A quick comment: the inter-exchange and analysis of TCP and IP header metadata is very valuable for a number of covert channel, side-channel analysis, exfiltration, attribution, fingerprinting, and detection use cases.
The "bad guys" have some really nasty tricks up their sleeves, including a number of TCP and IP header manipulations. Check out "Trend 3 - Attacks on Networking Devices" in the FireEye 2016 M-Trends report:
https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
This type of very sophisticated activity from Determined Adversaries is just starting to get public exposure.
We need to ensure we can express this type of data in a standard community format. Note that I'm not arguing to extend this now, just that we leave our options open for doing so down the road.
Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org
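As an added illustration of the kind of header metadata the post refers to (this is example code, not part of the original message or of any standard), the following Python parses a raw IPv4+TCP packet into a structured record of the fields typically used for fingerprinting and detection (TTL, IP ID, DF/MF flags, TCP flags, window, reserved bits, option kinds and order) and flags a few header anomalies. The packet bytes, addresses and port numbers are constructed sample values; the function names are this example's own.

```python
import struct

# Flag bits in the IPv4 flags field (top 3 bits of the flags/fragment word).
IP_FLAG_RESERVED, IP_FLAG_DF, IP_FLAG_MF = 0x4, 0x2, 0x1
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
TCP_OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}


def parse_tcp_options(raw: bytes) -> list:
    """Decode the TCP options area into a list of {kind, name, value} records."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP: single byte, no length field
            opts.append({"kind": 1, "name": "NOP", "value": None})
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        if kind in (2, 3):                 # MSS and window scale carry an integer
            value = int.from_bytes(data, "big")
        else:
            value = data.hex()
        opts.append({"kind": kind, "name": TCP_OPTION_NAMES.get(kind, "OPT%d" % kind), "value": value})
        i += length
    return opts


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract header metadata from a raw IPv4+TCP packet (no link-layer header)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ip_id, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    if proto != 6:
        raise ValueError("not a TCP packet")
    ip_flags = flags_frag >> 13
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, tflags,
     window, _tcsum, urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or len(tcp) < data_off:
        raise ValueError("malformed TCP header")
    return {
        "ip": {"ttl": ttl, "id": ip_id, "tos": tos, "total_len": total_len,
               "df": bool(ip_flags & IP_FLAG_DF), "mf": bool(ip_flags & IP_FLAG_MF),
               "reserved_flag": bool(ip_flags & IP_FLAG_RESERVED),
               "frag_offset": flags_frag & 0x1FFF,
               "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst)},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if tflags & (1 << i)],
                "window": window, "urg": urg,
                "reserved": off_res & 0x0E,        # 3 reserved bits; low bit is NS (RFC 3540)
                "options": parse_tcp_options(tcp[20:data_off]),
                "payload_len": len(tcp) - data_off},
    }


def header_observations(meta: dict) -> list:
    """Return a list of header oddities worth a detection rule or an analyst's eye."""
    obs = []
    if meta["ip"]["reserved_flag"]:
        obs.append("ipv4 reserved flag bit set")
    if meta["tcp"]["reserved"]:
        obs.append("tcp reserved bits set")
    flags = meta["tcp"]["flags"]
    if flags == ["SYN"] and not any(o["name"] == "MSS" for o in meta["tcp"]["options"]):
        obs.append("SYN without MSS option")
    if "SYN" in flags and meta["tcp"]["payload_len"] > 0:
        obs.append("SYN carrying payload")
    return obs


def build_sample_syn(tcp_reserved: int = 0) -> bytes:
    """Constructed sample: a plain SYN with MSS 1460, NOP, WS 7 (not a real capture)."""
    options = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7])
    tcp_len = 20 + len(options)
    off_res = ((tcp_len // 4) << 4) | (tcp_reserved & 0x0F)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, off_res, 0x02, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 10]))
    return ip + tcp


if __name__ == "__main__":
    meta = parse_ipv4_tcp(build_sample_syn())
    print(meta, header_observations(meta))
```

The record this produces (TTL, DF, window, option kinds in order) is exactly the sort of per-packet metadata that would need a home in a shared format if the community later chose to express it; the observation list shows how the same fields feed detection.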