draft-gont-opsec-ip-options-filtering-02.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
    <!-- try to enforce the ID-nits conventions and DTD validity -->
<?rfc strict="no" ?>    <!-- items used when reviewing the document -->
<?rfc comments="no" ?>  <!-- controls display of <cref> elements -->
<?rfc inline="no" ?>    <!-- when no, put comments at end in comments section,
                                otherwise, put inline -->
<?rfc editing="no" ?>   <!-- when yes, insert editing marks -->

    <!-- create table of contents (set it options).
           Note the table of contents may be omitted
         for very short documents -->

<?rfc toc="yes"?><?rfc tocompact="yes"?>
<?rfc tocdepth="4"?>

    <!-- choose the options for the references. Some like
         symbolic tags in the references (and citations)
         and others prefer numbers. --> 
<?rfc symrefs="yes"?><?rfc sortrefs="yes" ?>
    <!-- these two save paper: start new paragraphs from the same page etc. -->
<?rfc compact="yes" ?><?rfc subcompact="no" ?>
<!-- end of list of processing instructions -->
    <!-- Information about the document.
         categories values: std, bcp, info, exp, and historic
         For Internet-Drafts, specify attribute "ipr".
         (ipr values are: full3667, noModification3667, noDerivatives3667),
         Also for Internet-Drafts, can specify values for
         attributes "iprExtract", and "docName".  Note
         that the value for iprExtract is the anchor attribute
         value of a section that can be extracted, and is only
         useful when the value of "ipr" is not "full3667". -->
    <!-- TODO: verify which attributes are specified only
            by the RFC editor.  It appears that attributes
            "number", "obsoletes", "updates", and "seriesNo"
            are specified by the RFC editor (and not by
            the document author). -->

<rfc    
    category="bcp"
    ipr="trust200902"
    docName="draft-gont-opsec-ip-options-filtering-02.txt" >

<front>
    <title abbrev="Filtering of IP-optioned packets">Recommendations on filtering of IP packets containing IP options</title>

    <!-- add 'role="editor"' below for the editors if appropriate -->    

<author
        fullname="Fernando Gont"
        initials="F."
        surname="Gont">
    <!-- abbrev not needed but can be used for the header
         if the full organization name is too long -->
        <organization abbrev="UTN/FRH">Universidad Tecnologica Nacional / Facultad Regional Haedo</organization>
        <address>
            <postal>                <!-- I've omitted my street address here -->
             <street>Evaristo Carriego 2644</street>
		<code>1706</code><city>Haedo</city>
 		<region>Provincia de Buenos Aires</region>
		<country>Argentina</country>
            </postal>
            <phone>+54 11 4650 8472</phone>
            <email>fernando@gont.com.ar</email>
		<uri>http://www.gont.com.ar</uri>
        <!--            If I had a phone, fax machine, and a URI, I could add the following: --->

        </address>
    </author>    

<author
        fullname="RJ Atkinson"
        initials="R. J."
        surname="Atkinson">
        <organization>Consultant</organization>
        <address>
			<postal>              
				<code>22103</code><city>McLean</city>
				<region>VA</region>
				<country>USA</country>
			</postal>
        
			<email>rja.lists@gmail.com</email>
        </address>
</author>    


<date year="2011"/> 
<!-- month="May" is no longer necessary note also, day="30" is optional -->
    <area>Internet</area>    <!-- WG name at the upperleft corner of the doc,
         IETF fine for individual submissions -->
    <workgroup>Operational Security Capabilities for IP Network Infrastructure (opsec)</workgroup>

<abstract>
<t>
This document document provides advice on the filtering of packets based on the IP options they contain.  Additionally, it discusses the operational and interoperability implications of such filtering.
</t>
</abstract>

</front>

<middle>

<section title="Introduction" anchor="intro">
<t>Various protocols may use IP Options to some extent, therefore the filtering of such options may have implications on proper functioning of the protocol.  As such, this document attempts to discuss the operational and interoperability implications of such filtering.  Additionally, this document will outline what a network operator might do in a typical enterprise or Service Provider environment.</t>

<t>We note that data seems to indicate that there is a current widespread practice of blocking IPv4 optioned packets. There are various plausible approaches to minimize the potential negative effects of IPv4 optioned packets while allowing some options semantics. One approach is to allow for specific options that are expected or needed, and a default deny. A different approach is to deny unneeded options and a default allow. Yet a third option is to allow for end-to-end semantics by ignoring options and treating packets as un-optioned while in transit. The current state tends to support the first or third approaches as more realistic. Some results of regarding the current state of affairs with respect to filtering of packets containing IP options can be found in <xref target="MEDINA"/>.</t>

<t>We also note that while this document provides advice on a "per IP option type", not all devices may provide functionality to filter IP packets on a "per IP option type". Additionally, even in cases in which such functionality is provided, the operator might want to specify a filtering policy with a coarser granularity (rather than on a "per IP option type" granularity), as indicated above.</t>

<t>Finally, in scenarios in which processing of IP options by intermediate systems is not required, a widespread approach is to simply ignore IP options, and process the corresponding packets as if they do not contain any IP options.
</t>

            <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
            "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
            and "OPTIONAL" in this document are to be interpreted as
            described in <xref target="RFC2119"/>.</t>
</section>


<section title="IP Options" anchor="general-discussion">

<t>IP options allow for the extension of the Internet Protocol</t>

<t>There are two cases for the format of an option:</t>

<t>
<list style="symbols">
<t>Case 1: A single byte of option-type.</t>
<t>Case 2: An option-type byte, an option-length byte, and the actual option-data bytes.</t>
</list>
</t>

<t>In the Case 2, the option-length byte counts the option-type byte and the option-length byte, as well as the actual option-data bytes. </t>

<t>All current and future options except "End of Option List" (Type = 0) and "No Operation" (Type = 1), are of Class 2.</t>

<t>The option-type has three fields:</t>

<t>
<list style="symbols">
<t>1 bit:  copied flag.</t>
<t>2 bits: option class.</t>
<t>5 bits: option number.</t>
</list>
</t>

<t>The copied flag indicates whether this option should be copied to all fragments in the event the packet carrying it needs to be fragmented:</t>

<t>
<list style="symbols">
<t>0 = not copied.</t>
<t>1 = copied.</t>
</list>
</t>

<t>The values for the option class are:</t>

<t>
<list style="symbols">
<t>0 = control.</t>
<t>1 = reserved for future use.</t>
<t>2 = debugging and measurement.</t>
<t>3 = reserved for future use.</t>
</list>
</t>

<t>This format allows for the creation of new options for the extension of the Internet Protocol (IP).</t>

<t>Finally, the option number identifies the syntax of the rest of the option.</t>

<t><xref target="IANA2006b"/> contains the list of the currently assigned IP option numbers.</t>
</section>


<section title="General security implications of IP options" anchor="general-implications">
<section title="Processing requirements" anchor="process-requirements">

<t>Router manufacturers tend to do IP option processing in a slower path. Unless special care is taken, this represents Denial of Service (DoS) risk, as there is potential for overwhelming the router with option processing.</t>
<t>The following sections contain a description of each of the IP options that have so far been specified, a discussion of possible interoperability implications if packets containing such options are filtered, and specific advice on whether to filter packets containing these options in a typical enterprise or Service Provider environment.</t>
</section>
</section>

<section title="Advice on handling of specific IP Options">
<section title="End of Option List (Type = 0)">
<section title="Uses">
<t>This option is used to indicate the "end of options" in those cases in which the end of options would not coincide with the end of the Internet Protocol Header.</t>
</section>

<section title="Option specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>. </t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>Packets containing any IP options are likely to include an End of Option List. Therefore, if packets containing this option are filtered, it is very likely that legitimate traffic is filtered.</t>
</section>

<section title="Advice">
<t>Do not filter packets containing this option.</t>
</section>

</section>

<section title="No Operation (Type = 1)">

<section title="Uses">
<t>The no-operation option is basically meant to allow the sending system to align subsequent options in, for example, 32-bit boundaries.</t>
</section>

<section title="Option specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>. 
</t>
</section>

<section title="Operational/interoperability impact if blocked">
Packets containing any IP options are likely to include a No Operation option. Therefore, if packets containing this option are filtered, it is very likely that legitimate traffic is filtered.
</section>

<section title="Advice">
<t>Do not filter packets containing this option.</t>
</section>

</section>


<section title="Loose Source and Record Route (LSRR) (Type = 131)" anchor="LSRR">


<t>RFC 791 states that this option should appear, at most, once in a given packet. Thus, if a packet contains more than one LSRR option, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop). Additionally, packets containing a combination of LSRR and SSRR options should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).</t>

<section title="Uses">
<t>This option lets the originating system specify a number of intermediate systems a packet must pass through to get to the destination host. Additionally, the route followed by the packet is recorded in the option. The receiving host (end-system) must use the reverse of the path contained in the received LSRR option.</t>

<t>The LSSR option can be of help in debugging some network problems. Some ISP (Internet Service Provider) peering agreements require support for this option in the routers within the peer of the ISP. </t>
</section>

<section title="Option specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>The LSRR option has well-known security implications. Among other things, the option can be used to:</t>

<t>
<list style="symbols">
<t>Bypass firewall rules</t>
<t>Reach otherwise unreachable internet systems</t>
<t>Establish TCP connections in a stealthy way</t>
<t>Learn about the topology of a network</t>
<t>Perform bandwidth-exhaustion attacks</t>
</list>
</t>

<t>Of these attack vectors, the one that has probably received least attention is the use of the LSRR option to perform bandwidth exhaustion attacks. The LSRR option can be used as an amplification method for performing bandwidth-exhaustion attacks, as an attacker could make a packet bounce multiple times between a number of systems by carefully crafting an LSRR option.</t>

<t>
<list style="hanging">
<t>This is the IPv4-version of the IPv6 amplification attack that was widely publicized in 2007 <xref target="Biondi2007"/>. The only difference is that the maximum length of the IPv4 header (and hence the LSRR option) limits the amplification factor when compared to the IPv6 counter-part.</t>
</list>
</t>

</section>

<section title="Operational/interoperability impact if blocked">
<t>Network troubleshooting techniques that may employ the LSRR option (such as ping or traceroute) would break. Nevertheless, it should be noted that it is virtually impossible to use such techniques due to widespread filtering of the LSRR option.</t>
</section>

<section title="Advice">
<t>All systems should, by default, drop IP packets that contain an LSRR option.</t>
</section>


