/* Draft, incomplete, for blue-sky discussion, brainstorming, etc.
   Comments welcome to jhs @ berklix . com

   Makefile checks syntax with:
   	cc -c record.h ; rm -f record.h.gch
*/

#include <sys/stat.h>

/* "byte" is plain char. The signedness of plain char is
   implementation-defined, so an address octet >= 0x80 stored in a byte may
   read back negative and sign-extend when promoted to int (comparisons,
   shifts, array indexing).
   NOTE(review): for the raw octets in struct address and the bit fields in
   struct record, unsigned char would avoid this; confirm no user of this
   header depends on byte being plain char before changing it. */
#define byte char

/* extern char *ctime() ; */


/* Names the project and the registered agency that a record claims to come
   from. Used as the sender_sec member of struct record. */
struct security 
	{
	short	project_id ;	/* 
				Deter Project Identity Number.
				0 = invalid/unallocated. 
				1 = us, the first iteration of our type.
				There may later be several different
				deter projects using common code, 
				& common incident report structures,
				that only partially
				co-operate,
				for various possible reasons, eg: incomplete
				trust, because some nations
				are crippled by local law from full
				co-operation in or outbound, or politics etc.
				Other projects eg USA may also
				develop interfaces to us & vice
				versa, & they would get a different
				number.
				NOTE(review): a receiver should presumably
				reject 0 and any number it has no agreement
				with, before looking at the rest of the
				record.
				*/ 


	int	agency_id ;	/* 
				Government Agency [or large corporation]
				Identity Number.
				Index number to a list of project registrants,
				& encryption keys.
				There might be just one per agency,
				but some agencies might have a few.
				NOTE(review): this value arrives inside the
				record, so it is only a claim. Before it is
				used as an index it needs a range check
				against the registrant list (int is signed,
				so negative values too), and the record
				should be verified with the key it selects
				before anything else in it is believed.
				How records are authenticated is not shown
				in this header; confirm.
				*/
	} ;

/* One IPv4 or IPv6 address: a family selector followed by 16 raw octets. */
struct address
	{
	byte	which ;		/* 0=IPV4, 1=IPV6 */
				/* http://en.wikipedia.org/wiki/Ipv6 */
				/* NOTE(review): values other than 0 and 1
				   are undefined here; a receiver should
				   reject them rather than guess. */
	byte number[16] ;	/* Ordering: LSB first */
				/* union */
				/* byte ordering no problem at beginning as
				   all using same architecture */
				/* NOTE(review): "LSB first" is the reverse
				   of the network byte order that
				   inet_pton() and struct in_addr/in6_addr
				   use, so a conversion is needed at that
				   boundary. The same-architecture
				   assumption stops holding once other
				   projects or agencies (see struct
				   security) exchange records with us.
				   For IPv4 presumably only 4 of the 16
				   octets are meaningful; the rest should
				   be zeroed before the record leaves the
				   node so stale memory is not sent. */
	} ;

/* One incident report: who reports, from which node, about which attacking
   address and port, over what time window, plus bookkeeping set by the
   NOCs (Net Operation Centres).

   NOTE(review): how a record travels between nodes is not shown in this
   header. If it is sent or stored as raw struct memory, two things matter:
   - int, long and time_t differ in width between platforms, and the
     compiler inserts padding (e.g. after the single-byte fields), so two
     builds may disagree on the layout. Fixed-width types and field by
     field encoding would make the format explicit.
   - padding bytes and unused optional fields carry whatever was in memory
     before. Zero the whole record (memset) before filling it in, so that
     unrelated memory content is not disclosed to the receiver.
   Every field below is supplied by the sending side and should be range
   checked by the receiver before use. */
struct record
	{
	/* Alignment efficiency considerations will not be done till later */

