With DoD networks steadily adopting and transitioning to the next-generation Internet Protocol, IPv6, careful consideration
must be given to IPv6-specific implications for network protection. While Network Intrusion Detection Systems (NIDS) assist
in protecting current IPv4 DoD networks, NIDS performance in operational DoD IPv6 environments is largely unknown. As a
step toward more rigorous NIDS evaluation, we investigate the extent to which known IPv4 attacks are able to evade detection
when converted to equivalent IPv6 attacks. Using 13 general attack classes, we test the IPv6 readiness of two popular open-source
NIDSs: SNORT and BRO. Attacks in each class are evaluated in a virtual test bed that models both "native" and
"transitional" networks. In the native IPv6 environment, SNORT detects 95% of the converted attacks, compared with 8% for
BRO. In addition, we discover a bug in SNORT in which a carefully crafted IPv6 packet causes the NIDS to fail open (stop inspecting
while traffic continues to flow), allowing full circumvention. Our findings suggest that, with respect to IPv6, both NIDS signatures
and NIDS software require additional testing and evaluation to be operationally ready.
http://archive.org/details/theunexploredimp109456800
Lieutenant, United States Navy
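The evasion the abstract describes, an attack that is detected over IPv4 but passes untouched once it is carried over IPv6, and the difference between failing open and failing closed on malformed input, can be shown with a toy inspector. The following is an added illustration written for this page; it is not code from the thesis, and it does not reproduce the SNORT bug the abstract mentions. The "signature" (TCP port 80 plus the string /etc/passwd), the addresses, the frame builders and the sample attack payload are all constructed here for the demonstration. The first inspector only understands IPv4 and silently passes every other ethertype; the second dispatches on ethertype, walks IPv6 extension headers to reach TCP, and alerts rather than passes when the header chain is truncated or absurdly long.

```python
import struct
import ipaddress

# Constructed sample "signature": alert on TCP to port 80 whose payload contains this string.
SIG_PORT = 80
SIG_CONTENT = b"/etc/passwd"

ETH_IPV4 = 0x0800
ETH_IPV6 = 0x86DD
PROTO_TCP = 6
# IPv6 extension headers an inspector must walk before it reaches the transport header.
EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DEST_OPTS = 0, 43, 44, 60


def tcp_segment(sport, dport, payload):
    """Minimal 20-byte TCP header (checksum left zero; this toy does not validate it)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return hdr + payload


def ipv4_packet(src, dst, proto, payload):
    """IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:] + payload


def ipv6_packet(src, dst, next_header, payload):
    """IPv6 header; the payload length field covers extension headers plus transport."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def dest_options_header(next_header):
    """8-byte Destination Options extension header carrying only a PadN option."""
    # Hdr Ext Len is in 8-octet units not counting the first 8, so 0 means 8 bytes total.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def ethernet_frame(ethertype, payload):
    """Ethernet II frame with zeroed MAC addresses (constructed for the demo)."""
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload


def match_tcp(tcp):
    """Apply the constructed signature to a TCP segment; truncated headers fail closed."""
    if len(tcp) < 20:
        return "alert"
    _, dport, _, _, off = struct.unpack("!HHIIB", tcp[:13])
    payload = tcp[(off >> 4) * 4:]
    return "alert" if dport == SIG_PORT and SIG_CONTENT in payload else "pass"


def naive_inspect(frame):
    """IPv4-only inspector: anything that is not IPv4 is passed uninspected (fails open)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return "pass"
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != PROTO_TCP:
        return "pass"
    return match_tcp(ip[(ip[0] & 0x0F) * 4:])


def ipv6_aware_inspect(frame, max_ext_headers=8):
    """Dispatch on ethertype, walk IPv6 extension headers, and alert on malformed chains."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype == ETH_IPV4:
        if len(ip) < 20:
            return "alert"
        return match_tcp(ip[(ip[0] & 0x0F) * 4:]) if ip[9] == PROTO_TCP else "pass"
    if ethertype != ETH_IPV6:
        return "pass"  # other L3 protocols are outside this toy rule's scope
    if len(ip) < 40:
        return "alert"
    nxt, rest = ip[6], ip[40:]
    for _ in range(max_ext_headers):
        if nxt == PROTO_TCP:
            return match_tcp(rest)
        if nxt not in (EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DEST_OPTS):
            return "pass"  # non-TCP transport: the rule does not apply
        if len(rest) < 8:
            return "alert"  # truncated extension header: fail closed
        ext_len = 8 if nxt == EXT_FRAGMENT else (rest[1] + 1) * 8
        if len(rest) < ext_len:
            return "alert"
        nxt, rest = rest[0], rest[ext_len:]
    return "alert"  # extension-header chain longer than we are willing to walk: fail closed


# Constructed sample traffic: the same attack segment over IPv4 and over IPv6.
ATTACK = tcp_segment(40000, 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n")
IPV4_FRAME = ethernet_frame(ETH_IPV4, ipv4_packet("192.0.2.10", "192.0.2.80", PROTO_TCP, ATTACK))
IPV6_FRAME = ethernet_frame(ETH_IPV6, ipv6_packet("2001:db8::10", "2001:db8::80", PROTO_TCP, ATTACK))
IPV6_EXT_FRAME = ethernet_frame(ETH_IPV6, ipv6_packet(
    "2001:db8::10", "2001:db8::80", EXT_DEST_OPTS, dest_options_header(PROTO_TCP) + ATTACK))
IPV6_TRUNC_FRAME = ethernet_frame(ETH_IPV6, ipv6_packet(
    "2001:db8::10", "2001:db8::80", EXT_DEST_OPTS, b"\x06\x00\x01"))


def results():
    return {
        "naive/ipv4": naive_inspect(IPV4_FRAME),
        "naive/ipv6": naive_inspect(IPV6_FRAME),
        "aware/ipv6": ipv6_aware_inspect(IPV6_FRAME),
        "aware/ipv6+dstopts": ipv6_aware_inspect(IPV6_EXT_FRAME),
        "aware/ipv6-truncated": ipv6_aware_inspect(IPV6_TRUNC_FRAME),
    }


if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:22s} {verdict}")
```

The IPv4-only inspector alerts on the IPv4 frame and passes the byte-identical attack once it is wrapped in an IPv6 header, which is the conversion-based evasion the thesis measures. The IPv6-aware inspector alerts on both, still reaches the TCP segment behind a Destination Options header, and treats a truncated extension header as an alert rather than a pass, which is the fail-closed behaviour a production NIDS should exhibit when given a packet it cannot fully decode.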