Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX (Short Paper)

IPv6 is being deployed but many Internet Service Providers have not implemented its support yet. Most of the end users have IPv6 ready computers but their network doesn’t support native IPv6 connection so they are forced to use transition mechanisms which transports IPv6 packets through IPv4 network. Unfortunately deployment of IPv6 is slow and at this rate, completion of the migration from IPv4 to IPv6 will take several years. Until then tunneled IPv6 traffic will be present on most networks. This means possible security risk because many of nowadays network tools and firewalls just see IPv4 traffic and content of the encapsulated IPv6 traffic is hidden. We do not know, what kind of traffic is inside of these tunnels, which services are used and if the traffic does not bypass security policy. This paper proposes an approach, how to monitor IPv6 tunnels even on high-speed networks. The contribution of this approach is a possibility of monitoring what is inside IPv6 tunnels. This gives network administrators a way to detect security threats which would be otherwise considered as harmless IPv4 traffic. This approach is also suitable for long term network monitoring. This is achieved by the usage of IPFIX (IP Flow Information Export) as the information carrying format. The proposed approach also allows to monitor traffic on 10 Gbps links, because it supports hardware-accelerated packet distribution to multiple processors. A system based on the proposed approach is deployed at the CESNET2 network, which is the largest academic network in the Czech Republic. This paper also presents statistics about tunneled traffic on the CESNET2 backbone links.