-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-opsec-ip-options-filtering-00.xml
2747 lines (2074 loc) · 168 KB
/
draft-opsec-ip-options-filtering-00.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- try to enforce the ID-nits conventions and DTD validity -->
<?rfc strict="no" ?> <!-- items used when reviewing the document -->
<?rfc comments="no" ?> <!-- controls display of <cref> elements -->
<?rfc inline="no" ?> <!-- when no, put comments at end in comments section,
otherwise, put inline -->
<?rfc editing="no" ?> <!-- when yes, insert editing marks -->
<!-- create table of contents (set it options).
Note the table of contents may be omitted
for very short documents -->
<?rfc toc="yes"?><?rfc tocompact="yes"?>
<?rfc tocdepth="4"?>
<!-- choose the options for the references. Some like
symbolic tags in the references (and citations)
and others prefer numbers. -->
<?rfc symrefs="yes"?><?rfc sortrefs="yes" ?>
<!-- these two save paper: start new paragraphs from the same page etc. -->
<?rfc compact="yes" ?><?rfc subcompact="no" ?>
<!-- end of list of processing instructions -->
<!-- Information about the document.
categories values: std, bcp, info, exp, and historic
For Internet-Drafts, specify attribute "ipr".
(ipr values are: full3667, noModification3667, noDerivatives3667),
Also for Internet-Drafts, can specify values for
attributes "iprExtract", and "docName". Note
that the value for iprExtract is the anchor attribute
value of a section that can be extracted, and is only
useful when the value of "ipr" is not "full3667". -->
<!-- TODO: verify which attributes are specified only
by the RFC editor. It appears that attributes
"number", "obsoletes", "updates", and "seriesNo"
are specified by the RFC editor (and not by
the document author). -->
<rfc
category="info"
ipr="trust200811"
docName="draft-ietf-opsec-ip-security-03.txt" >
<front>
<title abbrev="IPv4 Security Assessment">Security Assessment of the Internet Protocol version 4</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<author
fullname="Fernando Gont"
initials="F.G."
surname="Gont">
<!-- abbrev not needed but can be used for the header
if the full organization name is too long -->
<organization abbrev="UK CPNI">UK Centre for the Protection of National Infrastructure</organization>
<address>
<email>[email protected]</email>
<uri>http://www.cpni.gov.uk</uri>
<!-- If I had a phone, fax machine, and a URI, I could add the following: --->
</address>
</author>
<date year="2010" month="February"/>
<!-- month="May" is no longer necessary note also, day="30" is optional -->
<area>Internet</area> <!-- WG name at the upperleft corner of the doc,
IETF fine for individual submissions -->
<workgroup>Operational Security Capabilities for IP Network Infrastructure (opsec)</workgroup>
<abstract>
<t>
This document contains a security assessment of the IETF specifications of the Internet Protocol version 4, and of a number of mechanisms and policies in use by popular IPv4 implementations. It is based on the results of a project carried out by the UK's Centre for the Protection of National Infrastructure (CPNI).
</t>
</abstract>
</front>
<middle>
<section title="Preface">
<section title="Introduction">
<t>
The TCP/IP protocols were conceived in an environment that was quite different from the hostile environment they currently operate in. However, the effectiveness of the protocols led to their early adoption in production environments, to the point that, to some extent, the current world's economy depends on them.
</t>
<t>
While many textbooks and articles have created the myth that the Internet protocols were designed for warfare environments, the top level goal for the DARPA Internet Program was the sharing of large service machines on the ARPANET <xref target="Clark1988"/>. As a result, many protocol specifications focus only on the operational aspects of the protocols they specify, and overlook their security implications.</t>
<t>
While the Internet technology evolved since its inception, the Internet's building blocks are basically the same core protocols adopted by the ARPANET more than two decades ago. During the last twenty years, many vulnerabilities have been identified in the TCP/IP stacks of a number of systems. Some of them were based on flaws in some protocol implementations, affecting only a reduced number of systems, while others were based on flaws in the protocols themselves, affecting virtually every existing implementation <xref target="Bellovin1989"/>. Even in the last couple of years, researchers were still working on security problems in the core protocols <xref target="I-D.ietf-tcpm-icmp-attacks"/> <xref target="Watson2004"/> <xref target="NISCC2004"/> <xref target="NISCC2005"/>.</t>
<t>
The discovery of vulnerabilities in the TCP/IP protocols led to reports being published by a number of CSIRTs (Computer Security Incident Response Teams) and vendors, which helped to raise awareness about the threats and the best mitigations known at the time the reports were published. Unfortunately, this also led to the documentation of the discovered protocol vulnerabilities being spread among a large number of documents, which are sometimes difficult to identify.</t>
<t>
For some reason, much of the effort of the security community on the Internet protocols did not result in official documents (RFCs) being issued by the IETF (Internet Engineering Task Force). This basically led to a situation in which "known" security problems have not always been addressed by all vendors. In addition, in many cases vendors have implemented quick "fixes" to protocol flaws without a careful analysis of their effectiveness and their impact on interoperability <xref target="Silbersack2005"/>.</t>
<t>
The lack of adoption of these fixes by the IETF means that any system built in the future according to the official TCP/IP specifications will reincarnate security flaws that have already hit our communication systems in the past.</t>
<t>
Producing a secure TCP/IP implementation nowadays is a very difficult task, in part because of the lack of a single document that serves as a security roadmap for the protocols. Implementers are faced with the hard task of identifying relevant documentation and differentiate between that which provides correct advisory, and that which provides misleading advisory based on inaccurate or wrong assumptions.</t>
<t>
There is a clear need for a companion document to the IETF specifications that discusses the security aspects and implications of the protocols, identifies the possible threats, discusses the possible counter-measures, and analyzes their respective effectiveness.</t>
<t>
This document is the result of an assessment of the IETF specifications of the Internet Protocol (IP), from a security point of view. Possible threats were identified and, where possible, counter-measures were proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. Furthermore, this document does not limit itself to performing a security assessment of the relevant IETF specifications, but also provides an assessment of common implementation strategies found in the real world.</t>
<t>
This document does not aim to be the final word on the security of the Internet Protocol (IP). On the contrary, it aims to raise awareness about many security threats based on the IP protocol that have been faced in the past, those that we are currently facing, and those we may still have to deal with in the future. It provides advice for the secure implementation of the Internet Protocol (IP), but also provides insights about the security aspects of the Internet Protocol that may be of help to the Internet operations community.</t>
<t>
Feedback from the community is more than encouraged to help this document be as accurate as possible and to keep it updated as new threats are discovered.
