-
Notifications
You must be signed in to change notification settings - Fork 0
/
diff-00-01.html
1219 lines (1215 loc) · 249 KB
/
diff-00-01.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<!-- Generated by rfcdiff 1.41: rfcdiff -->
<!-- <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional" > -->
<!-- System: Linux cabernet 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64 GNU/Linux -->
<!-- Using awk: /usr/bin/gawk: GNU Awk 3.1.7 -->
<!-- Using diff: /usr/bin/diff: diff (GNU diffutils) 3.0 -->
<!-- Using wdiff: /usr/bin/wdiff: wdiff (GNU wdiff) 0.6.5 -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="Content-Style-Type" content="text/css">
<title>Diff: draft-gont-opsec-ip-options-filtering-00.txt - draft-gont-opsec-ip-options-filtering-01.txt</title>
<style type="text/css">
body { margin: 0.4ex; margin-right: auto; }
tr { }
td { white-space: pre; font-family: monospace; vertical-align: top; font-size: 0.86em;}
th { font-size: 0.86em; }
.small { font-size: 0.6em; font-style: italic; font-family: Verdana, Helvetica, sans-serif; }
.left { background-color: #EEE; }
.right { background-color: #FFF; }
.diff { background-color: #CCF; }
.lblock { background-color: #BFB; }
.rblock { background-color: #FF8; }
.insert { background-color: #8FF; }
.delete { background-color: #ACF; }
.void { background-color: #FFB; }
.cont { background-color: #EEE; }
.linebr { background-color: #AAA; }
.lineno { color: red; background-color: #FFF; font-size: 0.7em; text-align: right; padding: 0 2px; }
.elipsis{ background-color: #AAA; }
.left .cont { background-color: #DDD; }
.right .cont { background-color: #EEE; }
.lblock .cont { background-color: #9D9; }
.rblock .cont { background-color: #DD6; }
.insert .cont { background-color: #0DD; }
.delete .cont { background-color: #8AD; }
.stats, .stats td, .stats th { background-color: #EEE; padding: 2px 0; }
</style>
</head><body>
<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr bgcolor="orange"><th></th><th><a href="http://tools.ietf.org/rfcdiff?url2=draft-gont-opsec-ip-options-filtering-00.txt" style="color: rgb(0, 0, 136); text-decoration: none;"><</a> <a href="http://tools.ietf.org/html/draft-gont-opsec-ip-options-filtering-00.txt" style="color: rgb(0, 0, 136);">draft-gont-opsec-ip-options-filtering-00.txt</a> </th><th> </th><th> <a href="http://tools.ietf.org/html/draft-gont-opsec-ip-options-filtering-01.txt" style="color: rgb(0, 0, 136);">draft-gont-opsec-ip-options-filtering-01.txt</a> <a href="http://tools.ietf.org/rfcdiff?url1=draft-gont-opsec-ip-options-filtering-01.txt" style="color: rgb(0, 0, 136); text-decoration: none;">></a></th><th></th></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0001"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">Operational Security Capabilities F. Gont</td><td> </td><td class="rblock">Operational Security Capabilities <span class="insert">for</span> F. Gont</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete">for</span> IP Network Infrastructure <span class="delete">UTN/FRH</span></td><td> </td><td class="rblock">IP Network Infrastructure (opsec) <span class="insert">UTN/FRH</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">(opsec) <span class="delete">S. Fouant</span></td><td> </td><td class="rblock">Internet-Draft <span class="insert">R. Atkinson</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">Internet-Draft <span class="delete">Shortest Path First</span></td><td> </td><td class="rblock">Intended status: BCP <span class="insert">Consultant</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">Intended status: BCP <span class="delete">February 2010</span></td><td> </td><td class="rblock">Expires: <span class="insert">October 24, 2011 April 22, 2011</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock">Expires: <span class="delete">August 5, 2010</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> IP Options Filtering Recommendations</td><td> </td><td class="right"> IP Options Filtering Recommendations</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0002"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> draft-gont-opsec-ip-options-filtering-0<span class="delete">0</span>.txt</td><td> </td><td class="rblock"> draft-gont-opsec-ip-options-filtering-0<span class="insert">1</span>.txt</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Abstract</td><td> </td><td class="right">Abstract</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This document document provides advice on the filtering of packets</td><td> </td><td class="right"> This document document provides advice on the filtering of packets</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> based on the IP options they contain. Additionally, it discusses the</td><td> </td><td class="right"> based on the IP options they contain. Additionally, it discusses the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> operational and interoperability implications of such filtering.</td><td> </td><td class="right"> operational and interoperability implications of such filtering.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Status of this Memo</td><td> </td><td class="right">Status of this Memo</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0003"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> This Internet-Draft is submitted <span class="delete">to IETF </span>in full conformance with the</td><td> </td><td class="rblock"> This Internet-Draft is submitted in full conformance with the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> provisions of BCP 78 and BCP 79.</td><td> </td><td class="right"> provisions of BCP 78 and BCP 79.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Internet-Drafts are working documents of the Internet Engineering</td><td> </td><td class="right"> Internet-Drafts are working documents of the Internet Engineering</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0004"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Task Force <span class="delete">(IETF), its areas, and its working groups.</span> Note that</td><td> </td><td class="rblock"> Task Force <span class="insert">(IETF).</span> Note that other groups may also distribute</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> other groups may also distribute working documents as Internet-</td><td> </td><td class="rblock"> working documents as <span class="insert">Internet-Drafts. The list of current</span> Internet-</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">Drafts.</span></td><td> </td><td class="rblock"> <span class="insert">Drafts is at http://datatracker.ietf.org/drafts/current/.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Internet-Drafts are draft documents valid for a maximum of six months</td><td> </td><td class="right"> Internet-Drafts are draft documents valid for a maximum of six months</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> and may be updated, replaced, or obsoleted by other documents at any</td><td> </td><td class="right"> and may be updated, replaced, or obsoleted by other documents at any</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> time. It is inappropriate to use Internet-Drafts as reference</td><td> </td><td class="right"> time. It is inappropriate to use Internet-Drafts as reference</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> material or to cite them other than as "work in progress."</td><td> </td><td class="right"> material or to cite them other than as "work in progress."</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0005"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">The list of current Internet-Drafts can be accessed at</span></td><td> </td><td class="rblock"> This Internet-Draft will expire on <span class="insert">October 24, 2011.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.ietf.org/ietf/1id-abstracts.txt.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> The list of Internet-Draft Shadow Directories can be accessed at</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.ietf.org/shadow.html.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> This Internet-Draft will expire on <span class="delete">August 5, 2010.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Copyright Notice</td><td> </td><td class="right">Copyright Notice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0006"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Copyright (c) 201<span class="delete">0</span> IETF Trust and the persons identified as the</td><td> </td><td class="rblock"> Copyright (c) 201<span class="insert">1</span> IETF Trust and the persons identified as the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> document authors. All rights reserved.</td><td> </td><td class="right"> document authors. All rights reserved.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This document is subject to BCP 78 and the IETF Trust's Legal</td><td> </td><td class="right"> This document is subject to BCP 78 and the IETF Trust's Legal</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Provisions Relating to IETF Documents</td><td> </td><td class="right"> Provisions Relating to IETF Documents</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> (http://trustee.ietf.org/license-info) in effect on the date of</td><td> </td><td class="right"> (http://trustee.ietf.org/license-info) in effect on the date of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> publication of this document. Please review these documents</td><td> </td><td class="right"> publication of this document. Please review these documents</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> carefully, as they describe your rights and restrictions with respect</td><td> </td><td class="right"> carefully, as they describe your rights and restrictions with respect</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> to this document. Code Components extracted from this document must</td><td> </td><td class="right"> to this document. Code Components extracted from this document must</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> include Simplified BSD License text as described in Section 4.e of</td><td> </td><td class="right"> include Simplified BSD License text as described in Section 4.e of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> the Trust Legal Provisions and are provided without warranty as</td><td> </td><td class="right"> the Trust Legal Provisions and are provided without warranty as</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0007"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> described in the BSD License.</td><td> </td><td class="rblock"> described in the <span class="insert">Simplified </span>BSD License.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">Table of Contents</td><td> </td><td class="right">Table of Contents</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5</td><td> </td><td class="right"> 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 5</td><td> </td><td class="right"> 2. IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 5</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 3. Processing requirements . . . . . . . . . . . . . . . . . . . 6</td><td> </td><td class="right"> 3. Processing requirements . . . . . . . . . . . . . . . . . . . 6</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4. Advice on handling of specific IP Options . . . . . . . . . . 6</td><td> </td><td class="right"> 4. Advice on handling of specific IP Options . . . . . . . . . . 6</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 6</td><td> </td><td class="right"> 4.1. End of Option List (Type = 0) . . . . . . . . . . . . . . 6</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.1.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 6</td><td> </td><td class="right"> 4.1.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 6</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.1.2. Option specification . . . . . . . . . . . . . . . . . 7</td><td> </td><td class="right"> 4.1.2. Option specification . . . . . . . . . . . . . . . . . 7</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l2"><small>skipping to change at</small><em> page 2, line 40</em></a></th><th> </th><th><a name="part-r2"><small>skipping to change at</small><em> page 2, line 34</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.3.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 8</td><td> </td><td class="right"> 4.3.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 8</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.3.2. Option specification . . . . . . . . . . . . . . . . . 8</td><td> </td><td class="right"> 4.3.2. Option specification . . . . . . . . . . . . . . . . . 8</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.3.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 8</td><td> </td><td class="right"> 4.3.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 8</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.3.4. Operational/interoperability impact if blocked . . . . 9</td><td> </td><td class="right"> 4.3.4. Operational/interoperability impact if blocked . . . . 9</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.3.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 9</td><td> </td><td class="right"> 4.3.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 9</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 9</td><td> </td><td class="right"> 4.4. Strict Source and Record Route (SSRR) (Type = 137) . . . . 9</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.4.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 9</td><td> </td><td class="right"> 4.4.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 9</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.4.2. Option specification . . . . . . . . . . . . . . . . . 9</td><td> </td><td class="right"> 4.4.2. Option specification . . . . . . . . . . . . . . . . . 9</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.4.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 9</td><td> </td><td class="right"> 4.4.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 9</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.4.4. Operational/interoperability impact if blocked . . . . 9</td><td> </td><td class="right"> 4.4.4. Operational/interoperability impact if blocked . . . . 9</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0008"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.4.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete"> 9</span></td><td> </td><td class="rblock"> 4.4.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">10</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 10</td><td> </td><td class="right"> 4.5. Record Route (Type = 7) . . . . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.5.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 10</td><td> </td><td class="right"> 4.5.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.5.2. Option specification . . . . . . . . . . . . . . . . . 10</td><td> </td><td class="right"> 4.5.2. Option specification . . . . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.5.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 10</td><td> </td><td class="right"> 4.5.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.5.4. Operational/interoperability impact if blocked . . . . 10</td><td> </td><td class="right"> 4.5.4. Operational/interoperability impact if blocked . . . . 10</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.5.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 10</td><td> </td><td class="right"> 4.5.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6. Stream Identifier (Type = 136) . . . . . . . . . . . . . . 10</td><td> </td><td class="right"> 4.6. Stream Identifier (Type = 136) . . . . . . . . . . . . . . 10</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0009"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.6.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 1<span class="delete">0</span></td><td> </td><td class="rblock"> 4.6.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 1<span class="insert">1</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6.2. Option specification . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.6.2. Option specification . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.6.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6.4. Operational/interoperability impact if blocked . . . . 11</td><td> </td><td class="right"> 4.6.4. Operational/interoperability impact if blocked . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.6.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.7.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.2. Option specification . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.7.2. Option specification . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.7.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.4. Operational/interoperability impact if blocked . . . . 12</td><td> </td><td class="right"> 4.7.4. Operational/interoperability impact if blocked . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 12</td><td> </td><td class="right"> 4.7.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l3"><small>skipping to change at</small><em> page 3, line 12</em></a></th><th> </th><th><a name="part-r3"><small>skipping to change at</small><em> page 3, line 4</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6.2. Option specification . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.6.2. Option specification . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.6.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6.4. Operational/interoperability impact if blocked . . . . 11</td><td> </td><td class="right"> 4.6.4. Operational/interoperability impact if blocked . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.6.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.6.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.7. Internet Timestamp (Type = 68) . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.7.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.2. Option specification . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.7.2. Option specification . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11</td><td> </td><td class="right"> 4.7.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 11</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.4. Operational/interoperability impact if blocked . . . . 12</td><td> </td><td class="right"> 4.7.4. Operational/interoperability impact if blocked . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.7.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 12</td><td> </td><td class="right"> 4.7.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0010"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> </span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 12</td><td> </td><td class="right"> 4.8. Router Alert (Type = 148) . . . . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.8.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 12</td><td> </td><td class="right"> 4.8.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.8.2. Option specification . . . . . . . . . . . . . . . . . 12</td><td> </td><td class="right"> 4.8.2. Option specification . . . . . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.8.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 12</td><td> </td><td class="right"> 4.8.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.8.4. Operational/interoperability impact if blocked . . . . 12</td><td> </td><td class="right"> 4.8.4. Operational/interoperability impact if blocked . . . . 12</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0011"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.8.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">12</span></td><td> </td><td class="rblock"> 4.8.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">13</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . <span class="delete">12</span></td><td> </td><td class="rblock"> 4.9. Probe MTU (Type = 11) (obsolete) . . . . . . . . . . . . . <span class="insert">13</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.9.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">12</span></td><td> </td><td class="rblock"> 4.9.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">13</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.9.2. Option specification . . . . . . . . . . . . . . . . . <span class="delete">12</span></td><td> </td><td class="rblock"> 4.9.2. Option specification . . . . . . . . . . . . . . . . . <span class="insert">13</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.9.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 13</td><td> </td><td class="right"> 4.9.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 13</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.9.4. Operational/interoperability impact if blocked . . . . 13</td><td> </td><td class="right"> 4.9.4. Operational/interoperability impact if blocked . . . . 13</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.9.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 13</td><td> </td><td class="right"> 4.9.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 13</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 13</td><td> </td><td class="right"> 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 13</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.10.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 13</td><td> </td><td class="right"> 4.10.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 13</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.10.2. Option specification . . . . . . . . . . . . . . . . . 13</td><td> </td><td class="right"> 4.10.2. Option specification . . . . . . . . . . . . . . . . . 13</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.10.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 13</td><td> </td><td class="right"> 4.10.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 13</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0012"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.10.4. Operational/interoperability impact if blocked . . . . <span class="delete">13</span></td><td> </td><td class="rblock"> 4.10.4. Operational/interoperability impact if blocked . . . . <span class="insert">14</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.10.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">13</span></td><td> </td><td class="rblock"> 4.10.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">14</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . <span class="delete">13</span></td><td> </td><td class="rblock"> 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . <span class="insert">14</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.11.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">13</span></td><td> </td><td class="rblock"> 4.11.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">14</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.11.2. Option specification . . . . . . . . . . . . . . . . . <span class="delete">13</span></td><td> </td><td class="rblock"> 4.11.2. Option specification . . . . . . . . . . . . . . . . . <span class="insert">14</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.11.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 14</td><td> </td><td class="right"> 4.11.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 14</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.11.4. Operational/interoperability impact if blocked . . . . 14</td><td> </td><td class="right"> 4.11.4. Operational/interoperability impact if blocked . . . . 14</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.11.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 14</td><td> </td><td class="right"> 4.11.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . 14</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 14</td><td> </td><td class="right"> 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 14</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.12.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 14</td><td> </td><td class="right"> 4.12.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . 14</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0013"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.12.2. Option specification . . . . . . . . . . . . . . . . . 1<span class="delete">4</span></td><td> </td><td class="rblock"> 4.12.2. Option specification . . . . . . . . . . . . . . . . . 1<span class="insert">5</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.12.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 15</td><td> </td><td class="right"> 4.12.3. Threats . . . . . . . . . . . . . . . . . . . . . . . 15</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 4.12.4. Operational/interoperability impact if blocked . . . . 15</td><td> </td><td class="right"> 4.12.4. Operational/interoperability impact if blocked . . . . 15</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0014"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.12.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.12.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.13.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.13.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.13.2. Option specification . . . . . . . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.13.2. Option specification . . . . . . . . . . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.13.3. Threats . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.13.3. Threats . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.13.4. Operational/interoperability impact if blocked . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.13.4. Operational/interoperability impact if blocked . . . . <span class="insert">16</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.13.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.13.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.14.