
Network-aware active wardens described in this study obviously require knowledge about their surrounding network. The sections below present different models of the wardens’ knowledge and their impact on wardens’ capabilities.

3.5.1 Perfect Warden

The analysis of countermeasures presented in Section 3.4 assumes that network-aware active wardens possess all required knowledge of all relevant network parameters. These wardens are called perfect wardens, and they require the following information about the network:

• Addresses of all relevant network nodes.
• Hop distances to all relevant network nodes.
• MTU values of all relevant links.
• Distinction between routers and hosts present on the network.
• Home Agent capabilities of present routers.
• IPv6 header and option support status in all relevant nodes.
• All traffic classes in use in the network.
• Currently used flow labels for all relevant flows.
• IPsec security association information.

If an active warden lacks a certain type of necessary information, some of the network-based normalizations will be impossible. This lack of information will, however, not affect the other normalizations. For example, if Wendy does not have information about hop distances on the monitored network, she will not be able to perform Hop Limit normalizations, but all other normalizations will still be possible.

3.5.2 Locally Perfect Warden

The perfect warden described above will perform the best normalizations theoretically possible. However, gathering all required information about the global network is likely not feasible.

In contrast to the perfect warden, a locally perfect warden has information that is limited to the warden’s local network. The limitation of its network knowledge makes network information gathering more practical. For example, an active warden can have all necessary knowledge about an autonomous system and be placed in a way that allows it to monitor all incoming and outgoing traffic (see Figure 3.1).

[Figure 3.1: Local warden (Wendy) positioned to monitor incoming/outgoing traffic.]

The fact that a locally perfect warden lacks some of the information necessary for network-based traffic normalizations will affect its capabilities. Generally, a warden can only normalize traffic that carries information about the network the warden is familiar with.

Assuming the scenario mentioned above as an example – where the warden has knowledge about an autonomous system and is placed so it can observe incoming and outgoing traffic – the limitation of its knowledge means that the normalizations can only be performed for outgoing or incoming traffic depending on the type of information the given packets carry.

For example, a Home Agent Discovery Reply message conveys information about addresses of routers capable of serving as a Home Agent for a mobile IPv6 node. If such a message originates in the warden’s network, the warden can verify whether the addresses listed are in fact home agents and normalize the message if needed. However, when the warden inspects a similar message coming from the outside network, the normalization is impossible because the warden’s knowledge is not sufficient. The opposite situation takes place in the case of Hop Limit normalizations. The Hop Limit field of incoming packets can be reset according to the warden’s knowledge, but outgoing packets cannot be modified the same way, as the warden does not know enough about the topology of the outside system.

rule  direction          description
23    incoming           only traffic classes belonging to the local network can be verified; an outgoing packet might carry traffic classes unknown to the warden
24    incoming/outgoing  flow labels belong to flows and can be observed by the warden regardless of flow direction
25    incoming           the warden does not know the distance to outside destinations
26    incoming           the warden does not know the distance to outside destinations
27    outgoing           only internal nodes’ addresses are known to the warden
28    outgoing           only internal nodes’ addresses are known to the warden
29    incoming/outgoing  depends on the IPsec security context knowledge of the warden
30    incoming/outgoing  IPsec simulation can be performed for both flow directions
31    outgoing           only internal network MTUs are known to the warden
32    outgoing           only capabilities of internal nodes can be checked by the warden
33    outgoing           only internal home agents can be verified

Table 3.6: Effects of limited knowledge on traffic normalization

3.5.3 Multiple Wardens

A network-aware active warden can perform network-based traffic normalization if the observed traffic carries information about the network that the warden is familiar with. In consequence, it is possible that more than one warden contributes to a given packet’s normalization as it traverses their respective networks. At the very least, a packet originating from one autonomous system and traveling to another one could be inspected by two local wardens guarding the two respective systems. An additional factor in this scenario is that the origin warden will see the traffic as outgoing, while the destination warden will perceive the same traffic as incoming. As described in Section 3.5.2, limited network knowledge will result in some of the proposed normalizations becoming uni-directional only. However, since the two wardens perceive the same traffic as coming from different directions, together they can mitigate attacks that neither of them can defeat alone, provided that the covert channel sender and receiver are placed within the wardens’ networks.
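As an added illustration (not the thesis’s own code, and a deliberately simplified model), the following Python sketches a locally perfect warden from Section 3.5.2 that applies only the normalizations its local knowledge supports, selected by packet direction, and then chains two such wardens as in Section 3.5.3 so that the origin warden covers outgoing-only rules and the destination warden covers incoming-only ones. The prefixes, hop distances, the Hop Limit rewrite value 64 and the mapping to rule numbers of Table 3.6 are constructed or assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT_HOP_LIMIT = 64  # assumed value a warden rewrites Hop Limit to

@dataclass
class Packet:
    src: str
    dst: str
    hop_limit: int
    traffic_class: int = 0
    home_agents: tuple = ()  # addresses listed in a Home Agent Discovery Reply

class LocalWarden:
    """Locally perfect warden: knows only its own prefix, hop distances to
    internal nodes, which internal routers are real home agents, and the
    traffic classes in use locally (all constructed sample knowledge)."""
    def __init__(self, prefix, hop_distance, home_agents, traffic_classes):
        self.net = ip_network(prefix)
        self.hop_distance = hop_distance
        self.home_agents = set(home_agents)
        self.traffic_classes = set(traffic_classes)

    def direction(self, pkt):
        src_in = ip_address(pkt.src) in self.net
        dst_in = ip_address(pkt.dst) in self.net
        if src_in and not dst_in:
            return "outgoing"
        if dst_in and not src_in:
            return "incoming"
        return "transit"  # neither endpoint is local: nothing can be verified

    def normalize(self, pkt):
        """Apply only the normalizations local knowledge supports; return their names."""
        applied = []
        d = self.direction(pkt)
        if d == "incoming":
            # Rules 25/26: the remaining distance to the internal destination is known,
            # so Hop Limit can be reset to a constant that still exceeds that distance.
            if self.hop_distance.get(pkt.dst, DEFAULT_HOP_LIMIT) < DEFAULT_HOP_LIMIT \
                    and pkt.hop_limit != DEFAULT_HOP_LIMIT:
                pkt.hop_limit = DEFAULT_HOP_LIMIT
                applied.append("hop_limit")
            if pkt.traffic_class not in self.traffic_classes:  # rule 23: local classes only
                pkt.traffic_class = 0
                applied.append("traffic_class")
        elif d == "outgoing" and any(a not in self.home_agents for a in pkt.home_agents):
            # Rule 33: only internal home agents can be verified, so strip the rest.
            pkt.home_agents = tuple(a for a in pkt.home_agents if a in self.home_agents)
            applied.append("home_agents")
        return applied

def traverse(pkt, wardens):
    """Section 3.5.3: each warden on the path contributes what its knowledge allows."""
    return {name: w.normalize(pkt) for name, w in wardens}
```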
