a system-wide toggle in 4.4BSD kernels. + + In the event processing of the SSRR option were explicitly enabled, + the same sanity checks described for the LSRR option in + Section 3.13.2.3 should be performed on the SSRR option. Namely, + sanity checks should be performed on the option length (SSRR.Length) + and the pointer field (SSRR.Pointer). + + If the packet passes the aforementioned sanity checks, the receiving + system should determine whether the Destination Address of the packet + corresponds to one of its IP addresses. If does not, it should be + dropped, and this event should be logged (e.g., a counter could be + incremented to reflect the packet drop). + + Contrary to the IP Loose Source and Record Route (LSRR) option, + the SSRR option does not allow in the route other routers than + those contained in the option. If the system implements the weak + end-system model, it is allowed for the system to receive a packet + destined to any of its IP addresses, on any of its interfaces. If + the system implements the strong end-system model, a packet + destined to it can be received only on the interface that + corresponds to the IP address contained in the Destination Address + field [RFC1122]. + + If the packet passes this check, the receiving system should + determine whether the source route is empty or not. The option is + empty if: + + SSRR.Pointer > SSRR.Length + + In that case, if the address in the destination field has not been + reached, the packet should be dropped, and this event should be + logged (e.g., a counter could be incremented to reflect the packet + drop). + + [Microsoft1999] is a security advisory about a vulnerability + arising from improper validation of the SSRR.Pointer field. + + + + + + +Gont Informational [Page 38] + +RFC 6274 IPv4 Security Assessment July 2011 + + + If the option is not empty, and the address in the Destination + Address field has been reached, the next address in the source route + replaces the address in the Destination Address field, and the IP + address of the interface that will be used to forward this datagram + is recorded in its place in the source route (SSRR.Data field). + Then, the SSRR.Pointer is incremented by 4. + + Note that the sanity checks for the SSRR.Length and the + SSRR.Pointer fields described above ensure that if the option is + not empty, there will be (4*n) octets in the option. That is, + there will be at least one IP address to read, and enough room to + record the IP address of the interface that will be used to + forward this datagram. + + The SSRR option must be copied on fragmentation. This means that if + a packet that carries the SSRR is fragmented, each of the fragments + will have to go through the list of systems specified in the SSRR + option. + +3.13.2.5. Record Route (Type=7) + + This option provides a means to record the route that a given packet + follows. + + The option begins with an 8-bit option code, which is equal to 7. + The second byte is the option length, which includes the option-type + byte, the option-length byte, the pointer byte, and the actual + option-data. The third byte is a pointer into the route data, + indicating the first byte of the area in which to store the next + route data. The pointer is relative to the option start. + + RFC 791 states that this option should appear, at most, once in a + given packet. Therefore, if a packet has more than one instance of + this option, it should be dropped, and this event should be logged + (e.g., a counter could be incremented to reflect the packet drop). + + The same sanity checks performed for the Length field and the Pointer + field of the LSRR and the SSRR options should be performed on the + Length field (RR.Length) and the Pointer field (RR.Pointer) of the RR + option. As with the LSRR and SSRR options, if the packet does not + pass these checks it should be dropped, and this event should be + logged (e.g., a counter could be incremented to reflect the packet + drop). + + When a system receives an IP packet with the Record Route option that + passes the above checks, it should check whether there is space in + the option to store route information. The option is full if: + + + + +Gont Informational [Page 39] + +RFC 6274 IPv4 Security Assessment July 2011 + + + RR.Pointer > RR.Length + + If the option is full, the datagram should be forwarded without + further processing of this option. + + If the option is not full (i.e., RR.Pointer <= RR.Length), the IP + address of the interface that will be used to forward this datagram + should be recorded into the area pointed to by the RR.Pointer, and + RR.Pointer should then incremented by 4. + + This option is not copied on fragmentation, and thus appears in the + first fragment only. If a fragment other than the one with offset 0 + contains the Record Route option, it should be dropped, and this + event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + The Record Route option can be exploited to learn about the topology + of a network. However, the limited space in the IP header limits the + usefulness of this option for that purpose if the target network is + several hops away. + +3.13.2.6. Stream Identifier (Type=136) + + The Stream Identifier option originally provided a means for the + 16-bit SATNET stream Identifier to be carried through networks that + did not support the stream concept. + + However, as stated by Section 4.2.2.1 of RFC 1812 [RFC1812], this + option is obsolete. Therefore, it must be ignored by the processing + systems. + + In the case of legacy systems still using this option, the length + field of the option should be checked to be 4. If the option does + not pass this check, it should be dropped, and this event should be + logged (e.g., a counter could be incremented to reflect the packet + drop). + + RFC 791 states that this option appears at most once in a given + datagram. Therefore, if a packet contains more than one instance of + this option, it should be dropped, and this event should be logged + (e.g., a counter could be incremented to reflect the packet drop). + +3.13.2.7. Internet Timestamp (Type=68) + + This option provides a means for recording the time at which each + system processed this datagram. The timestamp option has a number of + security implications. Among them are the following: + + + + +Gont Informational [Page 40] + +RFC 6274 IPv4 Security Assessment July 2011 + + + o It allows an attacker to obtain the current time of the systems + that process the packet, which the attacker may find useful in a + number of scenarios. + + o It may be used to map the network topology, in a similar way to + the IP Record Route option. + + o It may be used to fingerprint the operating system in use by a + system processing the datagram. + + o It may be used to fingerprint physical devices by analyzing the + clock skew. + + Therefore, by default, the timestamp option should be ignored. + + For those systems that have been explicitly configured to honor this + option, the rest of this subsection describes some sanity checks that + should be enforced on the option before further processing. + + The option begins with an option-type byte, which must be equal to + 68. The second byte is the option-length, which includes the option- + type byte, the option-length byte, the pointer, and the overflow/flag + byte. The minimum legal value for the option-length byte is 4, which + corresponds to an Internet Timestamp option that is empty (no space + to store timestamps). Therefore, upon receipt of a packet that + contains an Internet Timestamp option, the following check should be + performed: + + IT.Length >= 4 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + The Pointer is an index within this option, counting the option type + octet as octet #1. It points to the first byte of the area in which + the next timestamp data should be stored and thus, the minimum legal + value is 5. Since the only change of the Pointer allowed by RFC 791 + is incrementing it by 4 or 8, the following checks should be + performed on the Internet Timestamp option, depending on the Flag + value (see below). + + If IT.Flag is equal to 0, the following check should be performed: + + IT.Pointer %4 == 1 && IT.Pointer != 1 + + + + + + +Gont Informational [Page 41] + +RFC 6274 IPv4 Security Assessment July 2011 + + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + Otherwise, the following sanity check should be performed on the + option: + + IT.Pointer % 8 == 5 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + The flag field has three possible legal values: + + o 0: Record time stamps only, stored in consecutive 32-bit words. + + o 1: Record each timestamp preceded with the Internet address of the + registering entity. + + o 3: The internet address fields of the option are pre-specified. + An IP module only registers its timestamp if it matches its own + address with the next specified Internet address. + + Therefore the following check should be performed: + + IT.Flag == 0 || IT.Flag == 1 || IT.Flag == 3 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + The timestamp field is a right-justified 32-bit timestamp in + milliseconds since UTC. If the time is not available in + milliseconds, or cannot be provided with respect to UTC, then any + time may be inserted as a timestamp, provided the high-order bit of + the timestamp is set, to indicate this non-standard value. + + According to RFC 791, the initial contents of the timestamp area must + be initialized to zero, or Internet address/zero pairs. However, + Internet systems should be able to handle non-zero values, possibly + discarding the offending datagram. + + When an Internet system receives a packet with an Internet Timestamp + option, it decides whether it should record its timestamp in the + option. If it determines that it should, it should then determine + whether the timestamp data area is full, by means of the following + check: + + + +Gont Informational [Page 42] + +RFC 6274 IPv4 Security Assessment July 2011 + + + IT.Pointer > IT.Length + + If this condition is true, the timestamp data area is full. If not, + there is room in the timestamp data area. + + If the timestamp data area is full, the overflow byte should be + incremented, and the packet should be forwarded without inserting the + timestamp. If the overflow byte itself overflows, the packet should + be dropped, and this event should be logged (e.g., a counter could be + incremented to reflect the packet drop). + + If the timestamp data area is not full, then processing continues as + follows (note that the above checks on IT.Pointer ensure that there + is room for another entry in the option): + + o If IT.Flag is 0, then the system's 32-bit timestamp is stored into + the area pointed to by the pointer byte and the pointer byte is + incremented by 4. + + o If IT.Flag is 1, then the IP address of the system is stored into + the area pointed to by the pointer byte, followed by the 32-bit + system timestamp, and the pointer byte is incremented by 8. + + o Otherwise (IT.Flag is 3), if the IP address in the first 4 bytes + pointed to by IT.Pointer matches one of the IP addresses assigned + to an interface of the system, then the system's timestamp is + stored into the area pointed to by IT.Pointer + 4, and the pointer + byte is incremented by 8. + + [Kohno2005] describes a technique for fingerprinting devices by + measuring the clock skew. It exploits, among other things, the + timestamps that can be obtained by means of the ICMP timestamp + request messages [RFC0791]. However, the same fingerprinting method + could be implemented with the aid of the Internet Timestamp option. + +3.13.2.8. Router Alert (Type=148) + + The Router Alert option is defined in RFC 2113 [RFC2113] and later + updates to it have been clarified by RFC 5350 [RFC5350]. It contains + a 16-bit Value governed by an IANA registry (see [RFC5350]). The + Router Alert option has the semantic "routers should examine this + packet more closely, if they participate in the functionality denoted + by the Value of the option". + + According to the syntax of the option as defined in RFC 2113, the + following check should be enforced, if the router supports this + option: + + + + +Gont Informational [Page 43] + +RFC 6274 IPv4 Security Assessment July 2011 + + + RA.Length == 4 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + A packet that contains a Router Alert option with an option value + corresponding to functionality supported by an active module in the + router will not go through the router's fast-path but will be + processed in the slow path of the router, handing it over for closer + inspection to the modules that has registered the matching option + value. Therefore, this option may impact the performance of the + systems that handle the packet carrying it. + + [ROUTER-ALERT] analyzes the security implications of the Router + Alert option, and identifies controlled environments in which the + Router Alert option can be used safely. + + As explained in RFC 2113 [RFC2113], hosts should ignore this option. + +3.13.2.9. Probe MTU (Type=11) (Obsolete) + + This option was defined in RFC 1063 [RFC1063] and originally provided + a mechanism to discover the Path-MTU. + + This option is obsolete, and therefore any packet that is received + containing this option should be dropped, and this event should be + logged (e.g., a counter could be incremented to reflect the packet + drop). + +3.13.2.10. Reply MTU (Type=12) (Obsolete) + + This option is defined in RFC 1063 [RFC1063], and originally provided + a mechanism to discover the Path-MTU. + + This option is obsolete, and therefore any packet that is received + containing this option should be dropped, and this event should be + logged (e.g., a counter could be incremented to reflect the packet + drop). + +3.13.2.11. Traceroute (Type=82) + + This option is defined in RFC 1393 [RFC1393], and originally provided + a mechanism to trace the path to a host. + + + + + + + +Gont Informational [Page 44] + +RFC 6274 IPv4 Security Assessment July 2011 + + + The Traceroute option was specified as "experimental", and it was + never deployed on the public Internet. Therefore, any packet that is + received containing this option should be dropped, and this event + should be logged (e.g., a counter could be incremented to reflect the + packet drop). + +3.13.2.12. Department of Defense (DoD) Basic Security Option (Type=130) + + This option is used by Multi-Level-Secure (MLS) end-systems and + intermediate-systems in specific environments to [RFC1108]: + + o Transmit from source to destination in a network standard + representation the common security labels required by computer + security models, + + o Validate the datagram as appropriate for transmission from the + source and delivery to the destination, and + + o Ensure that the route taken by the datagram is protected to the + level required by all protection authorities indicated on the + datagram. + + It is specified by RFC 1108 [RFC1108] (which obsoletes RFC 1038 + [RFC1038]). + + RFC 791 [RFC0791] defined the "Security Option" (Type=130), which + used the same option type as the DoD Basic Security option + discussed in this section. The "Security Option" specified in RFC + 791 is considered obsolete by Section 3.2.1.8 of RFC 1122, and + therefore the discussion in this section is focused on the DoD + Basic Security option specified by RFC 1108 [RFC1108]. + + Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement + this option". + + The DoD Basic Security option is currently implemented in a number of + operating systems (e.g., [IRIX2008], [SELinux2009], [Solaris2007], + and [Cisco2008]), and deployed in a number of high-security networks. + + Systems that belong to networks in which this option is in use should + process the DoD Basic Security option contained in each packet as + specified in [RFC1108]. + + RFC 1108 states that the option should appear at most once in a + datagram. Therefore, if more than one DoD Basic Security option + (BSO) appears in a given datagram, the corresponding datagram should + be dropped, and this event should be logged (e.g., a counter could be + incremented to reflect the packet drop). + + + +Gont Informational [Page 45] + +RFC 6274 IPv4 Security Assessment July 2011 + + + RFC 1108 states that the option Length is variable, with a minimum + option Length of 3 bytes. Therefore, the following check should be + performed: + + BSO.Length >= 3 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + Current deployments of the security options described in this + section and the two subsequent sections have motivated the + specification of a "Common Architecture Label IPv6 Security Option + (CALIPSO)" for the IPv6 protocol [RFC5570]. + +3.13.2.13. DoD Extended Security Option (Type=133) + + This option permits additional security labeling information, beyond + that present in the Basic Security option (Section 3.13.2.13), to be + supplied in an IP datagram to meet the needs of registered + authorities. It is specified by RFC 1108 [RFC1108]. + + This option may be present only in conjunction with the DoD Basic + Security option. Therefore, if a packet contains a DoD Extended + Security option (ESO), but does not contain a DoD Basic Security + option, it should be dropped, and this event should be logged (e.g., + a counter could be incremented to reflect the packet drop). It + should be noted that, unlike the DoD Basic Security option, this + option may appear multiple times in a single IP header. + + Systems that belong to networks in which this option is in use, + should process the DoD Extended Security option contained in each + packet as specified in RFC 1108 [RFC1108]. + + RFC 1108 states that the option Length is variable, with a minimum + option Length of 3 bytes. Therefore, the following check should be + performed: + + ESO.Length >= 3 + + If the packet does not pass this check, it should be dropped, and + this event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + + + + + + + +Gont Informational [Page 46] + +RFC 6274 IPv4 Security Assessment July 2011 + + +3.13.2.14. Commercial IP Security Option (CIPSO) (Type=134) + + This option was proposed by the Trusted Systems Interoperability + Group (TSIG), with the intent of meeting trusted networking + requirements for the commercial trusted systems market place. It is + specified in [CIPSO1992] and [FIPS1994]. + + The TSIG proposal was taken to the Commercial Internet Security + Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an + Internet-Draft was produced [CIPSO1992]. The Internet-Draft was + never published as an RFC, but the proposal was later standardized + by the U.S. National Institute of Standards and Technology (NIST) + as "Federal Information Processing Standard Publication 188" + [FIPS1994]. + + It is currently implemented in a number of operating systems (e.g., + IRIX [IRIX2008], Security-Enhanced Linux [SELinux2009], and Solaris + [Solaris2007]), and deployed in a number of high-security networks. + + [Zakrzewski2002] and [Haddad2004] provide an overview of a Linux + implementation. + + Systems that belong to networks in which this option is in use should + process the CIPSO option contained in each packet as specified in + [CIPSO1992]. + + According to the option syntax specified in [CIPSO1992], the + following validation check should be performed: + + CIPSO.Length >= 6 + + If a packet does not pass this check, it should be dropped, and this + event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + +3.13.2.15. Sender Directed Multi-Destination Delivery (Type=149) + + This option is defined in RFC 1770 [RFC1770] and originally provided + unreliable UDP delivery to a set of addresses included in the option. + + This option is obsolete. If a received packet contains this option, + it should be dropped, and this event should be logged (e.g., a + counter could be incremented to reflect the packet drop). + + + + + + + + +Gont Informational [Page 47] + +RFC 6274 IPv4 Security