GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools

Problem, Formatting or Query -  Send Feedback

Was this page helpful?-10+1


rfc:rfc6274

Internet Engineering Task Force (IETF) F. Gont Request for Comments: 6274 UK CPNI Category: Informational July 2011 ISSN: 2070-1721

       Security Assessment of the Internet Protocol Version 4

Abstract

 This document contains a security assessment of the IETF
 specifications of the Internet Protocol version 4 and of a number of
 mechanisms and policies in use by popular IPv4 implementations.  It
 is based on the results of a project carried out by the UK's Centre
 for the Protection of National Infrastructure (CPNI).

Status of This Memo

 This document is not an Internet Standards Track specification; it is
 published for informational purposes.
 This document is a product of the Internet Engineering Task Force
 (IETF).  It represents the consensus of the IETF community.  It has
 received public review and has been approved for publication by the
 Internet Engineering Steering Group (IESG).  Not all documents
 approved by the IESG are a candidate for any level of Internet
 Standard; see Section 2 of RFC 5741.
 Information about the current status of this document, any errata,
 and how to provide feedback on it may be obtained at
 http://www.rfc-editor.org/info/rfc6274.

Copyright Notice

 Copyright (c) 2011 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents
 (http://trustee.ietf.org/license-info) in effect on the date of
 publication of this document.  Please review these documents
 carefully, as they describe your rights and restrictions with respect
 to this document.  Code Components extracted from this document must
 include Simplified BSD License text as described in Section 4.e of
 the Trust Legal Provisions and are provided without warranty as
 described in the Simplified BSD License.

Gont Informational [Page 1] RFC 6274 IPv4 Security Assessment July 2011

Table of Contents

 1. Preface .........................................................4
    1.1. Introduction ...............................................4
    1.2. Scope of This Document .....................................6
    1.3. Organization of This Document ..............................7
 2. The Internet Protocol ...........................................7
 3. Internet Protocol Header Fields .................................8
    3.1. Version ....................................................9
    3.2. IHL (Internet Header Length) ..............................10
    3.3. Type of Service (TOS) .....................................10
         3.3.1. Original Interpretation ............................10
         3.3.2. Standard Interpretation ............................12
                3.3.2.1. Differentiated Services Field .............12
                3.3.2.2. Explicit Congestion Notification (ECN) ....13
    3.4. Total Length ..............................................14
    3.5. Identification (ID) .......................................15
         3.5.1. Some Workarounds Implemented by the Industry .......16
         3.5.2. Possible Security Improvements .....................17
                3.5.2.1. Connection-Oriented Transport Protocols ...17
                3.5.2.2. Connectionless Transport Protocols ........18
    3.6. Flags .....................................................19
    3.7. Fragment Offset ...........................................21
    3.8. Time to Live (TTL) ........................................22
         3.8.1. Fingerprinting the Operating System in Use
                by the Source Host .................................24
         3.8.2. Fingerprinting the Physical Device from
                which the Packets Originate ........................24
         3.8.3. Mapping the Network Topology .......................24
         3.8.4. Locating the Source Host in the Network Topology ...25
         3.8.5. Evading Network Intrusion Detection Systems ........26
         3.8.6. Improving the Security of Applications That
                Make Use of the Internet Protocol (IP) .............27
         3.8.7. Limiting Spread ....................................28
    3.9. Protocol ..................................................28
    3.10. Header Checksum ..........................................28
    3.11. Source Address ...........................................29
    3.12. Destination Address ......................................30
    3.13. Options ..................................................30
         3.13.1. General Issues with IP Options ....................31
                3.13.1.1. Processing Requirements ..................31
                3.13.1.2. Processing of the Options by the
                          Upper-Layer Protocol .....................32
                3.13.1.3. General Sanity Checks on IP Options ......32
         3.13.2. Issues with Specific Options ......................34
                3.13.2.1. End of Option List (Type=0) ..............34
                3.13.2.2. No Operation (Type=1) ....................34

Gont Informational [Page 2] RFC 6274 IPv4 Security Assessment July 2011

                3.13.2.3. Loose Source and Record Route
                          (LSRR) (Type=131) ........................34
                3.13.2.4. Strict Source and Record Route
                          (SSRR) (Type=137) ........................37
                3.13.2.5. Record Route (Type=7) ....................39
                3.13.2.6. Stream Identifier (Type=136) .............40
                3.13.2.7. Internet Timestamp (Type=68) .............40
                3.13.2.8. Router Alert (Type=148) ..................43
                3.13.2.9. Probe MTU (Type=11) (Obsolete) ...........44
                3.13.2.10. Reply MTU (Type=12) (Obsolete) ..........44
                3.13.2.11. Traceroute (Type=82) ....................44
                3.13.2.12. Department of Defense (DoD)
                           Basic Security Option (Type=130) ........45
                3.13.2.13. DoD Extended Security Option
                           (Type=133) ..............................46
                3.13.2.14. Commercial IP Security Option
                           (CIPSO) (Type=134) ......................47
                3.13.2.15. Sender Directed
                           Multi-Destination Delivery (Type=149) ...47
 4. Internet Protocol Mechanisms ...................................48
    4.1. Fragment Reassembly .......................................48
         4.1.1. Security Implications of Fragment Reassembly .......49
                4.1.1.1. Problems Related to Memory Allocation .....49
                4.1.1.2. Problems That Arise from the
                         Length of the IP Identification Field .....51
                4.1.1.3. Problems That Arise from the
                         Complexity of the Reassembly Algorithm ....52
                4.1.1.4. Problems That Arise from the
                         Ambiguity of the Reassembly Process .......52
                4.1.1.5. Problems That Arise from the Size
                         of the IP Fragments .......................53
         4.1.2. Possible Security Improvements .....................53
                4.1.2.1. Memory Allocation for Fragment
                         Reassembly ................................53
                4.1.2.2. Flushing the Fragment Buffer ..............54
                4.1.2.3. A More Selective Fragment Buffer
                         Flushing Strategy .........................55
                4.1.2.4. Reducing the Fragment Timeout .............57
                4.1.2.5. Countermeasure for Some NIDS
                         Evasion Techniques ........................58
                4.1.2.6. Countermeasure for Firewall-Rules
                         Bypassing .................................58
    4.2. Forwarding ................................................58
         4.2.1. Precedence-Ordered Queue Service ...................58
         4.2.2. Weak Type of Service ...............................59
         4.2.3. Impact of Address Resolution on Buffer Management ..60
         4.2.4. Dropping Packets ...................................61
    4.3. Addressing ................................................61

Gont Informational [Page 3] RFC 6274 IPv4 Security Assessment July 2011

         4.3.1. Unreachable Addresses ..............................61
         4.3.2. Private Address Space ..............................61
         4.3.3. Former Class D Addresses (224/4 Address Block) .....62
         4.3.4. Former Class E Addresses (240/4 Address Block) .....62
         4.3.5. Broadcast/Multicast Addresses and
                Connection-Oriented Protocols ......................62
         4.3.6. Broadcast and Network Addresses ....................63
         4.3.7. Special Internet Addresses .........................63
 5. Security Considerations ........................................65
 6. Acknowledgements ...............................................65
 7. References .....................................................66
    7.1. Normative References ......................................66
    7.2. Informative References ....................................68

1. Preface

1.1. Introduction

 The TCP/IP protocols were conceived in an environment that was quite
 different from the hostile environment in which they currently
 operate.  However, the effectiveness of the protocols led to their
 early adoption in production environments, to the point that, to some
 extent, the current world's economy depends on them.
 While many textbooks and articles have created the myth that the
 Internet protocols were designed for warfare environments, the top
 level goal for the Defense Advanced Research Projects Agency (DARPA)
 Internet Program was the sharing of large service machines on the
 ARPANET [Clark1988].  As a result, many protocol specifications focus
 only on the operational aspects of the protocols they specify and
 overlook their security implications.
 While the Internet technology evolved since its inception, the
 Internet's building blocks are basically the same core protocols
 adopted by the ARPANET more than two decades ago.  During the last
 twenty years, many vulnerabilities have been identified in the TCP/IP
 stacks of a number of systems.  Some of them were based on flaws in
 some protocol implementations, affecting only a reduced number of
 systems, while others were based on flaws in the protocols
 themselves, affecting virtually every existing implementation
 [Bellovin1989].  Even in the last couple of years, researchers were
 still working on security problems in the core protocols [RFC5927]
 [Watson2004] [NISCC2004] [NISCC2005].
 The discovery of vulnerabilities in the TCP/IP protocols led to
 reports being published by a number of CSIRTs (Computer Security
 Incident Response Teams) and vendors, which helped to raise awareness
 about the threats and the best mitigations known at the time the

Gont Informational [Page 4] RFC 6274 IPv4 Security Assessment July 2011

 reports were published.  Unfortunately, this also led to the
 documentation of the discovered protocol vulnerabilities being spread
 among a large number of documents, which are sometimes difficult to
 identify.
 For some reason, much of the effort of the security community on the
 Internet protocols did not result in official documents (RFCs) being
 issued by the IETF (Internet Engineering Task Force).  This basically
 led to a situation in which "known" security problems have not always
 been addressed by all vendors.  In addition, in many cases, vendors
 have implemented quick "fixes" to protocol flaws without a careful
 analysis of their effectiveness and their impact on interoperability
 [Silbersack2005].
 The lack of adoption of these fixes by the IETF means that any system
 built in the future according to the official TCP/IP specifications
 will reincarnate security flaws that have already hit our
 communication systems in the past.
 Nowadays, producing a secure TCP/IP implementation is a very
 difficult task, in part because of the lack of a single document that
 serves as a security roadmap for the protocols.  Implementers are
 faced with the hard task of identifying relevant documentation and
 differentiating between that which provides correct advisory and that
 which provides misleading advisory based on inaccurate or wrong
 assumptions.
 There is a clear need for a companion document to the IETF
 specifications; one that discusses the security aspects and
 implications of the protocols, identifies the possible threats,
 discusses the possible countermeasures, and analyzes their respective
 effectiveness.
 This document is the result of an assessment of the IETF
 specifications of the Internet Protocol version 4 (IPv4), from a
 security point of view.  Possible threats were identified and, where
 possible, countermeasures were proposed.  Additionally, many
 implementation flaws that have led to security vulnerabilities have
 been referenced in the hope that future implementations will not
 incur the same problems.  Furthermore, this document does not limit
 itself to performing a security assessment of the relevant IETF
 specifications, but also provides an assessment of common
 implementation strategies found in the real world.
 Many IP implementations have also been subject of the so-called
 "packet-of-death" vulnerabilities, in which a single specially
 crafted packet causes the IP implementation to crash or otherwise
 misbehave.  In most cases, the attack packet is simply malformed; in

Gont Informational [Page 5] RFC 6274 IPv4 Security Assessment July 2011

 other cases, the attack packet is well-formed, but exercises a little
 used path through the IP stack.  Well-designed IP implementations
 should protect against these attacks, and therefore this document
 describes a number of sanity checks that are expected to prevent most
 of the aforementioned "packet-of-death" attack vectors.  We note that
 if an IP implementation is found to be vulnerable to one of these
 attacks, administrators must resort to mitigating them by packet
 filtering.
 Additionally, this document analyzes the security implications from
 changes in the operational environment since the Internet Protocol
 was designed.  For example, it analyzes how the Internet Protocol
 could be exploited to evade Network Intrusion Detection Systems
 (NIDSs) or to circumvent firewalls.
 This document does not aim to be the final word on the security of
 the Internet Protocol (IP).  On the contrary, it aims to raise
 awareness about many security threats based on the IP protocol that
 have been faced in the past, those that we are currently facing, and
 those we may still have to deal with in the future.  It provides
 advice for the secure implementation of the Internet Protocol (IP),
 but also provides insights about the security aspects of the Internet
 Protocol that may be of help to the Internet operations community.
 Feedback from the community is more than encouraged to help this
 document be as accurate as possible and to keep it updated as new
 threats are discovered.
 This document is heavily based on the "Security Assessment of the
 Internet Protocol" [CPNI2008] released by the UK Centre for the
 Protection of National Infrastructure (CPNI), available at
 http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx.
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in RFC 2119 [RFC2119].

1.2. Scope of This Document

 While there are a number of protocols that affect the way in which IP
 systems operate, this document focuses only on the specifications of
 the Internet Protocol (IP).  For example, routing and bootstrapping
 protocols are considered out of the scope of this project.
 The following IETF RFCs were selected as the primary sources for the
 assessment as part of this work:

Gont Informational [Page 6] RFC 6274 IPv4 Security Assessment July 2011

 o  RFC 791, "INTERNET PROTOCOL DARPA INTERNET PROGRAM PROTOCOL
    SPECIFICATION" (45 pages).
 o  RFC 815, "IP DATAGRAM REASSEMBLY ALGORITHMS" (9 pages).
 o  RFC 919, "BROADCASTING INTERNET DATAGRAMS" (8 pages).
 o  RFC 950, "Internet Standard Subnetting Procedure" (18 pages)
 o  RFC 1112, "Host Extensions for IP Multicasting" (17 pages)
 o  RFC 1122, "Requirements for Internet Hosts -- Communication
    Layers" (116 pages).
 o  RFC 1812, "Requirements for IP Version 4 Routers" (175 pages).
 o  RFC 2474, "Definition of the Differentiated Services Field (DS
    Field) in the IPv4 and IPv6 Headers" (20 pages).
 o  RFC 2475, "An Architecture for Differentiated Services" (36
    pages).
 o  RFC 3168, "The Addition of Explicit Congestion Notification (ECN)
    to IP" (63 pages).
 o  RFC 4632, "Classless Inter-domain Routing (CIDR): The Internet
    Address Assignment and Aggregation Plan" (27 pages).

1.3. Organization of This Document

 This document is basically organized in two parts: "Internet Protocol
 header fields" and "Internet Protocol mechanisms".  The former
 contains an analysis of each of the fields of the Internet Protocol
 header, identifies their security implications, and discusses
 possible countermeasures for the identified threats.  The latter
 contains an analysis of the security implications of the mechanisms
 implemented by the Internet Protocol.

2. The Internet Protocol

 The Internet Protocol (IP) provides a basic data transfer function
 for passing data blocks called "datagrams" from a source host to a
 destination host, across the possible intervening networks.
 Additionally, it provides some functions that are useful for the
 interconnection of heterogeneous networks, such as fragmentation and
 reassembly.

Gont Informational [Page 7] RFC 6274 IPv4 Security Assessment July 2011

 The "datagram" has a number of characteristics that makes it
 convenient for interconnecting systems [Clark1988]:
 o  It eliminates the need of connection state within the network,
    which improves the survivability characteristics of the network.
 o  It provides a basic service of data transport that can be used as
    a building block for other transport services (reliable data
    transport services, etc.).
 o  It represents the minimum network service assumption, which
    enables IP to be run over virtually any network technology.

3. Internet Protocol Header Fields

 The IETF specifications of the Internet Protocol define the syntax of
 the protocol header, along with the semantics of each of its fields.
 Figure 1 shows the format of an IP datagram, as specified in
 [RFC0791].
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  [ Options ]                  |  [ Padding ]  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               Figure 1: Internet Protocol Header Format
 Even though the minimum IP header size is 20 bytes, an IP module
 might be handed an (illegitimate) "datagram" of less than 20 bytes.
 Therefore, before doing any processing of the IP header fields, the
 following check should be performed by the IP module on the packets
 handed by the link layer:
                      LinkLayer.PayloadSize >= 20
 where LinkLayer.PayloadSize is the length (in octets) of the datagram
 passed from the link layer to the IP layer.

Gont Informational [Page 8] RFC 6274 IPv4 Security Assessment July 2011

 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented
 reflecting the packet drop).
 The following subsections contain further sanity checks that should
 be performed on IP packets.

3.1. Version

 This is a 4-bit field that indicates the version of the Internet
 Protocol (IP), and thus the syntax of the packet.  For IPv4, this
 field must be 4.
 When a link-layer protocol de-multiplexes a packet to an Internet
 module, it does so based on a Protocol Type field in the data-link
 packet header.
 In theory, different versions of IP could coexist on a network by
 using the same Protocol Type at the link layer, but a different value
 in the Version field of the IP header.  Thus, a single IP module
 could handle all versions of the Internet Protocol, differentiating
 them by means of this field.
 However, in practice different versions of IP are identified by a
 different Protocol Type (e.g., EtherType in the case of Ethernet)
 number in the link-layer protocol header.  For example, IPv4
 datagrams are encapsulated in Ethernet frames using an EtherType of
 0x0800, while IPv6 datagrams are encapsulated in Ethernet frames
 using an EtherType of 0x86DD [IANA_ET].
 Therefore, if an IPv4 module receives a packet, the Version field
 must be checked to be 4.  If this check fails, the packet should be
 silently dropped, and this event should be logged (e.g., a counter
 could be incremented reflecting the packet drop).  If an
 implementation does not perform this check, an attacker could use a
 different value for the Version field, possibly evading NIDSs that
 decide which pattern-matching rules to apply based on the Version
 field.
 If the link-layer protocol employs a specific "Protocol Type" value
 for encapsulating IPv4 packets (e.g., as is the case of Ethernet), a
 node should check that IPv4 packets are de-multiplexed to the IPv4
 module when such value was used for the Protocol Type field of the
 link-layer protocol.  If a packet does not pass this check, it should
 be silently dropped.

Gont Informational [Page 9] RFC 6274 IPv4 Security Assessment July 2011

    An attacker could encapsulate IPv4 packets using other link-layer
    "Protocol Type" values to try to subvert link-layer Access Control
    Lists (ACLs) and/or for tampering with NIDSs.

