Proposed means to support (deny or allow) ICMP types

["Brule, Joseph M" <jmbrule@radium.ncsc.mil>]

All,

 

Recall that we identified a gap in the SLPF.  As currently written, the SLPF does not support deny (or allow) traffic based on ICMP type. 

 

This is a direct paste from an issue on github located at:  https://github.com/oasis-tcs/openc2-apsc-stateless-packet-filter/issues/69

 

Here are three proposals: 

 

ONE:  Overload the ipv*_connection target. 

Add text in section 2.1.2.2

"Semantics / requirements as they pertain to ipv*_connection

• Proto= TCP - 5 tuple is proto=TCP, src-ip, dst-ip, src-port, dest-port
• Proto= UDP - 5 tuple is proto=UDP, src-ip, dst-ip, src-port, dest-port
• Proto= ICMP - 5 tuple is proto=ICMP, src-ip, dst-ip, icmp-type, icmp-code
• Proto= any other - 5 tuple is proto, src-ip, dst-ip, unused, unused

 

TWO:  Create a new target type(s) for ICMP with properties of src address, dest address and ICMP type

 

THREE:  Expand the ip_connection to a 'six-tuple' vice five tuple to accommodate the ICMP type

 

Please provide your insights/ feedback in this matter. 

 

Also, it would be most helpful if you indicated your preferred approach or indicate that oyu have no preference

 

Thank you

 

VR

 

Joe B

 

Joe Brule

Engineering (Y2D122)

FNX-3, B4A335

410.854.4045

'Adnius ad retinedam puritem noster peciosus corporalis fluidorum…'

I welcome VSRE emails.  Learn more at http://vsre.info/