RFC 3514: New Bit Defined for IPv4 Headers

RFC 3514 was just released, with a new bit definition for use in the headers of IP packets. Because there are important security implications, anyone coding internet services (on either the client or server end) should probably take a look.

It's about time!

[Motherfucking Shit]

Finally, the scriptkiddie bit! Now we'll be able to drop all that pesky DDoS traffic with ease!

I can see it now.

[Renraku]

The bit set to 1 indicates a pr0n site, the bit set to 0 indicates a non-pr0n site.

you are 2 hours early...

[MarvinMouse]

This is such an amazingly important invention, but you are 2 hours early on the release. No one was supposed to know that.

Darn! You have already thwarted my evil plans yet again.

In other news....

[VC]

Microsoft have released a beowulf distro.
Linus has joined redhat.
Slackware is closing down.
Linux now runs on single entangled electrons at MIT
etc etc etc

New Bit

[Anonymous Coward]

Hmm, a little bit of this and a little bit of that. Sounds like an old recipe from my grandma..

...and so it begins

[stevens]

I love April fool's day.

Perl programmers may want to check out their beloved cpan.org [cpan.org] site today, too. :-)

Patch for Cisco IOS needed

[Degrees]

Now, best practices will include setting this bit for all interfaces connected to Microsoft servers and AOL users.

It'll be the Router Admin Full Employment Act of 2003!

;-)

Chomping at the bit

[Brett Glass]

Does the DMCA impose penalties for modifying the bit?

Well...

[Anonymous Coward]

Since the "evil" bit *MUST* be set in attack programs, I guess that will thwart all hacker attacks!! This RFC must have been sponsored by Micro$oft... After all, Microsoft makes hackers obsolete [slashdot.org]...

the evil one

[initnull]

So saddam is part of TCP ?

100% Correct Spam Filters Now Possible

[Persnickity]

Please, please, please take this wonderful advance in technology and extend it to email. Then Spam can have a new header called "Evil: Yes". Then we can leverage the same technology to do perfect Spam filtering.

Timing problem

[jpetts]

Hey: it's still before midnight where I am! I'll need to take this seriously for the next couple of hours...

Must remember

[the_other_one]

Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

Note to self: Remember to set "evil" bit to 1 when launching world domination attempt.

Why computers crash, by Dr. Seuss

[Mattygfunk1]

If a packet hits a pocket on a socket on a port, and the bus is interrupted at a very last resort, and the access of the memory makes your floppy disk abort, then the socket packet pocket has an error to report.

If your cursor finds a menu item followed by a dash, and the double-clicking icon puts your Window in the trash, and your data is corrupted 'cause the index doesn't hash, then your situation's hopeless and your system's gonna crash!!

If the label on the cable on the table at your house says the network is connected to the button on your mouse, but your packets want to tunnel to another protocol that's repeatedly rejected by the printer down the hall, and your screen is all distorted by the side effects of gauss, so your icons in the window are as wavy as a souse; then you may as well reboot and go out with a bang, 'cuz sure as I'm a poet, the sucker's gonna hang!

When the copy of your floppy's getting sloppy in the disk, and the macro code instructions cause unnecessary risk, then you'll have to flash the memory and you'll want to RAM your ROM. Quick, turn off the computer and be sure to tell your Mom!

Blatently pinched from - Twisted Monkey Entertainment [twistedmonkey.org]

_________________
Cheap Web Site Hosting [cheap-web-...ing.com.au] - recommended by some worker posting on slashdot!

Re:you are 2 hours early...

[geodejo]

Depends on your time zone! Last year I freaked out for a minute after reading Linus's post on April 2!

The 128-bit strength indicator levels!

[EvilNTUser]

Unfortunately the RFC neglects to define what levels of evil the values of the 128-bit strength indicator maps to.

Therefore I, on behalf of the United Corp^H^H^H^H^H States government, submit that the top values should be reserved for the following:

2^127-n
4: Unpatriotic activity.
3: Terrorism. For up to date definition, see www.dhs.gov
2: Attempt to secure personal communication by encryption
1: Circumvention of copy protection mechanisms for purposes of piracy
0: Circumvention of copy protection mechanisms for purposes of "fair use"

Note that the last bit is reserved to indicate whether the packet originates from a foreign country.

I have security.

