Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Martin Elich (1), Matěj Grégr (2) and Pavel Čeleda (1)
(1) Masaryk University, Brno, Czech Republic — elich|celeda@mail.muni.cz
(2) Brno University of Technology, Brno, Czech Republic — igregr@fit.vutbr.cz
Wien, 28th April 2011

Solution I

[Figure: architecture diagram; labelled components: Collector, NetFlow V9/IPFIX, Straight Zero Copy Data Interface, COMBOv2 + HANIC, three FlowMon instances each with an Input Plug-in]

Solution II

FlowMon exporter
• Generator of NetFlow/IPFIX data.
• Support of input plug-ins.

Input plug-in
• Detection and decapsulation of tunneled packets.
• Detection of used transition mechanism.
• Extraction of outside and inside IP addresses.
• Extraction of outside and inside ports.

[Figure: plot against Packet Size [B] (128, 256, 512, 800, 1024, 1280, 1518); series: 4 Cores - 6to4, ISATAP; 4 Cores - Teredo; 1 Core - 6to4, ISATAP; 1 Core - Teredo]

CPU Usage During the Test

[Figure: CPU usage (0 to 100) against Packet Size [B] (128, 256, 512, 800, 1024, 1280, 1518); series: 4 Cores - 6to4, ISATAP; 4 Cores - Teredo; 1 Core - 6to4, ISATAP; 1 Core - Teredo]

Data generating
• FlowMon exporter + plug-in -> NetFlow v9.
• Transport of data to collector over IPv6.

Data collecting
• NfSen 1.3.4 + NFDUMP 1.6.1.
• Enabled extensions 6 (src/dst vlan id labels).
• Profiles:
  • native IPv6,
  • Teredo,
  • 6to4,
  • ISATAP

Test bed
• Deployed on CESNET2 network.
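The four input plug-in tasks listed under Solution II, sketched as an added Python example; this is not the FlowMon plug-in's code. The detection rules are assumptions taken from the RFC prefixes named in the comments, the function names are hypothetical, and IPv6 extension headers and Teredo authentication/origin-indication headers are not handled.

```python
import ipaddress
import struct

TEREDO = ipaddress.ip_network("2001::/32")       # RFC 4380 Teredo prefix
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # RFC 3056 6to4 prefix
ISATAP_IID = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # RFC 5214 interface-ID start
# Constructed sample: 192.0.2.1 -> 192.88.99.1, protocol 41, inner UDP 1234 -> 53.
SAMPLE_6TO4 = bytes.fromhex(
    "45000044 00000000 40290000 c0000201 c0586301 60000000 00081140"
    "2002c000020100000000000000000001 20010db8000000000000000000000001"
    "04d20035 00080000")

def ports(proto, payload):
    """(src, dst) ports for TCP (6) or UDP (17), else None."""
    return struct.unpack("!HH", payload[:4]) if proto in (6, 17) and len(payload) >= 4 else None

def inner_ipv6(data):
    """Parse the fixed IPv6 header: (src, dst, next_header, payload) or None."""
    plen = int.from_bytes(data[4:6], "big")
    if len(data) < 40 + plen or data[0] >> 4 != 6:
        return None
    return (ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40]),
            data[6], data[40:40 + plen])

def decapsulate(pkt):
    """Flow key for one IPv4 packet, or None when it carries no tunneled IPv6."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or (pkt[0] & 0x0F) < 5 or pkt[9] not in (17, 41):
        return None
    proto, body, outer_ports = pkt[9], pkt[(pkt[0] & 0x0F) * 4:], None
    if proto == 17:                      # Teredo candidate: IPv6 carried inside UDP
        outer_ports, body = ports(17, body), body[8:]
    inner = inner_ipv6(body)
    if inner is None:
        return None
    src, dst, nh, payload = inner
    if proto == 17:
        if src not in TEREDO and dst not in TEREDO:
            return None                  # ordinary UDP whose payload merely resembles IPv6
        mech = "Teredo"
    elif src in SIX_TO_FOUR or dst in SIX_TO_FOUR:
        mech = "6to4"
    elif src.packed[8:12] in ISATAP_IID or dst.packed[8:12] in ISATAP_IID:
        mech = "ISATAP"
    else:
        mech = "other-proto41"           # e.g. a manually configured 6in4 tunnel
    return {"mechanism": mech, "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])), "outer_ports": outer_ports,
            "inner_src": str(src), "inner_dst": str(dst), "inner_proto": nh,
            "inner_ports": ports(nh, payload)}
```

The returned dictionary holds the outside and inside addresses and ports plus the mechanism label, which is the information a collector needs to separate the Teredo, 6to4 and ISATAP profiles.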
Structure of traffic by flows

[Figure: chart of traffic structure by flows]

... mechanisms in tunnels

Structure of transition mechanisms by flows

[Figure: pie chart; legend: Teredo, 6to4, ISATAP; labelled value: 88.18%]

          Flows    Packets  Bytes
Teredo    88.18%   89.10%   88.85%
ISATAP    0.06%    0.03%    0.03%

... in Teredo and 6to4 Tunnels

[Figure]

... HTTPS and DNS Protocols

By Flows
          IPv4     Native IPv6  Tunneled IPv6
HTTP      38.25%   1.99%        0.35%
HTTPS     3.26%    <0.01%       0.08%
DNS       10.39%   61.76%       0.45%

By Packets
          IPv4     Native IPv6  Tunneled IPv6
HTTP      49.99%   65.50%       2.98%
HTTPS     1.72%    <0.01%       2.85%
DNS       0.45%    1.68%        0.05%

By Bytes
          IPv4     Native IPv6  Tunneled IPv6
HTTP      56.80%   76.16%       0.38%
HTTPS     1.17%    <0.01%       0.33%
DNS       0.07%    0.42%        0.01%

Part I
Conclusion

Monitoring system
• No equivalent solution found.
• In future, switching export from NetFlow to IPFIX.

Monitoring results
• Tunneled traffic prevails over native IPv6 traffic.
• Different structure of traffic in IPv6 tunnels and IPv4.
• Majority of traffic is generated by P2P networks and other unidentified services.