The SCNM request packet specifies the characteristics of the traffic to monitor, including the source, destination, and port(s) of the traffic. We use a thirty-two bit magic number field to permit quick rejection of spurious packets on the activation port. The activation packet format version and the sequence number of the activation packet uniquely identify this request and how to interpret it. Traffic type gives the IP protocol number of the traffic to monitor (e.g. UDP or TCP). The rest of the packet contains parameters specifying the characteristics of the traffic to monitor, such as the source and destination addresses and ports used by the traffic. For example, the destination address and port are specified using a parameter six bytes in length, the first four bytes being the address and the remaining two the port. If a monitoring request is accepted, the SCNM configures a Berkeley packet filter to capture headers from the corresponding packet stream. Each request packet has a limited lifetime, so the user must periodically send additional request packets to maintain the monitoring; this allows graceful recovery from crashes of the end host that requested the monitoring. Monitoring output data is sent back to the application data source or destination host.
The core of the security model revolves around the concept that a user is allowed to monitor her own data. In order to be accepted by the SCNM host, the activation packet must be traveling between the source and destination of the traffic to be monitored. The SCNM host verifies this by comparing the request parameters with the source and destination in the IP header of the activation packet. In addition, the SCNM host is only willing to send resulting data to the source or destination of the monitored traffic. Thus, although spoofing of the IP source and destination might result in an extra stream being monitored, the resulting monitoring data will not be sent to the spoofing host. Furthermore, since the monitoring data is sent over a TCP connection to the destination, it will only be sent if that host is listening for the results. Each SCNM host also maintains a local audit log of all monitoring requests.
Access control lists can be configured at an SCNM host to allow an individual site to limit the types of requests and monitoring data destinations allowed. The current SCNM access control list (ACL) method works as follows. When the filter control daemon (fcd) starts, it looks for a default configuration file, called act_auth.conf, containing a list of host names or IP addresses. If this list exists, monitoring data may only be forwarded to these hosts. If no configuration file is present or the file is empty, then the control list is empty and data is allowed to be sent to the source host (activation host) only.
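The following is an added example, not code from the SCNM project, that applies the checks described in the three paragraphs above (magic-number rejection, the activation packet travelling between the monitored endpoints, results only to the source or destination, and the act_auth.conf ACL) to a constructed activation packet. Everything about the wire layout beyond the 32-bit magic number and the six-byte address+port parameter, including the TLV parameter encoding, the field widths and the result-host parameter, is an assumption made for the example.

```python
import struct
import ipaddress

# Assumed layout (the paper fixes only the 32-bit magic and the 6-byte addr+port
# parameter): magic(4) version(1) seq(4) proto(1), then TLVs: type(1) len(1) value.
MAGIC = 0x53434E4D                               # constructed value ("SCNM")
PARAM_SRC, PARAM_DST, PARAM_RESULT = 1, 2, 3     # src/dst: addr(4)+port(2); result: addr(4)

def build_activation(seq, proto, src, dst, result):
    """Construct an activation packet (test helper, not an on-wire spec)."""
    ep = lambda a, p: ipaddress.IPv4Address(a).packed + struct.pack("!H", p)
    body = b""
    for ptype, val in ((PARAM_SRC, ep(*src)), (PARAM_DST, ep(*dst)),
                       (PARAM_RESULT, ipaddress.IPv4Address(result).packed)):
        body += bytes([ptype, len(val)]) + val
    return struct.pack("!IBIB", MAGIC, 1, seq, proto) + body

def parse_activation(payload):
    """Return the request as a dict, or None for spurious or truncated packets."""
    if len(payload) < 10 or payload[:4] != struct.pack("!I", MAGIC):
        return None                              # quick rejection via the magic number
    _, ver, seq, proto = struct.unpack("!IBIB", payload[:10])
    req, off = {"version": ver, "seq": seq, "proto": proto}, 10
    while off + 2 <= len(payload):
        ptype, plen = payload[off], payload[off + 1]
        val = payload[off + 2:off + 2 + plen]
        if len(val) != plen:
            return None                          # truncated parameter
        if ptype in (PARAM_SRC, PARAM_DST) and plen == 6:
            key = "src" if ptype == PARAM_SRC else "dst"
            req[key] = (str(ipaddress.IPv4Address(val[:4])), struct.unpack("!H", val[4:])[0])
        elif ptype == PARAM_RESULT and plen == 4:
            req["result"] = str(ipaddress.IPv4Address(val))
        off += 2 + plen
    return req

def accept_request(payload, ip_src, ip_dst, acl=()):
    """ip_src/ip_dst come from the IP header of the activation packet; acl is the
    act_auth.conf host list (empty means results go only to the activation host)."""
    req = parse_activation(payload)
    if req is None or not all(k in req for k in ("src", "dst", "result")):
        return False, "malformed request"
    if {req["src"][0], req["dst"][0]} != {ip_src, ip_dst}:
        return False, "activation packet is not travelling between the monitored endpoints"
    if req["result"] not in (req["src"][0], req["dst"][0]):
        return False, "results may only go to the source or destination of the traffic"
    if req["result"] not in (set(acl) or {ip_src}):
        return False, "result host not permitted by ACL"
    return True, "accepted"
```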
In the current design, we assume that all users with access to an end host are allowed to monitor traffic to or from that host. If this turns out to be an issue, one can limit the ability of users to activate the monitor by using a privileged port for the activation packets. In this case, the end user would need to have root access to request monitoring of traffic to or from that host.