summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7126.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7126.txt')
-rw-r--r--doc/rfc/rfc7126.txt2019
1 files changed, 2019 insertions, 0 deletions
diff --git a/doc/rfc/rfc7126.txt b/doc/rfc/rfc7126.txt
new file mode 100644
index 0000000..90a1b8c
--- /dev/null
+++ b/doc/rfc/rfc7126.txt
@@ -0,0 +1,2019 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) F. Gont
+Request for Comments: 7126 UTN-FRH / SI6 Networks
+BCP: 186 R. Atkinson
+Category: Best Current Practice Consultant
+ISSN: 2070-1721 C. Pignataro
+ Cisco
+ February 2014
+
+
+ Recommendations on Filtering of IPv4 Packets Containing IPv4 Options
+
+Abstract
+
+ This document provides advice on the filtering of IPv4 packets based
+ on the IPv4 options they contain. Additionally, it discusses the
+ operational and interoperability implications of dropping packets
+ based on the IP options they contain.
+
+Status of This Memo
+
+ This memo documents an Internet Best Current Practice.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It has been approved for publication by the Internet
+ Engineering Steering Group (IESG). Further information on BCPs is
+ available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7126.
+
+Copyright Notice
+
+ Copyright (c) 2014 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 1]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Terminology and Conventions Used in This Document . . . . 3
+ 1.2. Operational Focus . . . . . . . . . . . . . . . . . . . . 4
+ 2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. General Security Implications of IP Options . . . . . . . . . 5
+ 3.1. Processing Requirements . . . . . . . . . . . . . . . . . 5
+ 4. Advice on the Handling of Packets with Specific IP Options . 7
+ 4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 7
+ 4.2. No Operation (Type = 1) . . . . . . . . . . . . . . . . . 7
+ 4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 8
+ 4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . 10
+ 4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 11
+ 4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 12
+ 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . 13
+ 4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 14
+ 4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . 15
+ 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . 16
+ 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . 16
+ 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . 17
+ 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 20
+ 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . 22
+ 4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 23
+ 4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 24
+ 4.17. Address Extension (Type = 147) . . . . . . . . . . . . . 25
+ 4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 25
+ 4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 26
+ 4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . 26
+ 4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 27
+ 4.22. RFC3692-Style Experiment (Types = 30, 94, 158, and 222) . 28
+ 4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . 29
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 31
+ 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 7.1. Normative References . . . . . . . . . . . . . . . . . . 31
+ 7.2. Informative References . . . . . . . . . . . . . . . . . 32
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 2]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+1. Introduction
+
+ This document discusses the filtering of IPv4 packets based on the
+ IPv4 options they contain. Since various protocols may use IPv4
+ options to some extent, dropping packets based on the options they
+ contain may have implications on the proper functioning of such
+ protocols. Therefore, this document attempts to discuss the
+ operational and interoperability implications of such dropping.
+ Additionally, it outlines what a network operator might do in typical
+ enterprise or Service Provider environments. This document also
+ draws and is partly derived from [RFC6274], which also received
+ review from the operational community.
+
+ We note that data seems to indicate that there is a current
+ widespread practice of blocking IPv4 optioned packets. There are
+ various plausible approaches to minimize the potential negative
+ effects of IPv4 optioned packets while allowing some option
+ semantics. One approach is to allow for specific options that are
+ expected or needed, and have a default deny. A different approach is
+ to deny unneeded options and have a default allow. Yet a third
+ possible approach is to allow for end-to-end semantics by ignoring
+ options and treating packets as un-optioned while in transit.
+ Experiments and currently available data tend to support the first or
+ third approaches as more realistic. Some results regarding the
+ current state of affairs with respect to dropping packets containing
+ IP options can be found in [MEDINA] and [FONSECA]. Additionally,
+ [BREMIER-BARR] points out that the deployed Internet already has many
+ routers that do not process IP options.
+
+ We also note that while this document provides advice on dropping
+ packets on a "per IP option type", not all devices (routers, security
+ gateways, and firewalls) may provide this capability with such
+ granularity. Additionally, even in cases in which such functionality
+ is provided, an operator might want to specify a dropping policy with
+ a coarser granularity (rather than on a "per IP option type"
+ granularity), as indicated above.
+
+ Finally, in scenarios in which processing of IP options by
+ intermediate systems is not required, a widespread approach is to
+ simply ignore IP options and process the corresponding packets as if
+ they do not contain any IP options.
+
+1.1. Terminology and Conventions Used in This Document
+
+ The terms "fast path", "slow path", and associated relative terms
+ ("faster path" and "slower path") are loosely defined as in Section 2
+ of [RFC6398].
+
+
+
+
+Gont, et al. Best Current Practice [Page 3]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ Because of the security-oriented nature of this document, we are
+ deliberately including some historical citations. The goal is to
+ explicitly retain and show history, as well as remove ambiguity and
+ confusion.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.2. Operational Focus
+
+ All of the recommendations in this document have been made in an
+ effort to optimize for operational community consensus, as best the
+ authors have been able to determine that. This has included not only
+ accepting feedback from public lists, but also accepting off-list
+ feedback from people at various network operators (e.g. Internet
+ Service Providers, content providers, educational institutions,
+ commercial firms).
+
+2. IP Options
+
+ IP options allow for the extension of the Internet Protocol. As
+ specified in [RFC0791], there are two cases for the format of an
+ option:
+
+ o Case 1: A single byte of option-type.
+
+ o Case 2: An option-type byte, an option-length byte, and the actual
+ option-data bytes.
+
+ IP options of Case 1 have the following syntax:
+
+ +-+-+-+-+-+-+-+-+- - - - - - - - -
+ | option-type | option-data
+ +-+-+-+-+-+-+-+-+- - - - - - - - -
+
+ The length of IP options of Case 1 is implicitly specified by the
+ option-type byte.
+
+ IP options of Case 2 have the following syntax:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
+ | option-type | option-length | option-data
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
+
+ In this case, the option-length byte counts the option-type byte and
+ the option-length byte, as well as the actual option-data bytes.
+
+
+
+
+Gont, et al. Best Current Practice [Page 4]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ All current and future options, except "End of Option List" (Type =
+ 0) and "No Operation" (Type = 1), are of Class 2.
+
+ The option-type has three fields:
+
+ o 1 bit: copied flag.
+
+ o 2 bits: option class.
+
+ o 5 bits: option number.
+
+ The copied flag indicates whether this option should be copied to all
+ fragments in the event the packet carrying it needs to be fragmented:
+
+ o 0 = not copied.
+
+ o 1 = copied.
+
+ The values for the option class are:
+
+ o 0 = control.
+
+ o 1 = reserved for future use.
+
+ o 2 = debugging and measurement.
+
+ o 3 = reserved for future use.
+
+ This format allows for the creation of new options for the extension
+ of the Internet Protocol (IP).
+
+ Finally, the option number identifies the syntax of the rest of the
+ option.
+
+ The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the
+ currently assigned IP option numbers.
+
+3. General Security Implications of IP Options
+
+3.1. Processing Requirements
+
+ Historically, most IP routers used a general-purpose CPU to process
+ IP packets and forward them towards their destinations. This same
+ CPU usually also processed network management traffic (e.g., SNMP),
+ configuration commands (e.g., command line interface), and various
+ routing protocols (e.g., RIP, OSPF, BGP, IS-IS) or other control
+ protocols (e.g., RSVP, ICMP). In such architectures, it has been
+ common for the general-purpose CPU also to perform any packet
+
+
+
+Gont, et al. Best Current Practice [Page 5]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ filtering that has been enabled on the router (or router interface).
+ An IP router built using this architecture often has a significant
+ Distributed Denial-of-Service (DDoS) attack risk if the router
+ control plane (e.g., CPU) is overwhelmed by a large number of IPv4
+ packets that contain IPv4 options.
+
+ From about 1995 onwards, a growing number of IP routers have
+ incorporated silicon specialized for IP packet processing (i.e.,
+ Field-Programmable Gate Array (FPGA), Application-Specific Integrated
+ Circuit (ASIC)), thereby separating the function of IP packet
+ forwarding from the other functions of the router. Such router
+ architectures tend to be more resilient to DDoS attacks that might be
+ seen in the global public Internet. Depending upon various
+ implementation and configuration details, routers with a silicon
+ packet-forwarding engine can handle high volumes of IP packets
+ containing IP options without any adverse impact on packet-forwarding
+ rates or on the router's control plane (e.g., general-purpose CPU).
+ Some implementations have a configuration knob simply to forward all
+ IP packets containing IP options at wire-speed in silicon, as if the
+ IP packet did not contain any IP options ("ignore options &
+ forward"). Other implementations support wire-speed silicon-based
+ packet filtering, thereby enabling packets containing certain IP
+ options to be selectively dropped ("drop"), packets containing
+ certain other IP options to have those IP options ignored ("ignore
+ options & forward"), and other packets containing different IP
+ options to have those options processed, either on a general-purpose
+ CPU or using custom logic (e.g., FPGA, ASIC), while the packet is
+ being forwarded ("process option & forward").
+
+ Broadly speaking, any IP packet that requires processing by an IP
+ router's general-purpose CPU can be a DDoS risk to that router's
+ general-purpose CPU (and thus to the router itself). However, at
+ present, the particular architectural and engineering details of the
+ specific IP router being considered are important to understand when
+ evaluating the operational security risks associated with a
+ particular IP packet type or IP option type.
+
+ Operators are urged to consider the capabilities of potential IP
+ routers for IP option filtering and handling as they make deployment
+ decisions in the future.
+
+ Additional considerations for protecting the control plane from
+ packets containing IP options can be found in [RFC6192].
+
+ Finally, in addition to advice to operators, this document also
+ provides advice to router, security gateway, and firewall
+ implementers in terms of providing the capability to filter packets
+
+
+
+
+Gont, et al. Best Current Practice [Page 6]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ with different granularities: both on a "per IP option type"
+ granularity (to maximize flexibility) as well as more coarse filters
+ (to minimize configuration complexity).
+
+4. Advice on the Handling of Packets with Specific IP Options
+
+ The following subsections contain a description of each of the IP
+ options that have so far been specified, a discussion of possible
+ interoperability implications if packets containing such options are
+ dropped, and specific advice on whether to drop packets containing
+ these options in a typical enterprise or Service Provider
+ environment.
+
+4.1. End of Option List (Type = 0)
+
+4.1.1. Uses
+
+ This option is used to indicate the "end of options" in those cases
+ in which the end of options would not coincide with the end of the
+ Internet Protocol header.
+
+4.1.2. Option Specification
+
+ Specified in RFC 791 [RFC0791].
+
+4.1.3. Threats
+
+ No specific security issues are known for this IPv4 option.
+
+4.1.4. Operational and Interoperability Impact if Blocked
+
+ Packets containing any IP options are likely to include an End of
+ Option List. Therefore, if packets containing this option are
+ dropped, it is very likely that legitimate traffic is blocked.
+
+4.1.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD NOT drop packets
+ because they contain this option.
+
+4.2. No Operation (Type = 1)
+
+4.2.1. Uses
+
+ The no-operation option is basically meant to allow the sending
+ system to align subsequent options in, for example, 32-bit
+ boundaries.
+
+
+
+
+Gont, et al. Best Current Practice [Page 7]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.2.2. Option Specification
+
+ Specified in RFC 791 [RFC0791].
+
+4.2.3. Threats
+
+ No specific security issues are known for this IPv4 option.
+
+4.2.4. Operational and Interoperability Impact if Blocked
+
+ Packets containing any IP options are likely to include a No
+ Operation option. Therefore, if packets containing this option are
+ dropped, it is very likely that legitimate traffic is blocked.
+
+4.2.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD NOT drop packets
+ because they contain this option.
+
+4.3. Loose Source and Record Route (LSRR) (Type = 131)
+
+ RFC 791 states that this option should appear at most once in a given
+ packet. Thus, if a packet contains more than one LSRR option, it
+ should be dropped, and this event should be logged (e.g., a counter
+ could be incremented to reflect the packet drop). Additionally,
+ packets containing a combination of LSRR and SSRR options should be
+ dropped, and this event should be logged (e.g., a counter could be
+ incremented to reflect the packet drop).
+
+4.3.1. Uses
+
+ This option lets the originating system specify a number of
+ intermediate systems a packet must pass through to get to the
+ destination host. Additionally, the route followed by the packet is
+ recorded in the option. The receiving host (end-system) must use the
+ reverse of the path contained in the received LSRR option.
+
+ The LSSR option can be of help in debugging some network problems.
+ Some Internet Service Provider (ISP) peering agreements require
+ support for this option in the routers within the peer of the ISP.
+
+4.3.2. Option Specification
+
+ Specified in RFC 791 [RFC0791].
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 8]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.3.3. Threats
+
+ The LSRR option has well-known security implications [RFC6274].
+ Among other things, the option can be used to:
+
+ o Bypass firewall rules.
+
+ o Reach otherwise unreachable internet systems.
+
+ o Establish TCP connections in a stealthy way.
+
+ o Learn about the topology of a network.
+
+ o Perform bandwidth-exhaustion attacks.
+
+ Of these attack vectors, the one that has probably received least
+ attention is the use of the LSRR option to perform bandwidth
+ exhaustion attacks. The LSRR option can be used as an amplification
+ method for performing bandwidth-exhaustion attacks, as an attacker
+ could make a packet bounce multiple times between a number of systems
+ by carefully crafting an LSRR option.
+
+ This is the IPv4 version of the IPv6 amplification attack that was
+ widely publicized in 2007 [Biondi2007]. The only difference is
+ that the maximum length of the IPv4 header (and hence the LSRR
+ option) limits the amplification factor when compared to the IPv6
+ counterpart.
+
+ Additionally, some implementations have been found to fail to include
+ proper sanity checks on the LSRR option, thus leading to security
+ issues. These specific issues are believed to be solved in all
+ modern implementations.
+
+ [Microsoft1999] is a security advisory about a vulnerability
+ arising from improper validation of the Pointer field of the LSRR
+ option.
+
+ Finally, we note that some systems were known for providing a system-
+ wide toggle to enable support for this option for those scenarios in
+ which this option is required. However, improper implementation of
+ such a system-wide toggle caused those systems to support the LSRR
+ option even when explicitly configured not to do so.
+
+ [OpenBSD1998] is a security advisory about an improper
+ implementation of such a system-wide toggle in 4.4BSD kernels.
+ This issue was resolved in later versions of the corresponding
+ operating system.
+
+
+
+
+Gont, et al. Best Current Practice [Page 9]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.3.4. Operational and Interoperability Impact if Blocked
+
+ Network troubleshooting techniques that may employ the LSRR option
+ (such as ping or traceroute with the appropriate arguments) would
+ break when using the LSRR option. (Ping and traceroute without IPv4
+ options are not impacted.) Nevertheless, it should be noted that it
+ is virtually impossible to use the LSRR option for troubleshooting,
+ due to widespread dropping of packets that contain the option.
