Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security

IPv4 Headers Investigated 347

Posted by CmdrTaco
from the that-makes-a-lot-of-sense dept.
An anonymous reader writes "New security measures are being suggested (see RFC 3514) for the IPv4 header. The measures include a bit that can be set and unset according to whether the packet is secure or not. Due to the important security implications, anyone coding client/server internet applications might want to take a look."
This discussion has been archived. No new comments can be posted.

IPv4 Headers Investigated

Comments Filter:
  • Jeez (Score:5, Informative)

    by abh (22332) <ahockley@gmail.com> on Tuesday April 01, 2003 @01:11PM (#5639011) Homepage
    April Fool's or not, this may be a record for a duplicate... the previous story was a whole THREE entries below this one on the homepage...
  • Re:Jeez (Score:2, Informative)

    by vslashg (209560) on Tuesday April 01, 2003 @01:19PM (#5639145)
    Three entries is impressive, but the record [slashdot.org] is two [slashdot.org].
  • I Love Taco (Score:3, Informative)

    by fozzy(pro) (267441) on Tuesday April 01, 2003 @01:21PM (#5639162)
    Taco Trolls the main slashdot site.
  • by Vengie (533896) on Tuesday April 01, 2003 @01:34PM (#5639297)
    And i have proof! [slashdot.org]
    hehe
  • by peacefinder (469349) <alan...dewitt@@@gmail...com> on Tuesday April 01, 2003 @01:41PM (#5639352) Journal
    At long last, we know for certain that Taco does hear our plea: "Stop with the duplicate stories already!"

    He just doesn't care. :)

    Now THAT is comedy.
  • by oPless (63249) on Tuesday April 01, 2003 @02:03PM (#5639528) Journal
    Network Working Group S. Bellovin
    Request for Comments: 3514 AT&T Labs Research
    Category: Informational 1 April 2003
    The Security Flag in the IPv4 Header

    Status of this Memo

    This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

    Copyright Notice

    Copyright (C) The Internet Society (2003). All Rights Reserved.

    Abstract

    Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases.

    1. Introduction

    Firewalls CBR03 , packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 RFC791 header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

    1.1. Terminology

    The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in RFC2119 .

    2. Syntax

    The high-order bit of the IP fragment offset field is the only unused bit in the IP header. Accordingly, the selection of the bit position is not left to IANA.

    The bit field is laid out as follows:

    0
    +-+
    |E|
    +-+

    Currently-assigned values are defined as follows:

    0x0 If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. (We note
    that this part of the spec is already implemented by many common desktop operating systems.)

    0x1 If the bit is set to 1, the packet has evil intent. Secure systems SHOULD try to defend themselves against such packets. Insecure systems MAY chose to crash, be penetrated, etc.

    3. Setting the Evil Bit

    There are a number of ways in which the evil bit may be set. Attack applications may use a suitable API to request that it be set. Systems that do not have other mechanisms MUST provide such an API; attack programs MUST use it.

    Multi-level insecure operating systems may have special levels for attack programs; the evil bit MUST be set by default on packets emanating from programs running at such levels. However, the system MAY provide an API to allow it to be cleared for non-malicious activity by users who normally engage in attack behavior.

    Fragments that by themselves are dangerous MUST have the evil bit set. If a packet with the evil bit set is fragmented by an intermediate router and the fragments themselves are not dangerous, the evil bit MUST be cleared in the fragments, and MUST be turned back on in the reassembled packet.

    Intermediate systems are sometimes used to launder attack connections. Packets to such systems that are intended to be relayed to a target SHOULD have the evil bit set.

    Some applications hand-craft their own packets. If these packets are part of an attack, the application MUST set the evil bit by itself.

    In networks protected by firewalls, it is axiomatic that all attackers are on the outside of the firewall. Therefore, hosts inside the firewall MUST NOT set the evil bit on any packets.

    Because NAT RFC3022 boxes modify packets, they SHOULD set the evil bit on such packets. "Transparent" http and email proxies SHOULD set the evil bit on their reply packets to the innocent client host.

    Some hosts scan other hosts in a fashion that can alert intrusion detection systems. If the scanning is part of a benign research project, the evil bit MUST NOT be set
  • We GET it already!! (Score:3, Informative)

    by Sgt York (591446) <jvolm&earthlink,net> on Tuesday April 01, 2003 @02:13PM (#5639637)
    Come on, an RFC released on 4/1?

    Is everybody ready for the internet cleaning day?

    C'mon, though really...it was funny the first time. Humorous the second, but come ON....Are you going for a record or something?

    Actually, hell...it's probably a reference to something mentioned in the RFC(j)...I just haven't taken the time to read it yet.

  • Re:God Dammit! (Score:3, Informative)

    by Darby (84953) on Tuesday April 01, 2003 @03:18PM (#5640089)
    You forgot The Matrix: Spectral Decomposition.

  • Re:Jeez (Score:3, Informative)

    by Sleepy (4551) on Tuesday April 01, 2003 @08:25PM (#5641980) Homepage
    > This is beginning to remind me of that fat kid in school who only knew one joke, and kept repeating it ALL THE GODDAMNED TIME.
    >You know him. He was at your school, too.

    You may think that's funny, but CowboyNeal has feelings too!

"No job too big; no fee too big!" -- Dr. Peter Venkman, "Ghost-busters"

Working...