TCP and IP Options

by Don Parker [Published on 26 Jan. 2006 / Last Updated on 26 Jan. 2006]

Going back over the basics is always a good idea. One of the most fundamental pieces of knowledge in regards to computer communications are the four core protocols; IP, TCP, UDP, and ICMP. What we shall do over the course of this article is cover the options for both TCP and IP to see what, if any, security implications they may have.

TCP and IP options

I have spoken at length before about the TCP/IP protocol suite and its dozens of protocols. When people refer to the TCP/IP protocol suite they are referring to all layers of the OSI Reference model. With that in hand we most certainly have dozens of various protocols that come to mind. The vast bulk of these dozens of protocols reside at the application layer. Many of these application layer protocols have any number of vulnerabilities associated with them.

What of the “four core protocols” though? What are they, what do they do, and why are they called the “core” protocols? The four core protocols as listed in the article description are IP for routing, TCP and UDP for transport, and lastly ICMP for error message handling. These protocols are considered core ones as every operating system must have them in order to be able to talk ie: send packets. So whether it be say Mac or BSD or other type operating system they all have these core protocols, albeit sometimes as implemented by a different stack. Think Novell for a good example of that.

Is it worse for a core protocol?

So we know then that operating systems must have these core protocols to communicate. Well seeing as this is a Windows centric computer security site, it bears further study to see if there are vulnerabilities associated with the core protocols or more specifically any of their options. Unless you have a copy of a good TCP/IP book I would suggest you download the TCP/IP and tcpdump flyer. You will see it at the bottom of the page. Once you have downloaded this page you will find, at the bottom of each protocol, the options for it, if any.

Seeing as these core protocols are omnipresent in computer communications today, it makes sense that we would be interested in some of their lesser known aspects. That would be where their options come in. I will assume from here on that you have downloaded the page I just hyperlinked to. We can see that at the bottom of the page for IP are listed six different options. We will now look at them in order and evaluate them from a computer security perspective.

IP and its options

End of Options list
We can see that this IP option has a “kind” value of 0 and its length is 1 byte. There are no known security issues for this IP option and it is used only at the end of the IP options used in the header.

No operation
This IP option has a “kind” value of 1 and by kind I mean what kind of option it is. This IP option is not to be confused with the Assembler language NOP instruction. The Assembler NOP instruction is used by the exploit developer to allow themselves a large window on the stack in which to return the malicious code to. The NOP instruction used in the IP header is used to fill out another option that was used, in order to make it fill a 32 bit boundary. It was funny as I had wrongly written this portion till I realized I was writing about the IP option and not the idempotent NOP instruction used in Assembly.

Record Route
This IP option has a kind value of seven and is of a variable length. This record route is used in conjunction with the other two IP options of “Loose Source route” and “Strict source route”. Their kind values are respectively 131 and 137. Record route or more specifically Loose Source Record Route packets have been a longstanding computer security concern. Back in 2002 I was able to determine that W2K and XP were still reversing the first hop of a LSRR packet. This was allowed by default on those TCP/IP stacks.

While this may not sound like the end of the world that is because it isn’t . Though it is not a good thing either as it is useful for attacks. The same research at that time also indicated to me that most firewall vendors such as Symantec’s Norton Firewall were also allowing inbound LSRR packets. Suffice it to say that there really is no legitimate reason to be seeing LSRR packets on today’s networks. There is no real reason that someone would want to specify a series of hops in a packets path.

Timestamp
This option has a kind value of 68 and is used by routers to insert its timestamp onto the packet. There is really little practical value to this IP option and I have rarely ever seen it used. Nor have I ever seen or heard of any computer security issues involving the use or abuse of this option.

TCP and its options

End of options list
This option is the same as the one for IP with the same kind number and uses.

No operation
This has a kind value of 1 and is also one byte in length. Much like the IP headers NOP option this is also used to pad out another option that was used to make sure that it falls within a 32 bit word. There are several options used by TCP that don’t cleanly fall within a 32 bit word ie: they don’t all use four bytes.

Window Scale
This option has a kind value of three and a byte size of three as well. It is used to increase the window size from a 16 bit value to a 32 bit one. There are no known uses for this option as it impacts computer security. That said, it is a very neat option and is also known to some as the “sliding window” when used. You should only ever see this option though during the three way TCP/IP handshake.

Selective ACK ok
This TCP option has a kind value of 4 and a length of two bytes. There are no known computer security issues to my knowledge associated with this option. The option should only be seen during the TCP/IP three way handshake.

Timestamp
This TCP option has a kind value of eight and a variable length. There are two uses for this option as used by TCP. One is to calculate the RTT or return trip time and the second is used to prevent the PAWS aka protect against wrapped sequences, attack. This is an option which can be seen in a packet.

Wrap up

We have covered all of the options presently available for both TCP and IP. You may be saying to yourself, well what about UDP and ICMP? At this time there are no options for either one. Should you want to play around with some of these options for TCP and IP, then you would be well advised to download a packet crafter. A good packet crafting program will allow you to manipulate almost every field found in either TCP or IP. Well I sincerely hope this article was of some use to you, and as always welcome your feedback. Till next time!

Featured Links