Flow Based Monitoring of IPv6 - cesnet
Tomáš Podermański, tpoder@cis.vutbr.cz
Matěj Grégr, igregr@fit.vutbr.cz
Miroslav Šoltes, xsolte@stud.fit.vutbr.cz


IPv6 - autoconfiguration
• Brand new autoconfiguration mechanisms
  – Router Advertisement (M/O flags)
  – DHCPv6 uses a DUID that does not contain the MAC address of the NIC
• Privacy extensions
  – IPv6 addresses are created randomly by hosts
• Different platforms support different techniques
  – Windows XP - SLAAC
  – Windows Vista/7 – SLAAC + DHCPv6
  – Mac OS, iOS - SLAAC only (except Lion – released 06/2011)
  – Linux, BSD, … – depends on distribution
• You have to use both mechanisms in a real network
  – DHCPv6 server, Router Advertisements on routers
  – + DHCP(v4)


Traffic for a single host
• Filter definition for nfdump (one host)
    nfdump -R -6 . "host 2001:67c:1220:e000:1d90:c54c:7183:2771 or
        host 2001:67c:1220:e000:1d76:8ea4:1433:3a06 or
        host 2001:67c:1220:e000:f8c7:b911:607e:ded3 or
        host 2001:67c:1220:e000:fc24:ab74:10cc:a6b7 or
        host 2001:67c:1220:e000:b9:bc89:32f3:36b8:e14e or
        host 2001:67c:1220:e000:8c8b:37f0:9ecc:fc51 or
        host 2001:67c:1220:e000:61ff:16c0:3d52:366"
• How to get accounting information for the top n hosts?
• Who does the address XX:YY::AA:BB belong to?


Host identification in IP(v4) and IPv6
• How it works in IPv4
  – DHCP(v4) – based on MAC address
  – Direct relation between MAC address, IP address and host
  – IP address is pretty stable (one host can lease the same IP address for a long time)
  – Usually only one IP(v4) address is assigned
• Can authentication through 802.1x help?
  – Not directly, there is no relation between L2 authentication and the IPv6 address
• Can a DHCPv6-only environment help?
  – Not at all: there is no relation between the DUID and the MAC address
• A host usually has more than one IP address
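The slide's point that an IPv6 address carries no usable relation to the MAC address holds for privacy-extension and DHCPv6 addresses, but not for plain SLAAC, whose interface identifier is a modified EUI-64 built from the NIC address. The following added example (not part of the slides) recovers the MAC from an EUI-64 address and returns None for everything else, which is exactly the gap the neighbor cache has to fill. The sample addresses are the ones printed on the earlier slide plus a constructed link-local address.

```python
"""Added example, not from the CESNET slides: recover a MAC address from an
IPv6 address only when its interface identifier is a modified EUI-64
(RFC 4291 appendix A), i.e. SLAAC without privacy extensions."""
import ipaddress
from typing import Optional


def mac_from_eui64(addr: str) -> Optional[str]:
    """Return 'xx:xx:xx:xx:xx:xx' for an EUI-64 address, None otherwise."""
    iid = ipaddress.IPv6Address(addr).packed[8:]      # low 64 bits = interface id
    if iid[3:5] != b"\xff\xfe":                       # EUI-64 inserts ff:fe in the middle
        return None
    octets = bytearray(iid[0:3] + iid[5:8])
    octets[0] ^= 0x02                                 # undo the universal/local bit flip
    return ":".join(f"{o:02x}" for o in octets)


def classify(addr: str) -> str:
    """Label used by a monitoring tool: EUI-64 addresses map back to a NIC,
    all others (privacy extensions, DHCPv6, manual) need the neighbor cache."""
    return "eui64" if mac_from_eui64(addr) else "needs-neighbor-cache"


if __name__ == "__main__":
    for a in ("fe80::5a1f:aaff:fe82:396c",                 # constructed SLAAC link-local
              "2001:67c:1220:e000:1d90:c54c:7183:2771"):   # privacy address from the slide
        print(a, classify(a), mac_from_eui64(a))
```

A random privacy-extension identifier can contain ff:fe at the same offset by chance (roughly one in 65,536), so the recovered MAC is a hint to confirm against the neighbor cache, not a proof of identity.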


Extended flow record
• Basic flow record
  – key fields: src/dst address, src/dst port
  – non-key fields: bytes, pkts
• Extended flow record
  – MAC address: neighbor cache (NC), ARP table
  – Switch port: forwarding database (FDB)
  – Login: RADIUS server
(diagram: IP address → MAC address via NC/ARP → Switch port via FDB → Login ID via RADIUS)


Where to get proper information
• Mapping IPv6/IPv4 address → MAC address
  – neighbor cache, ARP table
  – passive probes at local networks (ndwatch, arpwatch)
  – SNMP MIB database on routers
    • ipv6NetToMediaTable, ipNetToPhysicalTable
• Mapping MAC address → switch port
  – SNMP MIB database on switches
    • RFC 4188: BRIDGE-MIB
    • RFC 4363: Q-BRIDGE MIB (dot1dTpFdbTable)
• Mapping MAC address → user identity
  – RADIUS server – 802.1x (authentication data)
  – external source (DB, DHCP server, …)


Architecture of the system
• netflow/ipfix exports
• flowmon probes
• nfdump toolset
  http://nfdump.sourceforge.net/
• netflow collector (NetFlow v9)
• Network Administration Visualized (NAV)
  http://metanav.uninett.no/
• Added plugin for RADIUS server (radiator)


(diagram: SNMP collecting NC, ARP; RADIUS data from RADIUS servers)


Architecture of the system
• Home-made nftool
• 1st phase: User ID mapped to MPLS tags
• 2nd phase: User ID item added into nfdump


Architecture of nftool
• Periodical process
  – Obtain data from NAV database (PostgreSQL)
  – Update information in nfdump files
(diagram: NAV DB → nftool; flow data (flat files) → nftool → flow data (updated flat files))
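The extended flow record slides and the nftool process above describe one join: a flow's source address is looked up in the neighbor cache to get a MAC, the MAC in the switch FDB to get a port, and the MAC again in RADIUS data to get a user. The following added example (not CESNET's nftool and not tied to the NAV schema) performs that join over constructed inputs in the formats the sources actually produce: `ip -6 neigh` style neighbor-cache lines, an snmpwalk of `dot1qTpFdbPort` from Q-BRIDGE-MIB, and RADIUS session rows keyed by Calling-Station-Id. It also builds the long "host ... or host ..." nfdump filter from the "Traffic for a single host" slide automatically, from every address the MAC currently owns. All addresses, MACs, user names and user ids are constructed sample data except the slide's own 58:1f:aa:82:39:6c and its listed addresses.

```python
"""Added example, not CESNET's nftool: build the extended flow record of the
slides (IP -> MAC -> switch port -> login) from three lookup sources and derive
the nfdump "host ... or host ..." filter for one host. All input data below is
constructed sample data, not a capture."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form; RADIUS often reports 58-1F-AA-82-39-6C."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# 1. Neighbor cache (IPv6 address -> MAC), constructed in 'ip -6 neigh' format as a
#    passive probe such as ndwatch or the router's ipv6NetToMediaTable would provide.
NEIGHBOR_CACHE = """\
2001:67c:1220:e000:1d90:c54c:7183:2771 dev eth0 lladdr 58:1f:aa:82:39:6c REACHABLE
2001:67c:1220:e000:1d76:8ea4:1433:3a06 dev eth0 lladdr 58:1f:aa:82:39:6c STALE
2001:67c:1220:e000:8c8b:37f0:9ecc:fc51 dev eth0 lladdr 00:24:8c:11:22:33 REACHABLE
fe80::5a1f:aaff:fe82:396c dev eth0 lladdr 58:1f:aa:82:39:6c REACHABLE
"""


def parse_neighbor_cache(text: str) -> Dict[str, str]:
    ip_to_mac = {}
    for line in text.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr (\S+)", line)
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            ip_to_mac[str(ipaddress.ip_address(m.group(1)))] = norm_mac(m.group(2))
    return ip_to_mac


# 2. Forwarding database (MAC -> bridge port), constructed snmpwalk output of
#    dot1qTpFdbPort (Q-BRIDGE-MIB, RFC 4363). The OID suffix is
#    <VLAN>.<six decimal MAC octets>; the value is the bridge port index.
FDB_WALK = """\
Q-BRIDGE-MIB::dot1qTpFdbPort.100.88.31.170.130.57.108 = INTEGER: 12
Q-BRIDGE-MIB::dot1qTpFdbPort.100.0.36.140.17.34.51 = INTEGER: 7
"""
FDB_LINE = re.compile(r"dot1qTpFdbPort\.\d+\.((?:\d+\.){5}\d+) = INTEGER: (\d+)")


def parse_fdb_walk(text: str) -> Dict[str, int]:
    mac_to_port = {}
    for line in text.splitlines():
        m = FDB_LINE.search(line)
        if m:
            octets = [int(o) for o in m.group(1).split(".")]
            mac_to_port[":".join(f"{o:02x}" for o in octets)] = int(m.group(2))
    return mac_to_port


# 3. RADIUS accounting (MAC -> user), constructed (Calling-Station-Id, User-Name,
#    numeric user id) rows as a NAV-style database would hold them after 802.1x.
RADIUS_SESSIONS = [
    ("58-1F-AA-82-39-6C", "jdoe", 183),
    ("00-24-8C-11-22-33", "asmith", 1100),
]


def radius_map(sessions) -> Dict[str, int]:
    return {norm_mac(csid): uid for csid, _user, uid in sessions}


# 4. The join itself: the basic flow record gains three non-key fields.
@dataclass
class Flow:
    src: str
    dst: str
    bytes: int


@dataclass
class ExtendedFlow(Flow):
    src_mac: Optional[str] = None
    switch_port: Optional[int] = None
    user_id: Optional[int] = None


def extend(flow: Flow, ip_to_mac, mac_to_port, mac_to_user) -> ExtendedFlow:
    """Addresses without a neighbor-cache entry keep None fields instead of failing."""
    mac = ip_to_mac.get(str(ipaddress.ip_address(flow.src)))
    return ExtendedFlow(flow.src, flow.dst, flow.bytes, src_mac=mac,
                        switch_port=mac_to_port.get(mac) if mac else None,
                        user_id=mac_to_user.get(mac) if mac else None)


def nfdump_host_filter(mac: str, ip_to_mac) -> str:
    """Every global address a MAC currently owns, joined as the slide's
    'host A or host B' filter. Link-local addresses are left out: that traffic
    is never forwarded, so it does not show up in flows exported at the router."""
    wanted = norm_mac(mac)
    addrs = sorted(ip for ip, m in ip_to_mac.items()
                   if m == wanted and not ipaddress.ip_address(ip).is_link_local)
    return " or ".join(f"host {ip}" for ip in addrs)


if __name__ == "__main__":
    nc = parse_neighbor_cache(NEIGHBOR_CACHE)
    fdb, users = parse_fdb_walk(FDB_WALK), radius_map(RADIUS_SESSIONS)
    print(extend(Flow("2001:67c:1220:e000:1d76:8ea4:1433:3a06", "2001:db8::1", 1500), nc, fdb, users))
    print(nfdump_host_filter("58:1f:aa:82:39:6c", nc))
```

Two details matter in practice: every source spells MACs differently (colons, dashes, decimal OID octets), so normalisation happens once at the edge of each parser; and the lookups are point-in-time snapshots, so a periodic job like nftool's must record when each mapping was collected, because a privacy address is reassigned to another MAC only rarely but a switch port is reused constantly.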


Architecture of the DR system
• CLI interface – nfdump


A few examples of usage
• Traffic belonging to host with MAC 58:1f:aa:82:39:6c
    nfdump -R . "mac 58:1f:aa:82:39:6c"
• Aggregated traffic for each MAC
    nfdump -R . -a -A insrcmac,outsrcmac
• Aggregated traffic for each user
    nfdump -R . -a -A mpls1,mpls2
• All traffic belonging to user with ID 183
    nfdump -R . -a -A insrcmac,outsrcmac "(mpls label1 183 or mpls label2 183)"


Future work
• Extension of nfdump
  – Not “raping” MPLS fields for user identification
  – Patches for nfdump adding:
    • User ID item
        nfdump -r CESNET/2012-04-20/13/nfcapd.201204201300 "user 1100"
    • Extension for a “progress bar”
        nfdump -p /tmp/pbar -R 2012-04-24 -a -A srcip "host 147.229.3.15"
        [root@coyote ~]# cat /tmp/pbar
        Processing 2012-04-24/00/nfcapd.201204240055: 14%
• NAV: some parts written in Java
  – developers are working on moving to Python :)


Future work II
• Secure transport of the flow data
• Reliable transport of the flow data
  – Currently we lose data when the network goes down
  – “Small” buffer on the probe side
