How does zERT aggregation summarize the information?

The zERT discovery information is aggregated into separate security session records according to the following rules:
  • The connections must use the same server IP address and client IP address.
  • The connections must use the same individual server port or server port range (see How does zERT aggregation determine the server port? for more information).
  • The connections must have the same job name associated with the local endpoint.
  • The connections must have the local endpoint acting in the same role, either server or client. When the server and client of a TCP connection use the same IP address, separate session records are maintained for the server view and for the client view of the security session.
  • The connections must use the same significant security cryptographic attributes for the security session being aggregated.
    • Significant security cryptographic attributes are characteristics of the security session, such as cipher, authentication method, etc., that make a substantial difference to the strength of the security coverage being provided by the security session.
    • The zERT discovery function also collects and records informational security cryptographic attributes, such as tunnel ID, handshake time limits, etc. These attributes are of interest for a given TCP connection but do not have any impact on the protection strength provided. The zERT aggregation function does not report or consider informational security cryptographic attributes when aggregating connection information.
Consider the following example:
  • Client-A at 10.11.1.2 establishes a series of six TCP connections to the server at 10.12.3.3, port 50. All connections use the same TLS security coverage characteristics.
  • Client-B at 10.11.1.4 establishes a series of three TCP connections to the same server at 10.12.3.3, port 50. All connections use both IPSec and TLS security coverage.
  • Client-C, also at 10.11.1.4 (so with the same client IP address as Client-B), establishes three connections to the same server, and all connections use the same IPSec tunnels and TLS sessions as the Client-B connections.

The zERT discovery function would generate at least 12 SMF records for this example if all 12 TCP connections were short-lived (less than 10 seconds in duration), one record per connection, or at least 24 records if all TCP connections were long-lived (more than 10 seconds in duration), two records per connection. More records are written if the security attributes of a connection change during its lifetime, hence "at least".

The zERT aggregation function would instead generate just three SMF records, because a connection protected by both IPSec and TLS contributes to one session record per protocol:
  • The six connections involving Client-A would be aggregated into a single SMF record, since they share the client IP address, server IP address, server port and TLS attributes.
  • The six connections involving the other clients would be aggregated into two SMF records:
    • One SMF record would report the use of the IPSec tunnel for the connections involving both Client-B and Client-C.
    • One SMF record would report the use of the TLS session for the connections involving both Client-B and Client-C.
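The following Python model, added here as an illustration of the aggregation rules and of the Client-A/B/C example above, is not IBM code and does not read real SMF records. It constructs the 12 connections of the example, counts the minimum number of discovery records (one per short-lived connection, two per long-lived one), and then groups the connections by an aggregation key built from the rules listed above: server IP, client IP, server port, local job name, local role, protocol and the significant attributes. Informational attributes are carried on each protection but deliberately excluded from the key. The server-port-range rule from the port-determination topic is not modelled; the port is used as-is, and all attribute names, values and job names are assumptions of this example.

```python
"""Toy model of zERT aggregation grouping rules (added example, not IBM code)."""
from collections import defaultdict
from dataclasses import dataclass, field

SHORT_LIVED_SECONDS = 10.0   # zERT: a connection under 10 seconds is short-lived


@dataclass(frozen=True)
class Protection:
    """One security protocol covering a connection (TLS or IPSec here)."""
    protocol: str
    # Significant attributes (cipher, authentication method, ...) decide aggregation.
    significant: tuple
    # Informational attributes (tunnel ID, handshake time, ...) are recorded by
    # discovery but ignored by aggregation, so they are kept out of equality/hash.
    informational: dict = field(default_factory=dict, compare=False, hash=False)


@dataclass(frozen=True)
class Connection:
    conn_id: int
    client_ip: str
    server_ip: str
    server_port: int
    local_job: str       # job name of the local endpoint (assumed name)
    local_role: str      # "server" or "client": the local endpoint's role
    duration_s: float
    protections: tuple   # one Protection per protocol covering the connection


def discovery_record_count(conns):
    """Minimum discovery records: one per short-lived connection (termination
    only), two per long-lived connection (initiation plus termination)."""
    return sum(1 if c.duration_s < SHORT_LIVED_SECONDS else 2 for c in conns)


def aggregation_key(conn, prot):
    """Everything that must match for two connections to share one security
    session record. One key per (connection, protocol) pair, so a connection
    covered by both IPSec and TLS lands in two records. Port ranges are not
    modelled (assumption): the server port is used as-is."""
    return (conn.server_ip, conn.client_ip, conn.server_port,
            conn.local_job, conn.local_role, prot.protocol, prot.significant)


def aggregate(conns):
    """Group connections into security session records: {key: sorted conn_ids}."""
    sessions = defaultdict(list)
    for c in conns:
        for p in c.protections:
            sessions[aggregation_key(c, p)].append(c.conn_id)
    return {k: sorted(v) for k, v in sessions.items()}


def summarize(sessions):
    """Each aggregated record as (protocol, client_ip, conn_ids), sorted."""
    return sorted((k[5], k[1], tuple(v)) for k, v in sessions.items())


# Constructed sample data modelled on the page's example (attribute values assumed).
TLS = Protection("TLS", (("version", "TLSv1.2"), ("cipher", "AES128-GCM-SHA256"),
                         ("auth", "server-cert")))
IPSEC = Protection("IPSec", (("encap", "ESP"), ("cipher", "AES-CBC-128"),
                             ("auth", "HMAC-SHA1")))


def sample_connections():
    conns = []
    # Client-A: six short-lived TLS-only connections with identical TLS attributes.
    for i in range(6):
        conns.append(Connection(i + 1, "10.11.1.2", "10.12.3.3", 50, "SRVJOB",
                                "server", 3.0, (TLS,)))
    # Client-B and Client-C, both at 10.11.1.4: three connections each over the
    # same IPSec tunnel and TLS session; only informational attributes differ.
    for n, who in enumerate(("Client-B", "Client-C")):
        for i in range(3):
            ipsec = Protection("IPSec", IPSEC.significant,
                               {"tunnel_id": "TUN0001", "observer": who})
            tls = Protection("TLS", TLS.significant,
                             {"handshake_ms": 40 + 10 * i + 100 * n})
            conns.append(Connection(7 + 3 * n + i, "10.11.1.4", "10.12.3.3", 50,
                                    "SRVJOB", "server", 3.0, (ipsec, tls)))
    return conns


if __name__ == "__main__":
    conns = sample_connections()
    print("discovery records (min):", discovery_record_count(conns))
    for rec in summarize(aggregate(conns)):
        print("aggregated record:", rec)
```

Running the module prints 12 discovery records and three aggregated records: one TLS record for Client-A, and one IPSec and one TLS record shared by Client-B and Client-C. Changing a significant attribute such as the cipher on one connection splits it into its own record, whereas changing only an informational attribute does not, which is the distinction the rules above draw.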