RFC 3871           Operational Security Requirements      September 2004
4.1.  Identify Origin of IP Stack
   Requirement.
      The vendor SHOULD disclose the origin or basis of the IP stack
      used on the system.
   Justification.
      This information is required to better understand the possible
      security vulnerabilities that may be inherent in the IP stack.
   Examples.
      "The IP stack was derived from BSD 4.4", or "The IP stack was
      implemented from scratch."
   Warnings.
      Many IP stacks make simplifying assumptions about how an IP packet
      should be formed.  A malformed packet can cause unexpected
      behavior in the device, such as a system crash or buffer overflow
      which could result in unauthorized access to the system.
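
      The warning above, illustrated with an added example that is not
      part of RFC 3871 or of any vendor's stack: an IPv4 header check
      that trusts no length field until it has been compared with the
      number of bytes actually received.  All identifiers and the sample
      header are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ip4_check { IP4_OK, IP4_TRUNCATED, IP4_BAD_VERSION, IP4_BAD_IHL,
                 IP4_BAD_TOTLEN, IP4_BAD_CSUM };
/* Constructed sample: 20-byte header, 192.0.2.1 -> 192.0.2.2, valid checksum. */
static const uint8_t ip4_sample[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xB6, 0xD5, 0xC0, 0x00, 0x02, 0x01, 0xC0, 0x00, 0x02, 0x02 };

/* One's-complement sum of the header words; 0xFFFF means the checksum holds. */
static uint16_t ip4_hdr_sum(const uint8_t *p, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Check every length field against the bytes actually received (len)
 * before anything is read or copied using it. */
enum ip4_check ip4_validate(const uint8_t *pkt, size_t len)
{
    if (len < 20) return IP4_TRUNCATED;
    if ((pkt[0] >> 4) != 4) return IP4_BAD_VERSION;
    size_t hlen = (size_t)(pkt[0] & 0x0F) * 4;      /* IHL in bytes */
    if (hlen < 20 || hlen > len) return IP4_BAD_IHL;
    size_t totlen = ((size_t)pkt[2] << 8) | pkt[3]; /* Total Length */
    if (totlen < hlen || totlen > len) return IP4_BAD_TOTLEN;
    if (ip4_hdr_sum(pkt, hlen) != 0xFFFF) return IP4_BAD_CSUM;
    return IP4_OK;
}

/* Hypothetical helper: validate the sample with one byte overwritten. */
enum ip4_check ip4_validate_mutated(size_t off, uint8_t val, size_t len)
{
    uint8_t buf[sizeof ip4_sample];
    memcpy(buf, ip4_sample, sizeof buf);
    if (off < sizeof buf) buf[off] = val;
    return ip4_validate(buf, len <= sizeof buf ? len : sizeof buf);
}

int main(void)
{
    printf("intact=%d ihl=%d totlen=%d\n", ip4_validate(ip4_sample, 20),
           ip4_validate_mutated(0, 0x4F, 20), ip4_validate_mutated(3, 0xFF, 20));
}
```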
4.2.  Identify Origin of Operating System
   Requirement.
      The vendor SHOULD disclose the origin or basis of the operating
      system (OS).
   Justification.
      This information is required to better understand the security
      vulnerabilities that may be inherent to the OS based on its
      origin.
   Examples.
      "The operating system is based on Linux kernel 2.4.18."
   Warnings.
      None.
Jones                        Informational                     [Page 70]