Assessment July 2011 + + +4. Internet Protocol Mechanisms + +4.1. Fragment Reassembly + + To accommodate networks with different Maximum Transmission Units + (MTUs), the Internet Protocol provides a mechanism for the + fragmentation of IP packets by end-systems (hosts) and/or + intermediate-systems (routers). Reassembly of fragments is performed + only by the end-systems. + + [Cerf1974] provides the rationale for why packet reassembly is not + performed by intermediate-systems. + + During the last few decades, IP fragmentation and reassembly has been + exploited in a number of ways, to perform actions such as evading + NIDSs, bypassing firewall rules, and performing DoS attacks. + + [Bendi1998] and [Humble1998] are examples of the exploitation of + these issues for performing DoS attacks. [CERT1997] and + [CERT1998b] document these issues. [Anderson2001] is a survey of + fragmentation attacks. [US-CERT2001] is an example of the + exploitation of IP fragmentation to bypass firewall rules. + [CERT1999] describes the implementation of fragmentation attacks + in Distributed Denial-of-Service (DDoS) attack tools. + + The problem with IP fragment reassembly basically has to do with the + complexity of the function, in a number of aspects: + + o Fragment reassembly is a stateful operation for a stateless + protocol (IP). The IP module at the host performing the + reassembly function must allocate memory buffers both for + temporarily storing the received fragments and to perform the + reassembly function. Attackers can exploit this fact to exhaust + memory buffers at the system performing the fragment reassembly. + + o The fragmentation and reassembly mechanisms were designed at a + time in which the available bandwidths were very different from + the bandwidths available nowadays. With the current available + bandwidths, a number of interoperability problems may arise, and + these issues may be intentionally exploited by attackers to + perform DoS attacks. + + o Fragment reassembly must usually be performed without any + knowledge of the properties of the path the fragments follow. + Without this information, hosts cannot make any educated guess on + how long they should wait for missing fragments to arrive. + + + + + +Gont Informational [Page 48] + +RFC 6274 IPv4 Security Assessment July 2011 + + + o The fragment reassembly algorithm, as described by the IETF + specifications, is ambiguous, and allows for a number of + interpretations, each of which has found place in different TCP/IP + stack implementations. + + o The reassembly process is somewhat complex. Fragments may arrive + out of order, duplicated, overlapping each other, etc. This + complexity has lead to numerous bugs in different implementations + of the IP protocol. + +4.1.1. Security Implications of Fragment Reassembly + +4.1.1.1. Problems Related to Memory Allocation + + When an IP datagram is received by an end-system, it will be + temporarily stored in system memory, until the IP module processes it + and hands it to the protocol machine that corresponds to the + encapsulated protocol. + + In the case of fragmented IP packets, while the IP module may perform + preliminary processing of the IP header (such as checking the header + for errors and processing IP options), fragments must be kept in + system buffers until all fragments are received and are reassembled + into a complete Internet datagram. + + As mentioned above, because the Internet layer will not usually have + information about the characteristics of the path between the system + and the remote host, no educated guess can be made on the amount of + time that should be waited for the other fragments to arrive. + Therefore, the specifications recommend to wait for a period of time + that is acceptable for virtually all the possible network scenarios + in which the protocols might operate. After that time has elapsed, + all the received fragments for the corresponding incomplete packet + are discarded. + + The original IP Specification, RFC 791 [RFC0791], states that + systems should wait for at least 15 seconds for the missing + fragments to arrive. Systems that follow the "Example Reassembly + Procedure" described in Section 3.2 of RFC 791 may end up using a + reassembly timer of up to 4.25 minutes, with a minimum of 15 + seconds. Section 3.3.2 ("Reassembly") of RFC 1122 corrected this + advice, stating that the reassembly timeout should be a fixed + value between 60 and 120 seconds. + + + + + + + + +Gont Informational [Page 49] + +RFC 6274 IPv4 Security Assessment July 2011 + + + However, the longer the system waits for the missing fragments to + arrive, the longer the corresponding system resources must be tied to + the corresponding packet. The amount of system memory is finite, and + even with today's systems, it can still be considered a scarce + resource. + + An attacker could take advantage of the uncomfortable situation the + system performing fragment reassembly is in, by sending forged + fragments that will never reassemble into a complete datagram. That + is, an attacker would send many different fragments, with different + IP IDs, without ever sending all the necessary fragments that would + be needed to reassemble them into a full IP datagram. For each of + the fragments, the IP module would allocate resources and tie them to + the corresponding fragment, until the reassembly timer for the + corresponding packet expires. + + There are some implementation strategies which could increase the + impact of this attack. For example, upon receipt of a fragment, some + systems allocate a memory buffer that will be large enough to + reassemble the whole datagram. While this might be beneficial in + legitimate cases, this just amplifies the impact of the possible + attacks, as a single small fragment could tie up memory buffers for + the size of an extremely large (and unlikely) datagram. The + implementation strategy suggested in RFC 815 [RFC0815] leads to such + an implementation. + + The impact of the aforementioned attack may vary depending on some + specific implementation details: + + o If the system does not enforce limits on the amount of memory that + can be allocated by the IP module, then an attacker could tie all + system memory to fragments, at which point the system would become + unusable, perhaps crashing. + + o If the system enforces limits on the amount of memory that can be + allocated by the IP module as a whole, then, when this limit is + reached, all further IP packets that arrive would be discarded, + until some fragments time out and free memory is available again. + + o If the system enforces limits on the amount memory that can be + allocated for the reassembly of fragments, then, when this limit + is reached, all further fragments that arrive would be discarded, + until some fragment(s) time out and free memory is available + again. + + + + + + + +Gont Informational [Page 50] + +RFC 6274 IPv4 Security Assessment July 2011 + + +4.1.1.2. Problems That Arise from the Length of the IP Identification + Field + + The Internet Protocols are currently being used in environments that + are quite different from the ones in which they were conceived. For + instance, the availability of bandwidth at the time the Internet + Protocol was designed was completely different from the availability + of bandwidth in today's networks. + + The Identification field is a 16-bit field that is used for the + fragmentation and reassembly function. In the event a datagram gets + fragmented, all the corresponding fragments will share the same + {Source Address, Destination Address, Protocol, Identification + number} four-tuple. Thus, the system receiving the fragments will be + able to uniquely identify them as fragments that correspond to the + same IP datagram. At a given point in time, there must be at most + only one packet in the network with a given four-tuple. If not, an + Identification number "collision" might occur, and the receiving + system might end up "mixing" fragments that correspond to different + IP datagrams which simply reused the same Identification number. + + For example, sending over a 1 Gbit/s path a continuous stream of + (UDP) packets of roughly 1 kb size that all get fragmented into + two equally sized fragments of 576 octets each (minimum reassembly + buffer size) would repeat the IP Identification values within less + than 0.65 seconds (assuming roughly 10% link layer overhead); with + shorter packets that still get fragmented, this figure could + easily drop below 0.4 seconds. With a single IP packet dropped in + this short time frame, packets would start to be reassembled + wrongly and continuously once in such interval until an error + detection and recovery algorithm at an upper layer lets the + application back out. + + For each group of fragments whose Identification numbers "collide", + the fragment reassembly will lead to corrupted packets. The IP + payload of the reassembled datagram will be handed to the + corresponding upper-layer protocol, where the error will (hopefully) + be detected by some error detecting code (such as the TCP checksum) + and the packet will be discarded. + + An attacker could exploit this fact to intentionally cause a system + to discard all or part of the fragmented traffic it gets, thus + performing a DoS attack. Such an attacker would simply establish a + flow of fragments with different IP Identification numbers, to trash + all or part of the IP Identification space. As a result, the + receiving system would use the attacker's fragments for the + reassembly of legitimate datagrams, leading to corrupted packets + which would later (and hopefully) get dropped. + + + +Gont Informational [Page 51] + +RFC 6274 IPv4 Security Assessment July 2011 + + + In most cases, use of a long fragment timeout will benefit the + attacker, as forged fragments will keep the IP Identification space + trashed for a longer period of time. + +4.1.1.3. Problems That Arise from the Complexity of the Reassembly + Algorithm + + As IP packets can be duplicated by the network, and each packet may + take a different path to get to the destination host, fragments may + arrive not only out of order and/or duplicated but also overlapping. + This means that the reassembly process can be somewhat complex, with + the corresponding implementation being not specifically trivial. + + [Shannon2001] analyzes the causes and attributes of fragment traffic + measured in several types of WANs. + + During the years, a number of attacks have exploited bugs in the + reassembly function of several operating systems, producing buffer + overflows that have led, in most cases, to a crash of the attacked + system. + +4.1.1.4. Problems That Arise from the Ambiguity of the Reassembly + Process + + Network Intrusion Detection Systems (NIDSs) typically monitor the + traffic on a given network with the intent of identifying traffic + patterns that might indicate network intrusions. + + In the presence of IP fragments, in order to detect illegitimate + activity at the transport or application layers (i.e., any protocol + layer above the network layer), a NIDS must perform IP fragment + reassembly. + + In order to correctly assess the traffic, the result of the + reassembly function performed by the NIDS should be the same as that + of the reassembly function performed by the intended recipient of the + packets. + + However, a number of factors make the result of the reassembly + process ambiguous: + + o The IETF specifications are ambiguous as to what should be done in + the event overlapping fragments were received. Thus, in the + presence of overlapping data, the system performing the reassembly + function is free to honor either the first set of data received, + the latest copy received, or any other copy received in between. + + + + + +Gont Informational [Page 52] + +RFC 6274 IPv4 Security Assessment July 2011 + + + o As the specifications do not enforce any specific fragment timeout + value, different systems may choose different values for the + fragment timeout. This means that given a set of fragments + received at some specified time intervals, some systems will + reassemble the fragments into a full datagram, while others may + timeout the fragments and therefore drop them. + + o As mentioned before, as the fragment buffers get full, a DoS + condition will occur unless some action is taken. Many systems + flush part of the fragment buffers when some threshold is reached. + Thus, depending on fragment load, timing issues, and flushing + policy, a NIDS may get incorrect assumptions about how (and if) + fragments are being reassembled by their intended recipient. + + As originally discussed by [Ptacek1998], these issues can be + exploited by attackers to evade intrusion detection systems. + + There exist freely available tools to forcefully fragment IP + datagrams so as to help evade Intrusion Detection Systems. Frag + router [Song1999] is an example of such a tool; it allows an attacker + to perform all the evasion techniques described in [Ptacek1998]. + Ftester [Barisani2006] is a tool that helps to audit systems + regarding fragmentation issues. + +4.1.1.5. Problems That Arise from the Size of the IP Fragments + + One approach to fragment filtering involves keeping track of the + results of applying filter rules to the first fragment (i.e., the + fragment with a Fragment Offset of 0), and applying them to + subsequent fragments of the same packet. The filtering module would + maintain a list of packets indexed by the Source Address, Destination + Address, Protocol, and Identification number. When the initial + fragment is seen, if the MF bit is set, a list item would be + allocated to hold the result of filter access checks. When packets + with a non-zero Fragment Offset come in, look up the list element + with a matching Source Address/Destination Address/Protocol/ + Identification and apply the stored result (pass or block). When a + fragment with a zero MF bit is seen, free the list element. + Unfortunately, the rules of this type of packet filter can usually be + bypassed. [RFC1858] describes the details of the involved technique. + +4.1.2. Possible Security Improvements + +4.1.2.1. Memory Allocation for Fragment Reassembly + + A design choice usually has to be made as to how to allocate memory + to reassemble the fragments of a given packet. There are basically + two options: + + + +Gont Informational [Page 53] + +RFC 6274 IPv4 Security Assessment July 2011 + + + o Upon receipt of the first fragment, allocate a buffer that will be + large enough to concatenate the payload of each fragment. + + o Upon receipt of the first fragment, create the first node of a + linked list to which each of the following fragments will be + linked. When all fragments have been received, copy the IP + payload of each of the fragments (in the correct order) to a + separate buffer that will be handed to the protocol being + encapsulated in the IP payload. + + While the first of the choices might seem to be the most + straightforward, it implies that even when a single small fragment of + a given packet is received, the amount of memory that will be + allocated for that fragment will account for the size of the complete + IP datagram, thus using more system resources than what is actually + needed. + + Furthermore, the only situation in which the actual size of the whole + datagram will be known is when the last fragment of the packet is + received first, as that is the only packet from which the total size + of the IP datagram can be asserted. Otherwise, memory should be + allocated for the largest possible packet size (65535 bytes). + + The IP module should also enforce a limit on the amount of memory + that can be allocated for IP fragments, as well as a limit on the + number of fragments that at any time will be allowed in the system. + This will basically limit the resources spent on the reassembly + process, and prevent an attacker from trashing the whole system + memory. + + Furthermore, the IP module should keep a different buffer for IP + fragments than for complete IP datagrams. This will basically + separate the effects of fragment attacks on non-fragmented traffic. + Most TCP/IP implementations, such as that in Linux and those in BSD- + derived systems, already implement this. + + [Jones2002] analyzes the amount of memory that may be needed for the + fragment reassembly buffer depending on a number of network + characteristics. + +4.1.2.2. Flushing the Fragment Buffer + + In the case of those attacks that aim to consume the memory buffers + used for fragments, and those that aim to cause a collision of IP + Identification numbers, there are a number of countermeasures that + can be implemented. + + + + + +Gont Informational [Page 54] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Even with these countermeasures in place, there is still the issue of + what to do when the buffer pool used for IP fragments gets full. + Basically, if the fragment buffer is full, no instance of + communication that relies on fragmentation will be able to progress. + + Unfortunately, there are not many options for reacting to this + situation. If nothing is done, all the instances of communication + that rely on fragmentation will experience a denial of service. + Thus, the only thing that can be done is flush all or part of the + fragment buffer, on the premise that legitimate traffic will be able + to make use of the freed buffer space to allow communication flows to + progress. + + There are a number of factors that should be taken into consideration + when flushing the fragment buffers. First, if a fragment of a given + packet (i.e., fragment with a given Identification number) is + flushed, all the other fragments that correspond to the same datagram + should be flushed. As in order for a packet to be reassembled all of + its fragments must be received by the system performing the + reassembly function, flushing only a subset of the fragments of a + given packet would keep the corresponding buffers tied to fragments + that would never reassemble into a complete datagram. Additionally, + care must be taken so that, in the event that subsequent buffer + flushes need to be performed, it is not always the same set of + fragments that get dropped, as such a behavior would probably cause a + selective DoS to the traffic flows to which that set of fragments + belongs. + + Many TCP/IP implementations define a threshold for the number of + fragments that, when reached, triggers a fragment-buffer flush. Some + systems flush 1/2 of the fragment buffer when the threshold is + reached. As mentioned before, the idea of flushing the buffer is to + create some free space in the fragment buffer, on the premise that + this will allow for new and legitimate fragments to be processed by + the IP module, thus letting communication survive the overwhelming + situation. On the other hand, the idea of flushing a somewhat large + portion of the buffer is to avoid flushing always the same set of + packets. + +4.1.2.3. A More Selective Fragment Buffer Flushing Strategy + + One of the difficulties in implementing countermeasures for the + fragmentation attacks described throughout Section 4.1 is that it is + difficult to perform validation checks on the received fragments. + For instance, the fragment on which validity checks could be + performed, the first fragment, may be not the first fragment to + arrive at the destination host. + + + + +Gont Informational [Page 55] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Fragments cannot only arrive out of order because of packet + reordering performed by the network, but also because the system (or + systems) that fragmented the IP datagram may indeed transmit the + fragments out of order. A notable example of this is the Linux + TCP/IP stack, which transmits the fragments in reverse order. + + This means that we cannot enforce checks on the fragments for which + we allocate reassembly resources, as the first