tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 7126

BCP 186
Pages: 36
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: OPSEC

Recommendations on Filtering of IPv4 Packets Containing IPv4 Options

Part 1 of 2, p. 1 to 20
None       Next RFC Part

 


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                           F. Gont
Request for Comments: 7126                        UTN-FRH / SI6 Networks
BCP: 186                                                     R. Atkinson
Category: Best Current Practice                               Consultant
ISSN: 2070-1721                                             C. Pignataro
                                                                   Cisco
                                                           February 2014


  Recommendations on Filtering of IPv4 Packets Containing IPv4 Options

Abstract

   This document provides advice on the filtering of IPv4 packets based
   on the IPv4 options they contain.  Additionally, it discusses the
   operational and interoperability implications of dropping packets
   based on the IP options they contain.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It has been approved for publication by the Internet
   Engineering Steering Group (IESG).  Further information on BCPs is
   available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7126.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Top       Page 2 
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology and Conventions Used in This Document . . . .   3
     1.2.  Operational Focus . . . . . . . . . . . . . . . . . . . .   4
   2.  IP Options  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  General Security Implications of IP Options . . . . . . . . .   5
     3.1.  Processing Requirements . . . . . . . . . . . . . . . . .   5
   4.  Advice on the Handling of Packets with Specific IP Options  .   7
     4.1.  End of Option List (Type = 0) . . . . . . . . . . . . . .   7
     4.2.  No Operation (Type = 1) . . . . . . . . . . . . . . . . .   7
     4.3.  Loose Source and Record Route (LSRR) (Type = 131) . . . .   8
     4.4.  Strict Source and Record Route (SSRR) (Type = 137)  . . .  10
     4.5.  Record Route (Type = 7) . . . . . . . . . . . . . . . . .  11
     4.6.  Stream Identifier (Type = 136) (obsolete) . . . . . . . .  12
     4.7.  Internet Timestamp (Type = 68)  . . . . . . . . . . . . .  13
     4.8.  Router Alert (Type = 148) . . . . . . . . . . . . . . . .  14
     4.9.  Probe MTU (Type = 11) (obsolete)  . . . . . . . . . . . .  15
     4.10. Reply MTU (Type = 12) (obsolete)  . . . . . . . . . . . .  16
     4.11. Traceroute (Type = 82)  . . . . . . . . . . . . . . . . .  16
     4.12. DoD Basic Security Option (Type = 130)  . . . . . . . . .  17
     4.13. DoD Extended Security Option (Type = 133) . . . . . . . .  20
     4.14. Commercial IP Security Option (CIPSO) (Type = 134)  . . .  22
     4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . .  23
     4.16. Extended Internet Protocol (Type = 145) . . . . . . . . .  24
     4.17. Address Extension (Type = 147)  . . . . . . . . . . . . .  25
     4.18. Sender Directed Multi-Destination Delivery (Type = 149) .  25
     4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . .  26
     4.20. Upstream Multicast Pkt. (Type = 152)  . . . . . . . . . .  26
     4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . .  27
     4.22. RFC3692-Style Experiment (Types = 30, 94, 158, and 222) .  28
     4.23. Other IP Options  . . . . . . . . . . . . . . . . . . . .  29
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  31
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  31
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  31
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  31
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  32

Top      ToC       Page 3 
1.  Introduction

   This document discusses the filtering of IPv4 packets based on the
   IPv4 options they contain.  Since various protocols may use IPv4
   options to some extent, dropping packets based on the options they
   contain may have implications on the proper functioning of such
   protocols.  Therefore, this document attempts to discuss the
   operational and interoperability implications of such dropping.
   Additionally, it outlines what a network operator might do in typical
   enterprise or Service Provider environments.  This document also
   draws and is partly derived from [RFC6274], which also received
   review from the operational community.

