Routing Assignment

Introduction

Network forensics and incident response play a critical role in recovering from and preventing further attacks against enterprise networks. One of the key capacities required for the effective execution of these activities is network situational awareness - knowing what hosts, services and traffic exist on your organization's network. Certain aspects of the behavior of Internet Protocol Version 6 (IPv6) make it difficult to precisely match an address observed in a log file or packet capture to an actual host at a later time, making complete network situational awareness difficult to obtain. With the gradually accelerating deployment of the IPv6 protocol on enterprise networks, investigators need a mechanism that will provide this capability. In this thesis, I propose and demonstrate a system - IPv6 Address Correlator (IPAC) - that allows network administrators and incident responders to track the use of IPv6 addresses within their organization's network and identify which node utilized a specific IP address at any given time.

Network design

Network forensic analysis is complicated by the use of IPv6 because of two aspects of the nature of IPv6 addressing: multiplicity and volatility. As discussed in Section 3.4, hosts with IPv6 functionality will always have more than one active IP address if they are able to communicate beyond their local network segment. In some cases, the actual number of addresses used by the host could be upwards of ten, or even several dozen. In each case the exact number of addresses used by the host will depend on three factors: the number of network prefixes advertised on the network segment, whether or not Privacy Extensions for IPv6 are enabled, and (if Privacy Extensions are enabled) how long the host has been active on the network. For each network prefix used by the network segment, an autoconfigured EUI-64 address will be generated [20]. If Privacy Extensions are enabled, a pseudorandom temporary address will also be generated for each network prefix. For every Preferred Lifetime interval (usually one day) that the host has been active on the network beyond the first, up to the number of intervals allowed by the Valid Lifetime (usually seven days), the host will have an additional pseudorandom temporary address for each network prefix. The formulas used to calculate how many autoconfigured addresses a host will have at any given time on a given network interface are provided in Figure 2.1. Note that these formulas do not take into consideration any addresses obtained by methods other than Autoconfiguration, such as DHCPv6 or static assignment.
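The sketch below is an added example, not code from the thesis or from IPAC. It derives the EUI-64 autoconfigured address for a prefix, recovers the MAC address from an observed address when one is embedded, and counts the autoconfigured addresses a host would hold under the model described in the paragraph above. The function names, the sample prefix, MAC and host name are constructed, and the counting function is one reading of the prose, not the formulas of Figure 2.1.

```python
import ipaddress

def eui64_address(prefix, mac):
    """SLAAC address for a /64 prefix and 48-bit MAC (modified EUI-64, RFC 4291)."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if net.prefixlen != 64 or len(raw) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    # Flip the universal/local bit, then insert ff:fe between the two MAC halves.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return net.network_address + int.from_bytes(iid, "big")

def mac_from_address(addr):
    """MAC embedded in an EUI-64 address, or None when the ff:fe marker is absent."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # e.g. a Privacy Extensions temporary address
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def expected_autoconf_addresses(prefixes, privacy, days_active,
                                preferred_days=1, valid_days=7):
    """Address count per interface under the paragraph's model (assumed reading)."""
    count = prefixes  # one EUI-64 address per advertised prefix
    if privacy:
        # One temporary address per prefix for the first Preferred Lifetime
        # interval, plus one per further interval, capped by the Valid Lifetime.
        intervals = min(days_active // preferred_days + 1,
                        valid_days // preferred_days)
        count += prefixes * intervals
    return count

if __name__ == "__main__":
    # Constructed sample data: documentation prefix and a made-up MAC.
    known = {"00:1a:2b:3c:4d:5e": "workstation-17"}
    observed = ["2001:db8:1:2:21a:2bff:fe3c:4d5e",
                "2001:db8:1:2:9c4e:71a3:5b02:d8f1"]
    for addr in observed:
        mac = mac_from_address(addr)
        print(addr, "->", known.get(mac, "unresolved (no embedded MAC)"))
    print(expected_autoconf_addresses(prefixes=2, privacy=True, days_active=3))
```

A pseudorandom temporary identifier can contain the ff:fe bytes by chance, so a recovered MAC should be confirmed against an inventory or neighbor-cache record before it is attributed to a host.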

As a result of the methods of generating autoconfigured addresses, the volatility of IPv6 addresses usually conforms to one of two diametrically opposed cases: either near-zero volatility or extreme volatility, with little middle ground in normal scenarios. The determining factor for this is the use of Privacy Extensions. If Privacy Extensions are not enabled on the host, then all autoconfigured addresses will reflect the network interface's MAC address (constructed in the EUI-64 format). The only variation in addresses over time would be a result ...