fragment we receive + for a given packet may be some other fragment than the first one (the + one with an Fragment Offset of 0). + + However, at the point in which we decide to free some space in the + fragment buffer, some refinements can be done to the flushing policy. + The first thing we would like to do is to stop different types of + traffic from interfering with each other. This means, in principle, + that we do not want fragmented UDP traffic to interfere with + fragmented TCP traffic. In order to implement this traffic + separation for the different protocols, a different fragment buffer + pool would be needed, in principle, for each of the 256 different + protocols that can be encapsulated in an IP datagram. + + We believe a trade-off is to implement two separate fragment buffers: + one for IP datagrams that encapsulate IPsec packets and another for + the rest of the traffic. This basically means that traffic not + protected by IPsec will not interfere with those flows of + communication that are being protected by IPsec. + + The processing of each of these two different fragment buffer pools + would be completely independent from each other. In the case of the + IPsec fragment buffer pool, when the buffers needs to be flushed, the + following refined policy could be applied: + + o First, for each packet for which the IPsec header has been + received, check that the Security Parameters Index (SPI) field of + the IPsec header corresponds to an existing IPsec Security + Association (SA), and probably also check that the IPsec sequence + number is valid. If the check fails, drop all the fragments that + correspond to this packet. + + o Second, if still more fragment buffers need to be flushed, drop + all the fragments that correspond to packets for which the full + IPsec header has not yet been received. The number of packets for + which this flushing is performed depends on the amount of free + space that needs to be created. + + o Third, if after flushing packets with invalid IPsec information + (First step), and packets on which validation checks could not be + performed (Second step), there is still not enough space in the + + + +Gont Informational [Page 56] + +RFC 6274 IPv4 Security Assessment July 2011 + + + fragment buffer, drop all the fragments that correspond to packets + that passed the checks of the first step, until the necessary free + space is created. + + The rationale behind this policy is that, at the point of flushing + fragment buffers, we prefer to keep those packets on which we could + successfully perform a number of validation checks, over those + packets on which those checks failed, or the checks could not even be + performed. + + By checking both the IPsec SPI and the IPsec sequence number, it is + virtually impossible for an attacker that is off-path to perform a + DoS attack to communication flows being protected by IPsec. + + Unfortunately, some IP implementations (such as that in Linux + [Linux]), when performing fragmentation, send the corresponding + fragments in reverse order. In such cases, at the point of flushing + the fragment buffer, legitimate fragments will receive the same + treatment as the possible forged fragments. + + This refined flushing policy provides an increased level of + protection against this type of resource exhaustion attack, while not + making the situation of out-of-order IPsec-secured traffic worse than + with the simplified flushing policy described in the previous + section. + +4.1.2.4. Reducing the Fragment Timeout + + RFC 1122 [RFC1122] states that the reassembly timeout should be a + fixed value between 60 and 120 seconds. The rationale behind these + long timeout values is that they should accommodate any path + characteristics, such as long-delay paths. However, it must be noted + that this timer is really measuring inter-fragment delays, or, more + specifically, fragment jitter. + + If all fragments take paths of similar characteristics, the inter- + fragment delay will usually be, at most, a few seconds. + Nevertheless, even if fragments take different paths of different + characteristics, the recommended 60 to 120 seconds are, in practice, + excessive. + + Some systems have already reduced the fragment timeout to 30 seconds + [Linux]. The fragment timeout could probably be further reduced to + approximately 15 seconds; although further research on this issue is + necessary. + + + + + + +Gont Informational [Page 57] + +RFC 6274 IPv4 Security Assessment July 2011 + + + It should be noted that in network scenarios of long-delay and high- + bandwidth (usually referred to as "Long-Fat Networks"), using a long + fragment timeout would likely increase the probability of collision + of IP ID numbers. Therefore, in such scenarios it is highly + desirable to avoid the use of fragmentation with techniques such as + PMTUD [RFC1191] or PLPMTUD [RFC4821]. + +4.1.2.5. Countermeasure for Some NIDS Evasion Techniques + + [Shankar2003] introduces a technique named "Active Mapping" that + prevents evasion of a NIDS by acquiring sufficient knowledge about + the network being monitored, to assess which packets will arrive at + the intended recipient, and how they will be interpreted by it. + [Novak2005] describes some techniques that are applied by the Snort + [Snort] NIDS to avoid evasion. + +4.1.2.6. Countermeasure for Firewall-Rules Bypassing + + One of the classical techniques to bypass firewall rules involves + sending packets in which the header of the encapsulated protocol is + fragmented. Even when it would be legal (as far as the IETF + specifications are concerned) to receive such a packets, the MTUs of + the network technologies used in practice are not that small to + require the header of the encapsulated protocol to be fragmented + (e.g., see [RFC2544]). Therefore, the system performing reassembly + should drop all packets which fragment the upper-layer protocol + header, and this event should be logged (e.g., a counter could be + incremented to reflect the packet drop). + + Additionally, given that many middle-boxes such as firewalls create + state according to the contents of the first fragment of a given + packet, it is best that, in the event an end-system receives + overlapping fragments, it honors the information contained in the + fragment that was received first. + + RFC 1858 [RFC1858] describes the abuse of IP fragmentation to bypass + firewall rules. RFC 3128 [RFC3128] corrects some errors in RFC 1858. + +4.2. Forwarding + +4.2.1. Precedence-Ordered Queue Service + + Section 5.3.3.1 of RFC 1812 [RFC1812] states that routers should + implement precedence-ordered queue service. This means that when a + packet is selected for output on a (logical) link, the packet of + highest precedence that has been queued for that link is sent. + Section 5.3.3.2 of RFC 1812 advises routers to default to maintaining + strict precedence-ordered service. + + + +Gont Informational [Page 58] + +RFC 6274 IPv4 Security Assessment July 2011 + + + Unfortunately, given that it is trivial to forge the IP precedence + field of the IP header, an attacker could simply forge a high + precedence number in the packets it sends to illegitimately get + better network service. If precedence-ordered queued service is not + required in a particular network infrastructure, it should be + disabled, and thus all packets would receive the same type of + service, despite the values in their Type of Service or + Differentiated Services fields. + + When precedence-ordered queue service is required in the network + infrastructure, in order to mitigate the attack vector discussed in + the previous paragraph, edge routers or switches should be configured + to police and remark the Type of Service or Differentiated Services + values, according to the type of service at which each end-system has + been allowed to send packets. + + Bullet 4 of Section 5.3.3.3 of RFC 1812 states that routers "MUST NOT + change precedence settings on packets it did not originate". + However, given the security implications of the Precedence field, it + is fair for routers, switches, or other middle-boxes, particularly + those in the network edge, to overwrite the Type of Service (or + Differentiated Services) field of the packets they are forwarding, + according to a configured network policy (this is the specified + behavior for DS domains [RFC2475]). + + Sections 5.3.3.1 and 5.3.6 of RFC 1812 state that if precedence- + ordered queue service is implemented and enabled, the router "MUST + NOT discard a packet whose precedence is higher than that of a packet + that is not discarded". While this recommendation makes sense given + the semantics of the Precedence field, it is important to note that + it would be simple for an attacker to send packets with forged high + Precedence value to congest some internet router(s), and cause all + (or most) traffic with a lower Precedence value to be discarded. + +4.2.2. Weak Type of Service + + Section 5.2.4.3 of RFC 1812 describes the algorithm for determining + the next-hop address (i.e., the forwarding algorithm). Bullet 3, + "Weak TOS", addresses the case in which routes contain a "type of + service" attribute. It states that in case a packet contains a non- + default TOS (i.e., 0000), only routes with the same TOS or with the + default TOS should be considered for forwarding that packet. + However, this means that if among the longest match routes for a + given packet are routes with some TOS other than the one contained in + the received packet, and no routes with the default TOS, the + corresponding packet would be dropped. This may or may not be a + desired behavior. + + + + +Gont Informational [Page 59] + +RFC 6274 IPv4 Security Assessment July 2011 + + + An alternative for the case in which among the "longest match" routes + there are only routes with non-default type of service that do not + match the TOS contained in the received packet, would be to use a + route with any other TOS. While this route would most likely not be + able to address the type of service requested by packet, it would, at + least, provide a "best effort" service. + + It must be noted that Section 5.3.2 of RFC 1812 allows routers to not + honor the TOS field. Therefore, the proposed alternative behavior is + still compliant with the IETF specifications. + + While officially specified in the RFC series, TOS-based routing is + not widely deployed in the Internet. + +4.2.3. Impact of Address Resolution on Buffer Management + + In the case of broadcast link-layer technologies, in order for a + system to transfer an IP datagram it must usually first map an IP + address to the corresponding link-layer address (for example, by + means of the Address Resolution Protocol (ARP) [RFC0826]) . This + means that while this operation is being performed, the packets that + would require such a mapping would need to be kept in memory. This + may happen both in the case of hosts and in the case of routers. + + This situation might be exploited by an attacker, which could send a + large amount of packets to a non-existent host that would supposedly + be directly connected to the attacked router. While trying to map + the corresponding IP address into a link-layer address, the attacked + router would keep in memory all the packets that would need to make + use of that link-layer address. At the point in which the mapping + function times out, depending on the policy implemented by the + attacked router, only the packet that triggered the call to the + mapping function might be dropped. In that case, the same operation + would be repeated for every packet destined to the non-existent host. + Depending on the timeout value for the mapping function, this + situation might lead the router to run out of free buffer space, with + the consequence that incoming legitimate packets would have to be + dropped, or that legitimate packets already stored in the router's + buffers might get dropped. Both of these situations would lead + either to a complete DoS or to a degradation of the network service. + + One countermeasure to this problem would be to drop, at the point the + mapping function times out, all the packets destined to the address + that timed out. In addition, a "negative cache entry" might be kept + in the module performing the matching function, so that for some + amount of time, the mapping function would return an error when the + IP module requests to perform a mapping for some address for which + the mapping has recently timed out. + + + +Gont Informational [Page 60] + +RFC 6274 IPv4 Security Assessment July 2011 + + + A common implementation strategy for routers is that when a packet + is received that requires an ARP resolution to be performed before + the packet can be forwarded, the packet is dropped and the router + is then engaged in the ARP procedure. + +4.2.4. Dropping Packets + + In some scenarios, it may be necessary for a host or router to drop + packets from the output queue. In the event that one of such packets + happens to be an IP fragment, and there were other fragments of the + same packet in the queue, those other fragments should also be + dropped. The rationale for this policy is that it is nonsensical to + spend system resources on those other fragments, because, as long as + one fragment is missing, it will be impossible for the receiving + system to reassemble them into a complete IP datagram. + + Some systems have been known to drop just a subset of fragments of a + given datagram, leading to a denial-of-service condition, as only a + subset of all the fragments of the packets were actually transferred + to the next hop. + +4.3. Addressing + +4.3.1. Unreachable Addresses + + It is important to understand that while there are some addresses + that are supposed to be unreachable from the public Internet (such as + the private IP addresses described in RFC 1918 [RFC1918], or the + "loopback" address), there are a number of tricks an attacker can + perform to reach those IP addresses that would otherwise be + unreachable (e.g., exploit the LSRR or SSRR IP options). Therefore, + when applicable, packet filtering should be performed at the private + network boundary to assure that those addresses will be unreachable. + + Similarly, link-local unicast addresses [RFC3927] and multicast + addresses with limited scope (link- and site-local addresses) should + not be accessible from outside the proper network boundaries and not + be passed across these boundaries. + + [RFC5735] provides a summary of special use IPv4 addresses. + +4.3.2. Private Address Space + + The Internet Assigned Numbers Authority (IANA) has reserved the + following three blocks of the IP address space for private internets: + + o 10.0.0.0 - 10.255.255.255 (10/8 prefix) + + + + +Gont Informational [Page 61] + +RFC 6274 IPv4 Security Assessment July 2011 + + + o 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) + + o 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) + + Use of these address blocks is described in RFC 1918 [RFC1918]. + + Where applicable, packet filtering should be performed at the + organizational perimeter to assure that these addresses are not + reachable from outside the private network where such addresses are + employed. + +4.3.3. Former Class D Addresses (224/4 Address Block) + + The former Class D addresses correspond to the 224/4 address block + and are used for Internet multicast. Therefore, if a packet is + received with a "Class D" address as the Source Address, it should be + dropped, and this event should be logged (e.g., a counter could be + incremented to reflect the packet drop). Additionally, if an IP + packet with a multicast Destination Address is received for a + connection-oriented protocol (e.g., TCP), the packet should be + dropped (see Section 4.3.5), and this event should be logged (e.g., a + counter could be incremented to reflect the packet drop). + +4.3.4. Former Class E Addresses (240/4 Address Block) + + The former Class E addresses correspond to the 240/4 address block, + and are currently reserved for experimental use. As a result, a most + routers discard packets that contain a "Class" E address as the + Source Address or Destination Address. If a packet is received with + a 240/4 address as the Source Address and/or the Destination Address, + the packet should be dropped and this event should be logged (e.g., a + counter could be incremented to reflect the packet drop). + + It should be noted that the broadcast address 255.255.255.255 still + must be treated as indicated in Section 4.3.7 of this document. + +4.3.5. Broadcast/Multicast Addresses and Connection-Oriented Protocols + + For connection-oriented protocols, such as TCP, shared state is + maintained between only two endpoints at a time. Therefore, if an IP + packet with a multicast (or broadcast) Destination Address is + received for a connection-oriented protocol (e.g., TCP), the packet + should be dropped, and this event should be logged (e.g., a counter + could be incremented to reflect the packet drop). + + + + + + + +Gont Informational [Page 62] + +RFC 6274 IPv4 Security Assessment July 2011 + + +4.3.6. Broadcast and Network Addresses + + Originally, the IETF specifications did not permit IP addresses to + have the value 0 or -1 (shorthand for all bits set to 1) for any of + the Host number, network number, or subnet number fields, except for + the cases indicated in Section 4.3.7. However, this changed + fundamentally with the deployment of Classless Inter-Domain Routing + (CIDR) [RFC4632], as with CIDR a system cannot know a priori what the + subnet mask is for a particular IP address. + + Many systems now allow administrators to use the values 0 or -1 for + those fields. Despite that according to the original IETF + specifications these addresses are illegal, modern IP implementations + should consider these addresses to be valid. + +4.3.7. Special Internet Addresses + + RFC 1812 [RFC1812] discusses the use of some special Internet + addresses, which is of interest to perform some sanity checks on the + Source Address and Destination Address fields of an IP packet. It + uses the following notation for an IP address: + + { <Network-prefix>, <Host-number> } + + where the length of the network prefix is generally implied by the + network mask assigned to the IP interface under consideration. + + RFC 1122 [RFC1122] contained a similar discussion of special + Internet addresses, including some of the form { <Network-prefix>, + <Subnet-number>, <Host-number> }. However, as explained in + Section 4.2.2.11 of RFC 1812, in a CIDR world, the subnet number + is clearly an extension of the network prefix and cannot be + distinguished from the remainder of the prefix. + + {0, 0} + + This address means "this host on this network". It is meant to be + used only during the initialization procedure, by which the host + learns its own IP address. + + If a packet is received with 0.0.0.0 as the Source Address for any + purpose other than bootstrapping, the corresponding packet should be + silently dropped, and this event should be logged (e.g., a counter + could be incremented to reflect the packet drop). If a packet is + received with 0.0.0.0 as the Destination Address, it should be + silently dropped, and this event should be logged (e.g., a counter + could be incremented to reflect the packet drop). + + + + +Gont Informational [Page 63] + +RFC 6274 IPv4 Security Assessment July 2011 + + + {0, Host number} + + This address means "the specified host, in this network". As in the + previous case, it is meant to be used only during the initialization + procedure by which the host learns its own IP address. If a packet + is received with such an address as the Source Address for any + purpose other than bootstrapping, it should be dropped, and this + event should be logged (e.g., a counter could be incremented to + reflect the packet drop). If a packet is received with such an + address as the Destination Address, it should be dropped, and this + event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + {-1, -1} + + This address is the local broadcast address. It should not be used + as a source IP address. If a packet is received with 255.255.255.255 + as the Source Address, it should be dropped, and this event should be + logged (e.g., a counter could be incremented to reflect the packet + drop). + + Some systems, when receiving an ICMP echo request, for example, + will use the Destination Address in the ICMP echo request packet + as the Source Address of the response they send (in this case, an + ICMP echo reply). Thus, when such systems receive a request sent + to a broadcast address, the Source Address of the response will + contain a broadcast address. This should be considered a bug, + rather than a malicious use of the limited broadcast address. + + {Network number, -1} + + This is the directed broadcast to the specified network. As + recommended by RFC 2644 [RFC2644], routers should not forward + network-directed broadcasts. This avoids the corresponding network + from being utilized as, for example, a "smurf amplifier" [CERT1998a]. + + As noted in Section 4.3.6 of this document, many systems now allow + administrators to configure these addresses as unicast addresses for + network interfaces. In such scenarios, routers should forward these + addresses as if they were traditional unicast addresses. + + In some scenarios, a host may have knowledge about a particular IP + address being a network-directed broadcast address, rather than a + unicast address (e.g., that IP address is configured on the local + system as a "broadcast address"). In such scenarios, if a system can + infer that the Source Address of a received packet is a network- + + + + + +Gont Informational [Page 64] + +RFC 6274 IPv4 Security Assessment July 2011 + + + directed broadcast address, the packet should be dropped, and this + event should be logged (e.g., a counter could be incremented to + reflect the packet drop). + + As noted in Section 4.3.6 of this document, with the deployment of + CIDR [RFC4632], it may be difficult for a system to infer whether a + particular IP address that does not belong to a directly attached + subnet is a broadcast address. + + {127.0.0.0/8, any} + + This is the internal host loopback address. Any packet that arrives + on any physical interface containing this address as the Source + Address, the Destination Address, or as part of a source route + (either LSRR or SSRR), should be dropped. + + For example, packets with a Destination Address in the 127.0.0.0/8 + address block that are received on an interface other than loopback + should be silently dropped. Packets received on any interface other + than loopback with a Source Address corresponding to the system + receiving the packet should also be dropped. + + In all the above cases, when a packet is dropped, this event should + be logged (e.g., a counter could be incremented to reflect the packet + drop). + +5. Security Considerations + + This document discusses the security implications of the Internet + Protocol (IP) and a number of implementation strategies that help to + mitigate a number of vulnerabilities found in the protocol during the + last 25 years or so. + +6. Acknowledgements + + The author wishes to thank Alfred Hoenes for providing very thorough + reviews of earlier versions of this document, thus leading to + numerous improvements. + + The author would like to thank Jari Arkko, Ron Bonica, Stewart + Bryant, Adrian Farrel, Joel Jaeggli, Warren Kumari, Bruno Rohee, and + Andrew Yourtchenko for providing valuable comments on earlier + versions of this document. + + This document was written by Fernando Gont on behalf of the UK CPNI + (United Kingdom's Centre for the Protection of National + Infrastructure), and is heavily based on the "Security Assessment of + the Internet Protocol" [CPNI2008] published by the UK CPNI in 2008. + + + +Gont Informational [Page 65] + +RFC 6274 IPv4 Security Assessment July 2011 + + + The author would like to thank Randall Atkinson, John Day, Juan + Fraschini, Roque Gagliano, Guillermo Gont, Martin Marino, Pekka + Savola, and Christos Zoulas for providing valuable comments on + earlier versions of [CPNI2008], on which this document is based. + + The author would like to thank Randall Atkinson and Roque Gagliano, + who generously answered a number of questions. + + Finally, the author would like to thank UK CPNI (formerly NISCC) for + their continued support. + +7. References + +7.1. Normative References + + [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, + September 1981. + + [RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Or + converting network protocol addresses to 48.bit Ethernet + address for transmission on Ethernet hardware", STD 37, + RFC 826, November 1982. + + [RFC1038] St. Johns, M., "Draft revised IP security option", + RFC 1038, January 1988. + + [RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP + MTU discovery options", RFC 1063, July 1988. + + [RFC1108] Kent, S., "U.S", RFC 1108, November 1991. + + [RFC1112] Deering, S., "Host extensions for IP multicasting", STD 5, + RFC 1112, August 1989. + + [RFC1122] Braden, R., "Requirements for Internet Hosts - + Communication Layers", STD 3, RFC 1122, October 1989. + + [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, + November 1990. + + [RFC1349] Almquist, P., "Type of Service in the Internet Protocol + Suite", RFC 1349, July 1992. + + [RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393, + January 1993. + + [RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi- + Destination Delivery", RFC 1770, March 1995. + + + +Gont Informational [Page 66] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [RFC1812] Baker, F., "Requirements for IP Version 4 Routers", + RFC 1812, June 1995. + + [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and + E. Lear, "Address Allocation for Private Internets", + BCP 5, RFC 1918, February 1996. + + [RFC2113] Katz, D., "IP Router Alert Option", RFC 2113, + February 1997. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, + "Definition of the Differentiated Services Field (DS + Field) in the IPv4 and IPv6 Headers", RFC 2474, + December 1998. + + [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., + and W. Weiss, "An Architecture for Differentiated + Services", RFC 2475, December 1998. + + [RFC2644] Senie, D., "Changing the Default for Directed Broadcasts + in Routers", BCP 34, RFC 2644, August 1999. + + [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: + Defeating Denial of Service Attacks which employ IP Source + Address Spoofing", BCP 38, RFC 2827, May 2000. + + [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition + of Explicit Congestion Notification (ECN) to IP", + RFC 3168, September 2001. + + [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed + Networks", BCP 84, RFC 3704, March 2004. + + [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic + Configuration of IPv4 Link-Local Addresses", RFC 3927, + May 2005. + + [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing + (CIDR): The Internet Address Assignment and Aggregation + Plan", BCP 122, RFC 4632, August 2006. + + + + + +Gont Informational [Page 67] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU + Discovery", RFC 4821, March 2007. + + [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., and C. + Pignataro, "The Generalized TTL Security Mechanism + (GTSM)", RFC 5082, October 2007. + + [RFC5350] Manner, J. and A. McDonald, "IANA Considerations for the + IPv4 and IPv6 Router Alert Options", RFC 5350, + September 2008. + + [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", + BCP 153, RFC 5735, January 2010. + + [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion + Notification", RFC 6040, November 2010. + +7.2. Informative References + + [Anderson2001] + Anderson, J., "An Analysis of Fragmentation Attacks", + 2001, <http://www.ouah.org/fragma.html>. + + [Arkin2000] + Arkin, "IP TTL Field Value with ICMP (Oops - Identifying + Windows 2000 again and more)", 2000, + <http://ofirarkin.files.wordpress.com/2008/11/ + ofirarkin2000-06.pdf>. + + [Barisani2006] + Barisani, A., "FTester - Firewall and IDS testing tool", + 2001, <http://dev.inversepath.com/trac/ftester>. + + [Bellovin1989] + Bellovin, S., "Security Problems in the TCP/IP Protocol + Suite", Computer Communication Review Vol. 19, No. 2, pp. + 32-48, 1989. + + [Bellovin2002] + Bellovin, S., "A Technique for Counting NATted Hosts", + IMW'02 Nov. 6-8, 2002, Marseille, France, 2002. + + [Bendi1998] + Bendi, "Bonk exploit", 1998, + <http://www.insecure.org/sploits/ + 95.NT.fragmentation.bonk.html>. + + + + + +Gont Informational [Page 68] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [Biondi2007] + Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", + CanSecWest 2007 Security Conference, 2007, + <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>. + + [CERT1996a] + CERT, "CERT Advisory CA-1996-01: UDP Port Denial-of- + Service Attack", 1996, + <http://www.cert.org/advisories/CA-1996-01.html>. + + [CERT1996b] + CERT, "CERT Advisory CA-1996-21: TCP SYN Flooding and IP + Spoofing Attacks", 1996, + <http://www.cert.org/advisories/CA-1996-21.html>. + + [CERT1996c] + CERT, "CERT Advisory CA-1996-26: Denial-of-Service Attack + via ping", 1996, + <http://www.cert.org/advisories/CA-1996-26.html>. + + [CERT1997] CERT, "CERT Advisory CA-1997-28: IP Denial-of-Service + Attacks", 1997, + <http://www.cert.org/advisories/CA-1997-28.html>. + + [CERT1998a] + CERT, "CERT Advisory CA-1998-01: Smurf IP Denial-of- + Service Attacks", 1998, + <http://www.cert.org/advisories/CA-1998-01.html>. + + [CERT1998b] + CERT, "CERT Advisory CA-1998-13: Vulnerability in Certain + TCP/IP Implementations", 1998, + <http://www.cert.org/advisories/CA-1998-13.html>. + + [CERT1999] CERT, "CERT Advisory CA-1999-17: Denial-of-Service Tools", + 1999, <http://www.cert.org/advisories/CA-1999-17.html>. + + [CERT2003] CERT, "CERT Advisory CA-2003-15: Cisco IOS Interface + Blocked