RFC 3514: New Bit Defined for IPv4 Headers
RFC 3514 was just released, with a new bit definition for use in the headers of IP packets. Because there are important security implications, anyone coding internet services (on either the client or server end) should probably take a look.
Finally, the scriptkiddie bit! Now we'll be able to drop all that pesky DDoS traffic with ease!
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
The bit set to 1 indicates a pr0n site, the bit set to 0 indicates a non-pr0n site.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
This is such an amazingly important invention, but you are 2 hours early on the release. No one was supposed to know that.
Darn! You have already thwarted my evil plans yet again.
~ kjrose
Microsoft have released a beowulf distro.
Linus has joined redhat.
Slackware is closing down.
Linux now runs on single entangled electrons at MIT
etc etc etc
Official GOD FAQ.
I love April fool's day.
Perl programmers may want to check out their beloved cpan.org site today, too. :-)
Mirror 1
Mirror 2
To lighten the load.
It'll be the Router Admin Full Employment Act of 2003!
"The most sensible request of government we make is not, "Do something!" But "Quit it!"
Does the DMCA impose penalties for modifying the bit?
Please, please, please take this wonderful advance in technology and extend it to email. Then Spam can have a new header called "Evil: Yes". Then we can leverage the same technology to do perfect Spam filtering.
- Persnickity
Hey: it's still before midnight where I am! I'll need to take this seriously for the next couple of hours...
Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.
Note to self: Remember to set "evil" bit to 1 when launching world domination attempt.
134340: I am not a number. I am a free planet!
If your cursor finds a menu item followed by a dash, and the double-clicking icon puts your Window in the trash, and your data is corrupted 'cause the index doesn't hash, then your situation's hopeless and your system's gonna crash!!
If the label on the cable on the table at your house says the network is connected to the button on your mouse, but your packets want to tunnel to another protocol that's repeatedly rejected by the printer down the hall, and your screen is all distorted by the side effects of gauss, so your icons in the window are as wavy as a souse; then you may as well reboot and go out with a bang, 'cuz sure as I'm a poet, the sucker's gonna hang!
When the copy of your floppy's getting sloppy in the disk, and the macro code instructions cause unnecessary risk, then you'll have to flash the memory and you'll want to RAM your ROM. Quick, turn off the computer and be sure to tell your Mom!
Blatantly pinched from - Twisted Monkey Entertainment
_________________
Cheap Web Site Hosting - recommended by some worker posting on slashdot!
More info is here
http://saveie6.com/
Unfortunately the RFC neglects to define what levels of evil the values of the 128-bit strength indicator maps to.
Therefore I, on behalf of the United Corp^H^H^H^H^H States government, submit that the top values should be reserved for the following:
2^127-n
4: Unpatriotic activity.
3: Terrorism. For up to date definition, see www.dhs.gov
2: Attempt to secure personal communication by encryption
1: Circumvention of copy protection mechanisms for purposes of piracy
0: Circumvention of copy protection mechanisms for purposes of "fair use"
Note that the last bit is reserved to indicate whether the packet originates from a foreign country.
My Sig: SEGV
The fine print: Aforementioned crimes are only illegal in Afghanistan and include, but are limited to, allowing women to walk around without being entirely concealed under a table cloth, teaching children how to read and write, and singing nursery rhymes.
Here
Also note that it's actually based on the ideas initially developed by the HTCPCP protocol, which just turned 5 years old.
3.243F6A8885A308D313
An attacker can take advantage of the quantum nature of reality to set this bit to an indeterminate/combined value influenced by the nature of the observer of the packet. An observer who knows the evil nature of the sender of the packet will see the "evil" bit set to one, as it should be. However, unsuspecting observers, including firewalls and potential victims, will see the bit set to zero and be fooled.
The inherent subtlety of this attack is revealed by considering what happens when a security expert attempts to analyze the attack. As soon as he recognizes the evil nature of the attacker, the packets appear to have the 'evil' bit set, and his firewalls start dropping the packets, depriving him of further packets for analysis. The attack is thus even more precisely targeted towards the naive than an attack on Microsoft IIS.
Is it time to bring out the April Fools Day Tree yet?
Should I start opening the April Fools Day gifts?
Serious question: Will this bit work over Carrier Pigeon?
And one other thought, will Windows2003Server recognize it? Oh...they'll have to release the Service Pack because anything set to 0 won't get through because of a buffer overflow extension illegal operation segfault doo-hickey.
Any other cliches missed?
I liked this bit (emphasis mine):
NGWave - Fast Sound Editor for Windows
No link necessary. Matt's Script archive is well-known among Perl programmers as one of the densest collections of hole-ridden crappy code on the net.
There's even a project to write secure, well-written clones of his scripts so the poor bastards stuck with his can drop-in something that won't allow remote exploits on their machine. :-)
If only it was that easy to detect evil intent in real life...
"Sally, cross your legs! His bit is set to 'evil'!"
On second thought...
"Watch your cornhole, bud."
jumping the gun on April Fools Day a bit, aren't we?
;) and thinking "wtf is an evil bit?"
;)
Thanks for the reminder.
I am sitting here, reading the article before the replies here (yes, some of us really do before we post).
I mean, the whole protocol thing is over my head, but I read anyway to maybe learn something. It took about 3 minutes of head scratching before I really looked at the URL, returned here suspicious and decided that I had been had.
I am betting 1% of the readers come back and think the new protocol is a good thing before realizing it's a hoax.
Tequila: It's not just for breakfast anymore!
Actually I think somebody famous* established a long time ago that sex, as strange as some of its involved rituals may seem to many at times, is a better alternative to war.
I propose that instead anything coming from or going to a .gov extension has the eBit** set.
*note: Larry Flint. Watch the movie.
**I hereforth trademark this name.
My life in the land of the rising sun.
Note to self: Remember to set "evil" bit to 1 when launching world domination attempt.
Which makes me think: Will the cable company terminate my account if I forget to set the evil bit when I am DDoSing someone, as a TOS violation?
I am betting 1% of the readers come back and think the new protocol is a good thing before realizing it's a hoax.
I'd also put down that about 80% of /. readers are releasing a collective groan and muttering something along the lines of "Oh God...is it April 1st again...". I'm not being a spoilsport, but after a few years April Fools Day jokes start to seem a little formulaic and predictable.
Actually, some of the humor in this RFC is that it mocks the futile 'consensus' basis of all the RFCs.
Take it just a little bit serious and you say to yourself 'Wait a minute, this isn't that funny. People really do believe a consensus-based network will scale well worldwide....'
Or not a secure system. Insecure systems can choose to ignore the flag (as per RFC).
My favorite quote of the RFC is:
" This document defines the behavior of security elements for the 0x0
and 0x1 values of this bit. Behavior for other values of the bit may
be defined only by IETF consensus [RFC2434]."
LedgerSMB: Open source Accounting/ERP
First this and now I noticed the W3C added an addendum to HTTP 1.1:
10.5.4.1 503.1 Slashdotted
The server is currently unable to handle the request due to a fucking slashdotting of the server. Visit slashdot.org for potential mirrors.
There may be some strange cosmic significance about April 1st, or just a series of amazing coincidences, but many RFCs published on April 1st are of amazing importance.
Potentially devastating Y10k problem
Lifesaving method to temporarily reroute ip in cause of equipment failure
Protocol to guarantee software engineer productivity and efficiency
Addressing ipv6 with incredible bandwidth savings
Planning ahead to Star Trek technology with current protocols and infrastructure
I don't even know what this one is about...
And many, many more. Any self-respecting network engineer should be especially familiar with all April 1st RFCs, in my opinion...
"This is Zombo Com, and welcome to you who have come to Zombo Com" - www.zombo.com
I'm not being a spoilsport, but after a few years April Fools Day jokes start to seem a little formulaic and predictable.
Well, ya they are predictable, they come every April 1....:)
Perhaps if they just did a few random hoaxes a year, at different times, it would be a little more fun. As it is, it's kind of like acting surprised when you get socks for Christmas. And just as gratifying.
Our IT group must have contributed to this RFC! Now I know exactly what to think of it...
is competition good, or is duplication of effort bad?
Enough about the evil bit, where are the "naughty bits"?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
I bet we could get the US Congress to pass a law making it illegal to set this bit incorrectly.
How would one go about setting the evil flag bit when you use the avian transport layer?
Fooled you - with my stupid bit~!
have we forgotten that evil people often masquerade in sheep's clothing????
stupid!
joshua
3514 translated into l337 sp34k is ESIA... Doesn't ring a bell, but Egoistic Scriptkiddy Ignoring Annihilation seems to fit...
Please direct all bug reports to
Actually, "today" (1 April) is also the 13th anniversary of RFC1149.
Check out its majesty: ftp://ftp.rfc-editor.org/in-notes/rfc1149.txt
People were so much more creative back in 1990. ;-)
Back to the RFCs: the list above doesn't seem exhaustive. I found some more: 12 networking truths RFC, telnet randomly lose option and Hyper Text Coffee Pot Control Protocol
somebody set this thing to "Evil."
In my timezone, it is currently 10:30 of March 31st. Shouldn't the Internet community wait until it is April 1st everywhere before trying to implement this suggestion?
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Gates' Law: Every 18 months, the speed of software halves.
Enjoy! :-)
There now exists a patch for nmap which sets the evil bit on by default, available here
also, more discussion on when the evil bit should be set.
Network Working Group                                         S. Bellovin
Request for Comments: 3514                              AT&T Labs Research
Category: Informational                                       1 April 2003
The Security Flag in the IPv4 Header
Status of this Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases.
1. Introduction
Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.
1.1. Terminology
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in [RFC2119].
2. Syntax
The high-order bit of the IP fragment offset field is the only unused bit in the IP header. Accordingly, the selection of the bit position is not left to IANA.
The bit field is laid out as follows:
0
+-+
|E|
+-+
Currently-assigned values are defined as follows:
0x0 If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. (We note that this part of the spec is already implemented by many common desktop operating systems.)
0x1 If the bit is set to 1, the packet has evil intent. Secure systems SHOULD try to defend themselves against such packets. Insecure systems MAY chose to crash, be penetrated, etc.
3. Setting the Evil Bit
There are a number of ways in which the evil bit may be set. Attack applications may use a suitable API to request that it be set. Systems that do not have other mechanisms MUST provide such an API; attack programs MUST use it.
Multi-level insecure operating systems may have special levels for attack programs; the evil bit MUST be set by default on packets emanating from programs running at such levels. However, the system MAY provide an API to allow it to be cleared for non-malicious activity by users who normally engage in attack behavior.
Fragments that by themselves are dangerous MUST have the evil bit set. If a packet with the evil bit set is fragmented by an intermediate router and the fragments themselves are not dangerous, the evil bit MUST be cleared in the fragments, and MUST be turned back on in the reassembled packet.
Intermediate systems are sometimes used to launder attack connections. Packets to such systems that are intended to be relayed to a target SHOULD have the evil bit set.
Some applications hand-craft their own packets. If these packets are part of an attack, the application MUST set the evil bit by itself.
In networks protected by firewalls, it is axiomatic that all attackers are on the outside of the firewall. Therefore, hosts inside the firewall MUST NOT set the evil bit on any packets.
Because NAT [RFC3022] boxes modify packets, they SHOULD set the evil bit on such packets. "Transparent" http and email proxies SHOULD set the evil bit on their reply packets to the innocent client host.
Some hosts scan other hosts in a fashion that can alert intrusion detection systems. If the scanning is part of a be
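The header layout from section 2 and the "suitable API" section 3 asks for, as an added example in Python (this is not code from the RFC, from the nmap patch mentioned above, or from anyone in the thread). The bit in question is the RFC 791 reserved flag: the high-order bit of the 16-bit flags/fragment-offset word at byte offset 6 of the IPv4 header. Real stacks leave it at zero, so the one non-joke lesson is that flipping it is cheap to detect, and that flipping it by hand without recomputing the header checksum just produces a corrupt packet. The addresses and packets below are constructed (RFC 5737 documentation ranges); `build_ipv4_header`, `set_evil_bit` and `filter_packet` are names chosen here, not anything from the RFC.

```python
# Added example (not from RFC 3514 or the thread): read, set and filter on
# the "evil bit", i.e. the reserved high-order bit of the IPv4
# flags/fragment-offset word at byte offset 6 of the header.
import struct

EVIL_BIT = 0x8000  # high-order bit of the 16-bit flags + fragment offset word


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum of an IPv4 header, computed with
    the checksum field (bytes 10-11) treated as zero."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(hdr: bytes) -> bytes:
    """Return hdr with a freshly computed checksum written into bytes 10-11."""
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0,
                      evil: bool = False, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options); DF/MF clear, fragment offset 0."""
    frag_word = EVIL_BIT if evil else 0
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, ident, frag_word,
                      ttl, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return _with_checksum(hdr)


def evil_bit(hdr: bytes) -> bool:
    """Section 2: True when the reserved flag is 0x1."""
    return bool(struct.unpack_from("!H", hdr, 6)[0] & EVIL_BIT)


def set_evil_bit(hdr: bytes, value: bool) -> bytes:
    """The API section 3 calls for: flip the bit and fix the checksum,
    since the checksum covers the flags word."""
    word = struct.unpack_from("!H", hdr, 6)[0]
    word = word | EVIL_BIT if value else word & (0xFFFF ^ EVIL_BIT)
    return _with_checksum(hdr[:6] + struct.pack("!H", word) + hdr[8:])


def filter_packet(pkt: bytes) -> str:
    """Security-element behaviour from section 2: evil bit 0x1 -> "drop".
    Malformed headers are dropped as well; a bad checksum is what you see
    when someone sets the bit without recomputing the checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return "drop"
    hdr = pkt[:ihl]
    if ipv4_checksum(hdr) != struct.unpack_from("!H", hdr, 10)[0]:
        return "drop"
    return "drop" if evil_bit(hdr) else "accept"


if __name__ == "__main__":
    # Constructed sample packets using RFC 5737 documentation addresses.
    benign = build_ipv4_header("192.0.2.1", "198.51.100.7")
    evil = set_evil_bit(benign, True)
    for name, h in (("benign", benign), ("evil", evil)):
        print(name, h.hex(), filter_packet(h))
```

The filter validates the checksum before looking at the flag for a reason: the only packets on a real network with this bit set are ones somebody crafted, and a crafted packet with a stale checksum is dropped by every conforming router long before any "evil bit" policy gets a say.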
There used to be a "security" bit you could use to mark your packets as especially interesting (the do-not-route-thru-Iraq bit) [RFC 791]. Is that feature obsoleted by this evil?
Ya know I was thinking about my original post, and it occurred to me that Hitchcock's "The Birds" is really an archetype for evil avian transport DDoS.