	int version_type ;	
		/* Version of record. Bound to change both as we evolve
		& also in a distributed system some nodes will be old,
		updated at different times after local human initiation/
		authorisation, & some return from off to on line after 
		power or other net failure, so we must have capability
		to at least reject, but better to handle old style
		records (& send "please upgrade" response).
		NOTE(review): the receiver has to check this field first;
		the meaning and layout of everything after it depend on it,
		so an unknown version must be rejected, not parsed.
		*/

	struct security sender_sec ;	/* which agency filed the report */

	struct address	sender_ad ;	/* IP No of reporting node */
					/* NOTE(review): as written by the
					   sender; presumably to be compared
					   with the address the report was
					   actually received from. */
	int 		sender_pot ;	/* Optional, 0=Unused.
					   Some reporting nodes on the deter
					   net will be connected to a 
					   collection of honey
					   pots. This is for if
					   that node wants to keep
					   track to refer back.
					   It might later become a
					   long for a bit mask, or
					   a struct.
					 */

	struct address attacker_ad ;	/* where sender_ad reports 
					   attack is coming from */
					/* NOTE(review): for udp
					   (udp_tcp == 0) the protocol does
					   not verify a packet's source
					   address, so this may name a host
					   that sent nothing. Consumers that
					   act on this field automatically
					   should take that into account. */

	struct address proxy1 ;	/* optional, for later, if sender_ad is 
				 reporting to central net of NOCs 
				 (Net Operation Centres) via a
				 proxy 'cos our system has grown
				 large, & traffic needs an intermediary,
				 hierarchical structure.
				 Perhaps also we may adopt hierarchical filtering
				 for protection of central net against 
				 attack by enemy 
				*/

	struct address proxy2 ;	/* Optional for much later, if ever,	
				   if struct too big, abandon this, implement
				   only in a new version_type */

	byte	analysis;	/* Bitfield. 0 = test record = take no action.
				   Things checked, characteristics of received
				   attack.
				   Define later.  ?
				   Maybe: One Bit will be cancel this record.
				   NOTE(review): if a cancel bit is added, a
				   cancel request presumably has to be
				   accepted only from the agency that filed
				   the original record; confirm when the
				   bits are defined.
				   */

	int	port ;		/* /etc/services tcp & udp */
				/* NOTE(review): TCP and UDP ports are
				   16 bit, so a receiver should reject
				   values outside 0..65535. */
	int	udp_tcp ;	/* 0=udp 1=tcp 
			http://en.wikipedia.org/wiki/Communications_protocol */
				/* NOTE(review): other values are undefined
				   here; reject them on receipt. */

	long    repeat ;        /* number of attacks received between
				   time_start & time_end */
				/* NOTE(review): signed, so a negative
				   count is representable; reject it before
				   adding counts together. */
				
	time_t	time_start ;	/* local node first detected */
	time_t	time_end ;	/* local node prepares a report to send */
				/* NOTE(review): both come from the
				   reporting node's clock; a receiver can at
				   least check time_start <= time_end and
				   that neither lies far in the future. */
	time_t	time_accept ;	/* when NOC accepts report - 
				   (this field may have no useful purpose,
				   cheap & easy for NOC to set it) */
	time_t	tim_renewal ;	/* set by central net of NOCs, earlier than
				   time_expire expire_by */
	time_t	time_expire ;	/* time after which any NOC is entitled to 
				   locally delete its copy of this record, 
				   without reference to any other NOC.
				   NOTE(review): who sets this field is not
				   stated. If the reporting node can set it,
				   the NOC should presumably clamp it to a
				   policy maximum; confirm.
				   */
	byte	status ;	/* bitmap: reported to central net, 
				   acknowledged, etc (or maybe use
				   if ((time_t)0 != rec_p->tim_...  ) */
	char	telno[30] ;	/* optional, for queries in early test days,
				 field to be abandoned later */
				/* NOTE(review): fixed 30 byte buffer. A
				   writer must bound the copy to
				   sizeof telno and a reader must not assume
				   a terminating NUL is present in a
				   received record. */
	/* more fields ... JJLATER */
	} ;