3.2. IHL (Internet Header Length)

 The IHL (Internet Header Length) field indicates the length of the
 Internet header in 32-bit words (4 bytes).  The following paragraphs
 describe a number of sanity checks to be performed on the IHL field,
 such that possible packet-of-death vulnerabilities are avoided.
 As the minimum datagram size is 20 bytes, the minimum legal value for
 this field is 5.  Therefore, the following check should be enforced:
                                IHL >= 5
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented
 reflecting the packet drop).
 For obvious reasons, the Internet header cannot be larger than the
 whole Internet datagram of which it is part.  Therefore, the
 following check should be enforced:
                        IHL * 4 <= Total Length
    This needs to refer to the size of the datagram as specified by
    the sender in the Total Length field, since link layers might have
    added some padding (see Section 3.4).
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented
 reflecting the packet drop).
 The above check allows for Internet datagrams with no data bytes in
 the payload that, while nonsensical for virtually every protocol that
 runs over IP, are still legal.

3.3. Type of Service (TOS)

3.3.1. Original Interpretation

 Figure 2 shows the original syntax of the Type of Service field, as
 defined by RFC 791 [RFC0791] and updated by RFC 1349 [RFC1349].  This
 definition has been superseded long ago (see Sections 3.3.2.1 and
 3.3.2.2), but it is still assumed by some deployed implementations.

Gont Informational [Page 10] RFC 6274 IPv4 Security Assessment July 2011

              0     1     2     3     4     5     6     7
           +-----+-----+-----+-----+-----+-----+-----+-----+
           |   PRECEDENCE    |  D  |  T  |  R  |  C  |  0  |
           +-----+-----+-----+-----+-----+-----+-----+-----+
       Figure 2: Type of Service Field (Original Interpretation)
      +----------+----------------------------------------------+
      | Bits 0-2 |                  Precedence                  |
      +----------+----------------------------------------------+
      | Bit 3    |        0 = Normal Delay, 1 = Low Delay       |
      +----------+----------------------------------------------+
      | Bit 4    |  0 = Normal Throughput, 1 = High Throughput  |
      +----------+----------------------------------------------+
      | Bit 5    | 0 = Normal Reliability, 1 = High Reliability |
      +----------+----------------------------------------------+
      | Bit 6    |  0 = Normal Cost, 1 = Minimize Monetary Cost |
      +----------+----------------------------------------------+
      | Bits 7   |    Reserved for Future Use (must be zero)    |
      +----------+----------------------------------------------+
                  Table 1: Semantics of the TOS Bits
                       +-----+-----------------+
                       | 111 | Network Control |
                       +-----+-----------------+
                       | 110 |   Internetwork  |
                       +-----+-----------------+
                       | 101 |    CRITIC/ECP   |
                       +-----+-----------------+
                       | 100 |  Flash Override |
                       +-----+-----------------+
                       | 011 |      Flash      |
                       +-----+-----------------+
                       | 010 |    Immediate    |
                       +-----+-----------------+
                       | 001 |     Priority    |
                       +-----+-----------------+
                       | 000 |     Routine     |
                       +-----+-----------------+
      Table 2: Semantics of the Possible Precedence Field Values
 The Type of Service field can be used to affect the way in which the
 packet is treated by the systems of a network that process it.
 Section 4.2.1 ("Precedence-Ordered Queue Service") and Section 4.2.2

Gont Informational [Page 11] RFC 6274 IPv4 Security Assessment July 2011

 ("Weak Type of Service") of this document describe the security
 implications of the Type of Service field in the forwarding of
 packets.

3.3.2. Standard Interpretation

3.3.2.1. Differentiated Services Field

 The Differentiated Services Architecture is intended to enable
 scalable service discrimination in the Internet without the need for
 per-flow state and signaling at every hop [RFC2475].  RFC 2474
 [RFC2474] redefined the IP "Type of Service" octet, introducing a
 Differentiated Services Field (DS Field).  Figure 3 shows the format
 of the field.
                     0   1   2   3   4   5   6   7
                   +---+---+---+---+---+---+---+---+
                   |         DSCP          |  CU   |
                   +---+---+---+---+---+---+---+---+
  Figure 3: Revised Structure of the Type of Service Field (RFC 2474)
 The DSCP ("Differentiated Services CodePoint") is used to select the
 treatment the packet is to receive within the Differentiated Services
 Domain.  The CU ("Currently Unused") field was, at the time the
 specification was issued, reserved for future use.  The DSCP field is
 used to select a PHB (Per-Hop Behavior), by matching against the
 entire 6-bit field.
 Considering that the DSCP field determines how a packet is treated
 within a Differentiated Services (DS) domain, an attacker could send
 packets with a forged DSCP field to perform a theft of service or
 even a Denial-of-Service (DoS) attack.  In particular, an attacker
 could forge packets with a codepoint of the type '11x000' which,
 according to Section 4.2.2.2 of RFC 2474 [RFC2474], would give the
 packets preferential forwarding treatment when compared with the PHB
 selected by the codepoint '000000'.  If strict priority queuing were
 utilized, a continuous stream of such packets could cause a DoS to
 other flows that have a DSCP of lower relative order.
 As the DS field is incompatible with the original Type of Service
 field, both DS domains and networks using the original Type of
 Service field should protect themselves by remarking the
 corresponding field where appropriate, probably deploying remarking
 boundary nodes.  Nevertheless, care must be taken so that packets
 received with an unrecognized DSCP do not cause the handling system
 to malfunction.

Gont Informational [Page 12] RFC 6274 IPv4 Security Assessment July 2011

3.3.2.2. Explicit Congestion Notification (ECN)

 RFC 3168 [RFC3168] specifies a mechanism for routers to signal
 congestion to hosts exchanging IP packets, by marking the offending
 packets rather than discarding them.  RFC 3168 defines the ECN field,
 which utilizes the CU field defined in RFC 2474 [RFC2474].  Figure 4
 shows the current syntax of the IP Type of Service field, with the
 DSCP field used for Differentiated Services and the ECN field.
              0     1     2     3     4     5     6     7
           +-----+-----+-----+-----+-----+-----+-----+-----+
           |          DS FIELD, DSCP           | ECN FIELD |
           +-----+-----+-----+-----+-----+-----+-----+-----+
      Figure 4: The Differentiated Services and ECN Fields in IP
 As such, the ECN field defines four codepoints:
                       +-----------+-----------+
                       | ECN field | Codepoint |
                       +-----------+-----------+
                       |     00    |  Not-ECT  |
                       +-----------+-----------+
                       |     01    |   ECT(1)  |
                       +-----------+-----------+
                       |     10    |   ECT(0)  |
                       +-----------+-----------+
                       |     11    |     CE    |
                       +-----------+-----------+
                        Table 3: ECN Codepoints
 ECN is an end-to-end transport protocol mechanism based on
 notifications by routers through which a packet flow passes.  To
 allow this interaction to happen on the fast path of routers, the ECN
 field is located at a fixed location in the IP header.  However, its
 use must be negotiated at the transport layer, and the accumulated
 congestion notifications must be communicated back to the sending
 node using transport protocol means.  Thus, ECN support must be
 specified per transport protocol.
    [RFC6040] specifies how the Explicit Congestion Notification (ECN)
    field of the IP header should be constructed on entry to and exit
    from any IP-in-IP tunnel.

Gont Informational [Page 13] RFC 6274 IPv4 Security Assessment July 2011

 The security implications of ECN are discussed in detail in a number
 of Sections of RFC 3168.  Of the possible threats discussed in the
 ECN specification, we believe that one that can be easily exploited
 is that of a host falsely indicating ECN-Capability.
 An attacker could set the ECT codepoint in the packets it sends, to
 signal the network that the endpoints of the transport protocol are
 ECN-capable.  Consequently, when experiencing moderate congestion,
 routers using active queue management based on Random Early Detection
 (RED) would mark the packets (with the CE codepoint) rather than
 discard them.  In this same scenario, packets of competing flows that
 do not have the ECT codepoint set would be dropped.  Therefore, an
 attacker would get better network service than the competing flows.
 However, if this moderate congestion turned into heavy congestion,
 routers should switch to drop packets, regardless of whether or not
 the packets have the ECT codepoint set.
 A number of other threats could arise if an attacker was a man in the
 middle (i.e., was in the middle of the path the packets travel to get
 to the destination host).  For a detailed discussion of those cases,
 we urge the reader to consult Section 16 of RFC 3168.
 There is also ongoing work in the research community and the IETF to
 define alternate semantics for the CU/ECN field of IP TOS octet (see
 [RFC5559], [RFC5670], and [RFC5696]).  The application of these
 methods must be confined to tightly administered domains, and on exit
 from such domains, all packets need to be (re-)marked with ECN
 semantics.

3.4. Total Length

 The Total Length field is the length of the datagram, measured in
 bytes, including both the IP header and the IP payload.  Being a
 16-bit field, it allows for datagrams of up to 65535 bytes.  RFC 791
 [RFC0791] states that all hosts should be prepared to receive
 datagrams of up to 576 bytes (whether they arrive as a whole, or in
 fragments).  However, most modern implementations can reassemble
 datagrams of at least 9 Kbytes.
 Usually, a host will not send to a remote peer an IP datagram larger
 than 576 bytes, unless it is explicitly signaled that the remote peer
 is able to receive such "large" datagrams (for example, by means of
 TCP's Maximum Segment Size (MSS) option).  However, systems should
 assume that they may receive datagrams larger than 576 bytes,
 regardless of whether or not they signal their remote peers to do so.
 In fact, it is common for Network File System (NFS) [RFC3530]

Gont Informational [Page 14] RFC 6274 IPv4 Security Assessment July 2011

 implementations to send datagrams larger than 576 bytes, even without
 explicit signaling that the destination system can receive such
 "large" datagram.
    Additionally, see the discussion in Section 4.1 ("Fragment
    Reassembly") regarding the possible packet sizes resulting from
    fragment reassembly.
 Implementations should be aware that the IP module could be handed a
 packet larger than the value actually contained in the Total Length
 field.  Such a difference usually has to do with legitimate padding
 bytes at the link-layer protocol, but it could also be the result of
 malicious activity by an attacker.  Furthermore, even when the
 maximum length of an IP datagram is 65535 bytes, if the link-layer
 technology in use allows for payloads larger than 65535 bytes, an
 attacker could forge such a large link-layer packet, meaning it for
 the IP module.  If the IP module of the receiving system were not
 prepared to handle such an oversized link-layer payload, an
 unexpected failure might occur.  Therefore, the memory buffer used by
 the IP module to store the link-layer payload should be allocated
 according to the payload size reported by the link layer, rather than
 according to the Total Length field of the IP packet it contains.
 The IP module could also be handed a packet that is smaller than the
 actual IP packet size claimed by the Total Length field.  This could
 be used, for example, to produce an information leakage.  Therefore,
 the following check should be performed:
                 LinkLayer.PayloadSize >= Total Length
 If this check fails, the IP packet should be dropped, and this event
 should be logged (e.g., a counter could be incremented reflecting the
 packet drop).  As the previous expression implies, the number of
 bytes passed by the link layer to the IP module should contain at
 least as many bytes as claimed by the Total Length field of the IP
 header.
    [US-CERT2002] is an example of the exploitation of a forged IP
    Total Length field to produce an information leakage attack.

3.5. Identification (ID)

 The Identification field is set by the sending host to aid in the
 reassembly of fragmented datagrams.  At any time, it needs to be
 unique for each set of {Source Address, Destination Address,
 Protocol}.

Gont Informational [Page 15] RFC 6274 IPv4 Security Assessment July 2011

 In many systems, the value used for this field is determined at the
 IP layer, on a protocol-independent basis.  Many of those systems
 also simply increment the IP Identification field for each packet
 they send.
 This implementation strategy is inappropriate for a number of
 reasons.  Firstly, if the Identification field is set on a protocol-
 independent basis, it will wrap more often than necessary, and thus
 the implementation will be more prone to the problems discussed in
 [Kent1987] and [RFC4963].  Secondly, this implementation strategy
 opens the door to an information leakage that can be exploited in a
 number of ways.
 [Sanfilippo1998a] describes how the Identification field can be
 leveraged to determine the packet rate at which a given system is
 transmitting information.  Later, [Sanfilippo1998b] described how a
 system with such an implementation can be used to perform a stealth
 port scan to a third (victim) host.  [Sanfilippo1999] explained how
 to exploit this implementation strategy to uncover the rules of a
 number of firewalls.  [Bellovin2002] explains how the IP
 Identification field can be exploited to count the number of systems
 behind a NAT.  [Fyodor2004] is an entire paper on most (if not all)
 of the ways to exploit the information provided by the Identification
 field of the IP header.
    Section 4.1 contains a discussion of the security implications of
    the IP fragment reassembly mechanism, which is the primary
    "consumer" of this field.

3.5.1. Some Workarounds Implemented by the Industry

 As the IP Identification field is only used for the reassembly of
 datagrams, some operating systems (such as Linux) decided to set this
 field to 0 in all packets that have the DF bit set.  This would, in
 principle, avoid any type of information leakage.  However, it was
 detected that some non-RFC-compliant middle-boxes fragmented packets
 even if they had the DF bit set.  In such a scenario, all datagrams
 originally sent with the DF bit set would all result in fragments
 with an Identification field of 0, which would lead to problems
 ("collision" of the Identification number) in the reassembly process.
 Linux (and Solaris) later set the IP Identification field on a per-
 IP-address basis.  This avoids some of the security implications of
 the IP Identification field, but not all.  For example, systems
 behind a load balancer can still be counted.

Gont Informational [Page 16] RFC 6274 IPv4 Security Assessment July 2011

3.5.2. Possible Security Improvements

 Contrary to common wisdom, the IP Identification field does not need
 to be system-wide unique for each packet, but has to be unique for
 each {Source Address, Destination Address, Protocol} tuple.
    For instance, the TCP specification defines a generic send()
    function that takes the IP ID as one of its arguments.
 We provide an analysis of the possible security improvements that
 could be implemented, based on whether the protocol using the
 services of IP is connection-oriented or connection-less.

3.5.2.1. Connection-Oriented Transport Protocols

 To avoid the security implications of the information leakage
 described above, a pseudo-random number generator (PRNG) could be
 used to set the IP Identification field on a {Source Address,
 Destination Address} basis (for each connection-oriented transport
 protocol).
    [RFC4086] provides advice on the generation of pseudo-random
    numbers.
    [Klein2007] is a security advisory that describes a weakness in
    the pseudo-random number generator (PRNG) employed for the
    generation of the IP Identification by a number of operating
    systems.
 While in theory a pseudo-random number generator could lead to
 scenarios in which a given Identification number is used more than
 once in the same time span for datagrams that end up getting
 fragmented (with the corresponding potential reassembly problems), in
 practice, this is unlikely to cause trouble.
 By default, most implementations of connection-oriented protocols,
 such as TCP, implement some mechanism for avoiding fragmentation
 (such as the Path-MTU Discovery mechanism described in [RFC1191]).
 Thus, fragmentation will only take place if a non-RFC-compliant
 middle-box that still fragments packets even when the DF bit is set
 is placed somewhere along the path that the packets travel to get to
 the destination host.  Once the sending system is signaled by the
 middle-box (by means of an ICMP "fragmentation needed and DF bit set"
 error message) that it should reduce the size of the packets it
 sends, fragmentation would be avoided.  Also, for reassembly problems
 to arise, the same Identification value would need to be reused very
 frequently, and either strong packet reordering or packet loss would
 need to take place.

Gont Informational [Page 17] RFC 6274 IPv4 Security Assessment July 2011

 Nevertheless, regardless of what policy is used for selecting the
 Identification field, with the current link speeds fragmentation is
 already bad enough (i.e., very likely to lead to fragment reassembly
 errors) to rely on it.  A mechanism for avoiding fragmentation (such
 as [RFC1191] or [RFC4821] should be implemented, instead.

3.5.2.2. Connectionless Transport Protocols

 Connectionless transport protocols often have these characteristics:
 o  lack of flow-control mechanisms,
 o  lack of packet sequencing mechanisms, and/or,
 o  lack of reliability mechanisms (such as "timeout and retransmit").
 This basically means that the scenarios and/or applications for which
 connection-less transport protocols are used assume that:
 o  Applications will be used in environments in which packet
    reordering is very unlikely (such as Local Area Networks), as the
    transport protocol itself does not provide data sequencing.
 o  The data transfer rates will be low enough that flow control will
    be unnecessary.
 o  Packet loss is can be tolerated and/or is unlikely.
 With these assumptions in mind, the Identification field could still
 be set according to a pseudo-random number generator (PRNG).
    [RFC4086] provides advice on the generation of pseudo-random
    numbers.
 In the event a given Identification number was reused while the first
 instance of the same number is still on the network, the first IP
 datagram would be reassembled before the fragments of the second IP
 datagram get to their destination.
 In the event this was not the case, the reassembly of fragments would
 result in a corrupt datagram.  While some existing work
 [Silbersack2005] assumes that this error would be caught by some
 upper-layer error detection code, the error detection code in
 question (such as UDP's checksum) might not be able to reliably
 detect data corruption arising from the replacement of a complete
 data block (as is the case in corruption arising from collision of IP
 Identification numbers).

