
Proposal: Add New ARP Cache Object

Ivan Kirillov edited this page Dec 18, 2013 · 4 revisions

Status: Closed
Comment Period Closes: 12/17/2013
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/41

Background Information

Most operating systems store a local cache of Address Resolution Protocol (ARP) entries that map IP to physical (i.e. MAC) addresses. Having a standard representation of these stored entries can be useful for malware artifact detection, digital forensics, and other use cases.

Proposal

We propose the creation of a new Object capable of characterizing the ARP cache on a system. Thus, this object should have a list (1-N) of ARP Cache Entries; each ARP Cache Entry (ARPCacheEntryType) will contain the fields:

| Field | Type | Description |
| --- | --- | --- |
| IP_Address | AddressObj:AddressObjectType | The IP_Address field specifies the IP address that is mapped to the physical address in the ARP cache entry. |
| Physical_Address | cyboxCommon:StringObjectPropertyType | The Physical_Address field specifies the physical (e.g. MAC-48) address that is mapped to the IP address in the ARP cache entry. Either a colon (':') or a dash ('-') may be used as a separator between the octets. |
| Type | ARPCacheObj:ARPCacheEntryTypeType | The Type field specifies the type of ARP cache entry, which typically refers to the way the entry was added to the cache. |
| Network_Interface | SystemObj:NetworkInterfaceType | The Network_Interface field permits the specification of the network interface to which the ARP cache entry belongs. |

The ARPCacheEntryTypeType is a union of the base xs:string type and the ARPCacheEntryTypeEnum. The ARPCacheEntryTypeEnum is intended to enumerate possible types of ARP cache entries and thus contains the following values:

| Value | Description |
| --- | --- |
| static | The static value specifies an IP address/physical address pair that was manually added to the cache table for a device and is kept in the cache on a permanent basis. |
| dynamic | The dynamic value specifies an IP address/physical address pair added to the cache automatically as a result of successfully completed past ARP resolutions. |

For the full proposed schema, please see https://github.com/ikiril01/schemas/commit/14f2d2008b10ac6b04270170829c93be8eb59366.
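As an added illustration (not part of this proposal or of the CybOX schemas), the following Python maps constructed `arp -a`-style output onto the four proposed ARPCacheEntryType fields, accepting either ':' or '-' as the octet separator and keeping a Type value outside the enum as free text, as the xs:string union allows. The wrapper element names `ARP_Cache` and `ARP_Cache_Entry`, the lack of a namespace, and the use of the interface's own IP address as the Network_Interface value are assumptions; the real element layout is in the linked schema commit.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Windows `arp -a` layout (dash-separated MAC addresses).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY_TYPE_ENUM = {"static", "dynamic"}  # proposed ARPCacheEntryTypeEnum values
FIELDS = ("IP_Address", "Physical_Address", "Type", "Network_Interface")
# MAC-48 with either ':' or '-' as separator, as the Physical_Address field allows.
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)
ROW_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s*$")
IFACE_RE = re.compile(r"^Interface:\s+(\S+)")

def parse_arp_output(text):
    """Return one dict per cache row, keyed by the proposed ARPCacheEntryType fields."""
    entries, interface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            interface = m.group(1)   # rows below belong to this interface (assumed key)
            continue
        m = ROW_RE.match(line)
        if not m:
            continue                 # header or blank line
        ip, mac, kind = m.groups()
        if not MAC_RE.match(mac):
            raise ValueError(f"unexpected physical address format: {mac!r}")
        # Type is a union of xs:string and the enum, so a value outside the enum is
        # still legal and is kept verbatim rather than rejected.
        entries.append(dict(zip(FIELDS, (ip, mac.lower(), kind.lower(), interface))))
    return entries

def to_xml(entries):
    """Serialize as a flat XML fragment using the proposed field names.
    The wrapper names ARP_Cache / ARP_Cache_Entry are assumed, not from the schema."""
    root = ET.Element("ARP_Cache")
    for e in entries:
        node = ET.SubElement(root, "ARP_Cache_Entry")
        for field in FIELDS:
            ET.SubElement(node, field).text = e[field]
    return ET.tostring(root, encoding="unicode")
```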

Impact

There is no expected compatibility impact.

Requested Feedback

  1. Does it make sense to add such an object to CybOX?
  2. Are there any fields we should add to the ARPCacheEntryType? Should we change any of the types used to capture the fields we've defined?
  3. Are there any values we should add to the ARPCacheEntryTypeEnum?