With DoD networks steadily adopting and transitioning to the next-generation Internet Protocol, IPv6, careful consideration must be given to the IPv6-specific implications for network protection. While Network Intrusion Detection Systems (NIDS) assist in protecting current IPv4 DoD networks, NIDS performance in operational DoD IPv6 environments is largely unknown. As a step toward more rigorous NIDS evaluation, we investigate the extent to which known IPv4 attacks are able to evade detection when converted to equivalent IPv6 attacks. Utilizing 13 general attack classes, we test the IPv6 readiness of two popular open-source NIDSs: SNORT and BRO. Attacks in each class are evaluated in a virtual test bed that models both “native” and “transitional” networks. In the native IPv6 environment, we achieve a 95% detection rate for SNORT as compared to 8% with BRO. In addition, we discover a bug in SNORT where a carefully crafted IPv6 packet causes the NIDS to fail open, allowing full circumvention. Our findings suggest that, with respect to IPv6, both NIDS signatures and NIDS software require additional testing and evaluation to be operationally ready.
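The evaluation the abstract describes amounts to replaying each attack case as IPv4 traffic and again as the equivalent IPv6 traffic, then comparing which cases the NIDS alerted on. The harness below is an added example, not code from the paper or from the SNORT or BRO projects: it parses SNORT-style "fast" alert lines from the two runs, maps each attack case to the rule sid it is expected to trigger, and reports the per-version detection rate together with the attack classes that were detected under IPv4 but lost under IPv6. The attack class names, rule sids, addresses and alert lines are all constructed for illustration.

```python
"""Compare NIDS detection of IPv4 attack cases against their IPv6 equivalents.

Added example (not from the paper or the SNORT project). The sid-to-class
mapping and the alert lines are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackCase:
    attack_class: str   # constructed class name (the paper's 13 classes are not listed here)
    expected_sid: int   # constructed rule sid assumed to fire for this case


# Constructed test matrix: the same cases are replayed as IPv4 and as IPv6 traffic.
CASES = [
    AttackCase("port-scan", 1000001),
    AttackCase("web-exploit", 1000002),
    AttackCase("icmp-flood", 1000003),
    AttackCase("dns-tunnel", 1000004),
]

# Snort "fast" alert layout: "... [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst".
# Only the sid, protocol tag and endpoints are extracted; ports are left attached to the address.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] .*?\{([A-Z0-9-]+)\} (\S+) -> (\S+)")

# Constructed alert output of the IPv4 run: every case produced an alert.
IPV4_ALERTS = [
    "01/15-10:22:31.123456  [**] [1:1000001:1] SCAN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.9:22",
    "01/15-10:22:32.234567  [**] [1:1000002:1] WEB exploit attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40002 -> 10.0.0.9:80",
    "01/15-10:22:33.345678  [**] [1:1000003:1] ICMP flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "01/15-10:22:34.456789  [**] [1:1000004:1] DNS tunnel [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.0.0.5:53001 -> 10.0.0.9:53",
]

# Constructed alert output of the IPv6 run: two cases produced no alert at all.
IPV6_ALERTS = [
    "01/15-10:30:31.123456  [**] [1:1000001:1] SCAN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 2001:db8::5:40001 -> 2001:db8::9:22",
    "01/15-10:30:32.234567  [**] [1:1000002:1] WEB exploit attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 2001:db8::5:40002 -> 2001:db8::9:80",
]


def parse_alerts(lines):
    """Return the set of rule sids that fired in one NIDS run (unparseable lines are skipped)."""
    sids = set()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            sids.add(int(m.group(2)))
    return sids


def detection_report(cases, v4_alerts, v6_alerts):
    """Per-version detection rate, plus the classes detected under IPv4 but not under IPv6."""
    fired_v4 = parse_alerts(v4_alerts)
    fired_v6 = parse_alerts(v6_alerts)
    hits_v4 = {c.attack_class for c in cases if c.expected_sid in fired_v4}
    hits_v6 = {c.attack_class for c in cases if c.expected_sid in fired_v6}
    total = len(cases)
    return {
        "ipv4_rate": len(hits_v4) / total,
        "ipv6_rate": len(hits_v6) / total,
        "lost_in_ipv6": sorted(hits_v4 - hits_v6),
    }


if __name__ == "__main__":
    report = detection_report(CASES, IPV4_ALERTS, IPV6_ALERTS)
    print(f"IPv4 detection rate: {report['ipv4_rate']:.0%}")
    print(f"IPv6 detection rate: {report['ipv6_rate']:.0%}")
    print("classes lost when converted to IPv6:", ", ".join(report["lost_in_ipv6"]) or "none")
```

The report keys a case on the sid it is expected to trigger rather than on the attack class name, so a rule that fires on the IPv6 variant but with a different message still counts as a detection; classes listed under `lost_in_ipv6` are the ones whose signatures need IPv6-specific review, which is the practical outcome of the comparison the paper describes.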