+
+4.3.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD implement an option-
+ specific configuration knob to select whether packets with this
+ option are dropped, packets with this IP option are forwarded as if
+ they did not contain this IP option, or packets with this option are
+ processed and forwarded as per [RFC0791]. The default setting for
+ this knob SHOULD be "drop", and the default setting MUST be
+ documented.
+
+ Please note that treating packets with LSRR as if they did not
+ contain this option can result in such packets being sent to a
+ different device than the initially intended destination. With
+ appropriate ingress filtering, this should not open an attack vector
+ into the infrastructure. Nonetheless, it could result in traffic
+ that would never reach the initially intended destination. Dropping
+ these packets prevents unnecessary network traffic and does not make
+ end-to-end communication any worse.
+
+4.4. Strict Source and Record Route (SSRR) (Type = 137)
+
+4.4.1. Uses
+
+ This option allows the originating system to specify a number of
+ intermediate systems a packet must pass through to get to the
+ destination host. Additionally, the route followed by the packet is
+ recorded in the option, and the destination host (end-system) must
+ use the reverse of the path contained in the received SSRR option.
+
+ This option is similar to the Loose Source and Record Route (LSRR)
+ option, with the only difference that in the case of SSRR, the route
+ specified in the option is the exact route the packet must take
+ (i.e., no other intervening routers are allowed to be in the route).
+
+ The SSRR option can be of help in debugging some network problems.
+ Some ISP peering agreements require support for this option in the
+ routers within the peer of the ISP.
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 10]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.4.2. Option Specification
+
+ Specified in RFC 791 [RFC0791].
+
+4.4.3. Threats
+
+ The SSRR option has the same security implications as the LSRR
+ option. Please refer to Section 4.3 for a discussion of such
+ security implications.
+
+4.4.4. Operational and Interoperability Impact if Blocked
+
+ Network troubleshooting techniques that may employ the SSRR option
+ (such as ping or traceroute with the appropriate arguments) would
+ break when using the SSRR option. (Ping and traceroute without IPv4
+ options are not impacted.) Nevertheless, it should be noted that it
+ is virtually impossible to use the SSRR option for trouble-shooting,
+ due to widespread dropping of packets that contain such option.
+
+4.4.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD implement an option-
+ specific configuration knob to select whether packets with this
+ option are dropped, packets with this IP option are forwarded as if
+ they did not contain this IP option, or packets with this option are
+ processed and forwarded as per [RFC0791]. The default setting for
+ this knob SHOULD be "drop", and the default setting MUST be
+ documented.
+
+ Please note that treating packets with SSRR as if they did not
+ contain this option can result in such packets being sent to a
+ different device that the initially intended destination. With
+ appropriate ingress filtering this should not open an attack vector
+ into the infrastructure. Nonetheless, it could result in traffic
+ that would never reach the initially intended destination. Dropping
+ these packets prevents unnecessary network traffic, and does not make
+ end-to-end communication any worse.
+
+4.5. Record Route (Type = 7)
+
+4.5.1. Uses
+
+ This option provides a means to record the route that a given packet
+ follows.
+
+4.5.2. Option Specification
+
+ Specified in RFC 791 [RFC0791].
+
+
+
+Gont, et al. Best Current Practice [Page 11]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.5.3. Threats
+
+ This option can be exploited to map the topology of a network.
+ However, the limited space in the IP header limits the usefulness of
+ this option for that purpose.
+
+4.5.4. Operational and Interoperability Impact if Blocked
+
+ Network troubleshooting techniques that may employ the RR option
+ (such as ping with the RR option) would break when using the RR
+ option. (Ping without IPv4 options is not impacted.) Nevertheless,
+ it should be noted that it is virtually impossible to use such
+ techniques due to widespread dropping of packets that contain RR
+ options.
+
+4.5.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD implement an option-
+ specific configuration knob to select whether packets with this
+ option are dropped, packets with this IP option are forwarded as if
+ they did not contain this IP option, or packets with this option are
+ processed and forwarded as per [RFC0791]. The default setting for
+ this knob SHOULD be "drop", and the default setting MUST be
+ documented.
+
+4.6. Stream Identifier (Type = 136) (obsolete)
+
+ The Stream Identifier option originally provided a means for the
+ 16-bit SATNET stream Identifier to be carried through networks that
+ did not support the stream concept.
+
+ However, as stated by Section 3.2.1.8 of RFC 1122 [RFC1122] and
+ Section 4.2.2.1 of RFC 1812 [RFC1812], this option is obsolete.
+ Therefore, it must be ignored by the processing systems. See also
+ [IANA-IP] and [RFC6814].
+
+ RFC 791 states that this option appears at most once in a given
+ datagram. Therefore, if a packet contains more than one instance of
+ this option, it should be dropped, and this event should be logged
+ (e.g., a counter could be incremented to reflect the packet drop).
+
+4.6.1. Uses
+
+ This option is obsolete. There is no current use for this option.
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 12]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.6.2. Option Specification
+
+ Specified in RFC 791 [RFC0791], and deprecated in RFC 1122 [RFC1122]
+ and RFC 1812 [RFC1812]. This option has been formally obsoleted by
+ [RFC6814].
+
+4.6.3. Threats
+
+ No specific security issues are known for this IPv4 option.
+
+4.6.4. Operational and Interoperability Impact if Blocked
+
+ None.
+
+4.6.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop IP packets
+ containing a Stream Identifier option.
+
+4.7. Internet Timestamp (Type = 68)
+
+4.7.1. Uses
+
+ This option provides a means for recording the time at which each
+ system (or a specified set of systems) processed this datagram, and
+ it may optionally record the addresses of the systems providing the
+ timestamps.
+
+4.7.2. Option Specification
+
+ Specified by RFC 791 [RFC0791].
+
+4.7.3. Threats
+
+ The timestamp option has a number of security implications [RFC6274].
+ Among them are:
+
+ o It allows an attacker to obtain the current time of the systems
+ that process the packet, which the attacker may find useful in a
+ number of scenarios.
+
+ o It may be used to map the network topology in a similar way to the
+ IP Record Route option.
+
+ o It may be used to fingerprint the operating system in use by a
+ system processing the datagram.
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 13]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ o It may be used to fingerprint physical devices by analyzing the
+ clock skew.
+
+ [Kohno2005] describes a technique for fingerprinting devices by
+ measuring the clock skew. It exploits, among other things, the
+ timestamps that can be obtained by means of the ICMP timestamp
+ request messages [RFC0791]. However, the same fingerprinting method
+ could be implemented with the aid of the Internet Timestamp option.
+
+4.7.4. Operational and Interoperability Impact if Blocked
+
+ Network troubleshooting techniques that may employ the Internet
+ Timestamp option (such as ping with the Timestamp option) would break
+ when using the Timestamp option. (Ping without IPv4 options is not
+ impacted.) Nevertheless, it should be noted that it is virtually
+ impossible to use such techniques due to widespread dropping of
+ packets that contain Internet Timestamp options.
+
+4.7.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop IP packets
+ containing an Internet Timestamp option.
+
+4.8. Router Alert (Type = 148)
+
+4.8.1. Uses
+
+ The Router Alert option has the semantic "routers should examine this
+ packet more closely, if they participate in the functionality denoted
+ by the Value of the option".
