Identity-Based Internet Protocol Network presented at Shmoocon 2013

by David Pisano,

Tags: Network Defence IBIP


Summary : "The Identity-Based Internet Protocol (IBIP) Network project is experimenting with a new enterprise oriented network architecture using standard IPv6 to encode user and host identity (ID) information into the IP address. Our motivation is to increase our security posture by leveraging identity, reducing our threat exposure, enhancing situational understanding of our environment, and simplifying network operations. Our current implementation uses credentials from the Common Access Card (CAC) and from the computer's Trusted Platform Module (TPM) to establish a host and user ID and IP address. A registration process (built on top of 802.1x) that occurs between the host and a RADIUS server. After validating the credentials, the RADIUS server then automatically configures the edge router, fronting the host, with appropriate access privileges so that no IP address spoofing (or impersonation) is permitted. Hosts that are client machines do not have their IP addresses advertised, making them unreachable or hidden from reconnaissance initiated by other clients. Servers have their IP addresses advertised as usual. A unique IPv6 extension header was conceived to enable return traffic to hidden clients. Access controls are created and deployed from the RADIUS server without human intervention, enforcing established policies."