</section>

<section title="Strict Source and Record Route (SSRR) (Type = 137)" anchor="SSRR">

<section title="Uses">
<t>This option allows the originating system to specify a number of intermediate systems a packet must pass through to get to the destination host. Additionally, the route followed by the packet is recorded in the option, and the destination host (end-system) must use the reverse of the path contained in the received SSRR option.</t>

<t>This option is similar to the Loose Source and Record Route (LSRR) option, with the only difference that in the case of SSRR, the route specified in the option is the exact route the packet must take (i.e., no other intervening routers are allowed to be in the route).</t>

<t>The SSSR option can be of help in debugging some network problems. Some ISP (Internet Service Provider) peering agreements require support for this option in the routers within the peer of the ISP. </t>
</section>

<section title="Option specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>The SSRR option has the same security implications as the LSRR option. Please refer to <xref target="LSRR"/> for a discussion of such security implications.</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>Network troubleshooting techniques that may employ the SSRR option (such as ping or traceroute) would break. Nevertheless, it should be noted that it is virtually impossible to use such techniques due to widespread filtering of the SSRR option.</t>
</section>

<section title="Advice">
<t>All systems should, by default, drop IP packets that contain an SSRR option.</t>
</section>


</section>

<section title="Record Route (Type = 7)">

<section title="Uses">
<t>This option provides a means to record the route that a given packet follows.</t>
</section>

<section title="Option specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>This option can be exploited to map the topology of a network. However, the limited space in the IP header limits the usefulness of this option for that purpose.</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>Network troubleshooting techniques that may employ the RR option (such as ping with the RR option) would break. Nevertheless, it should be noted that it is virtually impossible to use such techniques due to widespread filtering of the RR option.</t>
</section>

<section title="Advice">
<t>Drop IP packets that contain a Record Route option.</t>
</section>


</section>

<section title="Stream Identifier (Type = 136)">

<t>The Stream Identifier option originally provided a means for the 16-bit SATNET stream Identifier to be carried through networks that did not support the stream concept.</t>

<t>However, as stated by Section 4.2.2.1 of RFC 1812 <xref target="RFC1812"/>, this option is obsolete. Therefore, it must be ignored by the processing systems.</t>

<t>In the case of legacy systems still using this option, the length field of the option should be checked to be 4. If the option does not pass this check, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).</t>

<t>RFC 791 states that this option appears at most once in a given datagram. Therefore, if a packet contains more than one instance of this option, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).</t>

<section title="Uses">
This option is obsolete. There is no current use for this option.
</section>

<section title="Option specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>TBD</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>None.</t>
</section>

<section title="Advice">
<t>Filter IP packets that contain a Stream Identifier option.</t>
</section>


</section>

<section title="Internet Timestamp (Type = 68)">

<section title="Uses">
<t>This option provides a means for recording the time at which each system processed this datagram.</t>
</section>

<section title="Option specification">
<t>Specified by RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>The timestamp option has a number of security implications. Among them are: </t>

<t>
<list style="symbols">
<t>It allows an attacker to obtain the current time of the systems that process the packet, which the attacker may find useful in a number of scenarios.</t>
<t>It may be used to map the network topology, in a similar way to the IP Record Route option.</t>
<t>It may be used to fingerprint the operating system in use by a system processing the datagram.</t>
<t>It may be used to fingerprint physical devices, by analyzing the clock skew.</t>
</list>
</t>
<t><xref target="Kohno2005"/> describes a technique for fingerprinting devices by measuring the clock skew. It exploits, among other things, the timestamps that can be obtained by means of the ICMP timestamp request messages <xref target="RFC0791"/>. However, the same fingerprinting method could be implemented with the aid of the Internet Timestamp option.</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>.
</t>
</section>

<section title="Advice">
<t>Filter IP packets that contain an Internet Timestamp option.</t>
</section>


</section>

<section title="Router Alert (Type = 148)">

<section title="Uses">
<t>The Router Alert option has the semantic &quot;routers should examine this packet more closely, if they participate in the functionality denoted by the Value of the option&quot;.</t>
</section>

<section title="Option specification">
<t>The Router Alert option is defined in RFC 2113 <xref target="RFC2113"/> and later updates to it have been clarified by RFC 5350 <xref target="RFC5350"/>.  It contains a 16-bit Value governed by an IANA registry (see <xref target="RFC5350"/>).</t>
</section>

<section title="Threats">
<t>The security implications of the Router Alert option have been discussed in detail in <xref target="I-D.ietf-intarea-router-alert-considerations"/>. Basically, the Router Alert option might be exploited to perform a Denial of Service (DoS) attack by exhausting CPU resources at the processing routers.</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>Applications that employ the Router Alert option (such as RSVP <xref target="RFC2205"/>) would break.</t>
</section>

<section title="Advice">
<t>This option should be allowed only on controlled environments, where the option can be used safely (<xref target="I-D.ietf-intarea-router-alert-considerations"/> identifies such environments). In other environments, packets containing this option should be dropped.</t>
</section>



</section>

<section title="Probe MTU (Type = 11) (obsolete)">

<section title="Uses">
<t>This option originally provided a mechanism to discover the Path-MTU. It has been declared obsolete.</t>
</section>

<section title="Option specification">
<t>This option was defined in RFC 1063 <xref target="RFC1063"/>. This option is obsolete.</t>