   We note that data seems to indicate that there is a current
   widespread practice of blocking IPv4 optioned packets.  There are
   various plausible approaches to minimize the potential negative
   effects of IPv4 optioned packets while allowing some option
   semantics.  One approach is to allow for specific options that are
   expected or needed, and have a default deny.  A different approach is
   to deny unneeded options and have a default allow.  Yet a third
   possible approach is to allow for end-to-end semantics by ignoring
   options and treating packets as un-optioned while in transit.
   Experiments and currently available data tend to support the first or
   third approaches as more realistic.  Some results regarding the
   current state of affairs with respect to dropping packets containing
   IP options can be found in [MEDINA] and [FONSECA].  Additionally,
   [BREMIER-BARR] points out that the deployed Internet already has many
   routers that do not process IP options.

   We also note that while this document provides advice on dropping
   packets on a "per IP option type", not all devices (routers, security
   gateways, and firewalls) may provide this capability with such
   granularity.  Additionally, even in cases in which such functionality
   is provided, an operator might want to specify a dropping policy with
   a coarser granularity (rather than on a "per IP option type"
   granularity), as indicated above.

   Finally, in scenarios in which processing of IP options by
   intermediate systems is not required, a widespread approach is to
   simply ignore IP options and process the corresponding packets as if
   they do not contain any IP options.

1.1.  Terminology and Conventions Used in This Document

   The terms "fast path", "slow path", and associated relative terms
   ("faster path" and "slower path") are loosely defined as in Section 2
   of [RFC6398].

Top      ToC       Page 4 
   Because of the security-oriented nature of this document, we are
   deliberately including some historical citations.  The goal is to
   explicitly retain and show history, as well as remove ambiguity and
   confusion.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Operational Focus

   All of the recommendations in this document have been made in an
   effort to optimize for operational community consensus, as best the
   authors have been able to determine that.  This has included not only
   accepting feedback from public lists, but also accepting off-list
   feedback from people at various network operators (e.g. Internet
   Service Providers, content providers, educational institutions,
   commercial firms).

2.  IP Options

   IP options allow for the extension of the Internet Protocol.  As
   specified in [RFC0791], there are two cases for the format of an
   option:

   o  Case 1: A single byte of option-type.

   o  Case 2: An option-type byte, an option-length byte, and the actual
      option-data bytes.

   IP options of Case 1 have the following syntax:

   +-+-+-+-+-+-+-+-+- - - - - - - - -
   |  option-type  |  option-data
   +-+-+-+-+-+-+-+-+- - - - - - - - -

   The length of IP options of Case 1 is implicitly specified by the
   option-type byte.

   IP options of Case 2 have the following syntax:

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
   |  option-type  | option-length |  option-data
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -

   In this case, the option-length byte counts the option-type byte and
   the option-length byte, as well as the actual option-data bytes.

Top      ToC       Page 5 
   All current and future options, except "End of Option List" (Type =
   0) and "No Operation" (Type = 1), are of Class 2.

   The option-type has three fields:

   o  1 bit: copied flag.

   o  2 bits: option class.

   o  5 bits: option number.

   The copied flag indicates whether this option should be copied to all
   fragments in the event the packet carrying it needs to be fragmented:

   o  0 = not copied.

   o  1 = copied.

   The values for the option class are:

   o  0 = control.

   o  1 = reserved for future use.

   o  2 = debugging and measurement.

   o  3 = reserved for future use.

   This format allows for the creation of new options for the extension
   of the Internet Protocol (IP).

   Finally, the option number identifies the syntax of the rest of the
   option.

   The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the
   currently assigned IP option numbers.

3.  General Security Implications of IP Options

3.1.  Processing Requirements

   Historically, most IP routers used a general-purpose CPU to process
   IP packets and forward them towards their destinations.  This same
   CPU usually also processed network management traffic (e.g., SNMP),
   configuration commands (e.g., command line interface), and various
   routing protocols (e.g., RIP, OSPF, BGP, IS-IS) or other control
   protocols (e.g., RSVP, ICMP).  In such architectures, it has been
   common for the general-purpose CPU also to perform any packet

Top      ToC       Page 6 
   filtering that has been enabled on the router (or router interface).
   An IP router built using this architecture often has a significant
   Distributed Denial-of-Service (DDoS) attack risk if the router
   control plane (e.g., CPU) is overwhelmed by a large number of IPv4
   packets that contain IPv4 options.