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">15</span></td><td> </td><td class="rblock"> 4.14.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.14.2. Option specification . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.14.2. Option specification . . . . . . . . . . . . . . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.14.3. Threats . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.14.3. Threats . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.14.4. Operational/interoperability impact if blocked . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.14.4. Operational/interoperability impact if blocked . . . . <span class="insert">17</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.14.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.14.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.15. Sender Directed Multi-Destination Delivery (Type = 149) . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.15. Sender Directed Multi-Destination Delivery (Type = 149) . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.15.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.15.1. Uses . . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.15.2. Option specification . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.15.2. Option specification . . . . . . . . . . . . . . . . . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.15.3. Threats . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.15.3. Threats . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.15.4. Operational/interoperability impact if blocked . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.15.4. Operational/interoperability impact if blocked . . . . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 4.15.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> 4.15.5. Advice . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 5. Security Considerations . . . . . . . . . . . . . . . . . . . <span class="delete">16</span></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">17</span></td><td> </td><td class="rblock"> 5. Security Considerations . . . . . . . . . . . . . . . . . . . <span class="insert">18</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">17</span></td><td> </td><td class="rblock"> 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">19</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 7.1. Normative References . . . . . . . . . . . . . . . . . . . <span class="delete">17</span></td><td> </td><td class="rblock"> 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">19</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> 7.2. Informative References . . . . . . . . . . . . . . . . . . <span class="delete">18</span></td><td> </td><td class="rblock"> 7.1. Normative References . . . . . . . . . . . . . . . . . . . <span class="insert">19</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> 7.2. Informative References . . . . . . . . . . . . . . . . . . <span class="insert">20</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Appendix A. Changes from previous versions of the draft (to</td><td> </td><td class="right"> Appendix A. Changes from previous versions of the draft (to</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> be removed by the RFC Editor before publishing</td><td> </td><td class="right"> be removed by the RFC Editor before publishing</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0015"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> this document as an RFC) . . . . . . . . . . . . . . <span class="delete">27</span></td><td> </td><td class="rblock"> this document as an RFC) . . . . . . . . . . . . . . <span class="insert">25</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . <span class="delete">27</span></td><td> </td><td class="rblock"><span class="insert"> A.1. Changes introduced in</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> draft-gont-opsec-ip-options-filtering-01 . . . . . . . . . 25</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . <span class="insert">26</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">1. Introduction</td><td> </td><td class="right">1. Introduction</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This document document provides advice on the filtering of IP Options</td><td> </td><td class="right"> This document document provides advice on the filtering of IP Options</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> within IPv4 headers. Various protocols may use IP Options to some</td><td> </td><td class="right"> within IPv4 headers. Various protocols may use IP Options to some</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> extent, therefore the filtering of such options may have implications</td><td> </td><td class="right"> extent, therefore the filtering of such options may have implications</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> on proper functioning of the protocol. As such, this document</td><td> </td><td class="right"> on proper functioning of the protocol. As such, this document</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> attempts to discuss the operational and interoperability implications</td><td> </td><td class="right"> attempts to discuss the operational and interoperability implications</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> of such filtering. Additionaly, this document will outline what a</td><td> </td><td class="right"> of such filtering. Additionaly, this document will outline what a</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> network operator might do in a typical enterprise or Service Provider</td><td> </td><td class="right"> network operator might do in a typical enterprise or Service Provider</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l4"><small>skipping to change at</small><em> page 7, line 11</em></a></th><th> </th><th><a name="part-r4"><small>skipping to change at</small><em> page 7, line 11</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option is used to indicate the "end of options" in those cases</td><td> </td><td class="right"> This option is used to indicate the "end of options" in those cases</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> in which the end of options would not coincide with the end of the</td><td> </td><td class="right"> in which the end of options would not coincide with the end of the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Internet Protocol Header.</td><td> </td><td class="right"> Internet Protocol Header.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1.2. Option specification</td><td> </td><td class="right">4.1.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Specified in RFC 791 [RFC0791].</td><td> </td><td class="right"> Specified in RFC 791 [RFC0791].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1.3. Threats</td><td> </td><td class="right">4.1.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0016"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">No security issues are known for this option, other than the general</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> security implications of IP options discussed in Section 2.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.1.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Packets containing any IP options are likely to include an End of</td><td> </td><td class="right"> Packets containing any IP options are likely to include an End of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Option List. Therefore, if packets containing this option are</td><td> </td><td class="right"> Option List. Therefore, if packets containing this option are</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> filtered, it is very likely that legitimate traffic is filtered.</td><td> </td><td class="right"> filtered, it is very likely that legitimate traffic is filtered.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.1.5. Advice</td><td> </td><td class="right">4.1.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Do not filter packets containing this option.</td><td> </td><td class="right"> Do not filter packets containing this option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l5"><small>skipping to change at</small><em> page 7, line 37</em></a></th><th> </th><th><a name="part-r5"><small>skipping to change at</small><em> page 7, line 38</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The no-operation option is basically meant to allow the sending</td><td> </td><td class="right"> The no-operation option is basically meant to allow the sending</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> system to align subsequent options in, for example, 32-bit</td><td> </td><td class="right"> system to align subsequent options in, for example, 32-bit</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> boundaries.</td><td> </td><td class="right"> boundaries.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.2. Option specification</td><td> </td><td class="right">4.2.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Specified in RFC 791 [RFC0791].</td><td> </td><td class="right"> Specified in RFC 791 [RFC0791].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.3. Threats</td><td> </td><td class="right">4.2.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0017"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">No security issues are known for this option, other than the general</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> security implications of IP options discussed in Section 2.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.2.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.2.5. Advice</td><td> </td><td class="right">4.2.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Do not filter packets containing this option.</td><td> </td><td class="right"> Do not filter packets containing this option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.3. Loose Source and Record Route (LSRR) (Type = 131)</td><td> </td><td class="right">4.3. Loose Source and Record Route (LSRR) (Type = 131)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> RFC 791 states that this option should appear, at most, once in a</td><td> </td><td class="right"> RFC 791 states that this option should appear, at most, once in a</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l6"><small>skipping to change at</small><em> page 9, line 7</em></a></th><th> </th><th><a name="part-r6"><small>skipping to change at</small><em> page 9, line 7</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> by carefully crafting an LSRR option.</td><td> </td><td class="right"> by carefully crafting an LSRR option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This is the IPv4-version of the IPv6 amplification attack that was</td><td> </td><td class="right"> This is the IPv4-version of the IPv6 amplification attack that was</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> widely publicized in 2007 [Biondi2007]. The only difference is</td><td> </td><td class="right"> widely publicized in 2007 [Biondi2007]. The only difference is</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> that the maximum length of the IPv4 header (and hence the LSRR</td><td> </td><td class="right"> that the maximum length of the IPv4 header (and hence the LSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option) limits the amplification factor when compared to the IPv6</td><td> </td><td class="right"> option) limits the amplification factor when compared to the IPv6</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> counter-part.</td><td> </td><td class="right"> counter-part.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.3.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.3.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0018"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Network troubleshooting techniques that may employ the LSRR option</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> (such as ping or traceroute) would break. Nevertheless, it hould be</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> noted that it is virtually impossible to use such techniques due to</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> widespread filtering of the LSRR option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.3.5. Advice</td><td> </td><td class="right">4.3.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> All systems should, by default, drop IP packets that contain an LSRR</td><td> </td><td class="right"> All systems should, by default, drop IP packets that contain an LSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option.</td><td> </td><td class="right"> option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4. Strict Source and Record Route (SSRR) (Type = 137)</td><td> </td><td class="right">4.4. Strict Source and Record Route (SSRR) (Type = 137)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4.1. Uses</td><td> </td><td class="right">4.4.