1%%% 2 3 Title = "The Security Flag in the IPv4 Header" 4 abbrev = "The Security Flag in the IPv4 Header" 5 category = "info" 6 docName = "rfc-3514" 7 ipr= "trust200902" 8 area = "Internet" 9 workgroup = "Network Working Group" 10 keyword = [""] 11 12 date = 2003-04-01T00:00:00Z 13 14 [[author]] 15 initials="S." 16 surname="Bellovin" 17 fullname="Steven M. Bellovin" 18 #role="editor" 19 organization = "AT&T Labs Research" 20 [author.address] 21 email = "bellovin@acm.org" 22 phone = "+1 973-360-8656" 23 [author.address.postal] 24 street = "180 Park Avenue" 25 city = "Florham Park" 26 code = "NJ 07932" 27 28%%% 29 30.# Abstract 31 32Firewalls, packet filters, intrusion detection systems, and the like 33often have difficulty distinguishing between packets that have 34malicious intent and those that are merely unusual. We define a 35security flag in the IPv4 header as a means of distinguishing the two 36cases. 37 38{mainmatter} 39 40# Introduction 41 42Firewalls [@!CBR03], packet filters, intrusion detection systems, and 43the like often have difficulty distinguishing between packets that 44have malicious intent and those that are merely unusual. The problem 45is that making such determinations is hard. To solve this problem, 46we define a security flag, known as the "evil" bit, in the IPv4 47[@!RFC0791] header. Benign packets have this bit set to 0; those that 48are used for an attack will have the bit set to 1. 49 50## Terminology 51 52The keywords **MUST**, **MUST NOT**, **REQUIRED**, **SHALL**, **SHALL NOT**, **SHOULD**, 53**SHOULD NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL**, when they appear in this 54document, are to be interpreted as described in [@!RFC2119]. 55 56# Syntax 57 58The high-order bit of the IP fragment offset field is the only unused 59bit in the IP header. Accordingly, the selection of the bit position 60is not left to IANA. 61 62The bit field is laid out as follows: 63 64{align="left"} 65 0 66 +-+ 67 |E| 68 +-+ 69 70Currently-assigned values are defined as follows: 71 720x0: 73: If the bit is set to 0, the packet has no evil intent. Hosts, 74 network elements, etc., **SHOULD** assume that the packet is 75 harmless, and **SHOULD NOT** take any defensive measures. (We note 76 that this part of the spec is already implemented by many common 77 desktop operating systems.) 78 790x1: 80: If the bit is set to 1, the packet has evil intent. Secure 81 systems **SHOULD** try to defend themselves against such packets. 82 Insecure systems **MAY** chose to crash, be penetrated, etc. 83 84# Setting the Evil Bit 85 86There are a number of ways in which the evil bit may be set. Attack 87applications may use a suitable API to request that it be set. 88Systems that do not have other mechanisms **MUST** provide such an API; 89attack programs **MUST** use it. 90 91Multi-level insecure operating systems may have special levels for 92attack programs; the evil bit **MUST** be set by default on packets 93emanating from programs running at such levels. However, the system 94*MAY* provide an API to allow it to be cleared for non-malicious 95activity by users who normally engage in attack behavior. 96 97Fragments that by themselves are dangerous **MUST** have the evil bit 98set. If a packet with the evil bit set is fragmented by an 99intermediate router and the fragments themselves are not dangerous, 100the evil bit **MUST** be cleared in the fragments, and **MUST** be turned 101back on in the reassembled packet. 102 103Intermediate systems are sometimes used to launder attack 104connections. Packets to such systems that are intended to be relayed 105to a target SHOULD have the evil bit set. 106 107Some applications hand-craft their own packets. If these packets are 108part of an attack, the application **MUST** set the evil bit by itself. 109 110In networks protected by firewalls, it is axiomatic that all 111attackers are on the outside of the firewall. Therefore, hosts 112inside the firewall **MUST NOT** set the evil bit on any packets. 