Nmap Development mailing list archives

Re: GSoC 2011 - IPv6 idea


From: David Fifield <david () bamsoftware com>
Date: Thu, 7 Apr 2011 16:09:04 -0700

On Wed, Apr 06, 2011 at 10:46:58PM +0200, Linh Vu Hong wrote:
> Currently I was busy with my studies at school, so I did not follow up
> with the conversation. I attached my proposal for the project of
> adding an IPv6 OS detection feature. Please take a look and give me some
> comments.
> Thanks!
> Best regards,
>
> Linh

> I would like to work on the project of adding IPv6 features to Nmap,
> especially in the OS detection feature. Based on research of the
> related literature and suggestions from David Fifield, OS
> detection or OS fingerprinting is mainly based on the differences in
> the vendors' implementations of the IP/TCP stack. This
> fingerprinting can be active or passive. According to the report of
> Frederic Beck [1], passive fingerprinting is not effective.

I wouldn't assume that passive IPv6 fingerprinting is not effective. I
haven't seen convincing research either way. But for Nmap, yes, we are
thinking of an active scanner.

> Therefore, in this project, we will focus on active
> fingerprinting. The expected timeline for the project is as follows:
>       - Continue to research the literature, including the related RFC
>       standards, and implement and check whether existing IPv4 tests can
>       be used in IPv6. Furthermore, check the effectiveness of the various
>       tests for IPv6 proposed in [1][2] and the mapping approach of
>       SinFP [3] (3 weeks)

Yes, that's a good question to answer: Do operating systems in fact
treat IPv4 and IPv6 the same with respect to header fields, or do they
differ in common configurations?

>       - Based on the results of stage 1, propose and implement a
>       sample test suite for both one-hop and over-the-Internet IPv6 OS
>       fingerprinting. Check the effectiveness of that test suite.
>       (2 weeks)
>       - From the results of stage 2 and the literature, build new tests
>       for IPv6, probably based on the extension headers, and analyze the
>       tests. (3 weeks)
>       - In parallel, build a new test suite and collect the fingerprint
>       database. Implement the matching algorithm. (2 weeks)
>       - Implement and integrate the feature into Nmap. Testing and
>       reviewing (2 weeks)
>       To detect different versions of one OS, it should be noted
>       that some vendors may implement the IPv6 stack once and port it
>       to all of their OSes, making this task more complex.

This is a problem we already deal with in IPv4. Just try counting the
number of Windows XP fingerprints in nmap-os-db to see what kind of
variety is possible within one operating system. I think that we'll be
able to make an IPv6 system even more sensitive than the IPv4 system, so
I don't think distinguishing similar OSes will be a problem. But that's
the point--we don't know until we do the measurements.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
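The counting exercise David suggests, as an added example that is not part of the thread or of Nmap itself: a small parser for the `Fingerprint` / `Class` layout of nmap-os-db that tallies how many distinct fingerprints fall under one OS generation. The database text below is constructed for the example, not copied from the real nmap-os-db.

```python
# Added example (not from the thread or from Nmap): count how many
# distinct nmap-os-db fingerprints share one OS class, to illustrate the
# intra-OS variety mentioned above. SAMPLE_OS_DB is constructed sample
# text in nmap-os-db layout, not real database entries.
from collections import Counter

SAMPLE_OS_DB = """\
# constructed sample in nmap-os-db layout
Fingerprint Microsoft Windows XP SP2
Class Microsoft | Windows | XP | general purpose
SEQ(SP=7E-88%GCD=1-6%ISR=7A-84%TI=I%II=I%SS=S%TS=0)

Fingerprint Microsoft Windows XP SP3
Class Microsoft | Windows | XP | general purpose
SEQ(SP=80-8A%GCD=1-6%ISR=7B-85%TI=I%II=I%SS=S%TS=0)

Fingerprint Microsoft Windows XP SP2 or Windows Server 2003
Class Microsoft | Windows | XP | general purpose
Class Microsoft | Windows | 2003 | general purpose
SEQ(SP=7F-89%GCD=1-6%ISR=7A-84%TI=I%II=I%SS=S%TS=0)

Fingerprint Linux 2.6.32
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=C8-D2%GCD=1-6%ISR=C9-D3%TI=Z%II=I%TS=8)
"""

def parse_os_db(text):
    """Return a list of (fingerprint_name, [class tuples]) entries.
    A Class line is 'vendor | osfamily | osgen | devicetype'; the
    probe-result lines (SEQ, OPS, ...) are ignored for this purpose."""
    entries, name, classes = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            if name is not None:
                entries.append((name, classes))
            name, classes = line[len("Fingerprint "):], []
        elif line.startswith("Class "):
            fields = tuple(f.strip() for f in line[len("Class "):].split("|"))
            if len(fields) == 4:
                classes.append(fields)
    if name is not None:
        entries.append((name, classes))
    return entries

def count_by_osgen(entries):
    """Count fingerprints per (vendor, osfamily, osgen); an entry with
    several Class lines counts once under each class it lists."""
    counts = Counter()
    for _name, classes in entries:
        for vendor, family, gen, _dev in classes:
            counts[(vendor, family, gen)] += 1
    return counts
```

Run against a real nmap-os-db file, `count_by_osgen(parse_os_db(open(path).read()))` gives the per-generation spread David refers to.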