Network forensics in a clean-slate Internet architecture

This paper reflects on the network forensic implication of a specific clean-slate future internetwork architecture. The paper first provides an overview of the architecture and how it compares to the well-established TCP/IP model. The architecture´s network forensic features are then considered. The architecture´s approach to naming and addressing fundamentally differs from the approach used in the current Internet. Great care is taken to distinguish between names and addresses. Names are used to identify entities and generally have a large scope. Addresses, however, are used to locate entities within a limited scope and are consequently not necessarily globally significant. These properties in particular create additional challenges when capturing and analysing network traffic as evidence. The paper shows that the architecture is well-suited for a distributed systems approach to forensics and that the network architecture increases the potential sources of reliable evidence.