Internet Engineering Task Force (IETF) Security Assessment of the Internet Protocol Version 4

This document contains a security assessment of the IETF specifications of the Internet Protocol version 4, and of a number of mechanisms and policies in use by popular IPv4 implementations. It is based on the results of a project carried out by the UK's Centre for the Protection of National Infrastructure (CPNI).