by IPv4 Packet", 2003, + <http://www.cert.org/advisories/CA-2003-15.html>. + + [CIPSO1992] + CIPSO, "COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)", Work + in Progress, 1992. + + + + + + + +Gont Informational [Page 69] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [CIPSOWG1994] + CIPSOWG, "Commercial Internet Protocol Security Option + (CIPSO) Working Group", 1994, <http://www.ietf.org/ + proceedings/94jul/charters/cipso-charter.html>. + + [CPNI2008] Gont, F., "Security Assessment of the Internet Protocol", + 2008, <http://www.cpni.gov.uk/Docs/InternetProtocol.pdf>. + + [Cerf1974] Cerf, V. and R. Kahn, "A Protocol for Packet Network + Intercommunication", IEEE Transactions on + Communications Vol. 22, No. 5, May 1974, pp. 637-648, + 1974. + + [Cisco2003] + Cisco, "Cisco Security Advisory: Cisco IOS Interface + Blocked by IPv4 packet", 2003, <http://www.cisco.com/en/ + US/products/ + products_security_advisory09186a00801a34c2.shtml>. + + [Cisco2008] + Cisco, "Cisco IOS Security Configuration Guide, Release + 12.2", 2003, <http://www.cisco.com/en/US/docs/ios/12_2/ + security/configuration/guide/scfipso.html>. + + [Clark1988] + Clark, D., "The Design Philosophy of the DARPA Internet + Protocols", Computer Communication Review Vol. 18, No. 4, + 1988. + + [Ed3f2002] Ed3f, "Firewall spotting and networks analysis with a + broken CRC", Phrack Magazine, Volume 0x0b, Issue + 0x3c, Phile #0x0c of 0x10, 2002, <http://www.phrack.org/ + issues.html?issue=60&id=12&mode=txt>. + + [FIPS1994] FIPS, "Standard Security Label for Information Transfer", + Federal Information Processing Standards Publication. FIP + PUBS 188, 1994, <http://csrc.nist.gov/publications/fips/ + fips188/fips188.pdf>. + + [Fyodor2004] + Fyodor, "Idle scanning and related IP ID games", 2004, + <http://www.insecure.org/nmap/idlescan.html>. + + [GIAC2000] GIAC, "Egress Filtering v 0.2", 2000, + <http://www.sans.org/y2k/egress.htm>. + + [Gont2006] Gont, F., "Advanced ICMP packet filtering", 2006, + <http://www.gont.com.ar/papers/icmp-filtering.html>. + + + +Gont Informational [Page 70] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [Haddad2004] + Haddad, I. and M. Zakrzewski, "Security Distribution for + Linux Clusters", Linux Journal, 2004, + <http://www.linuxjournal.com/article/6943>. + + [Humble1998] + Humble, "Nestea exploit", 1998, + <http://www.insecure.org/sploits/ + linux.PalmOS.nestea.html>. + + [IANA_ET] IANA, "Ether Types", + <http://www.iana.org/assignments/ethernet-numbers>. + + [IANA_IP_PARAM] + IANA, "IP Parameters", + <http://www.iana.org/assignments/ip-parameters>. + + [IANA_PROT_NUM] + IANA, "Protocol Numbers", + <http://www.iana.org/assignments/protocol-numbers>. + + [IRIX2008] IRIX, "IRIX 6.5 trusted_networking(7) manual page", 2008, + <http://techpubs.sgi.com/library/tpl/cgi-bin/ + getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/ + cat7/trusted_networking.z>. + + [Jones2002] + Jones, R., "A Method Of Selecting Values For the + Parameters Controlling IP Fragment Reassembly", 2002, + <ftp://ftp.cup.hp.com/dist/networking/briefs/ + ip_reass_tuning.txt>. + + [Kenney1996] + Kenney, M., "The Ping of Death Page", 1996, + <http://www.insecure.org/sploits/ping-o-death.html>. + + [Kent1987] Kent, C. and J. Mogul, "Fragmentation considered harmful", + Proc. SIGCOMM '87 Vol. 17, No. 5, October 1987, 1987. + + [Klein2007] + Klein, A., "OpenBSD DNS Cache Poisoning and Multiple O/S + Predictable IP ID Vulnerability", 2007, + <http://www.trusteer.com/files/ + OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP + _ID_Vulnerability.pdf>. + + + + + + +Gont Informational [Page 71] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [Kohno2005] + Kohno, T., Broido, A., and kc. Claffy, "Remote Physical + Device Fingerprinting", IEEE Transactions on Dependable + and Secure Computing Vol. 2, No. 2, 2005. + + [LBNL2006] LBNL/NRG, "arpwatch tool", 2006, <http://ee.lbl.gov/>. + + [Linux] Linux Kernel Organization, "The Linux Kernel Archives", + <http://www.kernel.org>. + + [Microsoft1999] + Microsoft, "Microsoft Security Program: Microsoft Security + Bulletin (MS99-038). Patch Available for "Spoofed Route + Pointer" Vulnerability", 1999, <http://www.microsoft.com/ + technet/security/bulletin/ms99-038.mspx>. + + [NISCC2004] + NISCC, "NISCC Vulnerability Advisory 236929: Vulnerability + Issues in TCP", 2004, <http://www.cpni.gov.uk>. + + [NISCC2005] + NISCC, "NISCC Vulnerability Advisory 532967/NISCC/ICMP: + Vulnerability Issues in ICMP packets with TCP payloads", + 2005, <http://www.gont.com.ar/advisories/index.html>. + + [NISCC2006] + NISCC, "NISCC Technical Note 01/2006: Egress and Ingress + Filtering", 2006, <http://www.cpni.gov.uk>. + + [Northcutt2000] + Northcut, S. and Novak, "Network Intrusion Detection - An + Analyst's Handbook", Second Edition New Riders Publishing, + 2000. + + [Novak2005] + Novak, "Target-Based Fragmentation Reassembly", 2005, + <http://www.snort.org/assets/165/target_based_frag.pdf>. + + [OpenBSD-PF] + Sanfilippo, S., "PF: Scrub (Packet Normalization)", 2010, + <ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.pdf>. + + [OpenBSD1998] + OpenBSD, "OpenBSD Security Advisory: IP Source Routing + Problem", 1998, + <http://www.openbsd.org/advisories/sourceroute.txt>. + + + + + +Gont Informational [Page 72] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [Paxson2001] + Paxson, V., Handley, M., and C. Kreibich, "Network + Intrusion Detection: Evasion, Traffic Normalization, and + End-to-End Protocol Semantics", USENIX Conference, 2001. + + [Ptacek1998] + Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial + of Service: Eluding Network Intrusion Detection", 1998, + <http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps>. + + [RFC0815] Clark, D., "IP datagram reassembly algorithms", RFC 815, + July 1982. + + [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security + Considerations for IP Fragment Filtering", RFC 1858, + October 1995. + + [RFC2544] Bradner, S. and J. McQuaid, "Benchmarking Methodology for + Network Interconnect Devices", RFC 2544, March 1999. + + [RFC3128] Miller, I., "Protection Against a Variant of the Tiny + Fragment Attack (RFC 1858)", RFC 3128, June 2001. + + [RFC3530] Shepler, S., Callaghan, B., Robinson, D., Thurlow, R., + Beame, C., Eisler, M., and D. Noveck, "Network File System + (NFS) version 4 Protocol", RFC 3530, April 2003. + + [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly + Errors at High Data Rates", RFC 4963, July 2007. + + [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common + Mitigations", RFC 4987, August 2007. + + [RFC5559] Eardley, P., "Pre-Congestion Notification (PCN) + Architecture", RFC 5559, June 2009. + + [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common + Architecture Label IPv6 Security Option (CALIPSO)", + RFC 5570, July 2009. + + [RFC5670] Eardley, P., "Metering and Marking Behaviour of PCN- + Nodes", RFC 5670, November 2009. + + [RFC5696] Moncaster, T., Briscoe, B., and M. Menth, "Baseline + Encoding and Transport of Pre-Congestion Information", + RFC 5696, November 2009. + + [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. + + + +Gont Informational [Page 73] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [ROUTER-ALERT] + Le Faucheur, F., Ed., "IP Router Alert Considerations and + Usage", Work in Progress, June 2011. + + [SELinux2009] + NSA, "Security-Enhanced Linux", + <http://www.nsa.gov/research/selinux/>. + + [Sanfilippo1998a] + Sanfilippo, S., "about the ip header id", Post to Bugtraq + mailing-list, Mon Dec 14 1998, + <http://www.kyuzz.org/antirez/papers/ipid.html>. + + [Sanfilippo1998b] + Sanfilippo, S., "Idle scan", Post to Bugtraq mailing-list, + 1998, <http://www.kyuzz.org/antirez/papers/dumbscan.html>. + + [Sanfilippo1999] + Sanfilippo, S., "more ip id", Post to Bugtraq mailing- + list, 1999, + <http://www.kyuzz.org/antirez/papers/moreipid.html>. + + [Shankar2003] + Shankar, U. and V. Paxson, "Active Mapping: Resisting NIDS + Evasion Without Altering Traffic", 2003, + <http://www.icir.org/vern/papers/activemap-oak03.pdf>. + + [Shannon2001] + Shannon, C., Moore, D., and K. Claffy, "Characteristics of + Fragmented IP Traffic on Internet Links", 2001. + + [Silbersack2005] + Silbersack, M., "Improving TCP/IP security through + randomization without sacrificing interoperability", + EuroBSDCon 2005 Conference, 2005, + <http://www.silby.com/eurobsdcon05/eurobsdcon_slides.pdf>. + + [Snort] Sourcefire, Inc., "Snort", <http://www.snort.org>. + + [Solaris2007] + Oracle, "ORACLE SOLARIS WITH TRUSTED EXTENSIONS", 2007, <h + ttp://www.oracle.com/us/products/servers-storage/solaris/ + solaris-trusted-ext-ds-075583.pdf>. + + [Song1999] Song, D., "Frag router tool", + <http://www.monkey.org/~dugsong/fragroute/>. + + + + + +Gont Informational [Page 74] + +RFC 6274 IPv4 Security Assessment July 2011 + + + [SpooferProject] + MIT ANA, "Spoofer Project", 2010, + <http://spoofer.csail.mit.edu/index.php>. + + [US-CERT2001] + US-CERT, "US-CERT Vulnerability Note VU#446689: Check + Point FireWall-1 allows fragmented packets through + firewall if Fast Mode is enabled", 2001, + <http://www.kb.cert.org/vuls/id/446689>. + + [US-CERT2002] + US-CERT, "US-CERT Vulnerability Note VU#310387: Cisco IOS + discloses fragments of previous packets when Express + Forwarding is enabled", 2002. + + [Watson2004] + Watson, P., "Slipping in the Window: TCP Reset Attacks", + CanSecWest Conference, 2004. + + [Zakrzewski2002] + Zakrzewski, M. and I. Haddad, "Linux Distributed Security + Module", 2002, <http://www.linuxjournal.com/article/6215>. + + [daemon91996] + daemon9, route, and infinity, "IP-spoofing Demystified + (Trust-Relationship Exploitation)", Phrack Magazine, + Volume Seven, Issue Forty-Eight, File 14 of 18, 1988, <htt + p://www.phrack.org/issues.html?issue=48&id=14&mode=txt>. + +Author's Address + + Fernando Gont + UK Centre for the Protection of National Infrastructure + + EMail: fernando@gont.com.ar + URI: http://www.cpni.gov.uk + + + + + + + + + + + + + + + +Gont Informational [Page 75] + |