Covert Channels in IPv6

1
Covert Channels in IPv6
  • Norka B. Lucena, Grzegorz Lewandowski, and Steve
    J. Chapin
  • Syracuse University

PET 2005, Cavtat, Croatia

May 31st, 2005
2
Outline
  • IPv6 Overview
  • Covert Channels Description
  • Active Wardens Analysis
  • Conclusions

3
IPv6 Overview
  • Header structure has a fixed length of 40 bytes
  • Header does not include five of the fields from
    IPv4: header length, identification, flags,
    fragment offset, and checksum
  • A full implementation includes six headers:
      • Hop-by-hop Options
      • Routing
      • Fragment
      • Destination Options
      • Authentication (AH)
      • Encapsulating Security Payload (ESP)

4
Covert Channels
  • Covert channel: a communication path that
    allows transferring information in a way that
    violates a security policy
  • Concerned only with network storage channels
  • Adversary model: Alice and Bob may or may not
    be the same as the Sender and Receiver
  • A specification-based analysis of 22 covert
    channels

5
IPv6 Header: Hop Limit
Hop Limit (1 byte)
  • Setting an initial hop limit value and modifying
    it appropriately in subsequent packets

6
IPv6 Header: Hop Limit
[Figure: Alice, Bob, initial hop limit h]
Bandwidth: n packets, n - 1 bits
  • Alice sets an initial value, h, for the hop limit
  • Alice signals a 0 by decreasing the hop count by ?
    relative to the previous packet
  • Alice signals a 1 by increasing the same value by ?

7
Hop-by-Hop Options Header: Jumbograms
  • Using jumbograms as a means of covert communication
    in two ways:
      • Modifying an existing jumbogram length to append
        covert data
      • Converting a regular datagram into a jumbogram to
        fill in the extra bytes with hidden content

8
Hop-by-Hop Options Header: Jumbograms
[Figure: Alice, Bob]
Bandwidth: Varies
  • Alice sets the payload length of the IPv6 header
    to 0
  • Alice sets the option type of the Hop-by-Hop
    header to C2
  • Alice sets the option data length of the
    Hop-by-Hop header to 4

9
Routing Header: Routing Type 0
  • Fabricating addresses out of arbitrary data
    meaningful only to the covert communicating agents

10
Routing Header: Routing Type 0
[Figure: Alice, Bob]
Bandwidth: Up to 2048 bytes per packet
  • Alice inserts two fake addresses into the
    routing header
  • Alice modifies the header extension length field
    accordingly
  • Alice does not modify the original value of the
    segments left field

11
Active Wardens
  • Stateless Active Warden
      • Knows the protocol syntax and semantics and
        attempts to verify them
      • Sees one packet at a time
      • Performs at two levels of diligence
  • Stateful Active Warden
      • Registers already-observed semantic conditions
  • Network-aware Active Warden
      • Is a stateful active warden
      • Is also a network topologist
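
The stateless and stateful warden checks above, applied to the hop limit and jumbogram channels from slides 5 to 8. This is an added example, not code from the presentation or its authors; the function names, alert strings and the `sample` packet builder are assumptions, and the input is assumed to be a complete raw IPv6 packet.

```python
# Added example; function names and alert strings are illustrative assumptions.
import struct
JUMBO_OPT = 0xC2  # Jumbo Payload option type, the "C2" on slide 8 (RFC 2675)

def parse(pkt):
    """Split a raw IPv6 packet into fixed-header fields and what follows."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nxt, hlim = struct.unpack("!HBB", pkt[4:8])
    return {"plen": plen, "next": nxt, "hlim": hlim,
            "flow": pkt[8:40], "rest": pkt[40:]}

def jumbo_length(rest):
    """Walk Hop-by-Hop option TLVs; return the Jumbo Payload length or None."""
    end = min(len(rest), (rest[1] + 1) * 8) if len(rest) >= 2 else 0
    i = 2
    while i + 2 <= end:
        otype, olen = rest[i], rest[i + 1]
        if otype == 0:                      # Pad1 is a single byte, no length
            i += 1
        elif otype == JUMBO_OPT and olen == 4 and i + 6 <= end:
            return struct.unpack("!I", rest[i + 2:i + 6])[0]
        else:
            i += 2 + olen
    return None

def stateless_check(p):
    """Per-packet syntax and semantics checks (stateless warden)."""
    alerts = []
    jumbo = jumbo_length(p["rest"]) if p["next"] == 0 else None
    if jumbo is not None and (p["plen"] != 0 or jumbo <= 65535):
        alerts.append("jumbo option on a packet that is not a valid jumbogram")
    declared = p["plen"] if jumbo is None else jumbo
    if declared != len(p["rest"]):
        alerts.append("declared length does not match bytes on the wire")
    return alerts

def stateful_check(state, pkt):
    """Adds per-flow memory: flags a hop limit that differs from the last one."""
    p = parse(pkt)
    alerts = stateless_check(p)
    prev = state.get(p["flow"])
    if prev is not None and prev != p["hlim"]:
        alerts.append(f"hop limit changed {prev} -> {p['hlim']}")
    state[p["flow"]] = p["hlim"]
    return alerts

def sample(hlim, rest=b"\x00" * 8, nxt=59, plen=None):  # constructed packet
    plen = len(rest) if plen is None else plen
    return struct.pack("!IHBB", 6 << 28, plen, nxt, hlim) + bytes(32) + rest
```

Pass one shared `state` dict across all packets of a capture. A route change can also alter the hop limit seen at the warden, so a single alert is a signal to count per flow rather than proof of a channel.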

12
Conclusions
  • Provide awareness of the existence of at least 22
    covert channels in IPv6
  • Generate discussion toward harmful means of
    covert communication
  • Help to understand potential attacks that exploit
    IPv6 traffic to take appropriate countermeasures
  • Raise issues for considerations by implementors
    of IPv6 protocol stacks and firewalls
  • Introduce three types of active wardens:
    stateless, stateful, and network-aware

13
Any Questions?
14
Thank You All!