
IPv6 Anomaly Traffic Monitoring with IPFIX


Abstract

Though the IPv6 network is believed to be safe against the security-violating exploits or attacks that were prevalent in IPv4, it is still expected that brand-new or mutated anomaly traffic will appear as IPv6 networks are deployed. In this paper, among several anomaly traffic patterns, we consider the possible IPv6 attacks that utilize ICMPv6, IPv6 extension headers, and IPv6-over-IPv4 tunneling. For the IPv6 traffic measurement infrastructure, we employ IP Flow Information eXport (IPFIX), which has been standardized to generate flow-level traffic measurement information. We present new IPFIX templates that have been extended to carry IPv6 anomaly traffic related to ICMPv6, IPv6 extension headers, and IPv6-over-IPv4 tunneling. Then, based on the extended IPFIX flow templates, we propose a simple IPv6 flow classification method that could be used for detecting IPv6 DoS attacks, IPv6 covert channels exploiting the destination option, and IPv6-over-IPv4 tunneling flows. From experiments with our own IPFIX analyzer and the IPFIX flow-generating probe, we have shown that IPFIX is useful for monitoring normal IPv6 traffic as well as anomaly IPv6 traffic.
