draft-ietf-opsec-ip-options-filtering-00.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
    <!-- try to enforce the ID-nits conventions and DTD validity -->
<?rfc strict="no" ?>    <!-- items used when reviewing the document -->
<?rfc comments="no" ?>  <!-- controls display of <cref> elements -->
<?rfc inline="no" ?>    <!-- when no, put comments at end in comments section,
                                otherwise, put inline -->
<?rfc editing="no" ?>   <!-- when yes, insert editing marks -->

    <!-- create table of contents (set it options).
           Note the table of contents may be omitted
         for very short documents -->

<?rfc toc="yes"?><?rfc tocompact="yes"?>
<?rfc tocdepth="2"?>

    <!-- choose the options for the references. Some like
         symbolic tags in the references (and citations)
         and others prefer numbers. --> 
<?rfc symrefs="yes"?><?rfc sortrefs="yes" ?>
    <!-- these two save paper: start new paragraphs from the same page etc. -->
<?rfc compact="yes" ?><?rfc subcompact="no" ?>
<!-- end of list of processing instructions -->
    <!-- Information about the document.
         categories values: std, bcp, info, exp, and historic
         For Internet-Drafts, specify attribute "ipr".
         (ipr values are: full3667, noModification3667, noDerivatives3667),
         Also for Internet-Drafts, can specify values for
         attributes "iprExtract", and "docName".  Note
         that the value for iprExtract is the anchor attribute
         value of a section that can be extracted, and is only
         useful when the value of "ipr" is not "full3667". -->
    <!-- TODO: verify which attributes are specified only
            by the RFC editor.  It appears that attributes
            "number", "obsoletes", "updates", and "seriesNo"
            are specified by the RFC editor (and not by
            the document author). -->

<rfc    
    category="bcp"
    ipr="trust200902"
    docName="draft-ietf-opsec-ip-options-filtering-00.txt" >

<front>
    <title abbrev="Filtering of IP-optioned packets">Recommendations on filtering of IPv4 packets containing IPv4 options</title>

    <!-- add 'role="editor"' below for the editors if appropriate -->    

<author
        fullname="Fernando Gont"
        initials="F."
        surname="Gont">
    <!-- abbrev not needed but can be used for the header
         if the full organization name is too long -->
        <organization abbrev="UTN-FRH / SI6 Networks">UTN-FRH / SI6 Networks</organization>
        <address>
            <postal>                <!-- I've omitted my street address here -->
             <street>Evaristo Carriego 2644</street>
        <code>1706</code><city>Haedo</city>
         <region>Provincia de Buenos Aires</region>
        <country>Argentina</country>
            </postal>
            <phone>+54 11 4650 8472</phone>
            <email>fgont@si6networks.com</email>
        <uri>http://www.si6networks.com</uri>
        <!--            If I had a phone, fax machine, and a URI, I could add the following: --->

        </address>
    </author>    

<author
        fullname="RJ Atkinson"
        initials="R. J."
        surname="Atkinson">
        <organization>Consultant</organization>
        <address>
            <postal>              
            <street/>
                <code>22103</code><city>McLean</city>
                <region>VA</region>
                <country>USA</country>
            </postal>
        
            <email>rja.lists@gmail.com</email>
        </address>
</author>    


<author fullname="Carlos Pignataro" initials="C.M."
                                    surname="Pignataro">
    <organization abbrev="Cisco">Cisco Systems, Inc.</organization>
    <address>
        <postal>
            <street>7200-12 Kit Creek Road</street>
            <street/>
            <city>Research Triangle Park</city>
            <code>27709</code>
            <region>NC</region>
            <country>US</country>
        </postal>
<!--
        <phone>+1-919-392-7428</phone>
        <facsimile>+1-919-869-1438</facsimile>
-->
        <email>cpignata@cisco.com</email>
    </address>
</author>



<date /> 
<!-- month="May" is no longer necessary note also, day="30" is optional -->
    <area>Internet</area>    <!-- WG name at the upperleft corner of the doc,
         IETF fine for individual submissions -->
    <workgroup>Operational Security Capabilities for IP Network Infrastructure (opsec)</workgroup>

<abstract>
<t>
This document document provides advice on the filtering of IPv4 packets based on the IPv4 options they contain.  Additionally, it discusses the operational and interoperability implications of dropping packets based on the IP options they contain.
</t>
</abstract>

</front>

<middle>

<section title="Introduction" anchor="intro">
<t>This document document discusses the filtering of IPv4 packets based on the IPv4 options they contain. Since various protocols may use IPv4 options to some extent, dropping packets based on the options they contain may have implications on the proper functioning of the protocol.  Therefore, this document attempts to discuss the operational and interoperability implications of such dropping.  Additionally, it outlines what a network operator might do in a typical enterprise or Service Provider environments.</t>

<t>We note that data seems to indicate that there is a current widespread practice of blocking IPv4 optioned packets. There are various plausible approaches to minimize the potential negative effects of IPv4 optioned packets while allowing some options semantics. One approach is to allow for specific options that are expected or needed, and a default deny. A different approach is to deny unneeded options and a default allow. Yet a third possible approach is to allow for end-to-end semantics by ignoring options and treating packets as un-optioned while in transit. Experiments and currently-available data tends to support the first or third approaches as more realistic. Some results of regarding the current state of affairs with respect to dropping packets containing IP options can be found in <xref target="MEDINA"/>.</t>

<t>We also note that while this document provides advice on dropping packets on a "per IP option type", not all devices may provide this capability with such granularity. Additionally, even in cases in which such functionality is provided, the operator might want to specify a dropping policy with a coarser granularity (rather than on a "per IP option type" granularity), as indicated above.</t>

<t>Finally, in scenarios in which processing of IP options by intermediate systems is not required, a widespread approach is to simply ignore IP options, and process the corresponding packets as if they do not contain any IP options.
</t>

<section title="Terminology and Conventions Used in This Document" 
    anchor="terms">
    <t>
        The terms "fast path", "slow path", and associated relative 
        terms ("faster path" and "slower path") are loosely defined as 
        in Section 2 of <xref target="RFC6398" />.
    </t>

            <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
            "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
            and "OPTIONAL" in this document are to be interpreted as
            described in <xref target="RFC2119"/>.</t>
</section>
</section>


