[ntp:questions] Re: Strange IP flags set in NTP conversation

Vernon Schryver vjs at calcite.rhyolite.com
Wed Oct 15 03:35:05 UTC 2003

In article <RP6dnag0Mu3ADhGiRVn-uA at speakeasy.net>,
Michael Sierchio  <kudzu at tenebras.com> wrote:

>> Do you have an exgesis of DS RFCs showing 0x10 is invalid?
>When looked at as a DS field, the upper six bits are the differentiated
>services code, and 0x04 is undefined.  0x04 in the upper six bits is
>the same as 0x10 in the byte if I have counted my bits correctly.  I
>suppose I shouldn't look at these for UDP anyway.  But there is malware
>that uses these as a subliminal channel.

I have vague recollections to the effect that the official DS values
were chosen to be different from the old TOS values.  Section 4 of
RFC 2474 seeems to support those fuzzy memories.

>> There are plenty of routers that honor the old TOS values.
>I suppose those same routers don't handle explicit congestion
>notification ?

I'd rather not say, since I'd be guessing.  What does RFC 1812 say?
I do have other vague recollections that the TCP/IP ECN bits were also
chosen to not collide with the TOS values.

Vernon Schryver    vjs at rhyolite.com

More information about the questions mailing list