IP options: "0x14"

dcmueller (Level 1)

I have noticed these notices from my PIX on my SYSLOG servers

ccsd-pixe0 Jun 19 2002 00:14:08: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.150.183.38, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:14:03: %PIX-2-106012: Deny IP from 10.40.1.165 to 204.71.61.248, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:58: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.150.183.38, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:53: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.210.47.68, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:48: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.150.183.38, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:48: %PIX-2-106012: Deny IP from 10.40.1.165 to 204.71.61.248, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:42: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.210.47.68, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:41: %PIX-2-106012: Deny IP from 10.40.1.165 to 204.71.61.248, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:33: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.210.47.68, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:01: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.46, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:50: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.46, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:44: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.87, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:39: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.82, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:34: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.87, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:28: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.132, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:23: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.210.47.22, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:17: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.236.98.10, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:12: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.210.47.22, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:07: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.87, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:07: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.236.98.10, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:06: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.210.47.22, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:02: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.82, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:12:00: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.236.98.10, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:11:56: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.132, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:11:56: %PIX-2-106012: Deny IP from 10.40.1.165 to 208.45.172.82, IP options: "0x14"

Cisco's explanation for alarm 106012 is "An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded."

OK, now: what created these packets? It's a machine running Windows 95, and if I can't solve it, it's time for a reload (98 is next).

I have seen some references to MS NetMeeting on the 'net about it causing these errors, but no explanation as to why. This machine is not using NetMeeting, btw.

From http://www.iana.org/assignments/ip-parameters :

The Internet Protocol (IP) has provision for optional header fields identified by an option type field. Options 0 and 1 are exactly one octet which is their type field. All other options have their one octet type field, followed by a one octet length field, followed by length-2 octets of option data. The option type field is sub-divided into a one bit copied flag, a two bit class field, and a five bit option number. These taken together form an eight bit value for the option type field. IP options are commonly referred to by this value.

Copy Class Number Value Name                                  Reference
---- ----- ------ ----- ------------------------------------- ---------------
0    0     0      0     EOOL   - End of Options List          [RFC791,JBP]
0    0     1      1     NOP    - No Operation                 [RFC791,JBP]
1    0     2      130   SEC    - Security                     [RFC1108]
1    0     3      131   LSR    - Loose Source Route           [RFC791,JBP]
0    2     4      68    TS     - Time Stamp                   [RFC791,JBP]
1    0     5      133   E-SEC  - Extended Security            [RFC1108]
1    0     6      134   CIPSO  - Commercial Security          [???]
0    0     7      7     RR     - Record Route                 [RFC791,JBP]
1    0     8      136   SID    - Stream ID                    [RFC791,JBP]
1    0     9      137   SSR    - Strict Source Route          [RFC791,JBP]
0    0     10     10    ZSU    - Experimental Measurement     [ZSu]
0    0     11     11    MTUP   - MTU Probe                    [RFC1191]*
0    0     12     12    MTUR   - MTU Reply                    [RFC1191]*
1    2     13     205   FINN   - Experimental Flow Control    [Finn]
1    0     14     142   VISA   - Experimental Access Control  [Estrin]
0    0     15     15    ENCODE - ???                          [VerSteeg]
1    0     16     144   IMITD  - IMI Traffic Descriptor       [Lee]
1    0     17     145   EIP    - Extended Internet Protocol   [RFC1385]
0    2     18     82    TR     - Traceroute                   [RFC1393]
1    0     19     147   ADDEXT - Address Extension            [Ullmann IPv7]
1    0     20     148   RTRALT - Router Alert                 [RFC2113]
1    0     21     149   SDB    - Selective Directed Broadcast [Graff]
1    0     22     150   NSAPA  - NSAP Addresses               [Carpenter]
1    0     23     151   DPS    - Dynamic Packet State         [Malis]
1    0     24     152   UMP    - Upstream Multicast Pkt.      [Farinacci]

Just a little curious...
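The copied-flag / class / number split described in the IANA text above can be applied directly to the "0x14" byte in these 106012 messages. The following is an added example (not part of the original post or of any Cisco tool): it parses the syslog lines, counts denies per source host and option byte, and decodes the byte using the option numbers from the table. For 0x14 it yields copied=0, class=0, number=20, i.e. the Router Alert option number but with the copied flag clear, whereas the table's RTRALT entry (value 148) has that flag set. The three log lines embedded are copied from the post; the regex and function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: three of the %PIX-2-106012 lines quoted in the post.
SAMPLE_LOG = """\
ccsd-pixe0 Jun 19 2002 00:14:08: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.150.183.38, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:14:03: %PIX-2-106012: Deny IP from 10.40.1.165 to 204.71.61.248, IP options: "0x14"
ccsd-pixe0 Jun 19 2002 00:13:58: %PIX-2-106012: Deny IP from 10.40.1.165 to 63.150.183.38, IP options: "0x14"
"""

# Option numbers (the low five bits of the type byte) from the IANA table above.
IANA_OPTION_NUMBERS = {
    0: "EOOL", 1: "NOP", 2: "SEC", 3: "LSR", 4: "TS", 5: "E-SEC", 6: "CIPSO",
    7: "RR", 8: "SID", 9: "SSR", 10: "ZSU", 11: "MTUP", 12: "MTUR", 13: "FINN",
    14: "VISA", 15: "ENCODE", 16: "IMITD", 17: "EIP", 18: "TR", 19: "ADDEXT",
    20: "RTRALT", 21: "SDB", 22: "NSAPA", 23: "DPS", 24: "UMP",
}

# Matches the body of a 106012 message; the hex option byte is captured.
LINE_RE = re.compile(
    r'%PIX-2-106012: Deny IP from (?P<src>[\d.]+) to (?P<dst>[\d.]+), '
    r'IP options: "0x(?P<opt>[0-9a-fA-F]{2})"'
)

def decode_option_type(value):
    """Split an 8-bit option type into (copied flag, class, number) per RFC 791."""
    copied = (value >> 7) & 0x1   # bit 7: copy option into every fragment
    klass = (value >> 5) & 0x3    # bits 5-6: 0 = control, 2 = debugging/measurement
    number = value & 0x1F         # bits 0-4: option number
    return copied, klass, number

def describe_option(value):
    """Decode a type byte and name it from the IANA table by option number."""
    copied, klass, number = decode_option_type(value)
    return {"value": value, "copied": copied, "class": klass, "number": number,
            "name": IANA_OPTION_NUMBERS.get(number, "unassigned")}

def summarize(log_text):
    """Count 106012 denies per (source host, option byte) and decode each byte."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m.group("src"), int(m.group("opt"), 16))] += 1
    return {key: (n, describe_option(key[1])) for key, n in counts.items()}
```

Run `summarize` over a full day's export to see which internal hosts emit optioned packets and whether the option byte ever changes; a single host with one constant byte, as here, points at that host's IP stack rather than at a range of sources.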

2 Replies

mmellet (Level 3)

I would reinstall Windows clean. Perhaps a virus or IP stack modification happened on that machine.

luisroja (Level 1)

A PIX firewall running code earlier than 7.0(1) won't be able to let those packets pass through, since the options are removed by default.

What you can do is upgrade the PIX to 7.0(1) (8.0 is preferred) and configure a tcp-map that allows this. For example:

0x14: "0x" means a hex value, and 14 is the hex value. So 14 in hex = 20 in decimal.

That being said, the TCP map would be like this:

tcp-map IP-OPT
  tcp-options range 20 20 allow

Then, you must specify this in the MPF configuration:

class-map TCP-opt
  match any

policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512

policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  class TCP-opt
    set connection advanced-options IP-OPT

That will do the trick.

Let me know how it goes.

--Armando Rojas

--Security Engineer