[rice_burners_suck]

Security implications? Bah, humbug. I have the most secure network anywhere. First of all, I use 100% wireless networking with no encryption whatsoever. I am using Windows operating systems, which are unbreakable in terms of security because nobody other than Microsoft, the most respectable organization in the world, has access to the source code, which is flawless in every way. Sharing is turned on for all drives with no passwords. As a matter of fact, there are no passwords on anything. And the computers are being kept on all the time. Private documents are stored on these computers, as are diaries, pictures, videos and other proofs of the illegal crimes my organization commits (see fine print below). As such, I firmly believe that no update to any aspect of my network needs to take place, as I am 100% safe from evil hackers and from those evil people who do not agree 100% with the viewpoints of Microsoft, the RIAA, the MPAA, AOL Time Warner, The Walt Disney Company and Saddam Hussein.

The fine print: Aforementioned crimes are only illegal in Afghanistan and include, but are limited to, allowing women to walk around without being entirely concealed under a table cloth, teaching children how to read and write, and singing nursery rhymes.

HTTP link

[apankrat]

Here [aist.go.jp]

Also note that it's actually based on the ideas initially developed by HTCPCP [ietf.org] protocol, which just turned 5 years.

A potential hole...

[russotto]

An attacker can take advantage of the quantum nature of reality to set this bit to an indeterminate/combined value influenced by the nature of the observer of the packet. An observer who knows the evil nature of the sender of the packet will see the "evil" bit set to one, as it should be. However, unsuspecting observers, including firewalls and potential victims, will see the bit set to zero and be fooled.

The inherent subtlety of this attack is revealed by considering what happens when a security expert attempts to analyze the attack. As soon as he recognizes the evil nature of the attacker, the packets appear to have the 'evil' bit set, and his firewalls start dropping the packets, depriving him of further packets for analysis. The attack is thus even more precisely targeted towards the naive than an attack on Microsoft IIS.

Evil

[NickisGod.com]

Is it time to bring out the April Fools Day Tree yet?

Should I start opening the April Fools Day gifts?

Serious question: Will this bit work over Carrier Pigeon?

And one other thought, will Windows2003Server recognize it? Oh...they'll have to release the Service Pack because anything set to 0 won't get through because of a buffer overflow extension illegal operation segfault doo-hickey.

Any other cliches missed?

Oh geez...

[sfe_software]

...it's 4/1 already...

I liked this bit (emphasis mine):

0x0 If the bit is set to 0, the packet has no evil intent. Hosts,
network elements, etc., SHOULD assume that the packet is
harmless, and SHOULD NOT take any defensive measures. (We note
that this part of the spec is already implemented by many common
desktop operating systems.)

0x1 If the bit is set to 1, the packet has evil intent. Secure
systems SHOULD try to defend themselves against such packets.
Insecure systems MAY chose to crash, be penetrated, etc.

Re:In other news....

[Pseudonym]

...BSD is not dying.

If only real life was as simple

[krammit]

If only it was that easy to detect evil intent in real life...

"Sally, cross your legs! His bit is set to 'evil'!"

On second thought...

sex or war

[lingqi]

Actually I think somebody famous* established long time ago that sex, as strange as some of its involved rituals may seem to many at times, are a better alternative to war.

I propose that instead anything coming from or going to a .gov extension has the eBit** set.

*note: Larry Flint. Watch the movie.

**I hereforth trademark this name.

This will never work

[falsification]

That is totally the wrong approach. It will never work. In reality, there is no evil per se. One system's evil is another's good.

Let's say there's a so-called "cyberterrorist attack" against Windows-architecture systems. Why should Unix-architecture systems treat that "attack" as evil, even if the "evil bit" is set? If it doesn't harm the Unix system, then it must be the equivalent of valid data.

What we really need is more social justice and handouts to resource-needy systems, like those with Windows-architecture. More handshakes wouldn't be bad, either. Thus, we are forced to answer the question: why do they hate us? It is because we are secure, and they are not.

An evil bit is discriminatory. Just because they're evil, is that sufficient justification for sending it to /dev/null? Have a heart, people. Have a heart. Just remember that every evil bit has a parent bit. Allowing "bit profiling" to pervade our systems will mean that the evildoers will have already one.

Re:Must remember

[Pharmboy]

Note to self: Remember to set "evil" bit to 1 when launching world domination attempt.

Which makes me think: Will the cable company terminate my account if I forget to set the evil bit when I am DDoSing someone, as a TOS violation?

