On another note, I know there is a lot of progress being made on bro
compatibility with IPv6. Are there any groups using bro to detect 6to4
tunnelling or "Teredo"?
So, if your network has some devices that are configured to run IPv6
through Teredo (or "need" to for some reason or another?!?), then
blocking 3544 isn't acceptable and isn't a great solution regardless.
I am wondering if it would be possible to inspect IPv4 UDP traffic for
wrapped IPv6 packets. Has anyone looked into this already or doing it?
If so, whitelisting known hosts that are allowed to send tunnelled
traffic would be trivial.
Thanks in advance.
-Will
Side note:
Is "tunnelling" spelled with one "L" or two? Or optional?
I haven't done it myself but 6to4 and 6-in-4 tunnels are fairly easy to
detect, since they use a specific IP protocol number (41).
There's no immediate way for Teredo and other UDP encapsulated traffic
though (other than checking which hosts have traffic on port 3544 and
building whitelists/blacklists based on that). However, it should be fairly
easy to write an analyzer that parses UDP packets and checks if it is
Teredo or some other tunneling technique by checking
a) whether there's an IPv6 header in the payload that makes sense
(e.g., next header)
b) the IPv6 address prefix in the header makes sense (e.g., is
2001::/31 for Teredo, etc.)
c) (maybe) check that the IPv4 address is encoded in the IPv6 address
according to the tunneling scheme.
Such an analyzer should be very lightweight and it doesn't need state.
It can be run either on only port 3544 traffic or on all UDP traffic. Or, I
guess one could make DPD signatures for it by looking for the prefix
(e.g., 2001::/32, ip-version, a next-header value that makes sense).
Actually extracting and parsing the encapsulated v6 traffic is more
difficult, since the extracted packets would have to be injected back into
Bro's processing above the analyzer trees.
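A prototype of the three checks (a, b, c) from the reply above, written in Python as an added example rather than a Bro analyzer or code from this thread. It assumes the RFC 4380 Teredo address layout (server IPv4 in bits 32-63, client UDP port and IPv4 XORed with all-ones in the last 48 bits), handles only a bare IPv6 packet inside the UDP payload (Teredo origin/authentication indications are not parsed), and compares the embedded client IPv4 against the outer IPv4 source, which only matches when the monitor sees the client's public address.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
# Next-header values a plausible encapsulated packet starts with (heuristic, not exhaustive):
# hop-by-hop, TCP, UDP, routing, fragment, ICMPv6, no-next-header, destination options.
SANE_NEXT_HEADERS = {0, 6, 17, 43, 44, 58, 59, 60}

def build_teredo_address(server_v4, flags, udp_port, client_v4):
    """Encode a Teredo address per RFC 4380 (used here only to construct sample traffic)."""
    value = (0x20010000 << 96) | (int(ipaddress.IPv4Address(server_v4)) << 64)
    value |= (flags & 0xFFFF) << 48
    value |= ((udp_port ^ 0xFFFF) & 0xFFFF) << 32          # obfuscated mapped port
    value |= int(ipaddress.IPv4Address(client_v4)) ^ 0xFFFFFFFF  # obfuscated client IPv4
    return ipaddress.IPv6Address(value)

def teredo_client_ipv4(addr):
    """Recover the client's public IPv4 from the last 32 bits of a Teredo address."""
    return ipaddress.IPv4Address((int(addr) & 0xFFFFFFFF) ^ 0xFFFFFFFF)

def classify_udp_payload(payload, outer_src_v4):
    """Classify one UDP payload: 'teredo' (all three checks pass), 'teredo-prefix'
    (2001::/32 but embedded client IPv4 != outer source, e.g. monitoring inside a NAT),
    'ipv6-in-udp' (sane IPv6 header under another prefix), or None (not wrapped IPv6)."""
    if len(payload) < 40 or payload[0] >> 4 != 6:        # check a: version nibble
        return None
    payload_len, next_header = struct.unpack("!HB", payload[4:7])
    if next_header not in SANE_NEXT_HEADERS or payload_len != len(payload) - 40:
        return None                                       # check a: header consistency
    src = ipaddress.IPv6Address(payload[8:24])
    if src not in TEREDO_PREFIX:                          # check b: prefix
        return "ipv6-in-udp"
    if teredo_client_ipv4(src) != ipaddress.IPv4Address(outer_src_v4):
        return "teredo-prefix"                            # check c: embedded IPv4
    return "teredo"

def make_ipv6_in_udp(src, dst, next_header=58, body=bytes(8)):
    """Constructed sample: minimal IPv6 packet (8 dummy ICMPv6 bytes) as a UDP payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(body), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body

if __name__ == "__main__":
    # Constructed addresses: Teredo server 192.0.2.1, client public IP 203.0.113.5, port 40000.
    client = build_teredo_address("192.0.2.1", 0, 40000, "203.0.113.5")
    pkt = make_ipv6_in_udp(client, "2001:db8::1")
    print(client, classify_udp_payload(pkt, "203.0.113.5"))      # teredo
    print(classify_udp_payload(pkt, "10.0.0.7"))                 # teredo-prefix
    print(classify_udp_payload(b"\x45" + bytes(39), "10.0.0.7")) # None (IPv4 header)
```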
Yes, I think this sounds like the way to do it. I appreciate the feedback.
Extracting the encapsulated traffic would be great and probably should
be the end goal, but for now, I would settle for knowing which hosts
are using the protocol, then ensuring they should be based on policy.