I'll chime in seeing as most of the v6 code is mine. Adding IPv6
support was actually pretty easy for us. We had to add another branch
at the ethertype demux layer:
packet_receive()
if (ether_type == ETHERTYPE_IP)
ip_receive()
else if (ether_type == ETHERTYPE_IPV6)
ip6_receive()
The IPv6 IP layer stuff is almost identical to the IPv4 IP stuff. The
biggest difference is how it parses the IPv6 options. They even share
most of the fragment reassembly code. At the end of both IP stacks we
check for tunnels and recurse the packet back into whichever stack was
tunneled.
The only change to the UDP layer is the checksum code (UDP checksums
are mandatory in IPv6) and the pseudoheader obviously extended for the
longer addresses.
The TCP stack changes involved the checksumming again and extending the
state lookup for the longer addresses.
We chose to do IPv6 support exclusively in the engine and keep the
signature language IP version agnostic as much as possible. Our N-Code
language contains intrinsic variables like 'ip.src' and 'tcp.connSrc'
which have their own "IP address" typing which was extended to
transparently support IPv6 as well as v4. An example from Matt LeGrow's
MSRPC portmapper code:
$index = pack(ip.src, ip.dst, udp.dport, "UDP");
if (MSRPC_PORTMAP[$index]) {
...
MSRPC_PORTMAP is an associative array (just like a hash table) which is
watching for msrpc portmap scanning. The hash key is based on 'ip.src'
and 'ip.dst' which can be either of IPv4 or IPv6 without the actual
signature having to care.
There are constructs in the N-Code signature language to specify IPv4 or
IPv6 if the signature needs the information or is specific to one IP
version.
The performance hit is probably on the order of ~1%. We lose hardware
checksum acceleration with IPv6; which gets offset by the fact that
doing the checksum in software acts like a cache preload. And there are
obviously a few extra branches in the IPv4/IPv6 shared code.
.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
> Mike,
>
> Adding IPv6 support is not a trivial process. Can you be a little more
> specific?
>
> -----Original Message-----
> From: Mike Barkett [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 07, 2005 5:26 PM
> To: 'Scott Sloan'; 'David Williams'; 'Planz'
> Cc: [email protected]
> Subject: RE: IPv6 support in IDS/IPS products
>
> Scott -
>
> There is no performance hit on NFR, as IPv6 support is built into the sensor
> engine.
>
> Thanks.
> -MAB
>
>
> > -----Original Message-----
> > From: Scott Sloan [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 07, 2005 4:49 PM
> > To: 'David Williams'; 'Planz'
> > Cc: 'Mike Barkett'; [email protected]
> > Subject: RE: IPv6 support in IDS/IPS products
> >
> > What is the performance hit when turning on this feature within NFR and
> > ISS?
> >
> > -Scott
> >
> > -----Original Message-----
> > From: David Williams [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 07, 2005 9:51 AM
> > To: Planz
> > Cc: Mike Barkett; [email protected]
> > Subject: Re: IPv6 support in IDS/IPS products
> >
> > I'm a little surprised. I have only heard back from two vendors that
> > claim to do full IPv6: NFR & ISS. I doubt this is an accurate
> > representation, so I'll try one more time. Has anybody heard anything
> > about the other products out there?
> >
> > thanks,
> >
> > D
> >
> >
> > On 11/3/05, Planz <[EMAIL PROTECTED]> wrote:
> > > As per the below whitepaper, ISS is supporting IPv6 and corresponding
> > > tunneling to IPv4 and vice versa, but I have seen no claims by other
> > > verdors as well.
> > >
> > > http://documents.iss.net/whitepapers/IPv6.pdf
> > >
> > > Besides that, I read an interesting slide on IPv6 Security in the
> > > following link:
> > >
> > > http://www.wareonearth.com/whitepapers/IPv6SecurityIssues.pps
> > >
> > >
> > >
> > > Mike Barkett wrote:
> > >
> > > >David -
> > > >
> > > >I will pipe up for NFR. Our Sentivist Smart sensors are natively
> > capable
> > of
> > > >"all of the above" at the sensor engine level. Tunneling, full
> > analysis,
> > > >everything. And we've been doing it for a couple of years now.
> > > >
> > > >I cannot provide a list of vendors who do this, but I will say that I
> > was
> > > >told 7 months ago by an IPv6 expert that we were the only IPS vendor he
> > was
> > > >aware of who did it "properly". I don't know if that's actually/still
> > true,
> > > >so I'd be very interested in seeing who else chimes in on this thread.
> > > >
> > > >Not surprisingly, we find this feature to be very popular in the U.S.
> > > >government and overseas, particularly in Asia. What we try to explain
> > to
> > > >the rest of the world is that even if they don't think they are running
> > > >IPv6, parts of their network may still be at risk of a tunneled IPv6
> > attack.
> > > >
> > > >-MAB
> > > >
> > > >--
> > > >(nfr)(security)
> > > >Michael A Barkett, CISSP
> > > >Vice President, Systems Engineering
> > > >(www.nfr.com) +1.240.632.9000 Fax: +1.240.747.3512
> > > >
> > > >
> > > >
> > > >>-----Original Message-----
> > > >>From: David Williams [mailto:[EMAIL PROTECTED]
> > > >>Sent: Sunday, October 30, 2005 9:53 AM
> > > >>To: [email protected]
> > > >>Subject: IPv6 support in IDS/IPS products
> > > >>
> > > >>Hi list,
> > > >>
> > > >>I've read that some IDS/IPS vendors can monitor IPv6, but not
> > > >>completely. For example, they might be able to alert on the
> > > >>presence of IPv6 traffic, but they can't actually do full analysis
> > > >>because they can't parse the headers correctly. Especially for
> > > >>things like IPv6 tunneled over IPv4, or IPv6 tunneled over IPv6, etc.
> > > >>
> > > >>Does anybody have a list of which vendors support what, and to what
> > > >>extent?
> > > >>
> > > >>thanks,
> > > >>
> > > >>D
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