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l7"><small>skipping to change at</small><em> page 9, line 45</em></a></th><th> </th><th><a name="part-r7"><small>skipping to change at</small><em> page 9, line 48</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Specified in RFC 791 [RFC0791].</td><td> </td><td class="right"> Specified in RFC 791 [RFC0791].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4.3. Threats</td><td> </td><td class="right">4.4.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The SSRR option has the same security implications as the LSRR</td><td> </td><td class="right"> The SSRR option has the same security implications as the LSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option. Please refer to Section 4.3 for a discussion of such</td><td> </td><td class="right"> option. Please refer to Section 4.3 for a discussion of such</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> security implications.</td><td> </td><td class="right"> security implications.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.4.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0019"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Network troubleshooting techniques that may employ the SSRR option</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> (such as ping or traceroute) would break. Nevertheless, it hould be</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> noted that it is virtually impossible to use such techniques due to</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> widespread filtering of the SSRR option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.4.5. Advice</td><td> </td><td class="right">4.4.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> All systems should, by default, drop IP packets that contain an SSRR</td><td> </td><td class="right"> All systems should, by default, drop IP packets that contain an SSRR</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> option.</td><td> </td><td class="right"> option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5. Record Route (Type = 7)</td><td> </td><td class="right">4.5. Record Route (Type = 7)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5.1. Uses</td><td> </td><td class="right">4.5.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l8"><small>skipping to change at</small><em> page 10, line 24</em></a></th><th> </th><th><a name="part-r8"><small>skipping to change at</small><em> page 10, line 29</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Specified in RFC 791 [RFC0791].</td><td> </td><td class="right"> Specified in RFC 791 [RFC0791].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5.3. Threats</td><td> </td><td class="right">4.5.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option can be exploited to map the topology of a network.</td><td> </td><td class="right"> This option can be exploited to map the topology of a network.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> However, the limited space in the IP header limits the usefulness of</td><td> </td><td class="right"> However, the limited space in the IP header limits the usefulness of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> this option for that purpose.</td><td> </td><td class="right"> this option for that purpose.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.5.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0020"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Network troubleshooting techniques that may employ the RR option</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> (such as ping with the RR option) would break. Nevertheless, it</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> hould be noted that it is virtually impossible to use such techniques</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> due to widespread filtering of the RR option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.5.5. Advice</td><td> </td><td class="right">4.5.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Drop IP packets that contain a Record Route option.</td><td> </td><td class="right"> Drop IP packets that contain a Record Route option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6. Stream Identifier (Type = 136)</td><td> </td><td class="right">4.6. Stream Identifier (Type = 136)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The Stream Identifier option originally provided a means for the 16-</td><td> </td><td class="right"> The Stream Identifier option originally provided a means for the 16-</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> bit SATNET stream Identifier to be carried through networks that did</td><td> </td><td class="right"> bit SATNET stream Identifier to be carried through networks that did</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> not support the stream concept.</td><td> </td><td class="right"> not support the stream concept.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l9"><small>skipping to change at</small><em> page 11, line 4</em></a></th><th> </th><th><a name="part-r9"><small>skipping to change at</small><em> page 11, line 11</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> not pass this check, it should be dropped, and this event should be</td><td> </td><td class="right"> not pass this check, it should be dropped, and this event should be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> logged (e.g., a counter could be incremented to reflect the packet</td><td> </td><td class="right"> logged (e.g., a counter could be incremented to reflect the packet</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> drop).</td><td> </td><td class="right"> drop).</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> RFC 791 states that this option appears at most once in a given</td><td> </td><td class="right"> RFC 791 states that this option appears at most once in a given</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> datagram. Therefore, if a packet contains more than one instance of</td><td> </td><td class="right"> datagram. Therefore, if a packet contains more than one instance of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> this option, it should be dropped, and this event should be logged</td><td> </td><td class="right"> this option, it should be dropped, and this event should be logged</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> (e.g., a counter could be incremented to reflect the packet drop).</td><td> </td><td class="right"> (e.g., a counter could be incremented to reflect the packet drop).</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6.1. Uses</td><td> </td><td class="right">4.6.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0021"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> </span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6.2. Option specification</td><td> </td><td class="right">4.6.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Specified in RFC 791 [RFC0791].</td><td> </td><td class="right"> Specified in RFC 791 [RFC0791].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6.3. Threats</td><td> </td><td class="right">4.6.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0022"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">TBD</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.6.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0023"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">None.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.6.5. Advice</td><td> </td><td class="right">4.6.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0024"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">Filter IP packets that contain a Stream Identifier option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7. Internet Timestamp (Type = 68)</td><td> </td><td class="right">4.7. Internet Timestamp (Type = 68)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7.1. Uses</td><td> </td><td class="right">4.7.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option provides a means for recording the time at which each</td><td> </td><td class="right"> This option provides a means for recording the time at which each</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> system processed this datagram.</td><td> </td><td class="right"> system processed this datagram.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7.2. Option specification</td><td> </td><td class="right">4.7.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Specified by RFC 791 [RFC0791].</td><td> </td><td class="right"> Specified by RFC 791 [RFC0791].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l10"><small>skipping to change at</small><em> page 12, line 7</em></a></th><th> </th><th><a name="part-r10"><small>skipping to change at</small><em> page 12, line 16</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> clock skew.</td><td> </td><td class="right"> clock skew.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Kohno2005] describes a technique for fingerprinting devices by</td><td> </td><td class="right"> [Kohno2005] describes a technique for fingerprinting devices by</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> measuring the clock skew. It exploits, among other things, the</td><td> </td><td class="right"> measuring the clock skew. It exploits, among other things, the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> timestamps that can be obtained by means of the ICMP timestamp</td><td> </td><td class="right"> timestamps that can be obtained by means of the ICMP timestamp</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> request messages [RFC0791]. However, the same fingerprinting method</td><td> </td><td class="right"> request messages [RFC0791]. However, the same fingerprinting method</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> could be implemented with the aid of the Internet Timestamp option.</td><td> </td><td class="right"> could be implemented with the aid of the Internet Timestamp option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.7.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0025"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD.</span></td><td> </td><td class="rblock"> <span class="insert">No security issues are known for this option, other than the general</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> security implications of IP options discussed in Section 2.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.7.5. Advice</td><td> </td><td class="right">4.7.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Filter IP packets that contain an Internet Timestamp option.</td><td> </td><td class="right"> Filter IP packets that contain an Internet Timestamp option.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8. Router Alert (Type = 148)</td><td> </td><td class="right">4.8. Router Alert (Type = 148)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.1. Uses</td><td> </td><td class="right">4.8.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The Router Alert option has the semantic "routers should examine this</td><td> </td><td class="right"> The Router Alert option has the semantic "routers should examine this</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l11"><small>skipping to change at</small><em> page 12, line 29</em></a></th><th> </th><th><a name="part-r11"><small>skipping to change at</small><em> page 12, line 39</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> by the Value of the option".</td><td> </td><td class="right"> by the Value of the option".</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.2. Option specification</td><td> </td><td class="right">4.8.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The Router Alert option is defined in RFC 2113 [RFC2113] and later</td><td> </td><td class="right"> The Router Alert option is defined in RFC 2113 [RFC2113] and later</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> updates to it have been clarified by RFC 5350 [RFC5350]. It contains</td><td> </td><td class="right"> updates to it have been clarified by RFC 5350 [RFC5350]. It contains</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> a 16-bit Value governed by an IANA registry (see [RFC5350]).</td><td> </td><td class="right"> a 16-bit Value governed by an IANA registry (see [RFC5350]).</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.3. Threats</td><td> </td><td class="right">4.8.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0026"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD.</span></td><td> </td><td class="rblock"> <span class="insert">The security implications of the Router Alert option have been</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> discussed in detail in</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [I-D.ietf-intarea-router-alert-considerations]. Basically, the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Router Alert option might be exploited to perform a Denial of Service</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> (DoS) attack by exhausting CPU resources at the processing routers.