Gont Informational [Page 18] RFC 6274 IPv4 Security Assessment July 2011

    In the case of UDP, unfortunately some systems have been known to
    not enable the UDP checksum by default.  For most applications,
    packets containing errors should be dropped by the transport layer
    and not delivered to the application.  A small number of
    applications may benefit from disabling the checksum; for example,
    streaming media where it is desired to avoid dropping a complete
    sample for a single-bit error, and UDP tunneling applications
    where the payload (i.e., the inner packet) is protected by its own
    transport checksum or other error detection mechanism.
 In general, if IP Identification number collisions become an issue
 for the application using the connection-less protocol, the
 application designers should consider using a different transport
 protocol (which hopefully avoids fragmentation).
 It must be noted that an attacker could intentionally exploit
 collisions of IP Identification numbers to perform a DoS attack, by
 sending forged fragments that would cause the reassembly process to
 result in a corrupt datagram that either would be dropped by the
 transport protocol or would incorrectly be handed to the
 corresponding application.  This issue is discussed in detail in
 Section 4.1 ("Fragment Reassembly").

3.6. Flags

 The IP header contains 3 control bits, two of which are currently
 used for the fragmentation and reassembly function.
 As described by RFC 791, their meaning is:
 o  Bit 0: reserved, must be zero (i.e., reserved for future
    standardization)
 o  Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment
 o  Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments
 The DF bit is usually set to implement the Path-MTU Discovery (PMTUD)
 mechanism described in [RFC1191].  However, it can also be exploited
 by an attacker to evade Network Intrusion Detection Systems.  An
 attacker could send a packet with the DF bit set to a system
 monitored by a NIDS, and depending on the Path-MTU to the intended
 recipient, the packet might be dropped by some intervening router
 (because of being too big to be forwarded without fragmentation),
 without the NIDS being aware of it.

Gont Informational [Page 19] RFC 6274 IPv4 Security Assessment July 2011

                                        +---+
                                        | H |
                                        +---+  Victim host
                                          |
               Router A                   |  MTU=1500
                                          |
                +---+     +---+         +---+
                | R |-----| R |---------| R |
                +---+     +---+         +---+
                  |            MTU=17914      Router B
        +---+     |
        | S |-----+
        +---+     |
                  |
    NIDS Sensor   |
                  |
         _   ___/---\______                  Attacker
        / \_/              \_          +---+
       /       Internet      |---------| H |
       \_                  __/         +---+
         \__     __    ___/    <------
            \___/  \__/         17914-byte packet
                                DF bit set
    Figure 5: NIDS Evasion by Means of the Internet Protocol DF Bit
 In Figure 3, an attacker sends a 17914-byte datagram meant for the
 victim host in the same figure.  The attacker's packet probably
 contains an overlapping IP fragment or an overlapping TCP segment,
 aiming at "confusing" the NIDS, as described in [Ptacek1998].  The
 packet is screened by the NIDS sensor at the network perimeter, which
 probably reassembles IP fragments and TCP segments for the purpose of
 assessing the data transferred to and from the monitored systems.
 However, as the attacker's packet should transit a link with an MTU
 smaller than 17914 bytes (1500 bytes in this example), the router
 that encounters that this packet cannot be forwarded without
 fragmentation (Router B) discards the packet, and sends an ICMP
 "fragmentation needed and DF bit set" error message to the source
 host.  In this scenario, the NIDS may remain unaware that the
 screened packet never reached the intended destination, and thus get
 an incorrect picture of the data being transferred to the monitored
 systems.
    [Shankar2003] introduces a technique named "Active Mapping" that
    prevents evasion of a NIDS by acquiring sufficient knowledge about
    the network being monitored, to assess which packets will arrive
    at the intended recipient, and how they will be interpreted by it.

Gont Informational [Page 20] RFC 6274 IPv4 Security Assessment July 2011

 Some firewalls are known to drop packets that have both the MF (More
 Fragments) and the DF (Don't Fragment) bits set.  While in principle
 such a packet might seem nonsensical, there are a number of reasons
 for which non-malicious packets with these two bits set can be found
 in a network.  First, they may exist as the result of some middle-box
 processing a packet that was too large to be forwarded without
 fragmentation.  Instead of simply dropping the corresponding packet
 and sending an ICMP error message to the source host, some middle-
 boxes fragment the packet (copying the DF bit to each fragment), and
 also send an ICMP error message to the originating system.  Second,
 some systems (notably Linux) set both the MF and the DF bits to
 implement Path-MTU Discovery (PMTUD) for UDP.  These scenarios should
 be taken into account when configuring firewalls and/or tuning NIDSs.
 Section 4.1 contains a discussion of the security implications of the
 IP fragment reassembly mechanism.

3.7. Fragment Offset

 The Fragment Offset is used for the fragmentation and reassembly of
 IP datagrams.  It indicates where in the original datagram payload
 the payload of the fragment belongs, and is measured in units of
 eight bytes.  As a consequence, all fragments (except the last one),
 have to be aligned on an 8-byte boundary.  Therefore, if a packet has
 the MF flag set, the following check should be enforced:
                   (Total Length - IHL * 4) % 8 == 0
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented
 reflecting the packet drop).
 Given that Fragment Offset is a 13-bit field, it can hold a value of
 up to 8191, which would correspond to an offset 65528 bytes within
 the original (non-fragmented) datagram.  As such, it is possible for
 a fragment to implicitly claim to belong to a datagram larger than
 65535 bytes (the maximum size for a legitimate IP datagram).  Even
 when the fragmentation mechanism would seem to allow fragments that
 could reassemble into such large datagrams, the intent of the
 specification is to allow for the transmission of datagrams of up to
 65535 bytes.  Therefore, if a given fragment would reassemble into a
 datagram of more than 65535 bytes, the resulting datagram should be
 dropped, and this event should be logged (e.g., a counter could be
 incremented reflecting the packet drop).  To detect such a case, the
 following check should be enforced on all packets for which the
 Fragment Offset contains a non-zero value:

Gont Informational [Page 21] RFC 6274 IPv4 Security Assessment July 2011

  Fragment Offset * 8 + (Total Length - IHL * 4) + IHL_FF * 4 <= 65535
 where IHL_FF is the IHL field of the first fragment (the one with a
 Fragment Offset of 0).
 If a fragment does not pass this check, it should be dropped.
 If IHL_FF is not yet available because the first fragment has not yet
 arrived, for a preliminary, less rigid test, IHL_FF == IHL should be
 assumed, and the test is simplified to:
              Fragment Offset * 8 + Total Length <= 65535
 Once the first fragment is received, the full sanity check described
 earlier should be applied, if that fragment contains "don't copy"
 options.
 In the worst-case scenario, an attacker could craft IP fragments such
 that the reassembled datagram reassembled into a datagram of 131043
 bytes.
    Such a datagram would result when the first fragment has a
    Fragment Offset of 0 and a Total Length of 65532, and the second
    (and last) fragment has a Fragment Offset of 8189 (65512 bytes),
    and a Total Length of 65535.  Assuming an IHL of 5 (i.e., a header
    length of 20 bytes), the reassembled datagram would be 65532 +
    (65535 - 20) = 131047 bytes.
 Additionally, the IP module should implement all the necessary
 measures to be able to handle such illegitimate reassembled
 datagrams, so as to avoid them from overflowing the buffer(s) used
 for the reassembly function.
    [CERT1996c] and [Kenney1996] describe the exploitation of this
    issue to perform a DoS attack.
 Section 4.1 contains a discussion of the security implications of the
 IP fragment reassembly mechanism.

3.8. Time to Live (TTL)

 The Time to Live (TTL) field has two functions: to bound the lifetime
 of the upper-layer packets (e.g., TCP segments) and to prevent
 packets from looping indefinitely in the network.
 Originally, this field was meant to indicate the maximum time a
 datagram was allowed to remain in the Internet system, in units of
 seconds.  As every Internet module that processes a datagram must

Gont Informational [Page 22] RFC 6274 IPv4 Security Assessment July 2011

 decrement the TTL by at least one, the original definition of the TTL
 field became obsolete, and in practice it is interpreted as a hop
 count (see Section 5.3.1 of [RFC1812]).
 Most systems allow the administrator to configure the TTL to be used
 for the packets they originate, with the default value usually being
 a power of 2, or 255 (e.g., see [Arkin2000]).  The recommended value
 for the TTL field, as specified by the IANA is 64 [IANA_IP_PARAM].
 This value reflects the assumed "diameter" of the Internet, plus a
 margin to accommodate its growth.
 The TTL field has a number of properties that are interesting from a
 security point of view.  Given that the default value used for the
 TTL is usually either a power of two, or 255, chances are that unless
 the originating system has been explicitly tuned to use a non-default
 value, if a packet arrives with a TTL of 60, the packet was
 originally sent with a TTL of 64.  In the same way, if a packet is
 received with a TTL of 120, chances are that the original packet had
 a TTL of 128.
    This discussion assumes there was no protocol scrubber,
    transparent proxy, or some other middle-box that overwrites the
    TTL field in a non-standard way, between the originating system
    and the point of the network in which the packet was received.
 Determining the TTL with which a packet was originally sent by the
 source system can help to obtain valuable information.  Among other
 things, it may help in:
 o  Fingerprinting the originating operating system.
 o  Fingerprinting the originating physical device.
 o  Mapping the network topology.
 o  Locating the source host in the network topology.
 o  Evading Network Intrusion Detection Systems.
 However, it can also be used to perform important functions such as:
 o  Improving the security of applications that make use of the
    Internet Protocol (IP).
 o  Limiting spread of packets.

Gont Informational [Page 23] RFC 6274 IPv4 Security Assessment July 2011

3.8.1. Fingerprinting the Operating System in Use by the Source Host

 Different operating systems use a different default TTL for the
 packets they send.  Thus, asserting the TTL with which a packet was
 originally sent will help heuristics to reduce the number of possible
 operating systems in use by the source host.  It should be noted that
 since most systems use only a handful of different default values,
 the granularity of OS fingerprinting that this technique provides is
 negligible.  Additionally, these defaults may be configurable
 (system-wide or per protocol), and managed systems may employ such
 opportunities for operational purposes and to defeat the capability
 of fingerprinting heuristics.

3.8.2. Fingerprinting the Physical Device from which the Packets

      Originate
 When several systems are behind a middle-box such as a NAT or a load
 balancer, the TTL may help to count the number of systems behind the
 middle-box.  If each of the systems behind the middle-box uses a
 different default TTL value for the packets it sends, or each system
 is located at different distances in the network topology, an
 attacker could stimulate responses from the devices being
 fingerprinted, and responses that arrive with different TTL values
 could be assumed to come from a different devices.
    Of course, there are many other (and much more precise) techniques
    to fingerprint physical devices.  One weakness of this method is
    that, while many systems differ in the default TTL value that they
    use, there are also many implementations which use the same
    default TTL value.  Additionally, packets sent by a given device
    may take different routes (e.g., due to load sharing or route
    changes), and thus a given packet may incorrectly be presumed to
    come from a different device, when in fact it just traveled a
    different route.
 However, these defaults may be configurable (system-wide or per
 protocol) and managed systems may employ such opportunities for
 operational purposes and to defeat the capability of fingerprinting
 heuristics.

3.8.3. Mapping the Network Topology

 An originating host may set the TTL field of the packets it sends to
 progressively increasing values in order to elicit an ICMP error
 message from the routers that decrement the TTL of each packet to
 zero, and thereby determine the IP addresses of the routers on the
 path to the packet's destination.  This procedure has been
 traditionally employed by the traceroute tool.

Gont Informational [Page 24] RFC 6274 IPv4 Security Assessment July 2011

3.8.4. Locating the Source Host in the Network Topology

 The TTL field may also be used to locate the source system in the
 network topology [Northcutt2000].
           +---+     +---+      +---+    +---+     +---+
           | A |-----| R |------| R |----| R |-----| R |
           +---+     +---+      +---+    +---+     +---+
                      /           |               /   \
                     /            |              /     \
                    /             |             /       +---+
                   /   +---+    +---+      +---+        | E |
                  /    | R |----| R |------| R |--      +---+
                 /     +---+    +---+\     +---+  \
                /     /          /    \       \    \
               /  ----          /      +---+   \    \+---+
              /  /             /       | F |    \    | D |
           +---+          +---+        +---+     \   +---|
           | R |----------| R |--                 \
           +---+          +---+  \                 \
             |  \         /       \    +---+|     +---+
             |   \       /         ----| R |------| R |
             |    \     /              +---+      +---+
           +---+   \ +---+    +---+
           | B |    \| R |----| C |
           +---+     +---+    +---+
          Figure 6: Tracking a Host by Means of the TTL Field
 Consider network topology of Figure 6.  Assuming that an attacker
 ("F" in the figure) is performing some type of attack that requires
 forging the Source Address (such as for a TCP-based DoS reflection
 attack), and some of the involved hosts are willing to cooperate to
 locate the attacking system.
 Assuming that:
 o  All the packets A gets have a TTL of 61.
 o  All the packets B gets have a TTL of 61.
 o  All the packets C gets have a TTL of 61.
 o  All the packets D gets have a TTL of 62.

Gont Informational [Page 25] RFC 6274 IPv4 Security Assessment July 2011

 Based on this information, and assuming that the system's default
 value was not overridden, it would be fair to assume that the
 original TTL of the packets was 64.  With this information, the
 number of hops between the attacker and each of the aforementioned
 hosts can be calculated.
 The attacker is:
 o  Four hops away from A.
 o  Four hops away from B.
 o  Four hops away from C.
 o  Four hops away from D.
 In the network setup of Figure 3, the only system that satisfies all
 these conditions is the one marked as the "F".
 The scenario described above is for illustration purposes only.  In
 practice, there are a number of factors that may prevent this
 technique from being successfully applied:
 o  Unless there is a "large" number of cooperating systems, and the
    attacker is assumed to be no more than a few hops away from these
    systems, the number of "candidate" hosts will usually be too large
    for the information to be useful.
 o  The attacker may be using a non-default TTL value, or, what is
    worse, using a pseudo-random value for the TTL of the packets it
    sends.
 o  The packets sent by the attacker may take different routes, as a
    result of a change in network topology, load sharing, etc., and
    thus may lead to an incorrect analysis.

3.8.5. Evading Network Intrusion Detection Systems

 The TTL field can be used to evade Network Intrusion Detection
 Systems.  Depending on the position of a sensor relative to the
 destination host of the examined packet, the NIDS may get a different
 picture from that of the intended destination system.  As an example,
 a sensor may process a packet that will expire before getting to the
 destination host.  A general countermeasure for this type of attack
 is to normalize the traffic that gets to an organizational network.
 Examples of such traffic normalization can be found in [Paxson2001].
 OpenBSD Packet Filter is an example of a packet filter that includes
 TTL-normalization functionality [OpenBSD-PF]

Gont Informational [Page 26] RFC 6274 IPv4 Security Assessment July 2011

3.8.6. Improving the Security of Applications That Make Use of the

      Internet Protocol (IP)
 In some scenarios, the TTL field can be also used to improve the
 security of an application, by restricting the hosts that can
 communicate with the given application [RFC5082].  For example, there
 are applications for which the communicating systems are typically in
 the same network segment (i.e., there are no intervening routers).
 Such an application is the BGP (Border Gateway Protocol) utilized by
 two peer routers (usually on a shared link medium).
 If both systems use a TTL of 255 for all the packets they send to
 each other, then a check could be enforced to require all packets
 meant for the application in question to have a TTL of 255.
 As all packets sent by systems that are not in the same network
 segment will have a TTL smaller than 255, those packets will not pass
 the check enforced by these two cooperating peers.  This check
 reduces the set of systems that may perform attacks against the
 protected application (BGP in this case), thus mitigating the attack
 vectors described in [NISCC2004] and [Watson2004].
    This same check is enforced for related ICMP error messages, with
    the intent of mitigating the attack vectors described in
    [NISCC2005] and [RFC5927].
 The TTL field can be used in a similar way in scenarios in which the
 cooperating systems are not in the same network segment (i.e., multi-
 hop peering).  In that case, the following check could be enforced:
                         TTL >= 255 - DeltaHops
 This means that the set of hosts from which packets will be accepted
 for the protected application will be reduced to those that are no
 more than DeltaHops away.  While for obvious reasons the level of
 protection will be smaller than in the case of directly connected
 peers, the use of the TTL field for protecting multi-hop peering
 still reduces the set of hosts that could potentially perform a
 number of attacks against the protected application.
 This use of the TTL field has been officially documented by the IETF
 under the name "Generalized TTL Security Mechanism" (GTSM) in
 [RFC5082].

Gont Informational [Page 27] RFC 6274 IPv4 Security Assessment July 2011

 Some protocol scrubbers enforce a minimum value for the TTL field of
 the packets they forward.  It must be understood that depending on
 the minimum TTL being enforced, and depending on the particular
 network setup, the protocol scrubber may actually help attackers to
 fool the GTSM, by "raising" the TTL of the attacking packets.

3.8.7. Limiting Spread

 The originating host sets the TTL field to a small value (frequently
 1, for link-scope services) in order to artificially limit the
 (topological) distance the packet is allowed to travel.  This is
 suggested in Section 4.2.2.9 of RFC 1812 [RFC1812].  Further
 discussion of this technique can be found in RFC 1112 [RFC1112].

3.9. Protocol

 The Protocol field indicates the protocol encapsulated in the
 Internet datagram.  The Protocol field may not only contain a value
 corresponding to a protocol implemented by the system processing the
 packet, but also a value corresponding to a protocol not implemented,
 or even a value not yet assigned by the IANA [IANA_PROT_NUM].
 While in theory there should not be security implications from the
 use of any value in the protocol field, there have been security
 issues in the past with systems that had problems when handling
 packets with some specific protocol numbers [Cisco2003] [CERT2003].
 A host (i.e., end-system) that receives an IP packet encapsulating a
 Protocol it does not support should drop the corresponding packet,
 log the event, and possibly send an ICMP Protocol Unreachable (type
 3, code 2) error message.