<section title="IP Options" anchor="general-discussion">

<t>IP options allow for the extension of the Internet Protocol</t>

<t>There are two cases for the format of an option:</t>

<t>
<list style="symbols">
<t>Case 1: A single byte of option-type.</t>
<t>Case 2: An option-type byte, an option-length byte, and the actual option-data bytes.</t>
</list>
</t>
<t>IP options of Case 1 have the following syntax:

<artwork>
+-+-+-+-+-+-+-+-+- - - - - - - - -
|  option-type  |  option-data
+-+-+-+-+-+-+-+-+- - - - - - - - -
</artwork>
</t>
<t>The length of IP options of Case 1 is implicitly specified by the option-type byte.</t>

<t>IP options of Case 2 have the following syntax:

<artwork>
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
|  option-type  | option-length |  option-data
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
</artwork>
</t>

<t>In this case, the option-length byte counts the option-type byte and the option-length byte, as well as the actual option-data bytes. </t>

<t>All current and future options except "End of Option List" (Type = 0) and "No Operation" (Type = 1), are of Class 2.</t>

<t>The option-type has three fields:</t>

<t>
<list style="symbols">
<t>1 bit:  copied flag.</t>
<t>2 bits: option class.</t>
<t>5 bits: option number.</t>
</list>
</t>

<t>The copied flag indicates whether this option should be copied to all fragments in the event the packet carrying it needs to be fragmented:</t>

<t>
<list style="symbols">
<t>0 = not copied.</t>
<t>1 = copied.</t>
</list>
</t>

<t>The values for the option class are:</t>

<t>
<list style="symbols">
<t>0 = control.</t>
<t>1 = reserved for future use.</t>
<t>2 = debugging and measurement.</t>
<t>3 = reserved for future use.</t>
</list>
</t>

<t>This format allows for the creation of new options for the extension of the Internet Protocol (IP).</t>

<t>Finally, the option number identifies the syntax of the rest of the option.</t>

<t>The "IP OPTION NUMBERS" registry <xref target="IANA-IP"/> contains 
    the list of the currently assigned IP option numbers.</t>
</section>


<section title="General Security Implications of IP options" anchor="general-implications">
<section title="Processing Requirements" anchor="process-requirements">

<t>Router architectures can perform IP option processing in a slower 
    path.  Unless protective measures are taken, this represents a 
    potential Denial of Service (DoS) risk, as there is possibility for 
    the option processing to overwhelm the router's CPU or the protocols 
    processed in the router's slow path.

    Additional considerations for protecting the router control plane 
    from IP optioned packets can be found in <xref target="RFC6192" />. 

</t>
</section>
</section>

<section title="Advice on the Handling of Packets with Specific IP Options">
<t>The following subsections contain a description of each of the IP 
    options that have so far been specified, a discussion of possible 
    interoperability implications if packets containing such options are 
    dropped, and specific advice on whether to drop packets 
    containing these options in a typical enterprise or Service Provider 
    environment.</t>
<section title="End of Option List (Type = 0)">
<section title="Uses">
<t>This option is used to indicate the "end of options" in those cases in which the end of options would not coincide with the end of the Internet Protocol Header.</t>
</section>

<section title="Option Specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>. </t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>Packets containing any IP options are likely to include an End of Option List. Therefore, if packets containing this option are dropped, it is very likely that legitimate traffic is blocked.</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD NOT drop packets containing this option.</t>
</section>

</section>

<section title="No Operation (Type = 1)">

<section title="Uses">
<t>The no-operation option is basically meant to allow the sending system to align subsequent options in, for example, 32-bit boundaries.</t>
</section>

<section title="Option Specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>. 
</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>
Packets containing any IP options are likely to include a No Operation option. Therefore, if packets containing this option are dropped, it is very likely that legitimate traffic is blocked.
</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD NOT drop packets containing this option.</t>
</section>

</section>


<section title="Loose Source and Record Route (LSRR) (Type = 131)" anchor="LSRR">


<t>RFC 791 states that this option should appear, at most, once in a given packet. Thus, if a packet contains more than one LSRR option, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop). Additionally, packets containing a combination of LSRR and SSRR options should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).</t>

<section title="Uses">
<t>This option lets the originating system specify a number of intermediate systems a packet must pass through to get to the destination host. Additionally, the route followed by the packet is recorded in the option. The receiving host (end-system) must use the reverse of the path contained in the received LSRR option.</t>

<t>The LSSR option can be of help in debugging some network problems. Some ISP (Internet Service Provider) peering agreements require support for this option in the routers within the peer of the ISP. </t>
</section>

<section title="Option Specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>The LSRR option has well-known security implications. Among other things, the option can be used to:</t>

<t>
<list style="symbols">
<t>Bypass firewall rules</t>
<t>Reach otherwise unreachable internet systems</t>
<t>Establish TCP connections in a stealthy way</t>
<t>Learn about the topology of a network</t>
<t>Perform bandwidth-exhaustion attacks</t>
</list>
</t>

<t>Of these attack vectors, the one that has probably received least attention is the use of the LSRR option to perform bandwidth exhaustion attacks. The LSRR option can be used as an amplification method for performing bandwidth-exhaustion attacks, as an attacker could make a packet bounce multiple times between a number of systems by carefully crafting an LSRR option.</t>

<t>
<list style="hanging">
<t>This is the IPv4-version of the IPv6 amplification attack that was widely publicized in 2007 <xref target="Biondi2007"/>. The only difference is that the maximum length of the IPv4 header (and hence the LSRR option) limits the amplification factor when compared to the IPv6 counter-part.</t>
</list>
</t>
<t>Additionally, some implementations have been found to fail to include proper sanity checks on the LSRR option, thus leading to security issues.
<list style="hanging">
<t><xref target="Microsoft1999"/> is a security advisory about a vulnerability arising from improper validation of the Pointer field of the LSRR option.</t>
</list>
</t>

<t>Finally, we note that some systems were known for providing a system-wide toggle to enable support for this option for those scenarios in which this option is required. However, improper implementation of such system-wide toggle caused those systems to support the LSRR option even when explicitly configured not to do so.

