Follow Slashdot stories on Twitter


Forgot your password?

IPv4 Headers Investigated 347

An anonymous reader writes "New security measures are being suggested (see RFC 3514) for the IPv4 header. The measures include a bit that can be set and unset according to whether the packet is secure or not. Due to the important security implications, anyone coding client/server internet applications might want to take a look."
This discussion has been archived. No new comments can be posted.

IPv4 Headers Investigated

Comments Filter:
  • I've never heard of anything like this before!!! This is as crazy as Salon posting pro-war articles! []. I'm befuddled!
  • Jeez (Score:5, Informative)

    by abh (22332) <> on Tuesday April 01, 2003 @01:11PM (#5639011) Homepage
    April Fool's or not, this may be a record for a duplicate... the previous story was a whole THREE entries below this one on the homepage...
    • Re:Jeez (Score:5, Funny)

      by jkujawa (56195) on Tuesday April 01, 2003 @01:17PM (#5639103) Homepage
      This is beginning to remind me of that fat kid in school who only knew one joke, and kept repeating it ALL THE GODDAMNED TIME.

      You know him. He was at your school, too.
    • by abh (22332)
      Is that there's a bunch of duplicate stories, and people can't tell if it's April Fools, or just business as usual...
    • Re:Jeez (Score:2, Informative)

      by vslashg (209560)
      Three entries is impressive, but the record [] is two [].
    • and 8 entries down....and 11 entries down..... It's one of Taco's bad, bad jokes
    • I think taco is taking a poke at himself.

      he knows people get pissed off when normal stories are duped, so this is his way of saying "yeah, I know that's goin on- normally it's not intentional."

      did you se the department for the igrill?
      it was from the "slashvertisements" dept- a commonly used slang that people use because slashdot posts a lot of articles about cool stuff they find.

      enjoy it- they are.
    • I think slashdot's april fool this year is duplicates...
    • I think the record is that it was three entries down by the same editor! I mean i can see if you didn't read a story posted a few days ago but you forget a story you posted 3 hours ago?!?
    • by Pollux (102520) <speter@t e d a t a> on Tuesday April 01, 2003 @01:42PM (#5639365) Journal
      "This is the post that doesn't end,
      yes it goes on and on my friends.
      Ol' Taco started posting it, not knowing what it was,
      And he'll continue posting it forever just because,

      This is the post that doesn't end,
      yes it goes on and on my friends..."

    • That IS the whole april fools joke. This story has been reposted what, 4-5 times now? In the past few hours?
    • ...Taco must reeeeeeeally hate the server, in order to slashdot it four times in six hours.
  • by dacarr (562277) on Tuesday April 01, 2003 @01:11PM (#5639015) Homepage Journal
    There! I claim it in the name of the third dupe! So we've already had a dupe and a tripe, perhaps we call this...hmm, what's a good name for a fourth dupe?
  • by gristlebud (638970) on Tuesday April 01, 2003 @01:12PM (#5639023)
    Why am I always the last to know about these things. I try and keep up to date about technology matters, but I've missed out on this. I wish that I could have seen this one coming.
  • Actually, I think this is getting MORE funny with each posting... :)

    I wonder, exactly, how many people submitted this story... or is CmdrTaco just making them up?
  • by jayhawk88 (160512) <> on Tuesday April 01, 2003 @01:12PM (#5639031)
    Seems clear that this is going to be a running gag throughout the day. Any bets on how many total we'll have?
  • by fobbman (131816) on Tuesday April 01, 2003 @01:12PM (#5639033) Homepage
    It's April 1st. I wonder if Taco's gonna do anything out of the ordinary today for April Fool's Day?

  • by generic-man (33649) on Tuesday April 01, 2003 @01:12PM (#5639040) Homepage Journal
    Microsoft have released a beowulf distro.
    Linus has joined redhat.
    Slackware is closing down.
    Linux now runs on single entangled electrons at MIT
    etc etc etc
  • slashdot, the only place where the articles feel like the output of a feedback loop.

  • Could CmdrTaco really post 2 dups of a post he originally put up? Gotta be an April Fool's on him...
  • Someone is gonna post that IPv6 will be implemented by year end, right? I just saw the article somewhere...