</section>

<section title="Threats">
<t>None</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>None</t>
</section>

<section title="Advice">
<t>Filter IP packets that contain a Probe MTU option.</t>
</section>

</section>

<section title="Reply MTU (Type = 12) (obsolete)">

<section title="Uses">
<t>This option and originally provided a mechanism to discover the Path-MTU. It is now obsolete.</t>
</section>

<section title="Option specification">
<t>This option was originally specified by RFC 1063 <xref target="RFC1063"/>, and is now obsolete.</t> 
</section>

<section title="Threats">
<t>None.</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>None</t>
</section>

<section title="Advice">
<t>Filter IP packets that contain a Reply MTU option.</t>
</section>

</section>

<section title="Traceroute (Type = 82)">

<section title="Uses">
<t>This option originally provided a mechanism to trace the path to a host.</t>
</section>

<section title="Option specification">
<t>This option was originally specified by RFC 1393 <xref target="RFC1393"/>. It has been declared obsolete.</t>
</section>

<section title="Threats">
<t>None</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>None</t>
</section>

<section title="Advice">
<t>Filter IP packets that contain a Traceroute option.</t>
</section>

</section>

<section title="DoD Basic Security Option (Type = 130)" anchor="dod-basic-security">

<section title="Uses">
<t>This option is used by Multi-Level-Secure (MLS) end-systems and intermediate systems in specific environments to <xref target="RFC1108"/>:</t>

<t>
<list style="symbols">
<t>Transmit from source to destination in a network standard representation the common security labels required by computer security models <xref target="Landwehr81"/>,</t>
<t>Validate the datagram as appropriate for transmission from the source and delivery to the destination, and,</t>
<t>Ensure that the route taken by the datagram is protected to the level required by all protection authorities indicated on the datagram.</t>
</list>
</t>

<t>The DoD Basic Security Option (BSO) is currently implemented in a number of operating systems (e.g., <xref target="IRIX2008"/>, <xref target="SELinux2008"/>, <xref target="Solaris2008"/>, and <xref target="Cisco2008"/>), and deployed in a number of high-security networks. These networks are typically either in physically secure locations, protected by military/governmental communications security equipment, or both.  Such networks are typically built using commercial off-the-shelf (COTS) IP routers and Ethernet switches, but are not normally interconnected with the global public Internet.  This option probably has more deployment now than when the IESG removed this option from the IETF standards-track.  <xref target="RFC5570"/> describes a similar option recently defined for IPv6 and has much more detailed explanations of how sensitivity label options are used in real-world deployments.</t>

</section>

<section title="Option specification">
<t>It is specified by RFC 1108 <xref target="RFC1108"/> (which obsoletes RFC 1038 <xref target="RFC1038"/>).</t>

<t>
<list style="hanging">
<t>RFC 791 <xref target="RFC0791"/> defined the "Security Option" (Type = 130), which used the same option type as the DoD Basic Security option discussed in this section. The "Security Option" specified in RFC 791 is considered obsolete by Section 3.2.1.8 of RFC 1122, and therefore the discussion in this section is focused on the DoD Basic Security option specified by RFC 1108 <xref target="RFC1108"/>.</t>
</list>
</t>

<t>Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement this option".</t>

<t>
<list style="hanging">Many Cisco routers that run Cisco IOS include support for per-interface packet filtering of IP packets containing this option.  This capability has been present in many Cisco routers since the early 1990s <xref target="IOS-12.2"/>. Some governmental products reportedly support IPSO, notably CANEWARE <xref target="RFC4949"/>.  Support for IPSO is included in the &quot;IPsec Configuration Policy Information Model&quot; and in the &quot;IPsec Security Policy Databse Configuration MIB&quot; <xref target="RFC3585"/> <xref target="RFC4807"/>.
</list>
</t>

</section>

<section title="Threats">
<t>Presence of this option in a packet does not by itself create any specific new threat (other than the usual generic issues that might be created if packets with options are forwarded via the "slow path").  Packets with this option ought not normally be seen on the global public Internet.</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>If packets with this option are blocked or if the option is stripped from the packet during transmission from source to destination, then the packet itself is likely to be dropped by the receiver because it isn't properly labelled.  In some cases, the receiver might receive the packet but associate an incorrect sensitivity label with the received data from the packet whose BSO was stripped by an intermediate router or firewall.  Associating an incorrect sensitivity label can cause the received information either to be handled as more sensitive than it really is ("upgrading") or as less sensitive than it really is ("downgrading"), either of which is problematic.</t>
</section>

<section title="Advice">
<t>Routers and firewalls ought not by default drop packets containing IPSO and also ought not by default strip the IPSO from the packet. For auditing reasons, routers and firewalls SHOULD be capable of logging the numbers of packets containing the BSO on a per-interface basis.  Also, routers and firewalls SHOULD be capable of filtering packets based on the BSO presence as well as the BSO values.</t>
</section>

</section>

<section title="DoD Extended Security Option (Type = 133)">

<section title="Uses">
<t>This option permits additional security labeling information, beyond that present in the Basic Security Option (<xref target="dod-basic-security"/>), to be supplied in an IP datagram to meet the needs of registered authorities.</t>
</section>

