Nmap Development mailing list archives

[NSE] ipOps.isPrivate new special use assignments, performance improvement, return value enhancement


From: jah <jah () zadkiel plus com>
Date: Mon, 12 Apr 2010 21:29:13 +0100

Hi folks,

Attached is a patch for ipOps.lua which adds some special use IPv4
addresses to isPrivate which are described in RFC 5736 [1] and RFC 5737
[2], published in Jan 2010. These are:

192.0.0.0/24    RFC 5736 IETF Protocol Assignments
192.0.2.0/24    RFC 5737 TEST-NET-1
198.51.100.0/24 RFC 5737 TEST-NET-2
203.0.113.0/24  RFC 5737 TEST-NET-3

In addition, the patch adds:

198.18.0.0/15 RFC 2544 Network Interconnect Device Benchmark Testing
224.0.0/24    RFC 3171 Multicast Local Network Control Block
240.0.0.0/4   RFC 1112 Reserved for Future Use (assignment includes
              RFC 919 RFC 922 Limited Broadcast)

None of these are 'Private Use' addresses as defined in RFC 1918, but
neither are Loopback and Link Local addresses currently defined in
isPrivate.
Nevertheless, they're supposed to be non-routable over the public
internet.  I welcome any comments on whether they should or should not
be included.
I reckon we should rename isPrivate to something closer to its current
function, such as isRoutable or isSpecialUse - maybe even keep isPrivate
and just test for private use addresses.

The patch also refactors the isPrivate tests for IPv4 addresses to use
string.sub and string.match as much as possible instead of calling
ip_in_range so much.  The refactored code is two orders of magnitude
faster than the existing code.  For one or two tests, this doesn't make
much difference, but for 10000 tests of IPv4 addresses it amounts to
nearly 30 seconds difference on my x86 machine.
I've attached ipprivtest.nse which tests isPrivate by calling it a few
times for each special use assignment and also performs a crude speed test:

nmap -sn -Pn -n --script=ipprivtest.nse --script-args=n=10000 <any_target>

Current ipOps:

Host script results:
| ipprivtest: Passed 51 of 65 test cases. Failures:
| <snip - failures are for assignments not currently handled>
|_Speed test: 10000 isPrivate calls in ~ 28.28 seconds.

Patched ipOps:

Host script results:
| ipprivtest: Passed 65 of 65 test cases.
|_Speed test: 10000 isPrivate calls in ~ 0.25 seconds.

The final feature the patch would add is to complement the return value
from isPrivate, when it is true, with a string representing the special
use assignment that contains the tested address. So where it currently
returns:

bool true, nil

it would instead return

bool true, string <range>

e.g. ipOps.isPrivate(192.168.1.1) => true, '192.168/16'

The other return cases are unaffected:

bool false, nil
nil, err

I have a use case for this enhancement: In ntp-monlist I want the script
output to summarise the 'leaked' internal addresses and this feature
allows a single call to isPrivate to both determine whether an IP is
'private' and to inform the caller what kind of 'private'.  I think this
may be generally useful. None of the included scripts using isPrivate
(whois, asn-query) would be adversely affected by this change.

Out of the three changes, I most want to see the speed improvement in
the next nmap release.

Best,

jah

[1] - http://tools.ietf.org/html/rfc5736
[2] - http://tools.ietf.org/html/rfc5737
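As an added illustration (not the attached patch, and not Nmap's own ipOps code), here is a small Lua function in the spirit of the refactor described above: it classifies an IPv4 address with string.match and a table keyed on the first octet instead of repeated ip_in_range calls, and returns (true, range), (false, nil) or (nil, err) as the message proposes. The names is_special_use, octets and CHECKS are this example's own.

```lua
-- Parse a dotted quad with a single string.match; returns a,b,c,d as numbers
-- or nil, err for malformed input (the third return shape from the message).
local function octets(ip)
  local a, b, c, d = string.match(ip, "^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil, "not a dotted-quad IPv4 address" end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then
    return nil, "octet out of range"
  end
  return a, b, c, d
end

-- Checks keyed on the first octet; each returns the matching range label
-- (in the shorthand form used in the message, e.g. "192.168/16") or nil.
local CHECKS = {
  [10]  = function() return "10/8" end,                                 -- RFC 1918
  [127] = function() return "127/8" end,                                -- loopback
  [169] = function(b) if b == 254 then return "169.254/16" end end,     -- link local
  [172] = function(b) if b >= 16 and b <= 31 then return "172.16/12" end end, -- RFC 1918
  [192] = function(b, c)
    if b == 168 then return "192.168/16" end                            -- RFC 1918
    if b == 0 and c == 0 then return "192.0.0/24" end                   -- RFC 5736
    if b == 0 and c == 2 then return "192.0.2/24" end                   -- RFC 5737 TEST-NET-1
  end,
  [198] = function(b, c)
    if b == 18 or b == 19 then return "198.18/15" end                   -- RFC 2544
    if b == 51 and c == 100 then return "198.51.100/24" end             -- RFC 5737 TEST-NET-2
  end,
  [203] = function(b, c) if b == 0 and c == 113 then return "203.0.113/24" end end, -- TEST-NET-3
  [224] = function(b, c) if b == 0 and c == 0 then return "224.0.0/24" end end,     -- RFC 3171
}

-- Returns true, range | false, nil | nil, err  (the three shapes in the message).
local function is_special_use(ip)
  local a, b, c = octets(ip)
  if not a then return nil, b end       -- b carries the error string here
  if a >= 240 then return true, "240/4" end                             -- RFC 1112 reserved
  local check = CHECKS[a]
  local range = check and check(b, c)
  if range then return true, range end
  return false, nil
end

-- Constructed self-checks, one per return shape.
assert(select(2, is_special_use("192.168.1.1")) == "192.168/16")
assert(select(2, is_special_use("198.19.7.7")) == "198.18/15")
assert(is_special_use("8.8.8.8") == false)
assert(is_special_use("300.1.1.1") == nil)
```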

Attachment: ipOps.lua.patch
Attachment: ipprivtest.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