  • by carl67lp (465321) on Tuesday April 01, 2003 @01:13PM (#5639058) Journal
    I read somewhere today that there's a new RFC out regarding IP header bits--you can set and unset a particular bit to determine the packet's overall security. I haven't seen it linked anywhere yet, and I'm considering sending it in to the editors, but I can't find their address.

    This is something I think they'd be very interested in.
  • Enough already!
  • I'm going to resubmit this and see if I can get it posted again.
  • If CmdrTaco wanted to do an April Fool's joke about dupe stories, wish he would've picked one where the link actually survived the ensuing /.'ing. Does anyone have a mirror?
  • 2 6&mode=thread&tid=172&tid=156 / &mode=thread&tid=95 l?sid=03/04/01/133217 &mode=thread&tid=95 l?sid=03/04/01/143420 9&mode=thread&tid=95&tid=172 0&mode=thread&tid=172

    Nice April Fool's Day joke. Blah.
  • by PissingInTheWind (573929) on Tuesday April 01, 2003 @01:16PM (#5639093)
    Quad Damage!
  • I think I understand why Rob's posting this four times! According to [], slashdot is a reputable news source. Google determines what news gets on the main page by the frequency similar items appear on all the different news sources. With the amount of webpages that mirror slashdot, having one story show up four times is practically guarunteed to be on That's just hilarious!
  • So.....

    Do tools like Nessus and ISS Set or Clear the evil bit?

  • If the last one was a Tripe this one must be a Quade! What will be the next one called?
  • by The Bungi (221687)
    To all those humorless dicks who complain about how this is the fifth dupe of this article: RENT A SENSE OF HUMOR.

    What is the thing that we bitch most about? Dupes. What are the /. crowd doing? Posting dupes. Duh.

    It's quite funny but it ceases to be funny if it needs to be explained. So just go away and don't read /. today, k? thx!

  • The RFC proposal incorporates an additional bit. If you are going to send malicious packets, set the bit. If not then leave it clear. This is an easy solution to tell legit traffic from malicious packets.

    Heh, and I loved the overview of the flags in the protocol.

    The bit field is laid out as follows:


    Sure we can grasp that complexity?

  • One more time Taco. Post this just ONE MORE TIME and the penguin gets it!

    Oh and Happy April Fool's Day to you too. You bastage.
  • I Love Taco (Score:3, Informative)

    by fozzy(pro) (267441) on Tuesday April 01, 2003 @01:21PM (#5639162)
    Taco Trolls the main slashdot site.
  • "For the love of God, Montressor!"
  • by trb (8509)
    third post!
  • ... the result is obviously four, not three.
  • by Atilla (64444)
    all your bits are belong to slashdot.

  • Isn't this one of the signs on the Apocalyspe....

    from Taco's Revelations Chapter 41 verses 20-03

    Yea, and thou shall see on the fourth correspondence a great many people annoucing its mighty fourthness and a great many people will know a plague has struck. The ovens shall be alit from for away with the fearsome second cereal bus of everyone and the postings shall boil over, the sky will fall, stricking on every evil bit. And thou shall know that his name is the Lord and April's Day has come to you al

  • by Eric_Cartman_South_P (594330) on Tuesday April 01, 2003 @01:29PM (#5639256)
    So far its been the normal shitty stories and repeat posts. Does anyone know is Slashdot is gonna do any funny/fictitious postings like other sites are doing for April Fools Day?

  • Duplicate... dupe
    Triplicate...tripe (with thanks to whoever thought it up)
    Quadruplicate... quipe? quap? el quapaqudara?

    Oh my, I wonder how far I'm going to have to go with this....
  • by Vengie (533896) on Tuesday April 01, 2003 @01:34PM (#5639297)
    And i have proof! []
  • This one fell off within seconds after the first time it was posted.

    The Onion [] has taken all the good ideas.
  • that author Stephen King died in a car accident?
  • ...a beowulf cluster of dupes!

    it must be a slow day
  • by peacefinder (469349) <alan,dewitt&gmail,com> on Tuesday April 01, 2003 @01:41PM (#5639352) Journal
    At long last, we know for certain that Taco does hear our plea: "Stop with the duplicate stories already!"