<section title="Option specification">
<t>The DoD Extended Security Option (ESO) is specified by RFC 1108 <xref target="RFC1108"/>.</t>
<t>
<list style="hanging">Many Cisco routers that run Cisco IOS include support for per-interface packet filtering of IP packets containing this option.  This capability has been present in many Cisco routers since the early 1990s <xref target="IOS-12.2"/>. Some governmental products reportedly support IPSO, notably CANEWARE <xref target="RFC4949"/>.  Support for IPSO is included in the &quot;IPsec Configuration Policy Information Model&quot; and in the &quot;IPsec Security Policy Databse Configuration MIB&quot; <xref target="RFC3585"/> <xref target="RFC4807"/>.
</list>
</t>
</section>

<section title="Threats">
<t>
Presence of this option in a packet does not by itself create any specific new threat (other than the usual generic issues that might be created if packets with options are forwarded via the "slow path").  Packets with this option ought not normally be seen on the global public Internet
</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>If packets with this option are blocked or if the option is stripped from the packet during transmission from source to destination, then the packet itself is likely to be dropped by the receiver because it isn't properly labelled.  In some cases, the receiver might receive the packet but associate an incorrect sensitivity label with the received data from the packet whose ESO was stripped by an intermediate router or firewall.  Associating an incorrect sensitivity label can cause the received information either to be handled as more sensitive than it really is ("upgrading") or as less sensitive than it really is ("downgrading"), either of which is problematic.</t>
</section>

<section title="Advice">
<t>Routers and firewalls ought not by default drop packets containing an ESO and also ought not by default strip the ESO from the packet. For auditing reasons, routers and firewalls SHOULD be capable of logging the numbers of packets containing the ESO on a per-interface basis.  Also, routers and firewalls SHOULD be capable of filtering packets based on the ESO presence as well as the ESO values.</t>
</section>


</section>

<section title="Commercial IP Security Option (CIPSO) (Type = 134)">




<section title="Uses">
<t>This option was proposed by the Trusted Systems Interoperability Group (TSIG), with the intent of meeting trusted networking requirements for the commercial trusted systems market place. </t>

<t>It is currently implemented in a number of operating systems (e.g., IRIX <xref target="IRIX2008"/>, Security-Enhanced Linux <xref target="SELinux2008"/>, and Solaris <xref target="Solaris2008"/>), and deployed in a number of high-security networks.</t>
</section>

<section title="Option specification">
<t>This option is specified in <xref target="CIPSO1992"/> and <xref target="FIPS1994"/>. There are zero known IP router implementations of CIPSO. Several MLS operating systems support CIPSO, generally the same MLS operating systems that support IPSO.
</t>
</section>

<section title="Threats">
<t>Presence of this option in a packet does not by itself create any specific new threat (other than the usual generic issues that might be created if packets with options are forwarded via the "slow path").  Packets with this option ought not normally be seen on the global public Internet.</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>If packets with this option are blocked or if the option is stripped from the packet during transmission from source to destination, then the packet itself is likely to be dropped by the receiver because it isn't properly labelled.  In some cases, the receiver might receive the packet but associate an incorrect sensitivity label with the received data from the packet whose CIPSO was stripped by an intermediate router or firewall.  Associating an incorrect sensitivity label can cause the received information either to be handled as more sensitive than it really is ("upgrading") or as less sensitive than it really is ("downgrading"), either of which is problematic.</t>
</section>

<section title="Advice">
<t>Because of the design of this option, with variable syntax and variable length, it is not practical to support specialized filtering using the CIPSO information.  No routers or firewalls are known to support this option.  However, by default a router or firewall should not modify or remove this option from IP packets and a router or firewall should not by default drop packets containing this option.
</t>
</section>


</section>

<section title="Sender Directed Multi-Destination Delivery (Type = 149)">

<section title="Uses">
<t>This option originally provided unreliable UDP delivery to a set of addresses included in the option. It is currently obsolete. </t>
</section>

<section title="Option specification">
<t>This option is defined in RFC 1770 <xref target="RFC1770"/>.</t>
</section>

<section title="Threats">
<t>This option could have been exploited for bandwidth-amplification in Denial of Service (DoS) attacks.</t>
</section>

<section title="Operational/interoperability impact if blocked">
<t>None.</t>
</section>

<section title="Advice">
<t>Filter IP packets that contain a Sender Directed Multi-Destination Delivery option.</t>
</section>


</section>
</section>

<section title="Security Considerations">
<t>
This document provides advice on the filtering of IP packets that contain IP options. Filtering of such packets can help to mitigate the security issues that arise from use of different IP options.
</t>
</section>


<section title="Acknowledgements">
<t>The authors would like to thank Carlos Pignataro and Donald Smith for providing valuable comments on earlier versions of this document.</t>
<t>Part of this document is based on the document &amp;Security Assesment of the Internet Protocol&amp; <xref target="CPNI2008"/> that is the result of a project carried out by Fernando Gont on behalf of UK CPNI (formerly NISCC). </t>
<t>Fernando Gont would like to thank UK CPNI (formerly NISCC) for their continued support.</t>
</section>


<section title="Contributors">
<t>Carlos Pignataro provided material that was incorporated into this document.</t>
</section>
</middle>

<back>
<references title="Normative References">
	<?rfc include="reference.RFC.0791" ?>
	<?rfc include="reference.RFC.0826" ?>
	<?rfc include="reference.RFC.1038" ?>
	<?rfc include="reference.RFC.1063" ?>

