Neighbor Discovery Watch

Download: ndwatch-0.8.2.tar.gz (tar.gz)

Features

  • Neighbor Discovery monitoring for IPv6 (an IPv6 counterpart of arpwatch)
  • ARP snooping (to store the IPv4 address of an IPv6 node and report its DNS name)
  • Rogue IPv6 Router Advertisement Monitoring and Handling
  • Configurable DBM/MySQL node database
  • Configurable valid (legal) IPv6 routers
  • Configurable event mailing
  • Standalone C++ IPv6/ICMPv6 packet decoding and encoding library included (inspired by Scapy)
Example of email notification:
Update node MAC 00:30:68:30:86:46
IPv4 address: 192.168.9.11 (test.example.com) last Sat Apr  2 17:18:49 2011
IPv4 address: 192.168.9.19 (test2.example.com) last Sat Apr  2 17:18:43 2011
IPv6 LLA address: fe80::230:68ff:fe30:8646 last Sat Apr  2 17:12:23 2011
IPv6 address: 2001:db8:1c0:1234::90b last Sat Apr  2 16:53:40 2011
IPv6 address: 2001:db8:1c0:1234::913 last Sat Apr  2 16:59:25 2011
Example of node database dump:
MAC 00:30:68:30:86:46 Sat Apr  2 17:01:58 2011
    IPv4 192.168.9.11 Sat Apr  2 16:59:31 2011
    LLA fe80::230:68ff:fe30:8646 Sat Apr  2 16:57:23 2011
    IPv6 2001:db8:1c0:1234::90b Sat Apr  2 16:53:40 2011
    IPv6 2001:db8:1c0:1234::913 Sat Apr  2 16:59:25 2011
MAC 00:04:a6:1d:4e:30 Sat Apr  2 17:02:25 2011
    LLA fe80::204:a6ff:fe1d:4e30 Sat Apr  2 17:02:25 2011
    IPv6 2001:db8:1c0:1234::1 Sat Apr  2 16:53:47 2011
This program has nothing in common with ndpmon; it was written from scratch around a similar idea and the associated RFCs. We have been running ndpmon in our network for some time, so we can list some of its deficiencies compared to ndwatch:
  • ndpmon uses an XML configuration file (a heavyweight tool for such a simple task)
  • ndpmon stores discovered nodes in an XML file; if ndpmon exits unexpectedly, this file is generally damaged (and the detection phase has to be run again on the next start)
  • some legitimate combinations of RA flags (M/O) are reported as invalid
  • many validation checks suggested by RFC 4862 are not implemented in ndpmon
  • only one monitoring interface
  • no rogue router unregistration (ndpmon-1.3)
  • DAD DoS detection is limited to one node at a time
  • no detection of ND packet floods (DoS)
  • no support for MLD monitoring (MLD report for solicited-node groups)
  • no support for ARP monitoring (to store IPv4 address of discovered node)

Requirements

  • C++ compiler (gcc-4.2 or newer)
  • libpcap (FreeBSD or Linux)
  • BDB, GDBM, NDBM or MySQL client library

Installation

The included Makefile works as-is on FreeBSD. To compile the program on Linux you have to adjust it slightly (add -ldb, perhaps remove the MySQL parts from libpacket). The default node database format is BDB/DBM; a MySQL database can be used if ndwatch.cc is compiled with the conditional define SQL. The program has to run under the root account to be able to open pcap interfaces. Copy the ndwatch binary and the dynamic library libpacket.so to the appropriate locations on your system manually (/usr/local/sbin and /usr/local/lib). The configuration file is read from /etc/ndwatch.cfg or /usr/local/etc/ndwatch.cfg (see the Single interface and Multiple interfaces examples below).

Command options: ndwatch [-dut] [-i if ...]

-d
increase debug verbosity (always use this option during testing)
-i interface
monitoring interface; may be given multiple times to monitor any number of interfaces
-u
unregister bogus (invalid) routers by sending a Router Advertisement with zero router lifetime (you should always use this option to get rid of Windows ICS machines acting as routers in your network; make sure every legitimate router is listed in the configuration first, otherwise it will be unregistered too)
-t
dump nodes database and exit
The program handles SIGINT (Ctrl-C) for a clean shutdown and SIGINFO (Ctrl-T) to dump packet statistics (SIGINFO and its Ctrl-T binding are a BSD feature).
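The packet that -u sends is a Router Advertisement with Router Lifetime 0. For hosts to act on it, RFC 4861 requires the RA to come from the link-local address already in their Default Router List (section 6.3.4) with hop limit 255 (section 6.1.2), so the packet has to be built with the rogue router's own link-local source address and MAC. The following is an added example, not code from ndwatch or libpacket: it builds such a packet from scratch (IPv6 header, ICMPv6 RA, source link-layer address option, RFC 4443 checksum) and decodes it again the way a monitor would check it. The rogue address and MAC in the usage line are constructed sample values.

```python
"""Build and decode the zero-lifetime Router Advertisement used to unregister
a rogue router.  Added example, not ndwatch/libpacket code; it assumes only
the wire formats of the IPv6 header and RFC 4861 Router Advertisement.
"""
import ipaddress
import struct

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ICMPV6 = 58
ND_ROUTER_ADVERT = 134
ND_OPT_SOURCE_LLADDR = 1


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def icmpv6_checksum(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address,
                    payload: bytes) -> int:
    """RFC 4443 checksum: one's complement sum over IPv6 pseudo-header + ICMPv6."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(payload), ICMPV6)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unregister_ra(rogue_lla: str, rogue_mac: str) -> bytes:
    """IPv6 packet: RA with Router Lifetime 0, spoofed from the rogue's own
    link-local address and MAC so hosts drop it from their default router list
    (RFC 4861 s.6.3.4); sent to all-nodes with hop limit 255 as ND requires."""
    src = ipaddress.IPv6Address(rogue_lla)
    if not src.is_link_local:
        raise ValueError("RA source must be link-local (RFC 4861 s.6.1.2)")
    # type, code, checksum placeholder, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer -- all zero except type
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 0, 0, 0, 0, 0)
    ra += struct.pack("!BB", ND_OPT_SOURCE_LLADDR, 1) + mac_to_bytes(rogue_mac)
    csum = icmpv6_checksum(src, ALL_NODES, ra)
    ra = ra[:2] + struct.pack("!H", csum) + ra[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(ra), ICMPV6, 255)
    return ip6 + src.packed + ALL_NODES.packed + ra


def parse_ra(pkt: bytes) -> dict:
    """Decode an IPv6/ICMPv6 RA and report the fields a monitor checks."""
    if len(pkt) < 40 + 16:
        raise ValueError("too short")
    ver_tc_fl, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6 or nh != ICMPV6:
        raise ValueError("not IPv6/ICMPv6")
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    icmp = pkt[40:40 + plen]
    typ, code, csum, _chl, _flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if typ != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]   # checksum field cleared
    slla, off = None, 16
    while off + 8 <= len(icmp):                  # walk the ND options (8-byte units)
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 s.4.6: discard packet
        if otype == ND_OPT_SOURCE_LLADDR:
            slla = ":".join("%02x" % b for b in icmp[off + 2:off + 8])
        off += olen * 8
    return {"src": str(src), "dst": str(dst), "hop_limit": hlim,
            "router_lifetime": lifetime, "slla": slla,
            "checksum_ok": icmpv6_checksum(src, dst, zeroed) == csum,
            "nd_valid": hlim == 255 and code == 0 and src.is_link_local}


if __name__ == "__main__":
    # constructed sample rogue: a host advertising itself from fe80::211:22ff:fe33:4455
    pkt = build_unregister_ra("fe80::211:22ff:fe33:4455", "00:11:22:33:44:55")
    print(parse_ra(pkt))
```

The decoder refuses a zero-length option and flags a hop limit other than 255, which are the two RFC 4861 validity checks most often skipped by ad-hoc RA parsers; a monitor that accepts such packets can be fed bogus "routers" or crashed by a malformed option loop.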

Limitations

The program should run on the software IPv6 router so that it receives all the necessary multicast packets. If you have a hardware router (e.g. Cisco), then
  1. You can set up a mirror port that mirrors all ICMPv6 packets from all required VLANs to a dedicated mirror port (packets have to be tagged with the source VLAN tag) and connect this dedicated port to a separate interface on the monitoring server (BSD/Linux).
  2. If your router doesn't support such mirroring, you can create a trunk with all required VLANs tagged and connect this trunk to the monitoring server (the trunk can also carry the monitoring server's regular connection). Then configure the required VLANs on this server interface (for FreeBSD see man vlan) and run ndwatch with multiple interfaces.
  3. If you cannot connect the monitoring server directly to the backbone router, you can run ndwatch on any server in the given subnet, but you have to run it standalone in every required VLAN/subnet.
Notice: if you use option 2 or 3, it is better not to enable MLD snooping on the L2 switches in your network. With MLD snooping enabled, ndwatch will not receive some multicast packets (those destined to solicited-node groups) and monitoring will be incomplete (though still sufficient to detect rogue routers). ndwatch cannot join all solicited-node groups (there are 2^24 of them), and it cannot learn the group from snooping, since an NS is typically sent to the solicited-node group while the NA goes to a unicast destination.

Copyright

Copyright (c) 2011 Brno University of Technology, Faculty of Information Technology
All Rights Reserved.

History

  • libpacket-0.1 (2011-01-14)
  • libpacket-0.2 (2011-01-17)
    new: ndwatch DAD, pcap ifs, nc6, util, test_util, some const fixes, setup() deleted, length bug in ND build
  • libpacket-0.3 (2011-01-20)
    new: Linux portability issues, fix pcap timeout handling
  • libpacket-0.4 (2011-02-03)
    new: packet setup solved, const fixes, MLD decoding, ndwatch enhancements (-u), tests
  • ndwatch-0.5 (2011-02-10)
    new: output cleanup, configurable events mailing
  • ndwatch-0.6 (2011-04-03)
    new: ARP decoding, ipv4 address added to node database, DNS name reporting, new email event NODE_UPD
  • ndwatch-0.7 (2011-04-10)
    new: solicited-node group MLD registration check (for LLA only), check for NS DAD/RS order, UDP send/receive, IPv4/IPv6 fragments decoding
  • ndwatch-0.8 (2011-04-18)
    new: ndwatch - MySQL nodes database
  • ndwatch-0.8.1 (2011-05-25)
    new: BDB, GDBM interface, IPv4/UDP fixes, BOOTP, DHCP decoding
  • ndwatch-0.8.2 (2011-06-05)
    new: TCP updated, ndwatch - packet statistics, fragmented packets check

Single interface

ndwatch.cfg:
# BDB/DBM/GDBM nodes database
nodes /var/db/nodes.db
# MySQL nodes database
# nodes host database user password

# RA packet rate_limit (packets/s) email_interval (secs/email)
ra_limit 10 3000

# email events
# new_node = new node discovered
# upd_node = any protocol address change/discovery for given MAC
# invalid_ra = invalid IPv6 router announcement
# invalid_na = invalid IPv6 neighbor announcement
# dad_dos = duplicate address detection DoS (other node has requested address)
email nobody@company.org new_node upd_node invalid_ra invalid_na dad_dos

# IPv6 subnet and router(s) definition
subnet 2001:db8:1c0:1234::/64
	# monitoring interface
	dev em0		# or eth0, igb0, etc.
	# router MAC address Link-Local address       Global Unicast address...
	mac 0:ab:cd:ef:12:34 fe80::2ab:cdff:feef:1234 2001:db8:1234::1


startup:
ndwatch -d -u -i em0

Multiple interfaces

# BDB/DBM/GDBM nodes database
nodes /var/db/nodes.db
# MySQL nodes database
# nodes host database user password

# RA packet rate_limit (packets/s) email_interval (secs/email)
ra_limit 10 3000

# email events
email nobody@company.org new_node upd_node invalid_ra invalid_na dad_dos

# IPv6 subnet and router(s) definition
subnet 2001:db8:1c0:1234::/64
	# monitoring interface
	dev vlan0
	# router MAC address Link-Local address       Global Unicast address...
	mac 0:ab:cd:ef:12:34 fe80::2ab:cdff:feef:1234 2001:db8:1234::1

subnet 2001:db8:1c0:5678::/64
	# monitoring interface
	dev vlan1
	# router MAC address Link-Local address       Global Unicast address...
	mac 0:ab:cd:ef:12:78 fe80::2ab:cdff:feef:1278 2001:db8:5678::1

startup:
ndwatch -d -u -i vlan0 -i vlan1
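The two configurations above define what a legal router looks like per interface (MAC, link-local address, global addresses) and what prefix belongs on that link. The following added example, which is not ndwatch's own code, parses that config format and applies the checks a monitor derives from it to a summarised Router Advertisement (monitoring interface, source MAC, source address, advertised prefixes, router lifetime). The ra_limit handling at the end is one interpretation of "rate_limit (packets/s) email_interval (secs/email)" and is an assumption, as is the embedded config text, which is constructed from the page's examples.

```python
"""Parse an ndwatch.cfg-style configuration and check Router Advertisements
against it.  Added example, not ndwatch code; config grammar taken from the
page, RA checks from RFC 4861, ra_limit semantics are an assumption.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed config text in the shape of the page's multiple-interface example.
SAMPLE_CFG = """
# BDB/DBM/GDBM nodes database
nodes /var/db/nodes.db
ra_limit 10 3000
email nobody@company.org new_node upd_node invalid_ra invalid_na dad_dos

subnet 2001:db8:1c0:1234::/64
\tdev vlan0          # monitoring interface
\tmac 0:ab:cd:ef:12:34 fe80::2ab:cdff:feef:1234 2001:db8:1234::1

subnet 2001:db8:1c0:5678::/64
\tdev vlan1
\tmac 0:ab:cd:ef:12:78 fe80::2ab:cdff:feef:1278 2001:db8:5678::1
"""


@dataclass
class Router:
    mac: str
    lla: ipaddress.IPv6Address
    gua: list


@dataclass
class Subnet:
    prefix: ipaddress.IPv6Network
    dev: str = ""
    routers: list = field(default_factory=list)


@dataclass
class Config:
    nodes: list = field(default_factory=list)      # path, or host db user password
    ra_limit: tuple = (0, 0)
    email: tuple = ("", ())
    subnets: list = field(default_factory=list)


def norm_mac(mac: str) -> str:
    """'0:ab:cd:ef:12:34' (config style) -> '00:ab:cd:ef:12:34' (packet style)."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC %r" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)


def parse_config(text: str) -> Config:
    cfg, current = Config(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if not line:
            continue
        key, *args = line.split()
        if key == "nodes":
            cfg.nodes = args
        elif key == "ra_limit":
            cfg.ra_limit = (int(args[0]), int(args[1]))
        elif key == "email":
            cfg.email = (args[0], tuple(args[1:]))
        elif key == "subnet":
            current = Subnet(ipaddress.IPv6Network(args[0]))
            cfg.subnets.append(current)
        elif key in ("dev", "mac"):
            if current is None:
                raise ValueError("%s outside a subnet block" % key)
            if key == "dev":
                current.dev = args[0]
            else:
                current.routers.append(Router(norm_mac(args[0]), ipaddress.IPv6Address(args[1]),
                                              [ipaddress.IPv6Address(a) for a in args[2:]]))
        else:
            raise ValueError("unknown keyword %r" % key)
    return cfg


def check_ra(cfg, dev, src_mac, src_addr, prefixes, router_lifetime):
    """Return [] for an RA from a legal router on `dev`, else the reasons it is invalid."""
    subnet = next((s for s in cfg.subnets if s.dev == dev), None)
    if subnet is None:
        return ["no subnet configured for interface %s" % dev]
    reasons, src = [], ipaddress.IPv6Address(src_addr)
    if not src.is_link_local:
        reasons.append("RA source %s is not link-local" % src)
    mac = norm_mac(src_mac)
    router = next((r for r in subnet.routers if r.mac == mac), None)
    if router is None:
        reasons.append("unknown router MAC %s on %s" % (mac, dev))
    elif router.lla != src:
        reasons.append("LLA %s does not match configured %s" % (src, router.lla))
    for p in prefixes:                             # every advertised prefix must be this link's
        if ipaddress.IPv6Network(p, strict=False) != subnet.prefix:
            reasons.append("advertised prefix %s is not %s" % (p, subnet.prefix))
    # router_lifetime == 0 is not itself an error: legal routers withdraw that way too
    return reasons


class RaRateLimiter:
    """Assumed ra_limit semantics: alert when more than `rate` RAs arrive within
    one second, but mail at most once per `email_interval` seconds."""
    def __init__(self, rate, email_interval):
        self.rate, self.interval = rate, email_interval
        self.window_start, self.count, self.last_mail = None, 0, None

    def observe(self, ts: float) -> bool:
        if self.window_start is None or ts - self.window_start >= 1.0:
            self.window_start, self.count = ts, 0
        self.count += 1
        if self.count <= self.rate:
            return False
        if self.last_mail is not None and ts - self.last_mail < self.interval:
            return False
        self.last_mail = ts
        return True
```

The MAC normalisation matters in practice: the page's config writes leading-zero-less octets (0:ab:cd:ef:12:34) while captured frames yield 00:ab:cd:ef:12:34, and a byte-for-byte comparison would mark every legal router as rogue and, with -u, unregister it.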


© 2011 Faculty of Information Technology BUT
Last modification: Sun Jun 5 19:44:12 2011