<list style="hanging">
<t><xref target="OpenBSD1998"/> is a security advisory about an improper implementation of such a system-wide toggle in 4.4BSD kernels.</t>
</list>
</t>

</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>Network troubleshooting techniques that may employ the LSRR option (such as ping or traceroute) would break. Nevertheless, it should be noted that it is virtually impossible to use the LSRR option for troubleshooting, due to widespread dropping of packets that contain such option.</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD, by default, drop IP packets that contain an LSRR option.</t>
</section>


</section>

<section title="Strict Source and Record Route (SSRR) (Type = 137)" anchor="SSRR">

<section title="Uses">
<t>This option allows the originating system to specify a number of intermediate systems a packet must pass through to get to the destination host. Additionally, the route followed by the packet is recorded in the option, and the destination host (end-system) must use the reverse of the path contained in the received SSRR option.</t>

<t>This option is similar to the Loose Source and Record Route (LSRR) option, with the only difference that in the case of SSRR, the route specified in the option is the exact route the packet must take (i.e., no other intervening routers are allowed to be in the route).</t>

<t>The SSSR option can be of help in debugging some network problems. Some ISP (Internet Service Provider) peering agreements require support for this option in the routers within the peer of the ISP. </t>
</section>

<section title="Option Specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>The SSRR option has the same security implications as the LSRR option. Please refer to <xref target="LSRR"/> for a discussion of such security implications.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>Network troubleshooting techniques that may employ the SSRR option (such as ping or traceroute) would break. Nevertheless, it should be noted that it is virtually impossible to use the SSR option for trouble-shooting, due to widespread dropping of packets that contain such option.</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD, by default, drop IP packets that contain an SSRR option.</t>
</section>


</section>

<section title="Record Route (Type = 7)">

<section title="Uses">
<t>This option provides a means to record the route that a given packet follows.</t>
</section>

<section title="Option Specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>This option can be exploited to map the topology of a network. However, the limited space in the IP header limits the usefulness of this option for that purpose.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>Network troubleshooting techniques that may employ the RR option (such as ping with the RR option) would break. Nevertheless, it should be noted that it is virtually impossible to use such techniques due to widespread dropping of packets that contain RR options.</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD drop IP packets containing a Record Route option.</t>
</section>


</section>

<section anchor="OPT-136"
    title="Stream Identifier (Type = 136) (obsolete)">

<t>The Stream Identifier option originally provided a means for the 16-bit SATNET stream Identifier to be carried through networks that did not support the stream concept.</t>

<t>However, as stated by Section 3.2.1.8 of RFC 1122 <xref 
        target="RFC1122" /> and Section 4.2.2.1 of RFC 
    1812 <xref target="RFC1812"/>, this option is obsolete. Therefore, 
    it must be ignored by the processing systems.
    See also <xref target="IANA" />.</t>

<t>RFC 791 states that this option appears at most once in a given datagram. Therefore, if a packet contains more than one instance of this option, it should be dropped, and this event should be logged (e.g., a counter could be incremented to reflect the packet drop).</t>

<section title="Uses">
<t>
This option is obsolete. There is no current use for this option.
</t>
</section>

<section title="Option Specification">
<t>Specified in RFC 791 <xref target="RFC0791"/>, and obsoleted in RFC 
    1122 <xref target="RFC1122" /> and RFC 1812 <xref target="RFC1812" 
         />.</t>
</section>

<section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>. </t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>None.</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD drop IP packets containing a Stream Identifier option.</t>
</section>


</section>

<section title="Internet Timestamp (Type = 68)">

<section title="Uses">
<t>This option provides a means for recording the time at which each system processed this datagram.</t>
</section>

<section title="Option Specification">
<t>Specified by RFC 791 <xref target="RFC0791"/>.</t>
</section>

<section title="Threats">
<t>The timestamp option has a number of security implications. Among them are: </t>

<t>
<list style="symbols">
<t>It allows an attacker to obtain the current time of the systems that process the packet, which the attacker may find useful in a number of scenarios.</t>
<t>It may be used to map the network topology, in a similar way to the IP Record Route option.</t>
<t>It may be used to fingerprint the operating system in use by a system processing the datagram.</t>
<t>It may be used to fingerprint physical devices, by analyzing the clock skew.</t>
</list>
</t>
<t><xref target="Kohno2005"/> describes a technique for fingerprinting devices by measuring the clock skew. It exploits, among other things, the timestamps that can be obtained by means of the ICMP timestamp request messages <xref target="RFC0791"/>. However, the same fingerprinting method could be implemented with the aid of the Internet Timestamp option.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>.
</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD drop IP packets containing an Internet Timestamp option.</t>
</section>


</section>

<section title="Router Alert (Type = 148)">

<section title="Uses">
<t>The Router Alert option has the semantic &quot;routers should examine this packet more closely, if they participate in the functionality denoted by the Value of the option&quot;.</t>
</section>

<section title="Option Specification">
<t>The Router Alert option is defined in RFC 2113 <xref target="RFC2113"/> and later updates to it have been clarified by RFC 5350 <xref target="RFC5350"/>.  It contains a 16-bit Value governed by an IANA registry (see <xref target="RFC5350"/>).</t>
</section>

<section title="Threats">
<t>The security implications of the Router Alert option have been discussed in detail in <xref target="RFC6398"/>. Basically, the Router Alert option might be exploited to perform a Denial of Service (DoS) attack by exhausting CPU resources at the processing routers.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>Applications that employ the Router Alert option (such as RSVP <xref target="RFC2205"/>) would break.</t>
</section>

<section title="Advice">
<t>This option SHOULD be allowed only in controlled environments, where the option can be used safely. <xref target="RFC6398"/> identifies some such environments.  In unsafe environments, packets containing this option SHOULD be dropped. </t> 

<t>A given router, security gateway, or firewall system has no way of knowing a priori whether this option is valid in its operational environment.  Therefore, routers, security gateways, and firewalls SHOULD, by default, ignore the Router Alert option. Additionally, Routers, security gateways, and firewalls SHOULD have a configuration setting that indicates whether they should react act on the Router Alert option as indicated in the corresponding specification or ignore the option, or whether packets containing this option should be dropped (with the default configuration being to ignore the Router Alert option).
</t>

