Virus Risks of RFC1149 and RFC2549

Allan Dyer

A recent Gartner report has concluded, “A pandemic wouldn't affect IT systems directly” however, the author feels that Gartner has neglected to consider RFC1149 and RFC2549 in its analysis. This paper addresses this oversight and makes recommendations for administrators of networks using these standards.

Although first published in 1990, there were no reports of implementation of RFC1149 until 2001, when the Bergen Linux User Group successfully implemented the protocol stack for Linux . However, the standard has attracted a fair amount of attention (see this, this and this), including the 1999 update to add QoS, RFC2549. Unfortunately, most network technology surveys do not ask specifically about deployment of RFC1149 networks, so there is no data on the extent of use. Survey respondents with RFC1149 networks might have reported them as a wireless technology and some surveys indicate that wireless usage is increasing. Therefore, it would be dangerous to assume that RFC1149-compliant networks have not been deployed. Other uses for avian carriers have also been proposed. It should also be noted that the use of avian carriers for data communications networks pre-dates TCP/IP (see this and this). This article only considers TCP/IP networks, but the basic conclusions should be applicable to other avian carrier-based networks, and other uses of avian carriers.

The current threat is the spread of a virus known as avian influenza A (H5N1). Note that this name does not conform to the CARO Naming Scheme, it is unknown whether avian influenza A (H5N1) (referred to as H5N1 in the remainder of this paper) has been analysed by any CARO members. A CME identifier has not been issued. Although there are many reports of H5N1 in the press, it is not listed on the current Wildlist.

H5N1 may result in:

Infection of carriers leading to Carrier Loss. RFC1149 notes, “With time, the carriers are self-regenerating”, but infection by H5N1 may cause loss of carriers faster than they can be regenerated.

Culling. When an outbreak of H5N1 occurs, civil authorities generally require immediate termination of all carriers in the affected area, whether or not infected.

Loss of connectivity. Civil authorities are already imposing a ban on imports from affected areas.

Endpoint infection. Although not mandated by RFC1149, current implementations generally use a human to load and unload packets on the carriers. There is a risk of infection of the endpoints from direct contact with carriers. This may also lead to a reassortment event or adaptive mutation. The resulting strain could cause a human pandemic. Note that the resulting strain would be distinct from H5N1, and it should be given a new name and CME identifier.

Thus, the usual response to an outbreak of H5N1 will cause a network outage far beyond the actual infection. Areas closer to the infection will suffer from a loss of all carriers. In the worst case, endpoints may be infected, leading to loss of endpoints and a global human pandemic.

How should network administrators address these threats?

Administrators of RFC1149 networks should be aware that H5N1 can cause a catastrophic loss of network connectivity. Be prepared to re-route traffic to alternate network connections that are not dependant on RFC1149.

Current computer anti-virus products do not operate low enough in the protocol stack – they are completely unable to detect or destroy H5N1 because it operates at the physical layer. Likewise, encryption (including IPSec VPNs) and integrity checking, while preventing modification of data, will not prevent infection.

A reassortment event is a possibility if an endpoint is infected with H5N1 and a human influenza virus simultaneously. Therefore, endpoints should be quarantined if they show signs of infection by human influenza.

If an infection occurs, carriers should be terminated without delay. Note that, unlike most computer viruses, termination of the carrier does not render H5N1 non-infective. Terminated carriers must be disposed of in a secure manner. Endpoints should not consume terminated carriers.

Endpoints should be handled differently. Note that, in most jurisdictions, it is illegal to terminate endpoints, even if they are infected.

If lost, carriers and endpoints should not be rebooted. The results are usually considered unsatisfactory.

It is clear that H5N1 can cause catastrophic failure of RFC1149 networks. Further study is required to assess the deployment of such networks, and the effects of such failure.

Slashdot   Slashdot It! | Share