
possible AH & IPv4 compromise




Folks,

  Bill Simpson was in town in late August and unexpectedly telephoned
me and then dropped by NRL 30 minutes later for a chat about
IPv4 options and AH.  This discussion largely consisted of Bill
"educating" me about things.

  It turns out that the way one might read LSRR's specification is
not the way it has been implemented in most systems that implement
it.  It has been implemented so that the addresses recorded are
NOT the arriving interfaces of the listed intermediate systems
but instead the next-hop after leaving each listed intermediate system.
This last isn't predictable in the general case.  I can see both
interpretations in the text of RFC-791, but what matters is what has
been implemented.

  Similarly, SSRR originally lists the inbound address of each
intermediate hop but records the outbound address of each intermediate
hop (at least in real world implementations).  Again, this makes
SSRR unpredictable in the general case.  RFC-791 does appear to
say this upon re-reading, but it is too subtly worded for my taste.

  This leaves only IPSO/BSO, IPSO/ESO, SATID, NOP and EOL as the
only really invariant options.  Of these, EOL and NOP don't impact
security.

  The software that Bill has mentioned that did reorder IPv4 options
is now ancient and has long been superseded by software releases that
do not reorder IPv4 options.  None of the major router vendors (by
market share) ever used the particular implementation that Bill cited.
I believe that implementations that reorder IP options are broken
(ignoring security, it is a PAINFUL performance hit) and should be
ignored in our mulling things over.

  Bill, Craig, and I think we have a compromise position on IPv4 AH
processing.  At least one router vendor that Bill talks with has also
agreed that this is reasonable.  I am altering the freely distributable
NRL implementation to reflect this compromise.

The compromise goes like this:

Included in AH computation:
	IP Version
	IP Header Length
	Total Length
	Ident
	Protocol
	Source Address
	Destination Address

	IPSO/BSO
	IPSO/ESO
	CIPSO  		(Option # available from Assigned Numbers,
			Option Length should be in the usual place)
	SATNET ID

Zeroed for AH computation:
	TOS		(enough real world routers munge this one
			that it ought to be excluded even though
			router munging of this sort really is evil)
	Frag Offset
	Flags Field
	TTL
	IP-layer Checksum

	All existing documented IP options other than
	IPSO/*, CIPSO, and SATNET ID


Ran
rja@cs.nrl.navy.mil

On behalf of Bill, Craig, and Ran...
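
The field treatment listed in the message above, as an added example (not the NRL implementation and not code from the original message): it builds the header copy that would be fed to the AH computation and shows that in-transit changes to TOS, TTL, checksum and LSRR contents do not alter it. The function names and the sample header are constructed for illustration, and it assumes that "zeroed" means overwriting an excluded option's type, length and data bytes in place.

```python
import struct

# IANA IP option numbers kept in the AH computation:
# 130 = IPSO/BSO, 133 = IPSO/ESO, 134 = CIPSO, 136 = SATNET Stream ID.
KEPT_OPTIONS = {130, 133, 134, 136}

def ah_input_header(header: bytes) -> bytes:
    """Copy an IPv4 header, zeroing what the list above excludes (hypothetical helper)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad header length")
    h = bytearray(header[:ihl])
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # Flags field + Frag Offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # IP-layer checksum
    i = 20
    while i < ihl:
        opt = h[i]
        if opt == 0:          # EOL: nothing further to parse
            break
        if opt == 1:          # NOP: one byte, not on the kept list
            h[i] = 0
            i += 1
            continue
        if i + 1 >= ihl or h[i + 1] < 2 or i + h[i + 1] > ihl:
            raise ValueError("malformed option")
        length = h[i + 1]
        if opt not in KEPT_OPTIONS:
            h[i:i + length] = bytes(length)   # assumption: zero type, length and data
        i += length
    return bytes(h)

def sample_header(tos, ttl, cksum, lsrr_ptr, lsrr_addr, bso=b"\xab\x00"):
    """Constructed 32-byte header: BSO option, one-hop LSRR, NOP."""
    opts = bytes([130, 4]) + bso + bytes([131, 7, lsrr_ptr]) + lsrr_addr + b"\x01"
    fixed = struct.pack("!BBHHHBBH4s4s", 0x48, tos, 40, 0x1234, 0, ttl, 51,
                        cksum, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + opts

if __name__ == "__main__":
    sent = sample_header(0x00, 64, 0x1111, 4, bytes([10, 0, 0, 1]))
    rcvd = sample_header(0x10, 61, 0x2222, 8, bytes([10, 0, 9, 9]))
    print(ah_input_header(sent) == ah_input_header(rcvd))   # routers' changes vanish
```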