</t>
<t>This document is heavily based on the "Security Assessment of the Internet Protocol" <xref target="CPNI2008"/> released by the UK Centre for the Protection of National Infrastructure (CPNI), available at: http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx .</t>
</section>
<section title="Scope of this document">
<t>
While there are a number of protocols that affect the way in which IP systems operate, this document focuses only on the specifications of the Internet Protocol (IP). For example, routing and bootstrapping protocols are considered out of the scope of this project.</t>
<t>
The following IETF RFCs were selected for assessment as part of this work:</t>
<t>
<list style="symbols">
<t>RFC 791, "Internet Protocol. DARPA Internet Program. Protocol Specification" (51 pages). </t>
<t>RFC 815, "IP datagram reassembly algorithms" (9 pages). </t>
<t>RFC 919, "BROADCASTING INTERNET DATAGRAMS" (8 pages).</t>
<t>RFC 950, "Internet Standard Subnetting Procedure" (18 pages)</t>
<t>RFC 1112, "Host Extensions for IP Multicasting" (17 pages)</t>
<t>RFC 1122, "Requirements for Internet Hosts -- Communication Layers" (116 pages).</t>
<t>RFC 1812, "Requirements for IP Version 4 Routers" (175 pages).</t>
<t>RFC 2474, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers" (20 pages).</t>
<t>RFC 2475, "An Architecture for Differentiated Services" (36 pages).</t>
<t>RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP" (63 pages).</t>
<t>RFC 4632, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan" (27 pages).</t>
</list>
</t>
</section>
<section title="Organization of this document">
<t>
This document is basically organized in two parts: "Internet Protocol header fields" and "Internet Protocol mechanisms". The former contains an analysis of each of the fields of the Internet Protocol header, identifies their security implications, and discusses the possible counter-measures. The latter contains an analysis of the security implications of the mechanisms implemented by the Internet Protocol.</t>
</section>
</section>
<section title="The Internet Protocol">
<t>
The Internet Protocol (IP) provides a basic data transfer function for passing data blocks called "datagrams" from a source host to a destination host, across the possible intervening networks. Additionally, it provides some functions that are useful for the interconnection of heterogeneous networks, such as fragmentation and reassembly.</t>
<t>
The "datagram" has a number of characteristics that makes it convenient for interconnecting systems <xref target="Clark1988"/>:</t>
<t>
<list style="symbols">
<t>It eliminates the need of connection state within the network, which improves the survivability characteristics of the network.</t>
<t>It provides a basic service of data transport that can be used as a building block for other transport services (reliable data transport services, etc.).</t>
<t>It represents the minimum network service assumption, which enables IP to be run over virtually any network technology.</t>
</list>
</t>
</section>
<section title="Internet Protocol Header Fields">
<t>The IETF specifications of the Internet Protocol define the syntax of the protocol header, along with the semantics of each of its fields. Figure 1 shows the format of an IP datagram. </t>
<t>
<figure title="Internet Protocol header format" anchor="ipheader">
<artwork align="center">
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
<postamble></postamble>
</figure>
</t>
<t>Even when the minimum IP header size is 20 bytes, an IP module might be handed an (illegitimate) "datagram" of less than 20 bytes. Therefore, before doing any processing of the IP header fields, the following check should be performed by the IP module on the packets handed by the link layer:</t>
<t>
<artwork align="center">
LinkLayer.PayloadSize >= 20
</artwork>
</t>
<t>where LinkLayer.PayloadSize is the length (in octets) of the datagram passed from the link layer to the IP layer.</t>
<t>If the packet does not pass this check, it should be dropped, and this event should be logged (e.g., a counter could be incremented reflecting the packet drop).</t>
<t>The following subsections contain further sanity checks that should be performed on IP packets.</t>
<section title="Version">
<t>This is a 4-bit field that indicates the version of the Internet Protocol (IP), and thus the syntax of the packet. For IPv4, this field must be 4.</t>
<t>When a Link-Layer protocol de-multiplexes a packet to an internet module, it does so based on a "Protocol Type" field in the data-link packet header.</t>
<t>In theory, different versions of IP could coexist on a network by using the same "Protocol Type" at the Link-layer, but a different value in the Version field of the IP header. Thus, a single IP module could handle all versions of the Internet Protocol, differentiating them by means of this field. </t>
<t>However, in practice different versions of IP are identified by a different "Protocol Type" number in the link-layer protocol header. For example, IPv4 datagrams are encapsulated in Ethernet frames using a "Protocol Type" field of 0x0800, while IPv6 datagrams are encapsulated in Ethernet frames using a "Protocol Type" field of 0x86DD <xref target="IANA2006a"/>.</t>
<t>Therefore, if an IPv4 module receives a packet, the Version field must be checked to be 4. If this check fails, the packet should be silently dropped, and this event should be logged (e.g., a counter could be incremented reflecting the packet drop).</t>
</section>
<section title="IHL (Internet Header Length)">
<t>
The IHL (Internet Header Length) indicates the length of the internet header in 32-bit words (4 bytes). As the minimum datagram size is 20 bytes, the minimum legal value for this field is 5. Therefore, the following check should be enforced:</t>
<t>
<artwork align="center">
IHL >= 5
</artwork>
</t>
<t>If the packet does not pass this check, it should be dropped, and this event should be logged (e.g., a counter could be incremented reflecting the packet drop).</t>
<t>For obvious reasons, the Internet header cannot be larger than the whole Internet datagram it is part of. Therefore, the following check should be enforced:</t>
<t>
<artwork align="center">
IHL * 4 <= Total Length
</artwork>
</t>
<t>
<list style="hanging">
<t>This needs to refer to the size of the datagram as specified by the sender in the Total Lenght field, since link layers might have added some padding (see <xref target="total-length"/>).</t>
</list>
</t>
<t>If the packet does not pass this check, it should be dropped, and this event should be logged (e.g., a counter could be incremented reflecting the packet drop).</t>
<t>The above check allows for Internet datagrams with no data bytes in the payload that, while nonsensical for virtually every protocol that runs over IP, are is still legal.</t>
</section>
<section title="Type of Service">
<section title="Original Interpretation" anchor="TOS-discussion">
<t>Figure 2 shows the original syntax of the Type of Service field, as defined by RFC 791 <xref target="RFC0791"/>, and updated by RFC 1349 <xref target="RFC1349"/>. This definition has been superseded long ago (see <xref target="diffserv"/> and <xref target="ecn"/>), but it is still assumed by some deployed implementations.</t>
<t>
<figure title="Type of Service field" align="center" anchor="TOS">
<artwork>
0 1 2 3 4 5 6 7
+-----+-----+-----+-----+-----+-----+-----+-----+
| PRECEDENCE | D | T | R | C | 0 |
+-----+-----+-----+-----+-----+-----+-----+-----+
</artwork>
<postamble></postamble>
</figure>
</t>
<texttable title="TOS bits" style="all" anchor="TOSbits">
<ttcol align="left">Bits 0-2</ttcol>
<ttcol align="center">Precedence</ttcol>
<c>Bit 3</c>
<c>0 = Normal Delay, 1 = Low Delay</c>
<c>Bit 4</c>
<c>0 = Normal Throughput, 1 = High Throughput</c>
<c>Bit 5</c>
<c>0 = Normal Reliability, 1 = High Reliability</c>
<c>Bit 6</c>
<c>0 = Normal Cost, 1 = Minimize Monetary Cost</c>
<c>Bits 7</c>
<c>Reserved for Future Use (must be zero)</c>
</texttable>
<texttable title="Precedence field" style="all" anchor="Precedence">
<ttcol align="left">111</ttcol>
<ttcol align="center">Network Control</ttcol>
<c>110</c>
<c>Internetwork</c>
<c>101</c>
<c>CRITIC/ECP</c>
<c>100</c>
<c>Flash Override</c>
<c>011</c>
<c>Flash</c>
<c>010</c>
<c>Immediate</c>
<c>001</c>
<c>Priority</c>
<c>000</c>
<c>Routine</c>
</texttable>