   From about 1995 onwards, a growing number of IP routers have
   incorporated silicon specialized for IP packet processing (i.e.,
   Field-Programmable Gate Array (FPGA), Application-Specific Integrated
   Circuit (ASIC)), thereby separating the function of IP packet
   forwarding from the other functions of the router.  Such router
   architectures tend to be more resilient to DDoS attacks that might be
   seen in the global public Internet.  Depending upon various
   implementation and configuration details, routers with a silicon
   packet-forwarding engine can handle high volumes of IP packets
   containing IP options without any adverse impact on packet-forwarding
   rates or on the router's control plane (e.g., general-purpose CPU).
   Some implementations have a configuration knob simply to forward all
   IP packets containing IP options at wire-speed in silicon, as if the
   IP packet did not contain any IP options ("ignore options &
   forward").  Other implementations support wire-speed silicon-based
   packet filtering, thereby enabling packets containing certain IP
   options to be selectively dropped ("drop"), packets containing
   certain other IP options to have those IP options ignored ("ignore
   options & forward"), and other packets containing different IP
   options to have those options processed, either on a general-purpose
   CPU or using custom logic (e.g., FPGA, ASIC), while the packet is
   being forwarded ("process option & forward").

   Broadly speaking, any IP packet that requires processing by an IP
   router's general-purpose CPU can be a DDoS risk to that router's
   general-purpose CPU (and thus to the router itself).  However, at
   present, the particular architectural and engineering details of the
   specific IP router being considered are important to understand when
   evaluating the operational security risks associated with a
   particular IP packet type or IP option type.

   Operators are urged to consider the capabilities of potential IP
   routers for IP option filtering and handling as they make deployment
   decisions in the future.

   Additional considerations for protecting the control plane from
   packets containing IP options can be found in [RFC6192].

   Finally, in addition to advice to operators, this document also
   provides advice to router, security gateway, and firewall
   implementers in terms of providing the capability to filter packets

Top      ToC       Page 7 
   with different granularities: both on a "per IP option type"
   granularity (to maximize flexibility) as well as more coarse filters
   (to minimize configuration complexity).

4.  Advice on the Handling of Packets with Specific IP Options

   The following subsections contain a description of each of the IP
   options that have so far been specified, a discussion of possible
   interoperability implications if packets containing such options are
   dropped, and specific advice on whether to drop packets containing
   these options in a typical enterprise or Service Provider
   environment.

4.1.  End of Option List (Type = 0)

4.1.1.  Uses

   This option is used to indicate the "end of options" in those cases
   in which the end of options would not coincide with the end of the
   Internet Protocol header.

4.1.2.  Option Specification

   Specified in RFC 791 [RFC0791].

4.1.3.  Threats

   No specific security issues are known for this IPv4 option.

4.1.4.  Operational and Interoperability Impact if Blocked

   Packets containing any IP options are likely to include an End of
   Option List.  Therefore, if packets containing this option are
   dropped, it is very likely that legitimate traffic is blocked.

4.1.5.  Advice

   Routers, security gateways, and firewalls SHOULD NOT drop packets
   because they contain this option.

4.2.  No Operation (Type = 1)

4.2.1.  Uses

   The no-operation option is basically meant to allow the sending
   system to align subsequent options in, for example, 32-bit
   boundaries.

Top      ToC       Page 8 
4.2.2.  Option Specification

   Specified in RFC 791 [RFC0791].

4.2.3.  Threats

   No specific security issues are known for this IPv4 option.

4.2.4.  Operational and Interoperability Impact if Blocked

   Packets containing any IP options are likely to include a No
   Operation option.  Therefore, if packets containing this option are
   dropped, it is very likely that legitimate traffic is blocked.

4.2.5.  Advice

   Routers, security gateways, and firewalls SHOULD NOT drop packets
   because they contain this option.

4.3.  Loose Source and Record Route (LSRR) (Type = 131)

   RFC 791 states that this option should appear at most once in a given
   packet.  Thus, if a packet contains more than one LSRR option, it
   should be dropped, and this event should be logged (e.g., a counter
   could be incremented to reflect the packet drop).  Additionally,
   packets containing a combination of LSRR and SSRR options should be
   dropped, and this event should be logged (e.g., a counter could be
   incremented to reflect the packet drop).

4.3.1.  Uses

   This option lets the originating system specify a number of
   intermediate systems a packet must pass through to get to the
   destination host.  Additionally, the route followed by the packet is
   recorded in the option.  The receiving host (end-system) must use the
   reverse of the path contained in the received LSRR option.

   The LSSR option can be of help in debugging some network problems.
   Some Internet Service Provider (ISP) peering agreements require
   support for this option in the routers within the peer of the ISP.

4.3.2.  Option Specification

   Specified in RFC 791 [RFC0791].

Top      ToC       Page 9 
4.3.3.  Threats

   The LSRR option has well-known security implications [RFC6274].
   Among other things, the option can be used to:

   o  Bypass firewall rules.

   o  Reach otherwise unreachable internet systems.

   o  Establish TCP connections in a stealthy way.

   o  Learn about the topology of a network.

   o  Perform bandwidth-exhaustion attacks.

   Of these attack vectors, the one that has probably received least
   attention is the use of the LSRR option to perform bandwidth
   exhaustion attacks.  The LSRR option can be used as an amplification
   method for performing bandwidth-exhaustion attacks, as an attacker
   could make a packet bounce multiple times between a number of systems
   by carefully crafting an LSRR option.

      This is the IPv4 version of the IPv6 amplification attack that was
      widely publicized in 2007 [Biondi2007].  The only difference is
      that the maximum length of the IPv4 header (and hence the LSRR
      option) limits the amplification factor when compared to the IPv6
      counterpart.

   Additionally, some implementations have been found to fail to include
   proper sanity checks on the LSRR option, thus leading to security
   issues.  These specific issues are believed to be solved in all
   modern implementations.

      [Microsoft1999] is a security advisory about a vulnerability
      arising from improper validation of the Pointer field of the LSRR
      option.

   Finally, we note that some systems were known for providing a system-
   wide toggle to enable support for this option for those scenarios in
   which this option is required.  However, improper implementation of
   such a system-wide toggle caused those systems to support the LSRR
   option even when explicitly configured not to do so.

      [OpenBSD1998] is a security advisory about an improper
      implementation of such a system-wide toggle in 4.4BSD kernels.
      This issue was resolved in later versions of the corresponding
      operating system.

Top      ToC       Page 10 
4.3.4.  Operational and Interoperability Impact if Blocked

   Network troubleshooting techniques that may employ the LSRR option
   (such as ping or traceroute with the appropriate arguments) would
   break when using the LSRR option.  (Ping and traceroute without IPv4
   options are not impacted.)  Nevertheless, it should be noted that it
   is virtually impossible to use the LSRR option for troubleshooting,
   due to widespread dropping of packets that contain the option.

4.3.5.  Advice

   Routers, security gateways, and firewalls SHOULD implement an option-
   specific configuration knob to select whether packets with this
   option are dropped, packets with this IP option are forwarded as if
   they did not contain this IP option, or packets with this option are
   processed and forwarded as per [RFC0791].  The default setting for
   this knob SHOULD be "drop", and the default setting MUST be
   documented.

   Please note that treating packets with LSRR as if they did not
   contain this option can result in such packets being sent to a
   different device than the initially intended destination.  With
   appropriate ingress filtering, this should not open an attack vector
   into the infrastructure.  Nonetheless, it could result in traffic
   that would never reach the initially intended destination.  Dropping
   these packets prevents unnecessary network traffic and does not make
   end-to-end communication any worse.

4.4.  Strict Source and Record Route (SSRR) (Type = 137)

4.4.1.  Uses

   This option allows the originating system to specify a number of
   intermediate systems a packet must pass through to get to the
   destination host.  Additionally, the route followed by the packet is
   recorded in the option, and the destination host (end-system) must
   use the reverse of the path contained in the received SSRR option.

