Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Gsoc 2011 idea about IPv6
From: David Fifield <david () bamsoftware com>
Date: Mon, 21 Mar 2011 16:57:30 -0700

On Sun, Mar 20, 2011 at 11:26:49AM +0800, 许伟林 wrote:
Hi all,
    I'm a college student from Beijing, China. This is my 3rd year of
computer science. I'm very interested in nmap so I would like to apply for
the Gsoc 2011 program.
    Actually, I have been researching IPv6 in part time for half a year and
got some experiences. Last November, I helped Simon Kelley improve a feature
of Dnsmasq about IPv6 DNS. (Mail-subject named 'Modification to the feature
of config-static DNS    record in dual-stack network.' in
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q4/subject.html).

That's good. Involvement in other free software projects is good, so be
sure to mention it in your proposal.

    In addition, my team has created a open-source project 'stateful
IPv6-to-IPv6 Network Address Translation (NAPT66)' last month in
http://code.google.com/p/napt66/. NAPT66 has been deployed in several types
of middle-box routers and Chinese people can use it to reduce the expensive
cost of accessing Internet.
    I have read the 6 required items of IPv6 support carefully, and got some
ideas.
    For the first 5 items, are the basic theories the same to IPv4's ways?

This is an interesting question. We are not sure, so part of this
project will involve doing research and testing the new possibilities of
IPv6.

For OS detection, there is at least one tool that applies identical
techniques to IPv4 and IPv6 OS detection:
http://www.gomor.org/bin/view/Sinfp. I think we need to research new
tests though. You can see some ideas we've had in the file notes.txt in
        svn co --username guess --password "" svn://svn.insecure.org/nmap-exp/david/ipv6

Port scans and traceroute will probably be mostly the same. Something to
think about is the possibility of including extension headers.

    For the 6th item about IPv6 host discovery, I think we have more than
two ways to handle this problem.
    First, we can used a public BGP information to narrow down the IPv6
address space so that 2^128 times of scanning are not necessary.
    Second, we can use the worm's technique to discover all active hosts in
a subnet. I recently read a paper about worm exploiting IPv6 network. (A new
worm exploiting IPv6 and IPv4-IPv6 dual-stack networks: experiment,
modeling, simulation, and
defense<http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5274918>)

Thanks, these are good ideas. We've had some others in the ipv6.txt file
I linked above. In some ways I think host discovery on the same subnet
will be easier and more effective than with IPv4 because we can use
multicast to do most of the work. For remote hosts it's harder; I
suspect that we will start relying more on NSE scripts to find targets.

If you like, please comment on the ipv6.c program in the Subversion
directory I linked above. I'm thinking to use its functions as the base
of Nmap's raw IPv6 sending.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]