arxiv.org
Uncovering Gaps Between RFC Updates and TCP/IP Implementations
Excerpt
As the core of the Internet infrastructure, the TCP/IP protocol stack carries the task of network data transmission. However, because of the complexity of the protocol and the uncertainty of cross-layer interaction, there are often inconsistencies between the protocol stack code and the RFC standard. Such inconsistencies may not only lead to differences in protocol behaviour but also cause serious security vulnerabilities. … We conduct extensive evaluations to validate our framework, demonstrating that it identifies potential vulnerabilities caused by RFC/code inconsistencies. Our experiments reveal 15 inconsistencies between code implementations and protocol specifications, including ISN generation, TCP challenge acknowledgments, TCP authentication, and TCP timestamp options across multiple operating systems. These inconsistencies can introduce serious vulnerabilities (e.g., traffic amplification and replay attacks) in the TCP/IP protocol suite.

…

## 1 Introduction

In the field of network and distributed systems, adherence to RFC (Request for Comments) specifications is crucial for ensuring the security and robustness of protocol implementations. ... However, inconsistencies between these specifications and their corresponding code can introduce various vulnerabilities, ranging from functional deviations to severe security risks such as traffic amplification and replay attacks. … Experimental results show that our approach achieves 91.1% accuracy and an F1 score of 0.857 based on GPT-4o, significantly outperforming vanilla LLM-based detection. As a result, our framework identified 15 inconsistencies between the code implementations and protocol specifications, including ISN generation, TCP challenge acknowledgment, TCP authentication, and TCP timestamp options, which can introduce serious vulnerabilities like traffic amplification, data injection, and TCP RST spoofing.
…

## 2 Background

The TCP/IP protocol stack has experienced decades of development. As security issues and new features emerge, RFC standard documents are frequently updated, making compatibility and maintenance between versions a huge challenge. There are significant differences in the code implemented by different vendors and communities, leading to increased collaboration and interoperability issues. At the same time, because developers understand the standards differently and certain features are not implemented according to the standards (or are not implemented at all), inconsistencies between code and protocol standards may lead to corresponding security issues and functional failures.

… An attacker can easily disconnect a legitimate TCP connection by guessing the connection’s four-tuple (source IP, destination IP, source port, destination port) and the sliding window range, and then sending a forged RST packet. Such attacks can lead to service disruptions (e.g., termination of HTTP, SSH, or database connections) and present a denial of service (DoS) risk, particularly affecting long-lived connections like video streams or remote control services.

…

**Scalability in Large-Scale Code and Specifications.** The amount of code in the protocol stack and the length of the RFC documents are both very large, which poses a serious challenge to the scalability of the detection process. In addition, there are multiple protocol implementations (such as Linux and FreeBSD), and achieving comprehensive coverage requires a lot of human effort and computing resources, resulting in high time and compute costs.

…

#### 4.3.2 Incremental Specification Graph Construction

... With advancements in technology and evolving security requirements, protocol specifications are continually updated—typically through revisions and deprecations in RFC documents, which are indicated in the Standards Track to guide developers in their code implementations.
However, system development and standard updates are not always synchronized, so different versions of systems may not adapt to the latest standards in time, leading to inconsistencies between the code implementation and the specification and potentially introducing security vulnerabilities.

…

- RFC793 → RFC2385 → RFC5925: Addresses TCP authentication, transitioning from TCP MD5 signatures to TCP Authentication Options (TCP-AO).
- ... RFC793 → RFC1323 → RFC7323: Pertains to TCP performance extensions, such as window scaling and timestamps, and includes security considerations like PAWS and timestamp-related issues.

…

| RFC | Inconsistency | Risk |
|---|---|---|
| … | … | Replay attack risks. |
| RFC 7323 | Non-RST segment timestamps are not enforced (only `sysctl_tcp_timestamps` is checked) and `tcp_v4_reqsk_send_ack` directly uses `req->rcv_wnd` without right-shift, ignoring the window scaling factor; random per-connection timestamp offsets are not implemented, with timestamp handling relying on `tcp_time_stamp`. … | RST spoofing attack. Blind in-window attack. ACK injection attack. |
| RFC 5925 | Missing support for TCP Authentication Option (TCP-AO). | Replay attack risks. |
| RFC 7323 | Non-RST segment timestamps are not enforced (only `sysctl_tcp_timestamps` is checked) and `tcp_v4_reqsk_send_ack` directly uses `req->rcv_wnd` without right-shift; random per-connection timestamp offsets are not implemented, relying on `tcp_time_stamp`. | … |
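The receive-side checks that the RST attack in Section 2 and the RFC 7323 findings above concern, modelled as an added example in C (not code from the paper or from the Linux kernel; the `tcb` struct, the function names and the sample connection state are constructed here): the advertised window is right-shifted by the negotiated scale factor, a non-RST segment without a valid timestamp is dropped under PAWS, and a RST is only honoured when its sequence number equals RCV.NXT, with an in-window but inexact RST answered by a challenge ACK as RFC 5961 specifies. Per-connection random timestamp offsets are not modelled.

```c
/* Model of three receive-side checks (added example; names are ours). */
#include <stdint.h>
#include <stdbool.h>

struct tcb {                /* minimal per-connection state (constructed) */
    uint32_t rcv_nxt;       /* next sequence number expected */
    uint32_t rcv_wnd;       /* receive window in bytes */
    uint8_t  rcv_wscale;    /* window scale we advertised (RFC 7323 s2) */
    uint32_t ts_recent;     /* last TSval accepted (RFC 7323 s5, PAWS) */
    bool     ts_ok;         /* timestamps negotiated on this connection */
};

/* Sample connection state used by the checks below (constructed values). */
static const struct tcb sample_tcb = {
    .rcv_nxt = 1000, .rcv_wnd = 65536, .rcv_wscale = 2,
    .ts_recent = 500, .ts_ok = true };

enum rst_verdict { RST_DROP, RST_CHALLENGE_ACK, RST_ACCEPT };

/* Window field for the wire: the real window right-shifted by the scale
 * factor and saturated to 16 bits. Sending rcv_wnd without the shift (the
 * req->rcv_wnd finding) misreports the window by a factor of 2^rcv_wscale. */
uint16_t advertised_window(const struct tcb *tcb)
{
    uint32_t w = tcb->rcv_wnd >> tcb->rcv_wscale;
    return w > 0xFFFF ? 0xFFFF : (uint16_t)w;
}

/* PAWS (RFC 7323 s5.2): a non-RST segment whose TSval is older than
 * ts_recent (modulo 2^32) is an old duplicate and is dropped; once
 * timestamps are negotiated, a non-RST segment without TSopt is dropped
 * too (RFC 7323 s3.2). RST segments are exempt from PAWS. */
bool paws_accept(const struct tcb *tcb, bool has_ts, uint32_t tsval, bool is_rst)
{
    if (is_rst || !tcb->ts_ok)
        return true;
    if (!has_ts)
        return false;
    return (int32_t)(tsval - tcb->ts_recent) >= 0;
}

/* RFC 5961 s3.2: only a RST with SEQ == RCV.NXT resets the connection; an
 * in-window RST with any other SEQ gets a challenge ACK, so guessing the
 * four-tuple and window alone is not enough to tear the connection down. */
enum rst_verdict classify_rst(const struct tcb *tcb, uint32_t seq)
{
    if (seq == tcb->rcv_nxt)
        return RST_ACCEPT;
    if ((uint32_t)(seq - tcb->rcv_nxt) < tcb->rcv_wnd)
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}
```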