Monitoring IPv6 Transition Techniques: Matěj Grégr


Monitoring IPv6 transition techniques

Matěj Grégr
Brno University of Technology, Faculty of Information Technology
[email protected]
Motivation

• Monitoring transition techniques

• Inability of monitoring tools to monitor tunneled traffic

• Testing plugins for Flowmon exporter

Insight into tunneled traffic

• Flow: 192.168.2.16:3797 -> 83.170.1.38:32900 proto UDP

• Flow: [2001:0:4137:9e50:8000:f12a:b9c8:2815]:1286 -> [2001:4860:0:2001::6]:80 proto TCP

Transition techniques and security

• ACL: deny any to any proto tcp eq 25

Topology ①

Netflow probe

Topology ②

Transition techniques

• Simple encapsulation:
  • 6to4
  • 6rd
  • ISATAP

• More complicated encapsulation:
  • 6in4
  • AYIYA

• Most complicated encapsulation:
  • Teredo

Simple encapsulation

• Protocol field in the IPv4 header set to value 41

• Used by: 6to4, 6rd, ISATAP
  • 6to4
    • Detection is based on:
      • IPv6 prefix 2002::/16
      • Anycast IPv4 address – 192.88.99.1
  • ISATAP
    • 64-bit link-local or global unicast prefix + 0000:5EFE + <IPv4 of ISATAP link>
  • 6rd
    • Does not use an anycast relay; uses the ISP's IPv6 prefix

More complex encapsulation – AYIYA

• UDP – allows NAT traversal
  • 6in4 = AYIYA without security
  • UDP port 5072

• Problem: distinguishing AYIYA traffic from other traffic on port 5072
  • Epoch time check

The most complex encapsulation – Teredo ①

• UDP, similar to AYIYA
  • NAT traversal
  • Basic communication – UDP port 3544

• Several Teredo headers

• How to process them?
The most complex encapsulation – Teredo ②

• Difficult to detect
  • Every UDP packet must be processed – UDP video streams (multicast, DNS)
  • The beginning of an IPv6 header is sometimes the same as the transaction ID of a DNS packet

• Difficult to distinguish Teredo traffic
  • Stateful protocol – stateless monitoring

• Firewall issues?

Flowmon probe

• Module for HP 5406

Flowmon probe

• Linux (CentOS 5.2) installed

• NetFlow data exporter
  • Binary application from INVEA-TECH a.s.

• One input interface
  • Input / output traffic cannot be distinguished

Flowmon probe – plugin

• INVEA community program

• Exporter provides an API for flow modification
  • Possibility to modify a packet or a flow
  • Possibility to export a flow directly – bypassing the flow cache
  • Non-trivial C coding

• Different versions of exporters
  • Higher version – more features, e.g. MAC address export

Plugin + tunneled traffic detection ①

• Every relevant header is decapsulated
  • Flows are created and filled with relevant information
    • Ethernet – MAC addresses (currently unsupported), VLAN
    • IPv4 – src, dst addresses
    • UDP/TCP – src, dst ports
    • IPv6 – src, dst addresses
    • ICMP/ICMPv6 – message code (echo request, reply)

• Exported as a NetFlow v9 packet and sent to the collector

Plugin + tunneled traffic detection ②

• Most complex is the decapsulation of Teredo traffic
  • Binary data stream without knowledge of the context
  • It looks like IPv6, it behaves like IPv6 – it is probably IPv6!

• Traffic is distinguished – output interface field
  • native, 6to4, Teredo, ISATAP, AYIYA
  • Simplifies the processing of NetFlow data (statistics)

• NetFlow data are sent to the collector (nfcapd)
  • Processed with scripts and sent to Zabbix
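The detection rules from the encapsulation slides (protocol 41 with the 2002::/16 prefix or the 192.88.99.1 anycast relay, the 0000:5EFE ISATAP interface ID, UDP 5072 with the AYIYA epoch check, UDP 3544 with the "looks like IPv6, behaves like IPv6" test after the Teredo headers) combined into one classifier, as an added Python example that is not the Flowmon plugin's C code. It assumes the authentication and origin indication layouts of RFC 4380, the epoch field position from the AYIYA draft, a 120-second epoch window, and label strings of my own choosing; the sample packets are constructed.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

SIX_TO_FOUR = IPv6Network("2002::/16")
SIX_TO_FOUR_RELAY = "192.88.99.1"          # anycast relay address from the slides
TEREDO_PORT, AYIYA_PORT = 3544, 5072
AYIYA_EPOCH_WINDOW = 120                   # assumed tolerance (seconds) for the epoch check

def looks_like_ipv6(payload: bytes) -> bool:
    """Version nibble 6 AND a payload-length field matching the bytes present;
    the length check rejects DNS packets whose transaction ID starts with 6."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return False
    return 40 + struct.unpack("!H", payload[4:6])[0] == len(payload)

def strip_teredo_headers(payload: bytes) -> bytes:
    """Skip the RFC 4380 authentication (0x0001) and origin (0x0000) indications."""
    if payload[:2] == b"\x00\x01" and len(payload) >= 4:
        payload = payload[13 + payload[2] + payload[3]:]   # 4 + ID + AU + nonce(8) + confirm(1)
    if payload[:2] == b"\x00\x00":
        payload = payload[8:]                               # 2 + port(2) + IPv4(4)
    return payload

def is_isatap(addr: IPv6Address) -> bool:
    # Interface ID 0000:5EFE:<IPv4>; 0200:5EFE when the u bit is set for a global IPv4
    return addr.packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")

def ipv6_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Bare IPv6 header (next header 59 = none) for constructed sample packets."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, 59, 64)
            + IPv6Address(src).packed + IPv6Address(dst).packed)

def classify(v4_src, v4_dst, proto, sport=None, dport=None, payload=b"", now=0):
    """Label an outer IPv4 packet the way the plugin fills the output-interface field."""
    if proto == 41:                                         # simple encapsulation
        if not looks_like_ipv6(payload):
            return "proto41-malformed"
        src, dst = IPv6Address(payload[8:24]), IPv6Address(payload[24:40])
        if SIX_TO_FOUR_RELAY in (v4_src, v4_dst) or src in SIX_TO_FOUR or dst in SIX_TO_FOUR:
            return "6to4"
        if is_isatap(src) or is_isatap(dst):
            return "isatap"
        return "6in4/6rd"                                   # 6rd: ISP prefix, no anycast relay
    if proto == 17 and TEREDO_PORT in (sport, dport):
        return "teredo" if looks_like_ipv6(strip_teredo_headers(payload)) else "udp-3544-other"
    if proto == 17 and AYIYA_PORT in (sport, dport) and len(payload) >= 8:
        epoch = struct.unpack("!I", payload[4:8])[0]        # epoch follows the 4-byte AYIYA header
        return "ayiya" if abs(epoch - now) <= AYIYA_EPOCH_WINDOW else "udp-5072-other"
    return "no-tunnel"
```

A native-prefix flow carried in protocol 41 without the 2002::/16 prefix or the anycast relay, like the dormitory "relay" case on the next slide, lands in the 6in4/6rd bucket, which is exactly the kind of anomaly worth alerting on.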

Packet processing

IPv6 native, Teredo

6to4, ISATAP

Compare to IPv4 traffic

• Total traffic = IPv4 + IPv6

Native traffic

• IPv6 native traffic
  • 86% web (77% port 80, 9% port 443) – 570GB/day
    • Google – approx. 70%
    • FIT – video servers – approx. 10%
    • Navratdoreality.cz – approx. 10%
    • Funny pictures and porn
  • 6% Real Time Messaging Protocol – 40GB/day
    • Applications for video/audio streaming – p2p streaming

Teredo, 6to4, ISATAP traffic

• UDP dynamic ports
  • Necessary to use DPI
  • Mainly UDP traffic + a little TCP
  • ISATAP
    • None – requires a DNS name – not used at BUT
  • 6to4
    • Mainly UDP traffic
    • Native traffic sometimes flows through a 6to4 tunnel:
      2001:67c:1220:c1b2:cabc:c8ff:fea4:21e8.51858 -> 2a01:4f8:100:3021:188:40:234:48.80
      Encapsulated through "relay" 147.229.186.110 – b05-329b.kn.vutbr.cz – student dormitory

• Rogue router advertisement problem – even though rogue RAs are monitored and erased from routing tables

Future work

• Testing a new version of the exporter
  • More flexible – possibility to modify input, flow cache and output
  • Support for rawnetpcap
  • More complex

• More detailed traffic analysis
  • Suggestions are welcome

• Thanks to Pavel Čeleda and Martin Elich for initial support with plugin development

???