3.10. Header Checksum

 The Header Checksum field is an error-detection mechanism meant to
 detect errors in the IP header.  While in principle there should not
 be security implications arising from this field, it should be noted
 that due to non-RFC-compliant implementations, the Header Checksum
 might be exploited to detect firewalls and/or evade NIDSs.
 [Ed3f2002] describes the exploitation of the TCP checksum for
 performing such actions.  As there are Internet routers known to not
 check the IP Header Checksum, and there might also be middle-boxes
 (NATs, firewalls, etc.) not checking the IP checksum allegedly due to
 performance reasons, similar malicious activity to the one described
 in [Ed3f2002] might be performed with the IP checksum.

Gont Informational [Page 28] RFC 6274 IPv4 Security Assessment July 2011

3.11. Source Address

 The Source Address of an IP datagram identifies the node from which
 the packet originated.
    Strictly speaking, the Source Address of an IP datagram identifies
    the interface of the sending system from which the packet was
    sent, (rather than the originating "system"), as in the Internet
    Architecture there's no concept of "node address".
 Unfortunately, it is trivial to forge the Source Address of an
 Internet datagram because of the apparent lack of consistent "egress
 filtering" near the edge of the network.  This has been exploited in
 the past for performing a variety of DoS attacks [NISCC2004]
 [RFC4987] [CERT1996a] [CERT1996b] [CERT1998a] and for impersonating
 other systems in scenarios in which authentication was based on the
 Source Address of the sending system [daemon91996].
 The extent to which these attacks can be successfully performed in
 the Internet can be reduced through deployment of ingress/egress
 filtering in the Internet routers.  [NISCC2006] is a detailed guide
 on ingress and egress filtering.  [RFC2827] and [RFC3704] discuss
 ingress filtering.  [GIAC2000] discusses egress filtering.
 [SpooferProject] measures the Internet's susceptibility to forged
 Source Address IP packets.
    Even when the obvious field on which to perform checks for
    ingress/egress filtering is the Source Address and Destination
    Address fields of the IP header, there are other occurrences of IP
    addresses on which the same type of checks should be performed.
    One example is the IP addresses contained in the payload of ICMP
    error messages, as discussed in [RFC5927] and [Gont2006].
 There are a number of sanity checks that should be performed on the
 Source Address of an IP datagram.  Details can be found in
 Section 4.3 ("Addressing").
 Additionally, there exist freely available tools that allow
 administrators to monitor which IP addresses are used with which MAC
 addresses [LBNL2006].  This functionality is also included in many
 NIDSs.
 It is also very important to understand that authentication should
 never rely solely on the Source Address used by the communicating
 systems.

Gont Informational [Page 29] RFC 6274 IPv4 Security Assessment July 2011

3.12. Destination Address

 The Destination Address of an IP datagram identifies the destination
 host to which the packet is meant to be delivered.
    Strictly speaking, the Destination Address of an IP datagram
    identifies the interface of the destination network interface,
    rather than the destination "system", as in the Internet
    Architecture there's no concept of "node address".
 There are a number of sanity checks that should be performed on the
 Destination Address of an IP datagram.  Details can be found in
 Section 4.3 ("Addressing").

3.13. Options

 According to RFC 791, IP options must be implemented by all IP
 modules, both in hosts and gateways (i.e., end-systems and
 intermediate-systems).  This means that the general rules for
 assembling, parsing, and processing of IP options must be
 implemented.  RFC 791 defines a set of options that "must be
 understood", but this set has been updated by RFC 1122 [RFC1122], RFC
 1812 [RFC1812], and other documents.  Section 3.13.2 of this document
 describes for each option type the current understanding of the
 implementation requirements.  IP systems are required to ignore
 options they do not implement.
    It should be noted that while a number of IP options have been
    specified, they are generally only used for troubleshooting
    purposes (except for the Router Alert option and the different
    Security options).
 There are two cases for the format of an option:
 o  Case 1: A single byte of option-type.
 o  Case 2: An option-type byte, an option-length byte, and the actual
    option-data bytes.
 In Case 2, the option-length byte counts the option-type byte and the
 option-length byte, as well as the actual option-data bytes.
 All current and future options except End of Option List (Type = 0)
 and No Operation (Type = 1), are of Class 2.
 The option-type has three fields:
 o  1 bit: copied flag.

Gont Informational [Page 30] RFC 6274 IPv4 Security Assessment July 2011

 o  2 bits: option class.
 o  5 bits: option number.
 This format allows for the creation of new options for the extension
 of the Internet Protocol (IP) and their transparent treatment on
 intermediate-systems that do not "understand" them, under direction
 of the first three functional parts.
 The copied flag indicates whether this option should be copied to all
 fragments in the event the packet carrying it needs to be fragmented:
 o  0 = not copied.
 o  1 = copied.
 The values for the option class are:
 o  0 = control.
 o  1 = reserved for future use.
 o  2 = debugging and measurement.
 o  3 = reserved for future use.
 Finally, the option number identifies the syntax of the rest of the
 option.
 [IANA_IP_PARAM] contains the list of the currently assigned IP option
 numbers.  It should be noted that IP systems are required to ignore
 those options they do not implement.

3.13.1. General Issues with IP Options

 The following subsections discuss security issues that apply to all
 IP options.  The proposed checks should be performed in addition to
 any option-specific checks proposed in the next sections.

3.13.1.1. Processing Requirements

 Router manufacturers tend to do IP option processing on the main
 processor, rather than on line cards.  Unless special care is taken,
 this represents DoS risk, as there is potential for overwhelming the
 router with option processing.
 To reduce the impact of these packets on the system performance, a
 few countermeasures could be implemented:

Gont Informational [Page 31] RFC 6274 IPv4 Security Assessment July 2011

 o  Rate-limit the number of packets with IP options that are
    processed by the system.
 o  Enforce a limit on the maximum number of options to be accepted on
    a given Internet datagram.
 The first check avoids a flow of packets with IP options to overwhelm
 the system in question.  The second check avoids packets with many IP
 options to affect the performance of the system.

3.13.1.2. Processing of the Options by the Upper-Layer Protocol

 Section 3.2.1.8 of RFC 1122 [RFC1122] states that all the IP options
 received in IP datagrams must be passed to the transport layer (or to
 ICMP processing when the datagram is an ICMP message).  Therefore,
 care in option processing must be taken not only at the Internet
 layer but also in every protocol module that may end up processing
 the options included in an IP datagram.

3.13.1.3. General Sanity Checks on IP Options

 There are a number of sanity checks that should be performed on IP
 options before further option processing is done.  They help prevent
 a number of potential security problems, including buffer overflows.
 When these checks fail, the packet carrying the option should be
 dropped, and this event should be logged (e.g., a counter could be
 incremented to reflect the packet drop).
 RFC 1122 [RFC1122] recommends to send an ICMP "Parameter Problem"
 message to the originating system when a packet is dropped because of
 an invalid value in a field, such as the cases discussed in the
 following subsections.  Sending such a message might help in
 debugging some network problems.  However, it would also alert
 attackers about the system that is dropping packets because of the
 invalid values in the protocol fields.
 We advice that systems default to sending an ICMP "Parameter Problem"
 error message when a packet is dropped because of an invalid value in
 a protocol field (e.g., as a result of dropping a packet due to the
 sanity checks described in this section).  However, we recommend that
 systems provide a system-wide toggle that allows an administrator to
 override the default behavior so that packets can be silently dropped
 when an invalid value in a protocol field is encountered.

Gont Informational [Page 32] RFC 6274 IPv4 Security Assessment July 2011

 Option length
    Section 3.2.1.8 of RFC 1122 explicitly states that the IP layer
    must not crash as the result of an option length that is outside
    the possible range, and mentions that erroneous option lengths
    have been observed to put some IP implementations into infinite
    loops.
    For options that belong to the "Case 2" described in the previous
    section, the following check should be performed:
                           option-length >= 2
       The value "2" accounts for the option-type byte and the option-
       length byte.
    This check prevents, among other things, loops in option
    processing that may arise from incorrect option lengths.
    Additionally, while the option-length byte of IP options of
    "Case 2" allows for an option length of up to 255 bytes, there is
    a limit on legitimate option length imposed by the space available
    for options in the IP header.
    For all options of "Case 2", the following check should be
    enforced:
                option-offset + option-length <= IHL * 4
 Where option-offset is the offset of the first byte of the option
 within the IP header, with the first byte of the IP header being
 assigned an offset of 0.
    This check assures that the option does not claim to extend beyond
    the IP header.  If the packet does not pass this check, it should
    be dropped, and this event should be logged (e.g., a counter could
    be incremented to reflect the packet drop).
    The aforementioned check is meant to detect forged option-length
    values that might make an option overlap with the IP payload.
    This would be particularly dangerous for those IP options that
    request the processing systems to write information into the
    option-data area (such as the Record Route option), as it would
    allow the generation of overflows.

Gont Informational [Page 33] RFC 6274 IPv4 Security Assessment July 2011

 Data types
    Many IP options use pointer and length fields.  Care must be taken
    as to the data type used for these fields in the implementation.
    For example, if an 8-bit signed data type were used to hold an
    8-bit pointer, then, pointer values larger than 128 might
    mistakenly be interpreted as negative numbers, and thus might lead
    to unpredictable results.

3.13.2. Issues with Specific Options

3.13.2.1. End of Option List (Type=0)

 This option is used to indicate the "end of options" in those cases
 in which the end of options would not coincide with the end of the
 Internet Protocol header.  Octets in the IP header following the "End
 of Option List" are to be regarded as padding (they should set to 0
 by the originator and must to be ignored by receiving nodes).
 However, an originating node could alternatively fill the remaining
 space in the Internet header with No Operation options (see
 Section 3.13.2.2).  The End of Option List option allows slightly
 more efficient parsing on receiving nodes and should be preferred by
 packet originators.  All IP systems are required to understand both
 encodings.

3.13.2.2. No Operation (Type=1)

 The No Operation option is basically meant to allow the sending
 system to align subsequent options in, for example, 32-bit
 boundaries, but it can also be used at the end of the options (see
 Section 3.13.2.1).
 With a single exception (see Section 3.13.2.13), this option is the
 only IP option defined so far that can occur in multiple instances in
 a single IP packet.
 This option does not have security implications.

3.13.2.3. Loose Source and Record Route (LSRR) (Type=131)

 This option lets the originating system specify a number of
 intermediate-systems a packet must pass through to get to the
 destination host.  Additionally, the route followed by the packet is
 recorded in the option.  The receiving host (end-system) must use the
 reverse of the path contained in the received LSRR option.

Gont Informational [Page 34] RFC 6274 IPv4 Security Assessment July 2011

 The LSSR option can be of help in debugging some network problems.
 Some ISP (Internet Service Provider) peering agreements require
 support for this option in the routers within the peer of the ISP.
 The LSRR option has well-known security implications.  Among other
 things, the option can be used to:
 o  Bypass firewall rules
 o  Reach otherwise unreachable Internet systems
 o  Establish TCP connections in a stealthy way
 o  Learn about the topology of a network
 o  Perform bandwidth-exhaustion attacks
 Of these attack vectors, the one that has probably received the least
 attention is the use of the LSRR option to perform bandwidth
 exhaustion attacks.  The LSRR option can be used as an amplification
 method for performing bandwidth-exhaustion attacks, as an attacker
 could make a packet bounce multiple times between a number of systems
 by carefully crafting an LSRR option.
    This is the IPv4-version of the IPv6 amplification attack that was
    widely publicized in 2007 [Biondi2007].  The only difference is
    that the maximum length of the IPv4 header (and hence the LSRR
    option) limits the amplification factor when compared to the IPv6
    counterpart.
 While the LSSR option may be of help in debugging some network
 problems, its security implications outweigh any legitimate use.
 All systems should, by default, drop IP packets that contain an LSRR
 option, and should log this event (e.g., a counter could be
 incremented to reflect the packet drop).  However, they should
 provide a system-wide toggle to enable support for this option for
 those scenarios in which this option is required.  Such system-wide
 toggle should default to "off" (or "disable").
    [OpenBSD1998] is a security advisory about an improper
    implementation of such a system-wide toggle in 4.4BSD kernels.
 Section 3.3.5 of RFC 1122 [RFC1122] states that a host may be able to
 act as an intermediate hop in a source route, forwarding a source-
 routed datagram to the next specified hop.  We strongly discourage
 host software from forwarding source-routed datagrams.

Gont Informational [Page 35] RFC 6274 IPv4 Security Assessment July 2011

 If processing of source-routed datagrams is explicitly enabled in a
 system, the following sanity checks should be performed.
 RFC 791 states that this option should appear, at most, once in a
 given packet.  Thus, if a packet contains more than one LSRR option,
 it should be dropped, and this event should be logged (e.g., a
 counter could be incremented to reflect the packet drop).
 Additionally, packets containing a combination of LSRR and SSRR
 options should be dropped, and this event should be logged (e.g., a
 counter could be incremented to reflect the packet drop).
 As all other IP options of "Case 2", the LSSR contains a Length field
 that indicates the length of the option.  Given the format of the
 option, the Length field should be checked to have a minimum value of
 three and be 3 (3 + n*4):
                LSRR.Length % 4 == 3 && LSRR.Length != 0
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 The Pointer is relative to this option.  Thus, the minimum legal
 value is 4.  Therefore, the following check should be performed.
                           LSRR.Pointer >= 4
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).  Additionally, the Pointer field should be
 a multiple of 4.  Consequently, the following check should be
 performed:
                         LSRR.Pointer % 4 == 0
 If a packet does not pass this check, it should be dropped, and this
 event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 When a system receives an IP packet with the LSRR option passing the
 above checks, it should check whether or not the source route is
 empty.  The option is empty if:
                       LSRR.Pointer > LSRR.Length
 In that case, routing should be based on the Destination Address
 field, and no further processing should be done on the LSRR option.

Gont Informational [Page 36] RFC 6274 IPv4 Security Assessment July 2011

    [Microsoft1999] is a security advisory about a vulnerability
    arising from improper validation of the LSRR.Pointer field.
 If the address in the Destination Address field has been reached, and
 the option is not empty, the next address in the source route
 replaces the address in the Destination Address field, and the IP
 address of the interface that will be used to forward this datagram
 is recorded in its place in the LSRR.Data field.  Then, the
 LSRR.Pointer. is incremented by 4.
    Note that the sanity checks for the LSRR.Length and the
    LSRR.Pointer fields described above ensure that if the option is
    not empty, there will be (4*n) octets in the option.  That is,
    there will be at least one IP address to read and enough room to
    record the IP address of the interface that will be used to
    forward this datagram.
 The LSRR must be copied on fragmentation.  This means that if a
 packet that carries the LSRR is fragmented, each of the fragments
 will have to go through the list of systems specified in the LSRR
 option.

3.13.2.4. Strict Source and Record Route (SSRR) (Type=137)

 This option allows the originating system to specify a number of
 intermediate-systems a packet must pass through to get to the
 destination host.  Additionally, the route followed by the packet is
 recorded in the option, and the destination host (end-system) must
 use the reverse of the path contained in the received SSRR option.
 This option is similar to the Loose Source and Record Route (LSRR)
 option, with the only difference that in the case of SSRR, the route
 specified in the option is the exact route the packet must take
 (i.e., no other intervening routers are allowed to be in the route).
 The SSSR option can be of help in debugging some network problems.
 Some ISP (Internet Service Provider) peering agreements require
 support for this option in the routers within the peer of the ISP.
 The SSRR option has the same security implications as the LSRR
 option.  Please refer to Section 3.13.2.3 for a discussion of such
 security implications.
 As with the LSRR, while the SSSR option may be of help in debugging
 some network problems, its security implications outweigh any
 legitimate use of it.

Gont Informational [Page 37] RFC 6274 IPv4 Security Assessment July 2011

 All systems should, by default, drop IP packets that contain an SSRR
 option, and should log this event (e.g., a counter could be
 incremented to reflect the packet drop).  However, they should
 provide a system-wide toggle to enable support for this option for
 those scenarios in which this option is required.  Such system-wide
 toggle should default to "off" (or "disable").
    [OpenBSD1998] is a security advisory about an improper
    implementation of such a system-wide toggle in 4.4BSD kernels.
 In the event processing of the SSRR option were explicitly enabled,
 the same sanity checks described for the LSRR option in
 Section 3.13.2.3 should be performed on the SSRR option.  Namely,
 sanity checks should be performed on the option length (SSRR.Length)
 and the pointer field (SSRR.Pointer).
 If the packet passes the aforementioned sanity checks, the receiving
 system should determine whether the Destination Address of the packet
 corresponds to one of its IP addresses.  If does not, it should be
 dropped, and this event should be logged (e.g., a counter could be
 incremented to reflect the packet drop).
    Contrary to the IP Loose Source and Record Route (LSRR) option,
    the SSRR option does not allow in the route other routers than
    those contained in the option.  If the system implements the weak
    end-system model, it is allowed for the system to receive a packet
    destined to any of its IP addresses, on any of its interfaces.  If
    the system implements the strong end-system model, a packet
    destined to it can be received only on the interface that
    corresponds to the IP address contained in the Destination Address
    field [RFC1122].
 If the packet passes this check, the receiving system should
 determine whether the source route is empty or not.  The option is
 empty if:
                       SSRR.Pointer > SSRR.Length
 In that case, if the address in the destination field has not been
 reached, the packet should be dropped, and this event should be
 logged (e.g., a counter could be incremented to reflect the packet
 drop).
    [Microsoft1999] is a security advisory about a vulnerability
    arising from improper validation of the SSRR.Pointer field.

