RFC3514: The Security Flag in the IPv4 Header

A little networking humor. Excerpt:

   4. Processing of the Evil Bit

      Devices such as firewalls MUST drop all inbound packets that have the
      evil bit set.  Packets with the evil bit off MUST NOT be dropped.
      Dropped packets SHOULD be noted in the appropriate MIB variable.

      Intrusion detection systems (IDSs) have a harder problem.  Because of
      their known propensity for false negatives and false positives, IDSs
      MUST apply a probabilistic correction factor when evaluating the evil
      bit.  If the evil bit is set, a suitable random number generator
      [RFC1750] must be consulted to determine if the attempt should be
      logged.  Similarly, if the bit is off, another random number
      generator must be consulted to determine if it should be logged
      despite the setting.

      The default probabilities for these tests depend on the type of IDS.
      Thus, a signature-based IDS would have a low false positive value but
      a high false negative value.  A suitable administrative interface
      MUST be provided to permit operators to reset these values.
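For the fun of it, here is what a Section 4 compliant firewall and IDS look like in code. This is an added example written for this post, not text from RFC 3514. It assumes the bit position RFC 3514 fixes in its Section 3 (the high-order, formerly reserved bit of the 16-bit flags/fragment-offset field, which is not quoted in the excerpt above), builds its own constructed 20-byte IPv4 headers with a valid checksum, and uses a configurable per-IDS probability pair in place of the "administrative interface". The function names and the MIB counter name are invented for illustration.

```python
import random
import struct

# RFC 3514 section 3: the evil bit is the high-order bit of the 16-bit
# flags / fragment-offset field at byte offset 6 of the IPv4 header.
EVIL_BIT = 0x8000
IPV4_HDR_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words.

    Computed with the checksum field zeroed it yields the value to place
    in the header; computed over a valid header it yields 0.
    """
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(evil: bool, src: str = "192.0.2.1",
                      dst: str = "192.0.2.2", proto: int = 6) -> bytes:
    """Constructed sample header (TEST-NET addresses); evil bit as requested."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    flags_frag = EVIL_BIT if evil else 0
    fields = [0x45, 0, 20, 0x1234, flags_frag, 64, proto, 0, src_b, dst_b]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR_FMT, *fields))
    return struct.pack(IPV4_HDR_FMT, *fields)


def evil_bit_set(packet: bytes) -> bool:
    """True if the IPv4 header in `packet` carries the evil bit."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    return bool(flags_frag & EVIL_BIT)


def firewall_action(packet: bytes, mib: dict) -> str:
    """Section 4 firewall rule: DROP if evil, PASS otherwise.

    Drops are counted in `mib["evilBitDrops"]` (a hypothetical MIB
    variable name; the RFC only says "the appropriate MIB variable").
    """
    if evil_bit_set(packet):
        mib["evilBitDrops"] = mib.get("evilBitDrops", 0) + 1
        return "DROP"
    return "PASS"


def ids_should_log(packet: bytes, p_log_if_evil: float,
                   p_log_if_benign: float, rng=random) -> bool:
    """Section 4 IDS rule with the probabilistic correction factor.

    A separate draw is made depending on the bit's setting, so an evil
    packet may go unlogged and a benign one may be logged anyway. The
    two probabilities are the operator-settable defaults per IDS type.
    """
    if evil_bit_set(packet):
        return rng.random() < p_log_if_evil
    return rng.random() < p_log_if_benign


if __name__ == "__main__":
    mib = {}
    for evil in (True, False):
        pkt = build_ipv4_header(evil)
        print(f"evil={evil}: firewall {firewall_action(pkt, mib)}, "
              f"checksum ok={ipv4_checksum(pkt) == 0}")
    print("MIB:", mib)
```

Note that `evil_bit_set` only inspects bit 0x8000 of the flags field; a packet with DF or MF set but the evil bit clear still passes, as Section 4 requires.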
