Visible to the public Platform agnostic, scalable, and unobtrusive FPGA network processor design of moving target defense over IPv6 (MT6D) over IEEE 802.3 Ethernet

TitlePlatform agnostic, scalable, and unobtrusive FPGA network processor design of moving target defense over IPv6 (MT6D) over IEEE 802.3 Ethernet
Publication TypeConference Paper
Year of Publication2017
AuthorsSagisi, J., Tront, J., Bradley, R. M.
Conference Name2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
Date Publishedmay
Keywordsapplication specific integrated circuits, ASIC, complex instruction set computer instruction set architecture, Computers, cryptography, electrical engineering, embedded application-specified integrated circuit, EPON, field programmable gate arrays, FPGA, IEEE 802.3 Ethernet, IEEE 802.3 Standard, Instruction sets, IP networks, IPv6, IPv6 interfaces, Local area networks, low power wireless personal area networks, Metrics, modular crypto engine, moving target defense, moving target defense over IPv6, MT6D, network processor, network-based keyed access, pubcrawl, register transfer level logic, Resiliency, RTL-based Network Time Protocol v4 synchronization

This work presents the proof of concept implementation for the first hardware-based design of Moving Target Defense over IPv6 (MT6D) in full Register Transfer Level (RTL) logic, with future sights on an embedded Application-Specified Integrated Circuit (ASIC) implementation. Contributions are an IEEE 802.3 Ethernet stream-based in-line network packet processor with a specialized Complex Instruction Set Computer (CISC) instruction set architecture, RTL-based Network Time Protocol v4 synchronization, and a modular crypto engine. Traditional static network addressing allows attackers the incredible advantage of taking time to plan and execute attacks against a network. To counter, MT6D provides a network host obfuscation technique that offers network-based keyed access to specific hosts without altering existing network infrastructure and is an excellent technique for protecting the Internet of Things, IPv6 over Low Power Wireless Personal Area Networks, and high value globally routable IPv6 interfaces. This is done by crypto-graphically altering IPv6 network addresses every few seconds in a synchronous manner at all endpoints. A border gateway device can be used to intercept select packets to unobtrusively perform this action. Software driven implementations have posed many challenges, namely, constant code maintenance to remain compliant with all library and kernel dependencies, the need for a host computing platform, and less than optimal throughput. This work seeks to overcome these challenges in a lightweight system to be developed for practical wide deployment.

Citation Keysagisi_platform_2017