Mar 27, 2012
IP(v6) packet staining
draft-macaulay-6man-packet-stain-00
IETF 83 March 2012 Tyson Macaulay, VP Technology, 2Keys Security Solutions
[email protected] +16132929132
Draft released Feb 14th 2012
Prior work
• Summer 2010: http://iac.dtic.mil/iatac/download/Vol13_No3.pdf
• Fall 2010: http://iac.dtic.mil/iatac/download/Vol13_No4.pdf
• Winter 2011: http://iac.dtic.mil/iatac/download/Vol14_No1.pdf
Why?
Older detection approaches are failing
• Time between compromise and exploitation can be sub-second
• Too much latency between detection and intelligence distribution
• .dat files and CRLs are huge – Not appropriate for metered services (3G/4G)
• On-line queries subject to disruption and compromise
Threat landscape (>2015), as shown in the figure:
• Multi-layer (5+) defence: Legacy controls + Proactive Intelligence + Smart device security
• Threat actors: Hacktivists, Spies, Criminals, Soldiers, Terrorists
• Business data: risk = reputation risk = compliance risk = financial risk = intellectual property risk
• Control data (kinetic), Artificial Intelligence / Autonomous Threats: = physical risk = property risk
What?
Reputation and Threat Intelligence (figure): correlation and aggregation of
• Closed source threat intelligence: traffic flow analysis, messaging / web analysis, customer support, intra-carrier info sharing, product vendor subscriptions
• Open source info: Spamhaus, MAAWG, CERT, SANS, Team Cymru
• Domain Name Services: DNS traffic shaping
How?
IP header staining – candidate locations for the stain:
• IPv4 header (X): Not enough space / fully allocated
• IPv6 header (X X): Largely not supported by network nodes or end-points; short on space and trend towards other uses (load balancing)?
• Destination Options extension header (Nxt Hdr, Ext length fields): Does not require “slow path” processing + has space for many stains + has space for digital signature as appropriate
Destination Options format
Option type: 8-bit identifier of the type of option. The option identifier for the reputation stain option will be allocated by the IANA.
Option length: 8-bit unsigned integer. The length of the option (excluding the Option Type and Option Length fields).
S bit: When this bit is set, the reputation stain option has been signed.
U bit: When this bit is set, the reputation stain option contains a malicious URL.
Stain data: Contains the stain (reputation information) data.
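As an added example (not code from the draft or its author), a small Python builder and reader for the stain option carried in an IPv6 Destination Options header, of the kind a staining reading device such as a PMD or endpoint would need. It assumes the S and U bits are the two high bits of the first octet of the stain data, uses the RFC 4727 experimental option type 0x1E as a stand-in for the IANA value the draft has not yet been allocated, and the sample stain value is constructed.

```python
# Stand-in option type: the draft says IANA will allocate it; 0x1E is the
# RFC 4727 experimental (skip-if-unknown) option type, used here only as a placeholder.
STAIN_OPT_TYPE = 0x1E
FLAG_S = 0x80  # assumption: S (signed) bit = top bit of the first stain octet
FLAG_U = 0x40  # assumption: U (malicious URL) bit = next bit of that octet
PAD1, PADN = 0, 1  # standard IPv6 padding options
NEXT_HDR_TCP = 6

def build_dest_opts(next_hdr, stain, signed=False, has_url=False):
    """Return an IPv6 Destination Options header carrying one stain option."""
    flags = (FLAG_S if signed else 0) | (FLAG_U if has_url else 0)
    opt_data = bytes([flags]) + stain
    if len(opt_data) > 255:
        raise ValueError("stain too long for the 8-bit option length")
    options = bytes([STAIN_OPT_TYPE, len(opt_data)]) + opt_data
    # Nxt Hdr + Ext length + options must total a multiple of 8 octets.
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += bytes([PAD1])
    elif pad > 1:
        options += bytes([PADN, pad - 2]) + bytes(pad - 2)
    hdr_ext_len = (2 + len(options)) // 8 - 1  # 8-octet units, first 8 excluded
    return bytes([next_hdr, hdr_ext_len]) + options

def read_stain(hdr):
    """Parse a Destination Options header; return (next_hdr, stain dict or None).
    Truncated or malformed input raises ValueError so a reader fails closed."""
    if len(hdr) < 2:
        raise ValueError("truncated header")
    next_hdr, total = hdr[0], (hdr[1] + 1) * 8
    if len(hdr) < total:
        raise ValueError("header shorter than Ext length claims")
    i, stain = 2, None
    while i < total:
        if hdr[i] == PAD1:  # Pad1 has no length octet
            i += 1
            continue
        if i + 1 >= total or i + 2 + hdr[i + 1] > total:
            raise ValueError("option runs past end of header")
        otype, olen = hdr[i], hdr[i + 1]
        data = hdr[i + 2:i + 2 + olen]
        if otype == STAIN_OPT_TYPE and olen >= 1:
            stain = {"signed": bool(data[0] & FLAG_S),
                     "url": bool(data[0] & FLAG_U),
                     "data": bytes(data[1:])}
        i += 2 + olen  # other options are skipped, never interpreted as a stain
    return next_hdr, stain
```

A reader that enforces policy on the stain should treat a parse failure as "no trusted stain" rather than as a neutral packet.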
IPv6 concept of operations (figure): stain applied as Destination Option header extension
• An untreated IPv6 packet passes through a Packet Manipulation Device (PMD), located in the carrier network or, alternatively, in the enterprise network, where the stain is applied.
• A perimeter device may read the stain and apply policy – or pass the packet to the endpoint.
• The end point device reads the stain and applies policy.
Networks shown: carrier network, Internet / partner intranet network, enterprise network.
Questions & Comments to date
Draft 01 (April 2012):
– Is this legal?
– Provide sample code?
– More details on S and U bits
– Add use-case for home users (mitigate loss of NAT firewalls)
– Add stain semantics
– Discuss scalability advantages over .dat or CRL-type solutions
– Discuss reputation algorithms
Conclusion
Is “packet staining” worth pursuing?
Back-up
Use-cases (figure): IP Packet Staining
Elements shown: Internet; Bot Master (SSL); Peers X, Y, Z; AS 666 / Peer W; compromised device; intelligence source; Carrier Network PMD; intelligence distribution; intelligence management; stain consumers: Smart Transport, Smart Medicine, Smart Home, Enterprise WAN, Industrial Control.
Legend: stained packet from suspect source; unstained / neutral packet; compromised / victim device; Packet Manipulation Device (PMD); “staining reading device”.
© Tyson Macaulay 2011