Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275
  • Last Modified:

Is the tcp "options" header always preserved over switches, routers, & firewalls?

I want to make use of the TCP "options" header (see http://www.freesoft.org/CIE/Course/Section4/8.htm) in an application.  Is the tcp "options" header always preserved over switches, routers, & firewalls?
1 Solution
Are you asking about putting un-standardised data in the header? If you diverge from the already standardised option types, you risk getting into problems with devices that do more than just simple forwarding of the packets.

A switch or a simple router will not alter or drop the tcp options header. They don't even look at, or care, about what is in this header.

Firewalls / intrusion detection/prevention systems / home broadband routers doing NAT and other more complex network devices might look at this header and drop or alter what is there if they do not understand the contents. Even with well documented tcp option types, there have been many examples of firewalls/NAT etc that got it wrong and caused problems.

See RFC 2780: http://www.ietf.org/rfc/rfc2780.txt
"Security analyzers such as firewalls and network intrusion detection monitors often rely on unambiguous interpretations of the fields described in this memo.  As new values for the fields are assigned, existing security analyzers that do not understand the new values may fail, resulting in either loss of connectivity if the analyzer declines to forward the unrecognized traffic, or loss of security if it does forward the traffic and the new values are used as part of an attack."

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now