Gont Informational [Page 38] RFC 6274 IPv4 Security Assessment July 2011

 If the option is not empty, and the address in the Destination
 Address field has been reached, the next address in the source route
 replaces the address in the Destination Address field, and the IP
 address of the interface that will be used to forward this datagram
 is recorded in its place in the source route (SSRR.Data field).
 Then, the SSRR.Pointer is incremented by 4.
    Note that the sanity checks for the SSRR.Length and the
    SSRR.Pointer fields described above ensure that if the option is
    not empty, there will be (4*n) octets in the option.  That is,
    there will be at least one IP address to read, and enough room to
    record the IP address of the interface that will be used to
    forward this datagram.
 The SSRR option must be copied on fragmentation.  This means that if
 a packet that carries the SSRR is fragmented, each of the fragments
 will have to go through the list of systems specified in the SSRR
 option.

3.13.2.5. Record Route (Type=7)

 This option provides a means to record the route that a given packet
 follows.
 The option begins with an 8-bit option code, which is equal to 7.
 The second byte is the option length, which includes the option-type
 byte, the option-length byte, the pointer byte, and the actual
 option-data.  The third byte is a pointer into the route data,
 indicating the first byte of the area in which to store the next
 route data.  The pointer is relative to the option start.
 RFC 791 states that this option should appear, at most, once in a
 given packet.  Therefore, if a packet has more than one instance of
 this option, it should be dropped, and this event should be logged
 (e.g., a counter could be incremented to reflect the packet drop).
 The same sanity checks performed for the Length field and the Pointer
 field of the LSRR and the SSRR options should be performed on the
 Length field (RR.Length) and the Pointer field (RR.Pointer) of the RR
 option.  As with the LSRR and SSRR options, if the packet does not
 pass these checks it should be dropped, and this event should be
 logged (e.g., a counter could be incremented to reflect the packet
 drop).
 When a system receives an IP packet with the Record Route option that
 passes the above checks, it should check whether there is space in
 the option to store route information.  The option is full if:

Gont Informational [Page 39] RFC 6274 IPv4 Security Assessment July 2011

                         RR.Pointer > RR.Length
 If the option is full, the datagram should be forwarded without
 further processing of this option.
 If the option is not full (i.e., RR.Pointer <= RR.Length), the IP
 address of the interface that will be used to forward this datagram
 should be recorded into the area pointed to by the RR.Pointer, and
 RR.Pointer should then incremented by 4.
 This option is not copied on fragmentation, and thus appears in the
 first fragment only.  If a fragment other than the one with offset 0
 contains the Record Route option, it should be dropped, and this
 event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 The Record Route option can be exploited to learn about the topology
 of a network.  However, the limited space in the IP header limits the
 usefulness of this option for that purpose if the target network is
 several hops away.

3.13.2.6. Stream Identifier (Type=136)

 The Stream Identifier option originally provided a means for the
 16-bit SATNET stream Identifier to be carried through networks that
 did not support the stream concept.
 However, as stated by Section 4.2.2.1 of RFC 1812 [RFC1812], this
 option is obsolete.  Therefore, it must be ignored by the processing
 systems.
 In the case of legacy systems still using this option, the length
 field of the option should be checked to be 4.  If the option does
 not pass this check, it should be dropped, and this event should be
 logged (e.g., a counter could be incremented to reflect the packet
 drop).
 RFC 791 states that this option appears at most once in a given
 datagram.  Therefore, if a packet contains more than one instance of
 this option, it should be dropped, and this event should be logged
 (e.g., a counter could be incremented to reflect the packet drop).

3.13.2.7. Internet Timestamp (Type=68)

 This option provides a means for recording the time at which each
 system processed this datagram.  The timestamp option has a number of
 security implications.  Among them are the following:

Gont Informational [Page 40] RFC 6274 IPv4 Security Assessment July 2011

 o  It allows an attacker to obtain the current time of the systems
    that process the packet, which the attacker may find useful in a
    number of scenarios.
 o  It may be used to map the network topology, in a similar way to
    the IP Record Route option.
 o  It may be used to fingerprint the operating system in use by a
    system processing the datagram.
 o  It may be used to fingerprint physical devices by analyzing the
    clock skew.
 Therefore, by default, the timestamp option should be ignored.
 For those systems that have been explicitly configured to honor this
 option, the rest of this subsection describes some sanity checks that
 should be enforced on the option before further processing.
 The option begins with an option-type byte, which must be equal to
 68.  The second byte is the option-length, which includes the option-
 type byte, the option-length byte, the pointer, and the overflow/flag
 byte.  The minimum legal value for the option-length byte is 4, which
 corresponds to an Internet Timestamp option that is empty (no space
 to store timestamps).  Therefore, upon receipt of a packet that
 contains an Internet Timestamp option, the following check should be
 performed:
                             IT.Length >= 4
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 The Pointer is an index within this option, counting the option type
 octet as octet #1.  It points to the first byte of the area in which
 the next timestamp data should be stored and thus, the minimum legal
 value is 5.  Since the only change of the Pointer allowed by RFC 791
 is incrementing it by 4 or 8, the following checks should be
 performed on the Internet Timestamp option, depending on the Flag
 value (see below).
 If IT.Flag is equal to 0, the following check should be performed:
                 IT.Pointer %4 == 1 && IT.Pointer != 1

Gont Informational [Page 41] RFC 6274 IPv4 Security Assessment July 2011

 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 Otherwise, the following sanity check should be performed on the
 option:
                          IT.Pointer % 8 == 5
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 The flag field has three possible legal values:
 o  0: Record time stamps only, stored in consecutive 32-bit words.
 o  1: Record each timestamp preceded with the Internet address of the
    registering entity.
 o  3: The internet address fields of the option are pre-specified.
    An IP module only registers its timestamp if it matches its own
    address with the next specified Internet address.
 Therefore the following check should be performed:
              IT.Flag == 0 || IT.Flag == 1 || IT.Flag == 3
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 The timestamp field is a right-justified 32-bit timestamp in
 milliseconds since UTC.  If the time is not available in
 milliseconds, or cannot be provided with respect to UTC, then any
 time may be inserted as a timestamp, provided the high-order bit of
 the timestamp is set, to indicate this non-standard value.
 According to RFC 791, the initial contents of the timestamp area must
 be initialized to zero, or Internet address/zero pairs.  However,
 Internet systems should be able to handle non-zero values, possibly
 discarding the offending datagram.
 When an Internet system receives a packet with an Internet Timestamp
 option, it decides whether it should record its timestamp in the
 option.  If it determines that it should, it should then determine
 whether the timestamp data area is full, by means of the following
 check:

Gont Informational [Page 42] RFC 6274 IPv4 Security Assessment July 2011

                         IT.Pointer > IT.Length
 If this condition is true, the timestamp data area is full.  If not,
 there is room in the timestamp data area.
 If the timestamp data area is full, the overflow byte should be
 incremented, and the packet should be forwarded without inserting the
 timestamp.  If the overflow byte itself overflows, the packet should
 be dropped, and this event should be logged (e.g., a counter could be
 incremented to reflect the packet drop).
 If the timestamp data area is not full, then processing continues as
 follows (note that the above checks on IT.Pointer ensure that there
 is room for another entry in the option):
 o  If IT.Flag is 0, then the system's 32-bit timestamp is stored into
    the area pointed to by the pointer byte and the pointer byte is
    incremented by 4.
 o  If IT.Flag is 1, then the IP address of the system is stored into
    the area pointed to by the pointer byte, followed by the 32-bit
    system timestamp, and the pointer byte is incremented by 8.
 o  Otherwise (IT.Flag is 3), if the IP address in the first 4 bytes
    pointed to by IT.Pointer matches one of the IP addresses assigned
    to an interface of the system, then the system's timestamp is
    stored into the area pointed to by IT.Pointer + 4, and the pointer
    byte is incremented by 8.
 [Kohno2005] describes a technique for fingerprinting devices by
 measuring the clock skew.  It exploits, among other things, the
 timestamps that can be obtained by means of the ICMP timestamp
 request messages [RFC0791].  However, the same fingerprinting method
 could be implemented with the aid of the Internet Timestamp option.

3.13.2.8. Router Alert (Type=148)

 The Router Alert option is defined in RFC 2113 [RFC2113] and later
 updates to it have been clarified by RFC 5350 [RFC5350].  It contains
 a 16-bit Value governed by an IANA registry (see [RFC5350]).  The
 Router Alert option has the semantic "routers should examine this
 packet more closely, if they participate in the functionality denoted
 by the Value of the option".
 According to the syntax of the option as defined in RFC 2113, the
 following check should be enforced, if the router supports this
 option:

Gont Informational [Page 43] RFC 6274 IPv4 Security Assessment July 2011

                             RA.Length == 4
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 A packet that contains a Router Alert option with an option value
 corresponding to functionality supported by an active module in the
 router will not go through the router's fast-path but will be
 processed in the slow path of the router, handing it over for closer
 inspection to the modules that has registered the matching option
 value.  Therefore, this option may impact the performance of the
 systems that handle the packet carrying it.
    [ROUTER-ALERT] analyzes the security implications of the Router
    Alert option, and identifies controlled environments in which the
    Router Alert option can be used safely.
 As explained in RFC 2113 [RFC2113], hosts should ignore this option.

3.13.2.9. Probe MTU (Type=11) (Obsolete)

 This option was defined in RFC 1063 [RFC1063] and originally provided
 a mechanism to discover the Path-MTU.
 This option is obsolete, and therefore any packet that is received
 containing this option should be dropped, and this event should be
 logged (e.g., a counter could be incremented to reflect the packet
 drop).

3.13.2.10. Reply MTU (Type=12) (Obsolete)

 This option is defined in RFC 1063 [RFC1063], and originally provided
 a mechanism to discover the Path-MTU.
 This option is obsolete, and therefore any packet that is received
 containing this option should be dropped, and this event should be
 logged (e.g., a counter could be incremented to reflect the packet
 drop).

3.13.2.11. Traceroute (Type=82)

 This option is defined in RFC 1393 [RFC1393], and originally provided
 a mechanism to trace the path to a host.

Gont Informational [Page 44] RFC 6274 IPv4 Security Assessment July 2011

 The Traceroute option was specified as "experimental", and it was
 never deployed on the public Internet.  Therefore, any packet that is
 received containing this option should be dropped, and this event
 should be logged (e.g., a counter could be incremented to reflect the
 packet drop).

3.13.2.12. Department of Defense (DoD) Basic Security Option (Type=130)

 This option is used by Multi-Level-Secure (MLS) end-systems and
 intermediate-systems in specific environments to [RFC1108]:
 o  Transmit from source to destination in a network standard
    representation the common security labels required by computer
    security models,
 o  Validate the datagram as appropriate for transmission from the
    source and delivery to the destination, and
 o  Ensure that the route taken by the datagram is protected to the
    level required by all protection authorities indicated on the
    datagram.
 It is specified by RFC 1108 [RFC1108] (which obsoletes RFC 1038
 [RFC1038]).
    RFC 791 [RFC0791] defined the "Security Option" (Type=130), which
    used the same option type as the DoD Basic Security option
    discussed in this section.  The "Security Option" specified in RFC
    791 is considered obsolete by Section 3.2.1.8 of RFC 1122, and
    therefore the discussion in this section is focused on the DoD
    Basic Security option specified by RFC 1108 [RFC1108].
 Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement
 this option".
 The DoD Basic Security option is currently implemented in a number of
 operating systems (e.g., [IRIX2008], [SELinux2009], [Solaris2007],
 and [Cisco2008]), and deployed in a number of high-security networks.
 Systems that belong to networks in which this option is in use should
 process the DoD Basic Security option contained in each packet as
 specified in [RFC1108].
 RFC 1108 states that the option should appear at most once in a
 datagram.  Therefore, if more than one DoD Basic Security option
 (BSO) appears in a given datagram, the corresponding datagram should
 be dropped, and this event should be logged (e.g., a counter could be
 incremented to reflect the packet drop).

Gont Informational [Page 45] RFC 6274 IPv4 Security Assessment July 2011

 RFC 1108 states that the option Length is variable, with a minimum
 option Length of 3 bytes.  Therefore, the following check should be
 performed:
                            BSO.Length >= 3
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
    Current deployments of the security options described in this
    section and the two subsequent sections have motivated the
    specification of a "Common Architecture Label IPv6 Security Option
    (CALIPSO)" for the IPv6 protocol [RFC5570].

3.13.2.13. DoD Extended Security Option (Type=133)

 This option permits additional security labeling information, beyond
 that present in the Basic Security option (Section 3.13.2.13), to be
 supplied in an IP datagram to meet the needs of registered
 authorities.  It is specified by RFC 1108 [RFC1108].
 This option may be present only in conjunction with the DoD Basic
 Security option.  Therefore, if a packet contains a DoD Extended
 Security option (ESO), but does not contain a DoD Basic Security
 option, it should be dropped, and this event should be logged (e.g.,
 a counter could be incremented to reflect the packet drop).  It
 should be noted that, unlike the DoD Basic Security option, this
 option may appear multiple times in a single IP header.
 Systems that belong to networks in which this option is in use,
 should process the DoD Extended Security option contained in each
 packet as specified in RFC 1108 [RFC1108].
 RFC 1108 states that the option Length is variable, with a minimum
 option Length of 3 bytes.  Therefore, the following check should be
 performed:
                            ESO.Length >= 3
 If the packet does not pass this check, it should be dropped, and
 this event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).

Gont Informational [Page 46] RFC 6274 IPv4 Security Assessment July 2011

3.13.2.14. Commercial IP Security Option (CIPSO) (Type=134)

 This option was proposed by the Trusted Systems Interoperability
 Group (TSIG), with the intent of meeting trusted networking
 requirements for the commercial trusted systems market place.  It is
 specified in [CIPSO1992] and [FIPS1994].
    The TSIG proposal was taken to the Commercial Internet Security
    Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an
    Internet-Draft was produced [CIPSO1992].  The Internet-Draft was
    never published as an RFC, but the proposal was later standardized
    by the U.S. National Institute of Standards and Technology (NIST)
    as "Federal Information Processing Standard Publication 188"
    [FIPS1994].
 It is currently implemented in a number of operating systems (e.g.,
 IRIX [IRIX2008], Security-Enhanced Linux [SELinux2009], and Solaris
 [Solaris2007]), and deployed in a number of high-security networks.
    [Zakrzewski2002] and [Haddad2004] provide an overview of a Linux
    implementation.
 Systems that belong to networks in which this option is in use should
 process the CIPSO option contained in each packet as specified in
 [CIPSO1992].
 According to the option syntax specified in [CIPSO1992], the
 following validation check should be performed:
                           CIPSO.Length >= 6
 If a packet does not pass this check, it should be dropped, and this
 event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).

3.13.2.15. Sender Directed Multi-Destination Delivery (Type=149)

 This option is defined in RFC 1770 [RFC1770] and originally provided
 unreliable UDP delivery to a set of addresses included in the option.
 This option is obsolete.  If a received packet contains this option,
 it should be dropped, and this event should be logged (e.g., a
 counter could be incremented to reflect the packet drop).

Gont Informational [Page 47] RFC 6274 IPv4 Security Assessment July 2011

4. Internet Protocol Mechanisms

4.1. Fragment Reassembly

 To accommodate networks with different Maximum Transmission Units
 (MTUs), the Internet Protocol provides a mechanism for the
 fragmentation of IP packets by end-systems (hosts) and/or
 intermediate-systems (routers).  Reassembly of fragments is performed
 only by the end-systems.
    [Cerf1974] provides the rationale for why packet reassembly is not
    performed by intermediate-systems.
 During the last few decades, IP fragmentation and reassembly has been
 exploited in a number of ways, to perform actions such as evading
 NIDSs, bypassing firewall rules, and performing DoS attacks.
    [Bendi1998] and [Humble1998] are examples of the exploitation of
    these issues for performing DoS attacks.  [CERT1997] and
    [CERT1998b] document these issues.  [Anderson2001] is a survey of
    fragmentation attacks.  [US-CERT2001] is an example of the
    exploitation of IP fragmentation to bypass firewall rules.
    [CERT1999] describes the implementation of fragmentation attacks
    in Distributed Denial-of-Service (DDoS) attack tools.
 The problem with IP fragment reassembly basically has to do with the
 complexity of the function, in a number of aspects:
 o  Fragment reassembly is a stateful operation for a stateless
    protocol (IP).  The IP module at the host performing the
    reassembly function must allocate memory buffers both for
    temporarily storing the received fragments and to perform the
    reassembly function.  Attackers can exploit this fact to exhaust
    memory buffers at the system performing the fragment reassembly.
 o  The fragmentation and reassembly mechanisms were designed at a
    time in which the available bandwidths were very different from
    the bandwidths available nowadays.  With the current available
    bandwidths, a number of interoperability problems may arise, and
    these issues may be intentionally exploited by attackers to
    perform DoS attacks.
 o  Fragment reassembly must usually be performed without any
    knowledge of the properties of the path the fragments follow.
    Without this information, hosts cannot make any educated guess on
    how long they should wait for missing fragments to arrive.

Gont Informational [Page 48] RFC 6274 IPv4 Security Assessment July 2011

 o  The fragment reassembly algorithm, as described by the IETF
    specifications, is ambiguous, and allows for a number of
    interpretations, each of which has found place in different TCP/IP
    stack implementations.
 o  The reassembly process is somewhat complex.  Fragments may arrive
    out of order, duplicated, overlapping each other, etc.  This
    complexity has lead to numerous bugs in different implementations
    of the IP protocol.