    He just doesn't care. :)

    Now THAT is comedy.
  • ... because while I did open my firewall to pass 'evil' bits, I forgot to turn off 'stupid' bit blocking.

  • by nmg196 (184961)
    Looks like CmdrTaco *is* the April Fool!
  • by oPless (63249) on Tuesday April 01, 2003 @02:03PM (#5639528) Journal
    Network Working Group S. Bellovin
    Request for Comments: 3514 AT&T Labs Research
    Category: Informational 1 April 2003
    The Security Flag in the IPv4 Header

    Status of this Memo

    This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

    Copyright Notice

    Copyright (C) The Internet Society (2003). All Rights Reserved.


    Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases.

    1. Introduction

    Firewalls CBR03 , packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 RFC791 header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

    1.1. Terminology

    The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in RFC2119 .

    2. Syntax

    The high-order bit of the IP fragment offset field is the only unused bit in the IP header. Accordingly, the selection of the bit position is not left to IANA.

    The bit field is laid out as follows:


    Currently-assigned values are defined as follows:

    0x0 If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. (We note
    that this part of the spec is already implemented by many common desktop operating systems.)

    0x1 If the bit is set to 1, the packet has evil intent. Secure systems SHOULD try to defend themselves against such packets. Insecure systems MAY chose to crash, be penetrated, etc.

    3. Setting the Evil Bit

    There are a number of ways in which the evil bit may be set. Attack applications may use a suitable API to request that it be set. Systems that do not have other mechanisms MUST provide such an API; attack programs MUST use it.

    Multi-level insecure operating systems may have special levels for attack programs; the evil bit MUST be set by default on packets emanating from programs running at such levels. However, the system MAY provide an API to allow it to be cleared for non-malicious activity by users who normally engage in attack behavior.

    Fragments that by themselves are dangerous MUST have the evil bit set. If a packet with the evil bit set is fragmented by an intermediate router and the fragments themselves are not dangerous, the evil bit MUST be cleared in the fragments, and MUST be turned back on in the reassembled packet.

    Intermediate systems are sometimes used to launder attack connections. Packets to such systems that are intended to be relayed to a target SHOULD have the evil bit set.

    Some applications hand-craft their own packets. If these packets are part of an attack, the application MUST set the evil bit by itself.

    In networks protected by firewalls, it is axiomatic that all attackers are on the outside of the firewall. Therefore, hosts inside the firewall MUST NOT set the evil bit on any packets.

    Because NAT RFC3022 boxes modify packets, they SHOULD set the evil bit on such packets. "Transparent" http and email proxies SHOULD set the evil bit on their reply packets to the innocent client host.

    Some hosts scan other hosts in a fashion that can alert intrusion detection systems. If the scanning is part of a benign research project, the evil bit MUST NOT be set

  • Maybe we need a duplicate story bit too...

  • We GET it already!! (Score:3, Informative)

    by Sgt York (591446) <> on Tuesday April 01, 2003 @02:13PM (#5639637)
    Come on, an RFC released on 4/1?

    Is everybody ready for the internet cleaning day?

    C'mon, though was funny the first time. Humorous the second, but come ON....Are you going for a record or something?

    Actually,'s probably a reference to something mentioned in the RFC(j)...I just haven't taken the time to read it yet.

  • by iggymanz (596061) on Tuesday April 01, 2003 @05:34PM (#5640952)
    I'm employing a Full Software Development Life Cycle Methodology (FSDLCM) with Extreme Programming to modify my TCP stack for an Evil Bit Payload Control System(EBPCS). Using the latest Rational Tools I've already made several lengthy iterations on a UML modeling with advanced design patterns including the Inactive Observer and Simpleton Factory. The enabling features of Rational Rose groupware has empowered everyone from marketing to sales and janitorial staff to participate and pool their synergism in the IT architectural process. ~

There is one way to find out if a man is honest -- ask him. If he says "Yes" you know he is crooked. -- Groucho Marx