Nmap Development mailing list archives

Re: IPv6 Hop Limit as feature in FPEngine


From: David Fifield <david () bamsoftware com>
Date: Thu, 12 Mar 2015 14:17:00 -0700

On Wed, Mar 11, 2015 at 10:50:25AM +0100, Alexandru Geana wrote:
I am sending further improved versions of the patches which add the
hop limit to the list of features used by the machine learning back end
when doing OS detection over IPv6. These take into account the most
recent feedback I obtained.

The FPModel.cc file should be regenerated from the python scripts in the
nmap-exp/luis/ipv6tests folder. Furthermore, there is also now a FPModel.h
file generated by c_struct.py which needs to be placed in the nmap folder
next to FPModel.cc. Since c_struct.py now generates two files, it writes
the contents to the files directly and not to stdout anymore.

+def vectorize_hlim(ip, rs):
+    if ip is None:
+        return UNKNOWN
+    hlim = ip.hlim
+    # check for the DS value in the fingerprint SCAN line
+    if 'DS' in rs.scan_line and rs.scan_line['DS'] > 0:
+        hlim += rs.scan_line['DS'] - 1
+    return hlim
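Review bot: the return value of vectorize_hlim mixes two different quantities depending on whether DS is present: with `'DS' in rs.scan_line and rs.scan_line['DS'] > 0` it returns the inferred original hop limit (`hlim += rs.scan_line['DS'] - 1`), and without DS (or with DS == 0) it silently falls through to the raw received hop limit. A classifier cannot tell the two apart. Either return UNKNOWN when DS is unavailable, so the feature always has one meaning, or document in the comment that the raw value is the intended fallback.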

It seems weird to conditionally subtract the DS. I don't remember, is
that value always present? Or only when we get an ICMPv6 reply?

Some alternatives are:
 * Just use the raw received hoplimit value (don't try to infer what the
   original value was). Like the "TG" test in IPv4 OS detection.
 * Round up to known common values (64, 128, 255).
 * Record hlim + DS - 1 when we have DS, otherwise record -1.

If IPv6 is like IPv4, then there will be cases where middleboxes rewrite
the hoplimit field and you can't really trust it.

David Fifield
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
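An added example, not Nmap's code, that spells out the three alternatives from the message above as small Python functions; the function names are hypothetical, while UNKNOWN, the hop limit and the DS value follow the quoted patch:

```python
# Added example (not Nmap's code): the three alternatives for turning a
# received IPv6 hop limit into an OS-detection feature. UNKNOWN and the
# (hlim, DS) inputs mirror the names in the quoted patch; the function
# names are hypothetical.

UNKNOWN = -1
# Initial hop-limit values commonly used by operating systems.
COMMON_INITIAL_HLIMS = (64, 128, 255)


def hlim_raw(hlim):
    """Alternative 1: record the received hop limit as-is (like IPv4 'TG')."""
    return hlim


def hlim_rounded(hlim):
    """Alternative 2: round the received value up to the nearest common
    initial hop limit, without using the measured distance."""
    for candidate in COMMON_INITIAL_HLIMS:
        if hlim <= candidate:
            return candidate
    return UNKNOWN  # unreachable for an 8-bit field, kept for clarity


def hlim_from_distance(hlim, ds=None):
    """Alternative 3: reconstruct the sender's initial hop limit from the
    received value and the DS (distance in hops) measurement; record
    UNKNOWN when DS is missing so inferred and raw values never mix."""
    if ds is None or ds <= 0:
        return UNKNOWN
    inferred = hlim + ds - 1
    if inferred > 255:
        # Above 255 is impossible for the field; most likely a middlebox
        # rewrote the hop limit, so the measurement is not trusted.
        return UNKNOWN
    return inferred


def vectorize_hlim(ip_hlim, scan_line):
    """Feature extraction in the shape of the patch's vectorize_hlim():
    ip_hlim is the hop limit from the reply (None if no reply) and
    scan_line is the parsed SCAN line dict that may carry 'DS'."""
    if ip_hlim is None:
        return UNKNOWN
    return hlim_from_distance(ip_hlim, scan_line.get('DS'))
```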