4.1.1. Security Implications of Fragment Reassembly

4.1.1.1. Problems Related to Memory Allocation

 When an IP datagram is received by an end-system, it will be
 temporarily stored in system memory, until the IP module processes it
 and hands it to the protocol machine that corresponds to the
 encapsulated protocol.
 In the case of fragmented IP packets, while the IP module may perform
 preliminary processing of the IP header (such as checking the header
 for errors and processing IP options), fragments must be kept in
 system buffers until all fragments are received and are reassembled
 into a complete Internet datagram.
 As mentioned above, because the Internet layer will not usually have
 information about the characteristics of the path between the system
 and the remote host, no educated guess can be made on the amount of
 time that should be waited for the other fragments to arrive.
 Therefore, the specifications recommend to wait for a period of time
 that is acceptable for virtually all the possible network scenarios
 in which the protocols might operate.  After that time has elapsed,
 all the received fragments for the corresponding incomplete packet
 are discarded.
    The original IP Specification, RFC 791 [RFC0791], states that
    systems should wait for at least 15 seconds for the missing
    fragments to arrive.  Systems that follow the "Example Reassembly
    Procedure" described in Section 3.2 of RFC 791 may end up using a
    reassembly timer of up to 4.25 minutes, with a minimum of 15
    seconds.  Section 3.3.2 ("Reassembly") of RFC 1122 corrected this
    advice, stating that the reassembly timeout should be a fixed
    value between 60 and 120 seconds.

Gont Informational [Page 49] RFC 6274 IPv4 Security Assessment July 2011

 However, the longer the system waits for the missing fragments to
 arrive, the longer the corresponding system resources must be tied to
 the corresponding packet.  The amount of system memory is finite, and
 even with today's systems, it can still be considered a scarce
 resource.
 An attacker could take advantage of the uncomfortable situation the
 system performing fragment reassembly is in, by sending forged
 fragments that will never reassemble into a complete datagram.  That
 is, an attacker would send many different fragments, with different
 IP IDs, without ever sending all the necessary fragments that would
 be needed to reassemble them into a full IP datagram.  For each of
 the fragments, the IP module would allocate resources and tie them to
 the corresponding fragment, until the reassembly timer for the
 corresponding packet expires.
 There are some implementation strategies which could increase the
 impact of this attack.  For example, upon receipt of a fragment, some
 systems allocate a memory buffer that will be large enough to
 reassemble the whole datagram.  While this might be beneficial in
 legitimate cases, this just amplifies the impact of the possible
 attacks, as a single small fragment could tie up memory buffers for
 the size of an extremely large (and unlikely) datagram.  The
 implementation strategy suggested in RFC 815 [RFC0815] leads to such
 an implementation.
 The impact of the aforementioned attack may vary depending on some
 specific implementation details:
 o  If the system does not enforce limits on the amount of memory that
    can be allocated by the IP module, then an attacker could tie all
    system memory to fragments, at which point the system would become
    unusable, perhaps crashing.
 o  If the system enforces limits on the amount of memory that can be
    allocated by the IP module as a whole, then, when this limit is
    reached, all further IP packets that arrive would be discarded,
    until some fragments time out and free memory is available again.
 o  If the system enforces limits on the amount memory that can be
    allocated for the reassembly of fragments, then, when this limit
    is reached, all further fragments that arrive would be discarded,
    until some fragment(s) time out and free memory is available
    again.

Gont Informational [Page 50] RFC 6274 IPv4 Security Assessment July 2011

4.1.1.2. Problems That Arise from the Length of the IP Identification

        Field
 The Internet Protocols are currently being used in environments that
 are quite different from the ones in which they were conceived.  For
 instance, the availability of bandwidth at the time the Internet
 Protocol was designed was completely different from the availability
 of bandwidth in today's networks.
 The Identification field is a 16-bit field that is used for the
 fragmentation and reassembly function.  In the event a datagram gets
 fragmented, all the corresponding fragments will share the same
 {Source Address, Destination Address, Protocol, Identification
 number} four-tuple.  Thus, the system receiving the fragments will be
 able to uniquely identify them as fragments that correspond to the
 same IP datagram.  At a given point in time, there must be at most
 only one packet in the network with a given four-tuple.  If not, an
 Identification number "collision" might occur, and the receiving
 system might end up "mixing" fragments that correspond to different
 IP datagrams which simply reused the same Identification number.
    For example, sending over a 1 Gbit/s path a continuous stream of
    (UDP) packets of roughly 1 kb size that all get fragmented into
    two equally sized fragments of 576 octets each (minimum reassembly
    buffer size) would repeat the IP Identification values within less
    than 0.65 seconds (assuming roughly 10% link layer overhead); with
    shorter packets that still get fragmented, this figure could
    easily drop below 0.4 seconds.  With a single IP packet dropped in
    this short time frame, packets would start to be reassembled
    wrongly and continuously once in such interval until an error
    detection and recovery algorithm at an upper layer lets the
    application back out.
 For each group of fragments whose Identification numbers "collide",
 the fragment reassembly will lead to corrupted packets.  The IP
 payload of the reassembled datagram will be handed to the
 corresponding upper-layer protocol, where the error will (hopefully)
 be detected by some error detecting code (such as the TCP checksum)
 and the packet will be discarded.
 An attacker could exploit this fact to intentionally cause a system
 to discard all or part of the fragmented traffic it gets, thus
 performing a DoS attack.  Such an attacker would simply establish a
 flow of fragments with different IP Identification numbers, to trash
 all or part of the IP Identification space.  As a result, the
 receiving system would use the attacker's fragments for the
 reassembly of legitimate datagrams, leading to corrupted packets
 which would later (and hopefully) get dropped.

Gont Informational [Page 51] RFC 6274 IPv4 Security Assessment July 2011

 In most cases, use of a long fragment timeout will benefit the
 attacker, as forged fragments will keep the IP Identification space
 trashed for a longer period of time.

4.1.1.3. Problems That Arise from the Complexity of the Reassembly

        Algorithm
 As IP packets can be duplicated by the network, and each packet may
 take a different path to get to the destination host, fragments may
 arrive not only out of order and/or duplicated but also overlapping.
 This means that the reassembly process can be somewhat complex, with
 the corresponding implementation being not specifically trivial.
 [Shannon2001] analyzes the causes and attributes of fragment traffic
 measured in several types of WANs.
 During the years, a number of attacks have exploited bugs in the
 reassembly function of several operating systems, producing buffer
 overflows that have led, in most cases, to a crash of the attacked
 system.

4.1.1.4. Problems That Arise from the Ambiguity of the Reassembly

        Process
 Network Intrusion Detection Systems (NIDSs) typically monitor the
 traffic on a given network with the intent of identifying traffic
 patterns that might indicate network intrusions.
 In the presence of IP fragments, in order to detect illegitimate
 activity at the transport or application layers (i.e., any protocol
 layer above the network layer), a NIDS must perform IP fragment
 reassembly.
 In order to correctly assess the traffic, the result of the
 reassembly function performed by the NIDS should be the same as that
 of the reassembly function performed by the intended recipient of the
 packets.
 However, a number of factors make the result of the reassembly
 process ambiguous:
 o  The IETF specifications are ambiguous as to what should be done in
    the event overlapping fragments were received.  Thus, in the
    presence of overlapping data, the system performing the reassembly
    function is free to honor either the first set of data received,
    the latest copy received, or any other copy received in between.

Gont Informational [Page 52] RFC 6274 IPv4 Security Assessment July 2011

 o  As the specifications do not enforce any specific fragment timeout
    value, different systems may choose different values for the
    fragment timeout.  This means that given a set of fragments
    received at some specified time intervals, some systems will
    reassemble the fragments into a full datagram, while others may
    timeout the fragments and therefore drop them.
 o  As mentioned before, as the fragment buffers get full, a DoS
    condition will occur unless some action is taken.  Many systems
    flush part of the fragment buffers when some threshold is reached.
    Thus, depending on fragment load, timing issues, and flushing
    policy, a NIDS may get incorrect assumptions about how (and if)
    fragments are being reassembled by their intended recipient.
 As originally discussed by [Ptacek1998], these issues can be
 exploited by attackers to evade intrusion detection systems.
 There exist freely available tools to forcefully fragment IP
 datagrams so as to help evade Intrusion Detection Systems.  Frag
 router [Song1999] is an example of such a tool; it allows an attacker
 to perform all the evasion techniques described in [Ptacek1998].
 Ftester [Barisani2006] is a tool that helps to audit systems
 regarding fragmentation issues.

4.1.1.5. Problems That Arise from the Size of the IP Fragments

 One approach to fragment filtering involves keeping track of the
 results of applying filter rules to the first fragment (i.e., the
 fragment with a Fragment Offset of 0), and applying them to
 subsequent fragments of the same packet.  The filtering module would
 maintain a list of packets indexed by the Source Address, Destination
 Address, Protocol, and Identification number.  When the initial
 fragment is seen, if the MF bit is set, a list item would be
 allocated to hold the result of filter access checks.  When packets
 with a non-zero Fragment Offset come in, look up the list element
 with a matching Source Address/Destination Address/Protocol/
 Identification and apply the stored result (pass or block).  When a
 fragment with a zero MF bit is seen, free the list element.
 Unfortunately, the rules of this type of packet filter can usually be
 bypassed.  [RFC1858] describes the details of the involved technique.

4.1.2. Possible Security Improvements

4.1.2.1. Memory Allocation for Fragment Reassembly

 A design choice usually has to be made as to how to allocate memory
 to reassemble the fragments of a given packet.  There are basically
 two options:

Gont Informational [Page 53] RFC 6274 IPv4 Security Assessment July 2011

 o  Upon receipt of the first fragment, allocate a buffer that will be
    large enough to concatenate the payload of each fragment.
 o  Upon receipt of the first fragment, create the first node of a
    linked list to which each of the following fragments will be
    linked.  When all fragments have been received, copy the IP
    payload of each of the fragments (in the correct order) to a
    separate buffer that will be handed to the protocol being
    encapsulated in the IP payload.
 While the first of the choices might seem to be the most
 straightforward, it implies that even when a single small fragment of
 a given packet is received, the amount of memory that will be
 allocated for that fragment will account for the size of the complete
 IP datagram, thus using more system resources than what is actually
 needed.
 Furthermore, the only situation in which the actual size of the whole
 datagram will be known is when the last fragment of the packet is
 received first, as that is the only packet from which the total size
 of the IP datagram can be asserted.  Otherwise, memory should be
 allocated for the largest possible packet size (65535 bytes).
 The IP module should also enforce a limit on the amount of memory
 that can be allocated for IP fragments, as well as a limit on the
 number of fragments that at any time will be allowed in the system.
 This will basically limit the resources spent on the reassembly
 process, and prevent an attacker from trashing the whole system
 memory.
 Furthermore, the IP module should keep a different buffer for IP
 fragments than for complete IP datagrams.  This will basically
 separate the effects of fragment attacks on non-fragmented traffic.
 Most TCP/IP implementations, such as that in Linux and those in BSD-
 derived systems, already implement this.
 [Jones2002] analyzes the amount of memory that may be needed for the
 fragment reassembly buffer depending on a number of network
 characteristics.

4.1.2.2. Flushing the Fragment Buffer

 In the case of those attacks that aim to consume the memory buffers
 used for fragments, and those that aim to cause a collision of IP
 Identification numbers, there are a number of countermeasures that
 can be implemented.

Gont Informational [Page 54] RFC 6274 IPv4 Security Assessment July 2011

 Even with these countermeasures in place, there is still the issue of
 what to do when the buffer pool used for IP fragments gets full.
 Basically, if the fragment buffer is full, no instance of
 communication that relies on fragmentation will be able to progress.
 Unfortunately, there are not many options for reacting to this
 situation.  If nothing is done, all the instances of communication
 that rely on fragmentation will experience a denial of service.
 Thus, the only thing that can be done is flush all or part of the
 fragment buffer, on the premise that legitimate traffic will be able
 to make use of the freed buffer space to allow communication flows to
 progress.
 There are a number of factors that should be taken into consideration
 when flushing the fragment buffers.  First, if a fragment of a given
 packet (i.e., fragment with a given Identification number) is
 flushed, all the other fragments that correspond to the same datagram
 should be flushed.  As in order for a packet to be reassembled all of
 its fragments must be received by the system performing the
 reassembly function, flushing only a subset of the fragments of a
 given packet would keep the corresponding buffers tied to fragments
 that would never reassemble into a complete datagram.  Additionally,
 care must be taken so that, in the event that subsequent buffer
 flushes need to be performed, it is not always the same set of
 fragments that get dropped, as such a behavior would probably cause a
 selective DoS to the traffic flows to which that set of fragments
 belongs.
 Many TCP/IP implementations define a threshold for the number of
 fragments that, when reached, triggers a fragment-buffer flush.  Some
 systems flush 1/2 of the fragment buffer when the threshold is
 reached.  As mentioned before, the idea of flushing the buffer is to
 create some free space in the fragment buffer, on the premise that
 this will allow for new and legitimate fragments to be processed by
 the IP module, thus letting communication survive the overwhelming
 situation.  On the other hand, the idea of flushing a somewhat large
 portion of the buffer is to avoid flushing always the same set of
 packets.

4.1.2.3. A More Selective Fragment Buffer Flushing Strategy

 One of the difficulties in implementing countermeasures for the
 fragmentation attacks described throughout Section 4.1 is that it is
 difficult to perform validation checks on the received fragments.
 For instance, the fragment on which validity checks could be
 performed, the first fragment, may be not the first fragment to
 arrive at the destination host.

Gont Informational [Page 55] RFC 6274 IPv4 Security Assessment July 2011

 Fragments cannot only arrive out of order because of packet
 reordering performed by the network, but also because the system (or
 systems) that fragmented the IP datagram may indeed transmit the
 fragments out of order.  A notable example of this is the Linux
 TCP/IP stack, which transmits the fragments in reverse order.
 This means that we cannot enforce checks on the fragments for which
 we allocate reassembly resources, as the first fragment we receive
 for a given packet may be some other fragment than the first one (the
 one with an Fragment Offset of 0).
 However, at the point in which we decide to free some space in the
 fragment buffer, some refinements can be done to the flushing policy.
 The first thing we would like to do is to stop different types of
 traffic from interfering with each other.  This means, in principle,
 that we do not want fragmented UDP traffic to interfere with
 fragmented TCP traffic.  In order to implement this traffic
 separation for the different protocols, a different fragment buffer
 pool would be needed, in principle, for each of the 256 different
 protocols that can be encapsulated in an IP datagram.
 We believe a trade-off is to implement two separate fragment buffers:
 one for IP datagrams that encapsulate IPsec packets and another for
 the rest of the traffic.  This basically means that traffic not
 protected by IPsec will not interfere with those flows of
 communication that are being protected by IPsec.
 The processing of each of these two different fragment buffer pools
 would be completely independent from each other.  In the case of the
 IPsec fragment buffer pool, when the buffers needs to be flushed, the
 following refined policy could be applied:
 o  First, for each packet for which the IPsec header has been
    received, check that the Security Parameters Index (SPI) field of
    the IPsec header corresponds to an existing IPsec Security
    Association (SA), and probably also check that the IPsec sequence
    number is valid.  If the check fails, drop all the fragments that
    correspond to this packet.
 o  Second, if still more fragment buffers need to be flushed, drop
    all the fragments that correspond to packets for which the full
    IPsec header has not yet been received.  The number of packets for
    which this flushing is performed depends on the amount of free
    space that needs to be created.
 o  Third, if after flushing packets with invalid IPsec information
    (First step), and packets on which validation checks could not be
    performed (Second step), there is still not enough space in the

Gont Informational [Page 56] RFC 6274 IPv4 Security Assessment July 2011

    fragment buffer, drop all the fragments that correspond to packets
    that passed the checks of the first step, until the necessary free
    space is created.
 The rationale behind this policy is that, at the point of flushing
 fragment buffers, we prefer to keep those packets on which we could
 successfully perform a number of validation checks, over those
 packets on which those checks failed, or the checks could not even be
 performed.
 By checking both the IPsec SPI and the IPsec sequence number, it is
 virtually impossible for an attacker that is off-path to perform a
 DoS attack to communication flows being protected by IPsec.
 Unfortunately, some IP implementations (such as that in Linux
 [Linux]), when performing fragmentation, send the corresponding
 fragments in reverse order.  In such cases, at the point of flushing
 the fragment buffer, legitimate fragments will receive the same
 treatment as the possible forged fragments.
 This refined flushing policy provides an increased level of
 protection against this type of resource exhaustion attack, while not
 making the situation of out-of-order IPsec-secured traffic worse than
 with the simplified flushing policy described in the previous
 section.

4.1.2.4. Reducing the Fragment Timeout

 RFC 1122 [RFC1122] states that the reassembly timeout should be a
 fixed value between 60 and 120 seconds.  The rationale behind these
 long timeout values is that they should accommodate any path
 characteristics, such as long-delay paths.  However, it must be noted
 that this timer is really measuring inter-fragment delays, or, more
 specifically, fragment jitter.
 If all fragments take paths of similar characteristics, the inter-
 fragment delay will usually be, at most, a few seconds.
 Nevertheless, even if fragments take different paths of different
 characteristics, the recommended 60 to 120 seconds are, in practice,
 excessive.
 Some systems have already reduced the fragment timeout to 30 seconds
 [Linux].  The fragment timeout could probably be further reduced to
 approximately 15 seconds; although further research on this issue is
 necessary.

