Сегодняшний RFC

sergey_m

Network Working Group S. Bellovin
Request for Comments: 3514 AT&T Labs Research
Category: Informational 1 April 2003
The Security Flag in the IPv4 Header
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
Firewalls, packet filters, intrusion detection systems, and the like
often have difficulty distinguishing between packets that have
malicious intent and those that are merely unusual. We define a
security flag in the IPv4 header as a means of distinguishing the two
cases.
1. Introduction
Firewalls [CBR03], packet filters, intrusion detection systems, and
the like often have difficulty distinguishing between packets that
have malicious intent and those that are merely unusual. The problem
is that making such determinations is hard. To solve this problem,
we define a security flag, known as the "evil" bit, in the IPv4
[RFC791] header. Benign packets have this bit set to 0; those that
are used for an attack will have the bit set to 1.
1.1. Terminology
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in [RFC2119].
2. Syntax
The high-order bit of the IP fragment offset field is the only unused
bit in the IP header. Accordingly, the selection of the bit position
is not left to IANA.
Bellovin Informational [Page 1]

RFC 3514 The Security Flag in the IPv4 Header 1 April 2003
The bit field is laid out as follows:
0
+-+
|E|
+-+
Currently-assigned values are defined as follows:
0x0 If the bit is set to 0, the packet has no evil intent. Hosts,
network elements, etc., SHOULD assume that the packet is
harmless, and SHOULD NOT take any defensive measures. (We note
that this part of the spec is already implemented by many common
desktop operating systems.)
0x1 If the bit is set to 1, the packet has evil intent. Secure
systems SHOULD try to defend themselves against such packets.
Insecure systems MAY chose to crash, be penetrated, etc.
3. Setting the Evil Bit
There are a number of ways in which the evil bit may be set. Attack
applications may use a suitable API to request that it be set.
Systems that do not have other mechanisms MUST provide such an API;
attack programs MUST use it.
Multi-level insecure operating systems may have special levels for
attack programs; the evil bit MUST be set by default on packets
emanating from programs running at such levels. However, the system
MAY provide an API to allow it to be cleared for non-malicious
activity by users who normally engage in attack behavior.
Fragments that by themselves are dangerous MUST have the evil bit
set. If a packet with the evil bit set is fragmented by an
intermediate router and the fragments themselves are not dangerous,
the evil bit MUST be cleared in the fragments, and MUST be turned
back on in the reassembled packet.
Intermediate systems are sometimes used to launder attack
connections. Packets to such systems that are intended to be relayed
to a target SHOULD have the evil bit set.
Some applications hand-craft their own packets. If these packets are
part of an attack, the application MUST set the evil bit by itself.
In networks protected by firewalls, it is axiomatic that all
attackers are on the outside of the firewall. Therefore, hosts
inside the firewall MUST NOT set the evil bit on any packets.
Bellovin Informational [Page 2]

RFC 3514 The Security Flag in the IPv4 Header 1 April 2003
Because NAT [RFC3022] boxes modify packets, they SHOULD set the evil
bit on such packets. "Transparent" http and email proxies SHOULD set
the evil bit on their reply packets to the innocent client host.
Some hosts scan other hosts in a fashion that can alert intrusion
detection systems. If the scanning is part of a benign research
project, the evil bit MUST NOT be set. If the scanning per se is
innocent, but the ultimate intent is evil and the destination site
has such an intrusion detection system, the evil bit SHOULD be set.
4. Processing of the Evil Bit
Devices such as firewalls MUST drop all inbound packets that have the
evil bit set. Packets with the evil bit off MUST NOT be dropped.
Dropped packets SHOULD be noted in the appropriate MIB variable.
Intrusion detection systems (IDSs) have a harder problem. Because of
their known propensity for false negatives and false positives, IDSs
MUST apply a probabilistic correction factor when evaluating the evil
bit. If the evil bit is set, a suitable random number generator
[RFC1750] must be consulted to determine if the attempt should be
logged. Similarly, if the bit is off, another random number
generator must be consulted to determine if it should be logged
despite the setting.
The default probabilities for these tests depends on the type of IDS.
Thus, a signature-based IDS would have a low false positive value but
a high false negative value. A suitable administrative interface
MUST be provided to permit operators to reset these values.
Routers that are not intended as as security devices SHOULD NOT
examine this bit. This will allow them to pass packets at higher
speeds.
As outlined earlier, host processing of evil packets is operating-
system dependent; however, all hosts MUST react appropriately
according to their nature.
5. Related Work
Although this document only defines the IPv4 evil bit, there are
complementary mechanisms for other forms of evil. We sketch some of
those here.
For IPv6 [RFC2460], evilness is conveyed by two options. The first,
a hop-by-hop option, is used for packets that damage the network,
such as DDoS packets. The second, an end-to-end option, is for
packets intended to damage destination hosts. In either case, the
Bellovin Informational [Page 3]

