Logical Traffic Isolation Using Differentiated Services

  • Tinus Strauss
  • Martin Olivier
  • Derrick Kourie
Part of the IFIP Advances in Information and Communication book series (IFIPAICT, volume 222)


This paper proposes a scheme in which the differentiated services field of IP headers is used to logically isolate network traffic for forensic purposes. The scheme is described and two example scenarios are presented to illustrate its utility. The scheme, which is based on standard networking technology, helps achieve isolation without additional network infrastructure. Moreover, the scheme is relatively easy to implement in an existing differentiated services network. The paper also discusses key design and configuration challenges that must be addressed in a successful implementation.


Network forensics, differentiated services, traffic isolation



Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Tinus Strauss (1)
  • Martin Olivier (1)
  • Derrick Kourie (1)
  1. University of Pretoria, Pretoria, South Africa
