PROBLEM
A 5-tuple refers to a set of five values that together identify a Transmission Control Protocol/Internet Protocol (TCP/IP) connection: the source IP address and port number, the destination IP address and port number, and the protocol in use. The 5-tuple has been a mainstay of network access control and segmentation for decades. OpenC2 requires a datatype suitable for representing a 5-tuple within the Target field of an OpenC2 command. STIX Cyber Observables and CybOX 2 each define objects that could be used for this purpose (network-traffic and Network_Connection respectively), but these types also carry information about observed packet flows (e.g., Creation_Time, TCP States, and Layer7_Connections for Network_Connection; start and end times, byte and packet counts, and links to enclosed and enclosing flows for network-traffic) that is not needed in a 5-tuple. These fields are optional to transmit, but supporting those types still requires much unnecessary code complexity.
POTENTIAL SOLUTION
OpenC2 defines a 5-tuple type containing only the information necessary to support C2 operations (access control), rather than a description of observed traffic. CybOX Network_Connection contains its own protocol enumerations; the proposed OpenC2 5-tuple instead explicitly reuses the IETF/IANA standard enumerations, so that when new or unusual protocols need to be specified as access control targets, IANA has already done the work of standardizing their number and name definitions.
The proposed type is called ip-connection, although any name including 5-tuple would do. The proposed definition is:
ip-connection ::= RECORD { -- 5-tuple that specifies a tcp/ip connection
src-addr socket-addr OPTIONAL, -- source address
src-port port OPTIONAL, -- source TCP/UDP port number
dst-addr socket-addr OPTIONAL, -- destination address
dst-port port OPTIONAL, -- destination TCP/UDP port number
layer3-protocol layer3-protocol OPTIONAL, -- IEEE 802 Ether Type
layer4-protocol layer4-protocol OPTIONAL, -- Protocol (IPv4) / Next Header (IPv6)
}
socket-addr ::= CHOICE {
v4 [1] ipv4-addr,
v6 [2] ipv6-addr,
mac [3] mac-addr,
dns [4] domain-name
}
port ::= CHOICE { -- TCP/UDP port number or protocol
number INTEGER, -- Port number (e.g., dynamically assigned)
protocol layer7-protocol -- Registered port number (registered with IANA)
}
layer3-protocol ::= ENUMERATED { -- IEEE 802 Ether Types - any IANA value, RFC 7042
IPv4 (2048), -- 0x0800 Internet Protocol Version 4
ARP (2054), -- 0x0806 Address Resolution Protocol
IPv6 (34525), -- 0x86DD Internet Protocol Version 6
MPLS (34887) -- 0x8847 Multi-Protocol Label Switching
}
layer4-protocol ::= ENUMERATED { -- protocol (IPv4) or next header (IPv6) field - any IANA value, RFC 5237
ICMP (1), -- Internet Control Message Protocol - RFC 792
TCP (6), -- Transmission Control Protocol - RFC 793
UDP (17) -- User Datagram Protocol - RFC 768
}
layer7-protocol ::= ENUMERATED { -- Service Name and Transport Protocol Port - any IANA value, RFC 6335
ftp-data (20), -- File Transfer Protocol (data)
ftp (21), -- File Transfer Protocol (control)
ssh (22), -- Secure Shell Protocol
telnet (23), -- Telnet
smtp (25), -- Simple Mail Transfer Protocol
http (80), -- Hypertext Transfer Protocol
https (443) -- HTTP over TLS
}
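To make the semantics of the definition concrete, here is an added worked example (not code from the OpenC2 proposal or any OpenC2 implementation) that renders ip-connection in Python: each CHOICE and ENUMERATED type is validated against the IANA values listed above, a JSON-style object with the proposal's hyphenated field names is parsed into the record, and a matcher applies the access-control reading in which an omitted OPTIONAL field is a wildcard. The class and function names (IpConnection, parse_socket_addr, parse_port, parse_enum, from_dict, matches) and the dict input format are this example's own assumptions, as are the sample flows.

```python
"""Added example: a minimal Python model of the proposed OpenC2 ip-connection
5-tuple.  Names and the dict input shape are assumptions of this example, not
identifiers from the proposal; any IANA value is accepted for the enumerations,
as the proposal allows, with the listed names as a convenience."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

# Subset of IANA registrations quoted in the proposal (name -> number).
LAYER3_PROTOCOL = {"IPv4": 2048, "ARP": 2054, "IPv6": 34525, "MPLS": 34887}
LAYER4_PROTOCOL = {"ICMP": 1, "TCP": 6, "UDP": 17}
LAYER7_PROTOCOL = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23,
                   "smtp": 25, "http": 80, "https": 443}

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
_DNS_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}\.?$")


def parse_socket_addr(kind: str, value: str) -> tuple:
    """socket-addr CHOICE: return (tag, normalised value); reject malformed input."""
    if kind == "v4":
        return ("v4", ipaddress.IPv4Address(value))      # raises on bad input
    if kind == "v6":
        return ("v6", ipaddress.IPv6Address(value))
    if kind == "mac":
        if not _MAC_RE.match(value):
            raise ValueError(f"bad MAC address: {value}")
        return ("mac", value.lower().replace("-", ":"))
    if kind == "dns":
        if not _DNS_RE.match(value):
            raise ValueError(f"bad domain name: {value}")
        return ("dns", value.lower().rstrip("."))
    raise ValueError(f"unknown socket-addr alternative: {kind}")


def parse_port(value: Union[int, str]) -> int:
    """port CHOICE: a port number 0..65535, or a layer7-protocol name that is
    resolved to its IANA registered port number."""
    if isinstance(value, int):
        if not 0 <= value <= 65535:
            raise ValueError(f"port out of range: {value}")
        return value
    if value in LAYER7_PROTOCOL:
        return LAYER7_PROTOCOL[value]
    raise ValueError(f"unknown service name: {value}")


def parse_enum(table: dict, value: Union[int, str]) -> int:
    """layer3-/layer4-protocol ENUMERATED: a listed name or any IANA number."""
    if isinstance(value, int):
        return value
    if value in table:
        return table[value]
    raise ValueError(f"unknown enumeration name: {value}")


@dataclass(frozen=True)
class IpConnection:
    """Rendering of the ip-connection RECORD; every field is OPTIONAL and an
    omitted field matches anything when the record is used as a target."""
    src_addr: Optional[tuple] = None
    src_port: Optional[int] = None
    dst_addr: Optional[tuple] = None
    dst_port: Optional[int] = None
    layer3_protocol: Optional[int] = None
    layer4_protocol: Optional[int] = None

    @classmethod
    def from_dict(cls, d: dict) -> "IpConnection":
        """Parse a JSON-style object using the proposal's field names, e.g.
        {"dst-addr": {"v4": "10.0.0.5"}, "dst-port": "ssh", "layer4-protocol": "TCP"}."""
        def addr(key: str) -> Optional[tuple]:
            if key not in d:
                return None
            alternatives = list(d[key].items())
            if len(alternatives) != 1:          # CHOICE means exactly one alternative
                raise ValueError(f"{key}: socket-addr needs exactly one alternative")
            kind, value = alternatives[0]
            return parse_socket_addr(kind, value)

        def enum(key: str, table: dict) -> Optional[int]:
            return parse_enum(table, d[key]) if key in d else None

        return cls(
            src_addr=addr("src-addr"),
            src_port=parse_port(d["src-port"]) if "src-port" in d else None,
            dst_addr=addr("dst-addr"),
            dst_port=parse_port(d["dst-port"]) if "dst-port" in d else None,
            layer3_protocol=enum("layer3-protocol", LAYER3_PROTOCOL),
            layer4_protocol=enum("layer4-protocol", LAYER4_PROTOCOL),
        )

    def matches(self, observed: "IpConnection") -> bool:
        """True when every field set on this target equals the observed flow's
        value; fields left unset on the target are wildcards."""
        for field in ("src_addr", "src_port", "dst_addr", "dst_port",
                      "layer3_protocol", "layer4_protocol"):
            wanted = getattr(self, field)
            if wanted is not None and wanted != getattr(observed, field):
                return False
        return True


# Constructed sample: a target meaning "SSH over TCP to 10.0.0.5, any source".
SAMPLE_TARGET = IpConnection.from_dict(
    {"dst-addr": {"v4": "10.0.0.5"}, "dst-port": "ssh", "layer4-protocol": "TCP"})
```

Because the enumerations accept any IANA number, a target can name a protocol that has no entry in the short name tables above; the name tables are only a convenience for the values the proposal lists, which is the point the proposal makes about reusing the IANA registries instead of maintaining a private enumeration.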