Gont Informational [Page 57] RFC 6274 IPv4 Security Assessment July 2011

 It should be noted that in network scenarios of long-delay and high-
 bandwidth (usually referred to as "Long-Fat Networks"), using a long
 fragment timeout would likely increase the probability of collision
 of IP ID numbers.  Therefore, in such scenarios it is highly
 desirable to avoid the use of fragmentation with techniques such as
 PMTUD [RFC1191] or PLPMTUD [RFC4821].

4.1.2.5. Countermeasure for Some NIDS Evasion Techniques

 [Shankar2003] introduces a technique named "Active Mapping" that
 prevents evasion of a NIDS by acquiring sufficient knowledge about
 the network being monitored, to assess which packets will arrive at
 the intended recipient, and how they will be interpreted by it.
 [Novak2005] describes some techniques that are applied by the Snort
 [Snort] NIDS to avoid evasion.

4.1.2.6. Countermeasure for Firewall-Rules Bypassing

 One of the classical techniques to bypass firewall rules involves
 sending packets in which the header of the encapsulated protocol is
 fragmented.  Even when it would be legal (as far as the IETF
 specifications are concerned) to receive such a packets, the MTUs of
 the network technologies used in practice are not that small to
 require the header of the encapsulated protocol to be fragmented
 (e.g., see [RFC2544]).  Therefore, the system performing reassembly
 should drop all packets which fragment the upper-layer protocol
 header, and this event should be logged (e.g., a counter could be
 incremented to reflect the packet drop).
 Additionally, given that many middle-boxes such as firewalls create
 state according to the contents of the first fragment of a given
 packet, it is best that, in the event an end-system receives
 overlapping fragments, it honors the information contained in the
 fragment that was received first.
 RFC 1858 [RFC1858] describes the abuse of IP fragmentation to bypass
 firewall rules.  RFC 3128 [RFC3128] corrects some errors in RFC 1858.

4.2. Forwarding

4.2.1. Precedence-Ordered Queue Service

 Section 5.3.3.1 of RFC 1812 [RFC1812] states that routers should
 implement precedence-ordered queue service.  This means that when a
 packet is selected for output on a (logical) link, the packet of
 highest precedence that has been queued for that link is sent.
 Section 5.3.3.2 of RFC 1812 advises routers to default to maintaining
 strict precedence-ordered service.

Gont Informational [Page 58] RFC 6274 IPv4 Security Assessment July 2011

 Unfortunately, given that it is trivial to forge the IP precedence
 field of the IP header, an attacker could simply forge a high
 precedence number in the packets it sends to illegitimately get
 better network service.  If precedence-ordered queued service is not
 required in a particular network infrastructure, it should be
 disabled, and thus all packets would receive the same type of
 service, despite the values in their Type of Service or
 Differentiated Services fields.
 When precedence-ordered queue service is required in the network
 infrastructure, in order to mitigate the attack vector discussed in
 the previous paragraph, edge routers or switches should be configured
 to police and remark the Type of Service or Differentiated Services
 values, according to the type of service at which each end-system has
 been allowed to send packets.
 Bullet 4 of Section 5.3.3.3 of RFC 1812 states that routers "MUST NOT
 change precedence settings on packets it did not originate".
 However, given the security implications of the Precedence field, it
 is fair for routers, switches, or other middle-boxes, particularly
 those in the network edge, to overwrite the Type of Service (or
 Differentiated Services) field of the packets they are forwarding,
 according to a configured network policy (this is the specified
 behavior for DS domains [RFC2475]).
 Sections 5.3.3.1 and 5.3.6 of RFC 1812 state that if precedence-
 ordered queue service is implemented and enabled, the router "MUST
 NOT discard a packet whose precedence is higher than that of a packet
 that is not discarded".  While this recommendation makes sense given
 the semantics of the Precedence field, it is important to note that
 it would be simple for an attacker to send packets with forged high
 Precedence value to congest some internet router(s), and cause all
 (or most) traffic with a lower Precedence value to be discarded.

4.2.2. Weak Type of Service

 Section 5.2.4.3 of RFC 1812 describes the algorithm for determining
 the next-hop address (i.e., the forwarding algorithm).  Bullet 3,
 "Weak TOS", addresses the case in which routes contain a "type of
 service" attribute.  It states that in case a packet contains a non-
 default TOS (i.e., 0000), only routes with the same TOS or with the
 default TOS should be considered for forwarding that packet.
 However, this means that if among the longest match routes for a
 given packet are routes with some TOS other than the one contained in
 the received packet, and no routes with the default TOS, the
 corresponding packet would be dropped.  This may or may not be a
 desired behavior.

Gont Informational [Page 59] RFC 6274 IPv4 Security Assessment July 2011

 An alternative for the case in which among the "longest match" routes
 there are only routes with non-default type of service that do not
 match the TOS contained in the received packet, would be to use a
 route with any other TOS.  While this route would most likely not be
 able to address the type of service requested by packet, it would, at
 least, provide a "best effort" service.
 It must be noted that Section 5.3.2 of RFC 1812 allows routers to not
 honor the TOS field.  Therefore, the proposed alternative behavior is
 still compliant with the IETF specifications.
    While officially specified in the RFC series, TOS-based routing is
    not widely deployed in the Internet.

4.2.3. Impact of Address Resolution on Buffer Management

 In the case of broadcast link-layer technologies, in order for a
 system to transfer an IP datagram it must usually first map an IP
 address to the corresponding link-layer address (for example, by
 means of the Address Resolution Protocol (ARP) [RFC0826]) .  This
 means that while this operation is being performed, the packets that
 would require such a mapping would need to be kept in memory.  This
 may happen both in the case of hosts and in the case of routers.
 This situation might be exploited by an attacker, which could send a
 large amount of packets to a non-existent host that would supposedly
 be directly connected to the attacked router.  While trying to map
 the corresponding IP address into a link-layer address, the attacked
 router would keep in memory all the packets that would need to make
 use of that link-layer address.  At the point in which the mapping
 function times out, depending on the policy implemented by the
 attacked router, only the packet that triggered the call to the
 mapping function might be dropped.  In that case, the same operation
 would be repeated for every packet destined to the non-existent host.
 Depending on the timeout value for the mapping function, this
 situation might lead the router to run out of free buffer space, with
 the consequence that incoming legitimate packets would have to be
 dropped, or that legitimate packets already stored in the router's
 buffers might get dropped.  Both of these situations would lead
 either to a complete DoS or to a degradation of the network service.
 One countermeasure to this problem would be to drop, at the point the
 mapping function times out, all the packets destined to the address
 that timed out.  In addition, a "negative cache entry" might be kept
 in the module performing the matching function, so that for some
 amount of time, the mapping function would return an error when the
 IP module requests to perform a mapping for some address for which
 the mapping has recently timed out.

Gont Informational [Page 60] RFC 6274 IPv4 Security Assessment July 2011

    A common implementation strategy for routers is that when a packet
    is received that requires an ARP resolution to be performed before
    the packet can be forwarded, the packet is dropped and the router
    is then engaged in the ARP procedure.

4.2.4. Dropping Packets

 In some scenarios, it may be necessary for a host or router to drop
 packets from the output queue.  In the event that one of such packets
 happens to be an IP fragment, and there were other fragments of the
 same packet in the queue, those other fragments should also be
 dropped.  The rationale for this policy is that it is nonsensical to
 spend system resources on those other fragments, because, as long as
 one fragment is missing, it will be impossible for the receiving
 system to reassemble them into a complete IP datagram.
 Some systems have been known to drop just a subset of fragments of a
 given datagram, leading to a denial-of-service condition, as only a
 subset of all the fragments of the packets were actually transferred
 to the next hop.

4.3. Addressing

4.3.1. Unreachable Addresses

 It is important to understand that while there are some addresses
 that are supposed to be unreachable from the public Internet (such as
 the private IP addresses described in RFC 1918 [RFC1918], or the
 "loopback" address), there are a number of tricks an attacker can
 perform to reach those IP addresses that would otherwise be
 unreachable (e.g., exploit the LSRR or SSRR IP options).  Therefore,
 when applicable, packet filtering should be performed at the private
 network boundary to assure that those addresses will be unreachable.
 Similarly, link-local unicast addresses [RFC3927] and multicast
 addresses with limited scope (link- and site-local addresses) should
 not be accessible from outside the proper network boundaries and not
 be passed across these boundaries.
 [RFC5735] provides a summary of special use IPv4 addresses.

4.3.2. Private Address Space

 The Internet Assigned Numbers Authority (IANA) has reserved the
 following three blocks of the IP address space for private internets:
 o  10.0.0.0 - 10.255.255.255 (10/8 prefix)

Gont Informational [Page 61] RFC 6274 IPv4 Security Assessment July 2011

 o  172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
 o  192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
 Use of these address blocks is described in RFC 1918 [RFC1918].
 Where applicable, packet filtering should be performed at the
 organizational perimeter to assure that these addresses are not
 reachable from outside the private network where such addresses are
 employed.

4.3.3. Former Class D Addresses (224/4 Address Block)

 The former Class D addresses correspond to the 224/4 address block
 and are used for Internet multicast.  Therefore, if a packet is
 received with a "Class D" address as the Source Address, it should be
 dropped, and this event should be logged (e.g., a counter could be
 incremented to reflect the packet drop).  Additionally, if an IP
 packet with a multicast Destination Address is received for a
 connection-oriented protocol (e.g., TCP), the packet should be
 dropped (see Section 4.3.5), and this event should be logged (e.g., a
 counter could be incremented to reflect the packet drop).

4.3.4. Former Class E Addresses (240/4 Address Block)

 The former Class E addresses correspond to the 240/4 address block,
 and are currently reserved for experimental use.  As a result, a most
 routers discard packets that contain a "Class" E address as the
 Source Address or Destination Address.  If a packet is received with
 a 240/4 address as the Source Address and/or the Destination Address,
 the packet should be dropped and this event should be logged (e.g., a
 counter could be incremented to reflect the packet drop).
 It should be noted that the broadcast address 255.255.255.255 still
 must be treated as indicated in Section 4.3.7 of this document.

4.3.5. Broadcast/Multicast Addresses and Connection-Oriented Protocols

 For connection-oriented protocols, such as TCP, shared state is
 maintained between only two endpoints at a time.  Therefore, if an IP
 packet with a multicast (or broadcast) Destination Address is
 received for a connection-oriented protocol (e.g., TCP), the packet
 should be dropped, and this event should be logged (e.g., a counter
 could be incremented to reflect the packet drop).

Gont Informational [Page 62] RFC 6274 IPv4 Security Assessment July 2011

4.3.6. Broadcast and Network Addresses

 Originally, the IETF specifications did not permit IP addresses to
 have the value 0 or -1 (shorthand for all bits set to 1) for any of
 the Host number, network number, or subnet number fields, except for
 the cases indicated in Section 4.3.7.  However, this changed
 fundamentally with the deployment of Classless Inter-Domain Routing
 (CIDR) [RFC4632], as with CIDR a system cannot know a priori what the
 subnet mask is for a particular IP address.
 Many systems now allow administrators to use the values 0 or -1 for
 those fields.  Despite that according to the original IETF
 specifications these addresses are illegal, modern IP implementations
 should consider these addresses to be valid.

4.3.7. Special Internet Addresses

 RFC 1812 [RFC1812] discusses the use of some special Internet
 addresses, which is of interest to perform some sanity checks on the
 Source Address and Destination Address fields of an IP packet.  It
 uses the following notation for an IP address:
 { <Network-prefix>, <Host-number> }
 where the length of the network prefix is generally implied by the
 network mask assigned to the IP interface under consideration.
    RFC 1122 [RFC1122] contained a similar discussion of special
    Internet addresses, including some of the form { <Network-prefix>,
    <Subnet-number>, <Host-number> }.  However, as explained in
    Section 4.2.2.11 of RFC 1812, in a CIDR world, the subnet number
    is clearly an extension of the network prefix and cannot be
    distinguished from the remainder of the prefix.
 {0, 0}
 This address means "this host on this network".  It is meant to be
 used only during the initialization procedure, by which the host
 learns its own IP address.
 If a packet is received with 0.0.0.0 as the Source Address for any
 purpose other than bootstrapping, the corresponding packet should be
 silently dropped, and this event should be logged (e.g., a counter
 could be incremented to reflect the packet drop).  If a packet is
 received with 0.0.0.0 as the Destination Address, it should be
 silently dropped, and this event should be logged (e.g., a counter
 could be incremented to reflect the packet drop).

Gont Informational [Page 63] RFC 6274 IPv4 Security Assessment July 2011

 {0, Host number}
 This address means "the specified host, in this network".  As in the
 previous case, it is meant to be used only during the initialization
 procedure by which the host learns its own IP address.  If a packet
 is received with such an address as the Source Address for any
 purpose other than bootstrapping, it should be dropped, and this
 event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).  If a packet is received with such an
 address as the Destination Address, it should be dropped, and this
 event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 {-1, -1}
 This address is the local broadcast address.  It should not be used
 as a source IP address.  If a packet is received with 255.255.255.255
 as the Source Address, it should be dropped, and this event should be
 logged (e.g., a counter could be incremented to reflect the packet
 drop).
    Some systems, when receiving an ICMP echo request, for example,
    will use the Destination Address in the ICMP echo request packet
    as the Source Address of the response they send (in this case, an
    ICMP echo reply).  Thus, when such systems receive a request sent
    to a broadcast address, the Source Address of the response will
    contain a broadcast address.  This should be considered a bug,
    rather than a malicious use of the limited broadcast address.
 {Network number, -1}
 This is the directed broadcast to the specified network.  As
 recommended by RFC 2644 [RFC2644], routers should not forward
 network-directed broadcasts.  This avoids the corresponding network
 from being utilized as, for example, a "smurf amplifier" [CERT1998a].
 As noted in Section 4.3.6 of this document, many systems now allow
 administrators to configure these addresses as unicast addresses for
 network interfaces.  In such scenarios, routers should forward these
 addresses as if they were traditional unicast addresses.
 In some scenarios, a host may have knowledge about a particular IP
 address being a network-directed broadcast address, rather than a
 unicast address (e.g., that IP address is configured on the local
 system as a "broadcast address").  In such scenarios, if a system can
 infer that the Source Address of a received packet is a network-

Gont Informational [Page 64] RFC 6274 IPv4 Security Assessment July 2011

 directed broadcast address, the packet should be dropped, and this
 event should be logged (e.g., a counter could be incremented to
 reflect the packet drop).
 As noted in Section 4.3.6 of this document, with the deployment of
 CIDR [RFC4632], it may be difficult for a system to infer whether a
 particular IP address that does not belong to a directly attached
 subnet is a broadcast address.
 {127.0.0.0/8, any}
 This is the internal host loopback address.  Any packet that arrives
 on any physical interface containing this address as the Source
 Address, the Destination Address, or as part of a source route
 (either LSRR or SSRR), should be dropped.
 For example, packets with a Destination Address in the 127.0.0.0/8
 address block that are received on an interface other than loopback
 should be silently dropped.  Packets received on any interface other
 than loopback with a Source Address corresponding to the system
 receiving the packet should also be dropped.
 In all the above cases, when a packet is dropped, this event should
 be logged (e.g., a counter could be incremented to reflect the packet
 drop).

5. Security Considerations

 This document discusses the security implications of the Internet
 Protocol (IP) and a number of implementation strategies that help to
 mitigate a number of vulnerabilities found in the protocol during the
 last 25 years or so.

6. Acknowledgements

 The author wishes to thank Alfred Hoenes for providing very thorough
 reviews of earlier versions of this document, thus leading to
 numerous improvements.
 The author would like to thank Jari Arkko, Ron Bonica, Stewart
 Bryant, Adrian Farrel, Joel Jaeggli, Warren Kumari, Bruno Rohee, and
 Andrew Yourtchenko for providing valuable comments on earlier
 versions of this document.
 This document was written by Fernando Gont on behalf of the UK CPNI
 (United Kingdom's Centre for the Protection of National
 Infrastructure), and is heavily based on the "Security Assessment of
 the Internet Protocol" [CPNI2008] published by the UK CPNI in 2008.

Gont Informational [Page 65] RFC 6274 IPv4 Security Assessment July 2011

 The author would like to thank Randall Atkinson, John Day, Juan
 Fraschini, Roque Gagliano, Guillermo Gont, Martin Marino, Pekka
 Savola, and Christos Zoulas for providing valuable comments on
 earlier versions of [CPNI2008], on which this document is based.
 The author would like to thank Randall Atkinson and Roque Gagliano,
 who generously answered a number of questions.
 Finally, the author would like to thank UK CPNI (formerly NISCC) for
 their continued support.

7. References

7.1. Normative References

 [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
            September 1981.
 [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or
            converting network protocol addresses to 48.bit Ethernet
            address for transmission on Ethernet hardware", STD 37,
            RFC 826, November 1982.
 [RFC1038]  St. Johns, M., "Draft revised IP security option",
            RFC 1038, January 1988.
 [RFC1063]  Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP
            MTU discovery options", RFC 1063, July 1988.
 [RFC1108]  Kent, S., "U.S", RFC 1108, November 1991.
 [RFC1112]  Deering, S., "Host extensions for IP multicasting", STD 5,
            RFC 1112, August 1989.
 [RFC1122]  Braden, R., "Requirements for Internet Hosts -
            Communication Layers", STD 3, RFC 1122, October 1989.
 [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
            November 1990.
 [RFC1349]  Almquist, P., "Type of Service in the Internet Protocol
            Suite", RFC 1349, July 1992.
 [RFC1393]  Malkin, G., "Traceroute Using an IP Option", RFC 1393,
            January 1993.
 [RFC1770]  Graff, C., "IPv4 Option for Sender Directed Multi-
            Destination Delivery", RFC 1770, March 1995.