   This option is similar to the Loose Source and Record Route (LSRR)
   option, with the only difference that in the case of SSRR, the route
   specified in the option is the exact route the packet must take
   (i.e., no other intervening routers are allowed to be in the route).

   The SSRR option can be of help in debugging some network problems.
   Some ISP peering agreements require support for this option in the
   routers within the peer of the ISP.

Top      ToC       Page 11 
4.4.2.  Option Specification

   Specified in RFC 791 [RFC0791].

4.4.3.  Threats

   The SSRR option has the same security implications as the LSRR
   option.  Please refer to Section 4.3 for a discussion of such
   security implications.

4.4.4.  Operational and Interoperability Impact if Blocked

   Network troubleshooting techniques that may employ the SSRR option
   (such as ping or traceroute with the appropriate arguments) would
   break when using the SSRR option.  (Ping and traceroute without IPv4
   options are not impacted.)  Nevertheless, it should be noted that it
   is virtually impossible to use the SSRR option for trouble-shooting,
   due to widespread dropping of packets that contain such option.

4.4.5.  Advice

   Routers, security gateways, and firewalls SHOULD implement an option-
   specific configuration knob to select whether packets with this
   option are dropped, packets with this IP option are forwarded as if
   they did not contain this IP option, or packets with this option are
   processed and forwarded as per [RFC0791].  The default setting for
   this knob SHOULD be "drop", and the default setting MUST be
   documented.

   Please note that treating packets with SSRR as if they did not
   contain this option can result in such packets being sent to a
   different device that the initially intended destination.  With
   appropriate ingress filtering this should not open an attack vector
   into the infrastructure.  Nonetheless, it could result in traffic
   that would never reach the initially intended destination.  Dropping
   these packets prevents unnecessary network traffic, and does not make
   end-to-end communication any worse.

4.5.  Record Route (Type = 7)

4.5.1.  Uses

   This option provides a means to record the route that a given packet
   follows.

4.5.2.  Option Specification

   Specified in RFC 791 [RFC0791].

Top      ToC       Page 12 
4.5.3.  Threats

   This option can be exploited to map the topology of a network.
   However, the limited space in the IP header limits the usefulness of
   this option for that purpose.

4.5.4.  Operational and Interoperability Impact if Blocked

   Network troubleshooting techniques that may employ the RR option
   (such as ping with the RR option) would break when using the RR
   option.  (Ping without IPv4 options is not impacted.)  Nevertheless,
   it should be noted that it is virtually impossible to use such
   techniques due to widespread dropping of packets that contain RR
   options.

4.5.5.  Advice

   Routers, security gateways, and firewalls SHOULD implement an option-
   specific configuration knob to select whether packets with this
   option are dropped, packets with this IP option are forwarded as if
   they did not contain this IP option, or packets with this option are
   processed and forwarded as per [RFC0791].  The default setting for
   this knob SHOULD be "drop", and the default setting MUST be
   documented.

4.6.  Stream Identifier (Type = 136) (obsolete)

   The Stream Identifier option originally provided a means for the
   16-bit SATNET stream Identifier to be carried through networks that
   did not support the stream concept.

   However, as stated by Section 3.2.1.8 of RFC 1122 [RFC1122] and
   Section 4.2.2.1 of RFC 1812 [RFC1812], this option is obsolete.
   Therefore, it must be ignored by the processing systems.  See also
   [IANA-IP] and [RFC6814].

   RFC 791 states that this option appears at most once in a given
   datagram.  Therefore, if a packet contains more than one instance of
   this option, it should be dropped, and this event should be logged
   (e.g., a counter could be incremented to reflect the packet drop).

4.6.1.  Uses

   This option is obsolete.  There is no current use for this option.

Top      ToC       Page 13 
4.6.2.  Option Specification

   Specified in RFC 791 [RFC0791], and deprecated in RFC 1122 [RFC1122]
   and RFC 1812 [RFC1812].  This option has been formally obsoleted by
   [RFC6814].

4.6.3.  Threats

   No specific security issues are known for this IPv4 option.

4.6.4.  Operational and Interoperability Impact if Blocked

   None.

