Identity-Based Internet Protocol Network

Presented at ShmooCon IX (2013).

The Identity-Based Internet Protocol (IBIP) Network project is experimenting with a new, enterprise-oriented network architecture that uses standard IPv6 to encode user and host identity (ID) information into the IP address. Our motivation is to improve our security posture by leveraging identity, reducing our threat exposure, enhancing situational understanding of our environment, and simplifying network operations. Our current implementation uses credentials from the Common Access Card (CAC) and from the computer's Trusted Platform Module (TPM) to establish a user ID, a host ID, and an IP address. A registration process, built on top of 802.1X, runs between the host and a RADIUS server. After validating the credentials, the RADIUS server automatically configures the edge router fronting the host with the appropriate access privileges, so that no IP address spoofing (or impersonation) is permitted. Client hosts do not have their IP addresses advertised, which makes them unreachable by, and hidden from, reconnaissance initiated by other clients. Servers have their IP addresses advertised as usual. A unique IPv6 extension header was conceived to let return traffic reach hidden clients. Access controls are created and deployed from the RADIUS server without human intervention, enforcing established policies.
Presenters:

  • David Pisano
    David earned a B.S. in Applied Networking and Systems Administration and an M.S. in Networking and Systems Administration from Rochester Institute of Technology. He is a contributor to The Honeynet Project. Professionally, David is active in research in the fields of network engineering and network security. His interests include data visualization and data correlation. David has coauthored multiple peer-reviewed papers in the fields of networking and cyber security.
