Security Visualization Tools and IPv6 Addresses · Visualization of IPv6 addresses is difﬁcult Really long numbers (128-bit) Address space is sparsely populated Transition mechanisms

Introduction IPv4 vs IPv6 Problem Whitespace Filtering IPv6 Hierarchy Conclusions

Security Visualization Tools and IPv6Addresses

David BarreraP.C. van Oorschot

1 / 22


1 Introduction2 IPv4 vs. IPv63 Problem4 Proposal 1: Whitespace filtering5 Proposal 2: IPv6 address hierarchy with treemaps6 Conclusions

2 / 22


Introduction

IPv4 address exhaustion predicted to happen in mid-2012(745 days remaining) 1

10% of Class A’s remainingIPv6 deployment on the global Internet is low (~1%)IPv6 deployment inside organizations could be significantlyhigher

1http://www.potaroo.net/tools/ipv4/index.html3 / 22


Introduction

IPv6 is already hereUserspace applications require almost no modificationsEnabled in new operating systemsWidely deployed in network tools

4 / 22


Introduction

Visualization of IPv6 addresses is difficultReally long numbers (128-bit)Address space is sparsely populatedTransition mechanisms interfere with ‘real’ IPv6 addresses

Most visualization tools don’t support IPv6Assume IPv4Tools are hardcoded to 32-bitsDrop/ignore IPv6 packetsCrash

5 / 22


Address Representation

2001:0DB8:0000:0078:9ABC:0000:0000:00002001:0DB8:0:0078:9ABC:0:0:02001:DB8:0:78:9ABC::

6 / 22


Packet Header Changes

The IPv6 header omits rarely used fieldsIPID, flags, fragment offset, header checksum no longerpresentFlow label is new to the IP header

7 / 22


Packet Header Changes

8 / 22


Updated protocols

DHCPv6 and address auto-configurationICMPv6Multicast, scope IDsNew security issues to visualize

9 / 22


Visualization Steps

Capture raw dataParseProcess and reformatDisplay

10 / 22


Visualization Steps

Capture raw data - Wireshark, TCPdumpParse - Scripts in perl, pythonProcess and reformat - Nonexisting fields, size of datastructuresDisplay - Designed for 32-bits

11 / 22


Whitespace Filtering

The IPv6 address space is sparsely populatedVast majority of the address space is whitespace(darkspace)

12 / 22



13 / 22



Why is visualizing the entire address space important?Remove whitespace

Keep a (sorted) list of the “seen” IPv6 addressesWhen plotting, use the index rather than the full addressOptionally insert gaps between points

14 / 22



15 / 22


IPv6 Address Allocation

IPv6 addresses must be allocated hierarchicallyAvoid unnecessary load on backbone routersGive greater meaning to IP addressesFlexibility to organizations for block assignments

RFCs that specify how addresses can be aggregated tokeep routing tables efficientReading more bits of an IPv6 address reveals moreinformation (country, AS, ISP, zone, etc)Treemaps are useful for visualizing hierarchy

16 / 22


IPv6 Address Visualization with Treemaps

Parse the dataset identifying all the unique IPv6 addressesMake each hextet a level of the tree

2001:0DB8:0000:0078:9ABC:0000:0000:00002001:0DB8:FABC:0078:9ABC:1234:5678:EEFF

If there is more screen real-estate, display more hextets

17 / 22


IPv6 Address Visualization with Treemaps

Improvements by color-coding type of trafficMake the size of each node proportional to the volume ofdataDisplay port number information in the contents of eachnode

18 / 22


IPv6 Treemaps

19 / 22


IPv6 Treemaps

20 / 22


Conclusions

IPv6 is hereNew visualization techniques/tools to support IPv62 proposals for dealing with these datasets

21 / 22


Questions

22 / 22

Documents

Security Visualization Tools and IPv6 Addresses · Visualization of IPv6 addresses is difﬁcult Really long numbers (128-bit) Address space is sparsely populated Transition mechanisms