+
+4.8.2. Option Specification
+
+ The Router Alert option is defined in RFC 2113 [RFC2113] and later
+ updates to it have been clarified by RFC 5350 [RFC5350]. It contains
+ a 16-bit Value governed by an IANA registry (see [RFC5350]).
+
+4.8.3. Threats
+
+ The security implications of the Router Alert option have been
+ discussed in detail in [RFC6398]. Basically, the Router Alert option
+ might be exploited to perform a DoS attack by exhausting CPU
+ resources at the processing routers.
+
+4.8.4. Operational and Interoperability Impact if Blocked
+
+ Applications that employ the Router Alert option (such as RSVP
+ [RFC2205]) would break.
+
+
+
+Gont, et al. Best Current Practice [Page 14]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.8.5. Advice
+
+ This option SHOULD be allowed only in controlled environments, where
+ the option can be used safely. [RFC6398] identifies some such
+ environments. In unsafe environments, packets containing this option
+ SHOULD be dropped.
+
+ A given router, security gateway, or firewall system has no way of
+ knowing a priori whether this option is valid in its operational
+ environment. Therefore, routers, security gateways, and firewalls
+ SHOULD, by default, ignore the Router Alert option. Additionally,
+ routers, security gateways, and firewalls SHOULD have a configuration
+ setting that governs their reaction in the presence of packets
+ containing the Router Alert option. This configuration setting
+ SHOULD allow to honor and process the option, ignore the option, or
+ drop packets containing this option.
+
+4.9. Probe MTU (Type = 11) (obsolete)
+
+4.9.1. Uses
+
+ This option originally provided a mechanism to discover the Path-MTU.
+ It has been declared obsolete.
+
+4.9.2. Option Specification
+
+ This option was originally defined in RFC 1063 [RFC1063] and was
+ obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as
+ RFC 1191 obsoletes RFC 1063 without using IP options.
+
+4.9.3. Threats
+
+ This option is obsolete. This option could have been exploited to
+ cause a host to set its Path MTU (PMTU) estimate to an inordinately
+ low or an inordinately high value, thereby causing performance
+ problems.
+
+4.9.4. Operational and Interoperability Impact if Blocked
+
+ None
+
+ This option is NOT employed with the modern "Path MTU Discovery"
+ (PMTUD) mechanism [RFC1191], which employs special ICMP messages
+ (Type 3, Code 4) in combination with the IP DF bit. Packetization
+ Layer PMTUD (PLPMTUD) [RFC4821] can perform PMTUD without the need
+ for any special packets.
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 15]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.9.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop IP packets that
+ contain a Probe MTU option.
+
+4.10. Reply MTU (Type = 12) (obsolete)
+
+4.10.1. Uses
+
+ This option originally provided a mechanism to discover the Path-MTU.
+ It is now obsolete.
+
+4.10.2. Option Specification
+
+ This option was originally defined in RFC 1063 [RFC1063] and was
+ obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as
+ RFC 1191 obsoletes RFC 1063 without using IP options.
+
+4.10.3. Threats
+
+ This option is obsolete. This option could have been exploited to
+ cause a host to set its PMTU estimate to an inordinately low or an
+ inordinately high value, thereby causing performance problems.
+
+4.10.4. Operational and Interoperability Impact if Blocked
+
+ None
+
+ This option is NOT employed with the modern "Path MTU Discovery"
+ (PMTUD) mechanism [RFC1191], which employs special ICMP messages
+ (Type 3, Code 4) in combination with the IP DF bit. PLPMTUD
+ [RFC4821] can perform PMTUD without the need of any special
+ packets.
+
+4.10.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop IP packets that
+ contain a Reply MTU option.
+
+4.11. Traceroute (Type = 82)
+
+4.11.1. Uses
+
+ This option originally provided a mechanism to trace the path to a
+ host.
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 16]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.11.2. Option Specification
+
+ This option was originally specified by RFC 1393 [RFC1393] as
+ "experimental", and it was never widely deployed on the public
+ Internet. This option has been formally obsoleted by [RFC6814].
+
+4.11.3. Threats
+
+ This option is obsolete. Because this option required each router in
+ the path both to provide special processing and to send an ICMP
+ message, it could have been exploited to perform a DoS attack by
+ exhausting CPU resources at the processing routers.
+
+4.11.4. Operational and Interoperability Impact if Blocked
+
+ None
+
+4.11.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop IP packets that
+ contain a Traceroute option.
+
+4.12. DoD Basic Security Option (Type = 130)
+
+4.12.1. Uses
+
+ This option [RFC1108] is used by Multi-Level Secure (MLS) end-systems
+ and intermediate systems in specific environments to:
+
+ o transmit from source to destination in a network standard
+ representation the common security labels required by computer
+ security models [Landwehr81],
+
+ o validate the datagram as appropriate for transmission from the
+ source and delivery to the destination, and,
+
+ o ensure that the route taken by the datagram is protected to the
+ level required by all protection authorities indicated on the
+ datagram.
+
+ The DoD Basic Security Option (BSO) was implemented in IRIX
+ [IRIX2008] and is currently implemented in a number of operating
+ systems (e.g., Security-Enhanced Linux [SELinux2008], Solaris
+ [Solaris2008], and Cisco IOS [Cisco-IPSO]). It is also currently
+ deployed in a number of high-security networks. These networks are
+ typically either in physically secure locations, protected by
+ military/governmental communications security equipment, or both.
+
+
+
+
+Gont, et al. Best Current Practice [Page 17]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ Such networks are typically built using commercial off-the-shelf
+ (COTS) IP routers and Ethernet switches, but they are not normally
+ interconnected with the global public Internet. MLS systems are much
+ more widely deployed now than they were at the time the then-IESG
+ decided to remove IPSO (IP Security Options) from the IETF Standards
+ Track. Since nearly all MLS systems also support IPSO BSO and IPSO
+ ESO, this option is believed to have more deployment now than when
+ the IESG removed this option from the IETF Standards Track.
+ [RFC5570] describes a similar option recently defined for IPv6 and
+ has much more detailed explanations of how sensitivity label options
+ are used in real-world deployments.
+
+4.12.2. Option Specification
+
+ It is specified by RFC 1108 [RFC1108], which obsoleted RFC 1038
+ [RFC1038] (which in turn obsoleted the Security Option defined in RFC
+ 791 [RFC0791]).
+
+ RFC 791 [RFC0791] defined the "Security Option" (Type = 130),
+ which used the same option type as the DoD Basic Security option
+ discussed in this section. Later, RFC 1038 [RFC1038] revised the
+ IP security options, and in turn was obsoleted by RFC 1108
+ [RFC1108]. The "Security Option" specified in RFC 791 is
+ considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122] and
+ Section 4.2.2.1 of RFC 1812 [RFC1812], and therefore the
+ discussion in this section is focused on the DoD Basic Security
+ option specified by RFC 1108 [RFC1108].
+
+ Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement
+ [this option]".
+
+ Some private IP networks consider IP router-based per-interface
+ selective filtering of packets based on (a) the presence of an
+ IPSO option (including BSO and ESO) and (b) the contents of that
+ IPSO option to be important for operational security reasons. The
+ recent IPv6 Common Architecture Label IPv6 Security Option
+ (CALIPSO) specification discusses this in additional detail,
+ albeit in an IPv6 context [RFC5570].
+
+ Such private IP networks commonly are built using both commercial
+ and open-source products -- for hosts, guards, firewalls,
+ switches, routers, etc. Some commercial IP routers support this
+ option, as do some IP routers that are built on top of MLS
+ operating systems (e.g., on top of Trusted Solaris [Solaris2008]
+ or Security-Enhanced Linux [SELinux2008]).
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 18]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ For example, many Cisco routers that run Cisco IOS include support
+ for selectively filtering packets that contain the IP Security
+ Options (IPSO) with per-interface granularity. This capability
+ has been present in many Cisco routers since the early 1990s
+ [Cisco-IPSO-Cmds]. Some government-sector products reportedly
+ also support the IP Security Options (IPSO), for example, CANEWARE
+ [RFC4949].
+
+ Support for the IPSO Basic Security Option also is included in the
+ "IPsec Configuration Policy Information Model" [RFC3585] and in
+ the "IPsec Security Policy Database Configuration MIB" [RFC4807].
+ Section 4.6.1 of the IP Security Domain of Interpretation
+ [RFC2407] includes support for labeled IPsec security associations
+ compatible with the IP Security Options. (Note: RFC 2407 was
+ obsoleted by [RFC4306], which was obsoleted by [RFC5996].)
+
+4.12.3. Threats
+
+ Presence of this option in a packet does not by itself create any
+ specific new threat. Packets with this option ought not normally be
+ seen on the global public Internet.
+
+4.12.4. Operational and Interoperability Impact if Blocked
+
+ If packets with this option are blocked or if the option is stripped
+ from the packet during transmission from source to destination, then
+ the packet itself is likely to be dropped by the receiver because it
+ is not properly labeled. In some cases, the receiver might receive
+ the packet but associate an incorrect sensitivity label with the
+ received data from the packet whose BSO was stripped by an
+ intermediate router or firewall. Associating an incorrect
+ sensitivity label can cause the received information either to be
+ handled as more sensitive than it really is ("upgrading") or as less
+ sensitive than it really is ("downgrading"), either of which is
+ problematic.
+
+4.12.5. Advice
+
+ A given IP router, security gateway, or firewall has no way to know a
+ priori what environment it has been deployed into. Even closed IP
+ deployments generally use exactly the same commercial routers,
+ security gateways, and firewalls that are used in the public
+ Internet.
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 19]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ Since operational problems result in environments where this option
+ is needed if either the option is dropped or IP packets containing
+ this option are dropped, but no harm results if the option is carried
+ in environments where it is not needed, the default configuration
+ SHOULD NOT (a) modify or remove this IP option or (b) drop an IP
+ packet because the IP packet contains this option.
+
+ A given IP router, security gateway, or firewall MAY be configured to
+ drop this option or to drop IP packets containing this option in an
+ environment known to not use this option.
+
+ For auditing reasons, routers, security gateways, and firewalls
+ SHOULD be capable of logging the numbers of packets containing the
+ BSO on a per-interface basis. Also, routers, security gateways, and
+ firewalls SHOULD be capable of dropping packets based on the BSO
+ presence as well as the BSO values.
+
+4.13. DoD Extended Security Option (Type = 133)
+
+4.13.1. Uses
+
+ This option permits additional security labeling information, beyond
+ that present in the Basic Security Option (Section 4.12), to be
+ supplied in an IP datagram to meet the needs of registered
+ authorities.
+
+4.13.2. Option Specification
+
+ The DoD Extended Security Option (ESO) is specified by RFC 1108
+ [RFC1108].
+
+ Some private IP networks consider IP router-based per-interface
+ selective filtering of packets based on (a) the presence of an
+ IPSO option (including BSO and ESO) and (b) based on the contents
+ of that IPSO option to be important for operational security
+ reasons. The recent IPv6 CALIPSO option specification discusses
+ this in additional detail, albeit in an IPv6 context [RFC5570].
+
+ Such private IP networks commonly are built using both commercial
+ and open-source products -- for hosts, guards, firewalls,
+ switches, routers, etc. Some commercial IP routers support this
+ option, as do some IP routers that are built on top of MLS
+ operating systems (e.g., on top of Trusted Solaris [Solaris2008]
+ or Security-Enhanced Linux [SELinux2008]).
+
+ For example, many Cisco routers that run Cisco IOS include support
+ for selectively filtering packets that contain the IP Security
+ Options (IPSO) with per-interface granularity. This capability
+
+
+
+Gont, et al. Best Current Practice [Page 20]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ has been present in many Cisco routers since the early 1990s
+ [Cisco-IPSO-Cmds]. Some government sector products reportedly
+ also support the IP Security Options (IPSO), for example, CANEWARE
+ [RFC4949].
+
+ Support for the IPSO Extended Security Option also is included in
+ the "IPsec Configuration Policy Information Model" [RFC3585] and
+ in the "IPsec Security Policy Database Configuration MIB"
+ [RFC4807]. Section 4.6.1 of the IP Security Domain of
+ Interpretation [RFC2407] includes support for labeled IPsec
+ security associations compatible with the IP Security Options.
+
+4.13.3. Threats
+
+ Presence of this option in a packet does not by itself create any
+ specific new threat. Packets with this option ought not normally be
+ seen on the global public Internet.
+
+4.13.4. Operational and Interoperability Impact if Blocked
+
+ If packets with this option are blocked or if the option is stripped
+ from the packet during transmission from source to destination, then
+ the packet itself is likely to be dropped by the receiver because it
+ is not properly labeled. In some cases, the receiver might receive
+ the packet but associate an incorrect sensitivity label with the
+ received data from the packet whose ESO was stripped by an
+ intermediate router or firewall. Associating an incorrect
+ sensitivity label can cause the received information either to be
+ handled as more sensitive than it really is ("upgrading") or as less
+ sensitive than it really is ("downgrading"), either of which is
+ problematic.
+
+4.13.5. Advice
+
+ A given IP router, security gateway, or firewall has no way to know a
+ priori what environment it has been deployed into. Even closed IP
+ deployments generally use exactly the same commercial routers,
+ security gateways, and firewalls that are used in the public
+ Internet.
+
+ Since operational problems result in environments where this option
+ is needed if either the option is dropped or IP packets containing
+ this option are dropped, but no harm results if the option is carried
+ in environments where it is not needed, the default configuration
+ SHOULD NOT (a) modify or remove this IP option or (b) drop an IP
+ packet because the IP packet contains this option.
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 21]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ A given IP router, security gateway, or firewall MAY be configured to
+ drop this option or to drop IP packets containing this option in an
+ environment known to not use this option.
+
+ For auditing reasons, routers, security gateways, and firewalls
+ SHOULD be capable of logging the numbers of packets containing the
+ ESO on a per-interface basis. Also, routers, security gateways, and
+ firewalls SHOULD be capable of dropping packets based on the ESO
+ presence as well as the ESO values.
+
+4.14. Commercial IP Security Option (CIPSO) (Type = 134)
+
+4.14.1. Uses
+
+ This option was proposed by the Trusted Systems Interoperability
+ Group (TSIG), with the intent of meeting trusted networking
+ requirements for the commercial trusted systems marketplace.
+
+ It was implemented in IRIX [IRIX2008] and is currently implemented in
+ a number of operating systems (e.g., Security-Enhanced Linux
+ [SELinux2008] and Solaris [Solaris2008]). It is also currently
+ deployed in a number of high-security networks.
+
+4.14.2. Option Specification
+
+ This option is specified in [CIPSO] and [FIPS1994]. There are zero
+ known IP router implementations of CIPSO. Several MLS operating
+ systems support CIPSO, generally the same MLS operating systems that
+ support IPSO.
+
+ The TSIG proposal was taken to the Commercial Internet Security
+ Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an
+ Internet-Draft was produced [CIPSO]. The Internet-Draft was never
+ published as an RFC, but the proposal was later standardized by
+ the U.S. National Institute of Standards and Technology (NIST) as
+ "Federal Information Processing Standard Publication 188"
+ [FIPS1994].
+
+4.14.3. Threats
+
+ Presence of this option in a packet does not by itself create any
+ specific new threat. Packets with this option ought not normally be
+ seen on the global public Internet.
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 22]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.14.4. Operational and Interoperability Impact if Blocked
+
+ If packets with this option are blocked or if the option is stripped
+ from the packet during transmission from source to destination, then
+ the packet itself is likely to be dropped by the receiver because it
+ is not properly labeled. In some cases, the receiver might receive
+ the packet but associate an incorrect sensitivity label with the
+ received data from the packet whose CIPSO was stripped by an
+ intermediate router or firewall. Associating an incorrect
+ sensitivity label can cause the received information either to be
+ handled as more sensitive than it really is ("upgrading") or as less
+ sensitive than it really is ("downgrading"), either of which is
+ problematic.
+
+4.14.5. Advice
+
+ Because of the design of this option, with variable syntax and
+ variable length, it is not practical to support specialized filtering
+ using the CIPSO information. No routers or firewalls are known to
+ support this option. However, routers, security gateways, and
+ firewalls SHOULD NOT by default modify or remove this option from IP
+ packets and SHOULD NOT by default drop packets because they contain
+ this option. For auditing reasons, routers, security gateways, and
+ firewalls SHOULD be capable of logging the numbers of packets
+ containing the CIPSO on a per-interface basis. Also, routers,
+ security gateways, and firewalls SHOULD be capable of dropping
+ packets based on the CIPSO presence.
+
+4.15. VISA (Type = 142)
+
+4.15.1. Uses
+
+ This options was part of an experiment at the University of Southern
+ California (USC) and was never widely deployed.
+
+4.15.2. Option Specification
+
+ The original option specification is not publicly available. This
+ option has been formally obsoleted by [RFC6814].
+
+4.15.3. Threats
+
+ Not possible to determine (other than the general security
+ implications of IP options discussed in Section 3), since the
+ corresponding specification is not publicly available.
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 23]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.15.4. Operational and Interoperability Impact if Blocked
+
+ None.
+
+4.15.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop IP packets that
+ contain this option.
+
+4.16. Extended Internet Protocol (Type = 145)
+
+4.16.1. Uses
+
+ The EIP option was introduced by one of the proposals submitted
+ during the IP Next Generation (IPng) efforts to address the problem
+ of IPv4 address exhaustion.
+
+4.16.2. Option Specification
+
+ Specified in [RFC1385]. This option has been formally obsoleted by
+ [RFC6814].
+
+4.16.3. Threats
+
+ This option is obsolete. This option was used (or was intended to be
+ used) to signal that a packet superficially similar to an IPv4 packet
+ actually contained a different protocol, opening up the possibility
+ that an IPv4 node that simply ignored this option would process a
+ received packet in a manner inconsistent with the intent of the
+ sender. There are no known threats arising from this option, other
+ than the general security implications of IP options discussed in
+ Section 3.
+
+4.16.4. Operational and Interoperability Impact if Blocked
+
+ None.
+
+4.16.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop packets that
+ contain this option.
+
+
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 24]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.17. Address Extension (Type = 147)
+
+4.17.1. Uses
+
+ The Address Extension option was introduced by one of the proposals
+ submitted during the IPng efforts to address the problem of IPv4
+ address exhaustion.
+
+4.17.2. Option Specification
+
+ Specified in [RFC1475]. This option has been formally obsoleted by
+ [RFC6814].
+
+4.17.3. Threats
+
+ There are no known threats arising from this option, other than the
+ general security implications of IP options discussed in Section 3.
+
+4.17.4. Operational and Interoperability Impact if Blocked
+
+ None.
+
+4.17.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop packets that
+ contain this option.
+
+4.18. Sender Directed Multi-Destination Delivery (Type = 149)
+
+4.18.1. Uses
+
+ This option originally provided unreliable UDP delivery to a set of
+ addresses included in the option.
+
+4.18.2. Option Specification
+
+ This option is specified in RFC 1770 [RFC1770]. It has been formally
+ obsoleted by [RFC6814].
+
+4.18.3. Threats
+
+ This option could have been exploited for bandwidth-amplification in
+ DoS attacks.
+
+4.18.4. Operational and Interoperability Impact if Blocked
+
+ None.
+
+
+
+
+Gont, et al. Best Current Practice [Page 25]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.18.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop IP packets that
+ contain a Sender Directed Multi-Destination Delivery option.
+
+4.19. Dynamic Packet State (Type = 151)
+
+4.19.1. Uses
+
+ The Dynamic Packet State option was used to specify the Dynamic
+ Packet State (DPS) in the context of the differentiated services
+ architecture.
+
+4.19.2. Option Specification
+
+ The Dynamic Packet State option was specified in [DIFFSERV-DPS]. The
+ aforementioned document was meant to be published as "Experimental",
+ but never made it into an RFC. This option has been formally
+ obsoleted by [RFC6814].
+
+4.19.3. Threats
+
+ Possible threats include theft of service and denial of service.
+ However, we note that this option has never been widely implemented
+ or deployed.
+
+4.19.4. Operational and Interoperability Impact if Blocked
+
+ None.
+
+4.19.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop packets that
+ contain this option.
+
+4.20. Upstream Multicast Pkt. (Type = 152)
+
+4.20.1. Uses
+
+ This option was meant to solve the problem of doing upstream
+ forwarding of multicast packets on a multi-access LAN.
+
+4.20.2. Option Specification
+
+ This option was originally specified in [BIDIR-TREES]. It was never
+ formally standardized in the RFC series and was never widely
+ implemented and deployed. Its use was obsoleted by [RFC5015], which
+
+
+
+
+Gont, et al. Best Current Practice [Page 26]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ employs a control-plane mechanism to solve the problem of doing
+ upstream forwarding of multicast packets on a multi-access LAN. This
+ option has been formally obsoleted by [RFC6814].
+
+4.20.3. Threats
+
+ This option is obsolete. A router that ignored this option instead
+ of processing it as specified in [BIDIR-TREES] could have forwarded
+ multicast packets to an unintended destination.
+
+4.20.4. Operational and Interoperability Impact if Blocked
+
+ None.
+
+4.20.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD drop packets that
+ contain this option.
+
+4.21. Quick-Start (Type = 25)
+
+4.21.1. Uses
+
+ This IP Option is used in the specification of Quick-Start for TCP
+ and IP, which is an experimental mechanism that allows transport
+ protocols, in cooperation with routers, to determine an allowed
+ sending rate at the start and, at times, in the middle of a data
+ transfer (e.g., after an idle period) [RFC4782].
+
+4.21.2. Option Specification
+
+ Specified in RFC 4782 [RFC4782], on the "Experimental" track.
+
+4.21.3. Threats
+
+ Section 9.6 of [RFC4782] notes that Quick-Start is vulnerable to two
+ kinds of attacks:
+
+ o attacks to increase the routers' processing and state load, and,
+
+ o attacks with bogus Quick-Start Requests to temporarily tie up
+ available Quick-Start bandwidth, preventing routers from approving
+ Quick-Start Requests from other connections.