4.6.5.  Advice

   Routers, security gateways, and firewalls SHOULD drop IP packets
   containing a Stream Identifier option.

4.7.  Internet Timestamp (Type = 68)

4.7.1.  Uses

   This option provides a means for recording the time at which each
   system (or a specified set of systems) processed this datagram, and
   it may optionally record the addresses of the systems providing the
   timestamps.

4.7.2.  Option Specification

   Specified by RFC 791 [RFC0791].

4.7.3.  Threats

   The timestamp option has a number of security implications [RFC6274].
   Among them are:

   o  It allows an attacker to obtain the current time of the systems
      that process the packet, which the attacker may find useful in a
      number of scenarios.

   o  It may be used to map the network topology in a similar way to the
      IP Record Route option.

   o  It may be used to fingerprint the operating system in use by a
      system processing the datagram.

Top      ToC       Page 14 
   o  It may be used to fingerprint physical devices by analyzing the
      clock skew.

   [Kohno2005] describes a technique for fingerprinting devices by
   measuring the clock skew.  It exploits, among other things, the
   timestamps that can be obtained by means of the ICMP timestamp
   request messages [RFC0791].  However, the same fingerprinting method
   could be implemented with the aid of the Internet Timestamp option.

4.7.4.  Operational and Interoperability Impact if Blocked

   Network troubleshooting techniques that may employ the Internet
   Timestamp option (such as ping with the Timestamp option) would break
   when using the Timestamp option.  (Ping without IPv4 options is not
   impacted.)  Nevertheless, it should be noted that it is virtually
   impossible to use such techniques due to widespread dropping of
   packets that contain Internet Timestamp options.

4.7.5.  Advice

   Routers, security gateways, and firewalls SHOULD drop IP packets
   containing an Internet Timestamp option.

4.8.  Router Alert (Type = 148)

4.8.1.  Uses

   The Router Alert option has the semantic "routers should examine this
   packet more closely, if they participate in the functionality denoted
   by the Value of the option".

4.8.2.  Option Specification

   The Router Alert option is defined in RFC 2113 [RFC2113] and later
   updates to it have been clarified by RFC 5350 [RFC5350].  It contains
   a 16-bit Value governed by an IANA registry (see [RFC5350]).

4.8.3.  Threats

   The security implications of the Router Alert option have been
   discussed in detail in [RFC6398].  Basically, the Router Alert option
   might be exploited to perform a DoS attack by exhausting CPU
   resources at the processing routers.

4.8.4.  Operational and Interoperability Impact if Blocked

   Applications that employ the Router Alert option (such as RSVP
   [RFC2205]) would break.

Top      ToC       Page 15 
4.8.5.  Advice

   This option SHOULD be allowed only in controlled environments, where
   the option can be used safely.  [RFC6398] identifies some such
   environments.  In unsafe environments, packets containing this option
   SHOULD be dropped.

   A given router, security gateway, or firewall system has no way of
   knowing a priori whether this option is valid in its operational
   environment.  Therefore, routers, security gateways, and firewalls
   SHOULD, by default, ignore the Router Alert option.  Additionally,
   routers, security gateways, and firewalls SHOULD have a configuration
   setting that governs their reaction in the presence of packets
   containing the Router Alert option.  This configuration setting
   SHOULD allow to honor and process the option, ignore the option, or
   drop packets containing this option.

4.9.  Probe MTU (Type = 11) (obsolete)

4.9.1.  Uses

   This option originally provided a mechanism to discover the Path-MTU.
   It has been declared obsolete.

4.9.2.  Option Specification

   This option was originally defined in RFC 1063 [RFC1063] and was
   obsoleted with RFC 1191 [RFC1191].  This option is now obsolete, as
   RFC 1191 obsoletes RFC 1063 without using IP options.

4.9.3.  Threats

   This option is obsolete.  This option could have been exploited to
   cause a host to set its Path MTU (PMTU) estimate to an inordinately
   low or an inordinately high value, thereby causing performance
   problems.

