Security Assessment of the Internet Protocol July 2008 Written by Fernando Gont on Behalf of CPNI

Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document or its references. You should make your own judgement as regards to use of this document and seek independent professional advice on your particular circumstances.

www.cpni.gov.uk

Table of Contents

1. Preface
  1.1 Introduction
  1.2 Scope of this document
  1.3 Organization of this document
  1.4 Typographical conventions
  1.5 Getting the latest version of this document
  1.6 Advice and guidance to vendors
  1.5 Acknowledgements
2. The Internet Protocol
3. Internet Protocol header fields
  3.1 Version
  3.2 IHL (Internet Header Length)
  3.3 TOS
  3.4 Total Length
  3.5 Identification (ID)
    3.5.1 Some workarounds implemented by the industry
    3.5.2 Possible security improvements
  3.6 Flags
  3.7 Fragment Offset
  3.8 Time to Live (TTL)
  3.9 Protocol
  3.10 Header Checksum
  3.11 Source Address
  3.12 Destination Address
  3.13 Options
    3.13.1 General issues with IP options
      3.13.1.1 Processing requirements
      3.13.1.2 Processing of the options by the upper layer protocol
      3.13.1.3 General sanity checks on IP options
    3.13.2 Issues with specific options
      3.13.2.1 End of Option List (Type = 0)
      3.13.2.2 No Operation (Type = 1)
      3.13.2.3 Loose Source Record Route (LSRR) (Type = 131)
      3.13.2.4 Strict Source and Record Route (SSRR) (Type = 137)
      3.13.2.5 Record Route (Type = 7)
      3.13.2.6 Stream Identifier (Type = 136)
      3.13.2.7 Internet Timestamp (Type = 68)
      3.13.2.8 Router Alert (Type = 148)
      3.13.2.9 Probe MTU (Type = 11)
      3.13.2.10 Reply MTU (Type = 12)
      3.13.2.11 Traceroute (Type = 82)
      3.13.2.12 DoD Basic Security Option (Type = 130)
      3.13.2.13 DoD Extended Security Option (Type = 133)
      3.13.2.14 Commercial IP Security Option (CIPSO)
      3.13.2.15 Sender Directed Multi-Destination Delivery (Type = 149)
  3.14 Differentiated Services field
  3.15 Explicit Congestion Notification (ECN)
4. Internet Protocol Mechanisms
  4.1 Fragment reassembly
    4.1.1 Problems related with memory allocation
    4.1.2 Problems that arise from the length of the IP Identification field
    4.1.3 Problems that arise from the complexity of the reassembly algorithm
    4.1.4 Problems that arise from the ambiguity of the reassembly process
    4.1.5 Problems that arise from the size of the IP fragments
    4.1.6 Possible security improvements
  4.2 Forwarding
    4.2.1 Precedence-ordered queue service
    4.2.2 Weak Type of Service
    4.2.3 Address Resolution
    4.2.4 Dropping packets
  4.3 Addressing
    4.3.1 Unreachable addresses
    4.3.2 Private address space
    4.3.3 Class D addresses (224/4 address block)
    4.3.4 Class E addresses (240/4 address block)
    4.3.5 Broadcast and multicast addresses, and connection-oriented protocols
    4.3.6 Broadcast and network addresses
    4.3.7 Special Internet addresses

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    63 Page