</section>



</section>

<section title="Probe MTU (Type = 11) (obsolete)" anchor="OPT-11">

<section title="Uses">
<t>This option originally provided a mechanism to discover the Path-MTU. It has been declared obsolete.</t>
</section>

<section title="Option Specification">
<t>This option was originally defined in RFC 1063 <xref 
        target="RFC1063"/>, and was obsoleted with RFC 1191 <xref 
        target="RFC1191" />.  This option is now obsolete, as RFC 
    1191 obsoletes RFC 1063 without using IP options.</t>

</section>

<section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>None</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD drop IP packets that contain a Probe MTU option.</t>
</section>

</section>

<section title="Reply MTU (Type = 12) (obsolete)" anchor="OPT-12">

<section title="Uses">
<t>This option and originally provided a mechanism to discover the Path-MTU. It is now obsolete.</t>
</section>

<section title="Option Specification">
<t>This option was originally defined in RFC 1063 <xref 
        target="RFC1063"/>, and was obsoleted with RFC 1191 <xref 
        target="RFC1191" />.  This option is now obsolete, as RFC 
    1191 obsoletes RFC 1063 without using IP options.</t>
</section>

<section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>None</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD drop IP packets that contain a Reply MTU option.</t>
</section>

</section>

<section title="Traceroute (Type = 82)" anchor="OPT-82">

<section title="Uses">
<t>This option originally provided a mechanism to trace the path to a host.</t>
</section>

<section title="Option Specification">
   <t>This option was originally specified by RFC 1393 <xref 
           target="RFC1393"/>.
       The Traceroute option is defined as "experimental" and it was never widely deployed on the public Internet.
   </t>
</section>

<section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>None</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD drop IP packets that contain a Traceroute option.</t>
</section>

</section>

<section title="DoD Basic Security Option (Type = 130)" 
    anchor="OPT-130">

<section title="Uses">
<t>This option is used by Multi-Level-Secure (MLS) end-systems and intermediate systems in specific environments to <xref target="RFC1108"/>:</t>

<t>
<list style="symbols">
<t>Transmit from source to destination in a network standard representation the common security labels required by computer security models <xref target="Landwehr81"/>,</t>
<t>Validate the datagram as appropriate for transmission from the source and delivery to the destination, and,</t>
<t>Ensure that the route taken by the datagram is protected to the level required by all protection authorities indicated on the datagram.</t>
</list>
</t>

<t>The DoD Basic Security Option (BSO) is currently implemented in a 
    number of operating systems (e.g., <xref target="IRIX2008"/>, <xref 
        target="SELinux2008"/>, <xref target="Solaris2008"/>, and <xref 
        target="Cisco-IPSO"/>), and deployed in a number of 
    high-security networks. These networks are typically either in 
    physically secure locations, protected by military/governmental 
    communications security equipment, or both.  Such networks are 
    typically built using commercial off-the-shelf (COTS) IP routers and 
    Ethernet switches, but are not normally interconnected with the 
    global public Internet.  This option probably has more deployment 
    now than when the IESG removed this option from the IETF 
    standards-track.  <xref target="RFC5570"/> describes a similar 
    option recently defined for IPv6 and has much more detailed 
    explanations of how sensitivity label options are used in real-world 
    deployments.</t>

</section>

<section title="Option Specification">
<t>It is specified by RFC 1108 <xref target="RFC1108"/>], which obsoleted RFC 1038 <xref target="RFC1038"/> (which in turn obsoleted the Security Option defined in RFC 791 <xref target="RFC0791"/>).</t>

<t>
<list style="hanging">
   <t>RFC 791 <xref target="RFC0791" /> defined the "Security Option" 
       (Type = 130), which used the same option type as the DoD Basic 
       Security option discussed in this section.
       Later, RFC 1038 <xref target="RFC1038" /> revised the IP security  
       options, and in turn was obsoleted by RFC 1108 <xref 
           target="RFC1108" />.
           The "Security Option" specified in RFC 
           791 is considered obsolete by Section 3.2.1.8 of RFC 1122 
           <xref target="RFC1122" /> and Section 4.2.2.1 of RFC 
       1812 <xref target="RFC1812" />, and therefore the discussion in 
       this section is focused on the DoD Basic Security option 
       specified by RFC 
    1108 <xref target="RFC1108"/>.</t>
</list>
</t>

<t>Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement this option".</t>

<t>
<list style="hanging"><t>Many Cisco routers that run Cisco IOS include support dropping packets that contain this option with per-interface granularity.  This capability has been present in 
        many Cisco routers since the early 1990s <xref 
            target="Cisco-IPSO-Cmds"/>.  Some governmental products 
        reportedly support BSO, notably CANEWARE <xref 
            target="RFC4949"/>.  Support for BSO is included in the 
        &quot;IPsec Configuration Policy Information Model&quot; <xref 
            target="RFC3585"/> and in the &quot;IPsec Security Policy 
        Database Configuration MIB&quot; <xref target="RFC4807"/>.</t>
</list>
</t>

</section>

<section title="Threats">
<t>Presence of this option in a packet does not by itself create any specific new threat (other than the usual generic issues that might be created if packets with options are forwarded via the "slow path").  Packets with this option ought not normally be seen on the global public Internet.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>If packets with this option are blocked or if the option is stripped from the packet during transmission from source to destination, then the packet itself is likely to be dropped by the receiver because it isn't properly labelled.  In some cases, the receiver might receive the packet but associate an incorrect sensitivity label with the received data from the packet whose BSO was stripped by an intermediate router or firewall.  Associating an incorrect sensitivity label can cause the received information either to be handled as more sensitive than it really is ("upgrading") or as less sensitive than it really is ("downgrading"), either of which is problematic.</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD NOT by default modify or remove this option from IP packets and SHOULD NOT by default drop packets containing this option. For auditing reasons, Routers, security gateways, and firewalls SHOULD be capable of logging the numbers of packets containing the BSO on a per-interface basis.  Also, Routers, security gateways, and firewalls SHOULD be capable of dropping packets based on the BSO presence as well as the BSO values.</t>
</section>

</section>

<section title="DoD Extended Security Option (Type = 133)">

<section title="Uses">
<t>This option permits additional security labeling information, beyond 
    that present in the Basic Security Option (<xref 
        target="OPT-130"/>), to be supplied in an IP datagram to meet 
    the needs of registered authorities.</t>
</section>

<section title="Option Specification">
<t>The DoD Extended Security Option (ESO) is specified by RFC 1108 <xref target="RFC1108"/>.</t>
<t>
<list style="hanging"><t>Many Cisco routers that run Cisco IOS include support for dropping packets that contain this option with a per-interface granularity.  This capability has been present in 
        many Cisco routers since the early 1990s <xref 
            target="Cisco-IPSO-Cmds"/>.  Some governmental products 
        reportedly support ESO, notably CANEWARE <xref 
            target="RFC4949"/>.  Support for ESO is included in the 
        &quot;IPsec Configuration Policy Information Model&quot; <xref 
            target="RFC3585"/> and in the &quot;IPsec Security Policy 
        Database Configuration MIB&quot; <xref target="RFC4807"/>.</t>
</list>
</t>
</section>

<section title="Threats">
<t>
Presence of this option in a packet does not by itself create any specific new threat (other than the usual generic issues that might be created if packets with options are forwarded via the "slow path").  Packets with this option ought not normally be seen on the global public Internet
</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>If packets with this option are blocked or if the option is stripped from the packet during transmission from source to destination, then the packet itself is likely to be dropped by the receiver because it isn't properly labelled.  In some cases, the receiver might receive the packet but associate an incorrect sensitivity label with the received data from the packet whose ESO was stripped by an intermediate router or firewall.  Associating an incorrect sensitivity label can cause the received information either to be handled as more sensitive than it really is ("upgrading") or as less sensitive than it really is ("downgrading"), either of which is problematic.</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD NOT by default modify or remove this option from IP packets and SHOULD NOT by default drop packets containing this option. For auditing reasons, Routers, security gateways, and firewalls SHOULD be capable of logging the numbers of packets containing the ESO on a per-interface basis.  Also, Routers, security gateways, and firewalls SHOULD be capable of dropping packets based on the ESO presence as well as the ESO values.</t>
</section>


</section>

<section title="Commercial IP Security Option (CIPSO) (Type = 134)">


<section title="Uses">
<t>This option was proposed by the Trusted Systems Interoperability Group (TSIG), with the intent of meeting trusted networking requirements for the commercial trusted systems market place. </t>

<t>It is currently implemented in a number of operating systems (e.g., IRIX <xref target="IRIX2008"/>, Security-Enhanced Linux <xref target="SELinux2008"/>, and Solaris <xref target="Solaris2008"/>), and deployed in a number of high-security networks.</t>
</section>

<section title="Option Specification">
<t>This option is specified in <xref target="CIPSO1992"/> and <xref target="FIPS1994"/>. There are zero known IP router implementations of CIPSO. Several MLS operating systems support CIPSO, generally the same MLS operating systems that support IPSO.

<list style="hanging">
<t>The TSIG proposal was taken to the Commercial Internet Security Option (CIPSO) Working Group of the IETF <xref target="CIPSOWG1994"/>, and an Internet-Draft was produced <xref target="CIPSO1992"/>. The Internet-Draft was never published as an RFC, but the proposal was later standardized by the U.S. National Institute of Standards and Technology (NIST) as "Federal Information Processing Standard Publication 188" <xref target="FIPS1994"/>.</t>
</list>
</t>
</section>

<section title="Threats">
<t>Presence of this option in a packet does not by itself create any specific new threat (other than the usual generic issues that might be created if packets with options are forwarded via the "slow path").  Packets with this option ought not normally be seen on the global public Internet.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>If packets with this option are blocked or if the option is stripped from the packet during transmission from source to destination, then the packet itself is likely to be dropped by the receiver because it isn't properly labelled.  In some cases, the receiver might receive the packet but associate an incorrect sensitivity label with the received data from the packet whose CIPSO was stripped by an intermediate router or firewall.  Associating an incorrect sensitivity label can cause the received information either to be handled as more sensitive than it really is ("upgrading") or as less sensitive than it really is ("downgrading"), either of which is problematic.</t>
</section>

<section title="Advice">
<t>Because of the design of this option, with variable syntax and variable length, it is not practical to support specialized filtering using the CIPSO information.  No routers or firewalls are known to support this option.  However, Routers, security gateways, and firewalls SHOULD NOT by default modify or remove this option from IP packets and SHOULD NOT by default drop packets containing this option.
</t>
</section>
</section>

<section title="VISA (Type = 142)">
    <section title="Uses">
        <t>This options was part of an experiment at USC and was never widely deployed.
        </t>
    </section>

    <section title="Option Specification">
        <t>Not publicly available.</t>
    </section>
    <section title="Threats">
        <t>Not possible to determine (other the general security implications of IP options discussed in <xref target="general-implications"/>), since the corresponding specification is not publicly available.</t>
    </section>
    <section title="Operational and Interoperability Impact if Blocked">
        <t>None.</t>
    </section>
    <section title="Advice">
        <t>Routers, security gateways, and firewalls SHOULD drop IP packets that contain this option.</t>
    </section>

</section>

<section title="Extended Internet Protocol (Type = 145)">
    <section title="Uses">
        <t>The EIP option was introduced by one of the proposals submitted during the IPng efforts to address the problem of IPv4 address exhaustion.
        </t>
    </section>

    <section title="Option Specification">
        <t>Specified in <xref target="RFC1385"/>. This option is in the process of being formally obsoleted by <xref target="I-D.gp-intarea-obsolete-ipv4-options-iana"/>.</t>
    </section>
    <section title="Threats">
        <t>There are no know threats arising from this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>.</t>
    </section>
    <section title="Operational and Interoperability Impact if Blocked">
        <t>None.</t>
    </section>
    <section title="Advice">
        <t>Routers, security gateways, and firewalls SHOULD drop packets that contain this option.</t>
    </section>

</section>

<section title="Address Extension (Type = 147)">
    <section title="Uses">
        <t>The Address Extension option was introduced by one of the proposals submitted during the IPng efforts to address the problem of IPv4 address exhaustion.
        </t>
    </section>

    <section title="Option Specification">
        <t>Specified in <xref target="RFC1475"/>. This option is in the process of being formally obsoleted by <xref target="I-D.gp-intarea-obsolete-ipv4-options-iana"/>.</t>
    </section>
    <section title="Threats">
        <t>There are no know threats arising from this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>.</t>
    </section>
    <section title="Operational and Interoperability Impact if Blocked">
        <t>None.</t>
    </section>
    <section title="Advice">
        <t>Routers, security gateways, and firewalls SHOULD drop packets that contain this option.</t>
    </section>

</section>

<section title="Sender Directed Multi-Destination Delivery (Type = 149)">

<section title="Uses">
<t>This option originally provided unreliable UDP delivery to a set of 
    addresses included in the option.</t>
</section>

<section title="Option Specification">
<t>This option is defined in RFC 1770 <xref target="RFC1770"/>.</t>
</section>

<section title="Threats">
<t>This option could have been exploited for bandwidth-amplification in Denial of Service (DoS) attacks.</t>
</section>

<section title="Operational and Interoperability Impact if Blocked">
<t>None.</t>
</section>

<section title="Advice">
<t>Routers, security gateways, and firewalls SHOULD drop IP packets that contain a Sender Directed Multi-Destination Delivery option.</t>
</section>


</section>


<section title="Dynamic Packet State (Type = 151)">

    <section title="Uses">
        <t>The Dynamic Packet State option was used to specify specified Dynamic Packet State (DPS) in the context of the differentiated service architecture.
        </t>
    </section>

    <section title="Option Specification">
        <t>The Dynamic Packet State option was specified in <xref target="I-D.stoica-diffserv-dps"/>. The aforementioned document was meant to be published as "Experimental", but never made it into an RFC. This option is in the process of being formally obsoleted by <xref target="I-D.gp-intarea-obsolete-ipv4-options-iana"/>.</t>
    </section>
    <section title="Threats">
        <t>Possible threats include theft of service and Denial of Service. However, we note that is option has never been widely implemented or deployed.</t>
    </section>
    <section title="Operational and Interoperability Impact if Blocked">
        <t>None.</t>
    </section>
    <section title="Advice">
        <t>Routers, security gateways, and firewalls SHOULD drop packets that contain this option.</t>
    </section>

</section>

<section title="Upstream Multicast Pkt. (Type = 152)">

    <section title="Uses">
        <t>This option was meant to solve the problem of doing upstream forwarding of multicast packets on a multi-access LAN.
        </t>
    </section>

    <section title="Option Specification">
        <t>This option was originally specified in <xref target="draft-farinacci-bidir-pim"/>. Its use was obsoleted by <xref target="RFC5015"/>, which employs a control plane mechanism to solve the problem of doing upstream forwarding of multicast packets on a multi-access LAN. This option is in the process of being formally obsoleted by <xref target="I-D.gp-intarea-obsolete-ipv4-options-iana"/>.</t>
    </section>
    <section title="Threats">
        <t>TBD.</t>
    </section>
    <section title="Operational and Interoperability Impact if Blocked">
        <t>None.</t>
    </section>
    <section title="Advice">
        <t>Routers, security gateways, and firewalls SHOULD drop packets that contain this option.</t>
    </section>

</section>

<section title="Quick-Start (Type = 25)">

    <section title="Uses">
        <t>
            This IP Option is used in the specification of Quick-Start for TCP and IP, which is an experimental mechanism that allows transport protocols, in cooperation with routers, to determine an allowed sending rate at the start and, at times, in the middle of a data transfer (e.g., after an idle period) <xref target="RFC4782"/>.
        </t>
    </section>

    <section title="Option Specification">
        <t>Specified in RFC 4782 <xref target="RFC4782"/>, on the "Experimental" track.</t>
    </section>
    <section title="Threats">
        <t>Section 9.6 of <xref target="RFC4782"/> notes that Quick-Start is vulnerable to two kinds of attacks:
<list style="symbols">
<t>attacks to increase the routers' processing and state load, and,</t>
<t>attacks with bogus Quick-Start Requests to temporarily tie up available Quick-Start bandwidth, preventing routers from
   approving Quick-Start Requests from other connections</t>
</list>
</t>
    </section>
    <section title="Operational and Interoperability Impact if Blocked">
        <t>The Quick-Start functionality would be disabled, and additional delays in e.g. TCP's connection establishment could be introduced (please see Section 4.7.2 of <xref target="RFC4782"/>. We note, however, that Quick-Start has been proposed as mechanism that could be of use in controlled environments, and not as a mechanism that would be intended or appropriate for ubiquitous deployment in the global Internet <xref target="RFC4782"/>.</t>
    </section>
    <section title="Advice">
<t>A given router, security gateway, or firewall system has no way of knowing a priori whether this option is valid in its operational environment.  Therefore, routers, security gateways, and firewalls SHOULD, by default, ignore the Quick Start option. Additionally, routers, security gateways, and firewalls SHOULD have a configuration setting that indicates whether they should react act on the Quick Start option as indicated in the corresponding specification or ignore the option, or whether packets containing this option should be dropped (with the default configuration being to ignore the Quick Start option).
</t>

<list style="hanging">
<t><!--The decision to advise packets containing this option to be dropped is based on the fact that the <xref target="RFC4782"/> itself notes that Quick-Start has been proposed as mechanism that could be of use in controlled environments, and not as a mechanism that would be intended or appropriate for ubiquitous deployment in the global Internet. -->We note that if routers in a given environment do not implement and enable the Quick-Start mechanism, only the general security implications of IP options (discussed in <xref target="general-implications"/>) would apply.</t>
</list>
    </section>

</section>


<section title="RFC3692-style Experiment (Types = 30, 94, 158, and 222)">
    <t>
        Section 2.5 of RFC 4727 <xref target="RFC4727" /> allocates an 
        option number with all defined values of the "copy" and "class" 
        fields for RFC3692-style experiments. This results in four 
        distinct option type codes: 30, 94, 158, and 222.</t>

    <section title="Uses">
        <t>
            It is only appropriate to use these values in 
            explicitly-configured experiments; they MUST NOT be shipped 
            as defaults in implementations.
        </t>
    </section>

    <section title="Option Specification">
        <t>Specified in RFC 4727 <xref target="RFC4727"/> in the context 
            of RFC3692-style experiments.</t>
    </section>
    <section title="Threats">
<t>No security issues are known for this option, other than the general security implications of IP options discussed in <xref target="general-implications"/>.</t>
    </section>
    <section title="Operational and Interoperability Impact if Blocked">
        <t>None.</t>
    </section>
    <section title="Advice">
        <t>Routers, security gateways, and firewalls SHOULD drop IP packets that contain RFC3692-style Experiment 
            options.</t>
    </section>

</section>

<section title="Other IP Options">
    <t>
        Unrecognized IP Options are to be ignored. Section 3.2.1.8 of 
        RFC 1122 <xref target="RFC1122" /> and Section 4.2.2.6 of RFC 
        1812 <xref target="RFC1812" /> specify this behavior as follows:  
        <list style='hanging' hangIndent="9">
        <t hangText="RFC 1122:">
             "The IP and transport layer MUST each interpret those IP 
             options that they understand and silently ignore the 
             others."
         </t>
        <t hangText="RFC 1812:">
            "A router MUST ignore IP options which it does not 
            recognize."
         </t>
        </list>

        This document adds that unrecognized IP Options MAY also be 
        logged.
    </t>
    <t>
        A number of additional options are specified in the "IP OPTIONS 
        NUMBERS" IANA registry <xref target="IANA-IP" />. Specifically:
    </t>
        <figure align="left">
<artwork>
Copy Class Number Value Name                               Reference
---- ----- ------ ----- ------------------------------- ------------
   0     0     10    10 ZSU    - Experimental Measurement      [ZSu]
   1     2     13   205 FINN   - Experimental Flow Control    [Finn]
   0     0     15    15 ENCODE - ???                      [VerSteeg]
   1     0     16   144 IMITD  - IMI Traffic Descriptor        [Lee]
   1     0     22   150        - Unassigned (Released 18 Oct. 2005) 
</artwork>
</figure>


</section>


</section>

<section anchor="IANA" title="IANA Considerations">
    <t>
        The "IP OPTION NUMBERS" registry <xref target="IANA-IP"/> 
        contains the list of the currently assigned IP option numbers.
        This registry also denotes an obsoleted IP Option Number by 
        marking it with a single asterisk ("*"). The Stream Identifier 
        Option (Type = 136) is obsolete (see <xref target="OPT-136" /> 
        and should therefore be marked as such.
    </t>
    <t>
        [[ IANA is requested to mark it as such, please remove this note  
        upon publication. ]]
        [[ IANA is also requested to fix the "Expermental" typo. ]]</t>
</section>


<section anchor="Security" title="Security Considerations">
<t>
This document provides advice on the filtering of IP packets that contain IP options. Dropping such packets can help to mitigate the security issues that arise from use of different IP options.
</t>
</section>


<section title="Acknowledgements">
<t>The authors would like to thank Panos Kampanakis and Donald Smith for providing valuable comments on earlier versions of this document.</t>
<t>Part of this document is based on the document &quot;Security 
    Assessment of the Internet Protocol&quot; <xref target="CPNI2008"/> 
    that is the result of a project carried out by Fernando Gont on 
    behalf of UK CPNI (formerly NISCC). </t>
<t>Fernando Gont would like to thank UK CPNI (formerly NISCC) for their continued support.</t>
</section>


</middle>

<back>
<references title="Normative References">
    <?rfc include="reference.RFC.0791" ?>
    <?rfc include="reference.RFC.1191" ?>

    <?rfc include="reference.RFC.1108" ?>



    <?rfc include="reference.RFC.1770" ?>

    <?rfc include="reference.RFC.1812" ?>
    <?rfc include="reference.RFC.4727" ?>
    <?rfc include="reference.RFC.1122" ?>
    <?rfc include="reference.RFC.4782" ?>

    <?rfc include="reference.RFC.2113" ?>
    <?rfc include="reference.RFC.2119" ?>
    
    <?rfc include="reference.RFC.5015" ?>
</references>

<references title="Informative References">
    <?rfc include="reference.RFC.1063" ?>
    <?rfc include="reference.RFC.1038" ?>
    <?rfc include="reference.RFC.1475" ?>
    <?rfc include="reference.RFC.4949" ?>
    <?rfc include="reference.RFC.2205" ?>
    <?rfc include="reference.RFC.3585" ?>
    <?rfc include="reference.RFC.4807" ?>
    <?rfc include="reference.RFC.5350" ?>
    <?rfc include="reference.RFC.5570" ?>

    <?rfc include="reference.RFC.6398" ?>
    <?rfc include="reference.RFC.1385" ?>
    <?rfc include="reference.RFC.1393" ?>

    <?rfc include="reference.RFC.6192" ?>

    <?rfc include="reference.I-D.gp-intarea-obsolete-ipv4-options-iana" ?>
    <?rfc include="reference.I-D.stoica-diffserv-dps" ?>

    <reference anchor="draft-farinacci-bidir-pim">
  <front>
  <title abbrev="Bi-Dir Shared Trees in PIM-SM">Bi-Directional Shared Trees in PIM-SM</title>
  <author initials="D.E." surname="Estrin" fullname="D. Estrin">
				<organization>USC/ISI</organization>
  </author>

  <author initials="D.F." surname="Farinacci" fullname="D. Farinacci">
				<organization>Cisco Systems</organization>
  </author>
  <date month="May" year="1999"/>
  </front>
		<seriesInfo name="" value="IETF Internet Draft, draft-farinacci-bidir-pim, work in progress"/>
  </reference>

    <reference anchor="CIPSO1992">
        <front>
            <title>COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)</title>
            <author initials="" surname="CIPSO" fullname="CIPSO">
                <organization></organization>
            </author>
            <date year="1992"/>
        </front>
        <seriesInfo name="Internet-Draft" 
            value="draft-ietf-cipso-ipsecurity-01"/>
    </reference>


    <reference anchor="Biondi2007">
        <front>
            <title>IPv6 Routing Header Security</title>
            <author initials="P." surname="Biondi" fullname= "P. Biondi">
                <organization></organization>
            </author>
            <author initials="A." surname="Ebalard" fullname= "A. Ebalard">
                <organization></organization>
            </author>

            <date year="2007"/>
        </front>
        <seriesInfo name="CanSecWest 2007 Security Conference" 
            value="&lt;http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf&gt;"/>
    </reference>

