Slashdot: News for Nerds

RFC 3514: New Bit Defined for IPv4 Headers

jamie posted more than 11 years ago | from the SHOULD dept.

Security 270

RFC 3514 was just released, with a new bit definition for use in the headers of IP packets. Because there are important security implications, anyone coding internet services (on either the client or server end) should probably take a look.


270 comments

first? (-1, Troll)

samj (115984) | more than 11 years ago | (#5635658)

probably not

Re:first? (0)

Anonymous Coward | more than 11 years ago | (#5635764)

It's April Fools time already! Even our favorite site [goatse.cx] is getting into the act.

It's about time! (5, Funny)

Motherfucking Shit (636021) | more than 11 years ago | (#5635663)

Finally, the scriptkiddie bit! Now we'll be able to drop all that pesky DDoS traffic with ease!

Re:It's about time! (0)

Anonymous Coward | more than 11 years ago | (#5635708)

That's not offtopic, that's what the whole message is about. If the mods can't get an April Fools joke, then mayhaps they shouldn't be modding, no?

Re:It's about time! (0)

Anonymous Coward | more than 11 years ago | (#5635735)

I fully agree. Some dork is going to camp with his moderation power.

Proof that democracy does not work, and we need a benevolent dictatorship.

Re:It's about time! (0)

Anonymous Coward | more than 11 years ago | (#5635760)

would a moderator PLEASE READ THE DAMN RFC!!! I think they'd then get the joke the poor guy tryin' to make!

Re:It's about time! (0)

Pharmboy (216950) | more than 11 years ago | (#5635844)

would a moderator PLEASE READ THE DAMN RFC!!! I think they'd then get the joke the poor guy tryin' to make!

The people who POST don't read the article. What the HELL makes you think a moderator is going to?

What we need is 24 hours notice: "You are going to get Moderator points in 24 hours" so they can get over the giddyness before they get to use them. Maybe even read the FAQ....naw.

I can see it now. (4, Funny)

Renraku (518261) | more than 11 years ago | (#5635665)

The bit set to 1 indicates a pr0n site, the bit set to 0 indicates a non-pr0n site.

Re:I can see it now. (0)

Anonymous Coward | more than 11 years ago | (#5635682)

The hair on your palm tells me you like a lot of sites with the 1

sex or war (4, Funny)

lingqi (577227) | more than 11 years ago | (#5635840)

Actually I think somebody famous* established a long time ago that sex, as strange as some of its involved rituals may seem to many at times, is a better alternative to war.

I propose that instead anything coming from or going to a .gov extension has the eBit** set.

*note: Larry Flynt. Watch the movie.

**I hereforth trademark this name.

when will we see the first april fools story? (0)

Anonymous Coward | more than 11 years ago | (#5635666)

blah blah blah

first post! (-1)

Anonymous Coward | more than 11 years ago | (#5635667)

first post!

A new bit! (-1, Offtopic)

Ummite (195748) | more than 11 years ago | (#5635668)

Wow, instead of putting new bits & bytes in my bowl, they put it in my network connection! Wooooooo, stop that and take some beer!

Guess I'll have to patch... (0, Offtopic)

koehn (575405) | more than 11 years ago | (#5635669)

That SQL Server worm I've been working on. What bit was that again?

Trouble for mac users (-1, Flamebait)

gonadware (630179) | more than 11 years ago | (#5635672)

Mac homos already reserved that field for the faggot bit.

you are 2 hours early... (3, Funny)

MarvinMouse (323641) | more than 11 years ago | (#5635674)

This is such an amazingly important invention, but you are 2 hours early on the release. No one was supposed to know that.

Darn! You have already thwarted my evil plans yet again.

Re:you are 2 hours early... (2, Funny)

geodejo (127236) | more than 11 years ago | (#5635742)

Depends on your time zone! Last year I freaked out for a minute after reading Linus's post on April 2!

Re:you are 2 hours early... (4, Insightful)

Plug (14127) | more than 11 years ago | (#5635755)

Not all the world runs on your time clock. It's been April Fools Day for almost 16 hours at my time of posting...

Re:you are 2 hours early... (1)

AtariDatacenter (31657) | more than 11 years ago | (#5635916)

Sounds like the joke is on you! All the funny stuff won't be released until after April Fools for you.

Hardy Har Har (0)

Anonymous Coward | more than 11 years ago | (#5635675)

APR1L F00Lz!!!

Hehehehhe (1)

einhverfr (238914) | more than 11 years ago | (#5635799)

I was actually wondering how this would help... Now I understand why.

Trust me, this program is not malicious. ;-)

4/1/03 (0)

dkemist (199970) | more than 11 years ago | (#5635676)

jumping the gun on April Fools Day a bit, aren't we?

Re:4/1/03 (0)

Anonymous Coward | more than 11 years ago | (#5635732)

Actually they're late... it's already after 12 on the 1/4/03 here :)

Re:4/1/03 (1)

hendridm (302246) | more than 11 years ago | (#5635801)

> Posted by jamie on Monday March 31, @09:25PM

Perhaps they failed that all-too-important question when installing RedHat that asked, "Is your clock set to GMT or local time?"

Re:4/1/03 (4, Insightful)

Pharmboy (216950) | more than 11 years ago | (#5635829)

jumping the gun on April Fools Day a bit, aren't we?

Thanks for the reminder.

I am sitting here, reading the article before the replies here (yes, some of us really do before we post ;) and thinking "wtf is an evil bit?"

I mean, the whole protocol thing is over my head, but I read anyway to maybe learn something. It took about 3 minutes of head scratching before I really looked at the url, returned here suspicious and decided that I had been had.

I am betting 1% of the readers come back and think the new protocol is a good thing before realizing it's a hoax ;)

Re:4/1/03 (3, Insightful)

ergo98 (9391) | more than 11 years ago | (#5635871)

I am betting 1% of the readers come back and think the new protocol is a good thing before realizing its a hoax

I'd also put down that about 80% of /. readers are releasing a collective groan and muttering something along the lines of "Oh God...is it April 1st again...". I'm not being a spoilsport, but after a few years April Fools Day jokes start to seem a little formulaic and predictable.

Re:4/1/03 (1)

CerebusUS (21051) | more than 11 years ago | (#5635869)

April Fool's Day.

Also known as the one day a year I avoid /. like the plague. See you all on Wednesday.

In other news.... (4, Funny)

VC (89143) | more than 11 years ago | (#5635679)

Microsoft have released a beowulf distro.
Linus has joined redhat.
Slackware is closing down.
Linux now runs on single entangled electrons at MIT
etc etc etc

Re:In other news.... (0)

Anonymous Coward | more than 11 years ago | (#5635692)

Here we go again...

Re:In other news.... (4, Funny)

Pseudonym (62607) | more than 11 years ago | (#5635807)

...BSD is not dying.

A little bit of this, a little bit of that... (0)

Anonymous Coward | more than 11 years ago | (#5635680)

Apparently it does nothing to prevent Slashdotting.

First Bit! (0)

Anonymous Coward | more than 11 years ago | (#5635681)

Yavolle heir commandant!

two hours early, and already slashdotted (1)

jenkin sear (28765) | more than 11 years ago | (#5635684)

that's gotta be a record. I know subscribers get early access, but geez!

Re:two hours early, and already slashdotted (1)

JPriest (547211) | more than 11 years ago | (#5635736)

If a website is slashdotted and someone does not pipe in with "that has got to be a record", was it ever really slashdotted?

New Bit (1, Funny)

Anonymous Coward | more than 11 years ago | (#5635686)

Hmm, a little bit of this and a little bit of that. Sounds like an old recipe from my grandma..

...and so it begins (4, Funny)

stevens (84346) | more than 11 years ago | (#5635690)

I love April fool's day.

Perl programmers may want to check out their beloved cpan.org [cpan.org] site today, too. :-)

Nasty! (1)

mparaz (31980) | more than 11 years ago | (#5635768)

Now we were really rolling on the floor laughing on that one. Is there a link explaining why they chose that theme?

Re:Nasty! (5, Informative)

stevens (84346) | more than 11 years ago | (#5635824)

Is there a link explaining why they chose that theme?

No link necessary. Matt's Script archive is well-known among Perl programmers as one of the densest collections of hole-ridden crappy code on the net.

There's even a project [sourceforge.net] to write secure, well-written clones of his scripts so the poor bastards stuck with his can drop-in something that won't allow remote exploits on their machine. :-)

Re:...and so it begins (1)

MrP- (45616) | more than 11 years ago | (#5635797)

That has to be the funniest thing I've ever seen, I can't breathe!!

Re:...and so it begins (1)

MonMotha (514624) | more than 11 years ago | (#5635833)

One may also want to check out grsecurity.net.

Apparently AOL/TW have gotten a lot more aggressive at cracking down on TOS violations.

Re:...and so it begins (1)

chicagozer (585086) | more than 11 years ago | (#5635927)

hmmm...check the date on the RFC..methinks my yank is being chained. ZZ

A couple of mirrors (4, Informative)

Motherfucking Shit (636021) | more than 11 years ago | (#5635695)

Mirror 1 [phplabs.com]

Mirror 2 [shat.net]

To lighten the load.

Patch for Cisco IOS needed (4, Funny)

Degrees (220395) | more than 11 years ago | (#5635696)

Now, best practices will include setting this bit for all interfaces connected to Microsoft servers and AOL users.

It'll be the Router Admin Full Employment Act of 2003!

;-)

Whoops! Should have read the RFC (1)

Degrees (220395) | more than 11 years ago | (#5635858)

All interfaces inside the firewall are, by default, to not set the bit.

I think I will set it for the IIS servers anyway. I can remove it the day Microsoft stops adding sabotage code to their products.

Anyone care to place a bet? I need the URL of those 'Betting Pool' web sites. This one will need to run until at least the year 2050....

;-)

Chomping at the bit (4, Funny)

Brett Glass (98525) | more than 11 years ago | (#5635700)

Does the DMCA impose penalties for modifying the bit?

Well... (1, Funny)

Anonymous Coward | more than 11 years ago | (#5635710)

Since the "evil" bit *MUST* be set in attack programs, I guess that will thwart all hacker attacks!! This RFC must have been sponsored by Micro$oft... After all, Microsoft makes hackers obsolete [slashdot.org] ...

the evil one (1, Funny)

initnull (512461) | more than 11 years ago | (#5635712)

So Saddam is part of TCP?

First evil comment (1)

njchick (611256) | more than 11 years ago | (#5635714)

First post with the Evil flag set. If you are reading this comment, Slashdot is not RFC3514-compliant.

Re:First evil comment (3, Funny)

einhverfr (238914) | more than 11 years ago | (#5635899)

Or not a secure system. Insecure systems can choose to ignore the flag (as per RFC).

My favorite quote of the RFC is:
" This document defines the behavior of security elements for the 0x0
and 0x1 values of this bit. Behavior for other values of the bit may
be defined only by IETF consensus [RFC2434]."

Yes it's a joke (1)

tiltowait (306189) | more than 11 years ago | (#5635716)

And not the last....

[In case you don't wanna bother or it's Slashdotted, it's about designating bits "evil" or not. Not that funny IMO, compared to some other good RFCs [google.com] .]

Last 4/1 the editors posted about 15 of these in a row. Moderators got punchy and the whole place went to... well... be prepared.

Re:Yes it's a joke (2, Interesting)

SN74S181 (581549) | more than 11 years ago | (#5635888)

Actually, some of the humor in this RFC is that it mocks the futile 'consensus' basis of all the RFCs.

Take it just a little bit serious and you say to yourself 'Wait a minute, this isn't that funny. People really do believe a consensus-based network will scale well worldwide....'

ROFL (1)

Tensor (102132) | more than 11 years ago | (#5635719)

I was reading the txt, thinking this is the stupidest thing ever, before I realized it was April Fool's.

ARggghhhhhh

Very Elegant (1)

BlueTooth (102363) | more than 11 years ago | (#5635723)

This is a very elegant solution to most of the internet's security problems. This could even prevent DDoS attacks! Does anyone know when the patched version of the SQL Slammer worm will be available, or should I just drop my firewall and let it install itself?

100% Correct Spam Filters Now Possible (4, Funny)

Persnickity (47761) | more than 11 years ago | (#5635726)

Please, please, please take this wonderful advance in technology and extend it to email. Then Spam can have a new header called "Evil: Yes". Then we can leverage the same technology to do perfect Spam filtering.

Bad News (1)

Crapflooder Supreme (574259) | more than 11 years ago | (#5635868)

You'll have to write a RFC, and until then, you'll have to use "X-Evil:" instead and hope it catches on.

Re:100% Correct Spam Filters Now Possible (2, Insightful)

sqlrob (173498) | more than 11 years ago | (#5635900)

Already covered in this RFC.

Content-Type: application/evil

Timing problem (2, Funny)

jpetts (208163) | more than 11 years ago | (#5635737)

Hey: it's still before midnight where I am! I'll need to take this seriously for the next couple of hours...

Must remember (3, Funny)

the_other_one (178565) | more than 11 years ago | (#5635739)

Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

Note to self: Remember to set "evil" bit to 1 when launching world domination attempt.

Re:Must remember (2, Funny)

Pharmboy (216950) | more than 11 years ago | (#5635867)

Note to self: Remember to set "evil" bit to 1 when launching world domination attempt.

Which makes me think: Will the cable company terminate my account if I forget to set the evil bit when I am DDoSing someone, as a TOS violation?

Why computers crash, by Dr. Seuss (4, Funny)

Mattygfunk1 (596840) | more than 11 years ago | (#5635741)

If a packet hits a pocket on a socket on a port, and the bus is interrupted at a very last resort, and the access of the memory makes your floppy disk abort, then the socket packet pocket has an error to report.

If your cursor finds a menu item followed by a dash, and the double-clicking icon puts your Window in the trash, and your data is corrupted 'cause the index doesn't hash, then your situation's hopeless and your system's gonna crash!!

If the label on the cable on the table at your house says the network is connected to the button on your mouse, but your packets want to tunnel to another protocol that's repeatedly rejected by the printer down the hall, and your screen is all distorted by the side effects of gauss, so your icons in the window are as wavy as a souse; then you may as well reboot and go out with a bang, 'cuz sure as I'm a poet, the sucker's gonna hang!

When the copy of your floppy's getting sloppy in the disk, and the macro code instructions cause unnecessary risk, then you'll have to flash the memory and you'll want to RAM your ROM. Quick, turn off the computer and be sure to tell your Mom!

Blatently pinched from - Twisted Monkey Entertainment [twistedmonkey.org]

_________________
Cheap Web Site Hosting [cheap-web-...ing.com.au] - recommended by some worker posting on slashdot!

is anyone else missing the point here? (0)

Lord_Slepnir (585350) | more than 11 years ago | (#5635745)


There are a number of ways in which the evil bit may be set. Attack
applications may use a suitable API to request that it be set.
Systems that do not have other mechanisms MUST provide such an API;
attack programs MUST use it.

In other news, Tom Ridge is introducing a bill into Congress that requires all sleeper cell terrorists to duct tape to themselves a piece of orange plastic so they can be easily identified and arrested by Federal authorities.

Re:is anyone else missing the point here? (1)

Commutative Monoid (657673) | more than 11 years ago | (#5635925)

Only those that are unaware of the cultural nonsense that occurs on the first of April.

Don't forget RFC3251 as well (2, Interesting)

Billly Gates (198444) | more than 11 years ago | (#5635758)

More info is here [faqs.org]

The 128-bit strength indicator levels! (3, Funny)

EvilNTUser (573674) | more than 11 years ago | (#5635761)

Unfortunately the RFC neglects to define what levels of evil the values of the 128-bit strength indicator map to.

Therefore I, on behalf of the United Corp^H^H^H^H^H States government, submit that the top values should be reserved for the following:

2^127-n
4: Unpatriotic activity.
3: Terrorism. For up to date definition, see www.dhs.gov
2: Attempt to secure personal communication by encryption
1: Circumvention of copy protection mechanisms for purposes of piracy
0: Circumvention of copy protection mechanisms for purposes of "fair use"

Note that the last bit is reserved to indicate whether the packet originates from a foreign country.

Re:The 128-bit strength indicator levels! (0)

Anonymous Coward | more than 11 years ago | (#5635875)

You're an idiot and I'm getting mighty bored of all the offtopic lame-ass "amrica is teh sux" comments.

How about these bits:

the gay bit, denotes origination from a macintosh

the smelly bit, denotes open source software

the tiniest bit, denotes sender has penis in hand

Here's the info... (1)

TheSHAD0W (258774) | more than 11 years ago | (#5635763)

Cached in my journal [slashdot.org]

I have security. (3, Funny)

rice_burners_suck (243660) | more than 11 years ago | (#5635770)

Security implications? Bah, humbug. I have the most secure network anywhere. First of all, I use 100% wireless networking with no encryption whatsoever. I am using Windows operating systems, which are unbreakable in terms of security because nobody other than Microsoft, the most respectable organization in the world, has access to the source code, which is flawless in every way. Sharing is turned on for all drives with no passwords. As a matter of fact, there are no passwords on anything. And the computers are being kept on all the time. Private documents are stored on these computers, as are diaries, pictures, videos and other proofs of the illegal crimes my organization commits (see fine print below). As such, I firmly believe that no update to any aspect of my network needs to take place, as I am 100% safe from evil hackers and from those evil people who do not agree 100% with the viewpoints of Microsoft, the RIAA, the MPAA, AOL Time Warner, The Walt Disney Company and Saddam Hussein.



The fine print: Aforementioned crimes are only illegal in Afghanistan and include, but are limited to, allowing women to walk around without being entirely concealed under a table cloth, teaching children how to read and write, and singing nursery rhymes.

So 2003/04/01 starts in GMT? (0, Redundant)

Hawke (1719) | more than 11 years ago | (#5635775)

East coast time, it's not April 1st yet. Shouldn't you wait a couple more hours before posting these?

Re:So 2003/04/01 starts in GMT? (0)

Anonymous Coward | more than 11 years ago | (#5635796)

This is slashdot.org, not slashdot.org.us

Re:So 2003/04/01 starts in GMT? (1)

Pharmboy (216950) | more than 11 years ago | (#5635943)

This is slashdot.org, not slashdot.org.us


Technically, you are wrong. It IS US-centric. Quoting directly from the FAQ [slashdot.org] ...

Slashdot is U.S.-centric. We readily admit this, and really don't see it as a problem. Slashdot is run by Americans, after all, and the vast majority of our readership is in the U.S. We're certainly not opposed to doing more international stories, but we don't have any formal plans for making that happen. All we can really tell you is that if you're outside the U.S. and you have news, submit it, and if it looks interesting, we'll post it.

sooo, according to the guys that own the place, it IS slashdot.org.us and if you are not in the US, well, you're welcome to join too.

So it SHOULD have been posted later.

Feel free to mod me up, I had to search awhile to find that quote, reducing the time I can spend downloading pr0n now.

Re:So 2003/04/01 starts in GMT? (0)

Anonymous Coward | more than 11 years ago | (#5635821)

Oops, we forgot, the universe revolves around the USA. Our bad.

HTTP link (2, Funny)

apankrat (314147) | more than 11 years ago | (#5635779)

Here [aist.go.jp]

Also note that it's actually based on the ideas initially developed by HTCPCP [ietf.org] protocol, which just turned 5 years.

Re:HTTP link (0)

Anonymous Coward | more than 11 years ago | (#5635932)

The best part is
"2.3.2 418 I'm a teapot

Any attempt to brew coffee with a teapot should result in the error
code "418 I'm a teapot". The resulting entity body MAY be short and
stout."

A potential hole... (3, Funny)

russotto (537200) | more than 11 years ago | (#5635781)

An attacker can take advantage of the quantum nature of reality to set this bit to an indeterminate/combined value influenced by the nature of the observer of the packet. An observer who knows the evil nature of the sender of the packet will see the "evil" bit set to one, as it should be. However, unsuspecting observers, including firewalls and potential victims, will see the bit set to zero and be fooled.

The inherent subtlety of this attack is revealed by considering what happens when a security expert attempts to analyze the attack. As soon as he recognizes the evil nature of the attacker, the packets appear to have the 'evil' bit set, and his firewalls start dropping the packets, depriving him of further packets for analysis. The attack is thus even more precisely targeted towards the naive than an attack on Microsoft IIS.

Offtopic -BUT THIS SHIT IS NO JOKE (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5635782)

HONG KONG -- Health officials announced on Monday night the biggest single-day increase in cases of a new respiratory illness, and they warned that even more cases were likely in the days to come.

Dr. Yeoh Eng-kiong, Hong Kong's secretary of health, welfare and food, said that there had been 80 new cases, including 64 at a single apartment complex where the outbreak spread rapidly last week.

Police officers in masks cordoned off one building in the complex early Monday morning as health care workers in full surgical gear waited at the doors to prevent residents from trying to leave without their permission before midnight April 9.

But when health officials in protective gear went door to door Monday in the building, they found that more than half the residents had fled. Fearing that those who left might spread the disease, law-enforcement and health officials were trying to track them down.

The apartment complex outbreak has led World Health Organization officials to focus more attention on the possibility that the illness, known as SARS, for severe acute respiratory syndrome, could be spread in a different way than close face-to-face contact. Among the possibilities: sewage, contaminated water and other objects, such as doorknobs and elevator buttons.

The first confirmed case of the illness was reported in Australia, but the patient had already recovered and the illness has not spread, health officials said.

The disease continued spreading in other affected hot spots, such as Singapore and Toronto.

There have been 1,622 SARS cases reported worldwide and 58 deaths, according to the World Health Organization. There are 69 suspected cases in the United States, the Centers for Disease Control and Prevention said Monday.

In the Twin Cities, 3M officials advised employees to avoid unnecessary travel to Asia. The company, which has sizable operations in China and Japan, staffs the bulk of its overseas operations with foreign nationals. As a result, not many workers are expected to be affected by the travel advisory, said 3M spokesman John Cornwell.

The Associated Press, the Los Angeles Times and staff writer Dee DePass contributed to this report.

Sweeet!! (0)

Anonymous Coward | more than 11 years ago | (#5635783)

Now when I write my viruses and attacking applications I'll set the evil bit to 0... I'M A GENIUS, NO ONE WILL KNOW IM EVIL!! MWUAHAHAHAA

Body of April fools joke. (0)

Anonymous Coward | more than 11 years ago | (#5635785)

Bellovin Informational [Page 1]

RFC 3514 The Security Flag in the IPv4 Header 1 April 2003

The bit field is laid out as follows:

0
+-+
|E|
+-+

Currently-assigned values are defined as follows:

0x0 If the bit is set to 0, the packet has no evil intent. Hosts,
network elements, etc., SHOULD assume that the packet is
harmless, and SHOULD NOT take any defensive measures. (We note
that this part of the spec is already implemented by many common
desktop operating systems.)

0x1 If the bit is set to 1, the packet has evil intent. Secure
systems SHOULD try to defend themselves against such packets.
Insecure systems MAY choose to crash, be penetrated, etc.

3. Setting the Evil Bit

There are a number of ways in which the evil bit may be set. Attack
applications may use a suitable API to request that it be set.
Systems that do not have other mechanisms MUST provide such an API;
attack programs MUST use it.

Multi-level insecure operating systems may have special levels for
attack programs; the evil bit MUST be set by default on packets
emanating from programs running at such levels. However, the system
MAY provide an API to allow it to be cleared for non-malicious
activity by users who normally engage in attack behavior.

Fragments that by themselves are dangerous MUST have the evil bit
set. If a packet with the evil bit set is fragmented by an
intermediate router and the fragments themselves are not dangerous,
the evil bit MUST be cleared in the fragments, and MUST be turned
back on in the reassembled packet.

Intermediate systems are sometimes used to launder attack
connections. Packets to such systems that are intended to be relayed
to a target SHOULD have the evil bit set.

Some applications hand-craft their own packets. If these packets are
part of an attack, the application MUST set the evil bit by itself.

In networks protected by firewalls, it is axiomatic that all
attackers are on the outside of the firewall. Therefore, hosts
inside the firewall MUST NOT set the evil bit on any packets.

Because NAT [RFC3022] boxes modify packets, they SHOULD set the evil
bit on such packets. "Transparent" http and email proxies SHOULD set
the evil bit on their reply packets to the innocent client host.

Some hosts scan other hosts in a fashion that can alert intrusion
detection systems. If the scanning is part of a benign research
project, the evil bit MUST NOT be set. If the scanning per se is
innocent, but the ultimate intent is evil and the destination site
has such an intrusion detection system, the evil bit SHOULD be set.

4. Processing of the Evil Bit

Devices such as firewalls MUST drop all inbound packets that have the
evil bit set. Packets with the evil bit off MUST NOT be dropped.
Dropped packets SHOULD be noted in the appropriate MIB variable.

Intrusion detection systems (IDSs) have a harder problem. Because of
their known propensity for false negatives and false positives, IDSs
MUST apply a probabilistic correction factor when evaluating the evil
bit. If the evil bit is set, a suitable random number generator
[RFC1750] must be consulted to determine if the attempt should be
logged. Similarly, if the bit is off, another random number
generator must be consulted to determine if it should be logged
despite the setting.

The default probabilities for these tests depends on the type of IDS.
Thus, a signature-based IDS would have a low false positive value but
a high false negative value. A suitable administrative interface
MUST be provided to permit operators to reset these values.

Routers that are not intended as security devices SHOULD NOT
examine this bit. This will allow them to pass packets at higher
speeds.

As outlined earlier, host processing of evil packets is operating-
system dependent; however, all hosts MUST react appropriately
according to their nature.

5. Related Work

Although this document only defines the IPv4 evil bit, there are
complementary mechanisms for other forms of evil. We sketch some of
those here.

For IPv6 [RFC2460], evilness is conveyed by two options. The first,
a hop-by-hop option, is used for packets that damage the network,
such as DDoS packets. The second, an end-to-end option, is for
packets intended to damage destination hosts. In either case, the
option contains a 128-bit strength indicator, which says how evil the
packet is, and a 128-bit type code that describes the particular type
of attack intended.

Some link layers, notably those based on optical switching, may
bypass routers (and hence firewalls) entirely. Accordingly, some
link-layer scheme MUST be used to denote evil. This may involve evil
lambdas, evil polarizations, etc.

DDoS attack packets are denoted by a special diffserv code point.

An application/evil MIME type is defined for Web- or email-carried
mischief. Other MIME types can be embedded inside of evil sections;
this permit easy encoding of word processing documents with macro
viruses, etc.

6. IANA Considerations

This document defines the behavior of security elements for the 0x0
and 0x1 values of this bit. Behavior for other values of the bit may
be defined only by IETF consensus [RFC2434].

7. Security Considerations

Correct functioning of security mechanisms depend critically on the
evil bit being set properly. If faulty components do not set the
evil bit to 1 when appropriate, firewalls will not be able to do
their jobs properly. Similarly, if the bit is set to 1 when it
shouldn't be, a denial of service condition may occur.

8. References

[CBR03] W.R. Cheswick, S.M. Bellovin, and A.D. Rubin, "Firewalls
and Internet Security: Repelling the Wily Hacker", Second
Edition, Addison-Wesley, 2003.

[RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, September
1981.

[RFC1750] Eastlake, D., 3rd, Crocker, S. and J. Schiller, "Randomness
Recommendations for Security", RFC 1750, December 1994.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.

[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.

[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, January
2001.

9. Author's Address

Steven M. Bellovin
AT&T Labs Research
Shannon Laboratory
180 Park Avenue
Florham Park, NJ 07932

Phone: +1 973-360-8656
EMail: bellovin@acm.org

Evil (3, Funny)

NickisGod.com (453769) | more than 11 years ago | (#5635787)

Is it time to bring out the April Fools Day Tree yet?

Should I start opening the April Fools Day gifts?

Serious question: Will this bit work over Carrier Pigeon?

And one other thought, will Windows2003Server recognize it? Oh...they'll have to release the Service Pack because anything set to 0 won't get through because of a buffer overflow extension illegal operation segfault doo-hickey.

Any other cliches missed?

Oh geez... (4, Funny)

sfe_software (220870) | more than 11 years ago | (#5635790)

...it's 4/1 already...

I liked this bit (emphasis mine):

0x0 If the bit is set to 0, the packet has no evil intent. Hosts,
network elements, etc., SHOULD assume that the packet is
harmless, and SHOULD NOT take any defensive measures. (We note
that this part of the spec is already implemented by many common
desktop operating systems.)

0x1 If the bit is set to 1, the packet has evil intent. Secure
systems SHOULD try to defend themselves against such packets.
Insecure systems MAY choose to crash, be penetrated, etc.

Re:Oh geez... (1)

BJH (11355) | more than 11 years ago | (#5635887)

I like this part myself:

6. IANA Considerations

This document defines the behavior of security elements for the 0x0
and 0x1 values of this bit. Behavior for other values of the bit may
be defined only by IETF consensus [RFC2434].

Other values of the bit?

Re:Oh geez... (1)

Angry White Guy (521337) | more than 11 years ago | (#5635907)

IETF consensus? Maybe they should have Stephen Hawking approve it before the IETF does.

Re:Oh geez... (1)

delta407 (518868) | more than 11 years ago | (#5635895)

Actually, something else rather interesting:

4. Processing of the Evil Bit

Devices such as firewalls MUST drop all inbound packets that have the
evil bit set. Packets with the evil bit off MUST NOT be dropped.
Dropped packets SHOULD be noted in the appropriate MIB variable.

Many [broken] routers and firewalls drop packets with reserved bit(s) set in various header fields of TCP and IP. This is one of the reasons Explicit Congestion Notification (see RFC 3168 [isi.edu]) has problems behind certain devices [gtf.org]. Since all 'evil' packets must be marked as such and dropped accordingly, these manufacturers were quite forward-thinking.

So, it turns out that several common products actually implement RFC 3514 without realizing it. :-)
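As an added illustration (not part of the thread, the RFC, or any product mentioned above): the section 4 rule as a filter over raw IPv4 headers, alongside a parser that shows the reserved bit sitting next to the legitimate DF/MF flags that a broken middlebox must not confuse it with. The bit position (the reserved high-order bit of the 16-bit flags/fragment-offset word) is taken from RFC 3514 section 3, which the thread does not quote; the sample headers are constructed here and carry a zero checksum.

```python
import struct
from dataclasses import dataclass

# 16-bit flags/fragment-offset word at byte offset 6 of the IPv4 header.
# RFC 3514 section 3 assigns the evil bit to the reserved high-order bit.
EVIL_BIT = 0x8000
DF_BIT = 0x4000      # Don't Fragment (legitimate, must not be dropped on)
MF_BIT = 0x2000      # More Fragments (legitimate, must not be dropped on)
OFFSET_MASK = 0x1FFF


@dataclass
class Ipv4Flags:
    evil: bool
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int


def parse_flags(header: bytes) -> Ipv4Flags:
    """Decode the flags/fragment-offset word of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (word,) = struct.unpack_from("!H", header, 6)
    return Ipv4Flags(
        evil=bool(word & EVIL_BIT),
        dont_fragment=bool(word & DF_BIT),
        more_fragments=bool(word & MF_BIT),
        fragment_offset=word & OFFSET_MASK,
    )


class EvilBitFilter:
    """Section 4: drop inbound packets with the evil bit set, pass all others,
    and count drops (standing in for the 'appropriate MIB variable')."""

    def __init__(self) -> None:
        self.dropped = 0

    def accept(self, header: bytes) -> bool:
        if parse_flags(header).evil:
            self.dropped += 1
            return False
        return True


def build_header(flags_word: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options, TCP, TEST-NET addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_word,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
```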

yep... (1)

Robo210 (548438) | more than 11 years ago | (#5635809)

From the SHOULD dept. Something like this should happen, though I think it's one of those "shoulda-know-better" things your mother told you about.

Funny thing is - there IS a spare bit in IP header (0)

Anonymous Coward | more than 11 years ago | (#5635823)

Some dude was sending hidden messages in them.
I read that on Slashdot, so it may or may not be true.

If only real life was as simple (2, Funny)

krammit (540755) | more than 11 years ago | (#5635825)

If only it was that easy to detect evil intent in real life...

"Sally, cross your legs! His bit is set to 'evil'!"

On second thought...

I was about to write a looong message... (1)

chicoy (305673) | more than 11 years ago | (#5635828)

and then, I thought, "this kind of obvious trolling only comes around April".

A little bit early, jamie (all the pun intended).

zerg (1)

Lord Omlette (124579) | more than 11 years ago | (#5635837)

I sent an email to my TCP/IP professor asking if he could explain this RFC to us in class because I couldn't understand it, and he wrote back saying I just earned an F. ^^;;

IPv6 evilness indicator and type code (1)

3.1415926535 (243140) | more than 11 years ago | (#5635838)

I don't think 256-bits of evilness strength and type code will be enough granularity for the amount of variety observed in the way certain popular operating systems crash in response to an attack.

Har har har (1)

stratjakt (596332) | more than 11 years ago | (#5635843)

geek humor is so the opposite of funny

Now, if Goldberg isn't really going to be at backlash, and that's an April Fools joke, then THAT would sure suck.

This will never work (3, Funny)

falsification (644190) | more than 11 years ago | (#5635854)

That is totally the wrong approach. It will never work. In reality, there is no evil per se. One system's evil is another's good.

Let's say there's a so-called "cyberterrorist attack" against Windows-architecture systems. Why should Unix-architecture systems treat that "attack" as evil, even if the "evil bit" is set? If it doesn't harm the Unix system, then it must be the equivalent of valid data.

What we really need is more social justice and handouts to resource-needy systems, like those with Windows-architecture. More handshakes wouldn't be bad, either. Thus, we are forced to answer the question: why do they hate us? It is because we are secure, and they are not.

An evil bit is discriminatory. Just because they're evil, is that sufficient justification for sending it to /dev/null? Have a heart, people. Have a heart. Just remember that every evil bit has a parent bit. Allowing "bit profiling" to pervade our systems will mean that the evildoers will have already won.

Oh, come on...what a lame "from the ___dept" line (1)

SuperBanana (662181) | more than 11 years ago | (#5635876)

from the SHOULD dept.

Oh come ON. That -SO- should have been:
from the "evil" dept.

(http://us.imdb.com/Title?0118655)

Now they tell us (1)

DJ Rubbie (621940) | more than 11 years ago | (#5635879)

So now they tell us the true source of evil on the Internet...

Time to get coding boys! We don't want the evil to pass through our non-evil-bit-checking firewalls/NATs/Proxies!

Hey! (0)

Anonymous Coward | more than 11 years ago | (#5635894)

ACs can no longer participate in discussions that are more than a day old? Is there some sort of misconfiguration on my end or is this a new /. feature?

Ah, I can now post as an AC (0)

Anonymous Coward | more than 11 years ago | (#5635908)

The feel of power. Aye.

TIME FOR A DAY OFF (0)

Anonymous Coward | more than 11 years ago | (#5635911)

See y'all tomorrow. I'm off to get actual information elsewhere.

What a day! (5, Funny)

Ridge (37884) | more than 11 years ago | (#5635914)

First this and now I noticed the W3C added an addendum to HTTP 1.1:

10.5.4.1 503.1 Slashdotted

The server is currently unable to handle the request due to a fucking slashdotting of the server. Visit slashdot.org for potential mirrors.

April 1st RFCs are always the most important... (5, Informative)

Bradee-oh! (459922) | more than 11 years ago | (#5635928)

There may be some strange cosmic significance about April 1st, or just a series of amazing coincidences, but many RFCs published on April 1st are of amazing importance.

Potentially devastating Y10k problem [rfc-editor.org]

Lifesaving method to temporarily reroute IP in case of equipment failure [rfc-editor.org]

Protocol to guarantee software engineer productivity and efficiency [rfc-editor.org]

Addressing IPv6 with incredible bandwidth savings [rfc-editor.org]

Planning ahead to Star Trek technology with current protocols and infrastructure [rfc-editor.org]

I don't even know what this one is about... [rfc-editor.org]

And many, many more. Any self-respecting network engineer should be especially familiar with all April 1st RFCs, in my opinion...

In Other News (0)

Anonymous Coward | more than 11 years ago | (#5635936)

The US Patent Office rejects "Evil Bit" patent...

Ugh (0)

Anonymous Coward | more than 11 years ago | (#5635938)

Gentoo Weekly Newsletter contains the worst April Fools' joke in existence

lol (1)

Mercury2k (133466) | more than 11 years ago | (#5635942)

Does this mean I won't be able to run my Windows update through my firewall now?