<t>The Type of Service field can be used to affect the way in which the packet is treated by the systems of a network that process it. Section 4.2.1 ("Precedence-ordered queue service") and Section 4.2.3 ("Weak TOS") of this document describe the security implications of the Type of Service field in the forwarding of packets.</t>
</section>
<section title="Standard Interpretation" anchor="tos-standard">
<section title="Differentiated Services field" anchor="diffserv">
<t>The Differentiated Services Architecture is intended to enable scalable service discrimination in the Internet without the need for per-flow state and signaling at every hop <xref target="RFC2475"/>. RFC 2474 <xref target="RFC2474"/> redefined the IP &Type of Service& octet, introducing a Differentiated Services Field (DS Field. <xref target="dsfield"/> shows the format of the field.</t>
<t>
<figure title="Structure of the DS Field" align="center" anchor="dsfield">
<artwork align="center">
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| DSCP | CU |
+---+---+---+---+---+---+---+---+
</artwork>
<postamble></postamble>
</figure>
</t>
<t>The DSCP ("Differentiated Services CodePoint").is used to select the treatment the packet is to receive within the Differentiated Services Domain. The CU ("Currently Unused") field was, at the time the specification was issued, reserved for future use. The DSCP field is used to select a PHB, by matching against the entire 6-bit field. </t>
<t>Considering that the DSCP field determines how a packet is treated within a DS domain, an attacker send packets with a forged DSCP field to perform a theft of service or even a Denial of Service attack. In particular, an attacker could forge packets with a codepoint of the type '11x000' which, according to Section 4.2.2.2 of RFC 2474 <xref target="RFC2474"/>, would give the packets preferential forwarding treatment when compared with the PHB selected by the codepoint '000000'. If strict priority queuing were utilized, a continuous stream of such pockets could perform a Denial of Service to other flows which have a DSCP of lower relative order.</t>
<t>As the DS field is incompatible with the original Type of Service field, both DS domains and networks using the original Type of Service field should protect themselves by remarking the corresponding field where appropriate, probably deploying remarking boundary nodes. Nevertheless, care must be taken so that packets received with an unrecognized DSCP do not cause the handling system to malfunction.</t>
</section>
<section title="Explicit Congestion Notification (ECN)" anchor="ecn">
<t>RFC 3168 <xref target="RFC3168"/> specifies a mechanism for routers to signal congestion to hosts sending IP packets, by marking the offending packets, rather than discarding them. RFC 3168 defines the ECN field, which utilizes the CU unused field of the DSCP field described in Section 3.14 of this document. <xref target="figure-ecn"/> shows the syntax of the ECN field, together with the DSCP field used for Differentiated Services.</t>
<t>
<figure title="The Differentiated Services and ECN fields in IP" align="center" anchor="figure-ecn">
<artwork align="center">
0 1 2 3 4 5 6 7
+-----+-----+-----+-----+-----+-----+-----+-----+
| DS FIELD, DSCP | ECN FIELD |
+-----+-----+-----+-----+-----+-----+-----+-----+
</artwork>
<postamble></postamble>
</figure>
</t>
<t>As such, the ECN field defines four codepoints:</t>
<texttable title="ECN codepoints" style="all" anchor="ecncodepoints">
<ttcol align="center">ECN field</ttcol>
<ttcol align="center">Codepoint</ttcol>
<c>00</c>
<c>Not-ECT</c>
<c>01</c>
<c>ECT(1)</c>
<c>10</c>
<c>ECT(0)</c>
<c>11</c>
<c>CE</c>
</texttable>
<t>The security implications of ECN are discussed in detail in a number of Sections of RFC 3168. Of the possible threats discussed in the ECN specification, we believe that one that can be easily exploited is that of host falsely indicating ECN-Capability.</t>
<t>An attacker could set the ECT codepoint in the packets it sends, to signal the network that the endpoints of the transport protocol are ECN-capable. Consequently, when experiencing moderate congestion, routers using active queue management based on RED would mark the packets (with the CE codepoint) rather than discard them. In the same scenario, packets of competing flows that do not have the ECT codepoint set would be dropped. Therefore, an attacker would get better network service than the competing flows.</t>
<t>However, if this moderate congestion turned into heavy congestion, routers should switch to drop packets, regardless of whether the packets have the ECT codepoint set or not.</t>
<t>A number of other threats could arise if an attacker was a man in the middle (i.e., was in the middle of the path the packets travel to get to the destination host). For a detailed discussion of those cases, we urge the reader to consult Section 16 of RFC 3168.</t>
</section>
</section>
</section>
<section title="Total Length" anchor="total-length">
<t>The Total Length field is the length of the datagram, measured in bytes, including both the IP header and the IP payload. Being a 16-bit field, it allows for datagrams of up to 65535 bytes. RFC 791 <xref target="RFC0791"/> states that all hosts should be prepared to receive datagrams of up to 576 bytes (whether they arrive as a whole, or in fragments). However, most modern implementations can reassemble datagrams of at least 9 Kbytes.</t>
<t>Usually, a host will not send to a remote peer an IP datagram larger than 576 bytes, unless it is explicitly signaled that the remote peer is able to receive such "large" datagrams (for example, by means of TCP's MSS option). However, systems should assume that they may be sent datagrams larger than 576 bytes, regardless of whether they signal their remote peers to do so or not. In fact, it is common for NFS <xref target="RFC3530"/>implementations to send datagrams larger than 576 bytes, even without explicit signaling that the destination system can receive such "large" datagram.</t>
<t>
<list style="hanging">
<t>Additionally, see the discussion in Section 4.1 "Fragment reassembly" regarding the possible packet sizes resulting from fragment reassembly.</t>
</list>
</t>
<t>Implementations should be aware that the IP module could be handed a packet larger than the value actually contained in the Total Length field. Such a difference usually has to do with legitimate padding bytes at the link-layer protocol, but it could also be the result of malicious activity by an attacker. Furthermore, even when the maximum length of an IP datagram is 65535 bytes, if the link-layer technology in use allows for payloads larger than 65535 bytes, an attacker could forge such a large link-layer packet, meaning it for the IP module. If the IP module of the receiving system were not prepared to handle such an oversized link-layer payload, an unexpected failure might occur. Therefore, the memory buffer used by the IP module to store the link-layer payload should be allocated according to the payload size reported by the link-layer, rather than according to the Total Length field of the IP packet it contains. </t>
<t>The IP module could also be handed a packet that is smaller than the actual IP packet size claimed by the Total Length field. This could be used, for example, to produce an information leakage. Therefore, the following check should be performed:</t>
<t>
<artwork align="center">
LinkLayer.PayloadSize >= Total Length
</artwork>
</t>
<t>If this check fails, the IP packet should be dropped, and this event should be logged (e.g., a counter could be incremented reflecting the packet drop). As the previous expression implies, the number of bytes passed by the link-layer to the IP module should contain at least as many bytes as claimed by the Total Length field of the IP header.</t>
<t>
<list style="hanging">
<t><xref target="US-CERT2002"/> is an example of the exploitation of a forged IP Total Length field to produce an information leakage attack.</t>
</list>
</t>
</section>
<section title="Identification (ID)">
<t>The Identification field is set by the sending host to aid in the reassembly of fragmented datagrams. At any time, it needs to be unique for each set of {Source Address, Destination Address, Protocol}.</t>
<t>In many systems, the value used for this field is determined at the IP layer, on a protocol-independent basis. Many of those systems also simply increment the IP Identification field for each packet they send. </t>
