>The best source is the IPv4 standard RFC 791:
>
>"The Options provide for control functions needed or useful in some
>   situations but unnecessary for the most common communications.  The
>   options include provisions for timestamps, security, and special
>   routing.... The options may appear or not in datagrams... The option
>field is variable in length."
>
>The following options exist (from my own TCP/IP course):
>+++++++++++++++++++++++++++++++++++++++++++++++++
>o the security if the data field is encrypted,
>
>o the source routing (loose or strict) where the actual route followed
>by the datagram may be specified as a list of router addresses,
>
>o the route recording, where the addresses of the visited routers are
>recorded during the transit of the datagram through the internet path,
>
>o the time recording (timestamp) used by the visited routers to register
>the current time in the processed datagram.
>++++++++++++++
>For more details, codes etc. go to the RFC.
>
>As options are extremely rarely used I wonder whether some filtering
>upon them would be available on routers?
>
>Rita


You're quite correct, Rita, that the definitions are in RFC 791. 
It's worthwhile also to read relevant parts of RFC 1812 to indicate 
their more current usage.  It may very well be that the use of some 
of these options is now deprecated, so they aren't supported and 
don't need to be filtered.

Offhand, you definitely can disable source routing in the IOS, since 
it is generally regarded as a security hole.  Some providers do turn 
it on in very controlled circumstances as a debugging tool. It's my 
feeling that IP source routing is increasingly irrelevant with the 
increased use of MPLS.

There is a separate RFC on the Internet Protocol Security Option. 
Don't remember its number. I have made use of it without encryption 
but to keep traffic of different sensitivities from going onto less 
trusted subnets within an enterprise.  There's a case study of this 
in my book, "Designing Routing and Switching Architectures for 
Enterprise Networks." Today, however, I'd be much more prone to use 
IPSec for the same purpose--more powerful and more secure.

I believe there also are additional documents on timestamping, which 
also look at the problem of time synchronization. IIRC, there's an 
ICMP extension with a more modern approach to timestamps.


>Aamer Kaleem wrote:
>>
>>  Can anyone shed some light on "Options" in the IP Packet. On CCO, it is said
>>  that they can be used for security etc. Also how can we filter packets based on
>>  "option types".
>>
>>  Thanx,
>>
>>  Aamer kaleem
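
Added example, not part of the original thread: a minimal parser that walks the variable-length options field described above and applies a filter decision on "option types". The option type numbers are the ones defined in RFC 791; the function names, the drop policy and the sample addresses are assumptions made for illustration.

```python
import struct

# Option type values as defined in RFC 791.
OPTION_NAMES = {
    0: "End of Option List", 1: "No Operation", 7: "Record Route",
    68: "Internet Timestamp", 130: "Security", 131: "Loose Source Routing",
    136: "Stream ID", 137: "Strict Source Routing",
}
SOURCE_ROUTE_TYPES = {131, 137}

def parse_ip_options(header: bytes):
    """Return a list of (type, name, data) for the options in an IPv4 header."""
    if len(header) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5 or len(header) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    opts, found, i = header[20:ihl * 4], [], 0
    while i < len(opts):
        otype = opts[i]
        if otype == 0:                  # End of Option List: the rest is padding
            break
        if otype == 1:                  # No Operation: one byte, no length field
            found.append((1, OPTION_NAMES[1], b""))
            i += 1
            continue
        if i + 1 >= len(opts):          # all other options carry a length byte
            raise ValueError("option truncated before its length byte")
        olen = opts[i + 1]              # length counts type, length and data
        if olen < 2 or i + olen > len(opts):
            raise ValueError("option length out of bounds")
        found.append((otype, OPTION_NAMES.get(otype, "unknown"), opts[i + 2:i + olen]))
        i += olen
    return found

def should_drop(header: bytes) -> bool:
    """Hypothetical policy: drop source-routed or malformed datagrams."""
    try:
        return any(t in SOURCE_ROUTE_TYPES for t, _, _ in parse_ip_options(header))
    except ValueError:
        return True

def build_header(options: bytes) -> bytes:
    """Constructed sample header (checksum left at zero) carrying the given options."""
    options += b"\x00" * (-len(options) % 4)    # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 1, 0)
    return fixed + bytes([192, 0, 2, 1]) + bytes([198, 51, 100, 7]) + options
```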




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=31409&t=31364