[Bro-Dev] tunnel decapsulators?

Gregor Maier gregor at icir.org
Thu Feb 16 15:30:36 PST 2012


On 2/16/12 14:40 , Robin Sommer wrote:
> On Thu, Feb 16, 2012 at 12:50 -0800, you wrote:
> 
>> see topic/gregor/tunnel
> 
> I haven't actually been following that too closely. Can you briefly
> summarize what the code is doing?

from my tunnel.bro script ;-) 

##! Handle tunneled connections.  
##! 
##! Bro can decapsulate IPinIP and IPinUDP tunnels, where "IP" can be either
##! IPv4 or IPv6. The most common case will be decapsulating Teredo, 6to4,
##! 6in4, and AYIYA. When this script is loaded, decapsulation will be 
##! enabled. "tunnel.log" will log the "parent" for each tunneled 
##! connection. The identity (and existence) of the tunnel connection
##! is otherwise lost. 
##!
##! Currently handles: 
##!
##!   * IP6 in IP{4,6}. (IP4 in IP is easy to add, but omitted due to lack
##!     of test cases.)
##!   * IP{4,6} in UDP. This decapsulates e.g., standard *Teredo* packets
##!     (without authentication or origin indicator)
##!   * IP{4,6} in AYIYA
##!   * Only checks for UDP tunnels on Teredo's and AYIYA's default 
##!     ports. See :bro:id:`udp_tunnel_ports` and 
##!     :bro:id:`udp_tunnel_allports`
##! 
##! Decapsulation happens early in a packet's processing, right after IP
##! defragmentation but before there is a connection context. The tunnel
##! headers are stripped from the packet and the identity of the parent
##! is stored as the ``tunnel_parent`` member of :bro:type:`connection`, 
##! which is of type :bro:type:`Tunnel::Parent`. 
##! 
##! *Limitation:* The decapsulated packets are not fed through the 
##! defragmenter again and decapsulation happens only on the primary
##! path, i.e., it's not available for the secondary path. 
##! 
##! 

Tunnel decapsulation can be enabled/disabled for IP and UDP separately. For UDP you can specify the set of UDP ports that should be considered. For UDP tunnels without glue headers (i.e., the inner IP header starts right after the UDP header) we probabilistically check if the UDP payload is indeed a valid IP header. This is similar to the old UDP tunnel code. 

> We also might need to do a bit more brainstorming on how to generally
> handle tunnels. It's not really clear yet to me at least.

ACK. 
My code is simple and works but definitely has limitations. The right thing to do would be to make the IP handling in Bro part of the analyzer tree. Then tunnel decapsulation can just be an analyzer that feeds the decapsulated packets back into IP processing. 


cu
Gregor
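As an added illustration of the "probabilistically check if the UDP payload is indeed a valid IP header" step described above (this is example code written for this page, not code from Bro or from the topic/gregor/tunnel branch), the sketch below gates on a configurable set of UDP tunnel ports and then applies header plausibility checks to the payload. The port numbers 3544 (Teredo) and 5072 (AYIYA) are the well-known assignments and are an assumption here, since the message names the protocols but not the numbers; the function names and the sample datagrams are constructed for the example.

```python
"""Heuristic check: does a UDP payload start with a real IP header?

Added illustration, not code from Bro or from topic/gregor/tunnel.  For UDP
tunnels with no glue header (the inner IP header follows the UDP header
directly), only configured ports are considered, and the payload is accepted
as an inner packet only if its first bytes pass IPv4 or IPv6 header checks.
"""
import struct

# Assumed defaults: Teredo (3544) and AYIYA (5072) are the well-known UDP
# assignments; the mailing-list message names the protocols, not the numbers.
DEFAULT_UDP_TUNNEL_PORTS = frozenset({3544, 5072})


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum over 16-bit words.

    Returns 0 when applied to a header whose checksum field is already correct.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_ipv4(payload: bytes) -> bool:
    """Version nibble, IHL, total length and header checksum must all agree."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return False
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(payload):
        return False
    total_len = struct.unpack_from("!H", payload, 2)[0]
    if total_len < ihl or total_len > len(payload):
        return False
    # A random payload that happens to start with 0x45 almost never carries a
    # consistent header checksum; this is what makes the test probabilistic
    # rather than a bare nibble comparison.
    return ipv4_checksum(payload[:ihl]) == 0


def looks_like_ipv6(payload: bytes) -> bool:
    """IPv6 has no header checksum, so only version and payload length are checked."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return False
    payload_len = struct.unpack_from("!H", payload, 4)[0]
    return 40 + payload_len <= len(payload)


def decapsulate_udp(sport: int, dport: int, payload: bytes,
                    tunnel_ports=DEFAULT_UDP_TUNNEL_PORTS):
    """Hypothetical helper: return ("ipv4" | "ipv6", inner_packet), or None when
    the datagram is not recognised as a glue-header-less IP-in-UDP tunnel.
    Either endpoint port matching the configured set is treated as a tunnel
    candidate (an assumption about how the port set should be applied)."""
    if sport not in tunnel_ports and dport not in tunnel_ports:
        return None
    if looks_like_ipv4(payload):
        return ("ipv4", payload)
    if looks_like_ipv6(payload):
        return ("ipv6", payload)
    return None


# --- constructed sample datagrams (not captured traffic) ----------------------

def build_ipv4(src: bytes, dst: bytes, proto: int, inner: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0x1234, 0x4000,
                      64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def build_ipv6(src: bytes, dst: bytes, nxt: int, inner: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(inner), nxt, 64, src, dst) + inner


# Teredo-style payload: a bare IPv6 packet (ICMPv6 echo request) right after UDP.
SAMPLE_TEREDO = build_ipv6(bytes.fromhex("20010000" + "00" * 12),
                           bytes.fromhex("20010db8" + "00" * 11 + "01"),
                           58, b"\x80\x00" + b"\x00" * 6)
# IPv4 carried directly in UDP on a constructed, non-default tunnel port.
SAMPLE_IP4_IN_UDP = build_ipv4(bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]), 17, b"\xaa" * 8)
# Same packet with its checksum field damaged: must be rejected.
SAMPLE_BAD_CHECKSUM = (SAMPLE_IP4_IN_UDP[:10]
                       + bytes([SAMPLE_IP4_IN_UDP[10] ^ 0xFF])
                       + SAMPLE_IP4_IN_UDP[11:])
# An ordinary DNS query for www.example.com: plain UDP payload, not a tunnel.
SAMPLE_DNS_LIKE = bytes.fromhex("123401000001000000000000" + "03777777"
                                + "076578616d706c65" + "03636f6d" + "00" + "0001" + "0001")

if __name__ == "__main__":
    for name, sport, dport, data in [("teredo", 50000, 3544, SAMPLE_TEREDO),
                                     ("dns", 50000, 3544, SAMPLE_DNS_LIKE),
                                     ("bad-csum", 50000, 3544, SAMPLE_BAD_CHECKSUM)]:
        print(name, decapsulate_udp(sport, dport, data))
```

The two checks deliberately differ in strength: an IPv4 candidate can be confirmed by its header checksum, whereas IPv6 offers only the version nibble and a length that must fit inside the datagram, which is why restricting the UDP ports that are examined matters more for IPv6-in-UDP than for IPv4-in-UDP.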