RFC 3514 The Security Flag in the IPv4 Header 1 April 2003
option contains a 128-bit strength indicator, which says how evil the
packet is, and a 128-bit type code that describes the particular type
of attack intended.
Some link layers, notably those based on optical switching, may
bypass routers (and hence firewalls) entirely. Accordingly, some
link-layer scheme MUST be used to denote evil. This ma

kanareykina

гы
а я думал, первое апреля только у нас котируеца

bobking

IETF всегда рулит на первое апреля.
А вот как рулит FreeBSD:


mdodd       2003/04/01 00:21:44 PST

  FreeBSD src repository

  Modified files:

    sbin/ping            ping.8 ping.c 

    share/man/man4       inet.4 ip.4 

    sys/netinet          in.h in_pcb.h ip.h ip_input.c ip_output.c 

                         ip_var.h 

    usr.bin/netstat      inet.c 

  Log:

  Implement support for RFC 3514 (The Security Flag in the IPv4 Header).

  (See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)

  

  This fulfills the host requirements for userland support by

  way of the setsockopt IP_EVIL_INTENT message.

  

  There are three sysctl tunables provided to govern system behavior.

  

          net.inet.ip.rfc3514:

  

                  Enables support for rfc3514.  As this is an

                  Informational RFC and support is not yet widespread

                  this option is disabled by default.

  

          net.inet.ip.hear_no_evil

  

                   If set the host will discard all received evil packets.

  

          net.inet.ip.speak_no_evil

  

                  If set the host will discard all transmitted evil packets.

  

  The IP statistics counter 'ips_evil' (available via 'netstat') provides

  information on the number of 'evil' packets recieved.

  

  For reference, the '-E' option to 'ping' has been provided to demonstrate

  and test the implementation.

  

  Revision  Changes    Path

  1.47      +4 -2      src/sbin/ping/ping.8

  1.92      +13 -1     src/sbin/ping/ping.c

  1.21      +11 -0     src/share/man/man4/inet.4

  1.29      +9 -0      src/share/man/man4/ip.4

  1.75      +2 -0      src/sys/netinet/in.h

  1.59      +1 -0      src/sys/netinet/in_pcb.h

  1.22      +1 -0      src/sys/netinet/ip.h

  1.232     +14 -0     src/sys/netinet/ip_input.c

  1.181     +28 -1     src/sys/netinet/ip_output.c

  1.72      +1 -0      src/sys/netinet/ip_var.h

  1.57      +1 -0      src/usr.bin/netstat/inet.c

sergey_m

Мне вот это проперло:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=976198+0+archive/2003/cvs-all/20030323.cvs-all
Date: Sat, 22 Mar 2003 15:56:22 -0800 (PST)
From: Kris Kennaway <FreeBSD.org>
To: ports-FreeBSD.org, cvs-FreeBSD.org, cvs-FreeBSD.org
Subject: cvs commit: ports INDEX
Message-ID: <200303222356.h2MNrepoman.freebsd.org>
kris 2003/03/22 15:56:22 PST
FreeBSD ports repository
Modified files:
. INDEX
Log:
Porter Man
----------
(sung to the tune of "Rocket Man" by Elton John)

I built my ports last night, pre-freeze
Zero hour, nine p.m.
And I'm gonna be high
As a kite by then

I miss the tree so much
I miss my ports
It's lonely during the freeze
Oh such a timeless wait

And I think it's gonna be a long, long time
'Til bento brings me 'round again to find
This is not the code I think I ran at home
Ah, no no no...
I'm a Porter man
Porter man
Waiting out the freeze
Down here alone

PRs aren't the kind of place
To test your ports
In fact, it's slow as hell
And no one cares to test them
If you did

And all this code
I don't understand
It's just my job
Seven days a week
A porter Man
Porter Man

And I think it's gonna be a long, long time
'Til bento brings me 'round again to find
This is not the code I think I ran at home
Ah, no no no...

And I think it's gonna be a long, long time
'Til bento brings me 'round again to find
This is not the code I think I ran at home
Ah, no no no...
I'm a porter man
Porter man
Waiting out the freeze
Down here alone

And I think it's gonna be a long, long, time
And I think it's gonna be a long, long, time
And I think it's gonna be a long, long, time

Long, long, time
Long, long, time

Ah, no, no, no...
Oh, no, no, no, no, no, no, no...

(This is the candidate INDEX for 4.8-RELEASE, with 8332 ports)

Revision Changes Path
1.371 +4603 -4478 ports/INDEX
To Unsubscribe: send mail to FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Оставить комментарий
Имя или ник:
Комментарий: