Skip to main content

D3 Data Sharing Flows


Distributed device descriptors are designed to be shared.

A D3 statement encapsulates an interoperable payload (JSON data), within a structure that identifies the identity of the issuer of the information. This allows the recipient of the information to identify the data provenance irrespective of the method of transport. This makes it ideal for sharing operational cyber security information in real time.

Practically, however, we need to consider the pros and cons of information disclosure, for various cyber security use cases. Too little information and the data is of no practical use for cyber security analysis; too much information carries both performance and privacy implications.

In this document we will outline a set of prioritised practical data sharing use cases and define the precise data structures to be transported.

This document covers the sharing of operational cyber security data between peers or peers and an authority, This document does not address the submission and approval of primary type data; that is covered in the D3 Sources section

Payload use cases

In this section we define the data structure to be shared, and the typical use to which this data is put


Two collaborators may share the full capture of all activity observed across the network, or network segment.

PCAPs are well specified

StructureAnd interoperable PCAP file defined by:
File is authenticated using a D3 claim and file is referenced by relative file name/URI and MD5 hash
PurposeForensic analysis of an attack, post event.
Fine grained data against which an future unspecified algorithm can be runt
ConsiderationsBandwidth and storage: PCAP files can be large, reflecting the full data captured.
Privacy: this method exposes all unencrypted data for all devices in visibility. This method should only be use between strongly trusted parties

Filtered PCAP

Typical filters may include

  • restrict

Actor use cases

In this section we define the typical actors involved in the data exchange.

Authenticating a source

See section on authenticated sources in the D3 Sources document .