<t>This implementation strategy is inappropriate for a number of reasons. First, if the Identification field is set on a protocol-independent basis, it will wrap more often than necessary, and thus the implementation will be more prone to the problems discussed in <xref target="Kent1987"/> and <xref target="RFC4963"/>.</t>
<t>Additionally, this implementation strategy opens the door to an information leakage that can be exploited in a number of ways. <xref target="Sanfilippo1998a"/> originally pointed out how this field could be examined to determine the packet rate at which a given system is transmitting information. Later, <xref target="Sanfilippo1998b"/> described how a system with such an implementation can be used to perform a stealth port scan to a third (victim) host. <xref target="Sanfilippo1999"/> explained how to exploit this implementation strategy to uncover the rules of a number of firewalls. <xref target="Bellovin2002"/> explains how the IP Identification field can be exploited to count the number of systems behind a NAT. <xref target="Fyodor2004"/> is an entire paper on most (if not all) the ways to exploit the information provided by the Identification field of the IP header.</t>
<section title="Some workarounds implemented by the industry">
<t>As the IP Identification field is only used for the reassembly of datagrams, some operating systems (such as Linux) decided to set this field to 0 in all packets that have the DF bit set. This would, in principle, avoid any type of information leakage. However, it was detected that some non-RFC-compliant middle-boxes fragmented packets even if they had the DF bit set. In such a scenario, all datagrams originally sent with the DF bit set would all result in fragments that would have an Identification field of 0, which would lead to problems ("collision" of the Identification number) in the reassembly process.</t>
<t>Linux (and Solaris) later set the IP Identification field on a per-IP-address basis. This avoids some of the security implications of the IP Identification field, but not all. For example, systems behind a load balancer can still be counted.</t>
</section>
<section title="Possible security improvements">
<t>Contrary to common wisdom, the IP Identification field does not need to be system-wide unique for each packet, but has to be unique for each {Source Address, Destination Address, Protocol} tuple. </t>
<t>
<list style="hanging">
<t>For instance, the TCP specification defines a generic send() function which takes the IP ID as one of its arguments.</t>
</list>
</t>
<t>We provide an analysis of the possible security improvements that could be implemented, based on whether the protocol using the services of IP is connection-oriented or connection-less.</t>
<section title="Connection-oriented protocols">
<t>To avoid the security implications of the information leakage described above, a pseudo-random number generator (PRNG) could be used to set the IP Identification field on a {Source Address, Destination Address} basis (for each connection-oriented transport protocol).</t>
<t>
<list style="hanging">
<t><xref target="Klein2007"/> is a security advisory that describes a weakness in the pseudo random number generator (PRNG) in use for the generation of the IP Identification by a number of operating systems.</t>
</list>
</t>
<t>While in theory a pseudo-random number generator could lead to scenarios in which a given Identification number is used more than once in the same time-span for datagrams that end up getting fragmented (with the corresponding potential reassembly problems), in practice this is unlikely to cause trouble. </t>
<t>By default, most implementations of connection-oriented protocols, such as TCP, implement some mechanism for avoiding fragmentation (such as the Path-MTU Discovery mechanism described in <xref target="RFC1191"/>). Thus, fragmentation will only take place sporadically, when a non-RFC-compliant middle-box is placed somewhere along the path that the packets travel to get to the destination host. Once the sending system is signaled by the middle-box that it should reduce the size of the packets it sends, fragmentation would be avoided. Also, for reassembly problems to arise, the same Identification field should be reused very frequently, and either strong packet reordering or packet loss should take place. </t>
<t>Nevertheless, regardless of what policy is used for selecting the Identification field, with the current link speeds fragmentation is already bad enough to rely on it. A mechanism for avoiding fragmentation (such as <xref target="RFC1191"/> or <xref target="RFC4821"/> should be implemented, instead.</t>
</section>
<section title="Connectionless protocols">
<t>Connectionless protocols usually have these characteristics:</t>
<t>
<list style="symbols">
<t>lack of flow-control mechanisms,</t>
<t>lack of packet sequencing mechanisms, and,</t>
<t>lack of reliability mechanisms (such as "timeout and retransmit").</t>
</list>
</t>
<t>This basically means that the scenarios and/or applications for which connection-less transport protocols are used assume that:</t>
<t>
<list style="symbols">
<t>Applications will be used in environments in which packet reordering is very unlikely (such as Local Area Networks), as the transport protocol itself does not provide data sequencing. </t>
<t>The data transfer rates will be low enough that flow control will be unnecessary.</t>
<t>Packet loss is not important and probably also unlikely.</t>
</list>
</t>
<t>With these assumptions in mind, the Identification field could still be set according to a pseudo-random number generator (PRNG). In the event a given Identification number was reused while the first instance of the same number is still on the network, the first IP datagram would be reassembled before the fragments of the second IP datagram get to their destination. </t>
<t>In the event this was not the case, the reassembly of fragments would result in a corrupt datagram. While some existing work <xref target="Silbersack2005"/> assumes that this error would be caught by some upper-layer error detection code, the error detection code in question (such as UDP's checksum) might be intended to detect single bit errors, rather than data corruption arising from the replacement of a complete data block (as is the case in corruption arising from collision of IP Identification numbers). </t>
<t>
<list style="hanging">
<t>In the case of UDP, unfortunately some systems have been known to not enable the UDP checksum by default. For most applications, packets containing errors should be dropped. Probably the only application that may benefit from disabling the checksum is streaming media, to avoid dropping a complete sample for a single-bit error. </t>
</list>
</t>
<t>In general, if IP Identification number collisions become an issue for the application using the connection-less protocol, then use of a different transport protocol (which hopefully avoids fragmentation) should be considered.</t>
<t>It must be noted that an attacker could intentionally exploit collisions of IP Identification numbers to perform a Denial of Service attack, by sending forged fragments that would cause the reassembly process to result in a corrupt datagram that would either be dropped by the transport protocol, or would incorrectly be handed to the corresponding application. This issue is discussed in detail in section 4.1 ("Fragment Reassembly").</t>
</section>
</section>
</section>
<section title="Flags">
<t>The IP header contains 3 control bits, two of which are currently used for the fragmentation and reassembly function.</t>
<t>As described by RFC 791, their meaning is:</t>
<t>Bit 0: reserved, must be zero</t>
<t>Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment</t>
<t>Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments</t>
<t>The DF bit is usually set to implement the Path-MTU Discovery (PMTUD) mechanism described in <xref target="RFC1191"/>. However, it can also be exploited by an attacker to evade Network Intrusion Detection Systems. An attacker could send a packet with the DF bit set to a system monitored by a NIDS, and depending on the Path-MTU to the intended recipient, the packet might be dropped by some intervening router (because of being too big to be forwarded without fragmentation), without the NIDS being aware of it.</t>