113 114Because NAT [@!RFC3022] boxes modify packets, they **SHOULD** set the evil 115bit on such packets. "Transparent" http and email proxies **SHOULD** set 116the evil bit on their reply packets to the innocent client host. 117 118Some hosts scan other hosts in a fashion that can alert intrusion 119detection systems. If the scanning is part of a benign research 120project, the evil bit **MUST NOT** be set. If the scanning per se is 121innocent, but the ultimate intent is evil and the destination site 122has such an intrusion detection system, the evil bit **SHOULD** be set. 123 124# Processing of the Evil Bit 125 126Devices such as firewalls **MUST** drop all inbound packets that have the 127evil bit set. Packets with the evil bit off **MUST NOT** be dropped. 128Dropped packets **SHOULD** be noted in the appropriate MIB variable. 129 130Intrusion detection systems (IDSs) have a harder problem. Because of 131their known propensity for false negatives and false positives, IDSs 132**MUST** apply a probabilistic correction factor when evaluating the evil 133bit. If the evil bit is set, a suitable random number generator 134[@!RFC1750] must be consulted to determine if the attempt should be 135logged. Similarly, if the bit is off, another random number 136generator must be consulted to determine if it should be logged 137despite the setting. 138 139The default probabilities for these tests depends on the type of IDS. 140Thus, a signature-based IDS would have a low false positive value but 141a high false negative value. A suitable administrative interface 142**MUST** be provided to permit operators to reset these values. 143 144Routers that are not intended as as security devices **SHOULD NOT** 145examine this bit. This will allow them to pass packets at higher 146speeds. 147 148As outlined earlier, host processing of evil packets is operating- 149system dependent; however, all hosts **MUST** react appropriately 150according to their nature. 151 152# Related Work 153 154Although this document only defines the IPv4 evil bit, there are 155complementary mechanisms for other forms of evil. We sketch some of 156those here. 157 158For IPv6 [@!RFC2460], evilness is conveyed by two options. The first, 159a hop-by-hop option, is used for packets that damage the network, 160such as DDoS packets. The second, an end-to-end option, is for 161packets intended to damage destination hosts. In either case, the 162option contains a 128-bit strength indicator, which says how evil the 163packet is, and a 128-bit type code that describes the particular type 164of attack intended. 165 166Some link layers, notably those based on optical switching, may 167bypass routers (and hence firewalls) entirely. Accordingly, some 168link-layer scheme **MUST** be used to denote evil. This may involve evil 169lambdas, evil polarizations, etc. 170 171DDoS attack packets are denoted by a special diffserv code point. 172 173An application/evil MIME type is defined for Web- or email-carried 174mischief. Other MIME types can be embedded inside of evil sections; 175this permit easy encoding of word processing documents with macro 176viruses, etc. 177 178# IANA Considerations 179 180This document defines the behavior of security elements for the 0x0 181and 0x1 values of this bit. Behavior for other values of the bit may 182be defined only by IETF consensus [@!RFC2434]. 183 184# Security Considerations 185 186Correct functioning of security mechanisms depend critically on the 187evil bit being set properly. If faulty components do not set the 188evil bit to 1 when appropriate, firewalls will not be able to do 189their jobs properly. Similarly, if the bit is set to 1 when it 190shouldn't be, a denial of service condition may occur. 191 192<reference anchor='CBR03' target=''> 193 <front> 194 <title>Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition</title> 195 <author initials='W.R.' surname='Cheswick' fullname='W.R. Cheswick'></author> 196 <author initials='S.M.' surname='Bellovin' fullname='S.M. Bellovin'></author> 197 <author initials='A.D.' surname='Rubin' fullname='A.D. Rubin'></author> 198 <date year='2003' /> 199 </front> 200 <seriesInfo name="Addison-Wesley" value='' /> 201 </reference> 202 203{backmatter} 204