Some months ago, I told you I wanted to improve Bro IPv6 support.
After a long time of source code reading I've started to code something.
To begin, I've primarily focused on the support for extensions.
So now when Bro receives a TCP or UDP packet with an arbitrary number of IPv6 extension headers (hop-by-hop option, destination option and routing header for the moment) it can parse the content of the upper layer.
It's a beginning, but now I have some questions:
- what should I do with the data of the extension headers?
- what do you think is the "best practice" in Bro to code the support of ICMPv6 (it's a major update compared to ICMPv4)?
- do you think binpac could help me?
I have not yet caught all the details of the analysers and event handlers, and most of the doc I have found focuses on upper layer protocols, so any help would be greatly appreciated!
After that I will start dealing with the fragmentation, IPsec headers and eventually the transition mechanisms.
Thank you for your help.
Julien Desfossez
P.S.: sorry, but my code isn't clean enough yet to attach the patch; as soon as I have something fully functional/tested I'll send it to the list.
> So now when Bro receives a TCP or UDP packet with an arbitrary number of
> IPv6 extension headers (hop-by-hop option, destination option and routing
> header for the moment) it can parse the content of the upper layer.
> It's a beginning, but now I have some questions:
> - what should I do with the data of the extension headers?
Ideal would be to generate an event per header (assuming that the policy
script defines a corresponding handler).
> - what do you think is the "best practice" in Bro to code the support of
> ICMPv6 (it's a major update compared to ICMPv4)?
I don't know the specifics of ICMPv6. What are the main ways in which
it's a major update?
> - do you think binpac could help me?
It will need extensions to do so. You should contact Ruoming Pang
<rpang@CS.Princeton.EDU> to see what degree he has interest/cycles
in adding the necessary support.
> After that I will start dealing with the fragmentation, IPsec headers
> and eventually the transition mechanisms.
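The header walk Julien describes, combined with the "one event per header" suggestion above, as an added example. This is not code from the thread or from Bro; the type and function names are my own, the packet is constructed inline rather than captured, and since fragmentation is left for later the walker simply stops at a non-first fragment instead of reassembling. The Hdr Ext Len arithmetic (8-octet units, not counting the first 8 octets) and the fixed 8-byte Fragment header are per RFC 2460.

```cpp
// Added example, not Bro's own code: walk an IPv6 extension-header chain
// (Hop-by-Hop Options, Destination Options, Routing, Fragment) to the upper
// layer, recording one entry per header so the caller can raise one event
// per header. Type and function names are my own.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// IANA protocol numbers of the extension headers handled here (RFC 2460).
constexpr uint8_t kHopByHop = 0;
constexpr uint8_t kRouting  = 43;
constexpr uint8_t kFragment = 44;
constexpr uint8_t kDstOpts  = 60;

struct ExtHeader {
    uint8_t type;    // protocol number of this extension header
    size_t  offset;  // byte offset of the header within the packet
    size_t  length;  // total header length in bytes
};

struct WalkResult {
    bool ok = false;
    uint8_t upper_proto = 0;         // Next Header value that ends the chain
    size_t upper_offset = 0;         // byte offset where that upper layer starts
    std::vector<ExtHeader> headers;  // one entry per extension header seen
    std::string error;
};

WalkResult walk_ipv6(const uint8_t* pkt, size_t len, size_t max_headers = 8) {
    WalkResult r;
    if (len < 40) { r.error = "truncated fixed header"; return r; }
    if ((pkt[0] >> 4) != 6) { r.error = "not an IPv6 packet"; return r; }
    size_t end = 40 + ((static_cast<size_t>(pkt[4]) << 8) | pkt[5]);  // Payload Length
    if (end > len) { r.error = "payload length exceeds captured bytes"; return r; }
    uint8_t nh = pkt[6];  // Next Header of the fixed header
    size_t off = 40;
    for (;;) {
        size_t hlen = 0;
        switch (nh) {
        case kHopByHop:
        case kDstOpts:
        case kRouting:
            if (off + 2 > end) { r.error = "truncated extension header"; return r; }
            if (nh == kHopByHop && off != 40) {
                r.error = "Hop-by-Hop header not directly after fixed header"; return r;
            }
            // Hdr Ext Len is in 8-octet units, not counting the first 8 octets.
            hlen = (static_cast<size_t>(pkt[off + 1]) + 1) * 8;
            break;
        case kFragment: {
            // Fixed 8 bytes. A non-zero Fragment Offset means the upper layer
            // lives in another fragment: stop here, reassembly is a separate step.
            if (off + 8 > end) { r.error = "truncated fragment header"; return r; }
            unsigned frag_off = ((pkt[off + 2] << 8) | pkt[off + 3]) >> 3;
            if (frag_off != 0) { r.error = "non-first fragment; needs reassembly"; return r; }
            hlen = 8;
            break;
        }
        default:
            // TCP, UDP, ICMPv6, No Next Header (59), ...: the chain ends here.
            r.upper_proto = nh;
            r.upper_offset = off;
            r.ok = true;
            return r;
        }
        if (r.headers.size() >= max_headers) { r.error = "too many extension headers"; return r; }
        if (off + hlen > end) { r.error = "extension header overruns payload"; return r; }
        r.headers.push_back({nh, off, hlen});
        nh = pkt[off];  // every extension header begins with its own Next Header
        off += hlen;
    }
}

// Constructed sample (not a capture): IPv6 fixed header, Hop-by-Hop, Destination
// Options, Routing, then a 20-byte zeroed TCP header. Payload Length = 8+8+8+20 = 44.
std::vector<uint8_t> make_sample_packet() {
    std::vector<uint8_t> p = {0x60, 0, 0, 0, 0, 44, kHopByHop, 64};
    p.resize(p.size() + 32, 0xab);  // source + destination address (dummy)
    const uint8_t hop[] = {kDstOpts, 0, 1, 4, 0, 0, 0, 0};  // Next=60, PadN option
    const uint8_t dst[] = {kRouting, 0, 1, 4, 0, 0, 0, 0};  // Next=43, PadN option
    const uint8_t rt[]  = {6, 0, 0, 0, 0, 0, 0, 0};         // Next=TCP, 0 segments left
    p.insert(p.end(), hop, hop + 8);
    p.insert(p.end(), dst, dst + 8);
    p.insert(p.end(), rt, rt + 8);
    p.resize(p.size() + 20, 0);
    return p;
}

int main() {
    std::vector<uint8_t> p = make_sample_packet();
    WalkResult r = walk_ipv6(p.data(), p.size());
    for (const ExtHeader& h : r.headers)  // where a per-header event would fire
        std::printf("ext header %u at offset %zu, %zu bytes\n", unsigned(h.type), h.offset, h.length);
    if (r.ok) std::printf("upper layer proto %u at offset %zu\n", unsigned(r.upper_proto), r.upper_offset);
    else std::printf("error: %s\n", r.error.c_str());
    return 0;
}
```

The `max_headers` cap and the Hop-by-Hop ordering check are the two things a packet parser in a monitor most wants: a crafted chain cannot make the walker loop or read past the captured bytes, and a misplaced Hop-by-Hop header is reported rather than silently accepted.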
Julien,
It can probably help you. The difference between using binpac for
application level protocols and for IPv6 is that you won't have the
notion of connection/flow in IPv6. But binpac can still help you parse
the packet headers and generate events.
For an example of using binpac without connection/flow, please take a
look at smb.pac (it was written before we had the notion of
connection/flow in binpac). Do not hesitate to contact me if you have
any questions.
>> - what do you think is the "best practice" in Bro to code the support of ICMPv6 (it's a major update compared to ICMPv4)?
> I don't know the specifics of ICMPv6. What are the main ways in which
> it's a major update?
By major update I am thinking of:
- the replacement of IGMP by MLD (Multicast Listener Discovery)
- the Neighbor Discovery Protocol which replaces ARP (broadcast disappears, so does ARP) and adds features such as neighbor unreachability detection, stateless autoconfiguration, duplicate address detection, parameters discovery...
So I think there is some work to do to integrate it into Bro (more than just adapting the ICMPv4 part).
As soon as I'm done with the extensions and fragments I will start working on it.
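To show what "more than just adapting the ICMPv4 part" means in practice, here is an added example, not code from the thread or from Bro: it classifies an ICMPv6 message by type (error, echo, MLD, NDP) and, for the Neighbor Discovery types that replace ARP, walks the per-message option list, which has no ICMPv4 counterpart. Names are my own and the Neighbor Solicitation is constructed inline. The option layout (Length in 8-octet units, zero is invalid) and the per-type offsets follow RFC 4861; checksum verification is deliberately left out.

```cpp
// Added example, not Bro's own code: classify an ICMPv6 message by type and,
// for the Neighbor Discovery types, walk its option list. NDP options are
// TLVs whose Length is in 8-octet units and must not be zero (RFC 4861).
// Names are my own.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// ICMPv6 type numbers used below (RFC 4443 echo, RFC 2710 MLD, RFC 4861 NDP).
constexpr uint8_t kEchoRequest = 128, kEchoReply = 129;
constexpr uint8_t kMldQuery = 130, kMldDone = 132;
constexpr uint8_t kRouterSolicit = 133, kRouterAdvert = 134;
constexpr uint8_t kNeighborSolicit = 135, kNeighborAdvert = 136, kRedirect = 137;

struct NdpOption {
    uint8_t type;   // option type (1 = Source Link-Layer Address, ...)
    size_t offset;  // byte offset within the ICMPv6 message
    size_t length;  // option length in bytes (Length field * 8)
};

struct Icmp6Result {
    bool ok = false;
    uint8_t type = 0, code = 0;
    std::string family;              // "error", "echo", "mld", "ndp" or "other"
    std::vector<NdpOption> options;  // one entry per NDP option seen
    std::string error;
};

const char* icmp6_family(uint8_t type) {
    if (type < 128) return "error";  // RFC 4443: types 0-127 are error messages
    if (type == kEchoRequest || type == kEchoReply) return "echo";
    if (type >= kMldQuery && type <= kMldDone) return "mld";
    if (type >= kRouterSolicit && type <= kRedirect) return "ndp";
    return "other";
}

// Offset, from the start of the ICMPv6 header, at which an NDP message's
// option list begins. 0 means the type carries no NDP options.
size_t ndp_options_start(uint8_t type) {
    switch (type) {
    case kRouterSolicit:  return 8;   // 4-byte header + 4 reserved
    case kRouterAdvert:   return 16;  // + hop limit, flags, lifetime, two timers
    case kNeighborSolicit:
    case kNeighborAdvert: return 24;  // + reserved/flags + 16-byte target
    case kRedirect:       return 40;  // + reserved + target + destination
    default:              return 0;
    }
}

Icmp6Result parse_icmp6(const uint8_t* msg, size_t len) {
    Icmp6Result r;
    if (len < 4) { r.error = "truncated ICMPv6 header"; return r; }
    r.type = msg[0];
    r.code = msg[1];
    r.family = icmp6_family(r.type);
    size_t off = ndp_options_start(r.type);
    if (off == 0) { r.ok = true; return r; }  // not an NDP message: nothing to walk
    if (len < off) { r.error = "truncated NDP message body"; return r; }
    while (off < len) {
        if (off + 2 > len) { r.error = "truncated NDP option"; return r; }
        size_t olen = static_cast<size_t>(msg[off + 1]) * 8;
        if (olen == 0) { r.error = "zero-length NDP option (must be discarded)"; return r; }
        if (off + olen > len) { r.error = "NDP option overruns message"; return r; }
        r.options.push_back({msg[off], off, olen});
        off += olen;
    }
    r.ok = true;
    return r;
}

// Constructed sample (not a capture): a Neighbor Solicitation, the ARP-request
// analogue, carrying a Source Link-Layer Address option (type 1, Length 1).
// The checksum is left zero; this example does not verify it.
std::vector<uint8_t> make_ns_sample() {
    std::vector<uint8_t> m = {kNeighborSolicit, 0, 0, 0, 0, 0, 0, 0};
    m.resize(m.size() + 16, 0xfe);  // target address (dummy)
    const uint8_t sll[] = {1, 1, 0x02, 0x00, 0x5e, 0x00, 0x53, 0x01};
    m.insert(m.end(), sll, sll + 8);
    return m;
}

int main() {
    std::vector<uint8_t> m = make_ns_sample();
    Icmp6Result r = parse_icmp6(m.data(), m.size());
    std::printf("type %u code %u family %s\n", unsigned(r.type), unsigned(r.code), r.family.c_str());
    for (const NdpOption& o : r.options)
        std::printf("  option %u at %zu, %zu bytes\n", unsigned(o.type), o.offset, o.length);
    if (!r.ok) std::printf("error: %s\n", r.error.c_str());
    return 0;
}
```

The zero-length check is the one a monitor cannot skip: RFC 4861 requires such packets to be discarded, and without the check a Length of 0 would leave the loop stuck on the same option.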