Great Circle Associates Firewalls
(March 1995)

Subject: Re: Filtering TCP establish
From: "Peter Harrison" <harrison @ wellfleet . com . au>
Date: 25 Mar 1995 00:21:01 U
To: "Paul Ferguson" <paul @ hawksbill . sprintmrn . com>
Cc: "Firewalls List" <firewalls @ greatcircle . com>

> In the same vein, how would go about blocking all loose-source routed
> IP traffic on a particular interface?

Well, actually, I have had discussions on this very subject. My initial belief
was that I needed to simply filter all packets with options, because I couldn't
be sure where among the options the Loose Source Routing option might be, if
there was more than one option specified. The rule to match all IP packets with
non-trivial options (i.e. with options) would be:

     Protocol: Ignore
     Header: Network
     Offset: 4
     Length: 4
     Range: 0x6-0xF

This filter rule is actually checking the IP Header Length Field. A header with
no Options (the 'usual' case) has length 5 (32-bit words). Any longer, and
there must be options.

However, someone within our organisation told me recently that the Source
Routing option will always be the first, if it is present. If this is the case
(comment anyone?), then the filter rule to check the first option, and match a
header containing Loose Source Routing information would be:

     Protocol: Ignore
     Header: Network
     Offset: 161
     Length: 7
     Range: 0x3

The rule to check the first option, and match a header containing Strict
Source Routing information would be:

     Protocol: Ignore
     Header: Network
     Offset: 161
     Length: 7
     Range: 0x9

These filter rules skip the main IP Header fields (5 x 32-bit words = 160
bits), and the Copy Flag (1-bit) in the Option Code field. The next 7 bits
comprise the Option Class (2 bits; 0 in each case), and the Option Number (5
bits; 3 for Loose and 9 for Strict Source Routing). You could check for both
Loose & Strict Source Routing by simply including two Ranges in one filter
rule. But note that both of these depend on the premise that the first Option
is the Source Routing option.

Even if the Source routing option was *supposed* to be the first option, if it
was included, I don't know if you could rely on that for security purposes:
i.e. it would depend very much on whether or not a particular implementation of
IP router code would act on a Source Routing option that was not listed first.
If it would, checking the first option only would be a waste of time.

So I still reckon that, if you're serious about this, you'd just stop all
packets with an Options field, no matter what was in the Options field.

I would definitely class this as obscure. But let's face it, how many people
even *knew* that there was an IP source routing option before the latest
kerfuffle? Hell, I didn't! So maybe I'm just ignorant..... :-(

Regards - Pete
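An added example, not part of the original message, that applies the three filter rules above (IHL check at offset 4, first-option check at offset 161) to constructed IPv4 headers in Python, and walks the full option list to show what the first-option rule misses when the source-route option is not listed first. The header builder, the sample addresses and the one-hop route are assumptions made for illustration.

```python
import struct

# Option numbers from the message: LSRR = 3, SSRR = 9 (class 0 for both).
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 3, 9

def source_route_option(number, hops):
    """Build an LSRR/SSRR option: copy flag set, class 0, pointer = 4, then hops."""
    body = b"".join(bytes(h) for h in hops)
    return bytes([0x80 | number, 3 + len(body), 4]) + body

def build_ipv4_header(options=b""):
    """Constructed sample IPv4 header (checksum left 0); options padded to 32 bits."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options

def rule_any_options(pkt):
    """Offset 4 / Length 4 / Range 0x6-0xF: the IHL field is above 5 words."""
    return 6 <= (pkt[0] & 0x0F) <= 0xF

def rule_first_option(pkt):
    """Offset 161 / Length 7: class+number of the first option, copy flag skipped."""
    if (pkt[0] & 0x0F) < 6:
        return None          # no options at all, nothing at bit 160
    return pkt[20] & 0x7F

def first_option_is_source_route(pkt):
    return rule_first_option(pkt) in (IPOPT_LSRR, IPOPT_SSRR)

def any_option_is_source_route(pkt):
    """Walk the whole option list, which the offset-161 rule does not do."""
    opts = pkt[20:(pkt[0] & 0x0F) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break            # truncated or malformed option length
        if (kind & 0x7F) in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        i += opts[i + 1]
    return False

HOP = [(10, 1, 1, 1)]        # constructed sample hop address
SAMPLES = {
    "plain": build_ipv4_header(),
    "lsrr_first": build_ipv4_header(source_route_option(IPOPT_LSRR, HOP)),
    "ssrr_first": build_ipv4_header(source_route_option(IPOPT_SSRR, HOP)),
    "nop_then_lsrr": build_ipv4_header(bytes([IPOPT_NOP]) + source_route_option(IPOPT_LSRR, HOP)),
}
```

The `nop_then_lsrr` sample is caught by the IHL rule and by the full walk, but not by the first-option rule, which is the point made in the message.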
