X

The upcoming Bro 2.1 release includes major improvements to its
IPv6 support. IPv6 is enabled by default and no longer needs any
special configuration. IPv6 has been fully integrated into all parts
of Bro including protocol analysis and the scripting language.

Some of the most significant enhancements include support for IPv6
fragment reassembly, support for following IPv6 extension header
chains, and support for tunnel decapsulation (6to4 and Teredo).
The DNS analyzer now handles AAAA records properly, and DNS lookups
that Bro itself performs now include AAAA queries, so that,
for example, the result returned by the "lookup_hostname" built-in
function is a set that can contain both IPv4 and IPv6 addresses.
Support for the most common ICMPv6 message types has been added.
Also, the FTP EPSV and EPRT commands are now handled properly.

When building Bro from source, the "–enable-brov6" configure option
has been removed because it is no longer relevant. The way IP
addresses are stored internally has been improved, so Bro can
handle both IPv4 and IPv6 by default without any special configuration.

There are a couple of changes to the Bro scripting language to better
support IPv6. First, IPv6 literals appearing in a Bro script must
now be enclosed in square brackets (for example, [fe80::db15]).
For subnet literals, the slash "/" appears after the closing square
bracket (for example, [fe80:1234::]/32). Second, when an IP
address variable or IP address literal is enclosed in pipes (for
example, |[fe80::db15]|) the result is now the size of the
address in bits (32 for IPv4 and 128 for IPv6).

There are several new built-in functions. The "is_v4_addr" and "is_v6_addr"
built-in functions can be used to determine whether a given IP address is
IPv4 or IPv6. The "to_subnet" built-in function can do conversions from a
string representation of a subnet (such as "192.168.0.0/16" or
"2607:f8b0::/32") to the corresponding value as a Bro "subnet" type.
Similarly, "addr_to_counts" and "counts_to_addr" can do conversions
between an IP address and a vector of counts (four elements if address
is IPv6 and one if IPv4). Finally, "routing0_data_to_addrs" takes the
"data" field of an IPv6 type 0 routing header and returns a vector of
IP addresses contained in the routing header data.

A couple built-in functions have been removed: "addr_to_count" (this only
worked with IPv4 addresses; use "addr_to_counts" instead), and "bro_has_ipv6"
(this is no longer needed, because Bro always supports IPv6 now).

There are some new events that improve support for IPv6 (although neither
of these events are yet handled in any of the Bro scripts). The event
"ipv6_ext_headers" is generated for any IPv6 packet containing extension
headers. Another new event "esp_packet" is generated for any packets
using ESP (Encapsulating Security Payload).

There are some new events that are generated for specific ICMPv6
message types: "icmp_packet_too_big", "icmp_parameter_problem",
"icmp_router_solicitation", "icmp_router_advertisement",
"icmp_neighbor_solicitation", and "icmp_neighbor_advertisement".
And there’s a new event "icmp_error_message" that is generated if Bro
sees an ICMPv6 error message for which there is no dedicated event.
It should be noted that none of these new events are currently handled
in any of the Bro scripts.

One other small change related to ICMP events is that the "icmp_redirect"
event signature has changed (it now includes both the target and
destination addresses).

Although not a new event, the "dns_AAAA_reply" event is now generated for
DNS replies of type AAAA (previously, Bro would generate a "dns_A_reply"
instead), and the event signature has changed slightly (the last parameter
has been removed because it was unused). There is a new event "dns_A6_reply"
that is generated for DNS replies of type A6.

There is a new experimental feature (to enable it, build Bro with the
new configure option "–enable-mobile-ipv6") to analyze Mobile IPv6 (see
RFC 6275). If enabled, there is a new event "mobile_ipv6_message"
(although currently none of the scripts handle this event).

In addition to Bro itself, the other Bro components have also been
made IPv6-aware by default. In particular, significant changes were
made to trace-summary, PySubnetTree, and Broccoli to support IPv6.

There are a few API changes in PySubnetTree to support a new
concept called binary lookup mode, which only affects IP address
lookups (i.e., this feature does not affect how subnets are
added to the SubnetTree data structure). There is a new method
"set_binary_lookup_mode" which can be used to enable or disable
binary lookup mode, and there’s a new method "binary_lookup_mode"
to check whether or not binary lookup mode is currently enabled.
Finally, the SubnetTree constructor has a new optional argument
which lets you choose whether or not to enable binary lookup mode
immediately, but you can always use "set_binary_lookup_mode" at a
later time.

There are a few API changes in Broccoli to support IPv6. First,
there is a new type "BroAddr" which can store either an IPv4 or
IPv6 address, and the "BroSubnet" type has been made larger to
accommodate both IPv4 and IPv6. Also, there is a new function
"bro_util_is_v4_addr" which can be used to check if an address is
IPv4 or not. Finally, there is a new constant "BRO_IPV4_MAPPED_PREFIX"
which is the first 12 bytes of a 16-byte IPv4-mapped IPv6 address (see
RFC 4291).

%d bloggers like this: