TUNNELCHECK v1.0
================

What is tunnelcheck?
--------------------

Tunnelcheck is a tool for detecting IPv6-in-IPv4 tunnels. More precisely,
given two IPv4 addresses it checks whether there is a tunnel between them.
If there is evidence of a tunnel, tunnelcheck outputs a confidence value,
which is a measure of the probability that the tunnel exists, and tries to
determine the IPv6 addresses of the tunnel endpoints.

Techniques used
---------------

Tunnelcheck uses three techniques to detect tunnels:

  1) IPv4 spoofing
  2) DNS lookups
  3) Queries to the 6bone registry

Each technique carries a degree of confidence. The confidence value output
by tunnelcheck is the sum of the confidence values of each technique that
succeeded.

Brief description of the techniques
-----------------------------------

1. IPv4 spoofing

   This is the main technique used by tunnelcheck. By encapsulating an IPv6
   packet in an IPv4 packet (IP protocol 41) whose source address is that of
   one tunnel endpoint, tunnelcheck can trick the other endpoint into
   treating the packet as if it had arrived through the tunnel. The probes
   only reach the endpoint if the path from the tunnelcheck host does not
   drop packets with forged IPv4 source addresses (ingress filtering).

   Tunnelcheck uses four spoofing techniques:

   a) Injected Ping
      An encapsulated IPv6 echo request addressed to a pingable IPv6
      interface. Used to determine whether there is a tunnel.

   b) Dying Packet
      As above, but the injected IPv6 packet has a Hop Limit of 1, so the
      decapsulating endpoint cannot forward it and has to answer with an
      ICMPv6 Time Exceeded message from its own address. Used to determine
      the IPv6 addresses of the tunnel endpoints.

   c) Ping Pong Packet
      As above, but attempts to determine the address of one endpoint when
      the address of the other endpoint is already known.

   d) Fragmented Injection
      As Injected Ping, but splits the IPv4 packet carrying the IPv6 echo
      request into three IPv4 fragments.

2. DNS lookups

   Looks for AAAA records for the endpoint hostnames.

3. Queries to the 6bone registry

   Looks for a corresponding entry in the 6bone registry. Tunnelcheck
   requires a copy of the 6bone registry file to be stored locally in
   /etc/6bone.db or in the directory where tunnelcheck is installed.
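The spoofed probes used by the Injected Ping and Dying Packet techniques above, as an added example in Python. This is not tunnelcheck's own code (which is C++); it builds the raw bytes of an IPv6-in-IPv4 datagram (IP protocol 41) with a forged outer source, and decodes them the way a receiving endpoint would. Assumptions of this example: the inner echo request is sent from and to the reference IPv6 address, so that whatever the decapsulating endpoint emits (the forwarded echo request, or the ICMPv6 Time Exceeded triggered by a Hop Limit of 1) comes back to the tester; the addresses, the ICMP identifier and the payload are constructed documentation values; Ping Pong and Fragmented Injection are not modelled.

```python
import socket
import struct

PROTO_IPV6_IN_IPV4 = 41          # IP protocol number for IPv6-in-IPv4 (RFC 4213)
PROTO_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128
PAYLOAD = b"tunnelcheck-example"  # constructed echo payload, lets us recognise replies


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum. Over data that already contains a correct checksum
    the result is 0, which is how decapsulate() verifies what it receives."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src4: str, dst4: str, payload_len: int, ttl: int = 64) -> bytes:
    """Outer IPv4 header with protocol 41; src4 is the *forged* endpoint address."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, ttl, PROTO_IPV6_IN_IPV4, 0,
              socket.inet_pton(socket.AF_INET, src4),
              socket.inet_pton(socket.AF_INET, dst4)]
    fields[7] = rfc1071_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def icmpv6_echo_request(src6: bytes, dst6: bytes, ident: int, seq: int) -> bytes:
    """ICMPv6 echo request; the checksum covers the IPv6 pseudo-header (RFC 8200)."""
    body = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + PAYLOAD
    pseudo = src6 + dst6 + struct.pack("!I", len(body)) + b"\x00\x00\x00" + bytes([PROTO_ICMPV6])
    return body[:2] + struct.pack("!H", rfc1071_checksum(pseudo + body)) + body[4:]


def build_probe(spoofed_src4: str, target4: str, ref6: str, hop_limit: int,
                ident: int = 0x7C11, seq: int = 1) -> bytes:
    """IPv4(proto 41) | IPv6 | ICMPv6 echo request. Assumption of this example:
    the inner packet goes from the reference address to the reference address,
    so the endpoint's reaction (forwarded echo, or Time Exceeded) reaches us."""
    src6 = dst6 = socket.inet_pton(socket.AF_INET6, ref6)
    icmp = icmpv6_echo_request(src6, dst6, ident, seq)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), PROTO_ICMPV6, hop_limit, src6, dst6)
    return ipv4_header(spoofed_src4, target4, len(ip6) + len(icmp)) + ip6 + icmp


def injected_ping(spoofed_src4, target4, ref6, **kw) -> bytes:
    """Injected Ping: ordinary hop limit, the endpoint forwards the echo request."""
    return build_probe(spoofed_src4, target4, ref6, hop_limit=64, **kw)


def dying_packet(spoofed_src4, target4, ref6, **kw) -> bytes:
    """Dying Packet: Hop Limit 1, so the decapsulating endpoint must answer with
    ICMPv6 Time Exceeded from its own IPv6 address, revealing that address."""
    return build_probe(spoofed_src4, target4, ref6, hop_limit=1, **kw)


def decapsulate(pkt: bytes) -> dict:
    """What a tunnel endpoint does on receipt: check protocol 41, verify and strip
    the outer header and expose the inner IPv6/ICMPv6 fields."""
    ver_ihl, _, total_len, _, _, _, proto, _, src4, dst4 = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != PROTO_IPV6_IN_IPV4:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if rfc1071_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    inner = pkt[ihl:total_len]
    _, plen, nh, hlim, src6, dst6 = struct.unpack("!IHBB16s16s", inner[:40])
    icmp = inner[40:40 + plen]
    pseudo = src6 + dst6 + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([nh])
    return {
        "outer_src": socket.inet_ntop(socket.AF_INET, src4),
        "outer_dst": socket.inet_ntop(socket.AF_INET, dst4),
        "inner_src": socket.inet_ntop(socket.AF_INET6, src6),
        "inner_dst": socket.inet_ntop(socket.AF_INET6, dst6),
        "hop_limit": hlim,
        "icmp_type": icmp[0] if icmp else None,
        "checksum_ok": nh == PROTO_ICMPV6 and rfc1071_checksum(pseudo + icmp) == 0,
    }


def send_probe(pkt: bytes, target4: str) -> None:
    """Put the hand-built datagram on the wire. Needs root (raw socket with
    IP_HDRINCL), which is exactly why tunnelcheck itself must run as root."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (target4, 0))


if __name__ == "__main__":
    # Constructed documentation-range addresses: endpoint A, endpoint B, reference R.
    probe = dying_packet("192.0.2.1", "198.51.100.2", "2001:db8::1")
    print(decapsulate(probe))
```

Only the outer IPv4 source is forged; the inner addresses are genuine, which is what lets several tunnelcheck instances run side by side and tell their own replies apart (by identifier and payload). Running send_probe() for real requires root and a path that does not filter spoofed sources.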
You may download the 6bone registry file from
ftp://whois.6bone.net/6bone/6bone.db.gz and decompress it, since tunnelcheck
reads the uncompressed 6bone.db.

A detailed description of the techniques used can be found in the paper
available at:

  http://www.dia.uniroma3.it/~compunet/tunneldiscovery/tunneling-noms.pdf

How confidence values are calculated
------------------------------------

The confidence value output by tunnelcheck is calculated using the following
criteria:

Spoofing techniques:

  Injected Ping success on one endpoint only      : 5 confidence points
  Injected Ping success on both endpoints         : 7 confidence points
  Dying Packet success, for each endpoint         : 1 confidence point
  Ping Pong Packet success on one endpoint
    (only if Dying Packet didn't work)            : 1 confidence point

If at least one spoofing technique succeeded:

  6bone registry lookup success                   : 1 confidence point

If no spoofing technique succeeded:

  DNS lookup success                              : 1 confidence point
  6bone registry lookup success                   : 4 confidence points

The maximum is therefore 10 points (7 + 1 + 1 + 1), which is why the output
reports the confidence as X/10. Without a successful spoofing technique the
value cannot exceed 5, because DNS and registry data alone do not prove that
the tunnel is actually up.

Compiling tunnelcheck
---------------------

To compile tunnelcheck, run the build.sh script in the distribution.
Compilation requires the C++ development libraries to be installed.
Tunnelcheck is known to compile on Linux and FreeBSD, but should also
compile and run on other platforms such as Solaris. Tunnelcheck runs on
both little-endian and big-endian machines.

Using tunnelcheck
-----------------

1. Prerequisites

Because the spoofing techniques need raw sockets, you must be root to run
tunnelcheck.

Some of the techniques used by tunnelcheck require a reference IPv6 address.
This address must be globally routed or, at a minimum, reachable from the
tunnel endpoints. The reference IPv6 address may be given on the command
line with the -h parameter or in the file /etc/tunnelcheck.ip.

As stated above, tunnelcheck also requires a 6bone registry dump in the file
/etc/6bone.db or in the directory where tunnelcheck is installed.
You may run multiple instances of tunnelcheck in parallel, since each one
recognizes its own spoofed packets.

2. Usage

Tunnelcheck's syntax is the following:

  tunnelcheck [ -h <reference IPv6> ] [ -v ] <source> <dest>

where <source> and <dest> are IPv4 addresses or hostnames. Tunnelcheck exits
with an error if <source> or <dest> is not a valid IPv4 address or a
resolvable hostname, or if the reference IPv6 is not a valid IPv6 address.

The -v option produces a machine-parseable one-line output that shows in
detail which techniques worked.

Output format
-------------

The output format of tunnelcheck is the following:

  # tunnelcheck <source> <dest>
  source_host(source_IPv4) -> dest_host(dest_IPv4) source_IPv6 -> dest_IPv6 ; CONFIDENCE X/10

If none of the techniques worked, tunnelcheck outputs a confidence value of
zero and one or both of the IPv6 addresses are shown as "unknown".

Credits
-------

Tunnelcheck was developed as part of Davide De Micco's master's thesis, in
collaboration with the Computer Networks research group at Roma Tre
University.

Contributors:

  Davide De Micco
  Lorenzo Colitti
  Giuseppe Di Battista
  Emanuele Conti
  Maurizio Patrignani
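The scoring rules from "How confidence values are calculated" and the output line from "Output format", as an added example in Python. This is not tunnelcheck's own code; the point values are the ones in the table above, while the result record and the function names are this example's own. One reading of the table is also an assumption here: a Ping Pong success counts one point for an endpoint that Dying Packet did not already resolve, and address points never exceed two (one per endpoint).

```python
from dataclasses import dataclass


@dataclass
class TechniqueResults:
    """Outcome of each technique for one (source, dest) pair.
    Record layout is this example's own, not tunnelcheck's."""
    injected_ping_endpoints: int = 0   # 0, 1 or 2 endpoints accepted the Injected Ping
    dying_packet_endpoints: int = 0    # endpoints whose IPv6 address Dying Packet revealed
    ping_pong_endpoints: int = 0       # endpoints whose IPv6 address Ping Pong revealed
    dns_aaaa_found: bool = False       # AAAA record found for an endpoint hostname
    registry_entry_found: bool = False # matching entry found in the 6bone registry dump


def confidence(r: TechniqueResults) -> int:
    """Sum the points of the README table; the result lies in 0..10."""
    points = {1: 5, 2: 7}.get(r.injected_ping_endpoints, 0)
    # One point per endpoint address learnt. Dying Packet counts first; Ping Pong
    # (assumption of this example) only fills in endpoints Dying Packet missed.
    addresses = min(2, r.dying_packet_endpoints
                    + min(r.ping_pong_endpoints, 2 - r.dying_packet_endpoints))
    spoofing_points = points + addresses
    if spoofing_points > 0:
        # Spoofing succeeded: the registry adds a single point, DNS adds nothing.
        return spoofing_points + (1 if r.registry_entry_found else 0)
    # No spoofing evidence: fall back to the weaker, passive sources.
    return (1 if r.dns_aaaa_found else 0) + (4 if r.registry_entry_found else 0)


def verdict_line(src_host, src4, dst_host, dst4, src6, dst6, r: TechniqueResults) -> str:
    """Render the README's output line; an unresolved IPv6 address prints as "unknown"."""
    return "%s(%s) -> %s(%s) %s -> %s ; CONFIDENCE %d/10" % (
        src_host, src4, dst_host, dst4,
        src6 or "unknown", dst6 or "unknown", confidence(r))


if __name__ == "__main__":
    # Constructed results: every spoofing probe worked and the registry agrees.
    full = TechniqueResults(injected_ping_endpoints=2, dying_packet_endpoints=2,
                            registry_entry_found=True)
    print(verdict_line("a.example", "192.0.2.1", "b.example", "198.51.100.2",
                       "2001:db8::1", "2001:db8::2", full))
```

The branch on spoofing_points is the part worth noticing when reading tunnelcheck output: a 5/10 can mean "one endpoint accepted an injected packet" (strong, active evidence) or "DNS and the registry both say a tunnel should exist" (passive evidence only), and -v is what tells the two apart.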