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.8.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0027"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Applications that employ the Router Alert option (such as RSVP</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [RFC2205]) would break.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.8.5. Advice</td><td> </td><td class="right">4.8.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0028"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">This option should be allowed only on controlled environments, where</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the option can be used safely</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> ([I-D.ietf-intarea-router-alert-considerations] identifies such</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> environments). In other environments, packets containing this option</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> should be dropped.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.9. Probe MTU (Type = 11) (obsolete)</td><td> </td><td class="right">4.9. Probe MTU (Type = 11) (obsolete)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.9.1. Uses</td><td> </td><td class="right">4.9.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option originally provided a mechanism to discover the Path-MTU.</td><td> </td><td class="right"> This option originally provided a mechanism to discover the Path-MTU.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> It has been declared obsolete.</td><td> </td><td class="right"> It has been declared obsolete.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.9.2. Option specification</td><td> </td><td class="right">4.9.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l12"><small>skipping to change at</small><em> page 14, line 26</em></a></th><th> </th><th><a name="part-r12"><small>skipping to change at</small><em> page 14, line 46</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12. DoD Basic Security Option (Type = 130)</td><td> </td><td class="right">4.12. DoD Basic Security Option (Type = 130)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.1. Uses</td><td> </td><td class="right">4.12.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option is used by Multi-Level-Secure (MLS) end-systems and</td><td> </td><td class="right"> This option is used by Multi-Level-Secure (MLS) end-systems and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> intermediate systems in specific environments to [RFC1108]:</td><td> </td><td class="right"> intermediate systems in specific environments to [RFC1108]:</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> o Transmit from source to destination in a network standard</td><td> </td><td class="right"> o Transmit from source to destination in a network standard</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> representation the common security labels required by computer</td><td> </td><td class="right"> representation the common security labels required by computer</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0029"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> security models,</td><td> </td><td class="rblock"> security models<span class="insert"> [Landwehr81]</span>,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> o Validate the datagram as appropriate for transmission from the</td><td> </td><td class="right"> o Validate the datagram as appropriate for transmission from the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> source and delivery to the destination, and,</td><td> </td><td class="right"> source and delivery to the destination, and,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> o Ensure that the route taken by the datagram is protected to the</td><td> </td><td class="right"> o Ensure that the route taken by the datagram is protected to the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> level required by all protection authorities indicated on the</td><td> </td><td class="right"> level required by all protection authorities indicated on the</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> datagram.</td><td> </td><td class="right"> datagram.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The DoD Basic Security Option is currently implemented in a number of</td><td> </td><td class="right"> The DoD Basic Security Option is currently implemented in a number of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> operating systems (e.g., [IRIX2008], [SELinux2008], [Solaris2008],</td><td> </td><td class="right"> operating systems (e.g., [IRIX2008], [SELinux2008], [Solaris2008],</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> and [Cisco2008]), and deployed in a number of high-security networks.</td><td> </td><td class="right"> and [Cisco2008]), and deployed in a number of high-security networks.</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0030"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">These networks are typically either in physically secure locations,</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> protected by military/governmental communications security equipment,</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> or both. Such networks are typically built using commercial off-the-</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> shelf (COTS) IP routers and Ethernet switches, but are not normally</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> interconnected with the global public Internet. This option probably</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> has more deployment now than when the IESG removed this option from</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the IETF standards-track. [RFC5570] describes a similar option</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> recently defined for IPv6 and has much more detailed explanations of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> how sensitivity label options are used in real-world deployments.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.2. Option specification</td><td> </td><td class="right">4.12.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> It is specified by RFC 1108 [RFC1108] (which obsoletes RFC 1038</td><td> </td><td class="right"> It is specified by RFC 1108 [RFC1108] (which obsoletes RFC 1038</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [RFC1038]).</td><td> </td><td class="right"> [RFC1038]).</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> RFC 791 [RFC0791] defined the "Security Option" (Type = 130),</td><td> </td><td class="right"> RFC 791 [RFC0791] defined the "Security Option" (Type = 130),</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> which used the same option type as the DoD Basic Security option</td><td> </td><td class="right"> which used the same option type as the DoD Basic Security option</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> discussed in this section. The "Security Option" specified in RFC</td><td> </td><td class="right"> discussed in this section. The "Security Option" specified in RFC</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 791 is considered obsolete by Section 3.2.1.8 of RFC 1122, and</td><td> </td><td class="right"> 791 is considered obsolete by Section 3.2.1.8 of RFC 1122, and</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> therefore the discussion in this section is focused on the DoD</td><td> </td><td class="right"> therefore the discussion in this section is focused on the DoD</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Basic Security option specified by RFC 1108 [RFC1108].</td><td> </td><td class="right"> Basic Security option specified by RFC 1108 [RFC1108].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement</td><td> </td><td class="right"> Section 4.2.2.1 of RFC 1812 states that routers "SHOULD implement</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> this option".</td><td> </td><td class="right"> this option".</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0031"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">[IOS-12.2][RFC4949][RFC3585][RFC4807]</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.3. Threats</td><td> </td><td class="right">4.12.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0032"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD.</span></td><td> </td><td class="rblock"> <span class="insert">Presence of this option in a packet does not by itself create any</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> specific new threat (other than the usual generic issues that might</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> be created if packets with options are forwarded via the "slow</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> path"). Packets with this option ought not normally be seen on the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> global public Internet.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.12.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0033"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">If packets with this option are blocked or if the option is stripped</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> from the packet during transmission from source to destination, then</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the packet itself is likely to be dropped by the receiver because it</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> isn't properly labelled. In some cases, the receiver might receive</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the packet but associate an incorrect sensitivity label with the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> received data from the packet whose IPSO BSO was stripped by an</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> intermediate router or firewall. Associating an incorrect</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> sensitivity label can cause the received information either to be</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> handled as more sensitive than it really is ("upgrading") or as less</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> sensitive than it really is ("downgrading"), either of which is</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> problematic.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.12.5. Advice</td><td> </td><td class="right">4.12.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0034"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Routers and firewalls ought not by default drop packets containing</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> IPSO and also ought not by default strip the IPSO from the packet.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> For auditing reasons, routers and firewalls SHOULD be capable of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> logging the numbers of packets containing the IPSO BSO on a per-</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> interface basis. Also, routers and firewalls SHOULD be capable of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> filtering packets based on the IPSO BSO presence as well as the IPSO</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> BSO values.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13. DoD Extended Security Option (Type = 133)</td><td> </td><td class="right">4.13. DoD Extended Security Option (Type = 133)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.1. Uses</td><td> </td><td class="right">4.13.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option permits additional security labeling information, beyond</td><td> </td><td class="right"> This option permits additional security labeling information, beyond</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> that present in the Basic Security Option (Section 4.12), to be</td><td> </td><td class="right"> that present in the Basic Security Option (Section 4.12), to be</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> supplied in an IP datagram to meet the needs of registered</td><td> </td><td class="right"> supplied in an IP datagram to meet the needs of registered</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> authorities.</td><td> </td><td class="right"> authorities.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.2. Option specification</td><td> </td><td class="right">4.13.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option is specified by RFC 1108 [RFC1108].</td><td> </td><td class="right"> This option is specified by RFC 1108 [RFC1108].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0035"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">[IOS-12.2][RFC4949][RFC3585][RFC4807]</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.3. Threats</td><td> </td><td class="right">4.13.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0036"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Presence of this option in a packet does not by itself create any</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> specific new threat (other than the usual generic issues that might</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> be created if packets with options are forwarded via the "slow</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> path"). Packets with this option ought not normally be seen on the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> global public Internet</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.13.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0037"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">If packets with this option are blocked or if the option is stripped</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> from the packet during transmission from source to destination, then</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the packet itself is likely to be dropped by the receiver because it</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> isn't properly labelled. In some cases, the receiver might receive</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the packet but associate an incorrect sensitivity label with the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> received data from the packet whose IPSO BSO was stripped by an</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> intermediate router or firewall. Associating an incorrect</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> sensitivity label can cause the received information either to be</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> handled as more sensitive than it really is ("upgrading") or as less</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> sensitive than it really is ("downgrading"), either of which is</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> problematic.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.13.5. Advice</td><td> </td><td class="right">4.13.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0038"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Routers and firewalls ought not by default drop packets containing</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> IPSO and also ought not by default strip the IPSO from the packet.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> For auditing reasons, routers and firewalls SHOULD be capable of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> logging the numbers of packets containing the IPSO BSO on a per-</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> interface basis. Also, routers and firewalls SHOULD be capable of</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> filtering packets based on the IPSO BSO presence as well as the IPSO</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> BSO values.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14. Commercial IP Security Option (CIPSO) (Type = 134)</td><td> </td><td class="right">4.14. Commercial IP Security Option (CIPSO) (Type = 134)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.1. Uses</td><td> </td><td class="right">4.14.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option was proposed by the Trusted Systems Interoperability</td><td> </td><td class="right"> This option was proposed by the Trusted Systems Interoperability</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Group (TSIG), with the intent of meeting trusted networking</td><td> </td><td class="right"> Group (TSIG), with the intent of meeting trusted networking</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> requirements for the commercial trusted systems market place.</td><td> </td><td class="right"> requirements for the commercial trusted systems market place.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> It is currently implemented in a number of operating systems (e.g.,</td><td> </td><td class="right"> It is currently implemented in a number of operating systems (e.g.,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris</td><td> </td><td class="right"> IRIX [IRIX2008], Security-Enhanced Linux [SELinux2008], and Solaris</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Solaris2008]), and deployed in a number of high-security networks.</td><td> </td><td class="right"> [Solaris2008]), and deployed in a number of high-security networks.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.2. Option specification</td><td> </td><td class="right">4.14.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0039"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> This option is specified in [CIPSO1992] and [FIPS1994].</td><td> </td><td class="rblock"> This option is specified in [CIPSO1992] and [FIPS1994]. <span class="insert">There are</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> zero known IP router implementations of CIPSO. Several MLS operating</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> systems support CIPSO, generally the same MLS operating systems that</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> support IPSO.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.3. Threats</td><td> </td><td class="right">4.14.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0040"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Presence of this option in a packet does not by itself create any</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> specific new threat (other than the usual generic issues that might</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> be created if packets with options are forwarded via the "slow</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> path"). Packets with this option ought not normally be seen on the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> global public Internet.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.14.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0041"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">If packets with this option are blocked or if the option is stripped</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> from the packet during transmission from source to destination, then</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the packet itself is likely to be dropped by the receiver because it</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> isn't properly labelled. In some cases, the receiver might receive</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the packet but associate an incorrect sensitivity label with the</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> received data from the packet whose IPSO BSO was stripped by an</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> intermediate router or firewall. Associating an incorrect</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> sensitivity label can cause the received information either to be</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> handled as more sensitive than it really is ("upgrading") or as less</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> sensitive than it really is ("downgrading"), either of which is</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> problematic.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.14.5. Advice</td><td> </td><td class="right">4.14.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0042"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Because of the design of this option, with variable syntax and</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> variable length, it is not practical to support specialised filtering</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> using the CIPSO information. No routers or firewalls are known to</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> support this option. However, by default a router or firewall should</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> not modify or remove this option from IP packets and a router or</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> firewall should not by default drop packets containing this option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15. Sender Directed Multi-Destination Delivery (Type = 149)</td><td> </td><td class="right">4.15. Sender Directed Multi-Destination Delivery (Type = 149)</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.1. Uses</td><td> </td><td class="right">4.15.1. Uses</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option originally provided unreliable UDP delivery to a set of</td><td> </td><td class="right"> This option originally provided unreliable UDP delivery to a set of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> addresses included in the option. It is currently obsolete.</td><td> </td><td class="right"> addresses included in the option. It is currently obsolete.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.2. Option specification</td><td> </td><td class="right">4.15.2. Option specification</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This option is defined in RFC 1770 [RFC1770].</td><td> </td><td class="right"> This option is defined in RFC 1770 [RFC1770].</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.3. Threats</td><td> </td><td class="right">4.15.3. Threats</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0043"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">This option could have been exploited for bandwidth-amplification in</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Denial of Service (DoS) attacks.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.4. Operational/interoperability impact if blocked</td><td> </td><td class="right">4.15.4. Operational/interoperability impact if blocked</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0044"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">None.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">4.15.5. Advice</td><td> </td><td class="right">4.15.5. Advice</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0045"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">TBD</span></td><td> </td><td class="rblock"> <span class="insert">Filter IP packets that contain a Sender Directed Multi-Destination</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Delivery option.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">5. Security Considerations</td><td> </td><td class="right">5. Security Considerations</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> This document provides advice on the filtering of IP packets that</td><td> </td><td class="right"> This document provides advice on the filtering of IP packets that</td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0046"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> contain IP options.</td><td> </td><td class="rblock"> contain IP options. <span class="insert">Filtering of such packets can help to mitigate</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the security issues that arise from use of different IP options.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">6. Acknowledgements</td><td> </td><td class="right">6. Acknowledgements</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Part of this document is based on the document &Security Assesment of</td><td> </td><td class="right"> Part of this document is based on the document &Security Assesment of</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> the Internet Protocol& [CPNI2008] that is the result of a project</td><td> </td><td class="right"> the Internet Protocol& [CPNI2008] that is the result of a project</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> carried out by Fernando Gont on behalf of UK CPNI (formerly NISCC).</td><td> </td><td class="right"> carried out by Fernando Gont on behalf of UK CPNI (formerly NISCC).</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Fernando Gont would like to thank UK CPNI (formerly NISCC) for their</td><td> </td><td class="right"> Fernando Gont would like to thank UK CPNI (formerly NISCC) for their</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> continued support.</td><td> </td><td class="right"> continued support.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l13"><small>skipping to change at</small><em> page 18, line 38</em></a></th><th> </th><th><a name="part-r13"><small>skipping to change at</small><em> page 20, line 38</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> May 2005.</td><td> </td><td class="right"> May 2005.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU</td><td> </td><td class="right"> [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Discovery", RFC 4821, March 2007.</td><td> </td><td class="right"> Discovery", RFC 4821, March 2007.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",</td><td> </td><td class="right"> [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> BCP 153, RFC 5735, January 2010.