I have joked before about units called 'doobies', but the idea is simple and flexible. Assume secure DNS. Use DNS as the dynamic database that it is to create a sub-domain that relates to value. Each organisation may have different values/exchange rates to its own country's currency unit.
Once you break down your traffic into objects and flows and start quantifying the different types, you can assign arbitrary amounts to atomic entities to begin with and tweak from there.
value.companyx.com
dns-flows.value.companyx.com
dns-packets.value.companyx.com
dns-records.value.companyx.com
customer-ssn.value.companyx.com
customer-address.value.companyx.com
This could get very complicated very quickly, but could also be as basic and simple as one wanted. Current values are resolved from either any part of the IPv4 address space or just bogon/Martian space (RFC 1918/RFC 3330), and could have huge scope depending on the organisation.
This value is your 'dooby' value. Devices report back, or are queried, on how many of each type of object they have processed or stored over an interval. Devices then supply flexible stats and can consult a central value database. (Kind of like SNMP/RMON, only better, unless I am missing something!)
DNS is ubiquitous. Kernel hooks into a special accounting/reporting client would be required.
A device has processed x objects of type y, i.e. x 'doobies' of type y. What is the current 'dooby' exchange rate for my organisation?
Maybe you could re-use SNMP, but I think a centralised DNS store of current values is more flexible.
Thoughts? This is just a beer-mat scribble of an idea on my part.
2 comments:
Essentially, after re-reading, it's not as clear as I'd hoped. From host A, do a lookup against the below A record, which doesn't exist:
4728465241436.dns-flows.value.companyx.com
The NS would receive from the source IP. Alternatively, a lookup table could map to more information from the preceding code. 512-byte UDP limit. A shared secret or signed value is also possible. Basically just using DNS to transmit arbitrary information; however, I wanted to use it as a host reporting mechanism, thus 'agentless' as such!
One more time for clarification...
Basically tunnelling a form of simplified NetFlow data in DNS and using your own NS servers to record the lookups, e.g. the resource records don't exist but data is passed from the SRC host to the DST NS.
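Both halves of the scribble (the value zone the post describes and the NS-side recording the comments describe) modelled offline in plain Python. This is an added example, not code from the original post or its author. Everything beyond the names on the page is an assumption: that values are served as A records drawn from 10.0.0.0/8 (one of the RFC 1918 ranges the post mentions), that reports take the shape `<count>.<object>.value.companyx.com` as in the comment, the BIND-like query-log line format, and the constructed rates and log lines.

```python
# Added example (not code from the original post). It models the 'dooby'
# scheme offline: a value store that answers with RFC 1918 addresses carrying
# a number, and an NS-side accountant that parses a constructed query log.
import ipaddress
import re
from collections import defaultdict

VALUE_ZONE = "value.companyx.com"                # name used in the post
VALUE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: RFC 1918 range carries values
HOST_BITS = 32 - VALUE_NET.prefixlen             # 24 bits -> values 0..16777215
MAX_LABEL, MAX_NAME = 63, 253                    # DNS limits (RFC 1035)


def encode_value(value: int) -> str:
    """Pack a non-negative integer into the host bits of VALUE_NET as an A record."""
    if not 0 <= value < (1 << HOST_BITS):
        raise ValueError(f"{value} does not fit in {HOST_BITS} host bits")
    return str(ipaddress.ip_address(int(VALUE_NET.network_address) + value))


def decode_value(addr: str) -> int:
    """Inverse of encode_value; refuses addresses outside the value range."""
    ip = ipaddress.ip_address(addr)
    if ip not in VALUE_NET:
        raise ValueError(f"{addr} is not a value-encoding address")
    return int(ip) - int(VALUE_NET.network_address)


# Constructed 'exchange rates': what the value zone would serve per object type.
VALUE_STORE = {
    "dns-flows": encode_value(3),
    "dns-packets": encode_value(1),
    "customer-ssn": encode_value(5000),
}


def current_rates(store=VALUE_STORE) -> dict:
    """What a device gets back when it asks 'what is the dooby rate for type y?'"""
    return {obj: decode_value(addr) for obj, addr in store.items()}


def parse_report(qname: str):
    """Interpret <count>.<object>.value.companyx.com as a host report.

    Returns None when the name is not under the value zone at all; raises
    ValueError when it is under the zone but does not have the expected shape."""
    name = qname.rstrip(".").lower()
    if not name.endswith("." + VALUE_ZONE):
        return None
    if len(name) > MAX_NAME:
        raise ValueError("name exceeds 253 octets")
    labels = name[: -len(VALUE_ZONE) - 1].split(".")
    if len(labels) != 2:
        raise ValueError("expected exactly <count>.<object> before the zone")
    if any(len(lab) == 0 or len(lab) > MAX_LABEL for lab in labels):
        raise ValueError("label length outside 1..63 octets")
    count, obj = labels
    if not re.fullmatch(r"[0-9]+", count):
        raise ValueError("count label is not decimal")
    return obj, int(count)


# Constructed log lines in a BIND-like 'query:' shape; not real captured data.
LOG_RE = re.compile(r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN A\b")


def account(log_lines, rates):
    """Tally reported counts per (source IP, object type) and value them at `rates`.

    Returns (counts, value, rejected). `rejected` holds (src, qname, reason) for
    names under the zone that failed validation: the lines a detection rule for
    misuse of the zone would want to look at rather than silently tally."""
    counts = defaultdict(int)
    rejected = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            report = parse_report(m["qname"])
        except ValueError as exc:
            rejected.append((m["src"], m["qname"], str(exc)))
            continue
        if report is None:          # ordinary query, nothing to account for
            continue
        obj, n = report
        counts[(m["src"], obj)] += n
    value = {k: n * rates.get(k[1], 0) for k, n in counts.items()}
    return dict(counts), value, rejected


SAMPLE_LOG = [  # constructed
    "client 192.0.2.10#5353: query: 4728465241436.dns-flows.value.companyx.com IN A +",
    "client 192.0.2.10#5354: query: 120.dns-packets.value.companyx.com IN A +",
    "client 192.0.2.11#4000: query: 7.customer-ssn.value.companyx.com IN A +",
    "client 192.0.2.11#4001: query: 2.customer-ssn.value.companyx.com IN A +",
    "client 192.0.2.12#4002: query: deadbeef.dns-flows.value.companyx.com IN A +",
    "client 192.0.2.12#4003: query: www.companyx.com IN A +",
]

if __name__ == "__main__":
    counts, value, rejected = account(SAMPLE_LOG, current_rates())
    for (src, obj), n in counts.items():
        print(f"{src} {obj}: {n} objects = {value[(src, obj)]} doobies")
    for src, qname, why in rejected:
        print(f"rejected {qname} from {src}: {why}")
```

Two caveats the model makes visible. The source IP the NS logs is whoever sent the query to it, which is the host's recursive resolver unless hosts query the authoritative NS directly, so attributing a count to "host A" needs that direct path. And nothing here authenticates a report: the comment's shared secret or signed value would be an extra label checked in `parse_report` before the count is tallied, and replay of an old report would still need a nonce or interval marker. The `rejected` list is the same shape of check a resolver-side rule for unexpected long or non-decimal labels under a zone would produce.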