	<?rfc include="reference.RFC.1108" ?>
	<?rfc include="reference.RFC.1112" ?>
	<?rfc include="reference.RFC.1122" ?>
	<?rfc include="reference.RFC.1191" ?>

	<?rfc include="reference.RFC.1349" ?>
	<?rfc include="reference.RFC.1393" ?>


	<?rfc include="reference.RFC.1770" ?>

	<?rfc include="reference.RFC.1812" ?>

	<?rfc include="reference.RFC.2113" ?>
	<?rfc include="reference.RFC.2119" ?>
	
	<?rfc include="reference.RFC.2474" ?>

	<?rfc include="reference.RFC.2475" ?>
	<?rfc include="reference.RFC.2644" ?>
	<?rfc include="reference.RFC.3927" ?>
	<?rfc include="reference.RFC.4821" ?>
	<?rfc include="reference.RFC.5735" ?>

</references>

<references title="Informative References">
	<?rfc include="reference.RFC.0815" ?>
	<?rfc include="reference.RFC.1858" ?>
	<?rfc include="reference.RFC.1918" ?>
	<?rfc include="reference.RFC.2205" ?>
	<?rfc include="reference.RFC.2544" ?>
	<?rfc include="reference.RFC.2827" ?>
	<?rfc include="reference.RFC.3056" ?>
	<?rfc include="reference.RFC.3128" ?>
	<?rfc include="reference.RFC.3168" ?>
	<?rfc include="reference.RFC.3530" ?>
	<?rfc include="reference.RFC.3585" ?>
	<?rfc include="reference.RFC.3704" ?>
	<?rfc include="reference.RFC.4459" ?>
	<?rfc include="reference.RFC.4632" ?>
	<?rfc include="reference.RFC.4807" ?>
	<?rfc include="reference.RFC.4949" ?>
	<?rfc include="reference.RFC.4963" ?>
	<?rfc include="reference.RFC.4987" ?>
	<?rfc include="reference.RFC.5082" ?>
	<?rfc include="reference.RFC.5350" ?>
	<?rfc include="reference.RFC.5570" ?>


	<?rfc include="reference.I-D.templin-mtuassurance" ?>
	<?rfc include="reference.I-D.wilson-class-e" ?>
	<?rfc include="reference.I-D.ietf-intarea-router-alert-considerations" ?>
	

	<reference anchor="CIPSO1992">
		<front>
			<title>COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)</title>
			<author initials="" surname="CIPSO" fullname="CIPSO">
				<organization></organization>
			</author>
			<date year="1992"/>
		</front>
		<seriesInfo name="IETF Internet-Draft (draft-ietf-cipso-ipsecurity-01.txt), work in progress" value=""/>
	</reference>

	<reference anchor="Barisani2006">
		<front>
			<title>FTester - Firewall and IDS testing tool</title>
			<author initials="A." surname="Barisani" fullname="A. Barisani">
				<organization></organization>
			</author>
			<date year="2001"/>
		</front>
		<seriesInfo name="Available at: http://dev.inversepath.com/trac/ftester" value=""/>
	</reference>


	<reference anchor="Biondi2007">
		<front>
			<title>IPv6 Routing Header Security</title>
			<author initials="P." surname="Biondi" fullname= "P. Biondi">
				<organization></organization>
			</author>
			<author initials="A." surname="Ebalard" fullname= "A. Ebalard">
				<organization></organization>
			</author>

			<date year="2007"/>
		</front>
		<seriesInfo name="CanSecWest 2007 Security Conference" value="http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf"/>
	</reference>


	<reference anchor="CERT1996a">
		<front>
			<title>CERT Advisory CA-1996-01: UDP Port Denial-of-Service Attack</title>
			<author initials="" surname="CERT" fullname="CERT">
				<organization></organization>
			</author>
			<date year="1996"/>
		</front>
		<seriesInfo name="" value="http://www.cert.org/advisories/CA-1996-01.html"/>
	</reference>

	<reference anchor="CERT1996c">
		<front>
			<title>CERT Advisory CA-1996-26: Denial-of-Service Attack via ping</title>
			<author initials="" surname="CERT" fullname="CERT">
				<organization></organization>
			</author>
			<date year="1996"/>
		</front>
		<seriesInfo name="" value="http://www.cert.org/advisories/CA-1996-26.html"/>
	</reference>

	<reference anchor="CERT1997">
		<front>
			<title>CERT Advisory CA-1997-28: IP Denial-of-Service Attacks</title>
			<author initials="" surname="CERT" fullname="CERT">
				<organization></organization>
			</author>
			<date year="1997"/>
		</front>
		<seriesInfo name="" value="http://www.cert.org/advisories/CA-1997-28.html"/>
	</reference>

	<reference anchor="CERT1999">
		<front>
			<title>CERT Advisory CA-1999-17: Denial-of-Service Tools</title>
			<author initials="" surname="CERT" fullname="CERT">
				<organization></organization>
			</author>
			<date year="1999"/>
		</front>
		<seriesInfo name="" value="http://www.cert.org/advisories/CA-1999-17.html"/>
	</reference>


