[Bro-Dev] #882: Requests related to IPv6 routing extension header
Bro Tracker
bro at tracker.bro-ids.org
Mon Sep 24 12:37:30 PDT 2012
#882: Requests related to IPv6 routing extension header
------------------------------+------------------------
Reporter: sheharbano.k | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
------------------------------+------------------------
Comment (by jsiwek):
Replying to [ticket:882 sheharbano.k]:
> 1). Generate event for RType=0 in IPv6 routing extension headers.
> RType=0 is deprecated and poses DoS risk
> (http://tools.ietf.org/html/rfc5095)
They currently create a weird called "routing0_hdr" which could be
upgraded to a notice if desirable.
> 2) In Wireshark, I can see the Type-specific Data field of the routing
> header as addresses. Bro should be able to parse addresses in the type
> specific data field of the routing extension header, which it doesn't as
> of now.
The data itself is available in script-layer events which get extension
headers (it's the *data* field of `ip6_routing` records). There's a BIF
called `routing0_data_to_addrs` to parse out addresses for routing type 0
headers. Something could be done similarly for other types, but I hadn't
tried too hard to find a way to parse the data at the script-layer alone,
so if that's possible, it would be better.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/882#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
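
The address parsing discussed in this ticket, as an added example that is not part of the original message and is not Bro's own code: it reads a raw IPv6 routing extension header, flags routing type 0 as deprecated (RFC 5095) and extracts its addresses. The function names, the dictionary keys and the sample bytes are hypothetical and constructed for illustration.

```python
import ipaddress
import struct

class RoutingHeaderError(ValueError):
    """Raised when the routing extension header is malformed or truncated."""

def routing0_addrs(data: bytes, segleft: int) -> list:
    """Type-specific data of a type 0 header -> list of IPv6Address."""
    body = data[4:]  # skip the 32-bit Reserved field
    if len(body) % 16:
        raise RoutingHeaderError("type 0 data is not a whole number of addresses")
    addrs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
    if segleft > len(addrs):
        raise RoutingHeaderError("Segments Left exceeds the address count")
    return addrs

def parse_routing_header(buf: bytes) -> dict:
    """Parse one routing extension header that starts at buf[0]."""
    if len(buf) < 8:
        raise RoutingHeaderError("truncated: shortest routing header is 8 octets")
    nxt, ext_len, rtype, segleft = struct.unpack_from("!BBBB", buf)
    total = 8 + ext_len * 8  # Hdr Ext Len counts 8-octet units after the first 8
    if len(buf) < total:
        raise RoutingHeaderError("truncated: Hdr Ext Len runs past the buffer")
    data = buf[4:total]  # everything after the four fixed fields
    return {
        "nxt": nxt, "rtype": rtype, "segleft": segleft, "data": data,
        "deprecated": rtype == 0,  # RFC 5095 deprecates type 0
        "addrs": routing0_addrs(data, segleft) if rtype == 0 else [],
    }

# Constructed sample: type 0 header, two addresses, both still to be visited.
SAMPLE_RH0 = (
    bytes([59, 4, 0, 2]) + bytes(4)
    + ipaddress.IPv6Address("2001:db8::1").packed
    + ipaddress.IPv6Address("2001:db8::2").packed
)

if __name__ == "__main__":
    hdr = parse_routing_header(SAMPLE_RH0)
    print(hdr["deprecated"], [str(a) for a in hdr["addrs"]])
```

Headers of other routing types are returned with their raw type-specific data and an empty address list, since their layouts differ from type 0.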