IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IPv6 support in IDS/IPS products

From: Mike Frantzen <frantzen () nfr com>
Date: Thu, 10 Nov 2005 09:10:49 -0500

I'll chime in seeing as most of the v6 code is mine.  Adding IPv6
support was actually pretty easy for us.  We had to add another branch
at the ethertype demux layer:
        packet_receive()
                if (ether_type == ETHERTYPE_IP)
                        ip_receive()
                else if (ether_type == ETHERTYPE_IPV6)
                        ip6_receive()
The IPv6 IP layer stuff is almost identical to the IPv4 IP stuff.  The
biggest difference is how it parses the IPv6 options.  They even share
most of the fragment reassembly code.  At the end of both IP stacks we
check for tunnels and recurse the packet back into whichever stack was
tunneled.

The only change to the UDP layer is the checksum code (UDP checksums
are mandatory in IPv6) and the pseudoheader obviously extended for the
longer addresses.

The TCP stack changes involved the checksumming again and extending the
state lookup for the longer addresses.


We chose to do IPv6 support exclusively in the engine and keep the
signature language IP version agnostic as much as possible.  Our N-Code
language contains intrinsic variables like 'ip.src' and 'tcp.connSrc'
which have their own "IP address" typing which was extended to
transparently support IPv6 as well as v4.  An example from Matt LeGrow's
MSRPC portmapper code:
        $index = pack(ip.src, ip.dst, udp.dport, "UDP");
        if (MSRPC_PORTMAP[$index]) {
                ...
MSRPC_PORTMAP is an associative array (just like a hash table) which is
watching for msrpc portmap scanning.  The hash key is based on 'ip.src'
and 'ip.dst' which can be either of IPv4 or IPv6 without the actual
signature having to care.

There are constructs in the N-Code signature language to specify IPv4 or
IPv6 if the signature needs the information or is specific to one IP
version.


The performance hit is probably on the order of ~1%.  We lose hardware
checksum acceleration with IPv6; which gets offset by the fact that
doing the checksum in software acts like a cache preload.  And there are
obviously a few extra branches in the IPv4/IPv6 shared code.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28


Mike,

Adding IPv6 support is not a trivial process. Can you be a little more
specific? 

-----Original Message-----
From: Mike Barkett [mailto:mbarkett () nfr com] 
Sent: Monday, November 07, 2005 5:26 PM
To: 'Scott Sloan'; 'David Williams'; 'Planz'
Cc: focus-ids () securityfocus com
Subject: RE: IPv6 support in IDS/IPS products

Scott -

There is no performance hit on NFR, as IPv6 support is built into the sensor
engine.

Thanks.
-MAB



-----Original Message-----
From: Scott Sloan [mailto:swsloan.ml () gmail com]
Sent: Monday, November 07, 2005 4:49 PM
To: 'David Williams'; 'Planz'
Cc: 'Mike Barkett'; focus-ids () securityfocus com
Subject: RE: IPv6 support in IDS/IPS products

What is the performance hit when turning on this feature within NFR and
ISS?

-Scott

-----Original Message-----
From: David Williams [mailto:dwilliamsd () gmail com]
Sent: Monday, November 07, 2005 9:51 AM
To: Planz
Cc: Mike Barkett; focus-ids () securityfocus com
Subject: Re: IPv6 support in IDS/IPS products

I'm a little surprised.  I have only heard back from two vendors that
claim to do full IPv6: NFR & ISS.  I doubt this is an accurate
representation, so I'll try one more time.  Has anybody heard anything
about the other products out there?

thanks,

D


On 11/3/05, Planz <planz2009 () gmail com> wrote:

  As per the below whitepaper, ISS is supporting IPv6 and corresponding
tunneling to IPv4 and vice versa, but I have seen no claims by other
verdors as well.

http://documents.iss.net/whitepapers/IPv6.pdf

Besides that, I read an interesting slide on IPv6 Security in the
following link:

http://www.wareonearth.com/whitepapers/IPv6SecurityIssues.pps



Mike Barkett wrote:


David -

I will pipe up for NFR.  Our Sentivist Smart sensors are natively

capable
of

"all of the above" at the sensor engine level.  Tunneling, full

analysis,

everything.  And we've been doing it for a couple of years now.

I cannot provide a list of vendors who do this, but I will say that I

was

told 7 months ago by an IPv6 expert that we were the only IPS vendor he

was

aware of who did it "properly".  I don't know if that's actually/still

true,

so I'd be very interested in seeing who else chimes in on this thread.

Not surprisingly, we find this feature to be very popular in the U.S.
government and overseas, particularly in Asia.  What we try to explain

to

the rest of the world is that even if they don't think they are running
IPv6, parts of their network may still be at risk of a tunneled IPv6

attack.


-MAB

--
(nfr)(security)
Michael A Barkett, CISSP
Vice President, Systems Engineering
(www.nfr.com) +1.240.632.9000 Fax: +1.240.747.3512




-----Original Message-----
From: David Williams [mailto:dwilliamsd () gmail com]
Sent: Sunday, October 30, 2005 9:53 AM
To: focus-ids () securityfocus com
Subject: IPv6 support in IDS/IPS products

Hi list,

I've read that some IDS/IPS vendors can monitor IPv6, but not
completely.  For example, they might be able to alert on the
presence of IPv6 traffic, but they can't actually do full analysis
because they can't parse the headers correctly.  Especially for
things like IPv6 tunneled over IPv4, or IPv6 tunneled over IPv6, etc.

Does anybody have a list of which vendors support what, and to what
extent?

thanks,

D


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: