Active and Passive Monitoring and Analysis of IP Option Header Transparency from Covert Channel Point of View

In a context of network covert channels, unused header fields in communication protocols are vulnerable to embed secret data. An IP Option field in the IP header is considered as one of useful spaces for constructing the Internet-wide network covert channels. On the other hand, IP packets with IP Option have been said non-transparent on the global Internet. This paper investigates how an IP packet with IP option can be going through over the Internet by active and passive monitoring methods. At first, we investigated AS border traffic in an academic AS and a commercial IX. The result was that only four types of IP Options, Route Record (RR), Time Stamp (TS), No Operation (NOP) and End of Option List (EOOL), were observed. Then, we preliminary evaluated transparency of these four types IP Options over the global Internet by probing from ten Planetlab nodes on six countries against 5,000 randomly chosen destination IP addresses and 11,251 intermediate routers. Both destination addresses and intermediate routers were included in 1,132 intermediate ASes. As the active measurement result, 57% routers replied to IP packets with the RR Option, that is, the RR Option was transparent in 914 intermediate ASes on this experiment. On the other hand, 41% of intermediate routers replied probe packets with the TS option, that is, the TS Option was transparent in 811 intermediate ASes on this experiment.