Analysis of tunneled traffic

IPv6, Monitoring, Networking @Campus network monitoring workshop

Traditional firewall techniques usually permit traffic according to IP addresses or port numbers. More advanced firewalls inspect even packet’s payload – e.g. http traffic. However, neither of these techniques is sufficient when dealing with IPv6 transition techniques. An attacker can easily avoid a security policy in a network by using one of many IPv6 transition techniques. Using Teredo as an example, the IPv6 traffic is encapsulated in UDP payload on high port numbers.

Traditional firewall can’t detect traffic inside the tunnel if the DPI of every UDP packet is not performed. Unfortunately, firewalls in current network equipment (Cisco, Juniper, HP …) do not support this functionality. To make things worse, these firewalls are often used as border firewalls in enterprise networks. The presentation focuses on our monitoring solution of IPv6 transition techniques. The probe monitors network traffic and generates NetFlow statistics. The type of transition technique is encoded in NetFlow data. We support AYIYA, 6to4, 6in4, Teredo and ISATAP.

About the Author

Matej Gregr

http://www.fit.vutbr.cz/~igregr/ igregr@fit.vutbr.cz

PhD student at Brno University of Technology. He teaches network related courses and his research concerns IPv6 security, monitoring and deployment. He works also as a network administrator at Brno campus network and participates in the European project - GÉAN3 Campus Best Practice.