Rochester Institute of Technology
Correlating IPv6 addresses for network situational awareness.
Degree: MS, Information Sciences and Technologies (GCCIS), 2011, Rochester Institute of Technology
The advent of the IPv6 protocol on enterprise networks provides fresh challenges to network incident investigators. Unlike the conventional behavior and implementation of its predecessor, the typical deployment of IPv6 presents issues with address generation (host-based autoconfiguration rather than centralized distribution), address multiplicity (multiple addresses per host simultaneously), and address volatility (randomization and frequent rotation of host identifiers). These factors make it difficult for an investigator, when reviewing a log file or packet capture ex post facto, to both identify the origin of a particular log entry/packet and identify all log entries/packets related to a specific network entity (since multiple addresses may have been used). I have demonstrated a system, titled IPv6 Address Correlator (IPAC), that allows incident investigators to match both a specific IPv6 address to a network entity (identified by its MAC address and the physical switch port to which it is attached) and a specific entity to a set of IPv6 addresses in use within an organization's networks at any given point in time. This system relies on the normal operation of the Neighbor Discovery Protocol for IPv6 (NDP) and bridge forwarding table notifications from Ethernet switches to keep a record of IPv6 and MAC address usage over time. With this information, it is possible to pair each IPv6 address to a MAC address and each MAC address to a physical switch port. When the IPAC system is deployed throughout an organization's networks, aggregated IPv6 and MAC addressing timeline information can be used to identify which host caused an entry in a log file or sent/received a captured packet, as well as correlate all packets or log entries related to a given host.
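The two-way correlation described above, as an added illustration rather than code from the thesis or the IPAC system: a small Python timeline store records IPv6-to-MAC pairings learned from NDP and MAC-to-switch-port pairings learned from bridge forwarding table notifications, each with the interval during which it was observed, and then answers "which host held this address at time T" and "which addresses did this host hold at time T". The class name, record layout and the sample timeline are assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime
from typing import List, Optional, Set, Tuple

def canon_ip(addr: str) -> str:
    """Canonicalise an IPv6 address so textual variants (case, zero compression) compare equal."""
    return str(ipaddress.IPv6Address(addr))

class IPv6Correlator:
    """Timeline of IPv6->MAC pairs (NDP) and MAC->port pairs (bridge tables) with observation intervals."""
    def __init__(self) -> None:
        self.ndp: List[Tuple[str, str, datetime, datetime]] = []     # (ipv6, mac, first_seen, last_seen)
        self.bridge: List[Tuple[str, str, datetime, datetime]] = []  # (mac, port, first_seen, last_seen)
    def record_ndp(self, ipv6: str, mac: str, start: datetime, end: datetime) -> None:
        self.ndp.append((canon_ip(ipv6), mac.lower(), start, end))
    def record_port(self, mac: str, port: str, start: datetime, end: datetime) -> None:
        self.bridge.append((mac.lower(), port, start, end))
    @staticmethod
    def _active(rows, key: str, at: datetime) -> Set[str]:
        return {val for k, val, s, e in rows if k == key and s <= at <= e}

    def host_for(self, ipv6: str, at: datetime) -> Optional[Tuple[str, Optional[str]]]:
        """Address -> entity: (MAC, port) holding the address at `at`; None if unknown or ambiguous."""
        macs = self._active(self.ndp, canon_ip(ipv6), at)
        if len(macs) != 1:
            return None
        mac = macs.pop()
        ports = self._active(self.bridge, mac, at)
        return (mac, ports.pop() if len(ports) == 1 else None)

    def addresses_for(self, mac: str, at: datetime) -> Set[str]:
        """Entity -> addresses: every IPv6 address the MAC was using at `at`."""
        return {ip for ip, m, s, e in self.ndp if m == mac.lower() and s <= at <= e}

def at_hour(h: int) -> datetime:
    return datetime(2011, 5, 1, h)

def build_sample() -> IPv6Correlator:
    """Constructed sample, not real data: host A keeps fe80::1, rotates its privacy address at
    06:00 and is moved to another port at 08:00; host B later reuses the address A gave up."""
    c = IPv6Correlator()
    c.record_ndp("fe80::1", "00:11:22:33:44:55", at_hour(0), at_hour(12))
    c.record_ndp("2001:db8::a", "00:11:22:33:44:55", at_hour(0), at_hour(6))
    c.record_ndp("2001:db8::b", "00:11:22:33:44:55", at_hour(6), at_hour(12))
    c.record_port("00:11:22:33:44:55", "Gi1/0/1", at_hour(0), at_hour(8))
    c.record_port("00:11:22:33:44:55", "Gi1/0/2", at_hour(8), at_hour(12))
    c.record_ndp("2001:db8::a", "66:77:88:99:aa:bb", at_hour(10), at_hour(12))
    c.record_port("66:77:88:99:aa:bb", "Gi1/0/3", at_hour(10), at_hour(12))
    return c
```

Because the same global address maps to host A early in the day and host B later, a lookup is only meaningful when paired with the timestamp of the log entry or packet being investigated.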
Advisors/Committee Members: Johnson, Daryl, Hartpence, Bruce, Pan, Yin.
Subjects/Keywords: IPv6; NDP for IPv6; Network management; Network security
APA (6th Edition):
Froehlich, J. (2011). Correlating IPv6 addresses for network situational awareness. (Masters Thesis). Rochester Institute of Technology. Retrieved from https://scholarworks.rit.edu/theses/393
Chicago Manual of Style (16th Edition):
Froehlich, Jason. “Correlating IPv6 addresses for network situational awareness.” 2011. Masters Thesis, Rochester Institute of Technology. Accessed October 23, 2019.
MLA Handbook (7th Edition):
Froehlich, Jason. “Correlating IPv6 addresses for network situational awareness.” 2011. Web. 23 Oct 2019.
Froehlich J. Correlating IPv6 addresses for network situational awareness. [Internet] [Masters thesis]. Rochester Institute of Technology; 2011. [cited 2019 Oct 23]. Available from: https://scholarworks.rit.edu/theses/393.
Council of Science Editors:
Froehlich J. Correlating IPv6 addresses for network situational awareness. [Masters Thesis]. Rochester Institute of Technology; 2011. Available from: https://scholarworks.rit.edu/theses/393