4.9.4.  Operational and Interoperability Impact if Blocked

   None

      This option is NOT employed with the modern "Path MTU Discovery"
      (PMTUD) mechanism [RFC1191], which employs special ICMP messages
      (Type 3, Code 4) in combination with the IP DF bit.  Packetization
      Layer PMTUD (PLPMTUD) [RFC4821] can perform PMTUD without the need
      for any special packets.

Top      ToC       Page 16 
4.9.5.  Advice

   Routers, security gateways, and firewalls SHOULD drop IP packets that
   contain a Probe MTU option.

4.10.  Reply MTU (Type = 12) (obsolete)

4.10.1.  Uses

   This option originally provided a mechanism to discover the Path-MTU.
   It is now obsolete.

4.10.2.  Option Specification

   This option was originally defined in RFC 1063 [RFC1063] and was
   obsoleted with RFC 1191 [RFC1191].  This option is now obsolete, as
   RFC 1191 obsoletes RFC 1063 without using IP options.

4.10.3.  Threats

   This option is obsolete.  This option could have been exploited to
   cause a host to set its PMTU estimate to an inordinately low or an
   inordinately high value, thereby causing performance problems.

4.10.4.  Operational and Interoperability Impact if Blocked

   None

      This option is NOT employed with the modern "Path MTU Discovery"
      (PMTUD) mechanism [RFC1191], which employs special ICMP messages
      (Type 3, Code 4) in combination with the IP DF bit.  PLPMTUD
      [RFC4821] can perform PMTUD without the need of any special
      packets.

4.10.5.  Advice

   Routers, security gateways, and firewalls SHOULD drop IP packets that
   contain a Reply MTU option.

4.11.  Traceroute (Type = 82)

4.11.1.  Uses

   This option originally provided a mechanism to trace the path to a
   host.

Top      ToC       Page 17 
4.11.2.  Option Specification

   This option was originally specified by RFC 1393 [RFC1393] as
   "experimental", and it was never widely deployed on the public
   Internet.  This option has been formally obsoleted by [RFC6814].

4.11.3.  Threats

   This option is obsolete.  Because this option required each router in
   the path both to provide special processing and to send an ICMP
   message, it could have been exploited to perform a DoS attack by
   exhausting CPU resources at the processing routers.

4.11.4.  Operational and Interoperability Impact if Blocked

   None

4.11.5.  Advice

   Routers, security gateways, and firewalls SHOULD drop IP packets that
   contain a Traceroute option.

4.12.  DoD Basic Security Option (Type = 130)

4.12.1.  Uses

   This option [RFC1108] is used by Multi-Level Secure (MLS) end-systems
   and intermediate systems in specific environments to:

   o  transmit from source to destination in a network standard
      representation the common security labels required by computer
      security models [Landwehr81],

   o  validate the datagram as appropriate for transmission from the
      source and delivery to the destination, and,

   o  ensure that the route taken by the datagram is protected to the
      level required by all protection authorities indicated on the
      datagram.

   The DoD Basic Security Option (BSO) was implemented in IRIX
   [IRIX2008] and is currently implemented in a number of operating
   systems (e.g., Security-Enhanced Linux [SELinux2008], Solaris
   [Solaris2008], and Cisco IOS [Cisco-IPSO]).  It is also currently
   deployed in a number of high-security networks.  These networks are
   typically either in physically secure locations, protected by
   military/governmental communications security equipment, or both.

Top      ToC       Page 18 
   Such networks are typically built using commercial off-the-shelf
   (COTS) IP routers and Ethernet switches, but they are not normally
   interconnected with the global public Internet.  MLS systems are much
   more widely deployed now than they were at the time the then-IESG
   decided to remove IPSO (IP Security Options) from the IETF Standards
   Track.  Since nearly all MLS systems also support IPSO BSO and IPSO
   ESO, this option is believed to have more deployment now than when
   the IESG removed this option from the IETF Standards Track.
   [RFC5570] describes a similar option recently defined for IPv6 and
   has much more detailed explanations of how sensitivity label options
   are used in real-world deployments.

4.12.2.  Option Specification

   It is specified by RFC 1108 [RFC1108], which obsoleted RFC 1038
   [RFC1038] (which in turn obsoleted the Security Option defined in RFC
   791 [RFC0791]).