<t>
<figure title="NIDS evasion by means of the Internet Protocol DF bit" anchor="nidsevasion">
<artwork>
+---+
| R |
+---+ Victim host
|
Router A | MTU=1500
|
+---+ +---+ +---+
| R |-----| R |---------| R |
+---+ +---+ +---+
| MTU=17914 Router B
+---+ |
| R |-----+
+---+ |
|
NIDS Sensor |
|
_ ___/---\___ Attacker
/ \_/ \--\_ +---+
/ Internet |---------| |
\_ __/ +---+
\__ __ ___/ <------
\---/ \__/ 17914-byte packet
DF bit set
</artwork>
<postamble></postamble>
</figure>
</t>
<t>In Figure 3, an attacker sends a 17914-byte datagram meant to the victim host in the same figure. The attacker's packet probably contains an overlapping IP fragment or an overlapping TCP segment, aiming at "confusing" the NIDS, as described in <xref target="Ptacek1998"/>. The packet is screened by the NIDS sensor at the network perimeter, which probably reassembles IP fragments and TCP segments for the purpose of assessing the data transferred to and from the monitored systems. However, as the attacker's packet should transit a link with an MTU smaller than 17914 bytes (1500 bytes in this example), the router that encounters that this packet cannot be forwarded without fragmentation (Router B) discards the packet, and sends an ICMP "fragmentation needed and DF bit set" error message to the source host. In this scenario, the NIDS may remain unaware that the screened packet never reached the intended destination, and thus get an incorrect picture of the data being transferred to the monitored systems.</t>
<t>
<list style="hanging">
<t><xref target="Shankar2003"/> introduces a technique named "Active Mapping" that prevents evasion of a NIDS by acquiring sufficient knowledge about the network being monitored, to assess which packets will arrive at the intended recipient, and how they will be interpreted by it.</t>
</list>
</t>
<t>Some firewalls are known to drop packets that have both the MF (More Fragments) and the DF (Don't fragment) bits set. While in principle such a packet might seem nonsensical, there are a number of reasons for which non-malicious packets with these two bits set can be found in a network. First, they may exist as the result of some middle-box processing a packet that was too large to be forwarded without fragmentation. Instead of simply dropping the corresponding packet and sending an ICMP error message to the source host, some middle-boxes fragment the packet (copying the DF bit to each fragment), and also send an ICMP error message to the originating system. Second, some systems (notably Linux) set both the MF and the DF bits to implement Path-MTU Discovery (PMTUD) for UDP. These scenarios should be taken into account when configuring firewalls and/or tuning Network Intrusion Detection Systems (NIDS).</t>
</section>
<section title="Fragment Offset">
<t>The Fragment Offset is used for the fragmentation and reassembly of IP datagrams. It indicates where in the original datagram payload the payload of the fragment belongs, and is measured in units of eight bytes. As a consequence, all fragments (except the last one), have to be aligned on an 8-byte boundary. Therefore, if a packet has the MF flag set, the following check should be enforced:</t>
<t>
<artwork align="center">
(Total Length - IHL * 4) % 8 == 0
</artwork>
</t>
<t>If the packet does not pass this check, it should be dropped, and this event should be logged (e.g., a counter could be incremented reflecting the packet drop).</t>
<t>Given that Fragment Offset is a 13-bit field, it can hold a value of up to 8191, which would correspond to an offset 65528 bytes within the original (non-fragmented) datagram. As such, it is possible for a fragment to implicitly claim to belong to a datagram larger than 65535 bytes (the maximum size for a legitimate IP datagram). Even when the fragmentation mechanism would seem to allow fragments that could reassemble into such large datagrams, the intent of the specification is to allow for the transmission of datagrams of up to 65535 bytes. Therefore, if a given fragment would reassemble into a datagram of more than 65535 bytes, the resulting datagram should be dropped, and this event should be logged (e.g., a counter could be incremented reflecting the packet drop). To detect such a case, the following check should be enforced on all packets for which the Fragment Offset contains a non-zero value:</t>
<t>
<artwork align="center">
Fragment Offset * 8 + (Total Length - IHL * 4) + IHL_First_Fragment * 4 <= 65535
</artwork>
</t>
<t>
where IHL_First_Fragment is the IHL field of the first fragment (the one with a Fragment Offset of 0).</t>
<t>If a fragment does not pass this check, it should be dropped.</t>
<t>In the worst-case scenario, an attacker could craft IP fragments such that the reassembled datagram reassembled into a datagram of 131043 bytes.</t>
<t>
<list style="hanging">
<t>Such a datagram would result when the first fragment has a Fragment Offset of 0 and a Total Length of 65532, and the second (and last) fragment has a Fragment Offset of 8189 (65512 bytes), and a Total Length of 65535. Assuming an IHL of 5 (i.e., a header length of 20 bytes), the reassembled datagram would be 65532 + (65535 - 20) = 131047 bytes.</t>
</list>
</t>
<t>Additionally, the IP module should implement all the necessary measures to be able to handle such illegitimate reassembled datagrams, so as to avoid them from overflowing the buffer(s) used for the reassembly function.</t>
<t>
<list style="hanging">
<t><xref target="CERT1996c"/> and <xref target="Kenney1996"/> describe the exploitation of this issue to perform a Denial of Service (DoS) attack.</t>
</list>
</t>
</section>
<section title="Time to Live (TTL)">
<t>The Time to Live (TTL) field has two functions: to bind the lifetime of the upper-layer packets (e.g., TCP segments) and to prevent packets from looping indefinitely in the network.</t>
<t>Originally, this field was meant to indicate the maximum time a datagram was allowed to remain in the internet system, in units of seconds. As every internet module that processes a datagram must decrement the TTL by at least one, the original definition of the TTL field became obsolete, and in practice it is interpreted as a hop count (see Section 5.3.1 of <xref target="RFC1812"/>).</t>
<t>Most systems allow the administrator to configure the TTL to be used for the packets sent, with the default value usually being a power of 2, or 255 (see e.g. <xref target="Arkin2000"/>). The recommended value for the TTL field, as specified by the IANA is 64 <xref target="IANA2006b"/>. This value reflects the assumed "diameter" of the Internet, plus a margin to accommodate its growth.</t>
<t>The TTL field has a number of properties that are interesting from a security point of view. Given that the default value used for the TTL is usually a power of eight, chances are that, unless the originating system has been explicitly tuned to use a non-default value, if a packet arrives with a TTL of 60, the packet was originally sent with a TTL of 64. In the same way, if a packet is received with a TTL of 120, chances are that the original packet had a TTL of 128.</t>
<t>
<list style="hanging">
<t>This discussion assumes there was no protocol scrubber, transparent proxy, or some other middle-box that overwrites the TTL field in a non-standard way, between the originating system and the point of the network in which the packet was received.</t>
</list>
</t>
<t>Asserting the TTL with which a packet was originally sent by the source system can help to obtain valuable information. Among other things, it may help in:</t>
<t>
<list style="symbols">
<t>Fingerprinting the operating system being used by the source host.</t>
<t>Fingerprinting the physical device from which the packets originate.</t>
<t>Mapping the network topology.</t>
<t>Locating the source host in the network topology.</t>
<t>Evading Network Intrusion Detection Systems. </t>
</list>
</t>
<t>Additionally, it can be used to perform functions such as:</t>
<t>
<list style="symbols">
<t>Improving the security of applications that make use of the Internet Protocol (IP).</t>
<t>Limiting spread of packets.</t>
</list>
</t>
<section title="Fingerprinting the operating system in use by the source host">
<t>Different operating systems use a different default TTL for the packets they send. Thus, asserting the TTL with which a packet was originally sent will help to reduce the number of possible operating systems in use by the source host.</t>
</section>
<section title="Fingerprinting the physical device from which the packets originate">
<t>When several systems are behind a middle-box such as a NAT or a load balancer, the TTL may help to count the number of systems behind the middle-box. If each of the systems behind the middle-box use a different default TTL for the packets they send, or they are located in a different place of the network topology, an attacker could stimulate responses from the devices being fingerprinted, and each response that arrives with a different TTL could be assumed to come from a different device.</t>
<t>
<list style="hanging">
<t>Of course, there are many other (and much more precise) techniques to fingerprint physical devices. Among drawbacks of this method, while many systems differ in the default TTL they use for the packets they send, there are also many implementations which use the same default TTL. Additionally, packets sent by a given device may take different routes (e.g., due to load sharing or route changes), and thus a given packet may incorrectly be presumed to come from a different device, when in fact it just traveled a different route.</t>
</list>
</t>
</section>
<section title="Mapping the Network Topology">
<t>
The originating host sets the TTL field of the packets it sends to progressively increasing values in order to elicit an ICPM error message from the router that decrements the TTL of each packet to zero, and thereby determines the IP addresses of the routers on the path to the packet's destination. This procedure has been traditioanlly employed by the traceroute tool.
</t>
</section>
<section title="Locating the source host in the network topology">
<t>The TTL field may also be used to locate the source system in the network topology <xref target="Northcutt2000"/>. </t>
<t>
<figure title="Tracking a host by means of the TTL field" align="center" anchor="ttltracking">
<artwork>
+---+ +---+ +---+ +---+ +---+
| A |-----| R |------| R |----| R |-----| R |
+---+ +---+ +---+ +---+ +---+
/ | / \
/ | / \
/ | / +---+
/ +---+ +---+ +---+ | E |
/ | R |----| R |------| R |-- +---+
/ +---+ +---+\ +---+ \
/ / / \ \ \
/ ---- / +---+ \ \+---+
/ / / | F | \ | D |
+---+ +---+ +---+ \ +---|
| R |----------| R |-- \
+---+ +---+ \ \
| \ / \ +---+| +---+
| \ / ----| R |------| R |
| \ / +---+ +---+
+---+ \ +---+ +---+
| B | \| R |----| C |
+---+ +---+ +---+
</artwork>
<postamble></postamble>
</figure>
</t>
<t>Consider network topology of <xref target="ttltracking"/>. Assuming that an attacker ("F" in the figure) is performing some type of attack that requires forging the Source Address (such as a TCP-based DoS reflection attack), and some of the involved hosts are willing to cooperate to locate the attacking system.</t>
<t>Assuming that:</t>
<t>
<list style="symbols">
<t>All the packets A gets have a TTL of 61.</t>
<t>All the packets B gets have a TTL of 61.</t>
<t>All the packets C gets have a TTL of 61.</t>
<t>All the packets D gets have a TTL of 62.</t>
</list>
</t>
<t>Based on this information, and assuming that the system's default value was not overridden, it would be fair to assume that the original TTL of the packets was 64. With this information, the number of hops between the attacker and each of the aforementioned hosts can be calculated. </t>
<t>The attacker is:</t>
<t>
<list style="symbols">
<t>Three hops away from A.</t>
<t>Three hops away from B.</t>
<t>Three hops away from C.</t>
<t>Two hops away from D.</t>
</list>
</t>
<t>In the network setup of Figure 3, the only system that satisfies all these conditions is the one marked as the "F".</t>
<t>The scenario described above is for illustration purposes only. In practice, there are a number of factors that may prevent this technique from being successfully applied:</t>
<t>
<list style="symbols">
<t>Unless there is a "large" number of cooperating systems, and the attacker is assumed to be no more than a few hops away from these systems, the number of "candidate" hosts will usually be too large for the information to be useful. </t>
<t>The attacker may be using a non-default TTL value, or, what is worse, using a pseudo-random value for the TTL of the packets it sends.</t>
<t>The packets sent by the attacker may take different routes, as a result of a change in network topology, load sharing, etc., and thus may lead to an incorrect analysis.</t>
</list>
</t>
</section>
<section title="Evading Network Intrusion Detection Systems">
<t>The TTL field can be used to evade Network Intrusion Detection Systems. Depending on the position of a sensor relative to the destination host of the examined packet, the NIDS may get a different picture from that of the intended destination system. As an example, a sensor may process a packet that will expire before getting to the destination host. A general counter-measure for this type of attack is to normalize the traffic that gets to an organizational network. Examples of such traffic normalization can be found in <xref target="Paxson2001"/>. OpenBSD Packet Filter is an example of a packet filter that includes TTL-normalization functionality <xref target="OpenBSD-PF"/></t>
</section>
<section title="Improving the security of applications that make use of the Internet Protocol (IP)">
<t>In some scenarios, the TTL field can be also used to improve the security of an application, by restricting the hosts that can communicate with the given application <ref target="RFC5082"/>. For example, there are applications for which the communicating systems are typically in the same network segment (i.e., there are no intervening routers). Such an application is the BGP (Border Gateway Protocol) utilized between by two peer routers.</t>
<t>If both systems use a TTL of 255 for all the packets they send to each other, then a check could be enforced to require all packets meant for the application in question to have a TTL of 255.</t>
<t>As all packets sent by systems that are not in the same network segment will have a TTL smaller than 255, those packets will not pass the check enforced by these two cooperating peers. This check reduces the set of systems that may perform attacks against the protected application (BGP in this case), thus mitigating the attack vectors described in <xref target="NISCC2004"/> and <xref target="Watson2004"/>.</t>
<t>
<list style="hanging">
<t>This same check is enforced for related ICMP error messages, with the intent of mitigating the attack vectors described in <xref target="NISCC2005"/> and <xref target="I-D.ietf-tcpm-icmp-attacks"/>.</t>
</list>
</t>
<t>The TTL field can be used in a similar way in scenarios in which the cooperating systems either do not use a default TTL of 255, or are not in the same network segment (i.e., multi-hop peering). In that case, the following check could be enforced:</t>
<t>
<artwork align="center">
TTL >= 255 - DeltaHops
</artwork>
</t>
<t>This means that the set of hosts from which packets will be accepted for the protected application will be reduced to those that are no more than DeltaHops away. While for obvious reasons the level of protection will be smaller than in the case of directly-connected peers, the use of the TTL field for protecting multi-hop peering still reduces the set of hosts that could potentially perform a number of attacks against the protected application.</t>
<t>This use of the TTL field has been officially documented by the IETF under the name "Generalized TTL Security Mechanism" (GTSM) in <xref target="RFC5082"/>.</t>
<t>Some protocol scrubbers enforce a minimum value for the TTL field of the packets they forward. It must be understood that depending on the minimum TTL being enforced, and depending on the particular network setup, the protocol scrubber may actually help attackers to fool the GTSM, by "raising" the TTL of the attacking packets.</t>
</section>
<section title="Limiting spread">
<t>
The originating host sets the TTL field to a small value (frequently 1, for link-scope services) in order to artifically limit the (topological) distance the packet is allowed to travel. This is suggested in Section 4.2.2.9 of RFC 1812 <xref target="RFC1812"/>. Further discussion of this technique can be found in in RFC 1112 <xref target="RFC1112"/>.