Re:First evil comment

[einhverfr]

Or not a secure system. Insecure systems can choose to ignore the flag (as per RFC).

My favorite quote of the RFC is:
" This document defines the behavior of security elements for the 0x0
and 0x1 values of this bit. Behavior for other values of the bit may
be defined only by IETF consensus [RFC2434]."

What a day!

[Ridge]

First this and now I noticed the W3C added an addendum to HTTP 1.1:

10.5.4.1 503.1 Slashdotted

The server is currently unable to handle the request due to a fucking slashdotting of the server. Visit slashdot.org for potential mirrors.

Re:4/1/03

[Pharmboy]

I'm not being a spoilsport, but after a few years April Fools Day jokes start to seem a little formulaic and predictable.

Well, ya they are predictable, they come every April 1....:)

Perhaps if they just did a few random hoaxes a year, at different times, it would be a little more fun. As it is, its kind of like acting suprised when you get socks for christmas. And just as gratifying.

Hey, I recognize this security scheme!

[eison]

In networks protected by firewalls, it is axiomatic that all
attackers are on the outside of the firewall. Therefore, hosts inside the firewall MUST NOT set the evil bit on any packets.

Our IT group must have contributed to this RFC! Now I know exactly what to think of it... :)

Perspiring minds want to know....

[unitron]

Enough about the evil bit, where are the "naughty bits"?

If we lobby hard enough

[lpontiac]

I bet we could get the US Congress to pass a law making it illegal to set this bit incorrectly.

Re:ROFL

[MrLint]

How would one go about setting the evil flag bit when you use the avian transport layer?

I'm not evil, I swear!

[jemele]

Fooled you - with my stupid bit~!

have we forgotten that evil people often masquerade in sheep's clothing????
stupid!
joshua

What would script-kiddy see in l337?

[DJ Rubbie]

3514 translated into l337 sp34k is ESIA... Doesn't ring a bell, but Egoistic Scriptkiddy Ignoring Annihilation seems to fit...

Re:Evil

[Caraig]

Considering that carrier pigeons used to carry TCP packets are already compliant with IPv4, then I'd say that the evil bit can be set.

Usually, it can be detected for by a specially-designed packet sniffer: a freshly-washed car right beneath the carrier pigeons' flight path.

I think a much more pressing ssue would be making carrier pigeons compatable with IPv6. Perhaps if there were two pigeons, and they carried the packet on a string held between them.....

Re:In other news....

[Mr. Neutron]

IP Over Carrier Pidgeon implemented by Cringely
Linux Kernel 2.6 to include DRM
Slashdot becomes an MSN Featured Site
IBM unveils first 1.0 exabyte ATAPI hard drive
RIAA successfully lobbies for $1 tax on every MP3 file on the net

Here's yer problem...

[jose c rivera]

somebody set this thing to "Evil."

Re:Perspiring minds want to know....

[ZorMonkey]

Enough about the evil bit, where are the "naughty bits"?

Oog. Dont sniff those packets...

another joke you probably missed in this

[Imperator]

6. IANA Considerations

This document defines the behavior of security elements for the 0x0 and 0x1 values of this bit. Behavior for other values of the bit may be defined only by IETF consensus [RFC2434].

(emphasis mine)

Re:you are 2 hours early...

[Mac Degger]

Hehe...in regards to your sig...my mom thought me and my bro where serious computer criminals when we were talking about the hacks we had on our palmpilots :)

Re:In other news....

[Com2Kid]

• IP Over Carrier Pidgeon implemented by Cringely

Don't give him any ideas.

• 
  Linux Kernel 2.6 to include DRM
  

[tinfoil hat]
The way things are going, there might not be much choice. . . .
[/tinfoil hat]

• 
  Slashdot becomes an MSN Featured Site
  

With all the MS ads, you mean it isn't already?

• 
  IBM unveils first 1.0 exabyte ATAPI hard drive
  

IBM is out of the hard drive business, you should read /. more often. :)

• 
  RIAA successfully lobbies for $1 tax on every MP3 file on the net
  

I am sure they are working on it. :)

Re:In other news....

[Zork the Almighty]

Widely known value of Pi in error, actually 3.15...

Re:In other news....

[Zork the Almighty]

Apple to sell PCs, no longer interested in "thinking different".

Re:ROFL

[MrLint]

Ya know I was thinking about my original post, and it occured to me taht Hitchcock's "the birds" is really an archetype for evil avian transport DDoS.