protocol decoding
This is the easy part. The IPv6 packet is simply encapsulated inside the IPv4 packet. There may be a dedicated field in front of the IPv6 packet, but it is enough to iterate over the blocks starting with 0x0, read each block's length and jump to the next block. If what follows looks like an IPv6 header, it is one!
protocol detection
This part is trickier. The exchange starts with a teredo-server. A negotiation takes place, which leads the teredo-server to choose a teredo-relay (the real data is exchanged with the relay). A message is sent by the teredo-server to indicate the teredo-relay parameters.
The teredo-client can then send tunneled data to the teredo-relay.
I don't think matching on 0x0 (0x0|0x1) is a sufficient criterion, as there are too few bits. A possible detection method is to try to decode the protocol; if we find an IPv6 packet after a few jumps, we've won.
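As an added example (not code from this ticket or from the project it concerns), the following Python decoder applies the approach described in both sections: it walks the Teredo indication blocks that start with 0x0000 (origin indication, fixed 8 bytes) and 0x0001 (authentication, variable length), then checks whether what remains looks like an IPv6 header, which is the "decode and see if we land on IPv6" detection heuristic. The block layouts follow RFC 4380; the sample UDP payload, nonce and client/relay addresses are constructed for the example.

```python
import ipaddress
import struct

# Teredo indication block tags (RFC 4380, section 5.1.1). Both have a zero high
# byte, which is the "0x0" the ticket refers to; an IPv6 header starts with the
# version nibble 6, so it can never be mistaken for an indication block.
TAG_ORIGIN = 0x0000   # origin indication: fixed 8 bytes
TAG_AUTH = 0x0001     # authentication: 2 tag + 1 id_len + 1 au_len + id + au + 8 nonce + 1 confirm
IPV6_HEADER_LEN = 40
MAX_BLOCKS = 2        # RFC 4380 allows at most one block of each kind


def block_length(payload: bytes, offset: int):
    """Length of the indication block starting at offset, or None if no block starts there."""
    if offset + 2 > len(payload):
        return None
    tag = struct.unpack_from("!H", payload, offset)[0]
    if tag == TAG_ORIGIN:
        return 8
    if tag == TAG_AUTH:
        if offset + 4 > len(payload):
            return None
        id_len, au_len = struct.unpack_from("!BB", payload, offset + 2)
        return 13 + id_len + au_len
    return None


def looks_like_ipv6(data: bytes) -> bool:
    """Plausibility check: version nibble 6 and a payload length that fits the data."""
    if len(data) < IPV6_HEADER_LEN or data[0] >> 4 != 6:
        return False
    payload_len = struct.unpack_from("!H", data, 4)[0]
    return IPV6_HEADER_LEN + payload_len <= len(data)


def decode_origin(block: bytes):
    """De-obfuscate an origin indication: port and address are XORed with all-ones bits."""
    port, addr = struct.unpack_from("!HI", block, 2)
    return port ^ 0xFFFF, str(ipaddress.IPv4Address(addr ^ 0xFFFFFFFF))


def decode_teredo(udp_payload: bytes):
    """Walk the indication blocks; return (ipv6_packet, [(tag, block_bytes), ...]) or None.

    None means the payload is not a well-formed Teredo packet (truncated block,
    or no IPv6 header after the blocks), which is the detection decision.
    """
    offset = 0
    blocks = []
    for _ in range(MAX_BLOCKS):
        length = block_length(udp_payload, offset)
        if length is None:
            break
        if offset + length > len(udp_payload):
            return None  # block claims more bytes than the packet carries
        tag = struct.unpack_from("!H", udp_payload, offset)[0]
        blocks.append((tag, udp_payload[offset:offset + length]))
        offset += length
    inner = udp_payload[offset:]
    if not looks_like_ipv6(inner):
        return None
    return inner, blocks


def build_sample_payload() -> bytes:
    """Constructed UDP payload: auth block, origin block, then a Teredo bubble (empty IPv6 packet)."""
    auth = struct.pack("!HBB", TAG_AUTH, 0, 0) + b"\x11" * 8 + b"\x00"   # constructed nonce
    origin = struct.pack("!HHI", TAG_ORIGIN, 0x1234 ^ 0xFFFF,
                         int(ipaddress.IPv4Address("192.0.2.1")) ^ 0xFFFFFFFF)
    ipv6 = (struct.pack("!IHBB", 0x60000000, 0, 59, 64)          # no payload, next header 59
            + ipaddress.IPv6Address("2001:0:c000:201::1").packed  # constructed Teredo client address
            + ipaddress.IPv6Address("2001:db8::1").packed)        # constructed destination
    return auth + origin + ipv6


if __name__ == "__main__":
    packet, blocks = decode_teredo(build_sample_payload())
    for tag, raw in blocks:
        if tag == TAG_ORIGIN:
            print("origin indication:", decode_origin(raw))
        else:
            print("authentication block of", len(raw), "bytes")
    print("inner IPv6 packet of", len(packet), "bytes")
```

The two-block limit and the version-nibble check are what keep the "jump until it looks like IPv6" loop from wandering through arbitrary UDP data: a payload that happens to begin with 0x0000 but is not followed by a sane IPv6 header is rejected rather than decoded.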
I attach a complete pcap (with data to relay) to the ticket.