zeek-plugin-bacnet
Initialize-Routing-Table message X'06' and Initialize-Routing-Table-Ack message X'07'
An Initialize-Routing-Table message is indicated by a network_layer_message_type of X'06' followed by a "Number of Ports" field. Valid values for this field are 0-255. Figure 6-11 specifies that Number of Ports is 1 octet, but nowhere in the prose of the standard, outside of Figure 6-11, is the size of the field given; the prose only describes it as an unsigned integer. As the following paragraph shows, the possibility of an implementation sending a multi-octet "Number of Ports" is the least of the things to worry about.
If an Initialize-Routing-Table message is sent with Number of Ports equal to zero, the responding device shall return its complete routing table in an Initialize-Routing-Table-Ack message without updating its own routing table. If an Initialize-Routing-Table message is sent with Number of Ports greater than zero, a routing table follows: content of unlimited length, standardized but extensible. As you can immediately grasp (and gasp!) from that sentence, the standard's authors were awfully naive in 1995. If a router acknowledges having executed an Initialize-Routing-Table update message, that is, one with a non-zero value in the Number of Ports field, it shall return an Initialize-Routing-Table-Ack without data.
Basically, the Initialize-Routing-Table message with Number of Ports equal to zero does see some use, by tools doing dynamic discovery of the routing topology. Even when performed legitimately, it is a strong indication of someone mapping the network and should always be treated accordingly.
An Initialize-Routing-Table message sent with Number of Ports greater than zero might as well be called "Infect-Router-With-Payload" and should always be treated accordingly. A router that sends an acknowledgment of an Initialize-Routing-Table update message should be remarked upon with some amusement at the virus-writer's sense of humor: that packet was likely an attempt to root the router, and if it succeeded, the router still bothering to send an acknowledgment of the Initialize-Routing-Table update message is execution of code the attacker included.
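The following parser and classifier is an added example written for this page; it is not code from zeek-plugin-bacnet. It decodes the two message bodies described above (starting at the Message Type octet, i.e. after the NPCI) and labels each one the way the paragraphs above interpret it: a zero-port request as a topology query to log and review, a non-zero-port request as a remote write of the routing table to alert on, an ack carrying a table as the answer to a query, and an empty ack as confirmation that an update was executed. The per-port layout it assumes, DNET (2 octets), Port ID (1 octet), Port Info Length (1 octet) and Port Info, follows the standard's routing-table figure as I understand it; the sample messages are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import List

# Network-layer message type octets from the page (X'06' and X'07').
INIT_ROUTING_TABLE = 0x06
INIT_ROUTING_TABLE_ACK = 0x07


@dataclass
class PortEntry:
    dnet: int         # destination network number (2 octets), assumed layout
    port_id: int      # router port identifier (1 octet), assumed layout
    port_info: bytes  # opaque, length-prefixed Port Info, assumed layout


@dataclass
class RoutingTableMessage:
    message_type: int
    number_of_ports: int
    ports: List[PortEntry]
    trailing: bytes  # octets after the last declared port entry; should be empty


def parse_routing_table_message(body: bytes) -> RoutingTableMessage:
    """Parse a network-layer message body that starts at the Message Type
    octet (after the NPCI).  Raises ValueError on anything malformed."""
    if not body:
        raise ValueError("empty network-layer message")
    msg_type = body[0]
    if msg_type not in (INIT_ROUTING_TABLE, INIT_ROUTING_TABLE_ACK):
        raise ValueError(f"not a routing-table message: X'{msg_type:02X}'")
    if msg_type == INIT_ROUTING_TABLE_ACK and len(body) == 1:
        # Ack of an update carries no data at all, not even Number of Ports.
        return RoutingTableMessage(msg_type, 0, [], b"")
    if len(body) < 2:
        raise ValueError("missing Number of Ports octet")
    number_of_ports = body[1]  # one octet, as in Figure 6-11
    offset = 2
    ports: List[PortEntry] = []
    for index in range(number_of_ports):
        if len(body) - offset < 4:
            raise ValueError(f"port entry {index} truncated (header)")
        dnet, port_id, info_len = struct.unpack_from("!HBB", body, offset)
        offset += 4
        if len(body) - offset < info_len:
            raise ValueError(f"port entry {index} truncated (Port Info)")
        port_info = body[offset:offset + info_len]
        offset += info_len
        ports.append(PortEntry(dnet, port_id, port_info))
    return RoutingTableMessage(msg_type, number_of_ports, ports, body[offset:])


def classify(msg: RoutingTableMessage) -> str:
    """Map a parsed message to the interpretation given on this page."""
    if msg.message_type == INIT_ROUTING_TABLE_ACK:
        # A table in the ack answers a query; an empty ack means the router
        # just executed a routing-table update sent to it.
        return "table-dump" if msg.number_of_ports else "update-acknowledged"
    if msg.number_of_ports == 0:
        return "routing-table-query"   # topology discovery: log and review
    return "routing-table-update"      # remote routing-table write: alert


# Constructed sample messages (not captured traffic).
SAMPLE_QUERY = bytes([INIT_ROUTING_TABLE, 0x00])
SAMPLE_UPDATE = (
    bytes([INIT_ROUTING_TABLE, 0x02])
    + struct.pack("!HBB", 1, 1, 0)                                # DNET 1 via port 1, no Port Info
    + struct.pack("!HBB", 2, 2, 6) + b"\xc0\xa8\x01\x01\xba\xc0"  # DNET 2 via port 2, 6 octets Port Info
)
SAMPLE_ACK_EMPTY = bytes([INIT_ROUTING_TABLE_ACK])
SAMPLE_ACK_TABLE = bytes([INIT_ROUTING_TABLE_ACK, 0x01]) + struct.pack("!HBB", 5, 1, 0)
SAMPLE_TRUNCATED = bytes([INIT_ROUTING_TABLE, 0x03]) + struct.pack("!HBB", 1, 1, 0)


if __name__ == "__main__":
    samples = [("query", SAMPLE_QUERY), ("update", SAMPLE_UPDATE),
               ("ack-empty", SAMPLE_ACK_EMPTY), ("ack-table", SAMPLE_ACK_TABLE),
               ("truncated", SAMPLE_TRUNCATED)]
    for name, sample in samples:
        try:
            msg = parse_routing_table_message(sample)
            print(f"{name}: {classify(msg)} ports={msg.number_of_ports} "
                  f"entries={[(p.dnet, p.port_id, p.port_info.hex()) for p in msg.ports]}")
        except ValueError as exc:
            print(f"{name}: malformed ({exc})")
```

The declared Number of Ports is trusted only as far as the octets actually present: every entry is bounds-checked before it is read, a declared count that outruns the message is reported as malformed rather than silently shortened, and any octets left over after the declared entries are kept in `trailing` so a monitoring rule can flag a message that carries more than its header claims.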