</t>
</section>
</section>
<section title="Protocol">
<t>
The Protocol field indicates the protocol encapsulated in the internet datagram. The Protocol field may not only contain a value corresponding to protocol implemented by the system processing the packet, but also a value corresponding to a protocol not implemented, or even a value not yet assigned by the IANA <xref target="IANA2006c"/>.</t>
<t>
While in theory there should not be security implications from the use of any value in the protocol field, there have been security issues in the past with systems that had problems when handling packets with some specific protocol numbers <xref target="Cisco2003"/> <xref target="CERT2003"/>. </t>
</section>
<section title="Header Checksum">
<t>
The Header Checksum field is an error detection mechanism meant to detect errors in the IP header. While in principle there should not be security implications arising from this field, it should be noted that due to non-RFC-compliant implementations, the Header Checksum might be exploited to detect firewalls and/or evade network intrusion detection systems (NIDS). </t>
<t><xref target="Ed3f2002"/> describes the exploitation of the TCP checksum for performing such actions. As there are internet routers known to not check the IP Header Checksum, and there might also be middle-boxes (NATs, firewalls, etc.) not checking the IP checksum allegedly due to performance reasons, similar malicious activity to the one described in <xref target="Ed3f2002"/> might be performed with the IP checksum.</t>
</section>
<section title="Source Address">
<t>The Source Address of an IP datagram identifies the node from which the packet originated.</t>
<t>
<list style="hanging">
<t>Strictly speaking, the Source Address of an IP datagram identifies the interface of the sending system from which the packet was sent, (rather than the originating "system"), as in the Internet Architecture there's no concept of "node address".</t>
</list>
</t>
<t>Unfortunately, it is trivial to forge the Source Address of an Internet datagram because of the apparent lack of consistent &egress filtering& near the edge of the network. This has been exploited in the past for performing a variety of DoS (Denial of Service) attacks <xref target="NISCC2004"/> <xref target="RFC4987"/> <xref target="CERT1996a"/> <xref target="CERT1996b"/> <xref target="CERT1998a"/>, and to impersonate as other systems in scenarios in which authentication was based on the Source Address of the sending system <xref target="daemon91996"/>. </t>
<t>The extent to which these attacks can be successfully performed in the Internet can be reduced through deployment of ingress/egress filtering in the internet routers. <xref target="NISCC2006"/> is a detailed guide on ingress and egress filtering. <xref target="RFC2827"/> and <xref target="RFC3704"/> discuss ingress filtering. <xref target="GIAC2000"/> discusses egress filtering.</t>
<t>
<list style="hanging">
<t>Even when the obvious field on which to perform checks for ingress/egress filtering is the Source Address and Destination Address fields of the IP header, there are other occurrences of IP addresses on which the same type of checks should be performed. One example is the IP addresses contained in the payload of ICMP error messages, as discussed in <xref target="I-D.ietf-tcpm-icmp-attacks"/> and <xref target="Gont2006"/>.</t>
</list>
</t>
<t>There are a number of sanity checks that should be performed on the Source Address of an IP datagram. Details can be found in Section 4.2 ("Addressing").</t>
<t>Additionally, there exist freely available tools that allow administrators to monitor which IP addresses are used with which MAC addresses <xref target="LBNL2006"/>. This functionality is also included in many Network Intrusion Detection Systems (NIDS).</t>
<t>It is also very important to understand that authentication should never rely solely on the Source Address of the communicating systems.</t>
</section>
<section title="Destination Address">
<t>The Destination Address of an IP datagram identifies the destination host to which the packet is meant to be delivered.</t>
<t>
<list style="hanging">
<t>Strictly speaking, the Destination Address of an IP datagram identifies the interface of the destination network interface, rather than the destination "system", as in the Internet Architecture there's no concept of "node address".</t>
</list>
</t>
<t>There are a number of sanity checks that should be performed on the Destination Address of an IP datagram. Details can be found in Section 4.2 ("Addressing").</t>
</section>
<section title="Options">
<t>According to RFC 791, IP options must be implemented by all IP modules, both in hosts and gateways (i.e., end-systems and intermediate-systems).</t>
<t>There are two cases for the format of an option:</t>
<t>
<list style="symbols">
<t>Case 1: A single byte of option-type.</t>
<t>Case 2: An option-type byte, an option-length byte, and the actual option-data bytes.</t>
</list>
</t>
<t>In the Case 2, the option-length byte counts the option-type byte and the option-length byte, as well as the actual option-data bytes. </t>
<t>All current and future options except "End of Option List" (Type = 0) and "No Operation" (Type = 1), are of Class 2.</t>
<t>The option-type has three fields:</t>
<t>
<list style="symbols">
<t>1 bit: copied flag.</t>
<t>2 bits: option class.</t>
<t>5 bits: option number.</t>
</list>
</t>
<t>The copied flag indicates whether this option should be copied to all fragments in the event the packet carrying it needs to be fragmented:</t>
<t>
<list style="symbols">
<t>0 = not copied.</t>
<t>1 = copied.</t>
</list>
</t>
<t>The values for the option class are:</t>
<t>
<list style="symbols">
<t>0 = control.</t>
<t>1 = reserved for future use.</t>
<t>2 = debugging and measurement.</t>
<t>3 = reserved for future use.</t>
</list>
</t>
<t>This format allows for the creation of new options for the extension of the Internet Protocol (IP).</t>
<t>Finally, the option number identifies the syntax of the rest of the option.</t>
<t><xref target="IANA2006b"/> contains the list of the currently assigned IP option numbers.</t>
<section title="General issues with IP options">
<t>The following subsections discuss security issues that apply to all IP options. The proposed checks should be performed in addition to any option-specific checks proposed in the next sections.</t>
<section title="Processing requirements">
<t>Router manufacturers tend to do IP option processing on the main processor, rather than on line cards. Unless special care is taken, this represents Denial of Service (DoS) risk, as there is potential for overwhelming the router with option processing.</t>
<t>To reduce the impact of these packets on the system performance, a few counter-measures could be implemented:</t>
<t>
<list style="symbols">
<t>Rate-limit the number of packets with IP options that are processed by the system.</t>
<t>Enforce a limit on the maximum number of options to be accepted on a given internet datagram.</t>
</list>
</t>
<t>The first check avoids a flow of packets with IP options to overwhelm the system in question. The second check avoids packets with multiple IP options to affect the performance of the system.</t>
</section>
<section title="Processing of the options by the upper layer protocol">
