Observe IPv6 Traffic Encapsulated Within IPv4 Packets

Understanding your network means understanding IPv6 tunneled packets

In the past few weeks several organizations have asked me about these "funny" packets they see leaving their networks destined for the Internet. These packets turned out to be IPv6 packets encapsulated within an IPv4 header (IP protocol 41). IPv6 packets that are encapsulated in IPv4 packets may be created unintentionally or they may be malicious activity that is trying to avoid detection. To understand this potential security issue you need tools to help you inspect this type of traffic. The way these organizations noticed this traffic is they had recently upgraded the software on their IPS systems so they were now capable of seeing these tunneled packets. As I have mentioned in earlier blogs, 6to4 and Teredo are dynamic tunneling techniques used by desktop operating systems to help their users gain access to the IPv6 Internet. These techniques tunnel the IPv6 packets within IPv4 packets. The 6to4 method places the IPv6 packets within IPv4 protocol 41 packets. The Teredo method places the IPv6 packets within IPv4 packets with a UDP 3544 header. On July 15, 2009 I wrote a blog about how people should not be overly alarmed about tunneled IPv6 packets leaving their organization. While most of these packets may be benign the concern is those few packets that may be malicious in nature. The issue is "fear of the unknown" because we often lack the ability to inspect the data within these packets. The fact is that we all lack visibility to what's within encapsulated packets passing through our network perimeters. It has always been a best practice to have an inbound (duh) and an outbound firewall policy. However, so many people have fallen into bad habits of taking the easy way out and having a default permit outbound policy. This was the one default property that I don't like about Cisco firewalls where all traffic from the higher security-level interface (100, trusted) to the lower security-level interface (0, untrusted) is permitted by default. That leads many organizations to get sloppy with their firewall policies. Organizations without an outbound firewall policy are at risk of allowing all IPv6 traffic tunneled in IPv4 port 41 or UDP 3544 (Teredo) traffic. All IPv6 traffic can leave their organization without any condition placed on the type of packets can leave. Because these firewalls are stateful, the returning traffic is permitted. Even if you have a solid security policy we still need to gain greater visibility to what's entering and leaving our networks. One of the primary issues with Deep Packet Inspection (DPI) is that it is typically done at points in the network topology where there is a large amount of aggregated traffic. These choke points are also where the 1Gbps and 10Gbps links are connected. This is particularly true in service-provider networks. It takes a fast processor to be able to keep up with those types of traffic volumes. Another major concern about DPI systems is their inability to parse packets where one protocol is encapsulated within another protocol. This is certainly the case with this IPv6 traffic that is tunneled within IPv4 packets. So this begs the question: What products are available to perform Deep Packet Inspection (DPI) of IPv6 tunneled packets? Following is a list of the various products that I am aware of that will help you gain visibility into this IPv6 encapsulated traffic. If you know of any others please let us know by posting a comment to this blog. Cisco IPS Cisco's IPS sensors have had the ability to inspect IPv6 packets. However, early on in their development there were only a few signatures that existed for IPv6. With IPS software version 6.2 Cisco added significantly to their IPv6 inspection capabilities. Cisco's IPS 7.0 offers a lot of capabilities; however, anomaly detection is not available for IPv6. Cisco Flexible Packet Matching (FPM) Within Cisco's IOS there is a feature called Flexible Packet Matching (FPM) that can be used to match packets and handle the packets appropriately. With this feature you can create complex ACLs using MQC-type configurations and then specify how the packets should be treated. You can define virtually any type of layer 2 frame or layer-3 packet by defining an offset value and specifying in hex the information to check for. FPM has also been enhanced in the recent IOS release 15.0. My good friend and coauthor Eric Vyncke has a good example of how to use FPM to detect Teredo traffic on a Cisco router. This is documented in our book on IPv6 Security in Chapter 10, page 458. His FPM example matches IPv4 packets that use UDP port 3544 to encapsulate IPv6 packets. FPM can look deep inside the packet and can match packets based on port number and use of the 2001::/32 prefix even if those packets are using a non-standard Teredo port number. One of the significant limitations of FPM is that "FPM inspects only IPv4 unicast packets." Therefore, FPM can't be used to observe IPv6 packets that are encapsulated in IPv6 packets or any native IPv6 packets. Command Information Assure6 Command Information has a long-standing reputation in the IPv6 community. They have a developed a system that can perform DPI on all types of IPv6 traffic types. Their Assure6 offering can look at IPv6 packets encapsulated in IPv4, it can look at native IPv6 packets, and it can look at IPv6 packets encapsulated within IPv6. There are many signatures built into the system for most of the common types of IPv6 attacks. Boeing Security Monitoring Infrastructure System (SMIS) The Boeing Company even has a system that can perform intensive security evaluations of network traffic. The Boeing Security Monitoring Infrastructure System (SMIS) is built on a platform that can inspect IPv6 packets. Not much public information exists about this system but it may be another option for gaining visibility of IPv6 traffic traversing a perimeter or choke point. Snort Snort has supported IPv6 since version 2.8.0 and the latest version 2.8.5 has IPv6 DPI capabilities. The trick is that when compiling Snort you need to use the "./configure --enable-ipv6" configuration parameter. When you are configuring rules be sure to use ipvar instead of var and the net command allows you to specify IPv6 addresses. OpenDPI A German company Ipoque has developed a library called Protocol and Application Classification Engine (PACE), which can be added to the OpenDPI software. Initially, it appeared that OpenDPI didn't support IPv6. However, in the manual of this product it claims IPv6 support is available when using PACE. Sandvine Sandvine is a company in Ontario Canada that produces equipment and software to perform traffic management for service-provider and enterprise networks. Their systems (PTS 8210, PTS 14000, PTS 24000) provide high-bandwidth traffic inspection. However, I was unable to determine from looking at their publicly-available information how deep their systems can look at IPv6 packets. DPI Testing Systems - Shenick There are even products to help manufacturers of DPI systems to test their software. One such vendor is Shenick which offers a DPI test system called diversifEye. It's data sheet claims to have IPv6 capabilities. In fact, Sandvine is using their systems presumably to test their product's IPv6 capabilities. Wireshark My favorite protocol analyzer is Wireshark. It is one tool that I can't live without. Because it is a protocol analyzer it can look at any type of packet and it can correctly parse packets that are encapsulated within other packets. If you don't want to spend a lot of money but still want to find out if you have any IPv6 encapsulated packets leaving your network you can simply set up a monitor session and a computer running Wireshark. I bet you will be surprised at what you find. Conclusion We expect that vendors will increase their capabilities to perform Deep Packet Inspection (DPI) on IPv6 packets or IPv6 encapsulated packets. The expectation is that the vendor landscape will continue to grow as vendors see the market potential for inspecting IPv6 packets as IPv6 packets become more common. You don't need to spend a lot of money to gain this visibility but I encourage you to investigate the types of traffic leaving and then entering your organization. Scott

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10