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 27]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.21.4. Operational and Interoperability Impact if Blocked
+
+ The Quick-Start functionality would be disabled, and additional
+ delays in TCP's connection establishment (for example) could be
+ introduced. (Please see Section 4.7.2 of [RFC4782].) We note,
+ however, that Quick-Start has been proposed as a mechanism that could
+ be of use in controlled environments, and not as a mechanism that
+ would be intended or appropriate for ubiquitous deployment in the
+ global Internet [RFC4782].
+
+4.21.5. Advice
+
+ A given router, security gateway, or firewall system has no way of
+ knowing a priori whether this option is valid in its operational
+ environment. Therefore, routers, security gateways, and firewalls
+ SHOULD, by default, ignore the Quick-Start option. Additionally,
+ routers, security gateways, and firewalls SHOULD have a configuration
+ setting that governs their reaction in the presence of packets
+ containing the Quick-Start option. This configuration setting SHOULD
+ allow to honor and process the option, ignore the option, or drop
+ packets containing this option. The default configuration is to
+ ignore the Quick-Start option.
+
+ We note that if routers in a given environment do not implement
+ and enable the Quick-Start mechanism, only the general security
+ implications of IP options (discussed in Section 3) would apply.
+
+4.22. RFC3692-Style Experiment (Types = 30, 94, 158, and 222)
+
+ Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all
+ defined values of the "copy" and "class" fields for RFC3692-style
+ experiments. This results in four distinct option type codes: 30,
+ 94, 158, and 222.
+
+4.22.1. Uses
+
+ It is only appropriate to use these values in explicitly configured
+ experiments; they MUST NOT be shipped as defaults in implementations.
+
+4.22.2. Option Specification
+
+ Specified in RFC 4727 [RFC4727] in the context of RFC3692-style
+ experiments.
+
+4.22.3. Threats
+
+ No specific security issues are known for this IPv4 option.
+
+
+
+
+Gont, et al. Best Current Practice [Page 28]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+4.22.4. Operational and Interoperability Impact if Blocked
+
+ None.
+
+4.22.5. Advice
+
+ Routers, security gateways, and firewalls SHOULD have configuration
+ knobs for IP packets that contain RFC3692-style Experiment options to
+ select between "ignore & forward" and "drop & log". Otherwise, no
+ legitimate experiment using these options will be able to traverse
+ any IP router.
+
+ Special care needs to be taken in the case of "drop & log". Devices
+ SHOULD count the number of packets dropped, but the logging of drop
+ events SHOULD be limited so as to not overburden device resources.
+
+ The aforementioned configuration knob SHOULD default to "drop & log".
+
+4.23. Other IP Options
+
+4.23.1. Specification
+
+ Unrecognized IP options are to be ignored. Section 3.2.1.8 of RFC
+ 1122 [RFC1122] specifies this behavior as follows:
+
+ The IP and transport layer MUST each interpret those IP options
+ that they understand and silently ignore the others.
+
+ Additionally, Section 4.2.2.6 of RFC 1812 [RFC1812] specifies it as
+ follows:
+
+ A router MUST ignore IP options which it does not recognize.
+
+ This document adds that unrecognized IP options MAY also be logged.
+
+ Further, routers, security gateways, and firewalls MUST provide the
+ ability to log drop events of IP packets containing unrecognized or
+ obsolete options.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 29]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ A number of additional options are listed in the "IP OPTION NUMBERS"
+ IANA registry [IANA-IP] as of the time this document was last edited.
+ Specifically:
+
+ Copy Class Number Value Name
+ ---- ----- ------ ----- -------------------------------------------
+ 0 0 10 10 ZSU - Experimental Measurement
+ 1 2 13 205 FINN - Experimental Flow Control
+ 0 0 15 15 ENCODE - ???
+ 1 0 16 144 IMITD - IMI Traffic Descriptor
+ 1 0 22 150 - Unassigned (Released 18 Oct. 2005)
+
+ The ENCODE option (type 15) has been formally obsoleted by [RFC6814].
+
+4.23.2. Threats
+
+ The lack of open specifications for these options makes it impossible
+ to evaluate their security implications.
+
+4.23.3. Operational and Interoperability Impact if Blocked
+
+ The lack of open specifications for these options makes it impossible
+ to evaluate the operational and interoperability impact if packets
+ containing these options are blocked.
+
+4.23.4. Advice
+
+ Routers, security gateways, and firewalls SHOULD have configuration
+ knobs for IP packets containing these options (or other options not
+ recognized) to select between "ignore & forward" and "drop & log".
+
+ Section 4.23.1 points out that [RFC1122] and [RFC1812] specify that
+ unrecognized IP options MUST be ignored. However, the previous
+ paragraph states that routers, security gateways, and firewalls
+ SHOULD have a configuration option for dropping and logging IP
+ packets containing unrecognized options. While it is acknowledged
+ that this advice contradicts the previous RFCs' requirements, the
+ advice in this document reflects current operational reality.
+
+ Special care needs to be taken in the case of "drop & log". Devices
+ SHOULD count the number of packets dropped, but the logging of drop
+ events SHOULD be limited so as to not overburden device resources.
+
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 30]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+5. Security Considerations
+
+ This document provides advice on the filtering of IP packets that
+ contain IP options. Dropping such packets can help to mitigate the
+ security issues that arise from use of different IP options. Many of
+ the IPv4 options listed in this document are deprecated and cause no
+ operational impact if dropped. However, dropping packets containing
+ IPv4 options that are in use can cause real operational problems in
+ deployed networks. Therefore, the practice of dropping all IPv4
+ packets containing one or more IPv4 options without careful
+ consideration is not recommended.
+
+6. Acknowledgements
+
+ The authors would like to thank (in alphabetical order) Ron Bonica,
+ C. M. Heard, Merike Kaeo, Panos Kampanakis, Suresh Krishnan, Arturo
+ Servin, SM, and Donald Smith for providing thorough reviews and
+ valuable comments. Merike Kaeo also contributed text used in this
+ document.
+
+ The authors also wish to thank various network operations folks who
+ supplied feedback on earlier versions of this document but did not
+ wish to be named explicitly in this document.
+
+ Part of this document is initially based on the document "Security
+ Assessment of the Internet Protocol" [CPNI2008] that is the result of
+ a project carried out by Fernando Gont on behalf of UK CPNI (formerly
+ NISCC). Fernando Gont would like to thank UK CPNI (formerly NISCC)
+ for their continued support.
+
+7. References
+
+7.1. Normative References
+
+ [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September
+ 1981.
+
+ [RFC1122] Braden, R., "Requirements for Internet Hosts -
+ Communication Layers", STD 3, RFC 1122, October 1989.
+
+ [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
+ November 1990.
+
+ [RFC1812] Baker, F., "Requirements for IP Version 4 Routers", RFC
+ 1812, June 1995.
+
+ [RFC2113] Katz, D., "IP Router Alert Option", RFC 2113, February
+ 1997.
+
+
+
+Gont, et al. Best Current Practice [Page 31]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
+ ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006.
+
+ [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
+ Discovery", RFC 4821, March 2007.
+
+ [RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano,
+ "Bidirectional Protocol Independent Multicast (BIDIR-
+ PIM)", RFC 5015, October 2007.
+
+ [RFC6398] Le Faucheur, F., "IP Router Alert Considerations and
+ Usage", BCP 168, RFC 6398, October 2011.
+
+ [RFC6814] Pignataro, C. and F. Gont, "Formally Deprecating Some IPv4
+ Options", RFC 6814, November 2012.
+
+7.2. Informative References
+
+ [BIDIR-TREES]
+ Estrin, D. and D. Farinacci, "Bi-Directional Shared Trees
+ in PIM-SM", Work in Progress, May 1999.
+
+ [BREMIER-BARR]
+ Bremier-Barr, A. and H. Levy, "Spoofing prevention
+ method", Proceedings of IEEE InfoCom 2005, Volume 1, pp.
+ 536-547, March 2005.
+
+ [Biondi2007]
+ Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
+ CanSecWest 2007 Security Conference, 2007,
+ <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>.
+
+ [CIPSOWG1994]
+ IETF CIPSO Working Group, "Commercial Internet Protocol
+ Security Option (CIPSO) Charter", 1994,
+ <http://www.ietf.org/proceedings/94jul/charters/
+ cipso-charter.html>.
+
+ [CIPSO] IETF CIPSO Working Group, "COMMERCIAL IP SECURITY OPTION
+ (CIPSO 2.2)", Work in Progress, 1992.
+
+ [CPNI2008] Gont, F., "Security Assessment of the Internet Protocol",
+ 2008,
+ <http://www.gont.com.ar/papers/InternetProtocol.pdf>.
+
+
+
+
+Gont, et al. Best Current Practice [Page 32]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ [Cisco-IPSO-Cmds]
+ Cisco Systems, Inc., "IP Security Options Commands", Cisco
+ IOS Security Command Reference, Release 12.2,
+ <http://www.cisco.com/en/US/docs/ios/12_2/security/
+ command/reference/srfipso.html>.
+
+ [Cisco-IPSO]
+ Cisco Systems, Inc., "Configuring IP Security Options",
+ Cisco IOS Security Configuration Guide, Release 12.2,
+ 2006, <http://www.cisco.com/en/US/docs/ios/12_2/security/
+ configuration/guide/scfipso.html>.
+
+ [DIFFSERV-DPS]
+ Stoica, I., Zhang, H., Venkitaram, N., and J. Mysore, "Per
+ Hop Behaviors Based on Dynamic Packet State", Work in
+ Progress, October 2002.
+
+ [FIPS1994]
+ FIPS, "Standard Security Label for Information Transfer",
+ Federal Information Processing Standards Publication, FIP
+ PUBS 188, 1994, <http://csrc.nist.gov/publications/fips/
+ fips188/fips188.pdf>.
+
+ [FONSECA] Fonseca, R., Porter, G., Katz, R., Shenker, S., and I.
+ Stoica, "IP Options are not an option", EECS Department,
+ University of California, Berkeley, December 2005,
+ <http://www.eecs.berkeley.edu/Pubs/TechRpts/2005/
+ EECS-2005-24.html>.
+
+ [IANA-IP] IANA, "IP OPTION NUMBERS",
+ <http://www.iana.org/assignments/ip-parameters>.
+
+ [IRIX2008] IRIX, "IRIX 6.5 trusted_networking(7) manual page", 2008,
+ <http://techpubs.sgi.com/library/tpl/cgi-bin/
+ getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/
+ cat7/trusted_networking.z>.
+
+ [Kohno2005]
+ Kohno, T., Broido, A., and kc. Claffy, "Remote Physical
+ Device Fingerprinting", IEEE Transactions on Dependable
+ and Secure Computing, Vol. 2, No. 2, 2005.
+
+ [Landwehr81]
+ Landwehr, C., "Formal Models for Computer Security", ACM
+ Computing Surveys, Vol. 13, No. 3, Association for
+ Computing Machinery, New York, NY, USA, September 1981.
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 33]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ [MEDINA] Medina, A., Allman, M., and S. Floyd, "Measuring
+ Interactions Between Transport Protocols and Middleboxes",
+ Proc. 4th ACM SIGCOMM/USENIX Conference on Internet
+ Measurement, October 2004.
+
+ [Microsoft1999]
+ Microsoft, "Microsoft Security Program: Microsoft Security
+ Bulletin (MS99-038). Patch Available for "Spoofed Route
+ Pointer" Vulnerability", September 1999,
+ <http://www.microsoft.com/technet/security/bulletin/
+ ms99-038.mspx>.
+
+ [OpenBSD1998]
+ OpenBSD, "OpenBSD Security Advisory: IP Source Routing
+ Problem", February 1998,
+ <http://www.openbsd.org/advisories/sourceroute.txt>.
+
+ [RFC1038] St. Johns, M., "Draft revised IP security option", RFC
+ 1038, January 1988.
+
+ [RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP
+ MTU discovery options", RFC 1063, July 1988.
+
+ [RFC1108] Kent, S., "U.S. Department of Defense Security Options for
+ the Internet Protocol", RFC 1108, November 1991.
+
+ [RFC1385] Wang, Z., "EIP: The Extended Internet Protocol", RFC 1385,
+ November 1992.
+
+ [RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393,
+ January 1993.
+
+ [RFC1475] Ullmann, R., "TP/IX: The Next Internet", RFC 1475, June
+ 1993.
+
+ [RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi-
+ Destination Delivery", RFC 1770, March 1995.
+
+ [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
+ Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
+ Functional Specification", RFC 2205, September 1997.
+
+ [RFC2407] Piper, D., "The Internet IP Security Domain of
+ Interpretation for ISAKMP", RFC 2407, November 1998.
+
+ [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
+ Configuration Policy Information Model", RFC 3585, August
+ 2003.
+
+
+
+Gont, et al. Best Current Practice [Page 34]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+ [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
+ 4306, December 2005.
+
+ [RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
+ Start for TCP and IP", RFC 4782, January 2007.
+
+ [RFC4807] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
+ Wang, "IPsec Security Policy Database Configuration MIB",
+ RFC 4807, March 2007.
+
+ [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC
+ 4949, August 2007.
+
+ [RFC5350] Manner, J. and A. McDonald, "IANA Considerations for the
+ IPv4 and IPv6 Router Alert Options", RFC 5350, September
+ 2008.
+
+ [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
+ Architecture Label IPv6 Security Option (CALIPSO)", RFC
+ 5570, July 2009.
+
+ [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
+ "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
+ 5996, September 2010.
+
+ [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
+ Router Control Plane", RFC 6192, March 2011.
+
+ [RFC6274] Gont, F., "Security Assessment of the Internet Protocol
+ Version 4", RFC 6274, July 2011.
+
+ [SELinux2008]
+ National Security Agency (United States), "Security-
+ Enhanced Linux - NSA/CSS", January 2009,
+ <http://www.nsa.gov/research/selinux/index.shtml>.
+
+ [Solaris2008]
+ "Solaris Trusted Extensions: Labeled Security for Absolute
+ Protection", 2008,
+ <http://www.oracle.com/technetwork/server-storage/
+ solaris10/overview/trusted-extensions-149944.pdf>.
+
+
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 35]
+
+RFC 7126 Filtering of IP-Optioned Packets February 2014
+
+
+Authors' Addresses
+
+ Fernando Gont
+ UTN-FRH / SI6 Networks
+ Evaristo Carriego 2644
+ Haedo, Provincia de Buenos Aires 1706
+ Argentina
+
+ Phone: +54 11 4650 8472
+ EMail: fgont@si6networks.com
+ URI: http://www.si6networks.com
+
+
+ RJ Atkinson
+ Consultant
+ McLean, VA 22103
+ USA
+
+ EMail: rja.lists@gmail.com
+
+
+ Carlos Pignataro
+ Cisco Systems, Inc.
+ 7200-12 Kit Creek Road
+ Research Triangle Park, NC 27709
+ USA
+
+ EMail: cpignata@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gont, et al. Best Current Practice [Page 36]
+