A few weeks ago I published an article in which I proposed a method on how to capture the MAC- to IPv6-address bindings via sniffing and storing IPv6 DAD messages. Though any IPv6 node MUST send these Duplicate Address Detection messages prior to assign the address, I was not fully assured that *really* each new IPv6 address is stored with this Tcpdump sniffer.
That is, over a whole month I captured the DAD messages on a test BYOD-LAN and furthermore the complete IPv6 connection logs of the corresponding firewall. At best, I should have any IPv6 address that made an outbound connection through the firewall in the DAD logfiles. Here are the results:
For these analysis I captured the whole March 2013. I used a Linux Ubuntu server for my Tcpdump script, while the corresponding firewall was a Cisco ASA 5520 with syslog enabled at the “debugging” stage. The values (in brackets) are the names of the raw-files which will be able for download at the end of this post.
The first step was to analyze the logfiles of the DAD messages such as presented in my previous post here. I merged all pcaps to a single one, piped the Tcpdump output to a textfile, and deleted all line with entries prior or after March (DAD-march2014).
Then I reduced the textfile to only IPv6 addresses and used “sort” and “uniq” to have a list of all global-unicast IPv6 addresses (DAD-onlyIPv6-sort-uniq-gua). Similarly I generated a list of all different MAC addresses (DAD-onlyMAC-sort-uniq).
With “wc -l” I counted the number of unique addresses:
- 117 MAC addresses, i.e., different clients
- 148 link-local IPv6 addresses of type “fe80::”
- 3047 global-unicast IPv6 addresses of type “2001:db8::” (wow, the Privacy Extensions are really out there…)
- 16123 DAD messages (!)
Firewall Connection Log
Similarly, I analyzed the syslog messages from the firewall. First, I grepped all global-unicast IPv6 addresses and used a few seds in a quick and dirty way to reduce the file to only IPv6 addresses (fwlogs-all-addresses-sort-uniq):
cat fwlogs-really-all-connections | sed s/.*BYOD:// | sed s/\\/.*// | sed s/.*faddr.// | sed s/.*304001:.// | sed s/.Accessed.*// | sed s/Mar.*// | sed s/.duration.*// | sed s/..type.*// | sort | uniq
A short “wc -l” analysis revealed the following value:
- 1235 unique global-unicast IPv6 addresses
Comparing the Logs
Finally, I used “comm” to compare the two logs with only global-unicast IPv6 addresses: The DAD log on the one side against the firewall connection log on the other side. The following output shows the complete range of addresses that were not present in the DAD log while they made connections to the Internet:
weberjoh@jw-nb09:~$ comm -13 DAD-onlyIPv6-sort-uniq-gua fwlogs-all-addresses-sort-uniq
From these 12 addresses, 2 can be omitted since they were seen in my DAD logs before March 2014 (2001:db8::78ef:b5ff:fe8c:a55 and 2001:db8::9dce:5de1:d14f:709e).
–> That is, only 10 IPv6 addresses were in the firewall logs while not present in my DAD logs! Since there were 1235 different IPv6 addresses in the firewall logs, the 10 missed IPv6 addresses are only about 0,8 %.
Obviously I do not know whether these IPv6 addresses are from the same client (MAC address) or not. In the worst case, they all come from different clients (10 x), which is compared to the total count of 127 different MAC addresses on the network a missing rate of 7,8 %.
The following figure shows the relation between these four values:
Due to assumption that some operating systems could omit the DAD messages for either EUI-64 or privacy extended IPv6 addresses, I did this analysis of DAD message sniffing for more than 100 IPv6-capable devices over a whole month. The result shows that almost all new IPv6 addresses are stored in the DAD logs, i.e., the operating systems sent out the appropriate neighbor solicitation messages.
Since the tested network is a BYOD Wifi with a zoo of different operating systems including Windows, Mac, Android and iPhones, the overall missing rate of 1 % is quite ok. Since the method of this DAD sniffing is not useful against attackers at all, the level of the missing rate is acceptable for usage in a productive environment with “normal but imprudent” users.
Here is the zip file containing all the address lists specified in the above sections as italic words. Of course, all global unicast IPv6 addresses are masked to 2001:db8:: .