      RFC 791 [RFC0791] defined the "Security Option" (Type = 130),
      which used the same option type as the DoD Basic Security option
      discussed in this section.  Later, RFC 1038 [RFC1038] revised the
      IP security options, and in turn was obsoleted by RFC 1108
      [RFC1108].  The "Security Option" specified in RFC 791 is
      considered obsolete by Section 3.2.1.8 of RFC 1122 [RFC1122] and
      Section 4.2.2.1 of RFC 1812 [RFC1812], and therefore the
      discussion in this section is focused on the DoD Basic Security
      option specified by RFC 1108 [RFC1108].

   Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement
   [this option]".

      Some private IP networks consider IP router-based per-interface
      selective filtering of packets based on (a) the presence of an
      IPSO option (including BSO and ESO) and (b) the contents of that
      IPSO option to be important for operational security reasons.  The
      recent IPv6 Common Architecture Label IPv6 Security Option
      (CALIPSO) specification discusses this in additional detail,
      albeit in an IPv6 context [RFC5570].

      Such private IP networks commonly are built using both commercial
      and open-source products -- for hosts, guards, firewalls,
      switches, routers, etc.  Some commercial IP routers support this
      option, as do some IP routers that are built on top of MLS
      operating systems (e.g., on top of Trusted Solaris [Solaris2008]
      or Security-Enhanced Linux [SELinux2008]).

Top      ToC       Page 19 
      For example, many Cisco routers that run Cisco IOS include support
      for selectively filtering packets that contain the IP Security
      Options (IPSO) with per-interface granularity.  This capability
      has been present in many Cisco routers since the early 1990s
      [Cisco-IPSO-Cmds].  Some government-sector products reportedly
      also support the IP Security Options (IPSO), for example, CANEWARE
      [RFC4949].

      Support for the IPSO Basic Security Option also is included in the
      "IPsec Configuration Policy Information Model" [RFC3585] and in
      the "IPsec Security Policy Database Configuration MIB" [RFC4807].
      Section 4.6.1 of the IP Security Domain of Interpretation
      [RFC2407] includes support for labeled IPsec security associations
      compatible with the IP Security Options.  (Note: RFC 2407 was
      obsoleted by [RFC4306], which was obsoleted by [RFC5996].)

4.12.3.  Threats

   Presence of this option in a packet does not by itself create any
   specific new threat.  Packets with this option ought not normally be
   seen on the global public Internet.

4.12.4.  Operational and Interoperability Impact if Blocked

   If packets with this option are blocked or if the option is stripped
   from the packet during transmission from source to destination, then
   the packet itself is likely to be dropped by the receiver because it
   is not properly labeled.  In some cases, the receiver might receive
   the packet but associate an incorrect sensitivity label with the
   received data from the packet whose BSO was stripped by an
   intermediate router or firewall.  Associating an incorrect
   sensitivity label can cause the received information either to be
   handled as more sensitive than it really is ("upgrading") or as less
   sensitive than it really is ("downgrading"), either of which is
   problematic.

4.12.5.  Advice

   A given IP router, security gateway, or firewall has no way to know a
   priori what environment it has been deployed into.  Even closed IP
   deployments generally use exactly the same commercial routers,
   security gateways, and firewalls that are used in the public
   Internet.

Top      ToC       Page 20 
   Since operational problems result in environments where this option
   is needed if either the option is dropped or IP packets containing
   this option are dropped, but no harm results if the option is carried
   in environments where it is not needed, the default configuration
   SHOULD NOT (a) modify or remove this IP option or (b) drop an IP
   packet because the IP packet contains this option.

   A given IP router, security gateway, or firewall MAY be configured to
   drop this option or to drop IP packets containing this option in an
   environment known to not use this option.

   For auditing reasons, routers, security gateways, and firewalls
   SHOULD be capable of logging the numbers of packets containing the
   BSO on a per-interface basis.  Also, routers, security gateways, and
   firewalls SHOULD be capable of dropping packets based on the BSO
   presence as well as the BSO values.



(page 20 continued on part 2)

Next RFC Part