<t>Section 3.2.1.8 of RFC 1122 <xref target="RFC1122"/> states that all the IP options received in IP datagrams must be passed to the transport layer (or to ICMP processing when the datagram is an ICMP message). Therefore, care in option processing must be taken not only at the internet layer, but also in every protocol module that may end up processing the options included in an IP datagram.</t>
</section>
<section title="General sanity checks on IP options">
<t>There are a number of sanity checks that should be performed on IP options before further option processing is done. They help prevent a number of potential security problems, including buffer overflows. When these checks fail, the packet carrying the option should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop). </t>
<t>RFC 1122 <xref target="RFC1122"/> recommends to send an ICMP "Parameter Problem" message to the originating system when a packet is dropped because of a invalid value in a field, such as the cases discussed in the following subsections. Sending such a message might help in debugging some network problems. However, it would also alert attackers about the system that is dropping packets because of the invalid values in the protocol fields.</t>
<t>We advice that systems default to sending an ICMP "Parameter Problem" error message when a packet is dropped because of an invalid value in a protocol field (e.g., as a result of dropping a packet due to the sanity checks described in this section). However, we recommend that systems provide a system-wide toggle that allows an administrator to override the default behavior so that packets can be silently dropped when an invalid value in a protocol field is encountered.</t>
<t>
<list style="hanging">
<t hangText="Option length">
<vspace blankLines="1" />Section 3.2.1.8 of RFC 1122 explicitly states that the IP layer must not crash as the result of an option length that is outside the possible range, and mentions that erroneous option lengths have been observed to put some IP implementations into infinite loops.</t>
<t>For options that belong to the "Case 2" described in the previous section, the following check should be performed:</t>
<t>
<artwork align="center">
option-length >= 2
</artwork>
</t>
<t>
<list style="hanging">
<t>The value "2" accounts for the option-type byte, and the option-length byte.</t>
</list>
</t>
<t>This check prevents, among other things, loops in option processing that may arise from incorrect option lengths.</t>
<t>Additionally, while the option-length byte of IP options of "Case 2" allows for an option length of up to 255 bytes, there is a limit on legitimate option length imposed by the syntax of the IP header. </t>
<t>For all options of "Case 2", the following check should be enforced:</t>
<t>
<artwork align="center">
option-offset + option-length <= IHL * 4
</artwork>
</t>
<t>Where option-offset is the offset of the first byte of the option within the IP header, with the first byte of the IP header being assigned an offset of 0. </t>
<t>This check assures that the option does not overlap with the IP payload (i.e., it does not go past the IP header). If the packet does not pass this check, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).</t>
<t>The aforementioned check is meant to detect forged option-length values that might make an option overlap with the IP payload. This would be particularly dangerous for those IP options which request the processing systems to write information into the option-data area (such as the Record Route option), as it would allow the generation of overflows.</t>
<t hangText="Data types">
<vspace blankLines="1" />Many IP options use pointer and length fields. Care must be taken as to the data type used for these fields in the implementation. For example, if an 8-bit signed data type were used to hold an 8-bit pointer, then, pointer values larger than 128 might mistakenly be interpreted as negative numbers, and thus might lead to unpredictable results.</t>
</list>
</t>
</section>
</section>
<section title="Issues with specific options">
<section title="End of Option List (Type = 0)">
<t>This option is used to indicate the "end of options" in those cases in which the end of options would not coincide with the end of the Internet Protocol Header.</t>
<t>IP systems are required to ignore those options they do not implement. Therefore, even in those cases in which this option is required, but is missing, IP systems should be able to process the remaining bytes of the IP header without any problems.</t>
<t>Additionally, nodes must ignore octets in the IP header following the &End of Option List& option, and regard these as padding.</t>
</section>
<section title="No Operation (Type = 1)">
<t>The no-operation option is basically meant to allow the sending system to align subsequent options in, for example, 32-bit boundaries.</t>
<t>This option does not have security implications.</t>
</section>
<section title="Loose Source and Record Route (LSRR) (Type = 131)" anchor="Section3.13.2.3">
<t>This option lets the originating system specify a number of intermediate systems a packet must pass through to get to the destination host. Additionally, the route followed by the packet is recorded in the option. The receiving host (end-system) must use the reverse of the path contained in the received LSRR option.</t>
<t>The LSSR option can be of help in debugging some network problems. Some ISP (Internet Service Provider) peering agreements require support for this option in the routers within the peer of the ISP. </t>
<t>The LSRR option has well-known security implications. Among other things, the option can be used to:</t>
<t>
<list style="symbols">
<t>Bypass firewall rules</t>
<t>Reach otherwise unreachable internet systems</t>
<t>Establish TCP connections in a stealthy way</t>
<t>Learn about the topology of a network</t>
<t>Perform bandwidth-exhaustion attacks</t>
</list>
</t>
<t>Of these attack vectors, the one that has probably received least attention is the use of the LSRR option to perform bandwidth exhaustion attacks. The LSRR option can be used as an amplification method for performing bandwidth-exhaustion attacks, as an attacker could make a packet bounce multiple times between a number of systems by carefully crafting an LSRR option.</t>
<t>
<list style="hanging">
<t>This is the IPv4-version of the IPv6 amplification attack that was widely publicized in 2007 <xref target="Biondi2007"/>. The only difference is that the maximum length of the IPv4 header (and hence the LSRR option) limits the amplification factor when compared to the IPv6 counter-part.</t>
</list>
</t>
<t>While the LSSR option may be of help in debugging some network problems, its security implications outweigh any legitimate use.</t>
<t>All systems should, by default, drop IP packets that contain an LSRR option, and should log this event (e.g., a counter could be incremented to reflect the packet drop). However, they should provide a system-wide toggle to enable support for this option for those scenarios in which this option is required. Such system-wide toggle should default to "off" (or "disable"). </t>
<t>
<list style="hanging">
<t><xref target="OpenBSD1998"/> is a security advisory about an improper implementation of such a system-wide toggle in 4.4BSD kernels.</t>
</list>
</t>
<t>Section 3.3.5 of RFC 1122 <xref target="RFC1122"/> states that a host may be able to act as an intermediate hop in a source route, forwarding a source-routed datagram to the next specified hop. We strongly discourage host software from forwarding source-routed datagrams. </t>