<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Generated by rfcdiff 1.41: rfcdiff -->
<!-- <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional" > -->
<!-- System: Linux cabernet 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64 GNU/Linux -->
<!-- Using awk: /usr/bin/gawk: GNU Awk 3.1.8 -->
<!-- Using diff: /usr/bin/diff: diff (GNU diffutils) 3.2 -->
<!-- Using wdiff: /usr/bin/wdiff: wdiff (GNU wdiff) 0.6.5 -->
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="Content-Style-Type" content="text/css">
<title>Diff: draft-gont-opsec-ip-options-filtering-03.txt - draft-gont-opsec-ip-options-filtering-04.txt</title>
<style type="text/css">
/* Stylesheet for the side-by-side comparison table in this page: one table row per text line, one cell per document. */
body { margin: 0.4ex; margin-right: auto; }
tr { }
/* white-space: pre plus a monospace font preserves the column layout of the plain-text lines inside each cell. */
td { white-space: pre; font-family: monospace; vertical-align: top; font-size: 0.86em;}
th { font-size: 0.86em; }
.small { font-size: 0.6em; font-style: italic; font-family: Verdana, Helvetica, sans-serif; }
/* Unchanged lines: .left is the cell for the first (older) document, .right the cell for the second (newer) one. */
.left { background-color: #EEE; }
.right { background-color: #FFF; }
.diff { background-color: #CCF; }
/* Changed lines: .lblock is the left-hand cell of a differing row, .rblock the right-hand cell. */
.lblock { background-color: #BFB; }
.rblock { background-color: #FF8; }
/* Word-level changes inside a changed cell: .delete wraps text present only on the left, .insert text present only on the right. */
.insert { background-color: #8FF; }
.delete { background-color: #ACF; }
.void { background-color: #FFB; }
.cont { background-color: #EEE; }
.linebr { background-color: #AAA; }
/* First and last cell of each row; the class name suggests line numbers, but these cells are empty in the rows of this page. */
.lineno { color: red; background-color: #FFF; font-size: 0.7em; text-align: right; padding: 0 2px; }
.elipsis{ background-color: #AAA; }
/* Descendant rules: a .cont element takes a darker shade of the background of the cell kind that encloses it. */
.left .cont { background-color: #DDD; }
.right .cont { background-color: #EEE; }
.lblock .cont { background-color: #9D9; }
.rblock .cont { background-color: #DD6; }
.insert .cont { background-color: #0DD; }
.delete .cont { background-color: #8AD; }
.stats, .stats td, .stats th { background-color: #EEE; padding: 2px 0; }
</style>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr bgcolor="orange"><th></th><th><a href="http://tools.ietf.org/rfcdiff?url2=draft-gont-opsec-ip-options-filtering-03.txt" style="color: rgb(0, 0, 136); text-decoration: none;"><</a> <a href="http://tools.ietf.org/html/draft-gont-opsec-ip-options-filtering-03.txt" style="color: rgb(0, 0, 136);">draft-gont-opsec-ip-options-filtering-03.txt</a> </th><th> </th><th> <a href="http://tools.ietf.org/html/draft-gont-opsec-ip-options-filtering-04.txt" style="color: rgb(0, 0, 136);">draft-gont-opsec-ip-options-filtering-04.txt</a> <a href="http://tools.ietf.org/rfcdiff?url1=draft-gont-opsec-ip-options-filtering-04.txt" style="color: rgb(0, 0, 136); text-decoration: none;">></a></th><th></th></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Operational Security Capabilities for F. Gont</td><td> </td><td class="right">Operational Security Capabilities for F. Gont</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks</td><td> </td><td class="right">IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Internet-Draft R. Atkinson</td><td> </td><td class="right">Internet-Draft R. Atkinson</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Intended status: BCP Consultant</td><td> </td><td class="right">Intended status: BCP Consultant</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0001"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">Expires: <span class="delete">August 20, 2012 </span> C. Pignataro</td><td> </td><td class="rblock">Expires: <span class="insert">September 9, 2012</span> C. Pignataro</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Cisco</td><td> </td><td class="right"> Cisco</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0002"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">February 17</span>, 2012</td><td> </td><td class="rblock"> <span class="insert"> March 8</span>, 2012</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Recommendations on filtering of IPv4 packets containing IPv4 options</td><td> </td><td class="right"> Recommendations on filtering of IPv4 packets containing IPv4 options</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0003"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> draft-gont-opsec-ip-options-filtering-0<span class="delete">3</span>.txt</td><td> </td><td class="rblock"> draft-gont-opsec-ip-options-filtering-0<span class="insert">4</span>.txt</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Abstract</td><td> </td><td class="right">Abstract</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This document document provides advice on the filtering of IPv4</td><td> </td><td class="right"> This document document provides advice on the filtering of IPv4</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> packets based on the IPv4 options they contain. Additionally, it</td><td> </td><td class="right"> packets based on the IPv4 options they contain. Additionally, it</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0004"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> discusses the operational and interoperability implications of <span class="delete">such</span></td><td> </td><td class="rblock"> discusses the operational and interoperability implications of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> filtering.</span></td><td> </td><td class="rblock"> <span class="insert">dropping packets based on the IP options they contain.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Status of this Memo</td><td> </td><td class="right">Status of this Memo</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This Internet-Draft is submitted in full conformance with the</td><td> </td><td class="right"> This Internet-Draft is submitted in full conformance with the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> provisions of BCP 78 and BCP 79.</td><td> </td><td class="right"> provisions of BCP 78 and BCP 79.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Internet-Drafts are working documents of the Internet Engineering</td><td> </td><td class="right"> Internet-Drafts are working documents of the Internet Engineering</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Task Force (IETF). Note that other groups may also distribute</td><td> </td><td class="right"> Task Force (IETF). Note that other groups may also distribute</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> working documents as Internet-Drafts. The list of current Internet-</td><td> </td><td class="right"> working documents as Internet-Drafts. The list of current Internet-</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Drafts is at http://datatracker.ietf.org/drafts/current/.</td><td> </td><td class="right"> Drafts is at http://datatracker.ietf.org/drafts/current/.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Internet-Drafts are draft documents valid for a maximum of six months</td><td> </td><td class="right"> Internet-Drafts are draft documents valid for a maximum of six months</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> and may be updated, replaced, or obsoleted by other documents at any</td><td> </td><td class="right"> and may be updated, replaced, or obsoleted by other documents at any</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> time. It is inappropriate to use Internet-Drafts as reference</td><td> </td><td class="right"> time. It is inappropriate to use Internet-Drafts as reference</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> material or to cite them other than as "work in progress."</td><td> </td><td class="right"> material or to cite them other than as "work in progress."</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0005"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> This Internet-Draft will expire on <span class="delete">August 20</span>, 2012.</td><td> </td><td class="rblock"> This Internet-Draft will expire on <span class="insert">September 9</span>, 2012.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Copyright Notice</td><td> </td><td class="right">Copyright Notice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Copyright (c) 2012 IETF Trust and the persons identified as the</td><td> </td><td class="right"> Copyright (c) 2012 IETF Trust and the persons identified as the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> document authors. All rights reserved.</td><td> </td><td class="right"> document authors. All rights reserved.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This document is subject to BCP 78 and the IETF Trust's Legal</td><td> </td><td class="right"> This document is subject to BCP 78 and the IETF Trust's Legal</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Provisions Relating to IETF Documents</td><td> </td><td class="right"> Provisions Relating to IETF Documents</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> (http://trustee.ietf.org/license-info) in effect on the date of</td><td> </td><td class="right"> (http://trustee.ietf.org/license-info) in effect on the date of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> publication of this document. Please review these documents</td><td> </td><td class="right"> publication of this document. Please review these documents</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l2"><small>skipping to change at</small><em> page 2, line 19</em></a></th><th> </th><th><a name="part-r2"><small>skipping to change at</small><em> page 2, line 19</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3</td><td> </td><td class="right"> 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 1.1. Terminology and Conventions Used in This Document . . . . 3</td><td> </td><td class="right"> 1.1. Terminology and Conventions Used in This Document . . . . 3</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 4</td><td> </td><td class="right"> 2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 4</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 3. General Security Implications of IP options . . . . . . . . . 5</td><td> </td><td class="right"> 3. General Security Implications of IP options . . . . . . . . . 5</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 3.1. Processing Requirements . . . . . . . . . . . . . . . . . 5</td><td> </td><td class="right"> 3.1. Processing Requirements . . . . . . . . . . . . . . . . . 5</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4. Advice on the Handling of Packets with Specific IP Options . . 5</td><td> </td><td class="right"> 4. Advice on the Handling of Packets with Specific IP Options . . 5</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 5</td><td> </td><td class="right"> 4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 5</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.2. No Operation (Type = 1) . . . . . . . . . . . . . . . . . 6</td><td> </td><td class="right"> 4.2. No Operation (Type = 1) . . . . . . . . . . . . . . . . . 6</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 6</td><td> </td><td class="right"> 4.3. Loose Source and Record Route (LSRR) (Type = 131) . . . . 6</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 8</td><td> </td><td class="right"> 4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 8</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0006"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . <span class="delete">8</span></td><td> </td><td class="rblock"> 4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . <span class="insert">9</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 9</td><td> </td><td class="right"> 4.6. Stream Identifier (Type = 136) (obsolete) . . . . . . . . 9</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 10</td><td> </td><td class="right"> 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0007"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . 1<span class="delete">1</span></td><td> </td><td class="rblock"> 4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . 1<span class="insert">2</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 12</td><td> </td><td class="right"> 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 13</td><td> </td><td class="right"> 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 13</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0008"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . <span class="delete">13</span></td><td> </td><td class="rblock"> 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . <span class="insert">14</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.15. Sender Directed Multi-Destination Delivery (Type = 149) . <span class="delete">17</span></td><td> </td><td class="rblock"> 4.15. <span class="insert">VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 4.16.</span> Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . <span class="delete">18</span></td><td> </td><td class="rblock"><span class="insert"> 4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 19</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 4.17.</span> RFC3692-style Experiment (Types = 30, 94, 158, and 222) . <span class="delete">18</span></td><td> </td><td class="rblock"><span class="insert"> 4.17. Address Extension (Type = 147) . . . . . . . . . . . . . . 19</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 4.18.</span> Other IP Options . . . . . . . . . . . . . . . . . . . . . <span class="delete">19</span></td><td> </td><td class="rblock"><span class="insert"> 4.18.</span> Sender Directed Multi-Destination Delivery (Type = 149) . <span class="insert">20</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <span class="delete">20</span></td><td> </td><td class="rblock"><span class="insert"> 4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 20</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 6. Security Considerations . . . . . . . . . . . . . . . . . . . <span class="delete">20</span></td><td> </td><td class="rblock"><span class="insert"> 4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . . 21</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">20</span></td><td> </td><td class="rblock"><span class="insert"> 4.21.</span> Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . <span class="insert">21</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">20</span></td><td> </td><td class="rblock"><span class="insert"> 4.22.</span> RFC3692-style Experiment (Types = 30, 94, 158, and 222) . <span class="insert">23</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 8.1. Normative References . . . . . . . . . . . . . . . . . . . <span class="delete">20</span></td><td> </td><td class="rblock"><span class="insert"> 4.23.</span> Other IP Options . . . . . . . . . . . . . . . . . . . . . <span class="insert">23</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 8.2. Informative References . . . . . . . . . . . . . . . . . . <span class="delete">21</span></td><td> </td><td class="rblock"> 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <span class="insert">24</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">23</span></td><td> </td><td class="rblock"> 6. Security Considerations . . . . . . . . . . . . . . . . . . . <span class="insert">24</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">24</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">25</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> 8.1. Normative References . . . . . . . . . . . . . . . . . . . <span class="insert">25</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> 8.2. Informative References . . . . . . . . . . . . . . . . . . <span class="insert">25</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">28</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">1. Introduction</td><td> </td><td class="right">1. Introduction</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This document document discusses the filtering of IPv4 packets based</td><td> </td><td class="right"> This document document discusses the filtering of IPv4 packets based</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> on the IPv4 options they contain. Since various protocols may use</td><td> </td><td class="right"> on the IPv4 options they contain. Since various protocols may use</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0009"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> IPv4 options to some extent, <span class="delete">the filtering of</span> packets based on the</td><td> </td><td class="rblock"> IPv4 options to some extent, <span class="insert">dropping</span> packets based on the options</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> options they contain may have implications on the proper functioning</td><td> </td><td class="rblock"> they contain may have implications on the proper functioning of the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> of the protocol. Therefore, this document attempts to discuss the</td><td> </td><td class="rblock"> protocol. Therefore, this document attempts to discuss the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> operational and interoperability implications of such <span class="delete">filtering.</span></td><td> </td><td class="rblock"> operational and interoperability implications of such <span class="insert">dropping.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Additionally, it outlines what a network operator might do in a</td><td> </td><td class="right"> Additionally, it outlines what a network operator might do in a</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> typical enterprise or Service Provider environments.</td><td> </td><td class="right"> typical enterprise or Service Provider environments.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> We note that data seems to indicate that there is a current</td><td> </td><td class="right"> We note that data seems to indicate that there is a current</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> widespread practice of blocking IPv4 optioned packets. There are</td><td> </td><td class="right"> widespread practice of blocking IPv4 optioned packets. There are</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> various plausible approaches to minimize the potential negative</td><td> </td><td class="right"> various plausible approaches to minimize the potential negative</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> effects of IPv4 optioned packets while allowing some options</td><td> </td><td class="right"> effects of IPv4 optioned packets while allowing some options</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> semantics. One approach is to allow for specific options that are</td><td> </td><td class="right"> semantics. One approach is to allow for specific options that are</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> expected or needed, and a default deny. A different approach is to</td><td> </td><td class="right"> expected or needed, and a default deny. A different approach is to</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> deny unneeded options and a default allow. Yet a third possible</td><td> </td><td class="right"> deny unneeded options and a default allow. Yet a third possible</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> approach is to allow for end-to-end semantics by ignoring options and</td><td> </td><td class="right"> approach is to allow for end-to-end semantics by ignoring options and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> treating packets as un-optioned while in transit. Experiments and</td><td> </td><td class="right"> treating packets as un-optioned while in transit. Experiments and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> currently-available data tends to support the first or third</td><td> </td><td class="right"> currently-available data tends to support the first or third</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> approaches as more realistic. Some results of regarding the current</td><td> </td><td class="right"> approaches as more realistic. Some results of regarding the current</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0010"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> state of affairs with respect to <span class="delete">filtering of</span> packets containing IP</td><td> </td><td class="rblock"> state of affairs with respect to <span class="insert">dropping</span> packets containing IP</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> options can be found in [MEDINA].</td><td> </td><td class="right"> options can be found in [MEDINA].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0011"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> We also note that while this document provides advice on <span class="delete">filtering</span></td><td> </td><td class="rblock"> We also note that while this document provides advice on <span class="insert">dropping</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> packets on a "per IP option type", not all devices may provide</td><td> </td><td class="rblock"> packets on a "per IP option type", not all devices may provide <span class="insert">this</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">filtering capabilities</span> with such granularity. Additionally, even in</td><td> </td><td class="rblock"><span class="insert"> capability</span> with such granularity. Additionally, even in cases in</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> cases in which such functionality is provided, the operator might</td><td> </td><td class="rblock"> which such functionality is provided, the operator might want to</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> want to specify a <span class="delete">filtering</span> policy with a coarser granularity (rather</td><td> </td><td class="rblock"> specify a <span class="insert">dropping</span> policy with a coarser granularity (rather than on</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> than on a "per IP option type" granularity), as indicated above.</td><td> </td><td class="rblock"> a "per IP option type" granularity), as indicated above.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Finally, in scenarios in which processing of IP options by</td><td> </td><td class="right"> Finally, in scenarios in which processing of IP options by</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> intermediate systems is not required, a widespread approach is to</td><td> </td><td class="right"> intermediate systems is not required, a widespread approach is to</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> simply ignore IP options, and process the corresponding packets as if</td><td> </td><td class="right"> simply ignore IP options, and process the corresponding packets as if</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> they do not contain any IP options.</td><td> </td><td class="right"> they do not contain any IP options.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">1.1. Terminology and Conventions Used in This Document</td><td> </td><td class="right">1.1. Terminology and Conventions Used in This Document</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The terms "fast path", "slow path", and associated relative terms</td><td> </td><td class="right"> The terms "fast path", "slow path", and associated relative terms</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> ("faster path" and "slower path") are loosely defined as in Section 2</td><td> </td><td class="right"> ("faster path" and "slower path") are loosely defined as in Section 2</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l3"><small>skipping to change at</small><em> page 5, line 25</em></a></th><th> </th><th><a name="part-r3"><small>skipping to change at</small><em> page 5, line 25</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> the option processing to overwhelm the router's CPU or the protocols</td><td> </td><td class="right"> the option processing to overwhelm the router's CPU or the protocols</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> processed in the router's slow path. Additional considerations for</td><td> </td><td class="right"> processed in the router's slow path. Additional considerations for</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> protecting the router control plane from IP optioned packets can be</td><td> </td><td class="right"> protecting the router control plane from IP optioned packets can be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> found in [RFC6192].</td><td> </td><td class="right"> found in [RFC6192].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4. Advice on the Handling of Packets with Specific IP Options</td><td> </td><td class="right">4. Advice on the Handling of Packets with Specific IP Options</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The following subsections contain a description of each of the IP</td><td> </td><td class="right"> The following subsections contain a description of each of the IP</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> options that have so far been specified, a discussion of possible</td><td> </td><td class="right"> options that have so far been specified, a discussion of possible</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> interoperability implications if packets containing such options are</td><td> </td><td class="right"> interoperability implications if packets containing such options are</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0012"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">filtered, and specific advice on whether to filter</span> packets containing</td><td> </td><td class="rblock"> <span class="insert">dropped, and specific advice on whether to drop</span> packets containing</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> these options in a typical enterprise or Service Provider</td><td> </td><td class="right"> these options in a typical enterprise or Service Provider</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> environment.</td><td> </td><td class="right"> environment.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1. End of Option List (Type = 0)</td><td> </td><td class="right">4.1. End of Option List (Type = 0)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1.1. Uses</td><td> </td><td class="right">4.1.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option is used to indicate the "end of options" in those cases</td><td> </td><td class="right"> This option is used to indicate the "end of options" in those cases</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> in which the end of options would not coincide with the end of the</td><td> </td><td class="right"> in which the end of options would not coincide with the end of the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Internet Protocol Header.</td><td> </td><td class="right"> Internet Protocol Header.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l4"><small>skipping to change at</small><em> page 5, line 50</em></a></th><th> </th><th><a name="part-r4"><small>skipping to change at</small><em> page 5, line 50</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1.3. Threats</td><td> </td><td class="right">4.1.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> No security issues are known for this option, other than the general</td><td> </td><td class="right"> No security issues are known for this option, other than the general</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications of IP options discussed in Section 3.</td><td> </td><td class="right"> security implications of IP options discussed in Section 3.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.1.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Packets containing any IP options are likely to include an End of</td><td> </td><td class="right"> Packets containing any IP options are likely to include an End of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Option List. Therefore, if packets containing this option are</td><td> </td><td class="right"> Option List. Therefore, if packets containing this option are</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0013"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">filtered, it is very likely that legitimate traffic is filter</span>ed.</td><td> </td><td class="rblock"> <span class="insert">dropped, it is very likely that legitimate traffic is block</span>ed.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1.5. Advice</td><td> </td><td class="right">4.1.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0014"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Do not <span class="delete">filter</span> packets containing this option.</td><td> </td><td class="rblock"> Do not <span class="insert">drop</span> packets containing this option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2. No Operation (Type = 1)</td><td> </td><td class="right">4.2. No Operation (Type = 1)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.1. Uses</td><td> </td><td class="right">4.2.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The no-operation option is basically meant to allow the sending</td><td> </td><td class="right"> The no-operation option is basically meant to allow the sending</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> system to align subsequent options in, for example, 32-bit</td><td> </td><td class="right"> system to align subsequent options in, for example, 32-bit</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> boundaries.</td><td> </td><td class="right"> boundaries.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.2. Option Specification</td><td> </td><td class="right">4.2.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l5"><small>skipping to change at</small><em> page 6, line 30</em></a></th><th> </th><th><a name="part-r5"><small>skipping to change at</small><em> page 6, line 30</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.3. Threats</td><td> </td><td class="right">4.2.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> No security issues are known for this option, other than the general</td><td> </td><td class="right"> No security issues are known for this option, other than the general</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications of IP options discussed in Section 3.</td><td> </td><td class="right"> security implications of IP options discussed in Section 3.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.2.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Packets containing any IP options are likely to include a No</td><td> </td><td class="right"> Packets containing any IP options are likely to include a No</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Operation option. Therefore, if packets containing this option are</td><td> </td><td class="right"> Operation option. Therefore, if packets containing this option are</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0015"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">filtered, it is very likely that legitimate traffic is filter</span>ed.</td><td> </td><td class="rblock"> <span class="insert">dropped, it is very likely that legitimate traffic is block</span>ed.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.5. Advice</td><td> </td><td class="right">4.2.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0016"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Do not <span class="delete">filter</span> packets containing this option.</td><td> </td><td class="rblock"> Do not <span class="insert">drop</span> packets containing this option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.3. Loose Source and Record Route (LSRR) (Type = 131)</td><td> </td><td class="right">4.3. Loose Source and Record Route (LSRR) (Type = 131)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> RFC 791 states that this option should appear, at most, once in a</td><td> </td><td class="right"> RFC 791 states that this option should appear, at most, once in a</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> given packet. Thus, if a packet contains more than one LSRR option,</td><td> </td><td class="right"> given packet. Thus, if a packet contains more than one LSRR option,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> it should be dropped, and this event should be logged (e.g., a</td><td> </td><td class="right"> it should be dropped, and this event should be logged (e.g., a</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> counter could be incremented to reflect the packet drop).</td><td> </td><td class="right"> counter could be incremented to reflect the packet drop).</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Additionally, packets containing a combination of LSRR and SSRR</td><td> </td><td class="right"> Additionally, packets containing a combination of LSRR and SSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> options should be dropped, and this event should be logged (e.g., a</td><td> </td><td class="right"> options should be dropped, and this event should be logged (e.g., a</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> counter could be incremented to reflect the packet drop).</td><td> </td><td class="right"> counter could be incremented to reflect the packet drop).</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l6"><small>skipping to change at</small><em> page 7, line 41</em></a></th><th> </th><th><a name="part-r6"><small>skipping to change at</small><em> page 7, line 41</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> method for performing bandwidth-exhaustion attacks, as an attacker</td><td> </td><td class="right"> method for performing bandwidth-exhaustion attacks, as an attacker</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> could make a packet bounce multiple times between a number of systems</td><td> </td><td class="right"> could make a packet bounce multiple times between a number of systems</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> by carefully crafting an LSRR option.</td><td> </td><td class="right"> by carefully crafting an LSRR option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This is the IPv4-version of the IPv6 amplification attack that was</td><td> </td><td class="right"> This is the IPv4-version of the IPv6 amplification attack that was</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> widely publicized in 2007 [Biondi2007]. The only difference is</td><td> </td><td class="right"> widely publicized in 2007 [Biondi2007]. The only difference is</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> that the maximum length of the IPv4 header (and hence the LSRR</td><td> </td><td class="right"> that the maximum length of the IPv4 header (and hence the LSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option) limits the amplification factor when compared to the IPv6</td><td> </td><td class="right"> option) limits the amplification factor when compared to the IPv6</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> counter-part.</td><td> </td><td class="right"> counter-part.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0017"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">Additionally, some implementations have been found to fail to include</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> proper sanity checks on the LSRR option, thus leading to security</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> issues.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [Microsoft1999] is a security advisory about a vulnerability</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> arising from improper validation of the Pointer field of the LSRR</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Finally, we note that some systems were known for providing a system-</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> wide toggle to enable support for this option for those scenarios in</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> which this option is required. However, improper implementation of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> such system-wide toggle caused those systems to support the LSRR</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> option even when explicitly configured not to do so.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [OpenBSD1998] is a security advisory about an improper</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> implementation of such a system-wide toggle in 4.4BSD kernels.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.3.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.3.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Network troubleshooting techniques that may employ the LSRR option</td><td> </td><td class="right"> Network troubleshooting techniques that may employ the LSRR option</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> (such as ping or traceroute) would break. Nevertheless, it should be</td><td> </td><td class="right"> (such as ping or traceroute) would break. Nevertheless, it should be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> noted that it is virtually impossible to use such techniques due to</td><td> </td><td class="right"> noted that it is virtually impossible to use such techniques due to</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0018"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> widespread <span class="delete">filtering of the</span> LSRR option.</td><td> </td><td class="rblock"> widespread <span class="insert">dropping of packets that contain an</span> LSRR option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.3.5. Advice</td><td> </td><td class="right">4.3.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> All systems should, by default, drop IP packets that contain an LSRR</td><td> </td><td class="right"> All systems should, by default, drop IP packets that contain an LSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option.</td><td> </td><td class="right"> option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4. Strict Source and Record Route (SSRR) (Type = 137)</td><td> </td><td class="right">4.4. Strict Source and Record Route (SSRR) (Type = 137)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4.1. Uses</td><td> </td><td class="right">4.4.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l7"><small>skipping to change at</small><em> page 8, line 39</em></a></th><th> </th><th><a name="part-r7"><small>skipping to change at</small><em> page 9, line 10</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The SSRR option has the same security implications as the LSRR</td><td> </td><td class="right"> The SSRR option has the same security implications as the LSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option. Please refer to Section 4.3 for a discussion of such</td><td> </td><td class="right"> option. Please refer to Section 4.3 for a discussion of such</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications.</td><td> </td><td class="right"> security implications.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.4.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Network troubleshooting techniques that may employ the SSRR option</td><td> </td><td class="right"> Network troubleshooting techniques that may employ the SSRR option</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> (such as ping or traceroute) would break. Nevertheless, it should be</td><td> </td><td class="right"> (such as ping or traceroute) would break. Nevertheless, it should be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> noted that it is virtually impossible to use such techniques due to</td><td> </td><td class="right"> noted that it is virtually impossible to use such techniques due to</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0019"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> widespread <span class="delete">filtering of the SSRR option</span>.</td><td> </td><td class="rblock"> widespread <span class="insert">dropping of packets that contain SSRR options</span>.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4.5. Advice</td><td> </td><td class="right">4.4.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> All systems should, by default, drop IP packets that contain an SSRR</td><td> </td><td class="right"> All systems should, by default, drop IP packets that contain an SSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option.</td><td> </td><td class="right"> option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5. Record Route (Type = 7)</td><td> </td><td class="right">4.5. Record Route (Type = 7)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5.1. Uses</td><td> </td><td class="right">4.5.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l8"><small>skipping to change at</small><em> page 9, line 20</em></a></th><th> </th><th><a name="part-r8"><small>skipping to change at</small><em> page 9, line 39</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option can be exploited to map the topology of a network.</td><td> </td><td class="right"> This option can be exploited to map the topology of a network.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> However, the limited space in the IP header limits the usefulness of</td><td> </td><td class="right"> However, the limited space in the IP header limits the usefulness of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> this option for that purpose.</td><td> </td><td class="right"> this option for that purpose.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.5.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Network troubleshooting techniques that may employ the RR option</td><td> </td><td class="right"> Network troubleshooting techniques that may employ the RR option</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> (such as ping with the RR option) would break. Nevertheless, it</td><td> </td><td class="right"> (such as ping with the RR option) would break. Nevertheless, it</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> should be noted that it is virtually impossible to use such</td><td> </td><td class="right"> should be noted that it is virtually impossible to use such</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0020"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> techniques due to widespread <span class="delete">filtering</span> of <span class="delete">the</span> RR <span class="delete">option.</span></td><td> </td><td class="rblock"> techniques due to widespread <span class="insert">dropping</span> of <span class="insert">packets that contain</span> RR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">options.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5.5. Advice</td><td> </td><td class="right">4.5.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Drop IP packets that contain a Record Route option.</td><td> </td><td class="right"> Drop IP packets that contain a Record Route option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6. Stream Identifier (Type = 136) (obsolete)</td><td> </td><td class="right">4.6. Stream Identifier (Type = 136) (obsolete)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The Stream Identifier option originally provided a means for the 16-</td><td> </td><td class="right"> The Stream Identifier option originally provided a means for the 16-</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> bit SATNET stream Identifier to be carried through networks that did</td><td> </td><td class="right"> bit SATNET stream Identifier to be carried through networks that did</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> not support the stream concept.</td><td> </td><td class="right"> not support the stream concept.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l9"><small>skipping to change at</small><em> page 10, line 16</em></a></th><th> </th><th><a name="part-r9"><small>skipping to change at</small><em> page 10, line 33</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> No security issues are known for this option, other than the general</td><td> </td><td class="right"> No security issues are known for this option, other than the general</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications of IP options discussed in Section 3.</td><td> </td><td class="right"> security implications of IP options discussed in Section 3.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.6.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> None.</td><td> </td><td class="right"> None.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6.5. Advice</td><td> </td><td class="right">4.6.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0021"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Filter</span> IP packets that contain a Stream Identifier option.</td><td> </td><td class="rblock"> <span class="insert">Drop</span> IP packets that contain a Stream Identifier option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7. Internet Timestamp (Type = 68)</td><td> </td><td class="right">4.7. Internet Timestamp (Type = 68)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7.1. Uses</td><td> </td><td class="right">4.7.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option provides a means for recording the time at which each</td><td> </td><td class="right"> This option provides a means for recording the time at which each</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> system processed this datagram.</td><td> </td><td class="right"> system processed this datagram.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7.2. Option Specification</td><td> </td><td class="right">4.7.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l10"><small>skipping to change at</small><em> page 11, line 12</em></a></th><th> </th><th><a name="part-r10"><small>skipping to change at</small><em> page 11, line 31</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> request messages [RFC0791]. However, the same fingerprinting method</td><td> </td><td class="right"> request messages [RFC0791]. However, the same fingerprinting method</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> could be implemented with the aid of the Internet Timestamp option.</td><td> </td><td class="right"> could be implemented with the aid of the Internet Timestamp option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.7.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> No security issues are known for this option, other than the general</td><td> </td><td class="right"> No security issues are known for this option, other than the general</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications of IP options discussed in Section 3.</td><td> </td><td class="right"> security implications of IP options discussed in Section 3.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7.5. Advice</td><td> </td><td class="right">4.7.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0022"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Filter</span> IP packets that contain an Internet Timestamp option.</td><td> </td><td class="rblock"> <span class="insert">Drop</span> IP packets that contain an Internet Timestamp option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8. Router Alert (Type = 148)</td><td> </td><td class="right">4.8. Router Alert (Type = 148)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.1. Uses</td><td> </td><td class="right">4.8.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The Router Alert option has the semantic "routers should examine this</td><td> </td><td class="right"> The Router Alert option has the semantic "routers should examine this</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> packet more closely, if they participate in the functionality denoted</td><td> </td><td class="right"> packet more closely, if they participate in the functionality denoted</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> by the Value of the option".</td><td> </td><td class="right"> by the Value of the option".</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.2. Option Specification</td><td> </td><td class="right">4.8.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
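Review bot: Section 4.7.4, "Operational and Interoperability Impact if Blocked", still reads "No security issues are known for this option, other than the general security implications of IP options discussed in Section 3", which does not say what breaks when the option is blocked. It also sits oddly after the fingerprinting discussion that ends just above it. With 4.7.5 now reading "Drop IP packets that contain an Internet Timestamp option", an operator has no stated impact to weigh against that advice. The sentence looks copied from a security-implications subsection; I would replace it with an impact statement in the style of 4.5.4, along the lines of `Network troubleshooting techniques that may employ the Internet Timestamp option would break.`, for the authors to confirm. The subsection that precedes 4.7.4 starts outside this hunk.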
<tr bgcolor="gray"><td></td><th><a name="part-l11"><small>skipping to change at</small><em> page 11, line 42</em></a></th><th> </th><th><a name="part-r11"><small>skipping to change at</small><em> page 12, line 12</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> might be exploited to perform a Denial of Service (DoS) attack by</td><td> </td><td class="right"> might be exploited to perform a Denial of Service (DoS) attack by</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> exhausting CPU resources at the processing routers.</td><td> </td><td class="right"> exhausting CPU resources at the processing routers.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.8.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Applications that employ the Router Alert option (such as RSVP</td><td> </td><td class="right"> Applications that employ the Router Alert option (such as RSVP</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [RFC2205]) would break.</td><td> </td><td class="right"> [RFC2205]) would break.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.5. Advice</td><td> </td><td class="right">4.8.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0023"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> This option <span class="delete">should</span> be allowed only <span class="delete">on</span> controlled environments, where</td><td> </td><td class="rblock"> This option <span class="insert">SHOULD</span> be allowed only <span class="insert">in</span> controlled environments, where</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> the option can be used <span class="delete">safely ([RFC6398]</span> identifies such</td><td> </td><td class="rblock"> the option can be used <span class="insert">safely. [RFC6398]</span> identifies <span class="insert">some</span> such</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">environments).</span> In <span class="delete">other</span> environments, packets containing this option</td><td> </td><td class="rblock"> <span class="insert">environments.</span> In <span class="insert">unsafe</span> environments, packets containing this option</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">should</span> be dropped.</td><td> </td><td class="rblock"> <span class="insert">SHOULD</span> be dropped.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">A given router, security gateway, or firewall system has no way of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> knowing a priori whether this option is valid in its operational</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> environment. So, systems SHOULD have a configuration setting that</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> indicates whether packets containing this option are dropped or not,</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> with the default configuration being to NOT DROP such packets.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.9. Probe MTU (Type = 11) (obsolete)</td><td> </td><td class="right">4.9. Probe MTU (Type = 11) (obsolete)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.9.1. Uses</td><td> </td><td class="right">4.9.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option originally provided a mechanism to discover the Path-MTU.</td><td> </td><td class="right"> This option originally provided a mechanism to discover the Path-MTU.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> It has been declared obsolete.</td><td> </td><td class="right"> It has been declared obsolete.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.9.2. Option Specification</td><td> </td><td class="right">4.9.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
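Review bot: The paragraph added at the end of 4.8.5 sets the default to "NOT DROP", which leaves a device deployed without tuning fail-open for Router Alert. That follows directly on text saying such packets SHOULD be dropped in unsafe environments, and on the text just above 4.8.4 describing a DoS that exhausts CPU at the processing routers. If the default is deliberate (presumably to avoid breaking RSVP, per 4.8.4), the paragraph should state that reason and tell operators of environments where the option cannot be used safely to change the setting. "NOT DROP" is also capitalised like a requirement keyword but is not one; I would write the clause as `with the default configuration being to forward such packets` and keep the normative SHOULD on the existence of the setting.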
<tr bgcolor="gray"><td></td><th><a name="part-l12"><small>skipping to change at</small><em> page 12, line 22</em></a></th><th> </th><th><a name="part-r12"><small>skipping to change at</small><em> page 12, line 47</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> No security issues are known for this option, other than the general</td><td> </td><td class="right"> No security issues are known for this option, other than the general</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications of IP options discussed in Section 3.</td><td> </td><td class="right"> security implications of IP options discussed in Section 3.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.9.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.9.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> None</td><td> </td><td class="right"> None</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.9.5. Advice</td><td> </td><td class="right">4.9.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0024"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Filter</span> IP packets that contain a Probe MTU option.</td><td> </td><td class="rblock"> <span class="insert">Drop</span> IP packets that contain a Probe MTU option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.10. Reply MTU (Type = 12) (obsolete)</td><td> </td><td class="right">4.10. Reply MTU (Type = 12) (obsolete)</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0025"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> </span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.10.1. Uses</td><td> </td><td class="right">4.10.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option and originally provided a mechanism to discover the Path-</td><td> </td><td class="right"> This option and originally provided a mechanism to discover the Path-</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> MTU. It is now obsolete.</td><td> </td><td class="right"> MTU. It is now obsolete.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.10.2. Option Specification</td><td> </td><td class="right">4.10.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option was originally defined in RFC 1063 [RFC1063], and was</td><td> </td><td class="right"> This option was originally defined in RFC 1063 [RFC1063], and was</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as</td><td> </td><td class="right"> obsoleted with RFC 1191 [RFC1191]. This option is now obsolete, as</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> RFC 1191 obsoletes RFC 1063 without using IP options.</td><td> </td><td class="right"> RFC 1191 obsoletes RFC 1063 without using IP options.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
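Review bot: The first sentence of 4.10.1 reads "This option and originally provided a mechanism to discover the Path-MTU" on both sides, so the stray "and" survives this revision. The only change to 4.10 here is the removed blank line under the heading. The sentence should read `This option originally provided a mechanism to discover the Path-MTU.`, matching 4.9.1. Section 4.10.2 also says twice in two sentences that the option is obsolete and could be reduced to one statement.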
<tr bgcolor="gray"><td></td><th><a name="part-l13"><small>skipping to change at</small><em> page 12, line 48</em></a></th><th> </th><th><a name="part-r13"><small>skipping to change at</small><em> page 13, line 26</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> No security issues are known for this option, other than the general</td><td> </td><td class="right"> No security issues are known for this option, other than the general</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications of IP options discussed in Section 3.</td><td> </td><td class="right"> security implications of IP options discussed in Section 3.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.10.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.10.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> None</td><td> </td><td class="right"> None</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.10.5. Advice</td><td> </td><td class="right">4.10.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0026"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Filter</span> IP packets that contain a Reply MTU option.</td><td> </td><td class="rblock"> <span class="insert">Drop</span> IP packets that contain a Reply MTU option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.11. Traceroute (Type = 82)</td><td> </td><td class="right">4.11. Traceroute (Type = 82)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.11.1. Uses</td><td> </td><td class="right">4.11.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option originally provided a mechanism to trace the path to a</td><td> </td><td class="right"> This option originally provided a mechanism to trace the path to a</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> host.</td><td> </td><td class="right"> host.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.11.2. Option Specification</td><td> </td><td class="right">4.11.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option was originally specified by RFC 1393 [RFC1393]. The</td><td> </td><td class="right"> This option was originally specified by RFC 1393 [RFC1393]. The</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Traceroute option is defined as "experimental" and it was never</td><td> </td><td class="right"> Traceroute option is defined as "experimental" and it was never</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0027"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> deployed on the public Internet.</td><td> </td><td class="rblock"> <span class="insert">widely </span>deployed on the public Internet.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.11.3. Threats</td><td> </td><td class="right">4.11.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> No security issues are known for this option, other than the general</td><td> </td><td class="right"> No security issues are known for this option, other than the general</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications of IP options discussed in Section 3.</td><td> </td><td class="right"> security implications of IP options discussed in Section 3.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.11.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.11.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> None</td><td> </td><td class="right"> None</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.11.5. Advice</td><td> </td><td class="right">4.11.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0028"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Filter</span> IP packets that contain a Traceroute option.</td><td> </td><td class="rblock"> <span class="insert">Drop</span> IP packets that contain a Traceroute option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12. DoD Basic Security Option (Type = 130)</td><td> </td><td class="right">4.12. DoD Basic Security Option (Type = 130)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.1. Uses</td><td> </td><td class="right">4.12.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option is used by Multi-Level-Secure (MLS) end-systems and</td><td> </td><td class="right"> This option is used by Multi-Level-Secure (MLS) end-systems and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> intermediate systems in specific environments to [RFC1108]:</td><td> </td><td class="right"> intermediate systems in specific environments to [RFC1108]:</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> o Transmit from source to destination in a network standard</td><td> </td><td class="right"> o Transmit from source to destination in a network standard</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> representation the common security labels required by computer</td><td> </td><td class="right"> representation the common security labels required by computer</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
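Review bot: The advice lines in Sections 4.10.5 and 4.11.5 now read `Drop IP packets that contain a Reply MTU option.` and `Drop IP packets that contain a Traceroute option.`, with no subject and no requirement-level keyword. The advice in Section 4.12.5 of this same revision is worded as `A router or firewall SHOULD NOT by default ...`, so a reader cannot tell whether these two lines are a requirement or a recommendation, or which devices they apply to. If a recommendation is intended, wording such as `Routers and firewalls SHOULD drop IP packets that contain a Traceroute option.` (and likewise for Reply MTU) would make that explicit. The intended strength cannot be determined from this part of the diff.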
<tr bgcolor="gray"><td></td><th><a name="part-l14"><small>skipping to change at</small><em> page 14, line 16</em></a></th><th> </th><th><a name="part-r14"><small>skipping to change at</small><em> page 14, line 43</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> commercial off-the-shelf (COTS) IP routers and Ethernet switches, but</td><td> </td><td class="right"> commercial off-the-shelf (COTS) IP routers and Ethernet switches, but</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> are not normally interconnected with the global public Internet.</td><td> </td><td class="right"> are not normally interconnected with the global public Internet.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option probably has more deployment now than when the IESG</td><td> </td><td class="right"> This option probably has more deployment now than when the IESG</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> removed this option from the IETF standards-track. [RFC5570]</td><td> </td><td class="right"> removed this option from the IETF standards-track. [RFC5570]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> describes a similar option recently defined for IPv6 and has much</td><td> </td><td class="right"> describes a similar option recently defined for IPv6 and has much</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> more detailed explanations of how sensitivity label options are used</td><td> </td><td class="right"> more detailed explanations of how sensitivity label options are used</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> in real-world deployments.</td><td> </td><td class="right"> in real-world deployments.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.2. Option Specification</td><td> </td><td class="right">4.12.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0029"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> It is specified by RFC 1108 <span class="delete">[RFC1108].</span></td><td> </td><td class="rblock"> It is specified by RFC 1108 <span class="insert">[RFC1108]], which obsoleted RFC 1038</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [RFC1038] (which in turn obsoleted the Security Option defined in RFC</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> 791 [RFC0791]).</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> RFC 791 [RFC0791] defined the "Security Option" (Type = 130),</td><td> </td><td class="right"> RFC 791 [RFC0791] defined the "Security Option" (Type = 130),</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> which used the same option type as the DoD Basic Security option</td><td> </td><td class="right"> which used the same option type as the DoD Basic Security option</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> discussed in this section. Later, RFC 1038 [RFC1038] revised the</td><td> </td><td class="right"> discussed in this section. Later, RFC 1038 [RFC1038] revised the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> IP security options, and in turn was obsoleted by RFC 1108</td><td> </td><td class="right"> IP security options, and in turn was obsoleted by RFC 1108</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [RFC1108]. The "Security Option" specified in RFC 791 is</td><td> </td><td class="right"> [RFC1108]. The "Security Option" specified in RFC 791 is</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122] and</td><td> </td><td class="right"> considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122] and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Section 4.2.2.1 of RFC 1812 [RFC1812], and therefore the</td><td> </td><td class="right"> Section 4.2.2.1 of RFC 1812 [RFC1812], and therefore the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> discussion in this section is focused on the DoD Basic Security</td><td> </td><td class="right"> discussion in this section is focused on the DoD Basic Security</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option specified by RFC 1108 [RFC1108].</td><td> </td><td class="right"> option specified by RFC 1108 [RFC1108].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement</td><td> </td><td class="right"> Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> this option".</td><td> </td><td class="right"> this option".</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0030"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Many Cisco routers that run Cisco IOS include support <span class="delete">for per-</span></td><td> </td><td class="rblock"> Many Cisco routers that run Cisco IOS include support <span class="insert">dropping</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> interface packet filtering of IP</span> packets <span class="delete">containing</span> this <span class="delete">option.</span></td><td> </td><td class="rblock"> packets <span class="insert">that contain</span> this <span class="insert">option with per-interface granularity.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This capability has been present in many Cisco routers since the</td><td> </td><td class="right"> This capability has been present in many Cisco routers since the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> early 1990s [Cisco-IPSO-Cmds]. Some governmental products</td><td> </td><td class="right"> early 1990s [Cisco-IPSO-Cmds]. Some governmental products</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0031"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> reportedly support <span class="delete">IPSO,</span> notably CANEWARE [RFC4949]. Support for</td><td> </td><td class="rblock"> reportedly support <span class="insert">BSO,</span> notably CANEWARE [RFC4949]. Support for</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">IPSO</span> is included in the "IPsec Configuration Policy Information</td><td> </td><td class="rblock"> <span class="insert">BSO</span> is included in the "IPsec Configuration Policy Information</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Model" [RFC3585] and in the "IPsec Security Policy Database</td><td> </td><td class="right"> Model" [RFC3585] and in the "IPsec Security Policy Database</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Configuration MIB" [RFC4807].</td><td> </td><td class="right"> Configuration MIB" [RFC4807].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.3. Threats</td><td> </td><td class="right">4.12.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Presence of this option in a packet does not by itself create any</td><td> </td><td class="right"> Presence of this option in a packet does not by itself create any</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> specific new threat (other than the usual generic issues that might</td><td> </td><td class="right"> specific new threat (other than the usual generic issues that might</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> be created if packets with options are forwarded via the "slow</td><td> </td><td class="right"> be created if packets with options are forwarded via the "slow</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> path"). Packets with this option ought not normally be seen on the</td><td> </td><td class="right"> path"). Packets with this option ought not normally be seen on the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> global public Internet.</td><td> </td><td class="right"> global public Internet.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
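Review bot: The rewritten sentences in Section 4.12.2 introduce two wording slips on the new side. The citation now reads `[RFC1108]], which obsoleted RFC 1038` with a doubled closing bracket, and `include support dropping packets that contain this option` has lost the word "for". The parallel sentence in Section 4.13.2 keeps `include support for dropping` but ends `with a per-interface granularity`, where this one has `with per-interface granularity`. Suggested text for both sections: `It is specified by RFC 1108 [RFC1108], which obsoleted RFC 1038` and `include support for dropping packets that contain this option with per-interface granularity`. The added clause also repeats the RFC 791 / RFC 1038 / RFC 1108 history that the indented note directly below it already gives, so one of the two could be dropped.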
<tr bgcolor="gray"><td></td><th><a name="part-l15"><small>skipping to change at</small><em> page 15, line 16</em></a></th><th> </th><th><a name="part-r15"><small>skipping to change at</small><em> page 15, line 44</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> the packet but associate an incorrect sensitivity label with the</td><td> </td><td class="right"> the packet but associate an incorrect sensitivity label with the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> received data from the packet whose BSO was stripped by an</td><td> </td><td class="right"> received data from the packet whose BSO was stripped by an</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> intermediate router or firewall. Associating an incorrect</td><td> </td><td class="right"> intermediate router or firewall. Associating an incorrect</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> sensitivity label can cause the received information either to be</td><td> </td><td class="right"> sensitivity label can cause the received information either to be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> handled as more sensitive than it really is ("upgrading") or as less</td><td> </td><td class="right"> handled as more sensitive than it really is ("upgrading") or as less</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> sensitive than it really is ("downgrading"), either of which is</td><td> </td><td class="right"> sensitive than it really is ("downgrading"), either of which is</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> problematic.</td><td> </td><td class="right"> problematic.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.5. Advice</td><td> </td><td class="right">4.12.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0032"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Routers and firewalls ought not</span> by default <span class="delete">drop</span> packets <span class="delete">containing</span></td><td> </td><td class="rblock"> <span class="insert">A router or firewall SHOULD NOT</span> by default <span class="insert">modify or remove this</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> IPSO</span> and <span class="delete">also ought not</span> by default <span class="delete">strip the IPSO from the packet.</span></td><td> </td><td class="rblock"><span class="insert"> option from IP</span> packets and <span class="insert">a router or firewall SHOULD NOT</span> by default</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> For auditing reasons, routers and firewalls SHOULD be capable of</td><td> </td><td class="rblock"> <span class="insert">drop packets containing this option.</span> For auditing reasons, routers</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> logging the numbers of packets containing the BSO on a per-interface</td><td> </td><td class="rblock"> and firewalls SHOULD be capable of logging the numbers of packets</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> basis. Also, routers and firewalls SHOULD be capable of <span class="delete">filtering</span></td><td> </td><td class="rblock"> containing the BSO on a per-interface basis. Also, routers and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> packets based on the BSO presence as well as the BSO values.</td><td> </td><td class="rblock"> firewalls SHOULD be capable of <span class="insert">dropping</span> packets based on the BSO</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> presence as well as the BSO values.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13. DoD Extended Security Option (Type = 133)</td><td> </td><td class="right">4.13. DoD Extended Security Option (Type = 133)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.1. Uses</td><td> </td><td class="right">4.13.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option permits additional security labeling information, beyond</td><td> </td><td class="right"> This option permits additional security labeling information, beyond</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> that present in the Basic Security Option (Section 4.12), to be</td><td> </td><td class="right"> that present in the Basic Security Option (Section 4.12), to be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> supplied in an IP datagram to meet the needs of registered</td><td> </td><td class="right"> supplied in an IP datagram to meet the needs of registered</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> authorities.</td><td> </td><td class="right"> authorities.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.2. Option Specification</td><td> </td><td class="right">4.13.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The DoD Extended Security Option (ESO) is specified by RFC 1108</td><td> </td><td class="right"> The DoD Extended Security Option (ESO) is specified by RFC 1108</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [RFC1108].</td><td> </td><td class="right"> [RFC1108].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0033"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Many Cisco routers that run Cisco IOS include support for <span class="delete">per-</span></td><td> </td><td class="rblock"> Many Cisco routers that run Cisco IOS include support for <span class="insert">dropping</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> interface packet filtering of IP</span> packets <span class="delete">containing</span> this <span class="delete">option.</span></td><td> </td><td class="rblock"> packets <span class="insert">that contain</span> this <span class="insert">option with a per-interface granularity.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This capability has been present in many Cisco routers since the</td><td> </td><td class="right"> This capability has been present in many Cisco routers since the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> early 1990s [Cisco-IPSO-Cmds]. Some governmental products</td><td> </td><td class="right"> early 1990s [Cisco-IPSO-Cmds]. Some governmental products</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0034"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> reportedly support <span class="delete">IPSO,</span> notably CANEWARE [RFC4949]. Support for</td><td> </td><td class="rblock"> reportedly support <span class="insert">ESO,</span> notably CANEWARE [RFC4949]. Support for</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">IPSO</span> is included in the "IPsec Configuration Policy Information</td><td> </td><td class="rblock"> <span class="insert">ESO</span> is included in the "IPsec Configuration Policy Information</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Model" [RFC3585] and in the "IPsec Security Policy Database</td><td> </td><td class="right"> Model" [RFC3585] and in the "IPsec Security Policy Database</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Configuration MIB" [RFC4807].</td><td> </td><td class="right"> Configuration MIB" [RFC4807].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.3. Threats</td><td> </td><td class="right">4.13.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Presence of this option in a packet does not by itself create any</td><td> </td><td class="right"> Presence of this option in a packet does not by itself create any</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> specific new threat (other than the usual generic issues that might</td><td> </td><td class="right"> specific new threat (other than the usual generic issues that might</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> be created if packets with options are forwarded via the "slow</td><td> </td><td class="right"> be created if packets with options are forwarded via the "slow</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> path"). Packets with this option ought not normally be seen on the</td><td> </td><td class="right"> path"). Packets with this option ought not normally be seen on the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> global public Internet</td><td> </td><td class="right"> global public Internet</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l16"><small>skipping to change at</small><em> page 16, line 22</em></a></th><th> </th><th><a name="part-r16"><small>skipping to change at</small><em> page 17, line 7</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> the packet but associate an incorrect sensitivity label with the</td><td> </td><td class="right"> the packet but associate an incorrect sensitivity label with the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> received data from the packet whose ESO was stripped by an</td><td> </td><td class="right"> received data from the packet whose ESO was stripped by an</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> intermediate router or firewall. Associating an incorrect</td><td> </td><td class="right"> intermediate router or firewall. Associating an incorrect</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> sensitivity label can cause the received information either to be</td><td> </td><td class="right"> sensitivity label can cause the received information either to be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> handled as more sensitive than it really is ("upgrading") or as less</td><td> </td><td class="right"> handled as more sensitive than it really is ("upgrading") or as less</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> sensitive than it really is ("downgrading"), either of which is</td><td> </td><td class="right"> sensitive than it really is ("downgrading"), either of which is</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> problematic.</td><td> </td><td class="right"> problematic.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.5. Advice</td><td> </td><td class="right">4.13.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0035"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Routers and firewalls ought not</span> by default <span class="delete">drop</span> packets <span class="delete">containing an</span></td><td> </td><td class="rblock"> <span class="insert">A router or firewall SHOULD NOT</span> by default <span class="insert">modify or remove this</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> ESO</span> and <span class="delete">also ought not</span> by default <span class="delete">strip the ESO from the packet.</span> For</td><td> </td><td class="rblock"><span class="insert"> option from IP</span> packets and <span class="insert">a router or firewall SHOULD NOT</span> by default</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> auditing reasons, routers and firewalls SHOULD be capable of logging</td><td> </td><td class="rblock"> <span class="insert">drop packets containing this option.</span> For auditing reasons, routers</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> the numbers of packets containing the ESO on a per-interface basis.</td><td> </td><td class="rblock"> and firewalls SHOULD be capable of logging the numbers of packets</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Also, routers and firewalls SHOULD be capable of <span class="delete">filtering</span> packets</td><td> </td><td class="rblock"> containing the ESO on a per-interface basis. Also, routers and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> based on the ESO presence as well as the ESO values.</td><td> </td><td class="rblock"> firewalls SHOULD be capable of <span class="insert">dropping</span> packets based on the ESO</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> presence as well as the ESO values.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14. Commercial IP Security Option (CIPSO) (Type = 134)</td><td> </td><td class="right">4.14. Commercial IP Security Option (CIPSO) (Type = 134)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.1. Uses</td><td> </td><td class="right">4.14.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option was proposed by the Trusted Systems Interoperability</td><td> </td><td class="right"> This option was proposed by the Trusted Systems Interoperability</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Group (TSIG), with the intent of meeting trusted networking</td><td> </td><td class="right"> Group (TSIG), with the intent of meeting trusted networking</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> requirements for the commercial trusted systems market place.</td><td> </td><td class="right"> requirements for the commercial trusted systems market place.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> It is currently implemented in a number of operating systems (e.g.,</td><td> </td><td class="right"> It is currently implemented in a number of operating systems (e.g.,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris</td><td> </td><td class="right"> IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Solaris2008]), and deployed in a number of high-security networks.</td><td> </td><td class="right"> [Solaris2008]), and deployed in a number of high-security networks.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.2. Option Specification</td><td> </td><td class="right">4.14.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option is specified in [CIPSO1992] and [FIPS1994]. There are</td><td> </td><td class="right"> This option is specified in [CIPSO1992] and [FIPS1994]. There are</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> zero known IP router implementations of CIPSO. Several MLS operating</td><td> </td><td class="right"> zero known IP router implementations of CIPSO. Several MLS operating</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> systems support CIPSO, generally the same MLS operating systems that</td><td> </td><td class="right"> systems support CIPSO, generally the same MLS operating systems that</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> support IPSO.</td><td> </td><td class="right"> support IPSO.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0036"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">The TSIG proposal was taken to the Commercial Internet Security</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Option (CIPSO) Working Group of the IETF [CIPSOWG1994], and an</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Internet-Draft was produced [CIPSO1992]. The Internet-Draft was</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> never published as an RFC, but the proposal was later standardized</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> by the U.S. National Institute of Standards and Technology (NIST)</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> as "Federal Information Processing Standard Publication 188"</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [FIPS1994].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.3. Threats</td><td> </td><td class="right">4.14.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Presence of this option in a packet does not by itself create any</td><td> </td><td class="right"> Presence of this option in a packet does not by itself create any</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> specific new threat (other than the usual generic issues that might</td><td> </td><td class="right"> specific new threat (other than the usual generic issues that might</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> be created if packets with options are forwarded via the "slow</td><td> </td><td class="right"> be created if packets with options are forwarded via the "slow</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> path"). Packets with this option ought not normally be seen on the</td><td> </td><td class="right"> path"). Packets with this option ought not normally be seen on the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> global public Internet.</td><td> </td><td class="right"> global public Internet.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.14.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l17"><small>skipping to change at</small><em> page 17, line 27</em></a></th><th> </th><th><a name="part-r17"><small>skipping to change at</small><em> page 18, line 24</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> sensitivity label can cause the received information either to be</td><td> </td><td class="right"> sensitivity label can cause the received information either to be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> handled as more sensitive than it really is ("upgrading") or as less</td><td> </td><td class="right"> handled as more sensitive than it really is ("upgrading") or as less</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> sensitive than it really is ("downgrading"), either of which is</td><td> </td><td class="right"> sensitive than it really is ("downgrading"), either of which is</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> problematic.</td><td> </td><td class="right"> problematic.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.5. Advice</td><td> </td><td class="right">4.14.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Because of the design of this option, with variable syntax and</td><td> </td><td class="right"> Because of the design of this option, with variable syntax and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> variable length, it is not practical to support specialized filtering</td><td> </td><td class="right"> variable length, it is not practical to support specialized filtering</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> using the CIPSO information. No routers or firewalls are known to</td><td> </td><td class="right"> using the CIPSO information. No routers or firewalls are known to</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0037"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> support this option. However, <span class="delete">by default</span> a router or firewall <span class="delete">should</span></td><td> </td><td class="rblock"> support this option. However, a router or firewall <span class="insert">SHOULD NOT by</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> not</span> modify or remove this option from IP packets and a router or</td><td> </td><td class="rblock"><span class="insert"> default</span> modify or remove this option from IP packets and a router or</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> firewall <span class="delete">should not</span> by default drop packets containing this option.</td><td> </td><td class="rblock"> firewall <span class="insert">SHOULD NOT</span> by default drop packets containing this option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0038"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.15. <span class="delete">Sender Directed Multi-Destination Delivery (Type = 149</span>)</td><td> </td><td class="rblock">4.15. <span class="insert">VISA (Type = 142</span>)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.1. Uses</td><td> </td><td class="right">4.15.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0039"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> This <span class="delete">option originally provided unreliable UDP delivery to a set</span> of</td><td> </td><td class="rblock"> This <span class="insert">options was part</span> of <span class="insert">an experiment at USC and was never widely</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">addresses included in the option.</span></td><td> </td><td class="rblock"><span class="insert"> deployed.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.2. Option Specification</td><td> </td><td class="right">4.15.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0040"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">This option is defined in RFC 1770 [RFC1770]</span>.</td><td> </td><td class="rblock"> <span class="insert">Not publicly available</span>.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.3. Threats</td><td> </td><td class="right">4.15.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0041"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">This option could have been exploited for bandwidth-amplification in</span></td><td> </td><td class="rblock"> <span class="insert">Not possible to determine (other the general security implications</span> of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Denial</span> of <span class="delete">Service (DoS) attacks.</span></td><td> </td><td class="rblock"> <span class="insert">IP options discussed in Section 3), since the corresponding</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> specification is not publicly available.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.15.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> None.</td><td> </td><td class="right"> None.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.5. Advice</td><td> </td><td class="right">4.15.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0042"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Filter IP</span> packets that contain <span class="delete">a Sender Directed Multi-Destination</span></td><td> </td><td class="rblock"> <span class="insert">Drop</span> packets that contain <span class="insert">this</span> option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Delivery</span> option.</td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0043"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.16. <span class="delete">Quick-Start (Type = 2</span>5)</td><td> </td><td class="rblock">4.16. <span class="insert">Extended Internet Protocol (Type = 14</span>5)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.16.1. Uses</td><td> </td><td class="right">4.16.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0044"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">This IP Option is used in</span> the <span class="delete">specification</span> of <span class="delete">Quick-Start for TCP</span></td><td> </td><td class="rblock"> <span class="insert">The EIP option was introduced by one of the proposals submitted</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> and IP.</span></td><td> </td><td class="rblock"><span class="insert"> during the IPng efforts to address</span> the <span class="insert">problem</span> of <span class="insert">IPv4 address</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> exhaustion.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.16.2. Option Specification</td><td> </td><td class="right">4.16.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0045"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Specified in <span class="delete">RFC 4782 [RFC4782] as an Experimental specification.</span></td><td> </td><td class="rblock"> Specified in <span class="insert">[RFC1385]. This option is in the process of being</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> formally obsoleted by [I-D.gp-intarea-obsolete-ipv4-options-iana].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.16.3. Threats</td><td> </td><td class="right">4.16.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0046"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">There are no know threats arising from this option, other than the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> general security implications of IP options discussed in Section 3.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.16.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="right">4.16.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0047"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">None.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.16.5. Advice</td><td> </td><td class="right">4.16.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0048"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Drop packets that contain this option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0049"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.17. RFC3692-style Experiment (Types = 30, 94, 158, and 222)</td><td> </td><td class="rblock">4.17. <span class="insert">Address Extension (Type = 147)</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.17.1. Uses</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> The Address Extension option was introduced by one of the proposals</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> submitted during the IPng efforts to address the problem of IPv4</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> address exhaustion.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.17.2. Option Specification</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Specified in [RFC1475]. This option is in the process of being</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> formally obsoleted by [I-D.gp-intarea-obsolete-ipv4-options-iana].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.17.3. Threats</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> There are no know threats arising from this option, other than the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> general security implications of IP options discussed in Section 3.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.17.4. Operational and Interoperability Impact if Blocked</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> None.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.17.5. Advice</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Drop packets that contain this option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.18. Sender Directed Multi-Destination Delivery (Type = 149)</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.18.1. Uses</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> This option originally provided unreliable UDP delivery to a set of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> addresses included in the option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.18.2. Option Specification</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> This option is defined in RFC 1770 [RFC1770].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.18.3. Threats</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> This option could have been exploited for bandwidth-amplification in</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Denial of Service (DoS) attacks.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.18.4. Operational and Interoperability Impact if Blocked</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> None.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.18.5. Advice</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Drop IP packets that contain a Sender Directed Multi-Destination</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Delivery option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.19. Dynamic Packet State (Type = 151)</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.19.1. Uses</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> The Dynamic Packet State option was used to specify specified Dynamic</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Packet State (DPS) in the context of the differentiated service</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> architecture.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.19.2. Option Specification</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> The Dynamic Packet State option was specified in</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [I-D.stoica-diffserv-dps]. The aforementioned document was meant to</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> be published as "Experimental", but never made it into an RFC. This</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> option is in the process of being formally obsoleted by</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [I-D.gp-intarea-obsolete-ipv4-options-iana].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.19.3. Threats</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Possible threats include theft of service and Denial of Service.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> However, we note that is option has never been widely implemented or</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> deployed.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.19.4. Operational and Interoperability Impact if Blocked</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> None.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.19.5. Advice</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Drop packets that contain this option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.20. Upstream Multicast Pkt. (Type = 152)</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.20.1. Uses</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> This option was meant to solve the problem of doing upstream</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> forwarding of multicast packets on a multi-access LAN.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.20.2. Option Specification</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> This option was originally specified in [draft-farinacci-bidir-pim].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Its use was obsoleted by [RFC5015], which employs a control plane</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> mechanism to solve the problem of doing upstream forwarding of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> multicast packets on a multi-access LAN. This option is in the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> process of being formally obsoleted by</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [I-D.gp-intarea-obsolete-ipv4-options-iana].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.20.3. Threats</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> TBD.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.20.4. Operational and Interoperability Impact if Blocked</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> None.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.20.5. Advice</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Drop packets that contain this option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.21. Quick-Start (Type = 25)</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.21.1. Uses</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> This IP Option is used in the specification of Quick-Start for TCP</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> and IP, which is an experimental mechanism that allows transport</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> protocols, in cooperation with routers, to determine an allowed</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> sending rate at the start and, at times, in the middle of a data</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> transfer (e.g., after an idle period) [RFC4782].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.21.2. Option Specification</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Specified in RFC 4782 [RFC4782], on the "Experimental" track.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.21.3. Threats</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Section 9.6 of [RFC4782] notes that Quick-Start is vulnerable to two</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> kinds of attacks:</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> o attacks to increase the routers' processing and state load, and,</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> o attacks with bogus Quick-Start Requests to temporarily tie up</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> available Quick-Start bandwidth, preventing routers from approving</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Quick-Start Requests from other connections</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.21.4. Operational and Interoperability Impact if Blocked</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> The Quick-Start functionality would be disabled, and additional</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> delays in e.g. TCP's connection establishment could be introduced</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> (please see Section 4.7.2 of [RFC4782]. We note, however, that</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Quick-Start has been proposed as mechanism that could be of use in</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> controlled environments, and not as a mechanism that would be</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> intended or appropriate for ubiquitous deployment in the global</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Internet [RFC4782].</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.21.5. Advice</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> By default, packets containing this option SHOULD be dropped. In</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> controlled environments where systems have been explicitly configured</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> to enable Quick-Start, packets SHOULD NOT be dropped.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> A given router, security gateway, or firewall system has no way of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> knowing a priori whether this option is valid in its operational</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> environment. So, systems SHOULD have a configuration setting that</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> indicates whether packets containing this option are dropped or not,</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> with the default configuration being to DROP such packets.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> The decision to advise packets containing this option to be</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> dropped is based on the fact that the [RFC4782] itself notes that</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Quick-Start has been proposed as mechanism that could be of use in</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> controlled environments, and not as a mechanism that would be</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> intended or appropriate for ubiquitous deployment in the global</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Internet. We note that if routers in a given environment do not</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> implement and enable the Quick-Start mechanism, only the general</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> security implications of IP options (discussed in Section 3) would</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> apply.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">4.22.</span> RFC3692-style Experiment (Types = 30, 94, 158, and 222)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all</td><td> </td><td class="right"> Section 2.5 of RFC 4727 [RFC4727] allocates an option number with all</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> defined values of the "copy" and "class" fields for RFC3692-style</td><td> </td><td class="right"> defined values of the "copy" and "class" fields for RFC3692-style</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> experiments. This results in four distinct option type codes: 30,</td><td> </td><td class="right"> experiments. This results in four distinct option type codes: 30,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 94, 158, and 222.</td><td> </td><td class="right"> 94, 158, and 222.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0050"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.<span class="delete">17</span>.1. Uses</td><td> </td><td class="rblock">4.<span class="insert">22</span>.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> It is only appropriate to use these values in explicitly-configured</td><td> </td><td class="right"> It is only appropriate to use these values in explicitly-configured</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> experiments; they MUST NOT be shipped as defaults in implementations.</td><td> </td><td class="right"> experiments; they MUST NOT be shipped as defaults in implementations.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0051"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.<span class="delete">17</span>.2. Option Specification</td><td> </td><td class="rblock">4.<span class="insert">22</span>.2. Option Specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Specified in RFC 4727 [RFC4727] in the context of RFC3692-style</td><td> </td><td class="right"> Specified in RFC 4727 [RFC4727] in the context of RFC3692-style</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> experiments.</td><td> </td><td class="right"> experiments.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0052"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.<span class="delete">17</span>.3. Threats</td><td> </td><td class="rblock">4.<span class="insert">22</span>.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> No security issues are known for this option, other than the general</td><td> </td><td class="right"> No security issues are known for this option, other than the general</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications of IP options discussed in Section 3.</td><td> </td><td class="right"> security implications of IP options discussed in Section 3.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0053"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.<span class="delete">17</span>.4. Operational and Interoperability Impact if Blocked</td><td> </td><td class="rblock">4.<span class="insert">22</span>.4. Operational and Interoperability Impact if Blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> None.</td><td> </td><td class="right"> None.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0054"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.<span class="delete">17</span>.5. Advice</td><td> </td><td class="rblock">4.<span class="insert">22</span>.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0055"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Filter</span> IP packets that contain RFC3692-style Experiment options.</td><td> </td><td class="rblock"> <span class="insert">Drop</span> IP packets that contain RFC3692-style Experiment options.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0056"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">4.<span class="delete">18</span>. Other IP Options</td><td> </td><td class="rblock">4.<span class="insert">23</span>. Other IP Options</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Unrecognized IP Options are to be ignored. Section 3.2.1.8 of RFC</td><td> </td><td class="right"> Unrecognized IP Options are to be ignored. Section 3.2.1.8 of RFC</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 1122 [RFC1122] and Section 4.2.2.6 of RFC 1812 [RFC1812] specify this</td><td> </td><td class="right"> 1122 [RFC1122] and Section 4.2.2.6 of RFC 1812 [RFC1812] specify this</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> behavior as follows:</td><td> </td><td class="right"> behavior as follows:</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> RFC 1122: "The IP and transport layer MUST each interpret those IP</td><td> </td><td class="right"> RFC 1122: "The IP and transport layer MUST each interpret those IP</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> options that they understand and silently ignore the</td><td> </td><td class="right"> options that they understand and silently ignore the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> others."</td><td> </td><td class="right"> others."</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> RFC 1812: "A router MUST ignore IP options which it does not</td><td> </td><td class="right"> RFC 1812: "A router MUST ignore IP options which it does not</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l18"><small>skipping to change at</small><em> page 19, line 40</em></a></th><th> </th><th><a name="part-r18"><small>skipping to change at</small><em> page 24, line 12</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This document adds that unrecognized IP Options MAY also be logged.</td><td> </td><td class="right"> This document adds that unrecognized IP Options MAY also be logged.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> A number of additional options are specified in the "IP OPTIONS</td><td> </td><td class="right"> A number of additional options are specified in the "IP OPTIONS</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> NUMBERS" IANA registry [IANA-IP]. Specifically:</td><td> </td><td class="right"> NUMBERS" IANA registry [IANA-IP]. Specifically:</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Copy Class Number Value Name Reference</td><td> </td><td class="right"> Copy Class Number Value Name Reference</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> ---- ----- ------ ----- ------------------------------- ------------</td><td> </td><td class="right"> ---- ----- ------ ----- ------------------------------- ------------</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 0 0 10 10 ZSU - Experimental Measurement [ZSu]</td><td> </td><td class="right"> 0 0 10 10 ZSU - Experimental Measurement [ZSu]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 1 2 13 205 FINN - Experimental Flow Control [Finn]</td><td> </td><td class="right"> 1 2 13 205 FINN - Experimental Flow Control [Finn]</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0057"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 1 0 14 142 VISA - Expermental Access Control [Estrin]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 0 0 15 15 ENCODE - ??? [VerSteeg]</td><td> </td><td class="right"> 0 0 15 15 ENCODE - ??? [VerSteeg]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 1 0 16 144 IMITD - IMI Traffic Descriptor [Lee]</td><td> </td><td class="right"> 1 0 16 144 IMITD - IMI Traffic Descriptor [Lee]</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0058"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">1 0 17 145 EIP - Extended Internet Protocol[RFC1385]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 1 0 19 147 ADDEXT - Address Extension [Ullmann IPv7]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 1 0 22 150 - Unassigned (Released 18 Oct. 2005)</td><td> </td><td class="right"> 1 0 22 150 - Unassigned (Released 18 Oct. 2005)</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0059"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">1 0 23 151 DPS - Dynamic Packet State [Malis]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 1 0 24 152 UMP - Upstream Multicast Pkt. [Farinacci]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">5. IANA Considerations</td><td> </td><td class="right">5. IANA Considerations</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the</td><td> </td><td class="right"> The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> currently assigned IP option numbers. This registry also denotes an</td><td> </td><td class="right"> currently assigned IP option numbers. This registry also denotes an</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> obsoleted IP Option Number by marking it with a single asterisk</td><td> </td><td class="right"> obsoleted IP Option Number by marking it with a single asterisk</td><td class="lineno" valign="top"></td></tr>