	<reference anchor="CIPSOWG1994" target="http://www.ietf.org/proceedings/94jul/charters/cipso-charter.html">
		<front>
			<title>Commercial Internet Protocol Security Option (CIPSO) Working Group</title>
			<author initials="" surname="CIPSOWG" fullname="CIPSOWG">
				<organization></organization>
			</author>
			<date year="1994"/>
		</front>
	
	</reference>

    <reference anchor="Cisco-IPSO">
        <front>
            <title>Cisco IOS Security Configuration Guide, Release 12.2 - Configuring IP Security Options</title>
            <author initials="" surname="" fullname="">
                <organization>Cisco Systems, Inc.</organization>
            </author>
            <date year="2006"/>
        </front>
        <seriesInfo name="" 
            value="&lt;http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfipso.html&gt;"/>
    </reference>


    <reference anchor="Cisco-IPSO-Cmds">
        <front>
            <title>Cisco IOS Security Command Reference, Release 12.2 - IP Security Options Commands</title>
            <author initials="" surname="" fullname="">
                <organization>Cisco Systems, Inc.</organization>
            </author>
            <date />
        </front>
        <seriesInfo name="" 
            value="&lt;http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfipso.html&gt;"/>
    </reference>
    

    <reference anchor="FIPS1994">
        <front>
            <title>Standard Security Label for Information Transfer</title>
            <author initials="" surname="FIPS" fullname= "FIPS">
                <organization></organization>
            </author>

            <date year="1994"/>
        </front>
        <seriesInfo name="Federal Information Processing Standards Publication."
            value="FIP PUBS 188, 
            &lt;http://csrc.nist.gov/publications/fips/fips188/fips188.pdf&gt;" 
            />
        <format type="PDF"
            target="http://csrc.nist.gov/publications/fips/fips188/fips188.pdf" 
            />
    </reference>



    <reference anchor="IANA-IP"
            target='http://www.iana.org/assignments/ip-parameters'>
        <front>
            <title>IP OPTION NUMBERS</title>
            <author
                fullname=''>
            <organization>
                Internet Assigned Numbers Authority
            </organization>
            </author>
            <date month='April' year="2011"/>
        </front>
        <format type="TXT"
            target="http://www.iana.org/assignments/ip-parameters" />
    </reference>


    <reference anchor="IRIX2008">
        <front>
            <title>IRIX 6.5 trusted_networking(7) manual page</title>
            <author initials="" surname="IRIX" fullname="IRIX">
                <organization></organization>
            </author>
            <date year="2008"/>
        </front>
        <seriesInfo name="" 
            value="&lt;http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/cat7/trusted_networking.z&gt;"/>
    </reference>

    <reference anchor="Kohno2005">
        <front>
            <title>Remote Physical Device Fingerprinting</title>
            <author initials="T." surname="Kohno" fullname="T. Kohno">
                <organization></organization>
            </author>
            <author initials="A." surname="Broido" fullname="A. Broido">
                <organization></organization>
            </author>
            <author initials="kc" surname="Claffy" fullname="kc Claffy">
                <organization></organization>
            </author>

            <date year="2005"/>
        </front>
        <seriesInfo name="IEEE Transactions on Dependable and Secure Computing" value="Vol. 2, No. 2"/>
    </reference>

    <reference anchor="Landwehr81">
        <front>
            <title>Formal Models for Computer Security</title>
            <author initials="C." surname="Landwehr" fullname="Carl E. Landwehr">
                <organization></organization>
            </author>

            <date year="1981"/>
        </front>
        <seriesInfo name="ACM Computing Surveys" value="Vol 13, No 3, September 1981, Assoc for Computing Machinery, New York, NY, USA"/>
    </reference>
    


    <reference anchor="CPNI2008">
        <front>
            <title>Security Assessment of the Internet Protocol</title>
            <author initials="F." surname="Gont" fullname="Fernando Gont">
                <organization>Centre for the Protection of National Infrastructure</organization>
            </author>
            <date year="2008"/>
        </front>
        <seriesInfo name="" 
            value="&lt;http://www.cpni.gov.uk/Docs/InternetProtocol.pdf&gt;"/>
    </reference>

<reference anchor="MEDINA">
<front>
<title>Measuring Interactions Between Transport Protocols and
Middleboxes</title>
<author initials="A." surname="Medina" fullname="Alberto Medina">
<organization />
</author>
<author initials="M." surname="Allman" fullname="Mark Allman">
<organization />
</author>
<author initials="S." surname="Floyd" fullname="Sally Floyd">
<organization />
</author>
<date month="October" year="2004" />
</front>
<seriesInfo name="Proc. 4th ACM SIGCOMM/USENIX Conference on Internet"
value="Measurement" />
</reference>

	<reference anchor="Microsoft1999" target="http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx">
		<front>
			<title>Microsoft Security Program: Microsoft Security Bulletin (MS99-038). Patch Available for "Spoofed Route Pointer" Vulnerability</title>
			<author initials="" surname="Microsoft" fullname="Microsoft">
				<organization></organization>
			</author>
			<date year="1999"/>
		</front>
	
	</reference>


	<reference anchor="OpenBSD1998" target="http://www.openbsd.org/advisories/sourceroute.txt">
		<front>
			<title>OpenBSD Security Advisory: IP Source Routing Problem</title>
			<author initials="" surname="OpenBSD" fullname="OpenBSD">
				<organization></organization>
			</author>
			<date year="1998"/>
		</front>
	
	</reference>






    <reference anchor="SELinux2008">
        <front>
            <title>http://www.nsa.gov/selinux/</title>
            <author initials="" surname="Security Enhanced Linux" fullname="Security Enhanced Linux">
                <organization></organization>
            </author>
            <date year=""/>
        </front>
    </reference>

    


    <reference anchor="Solaris2008">
        <front>
            <title>http://www.sun.com/software/solaris/ds/trusted_extensions.jsp#3</title>
            <author initials="" surname="Solaris Trusted Extensions - Labeled Security for Absolute Protection" fullname="Solaris Trusted Extensions - Labeled Security for Absolute Protection">
                <organization></organization>
            </author>
            <date year="2008"/>
        </front>
    </reference>




</references>

</back>
</rfc>