You Can't Do That On Protocols Anymore: Analysis of Covert Channels in IETF Standards

Luca Caviglione
2024

Abstract

Information hiding techniques are used by threat actors to elude countermeasures and prevent reversing the attack chain. Recently, they have been deployed to create covert channels, i.e., parasitic communication paths cloaked in network traffic and digital objects. Unfortunately, their detection and mitigation are not simple tasks, especially when information is hidden in network protocols. For instance, revealing the presence of additional data is context-dependent, and sanitization could partially impair the traffic. In this paper, we analyze the work of the IETF to evaluate whether risks arising from the presence of covert channels have been considered during the standardization phase. Our findings indicate that the exposure to hidden communications has been addressed only occasionally. We then provide some guidelines to improve the standardization of new protocols and services, especially to avoid the need to deploy a posteriori fixes.
Istituto di Matematica Applicata e Tecnologie Informatiche - IMATI
covert channels
information hiding
protocols
IETF
standards
network security

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/450512