	<reference anchor="CIPSOWG1994">
		<front>
			<title>Commercial Internet Protocol Security Option (CIPSO) Working Group</title>
			<author initials="" surname="CIPSOWG" fullname="CIPSOWG">
				<organization></organization>
			</author>
			<date year="1994"/>
		</front>
		<seriesInfo name="" value="http://www.ietf.org/proceedings/94jul/charters/cipso-charter.html"/>
	</reference>

	<reference anchor="Cisco2008">
		<front>
			<title>Cisco IOS Security Configuration Guide, Release 12.2</title>
			<author initials="" surname="Cisco" fullname="Cisco">
				<organization></organization>
			</author>
			<date year="2003"/>
		</front>
		<seriesInfo name="" value="http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfipso.html"/>
	</reference>



	<reference anchor="FIPS1994">
		<front>
			<title>Standard Security Label for Information Transfer</title>
			<author initials="" surname="FIPS" fullname= "FIPS">
				<organization></organization>
			</author>

			<date year="1994"/>
		</front>
		<seriesInfo name="Federal Information Processing Standards Publication. FIP PUBS 188" value="http://csrc.nist.gov/publications/fips/fips188/fips188.pdf"/>
	</reference>


	<reference anchor="Haddad2004">
		<front>
			<title>Security Distribution for Linux Clusters</title>
			<author initials="I." surname="Haddad" fullname="Haddad">
				<organization></organization>
			</author>
			<author initials="M." surname="Zakrzewski" fullname="Zakrzewski">
				<organization></organization>
			</author>
			<date year="2004"/>
		</front>
		<seriesInfo name="Linux Journal" value="http://www.linuxjournal.com/article/6943"/>
	</reference>


	<reference anchor="IANA2006a">
		<front>
			<title>http://www.iana.org/assignments/ethernet-numbers</title>
			<author initials="" surname="Ether Types" fullname="Ether Types">
				<organization></organization>
			</author>
			<date year=""/>
		</front>
	</reference>


	<reference anchor="IANA2006b">
		<front>
			<title>http://www.iana.org/assignments/ip-parameters</title>
			<author initials="" surname="IP Parameters" fullname="IP Parameters">
				<organization></organization>
			</author>
			<date year=""/>
		</front>
	</reference>


	<reference anchor="IANA2006c">
		<front>
			<title>http://www.iana.org/assignments/protocol-numbers</title>
			<author initials="" surname="Protocol Numbers" fullname="Protocol Numbers">
				<organization></organization>
			</author>
			<date year=""/>
		</front>
	</reference>

	
	<reference anchor="IOS-12.2">
		<front>
			<title>IP Security Options Commands</title>
			<author initials="" surname="Cisco" fullname="Cisco">
				<organization></organization>
			</author>
			<date year="2011"/>
		</front>
		<seriesInfo name="" value="http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfipso.html"/>
	</reference>
	
	<reference anchor="IRIX2008">
		<front>
			<title>IRIX 6.5 trusted_networking(7) manual page</title>
			<author initials="" surname="IRIX" fullname="IRIX">
				<organization></organization>
			</author>
			<date year="2008"/>
		</front>
		<seriesInfo name="" value="http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/cat7/trusted_networking.z"/>
	</reference>

	<reference anchor="Kohno2005">
		<front>
			<title>Remote Physical Device Fingerprinting</title>
			<author initials="T." surname="Kohno" fullname="T. Kohno">
				<organization></organization>
			</author>
			<author initials="A." surname="Broido" fullname="A. Broido">
				<organization></organization>
			</author>
			<author initials="kc" surname="Claffy" fullname="kc Claffy">
				<organization></organization>
			</author>

			<date year="2005"/>
		</front>
		<seriesInfo name="IEEE Transactions on Dependable and Secure Computing" value="Vol. 2, No. 2"/>
	</reference>

	<reference anchor="Landwehr81">
		<front>
			<title>Formal Models for Computer Security</title>
			<author initials="C." surname="Landwehr" fullname="Carl E. Landwehr">
				<organization></organization>
			</author>

			<date year="1981"/>
		</front>
		<seriesInfo name="ACM Computing Surveys" value="Vol 13, No 3, September 1981, Assoc for Computing Machinery, New York, NY, USA"/>
	</reference>
	

	<reference anchor="Linux2006">
		<front>
			<title>http://www.kernel.org</title>
			<author initials="" surname="The Linux Project" fullname="The Linux Kernel web site">
				<organization></organization>
			</author>
			<date year=""/>
		</front>
	</reference>


	<reference anchor="Microsoft1999">
		<front>
			<title>Microsoft Security Program: Microsoft Security Bulletin (MS99-038). Patch Available for "Spoofed Route Pointer" Vulnerability</title>
			<author initials="" surname="Microsoft" fullname="Microsoft">
				<organization></organization>
			</author>
			<date year="1999"/>
		</front>
		<seriesInfo name="" value="http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx"/>
	</reference>


	<reference anchor="CPNI2008">
		<front>
			<title>Security Assessment of the Internet Protocol</title>
			<author initials="F." surname="Gont" fullname="Fernando Gont">
				<organization>Centre for the Protection of National Infrastructure</organization>
			</author>
			<date year="2008"/>
		</front>
		<seriesInfo name="" value="http://www.cpni.gov.uk/Docs/InternetProtocol.pdf"/>
	</reference>