Gont Informational [Page 66] RFC 6274 IPv4 Security Assessment July 2011

 [RFC1812]  Baker, F., "Requirements for IP Version 4 Routers",
            RFC 1812, June 1995.
 [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
            E. Lear, "Address Allocation for Private Internets",
            BCP 5, RFC 1918, February 1996.
 [RFC2113]  Katz, D., "IP Router Alert Option", RFC 2113,
            February 1997.
 [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119, March 1997.
 [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
            "Definition of the Differentiated Services Field (DS
            Field) in the IPv4 and IPv6 Headers", RFC 2474,
            December 1998.
 [RFC2475]  Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z.,
            and W. Weiss, "An Architecture for Differentiated
            Services", RFC 2475, December 1998.
 [RFC2644]  Senie, D., "Changing the Default for Directed Broadcasts
            in Routers", BCP 34, RFC 2644, August 1999.
 [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
            Defeating Denial of Service Attacks which employ IP Source
            Address Spoofing", BCP 38, RFC 2827, May 2000.
 [RFC3168]  Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
            of Explicit Congestion Notification (ECN) to IP",
            RFC 3168, September 2001.
 [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed
            Networks", BCP 84, RFC 3704, March 2004.
 [RFC3927]  Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
            Configuration of IPv4 Link-Local Addresses", RFC 3927,
            May 2005.
 [RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
            Requirements for Security", BCP 106, RFC 4086, June 2005.
 [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
            (CIDR): The Internet Address Assignment and Aggregation
            Plan", BCP 122, RFC 4632, August 2006.

Gont Informational [Page 67] RFC 6274 IPv4 Security Assessment July 2011

 [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
            Discovery", RFC 4821, March 2007.
 [RFC5082]  Gill, V., Heasley, J., Meyer, D., Savola, P., and C.
            Pignataro, "The Generalized TTL Security Mechanism
            (GTSM)", RFC 5082, October 2007.
 [RFC5350]  Manner, J. and A. McDonald, "IANA Considerations for the
            IPv4 and IPv6 Router Alert Options", RFC 5350,
            September 2008.
 [RFC5735]  Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
            BCP 153, RFC 5735, January 2010.
 [RFC6040]  Briscoe, B., "Tunnelling of Explicit Congestion
            Notification", RFC 6040, November 2010.

7.2. Informative References

 [Anderson2001]
            Anderson, J., "An Analysis of Fragmentation Attacks",
            2001, <http://www.ouah.org/fragma.html>.
 [Arkin2000]
            Arkin, "IP TTL Field Value with ICMP (Oops - Identifying
            Windows 2000 again and more)", 2000,
            <http://ofirarkin.files.wordpress.com/2008/11/
            ofirarkin2000-06.pdf>.
 [Barisani2006]
            Barisani, A., "FTester - Firewall and IDS testing tool",
            2001, <http://dev.inversepath.com/trac/ftester>.
 [Bellovin1989]
            Bellovin, S., "Security Problems in the TCP/IP Protocol
            Suite", Computer Communication Review Vol. 19, No. 2, pp.
            32-48, 1989.
 [Bellovin2002]
            Bellovin, S., "A Technique for Counting NATted Hosts",
            IMW'02 Nov. 6-8, 2002, Marseille, France, 2002.
 [Bendi1998]
            Bendi, "Bonk exploit", 1998,
            <http://www.insecure.org/sploits/
            95.NT.fragmentation.bonk.html>.

Gont Informational [Page 68] RFC 6274 IPv4 Security Assessment July 2011

 [Biondi2007]
            Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
            CanSecWest 2007 Security Conference, 2007,
            <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>.
 [CERT1996a]
            CERT, "CERT Advisory CA-1996-01: UDP Port Denial-of-
            Service Attack", 1996,
            <http://www.cert.org/advisories/CA-1996-01.html>.
 [CERT1996b]
            CERT, "CERT Advisory CA-1996-21: TCP SYN Flooding and IP
            Spoofing Attacks", 1996,
            <http://www.cert.org/advisories/CA-1996-21.html>.
 [CERT1996c]
            CERT, "CERT Advisory CA-1996-26: Denial-of-Service Attack
            via ping", 1996,
            <http://www.cert.org/advisories/CA-1996-26.html>.
 [CERT1997] CERT, "CERT Advisory CA-1997-28: IP Denial-of-Service
            Attacks", 1997,
            <http://www.cert.org/advisories/CA-1997-28.html>.
 [CERT1998a]
            CERT, "CERT Advisory CA-1998-01: Smurf IP Denial-of-
            Service Attacks", 1998,
            <http://www.cert.org/advisories/CA-1998-01.html>.
 [CERT1998b]
            CERT, "CERT Advisory CA-1998-13: Vulnerability in Certain
            TCP/IP Implementations", 1998,
            <http://www.cert.org/advisories/CA-1998-13.html>.
 [CERT1999] CERT, "CERT Advisory CA-1999-17: Denial-of-Service Tools",
            1999, <http://www.cert.org/advisories/CA-1999-17.html>.
 [CERT2003] CERT, "CERT Advisory CA-2003-15: Cisco IOS Interface
            Blocked by IPv4 Packet", 2003,
            <http://www.cert.org/advisories/CA-2003-15.html>.
 [CIPSO1992]
            CIPSO, "COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)", Work
            in Progress, 1992.

Gont Informational [Page 69] RFC 6274 IPv4 Security Assessment July 2011

 [CIPSOWG1994]
            CIPSOWG, "Commercial Internet Protocol Security Option
            (CIPSO) Working Group", 1994, <http://www.ietf.org/
            proceedings/94jul/charters/cipso-charter.html>.
 [CPNI2008] Gont, F., "Security Assessment of the Internet Protocol",
            2008, <http://www.cpni.gov.uk/Docs/InternetProtocol.pdf>.
 [Cerf1974] Cerf, V. and R. Kahn, "A Protocol for Packet Network
            Intercommunication", IEEE Transactions on
            Communications Vol. 22, No. 5, May 1974, pp. 637-648,
            1974.
 [Cisco2003]
            Cisco, "Cisco Security Advisory: Cisco IOS Interface
            Blocked by IPv4 packet", 2003, <http://www.cisco.com/en/
            US/products/
            products_security_advisory09186a00801a34c2.shtml>.
 [Cisco2008]
            Cisco, "Cisco IOS Security Configuration Guide, Release
            12.2", 2003, <http://www.cisco.com/en/US/docs/ios/12_2/
            security/configuration/guide/scfipso.html>.
 [Clark1988]
            Clark, D., "The Design Philosophy of the DARPA Internet
            Protocols", Computer Communication Review Vol. 18, No. 4,
            1988.
 [Ed3f2002] Ed3f, "Firewall spotting and networks analysis with a
            broken CRC", Phrack Magazine, Volume 0x0b, Issue
            0x3c, Phile #0x0c of 0x10, 2002, <http://www.phrack.org/
            issues.html?issue=60&id=12&mode=txt>.
 [FIPS1994] FIPS, "Standard Security Label for Information Transfer",
            Federal Information Processing Standards Publication. FIP
            PUBS 188, 1994, <http://csrc.nist.gov/publications/fips/
            fips188/fips188.pdf>.
 [Fyodor2004]
            Fyodor, "Idle scanning and related IP ID games", 2004,
            <http://www.insecure.org/nmap/idlescan.html>.
 [GIAC2000] GIAC, "Egress Filtering v 0.2", 2000,
            <http://www.sans.org/y2k/egress.htm>.
 [Gont2006] Gont, F., "Advanced ICMP packet filtering", 2006,
            <http://www.gont.com.ar/papers/icmp-filtering.html>.

Gont Informational [Page 70] RFC 6274 IPv4 Security Assessment July 2011

 [Haddad2004]
            Haddad, I. and M. Zakrzewski, "Security Distribution for
            Linux Clusters", Linux Journal, 2004,
            <http://www.linuxjournal.com/article/6943>.
 [Humble1998]
            Humble, "Nestea exploit", 1998,
            <http://www.insecure.org/sploits/
            linux.PalmOS.nestea.html>.
 [IANA_ET]  IANA, "Ether Types",
            <http://www.iana.org/assignments/ethernet-numbers>.
 [IANA_IP_PARAM]
            IANA, "IP Parameters",
            <http://www.iana.org/assignments/ip-parameters>.
 [IANA_PROT_NUM]
            IANA, "Protocol Numbers",
            <http://www.iana.org/assignments/protocol-numbers>.
 [IRIX2008] IRIX, "IRIX 6.5 trusted_networking(7) manual page", 2008,
            <http://techpubs.sgi.com/library/tpl/cgi-bin/
            getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/
            cat7/trusted_networking.z>.
 [Jones2002]
            Jones, R., "A Method Of Selecting Values For the
            Parameters Controlling IP Fragment Reassembly", 2002,
            <ftp://ftp.cup.hp.com/dist/networking/briefs/
            ip_reass_tuning.txt>.
 [Kenney1996]
            Kenney, M., "The Ping of Death Page", 1996,
            <http://www.insecure.org/sploits/ping-o-death.html>.
 [Kent1987] Kent, C. and J. Mogul, "Fragmentation considered harmful",
            Proc. SIGCOMM '87 Vol. 17, No. 5, October 1987, 1987.
 [Klein2007]
            Klein, A., "OpenBSD DNS Cache Poisoning and Multiple O/S
            Predictable IP ID Vulnerability", 2007,
            <http://www.trusteer.com/files/
            OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP
            _ID_Vulnerability.pdf>.

Gont Informational [Page 71] RFC 6274 IPv4 Security Assessment July 2011

 [Kohno2005]
            Kohno, T., Broido, A., and kc. Claffy, "Remote Physical
            Device Fingerprinting", IEEE Transactions on Dependable
            and Secure Computing Vol. 2, No. 2, 2005.
 [LBNL2006] LBNL/NRG, "arpwatch tool", 2006, <http://ee.lbl.gov/>.
 [Linux]    Linux Kernel Organization, "The Linux Kernel Archives",
            <http://www.kernel.org>.
 [Microsoft1999]
            Microsoft, "Microsoft Security Program: Microsoft Security
            Bulletin (MS99-038). Patch Available for "Spoofed Route
            Pointer" Vulnerability", 1999, <http://www.microsoft.com/
            technet/security/bulletin/ms99-038.mspx>.
 [NISCC2004]
            NISCC, "NISCC Vulnerability Advisory 236929: Vulnerability
            Issues in TCP", 2004, <http://www.cpni.gov.uk>.
 [NISCC2005]
            NISCC, "NISCC Vulnerability Advisory 532967/NISCC/ICMP:
            Vulnerability Issues in ICMP packets with TCP payloads",
            2005, <http://www.gont.com.ar/advisories/index.html>.
 [NISCC2006]
            NISCC, "NISCC Technical Note 01/2006: Egress and Ingress
            Filtering", 2006, <http://www.cpni.gov.uk>.
 [Northcutt2000]
            Northcut, S. and Novak, "Network Intrusion Detection - An
            Analyst's Handbook", Second Edition New Riders Publishing,
            2000.
 [Novak2005]
            Novak, "Target-Based Fragmentation Reassembly", 2005,
            <http://www.snort.org/assets/165/target_based_frag.pdf>.
 [OpenBSD-PF]
            Sanfilippo, S., "PF: Scrub (Packet Normalization)", 2010,
            <ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.pdf>.
 [OpenBSD1998]
            OpenBSD, "OpenBSD Security Advisory: IP Source Routing
            Problem", 1998,
            <http://www.openbsd.org/advisories/sourceroute.txt>.

Gont Informational [Page 72] RFC 6274 IPv4 Security Assessment July 2011

 [Paxson2001]
            Paxson, V., Handley, M., and C. Kreibich, "Network
            Intrusion Detection: Evasion, Traffic Normalization, and
            End-to-End Protocol Semantics", USENIX Conference, 2001.
 [Ptacek1998]
            Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial
            of Service: Eluding Network Intrusion Detection", 1998,
            <http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps>.
 [RFC0815]  Clark, D., "IP datagram reassembly algorithms", RFC 815,
            July 1982.
 [RFC1858]  Ziemba, G., Reed, D., and P. Traina, "Security
            Considerations for IP Fragment Filtering", RFC 1858,
            October 1995.
 [RFC2544]  Bradner, S. and J. McQuaid, "Benchmarking Methodology for
            Network Interconnect Devices", RFC 2544, March 1999.
 [RFC3128]  Miller, I., "Protection Against a Variant of the Tiny
            Fragment Attack (RFC 1858)", RFC 3128, June 2001.
 [RFC3530]  Shepler, S., Callaghan, B., Robinson, D., Thurlow, R.,
            Beame, C., Eisler, M., and D. Noveck, "Network File System
            (NFS) version 4 Protocol", RFC 3530, April 2003.
 [RFC4963]  Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
            Errors at High Data Rates", RFC 4963, July 2007.
 [RFC4987]  Eddy, W., "TCP SYN Flooding Attacks and Common
            Mitigations", RFC 4987, August 2007.
 [RFC5559]  Eardley, P., "Pre-Congestion Notification (PCN)
            Architecture", RFC 5559, June 2009.
 [RFC5570]  StJohns, M., Atkinson, R., and G. Thomas, "Common
            Architecture Label IPv6 Security Option (CALIPSO)",
            RFC 5570, July 2009.
 [RFC5670]  Eardley, P., "Metering and Marking Behaviour of PCN-
            Nodes", RFC 5670, November 2009.
 [RFC5696]  Moncaster, T., Briscoe, B., and M. Menth, "Baseline
            Encoding and Transport of Pre-Congestion Information",
            RFC 5696, November 2009.
 [RFC5927]  Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010.

Gont Informational [Page 73] RFC 6274 IPv4 Security Assessment July 2011

 [ROUTER-ALERT]
            Le Faucheur, F., Ed., "IP Router Alert Considerations and
            Usage", Work in Progress, June 2011.
 [SELinux2009]
            NSA, "Security-Enhanced Linux",
            <http://www.nsa.gov/research/selinux/>.
 [Sanfilippo1998a]
            Sanfilippo, S., "about the ip header id", Post to Bugtraq
            mailing-list, Mon Dec 14 1998,
            <http://www.kyuzz.org/antirez/papers/ipid.html>.
 [Sanfilippo1998b]
            Sanfilippo, S., "Idle scan", Post to Bugtraq mailing-list,
            1998, <http://www.kyuzz.org/antirez/papers/dumbscan.html>.
 [Sanfilippo1999]
            Sanfilippo, S., "more ip id", Post to Bugtraq mailing-
            list, 1999,
            <http://www.kyuzz.org/antirez/papers/moreipid.html>.
 [Shankar2003]
            Shankar, U. and V. Paxson, "Active Mapping: Resisting NIDS
            Evasion Without Altering Traffic", 2003,
            <http://www.icir.org/vern/papers/activemap-oak03.pdf>.
 [Shannon2001]
            Shannon, C., Moore, D., and K. Claffy, "Characteristics of
            Fragmented IP Traffic on Internet Links", 2001.
 [Silbersack2005]
            Silbersack, M., "Improving TCP/IP security through
            randomization without sacrificing interoperability",
            EuroBSDCon 2005 Conference, 2005,
            <http://www.silby.com/eurobsdcon05/eurobsdcon_slides.pdf>.
 [Snort]    Sourcefire, Inc., "Snort", <http://www.snort.org>.
 [Solaris2007]
            Oracle, "ORACLE SOLARIS WITH TRUSTED EXTENSIONS", 2007, <h
            ttp://www.oracle.com/us/products/servers-storage/solaris/
            solaris-trusted-ext-ds-075583.pdf>.
 [Song1999] Song, D., "Frag router tool",
            <http://www.monkey.org/~dugsong/fragroute/>.

Gont Informational [Page 74] RFC 6274 IPv4 Security Assessment July 2011

 [SpooferProject]
            MIT ANA, "Spoofer Project", 2010,
            <http://spoofer.csail.mit.edu/index.php>.
 [US-CERT2001]
            US-CERT, "US-CERT Vulnerability Note VU#446689: Check
            Point FireWall-1 allows fragmented packets through
            firewall if Fast Mode is enabled", 2001,
            <http://www.kb.cert.org/vuls/id/446689>.
 [US-CERT2002]
            US-CERT, "US-CERT Vulnerability Note VU#310387: Cisco IOS
            discloses fragments of previous packets when Express
            Forwarding is enabled", 2002.
 [Watson2004]
            Watson, P., "Slipping in the Window: TCP Reset Attacks",
            CanSecWest Conference, 2004.
 [Zakrzewski2002]
            Zakrzewski, M. and I. Haddad, "Linux Distributed Security
            Module", 2002, <http://www.linuxjournal.com/article/6215>.
 [daemon91996]
            daemon9, route, and infinity, "IP-spoofing Demystified
            (Trust-Relationship Exploitation)", Phrack Magazine,
            Volume Seven, Issue Forty-Eight, File 14 of 18, 1988, <htt
            p://www.phrack.org/issues.html?issue=48&id=14&mode=txt>.

Author's Address

 Fernando Gont
 UK Centre for the Protection of National Infrastructure
 EMail: fernando@gont.com.ar
 URI:   http://www.cpni.gov.uk

Gont Informational [Page 75]

/data/webs/external/dokuwiki/data/pages/rfc/rfc6274.txt · Last modified: 2011/07/05 16:44 (external edit)