</td><td> </td><td class="right"> BCP 153, RFC 5735, January 2010.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left">7.2. Informative References</td><td> </td><td class="right">7.2. Informative References</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0047"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[Anderson2001]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Anderson, J., "An Analysis of Fragmentation Attacks",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Available at: http://www.ouah.org/fragma.html , 2001.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Arkin2000]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Arkin, "IP TTL Field Value with ICMP (Oops - Identifying</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Windows 2000 again and more)", http://</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> ofirarkin.files.wordpress.com/2008/11/</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> ofirarkin2000-06.pdf, 2000.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Barisani2006]</td><td> </td><td class="right"> [Barisani2006]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Barisani, A., "FTester - Firewall and IDS testing tool",</td><td> </td><td class="right"> Barisani, A., "FTester - Firewall and IDS testing tool",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Available at: http://dev.inversepath.com/trac/ftester ,</td><td> </td><td class="right"> Available at: http://dev.inversepath.com/trac/ftester ,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 2001.</td><td> </td><td class="right"> 2001.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0048"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[Bellovin1989]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Bellovin, S., "Security Problems in the TCP/IP Protocol</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Suite", Computer Communication Review Vol. 19, No. 2, pp.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 32-48, 1989.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Bellovin2002]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Bellovin, S., "A Technique for Counting NATted Hosts",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> IMW'02 Nov. 6-8, 2002, Marseille, France, 2002.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Bendi1998]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Bendi, "Boink exploit", http://www.insecure.org/sploits/</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 95.NT.fragmentation.bonk.html , 1998.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Biondi2007]</td><td> </td><td class="right"> [Biondi2007]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",</td><td> </td><td class="right"> Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> CanSecWest 2007 Security Conference http://www.secdev.org/</td><td> </td><td class="right"> CanSecWest 2007 Security Conference http://www.secdev.org/</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> conf/IPv6_RH_security-csw07.pdf, 2007.</td><td> </td><td class="right"> conf/IPv6_RH_security-csw07.pdf, 2007.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [CERT1996a]</td><td> </td><td class="right"> [CERT1996a]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> CERT, "CERT Advisory CA-1996-01: UDP Port Denial-of-</td><td> </td><td class="right"> CERT, "CERT Advisory CA-1996-01: UDP Port Denial-of-</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Service Attack",</td><td> </td><td class="right"> Service Attack",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> http://www.cert.org/advisories/CA-1996-01.html, 1996.</td><td> </td><td class="right"> http://www.cert.org/advisories/CA-1996-01.html, 1996.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0049"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[CERT1996b]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> CERT, "CERT Advisory CA-1996-21: TCP SYN Flooding and IP</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Spoofing Attacks",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.cert.org/advisories/CA-1996-21.html, 1996.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [CERT1996c]</td><td> </td><td class="right"> [CERT1996c]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> CERT, "CERT Advisory CA-1996-26: Denial-of-Service Attack</td><td> </td><td class="right"> CERT, "CERT Advisory CA-1996-26: Denial-of-Service Attack</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> via ping",</td><td> </td><td class="right"> via ping",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> http://www.cert.org/advisories/CA-1996-26.html, 1996.</td><td> </td><td class="right"> http://www.cert.org/advisories/CA-1996-26.html, 1996.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [CERT1997]</td><td> </td><td class="right"> [CERT1997]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> CERT, "CERT Advisory CA-1997-28: IP Denial-of-Service</td><td> </td><td class="right"> CERT, "CERT Advisory CA-1997-28: IP Denial-of-Service</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Attacks", http://www.cert.org/advisories/CA-1997-28.html,</td><td> </td><td class="right"> Attacks", http://www.cert.org/advisories/CA-1997-28.html,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 1997.</td><td> </td><td class="right"> 1997.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0050"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[CERT1998a]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> CERT, "CERT Advisory CA-1998-01: Smurf IP Denial-of-</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Service Attacks",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.cert.org/advisories/CA-1998-01.html, 1998.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [CERT1998b]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> CERT, "CERT Advisory CA-1998-13: Vulnerability in Certain</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> TCP/IP Implementations",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.cert.org/advisories/CA-1998-13.html, 1998.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [CERT1999]</td><td> </td><td class="right"> [CERT1999]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> CERT, "CERT Advisory CA-1999-17: Denial-of-Service Tools",</td><td> </td><td class="right"> CERT, "CERT Advisory CA-1999-17: Denial-of-Service Tools",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> http://www.cert.org/advisories/CA-1999-17.html, 1999.</td><td> </td><td class="right"> http://www.cert.org/advisories/CA-1999-17.html, 1999.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0051"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[CERT2001]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> CERT, "CERT Advisory CA-2001-09: Statistical Weaknesses in</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> TCP/IP Initial Sequence Numbers",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.cert.org/advisories/CA-2001-09.html, 2001.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [CERT2003]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> CERT, "CERT Advisory CA-2003-15 Cisco IOS Interface</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Blocked by IPv4 Packet",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.cert.org/advisories/CA-2003-15.html, 2003.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [CIPSO1992]</td><td> </td><td class="right"> [CIPSO1992]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> CIPSO, "COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)", IETF</td><td> </td><td class="right"> CIPSO, "COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)", IETF</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Internet-Draft (draft-ietf-cipso-ipsecurity-01.txt), work</td><td> </td><td class="right"> Internet-Draft (draft-ietf-cipso-ipsecurity-01.txt), work</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> in progress , 1992.</td><td> </td><td class="right"> in progress , 1992.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [CIPSOWG1994]</td><td> </td><td class="right"> [CIPSOWG1994]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> CIPSOWG, "Commercial Internet Protocol Security Option</td><td> </td><td class="right"> CIPSOWG, "Commercial Internet Protocol Security Option</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> (CIPSO) Working Group", http://www.ietf.org/proceedings/</td><td> </td><td class="right"> (CIPSO) Working Group", http://www.ietf.org/proceedings/</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 94jul/charters/cipso-charter.html, 1994.</td><td> </td><td class="right"> 94jul/charters/cipso-charter.html, 1994.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [CPNI2008]</td><td> </td><td class="right"> [CPNI2008]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Gont, F., "Security Assessment of the Internet Protocol",</td><td> </td><td class="right"> Gont, F., "Security Assessment of the Internet Protocol",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> http://www.cpni.gov.uk/Docs/InternetProtocol.pdf, 2008.</td><td> </td><td class="right"> http://www.cpni.gov.uk/Docs/InternetProtocol.pdf, 2008.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0052"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[Cerf1974]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Cerf, V. and R. Kahn, "A Protocol for Packet Network</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Intercommunication", IEEE Transactions on</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Communications Vol. 22, No. 5, May 1974, pp. 637-648,</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 1974.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Cisco2003]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Cisco, "Cisco Security Advisory: Cisco IOS Interface</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Blocked by IPv4 packet", http://www.cisco.com/en/US/</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> products/products_security_advisory09186a00801a34c2.shtml,</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 2003.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Cisco2008]</td><td> </td><td class="right"> [Cisco2008]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Cisco, "Cisco IOS Security Configuration Guide, Release</td><td> </td><td class="right"> Cisco, "Cisco IOS Security Configuration Guide, Release</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 12.2", http://www.cisco.com/en/US/docs/ios/12_2/security/</td><td> </td><td class="right"> 12.2", http://www.cisco.com/en/US/docs/ios/12_2/security/</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> configuration/guide/scfipso.html, 2003.</td><td> </td><td class="right"> configuration/guide/scfipso.html, 2003.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0053"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[Clark1988]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Clark, D., "The Design Philosophy of the DARPA Internet</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Protocols", Computer Communication Review Vol. 18, No. 4,</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 1988.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Ed3f2002]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Ed3f, "Firewall spotting and networks analisys with a</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> broken CRC", Phrack Magazine, Volume 0x0b, Issue 0x3c,</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Phile #0x0c of 0x10 http://www.phrack.org/</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> issues.html?issue=60&id=12&mode=txt, 2002.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [FIPS1994]</td><td> </td><td class="right"> [FIPS1994]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> FIPS, "Standard Security Label for Information Transfer",</td><td> </td><td class="right"> FIPS, "Standard Security Label for Information Transfer",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Federal Information Processing Standards Publication. FIP</td><td> </td><td class="right"> Federal Information Processing Standards Publication. FIP</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> PUBS 188 http://csrc.nist.gov/publications/fips/fips188/</td><td> </td><td class="right"> PUBS 188 http://csrc.nist.gov/publications/fips/fips188/</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> fips188.pdf, 1994.</td><td> </td><td class="right"> fips188.pdf, 1994.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0054"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[Fuller2008a]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Fuller, V., Lear, E., and D. Meyer, "240.0.0.0/4: The</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Future Begins Now", Routing SIG Meeting, 25th APNIC Open</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Policy Meeting, February 25 - 29 2008, Taipei, Taiwan http</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> ://www.apnic.net/meetings/25/program/routing/</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> fuller-240-future.pdf, 2008.