Applying Self-Shielding Dynamics to the Network Architecture
The static nature of computer networks allows attackers to gather intelligence, perform planning, and then execute attacks at will. Further, once an attacker has gained access to a node within an enclave, there is little to stop a determined attacker from mapping out and spreading to other hosts and services within the enclave. To reduce the impact and spread of an attack before it is detected and removed, semantic changes can be made to several fundamental aspects of the network in order to create cryptographically-strong dynamics. In this chapter, we describe such an architecture designed on top of IPv6 for a wired network enclave. User and operating system impacts are mitigated through the use of a hypervisor, and the dynamics remain compatible with existing network infrastructure. At the same time, an attacker’s ability to plan, spread, and communicate within the network is significantly limited by the imposed dynamics.
Keywords: Intermediate Node, Legitimate User, IPv6 Address, Network Administrator, Address Resolution Protocol
The authors would like to thank AFRL for funding this research under contracts FA8750-10-C-0089 and FA8750-11-C-0179. We would like to thank our program manager Mr. Walt Tirenin from AFRL and Mr. Lynn Meredith from Lockheed Martin for their valuable suggestions and advice during this project.