<reference anchor="MEDINA">
<front>
<title>Measuring Interactions Between Transport Protocols and
Middleboxes</title>
<author initials="A." surname="Medina" fullname="Alberto Medina">
<organization />
</author>
<author initials="M." surname="Allman" fullname="Mark Allman">
<organization />
</author>
<author initials="S." surname="Floyd" fullname="Sally Floyd">
<organization />
</author>
<date month="October" year="2004" />
</front>
<seriesInfo name="Proc. 4th ACM SIGCOMM/USENIX Conference on Internet"
value="Measurement" />
</reference>

	<reference anchor="Northcutt2000">
		<front>
			<title>Network Intrusion Detection - An Analyst's Handbook</title>
			<author initials="S." surname="Northcut" fullname="Stephen Northcutt">
				<organization></organization>
			</author>
			<author initials="" surname="Novak" fullname="J. Novak">
				<organization></organization>
			</author>

			<date year="2000"/>
		</front>
		<seriesInfo name="Second Edition" value="New Riders Publishing"/>
	</reference>


	<reference anchor="OpenBSD1998">
		<front>
			<title>OpenBSD Security Advisory: IP Source Routing Problem</title>
			<author initials="" surname="OpenBSD" fullname="OpenBSD">
				<organization></organization>
			</author>
			<date year="1998"/>
		</front>
		<seriesInfo name="" value="http://www.openbsd.org/advisories/sourceroute.txt"/>
	</reference>


	<reference anchor="Paxson2001">
		<front>
			<title>Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics</title>
			<author initials="V." surname="Paxson" fullname="V. Paxson">
				<organization></organization>
			</author>
			<author initials="M." surname="Handley" fullname="M. Handley">
				<organization></organization>
			</author>
			<author initials="C." surname="Kreibich" fullname="C. Kreibich">
				<organization></organization>
			</author>

			<date year="2001"/>
		</front>
		<seriesInfo name="" value="USENIX Conference, 2001"/>
	</reference>



	<reference anchor="OpenBSD-PF">
		<front>
			<title>PF: Scrub (Packet Normalization)</title>
			<author initials="S." surname="Sanfilippo" fullname="S. Sanfilippo">
				<organization></organization>
			</author>
			<date year="2010"/>
		</front>
		<seriesInfo name="" value="http://www.openbsd.org/faq/pf/scrub.html"/>
	</reference>


	<reference anchor="SELinux2008">
		<front>
			<title>http://www.nsa.gov/selinux/</title>
			<author initials="" surname="Security Enhanced Linux" fullname="Security Enhanced Linux">
				<organization></organization>
			</author>
			<date year=""/>
		</front>
	</reference>

	
	<reference anchor="Silbersack2005">
		<front>
			<title>Improving TCP/IP security through randomization without sacrificing interoperability</title>
			<author initials="M.J." surname="Silbersack" fullname="M. J. Silbersack">
				<organization></organization>
			</author>
			<date year="2005"/>
		</front>
		<seriesInfo name="EuroBSDCon 2005 Conference" value="http://www.silby.com/eurobsdcon05/eurobsdcon_slides.pdf"/>
	</reference>


	<reference anchor="Solaris2008">
		<front>
			<title>http://www.sun.com/software/solaris/ds/trusted_extensions.jsp#3</title>
			<author initials="" surname="Solaris Trusted Extensions - Labeled Security for Absolute Protection" fullname="Solaris Trusted Extensions - Labeled Security for Absolute Protection">
				<organization></organization>
			</author>
			<date year="2008"/>
		</front>
	</reference>


	<reference anchor="US-CERT2001">
		<front>
			<title>US-CERT Vulnerability Note VU#446689: Check Point FireWall-1 allows fragmented packets through firewall if Fast Mode is enabled</title>
			<author initials="" surname="US-CERT" fullname="US-CERT">
				<organization></organization>
			</author>
			<date year="2001"/>
		</front>
		<seriesInfo name="" value="http://www.kb.cert.org/vuls/id/446689"/>
	</reference>


	<reference anchor="US-CERT2002">
		<front>
			<title>US-CERT Vulnerability Note VU#310387: Cisco IOS discloses fragments of previous packets when Express Forwarding is enabled</title>
			<author initials="" surname="US-CERT" fullname="US-CERT">
				<organization></organization>
			</author>
			<date year="2002"/>
		</front>
		<seriesInfo name="" value="http://www.kb.cert.org/vuls/id/310387"/>
	</reference>

	<reference anchor="Zakrzewski2002">
		<front>
			<title>Linux Distributed Security Module</title>
			<author initials="M." surname="Zakrzewski" fullname= "M. Zakrzewski">
				<organization></organization>
			</author>
			<author initials="I." surname="Haddad" fullname= "I. Haddad">
				<organization></organization>
			</author>
			<date year="2002"/>
		</front>
		<seriesInfo name="" value="http://www.linuxjournal.com/article/6215"/>
	</reference>


</references>


<section title="Changes from previous versions of the draft (to be removed by the RFC Editor before publishing this document as an RFC)" anchor="changes">
<section title="Changes introduced in draft-gont-opsec-ip-options-filtering-01">
<list style="symbols">
<t>Populated many sections that had a "TBD" placeholder.</t>
<t>Many unused references were prunned from the "References" section.</t>
<t>Addresses part of the comments provided by Carlos Pignataro and Donald Smith.</t>
</list>
</section>


</section>

</back>
</rfc>