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Fyodor2004]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Fyodor, "Idle scanning and related IP ID games",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.insecure.org/nmap/idlescan.html, 2004.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [GIAC2000]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> GIAC, "Egress Filtering v 0.2",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.sans.org/y2k/egress.htm, 2000.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Gont2006]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Gont, F., "Advanced ICMP packet filtering",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.gont.com.ar/papers/icmp-filtering.html, 2006.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Haddad2004]</td><td> </td><td class="right"> [Haddad2004]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Haddad, I. and M. Zakrzewski, "Security Distribution for</td><td> </td><td class="right"> Haddad, I. and M. Zakrzewski, "Security Distribution for</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Linux Clusters", Linux</td><td> </td><td class="right"> Linux Clusters", Linux</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Journal http://www.linuxjournal.com/article/6943, 2004.</td><td> </td><td class="right"> Journal http://www.linuxjournal.com/article/6943, 2004.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0055"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[Humble1998]</span></td><td> </td><td class="rblock"> <span class="insert">[I-D.ietf-intarea-router-alert-considerations]</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Gont,</span> F., <span class="delete">"Nestea exploit",</span></td><td> </td><td class="rblock"><span class="insert"> Faucheur,</span> F., <span class="insert">"IP Router Alert Considerations and Usage",</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.insecure.org/sploits/linux.PalmOS.nestea.html,</span></td><td> </td><td class="rblock"><span class="insert"> draft-ietf-intarea-router-alert-considerations-03</span> (work in</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 1998.</span></td><td> </td><td class="rblock"> progress), March <span class="insert">2011.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [I-D.fuller-240space]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Fuller, V., "Reclassifying 240/4 as usable unicast address</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> space", draft-fuller-240space-02</span> (work in progress),</td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> March <span class="delete">2008.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [I-D.ietf-tcpm-icmp-attacks]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Gont, F., "ICMP attacks against TCP",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> draft-ietf-tcpm-icmp-attacks-11 (work in progress),</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> February 2010.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [I-D.templin-mtuassurance]</td><td> </td><td class="right"> [I-D.templin-mtuassurance]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Templin, F., "Requirements for IP-in-IP Tunnel MTU</td><td> </td><td class="right"> Templin, F., "Requirements for IP-in-IP Tunnel MTU</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Assurance", draft-templin-mtuassurance-02 (work in</td><td> </td><td class="right"> Assurance", draft-templin-mtuassurance-02 (work in</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> progress), October 2006.</td><td> </td><td class="right"> progress), October 2006.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [I-D.wilson-class-e]</td><td> </td><td class="right"> [I-D.wilson-class-e]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Wilson, P., Michaelson, G., and G. Huston, "Redesignation</td><td> </td><td class="right"> Wilson, P., Michaelson, G., and G. Huston, "Redesignation</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> of 240/4 from "Future Use" to "Private Use"",</td><td> </td><td class="right"> of 240/4 from "Future Use" to "Private Use"",</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> draft-wilson-class-e-02 (work in progress),</td><td> </td><td class="right"> draft-wilson-class-e-02 (work in progress),</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr bgcolor="gray"><td></td><th><a name="part-l14"><small>skipping to change at</small><em> page 22, line 33</em></a></th><th> </th><th><a name="part-r14"><small>skipping to change at</small><em> page 22, line 28</em></a></th><td></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> "http://www.iana.org/assignments/ethernet-numbers".</td><td> </td><td class="right"> "http://www.iana.org/assignments/ethernet-numbers".</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [IANA2006b]</td><td> </td><td class="right"> [IANA2006b]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> IP Parameters,</td><td> </td><td class="right"> IP Parameters,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> "http://www.iana.org/assignments/ip-parameters".</td><td> </td><td class="right"> "http://www.iana.org/assignments/ip-parameters".</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [IANA2006c]</td><td> </td><td class="right"> [IANA2006c]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Protocol Numbers,</td><td> </td><td class="right"> Protocol Numbers,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> "http://www.iana.org/assignments/protocol-numbers".</td><td> </td><td class="right"> "http://www.iana.org/assignments/protocol-numbers".</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0056"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">[IOS-12.2]</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Cisco, "IP Security Options Commands", http://</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> www.cisco.com/en/US/docs/ios/12_2/security/command/</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> reference/srfipso.html, 2011.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [IRIX2008]</td><td> </td><td class="right"> [IRIX2008]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> IRIX, "IRIX 6.5 trusted_networking(7) manual page", http:</td><td> </td><td class="right"> IRIX, "IRIX 6.5 trusted_networking(7) manual page", http:</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> //techpubs.sgi.com/library/tpl/cgi-bin/</td><td> </td><td class="right"> //techpubs.sgi.com/library/tpl/cgi-bin/</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/</td><td> </td><td class="right"> getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> cat7/trusted_networking.z, 2008.</td><td> </td><td class="right"> cat7/trusted_networking.z, 2008.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0057"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[Jones2002]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Jones, R., "A Method Of Selecting Values For the</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Parameters Controlling IP Fragment Reassembly", ftp://</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> ftp.cup.hp.com/dist/networking/briefs/ip_reass_tuning.txt,</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 2002.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Kenney1996]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Kenney, M., "The Ping of Death Page",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.insecure.org/sploits/ping-o-death.html, 1996.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Kent1987]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Kent, C. and J. Mogul, "Fragmentation considered harmful",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Proc. SIGCOMM '87 Vol. 17, No. 5, October 1987, 1987.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [Klein2007]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Klein, A., "OpenBSD DNS Cache Poisoning and Multiple O/S</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Predictable IP ID Vulnerability", http://</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> www.trusteer.com/files/</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> _ID_Vulnerability.pdf, 2007.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Kohno2005]</td><td> </td><td class="right"> [Kohno2005]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Kohno, T., Broido, A., and kc. Claffy, "Remote Physical</td><td> </td><td class="right"> Kohno, T., Broido, A., and kc. Claffy, "Remote Physical</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Device Fingerprinting", IEEE Transactions on Dependable</td><td> </td><td class="right"> Device Fingerprinting", IEEE Transactions on Dependable</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> and Secure Computing Vol. 2, No. 2, 2005.</td><td> </td><td class="right"> and Secure Computing Vol. 2, No. 2, 2005.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0058"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[LBNL2006]</span></td><td> </td><td class="rblock"> <span class="insert">[Landwehr81]</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> LBNL/NRG, "arpwatch tool", http://ee.lbl.gov/, 2006.</span></td><td> </td><td class="rblock"><span class="insert"> Landwehr, C., "Formal Models for Computer Security", ACM</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Computing Surveys Vol 13, No 3, September 1981, Assoc for</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Computing Machinery, New York, NY, USA, 1981.</span></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Linux2006]</td><td> </td><td class="right"> [Linux2006]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> The Linux Project, "http://www.kernel.org".</td><td> </td><td class="right"> The Linux Project, "http://www.kernel.org".</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Microsoft1999]</td><td> </td><td class="right"> [Microsoft1999]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Microsoft, "Microsoft Security Program: Microsoft Security</td><td> </td><td class="right"> Microsoft, "Microsoft Security Program: Microsoft Security</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Bulletin (MS99-038). Patch Available for "Spoofed Route</td><td> </td><td class="right"> Bulletin (MS99-038). Patch Available for "Spoofed Route</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Pointer" Vulnerability", http://www.microsoft.com/</td><td> </td><td class="right"> Pointer" Vulnerability", http://www.microsoft.com/</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> technet/security/bulletin/ms99-038.mspx, 1999.</td><td> </td><td class="right"> technet/security/bulletin/ms99-038.mspx, 1999.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0059"></a></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> <span class="delete">[NISCC2004]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> NISCC, "NISCC Vulnerability Advisory 236929: Vulnerability</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Issues in TCP",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.uniras.gov.uk/niscc/docs/</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> re-20040420-00391.pdf, 2004.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [NISCC2005]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> NISCC, "NISCC Vulnerability Advisory 532967/NISCC/ICMP:</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Vulnerability Issues in ICMP packets with TCP payloads",</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf,</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> 2005.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> [NISCC2006]</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> NISCC, "NISCC Technical Note 01/2006: Egress and Ingress</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> Filtering", http://www.niscc.gov.uk/niscc/docs/</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"><span class="delete"> re-20060420-00294.pdf?lang=en, 2006.</span></td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> [Northcutt2000]</td><td> </td><td class="right"> [Northcutt2000]</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Northcut, S. and Novak, "Network Intrusion Detection - An</td><td> </td><td class="right"> Northcut, S. and Novak, "Network Intrusion Detection - An</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> Analyst's Handbook", Second Edition New Riders Publishing,</td><td> </td><td class="right"> Analyst's Handbook", Second Edition New Riders Publishing,</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"> 2000.</td><td> </td><td class="right"> 2000.</td><td class="lineno" valign="top"></td></tr>
<tr><td class="lineno" valign="top"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno" valign="top"></td></tr>
<tr><td><a name="diff0060"></a></td></tr>