Monitoring IPv4 vs IPv6 Traffic

ipv6network-monitoring

We have a fully functional dual-stack network running in our business. Has anyone found a simple tool for monitoring IPv4 vs IPv6 traffic ratios on a given host? When I say "simple" I'm thinking a daemon/service similar to 'vnstat'

A perfect report in it's simplest form would look something like this:

                 Total     IPv4          IPv6          Ratio
This Month:      300gb     100gb (33%)   200gb (66%)   1:2
This Week:       5gb       1gb (20%)     4gb (80%)     1:4
Today:           1.2gb     400mb (33%)   800mb (66%)   1:2

Forgive me if any of my maths is wrong, that's why I want a tool 😉

I'm primarily interested in Linux (CentOS 6) hosts, but any Windows (2008R2) tools would be useful too.

I found a thread suggesting netstat -s -6 | grep -i octets but the -6 option is invalid on CentOS 6; I'm guessing it's a recent addition to netstat.

Best Answer

I'm already doing this, and have been for some time, using munin and a custom plugin I wrote myself, which gets data from iptables audit rules. It's running on a C6 box so you should be able to fork-lift it into place if no-one has any better ideas. It's not the simple one-liner you wanted, but it's working, and produces data like these:

munin graph of network throughput

The plugin is simple enough, it just takes data from two flat files created in /var/tmp:

#!/bin/bash
#
# (c) Gatekeeper Technology Ltd., 2013
# May be used under the terms of GPLv3 or, at your discretion, any later version

if [ "$1" = "config" ]; then

    echo 'graph_title Network Throughput'
    echo 'graph_category network'
    echo 'graph_info This is the total throughput on the NIC since the beginning of the calendar month, or the last reboot, whichever was mo
st recent.'
    echo 'graph_vlabel bytes'
    echo 'graph_args --logarithmic'
    echo 'in4.label       in v4'
    echo 'in4.colour      ff0000'
    echo 'out4.label      out v4'
    echo 'out4.colour     00ff00'
    echo 'in6.label       in v6'
    echo 'in6.colour      aa0088'
    echo 'out6.label      out v6'
    echo 'out6.colour     00aa88'
    echo 'total.label     total'
    echo 'total.colour    0000ff'
    exit 0
fi

out=`head -3 /var/tmp/audit.out.counts | tail -1 | awk '{print $2}'`
echo "out4.value $out"
in=`head -3 /var/tmp/audit.in.counts | tail -1 | awk '{print $2}'`
echo "in4.value $in"

out6=`head -3 /var/tmp/audit.out.v6.counts | tail -1 | awk '{print $2}'`
echo "out6.value $out6"
in6=`head -3 /var/tmp/audit.in.v6.counts | tail -1 | awk '{print $2}'`
echo "in6.value $in6"

total=$(($in+$out+$in6+$out6))
echo "total.value $total"

The crontab entry that makes them looks like this:

# output the audit rule counts for munin purposes
* * * * *  /sbin/iptables  -L AUDIT-I -n -x -v > /var/tmp/audit.in.counts
* * * * *  /sbin/iptables  -L AUDIT-O -n -x -v > /var/tmp/audit.out.counts
* * * * *  /sbin/ip6tables -L AUDIT-I -n -x -v > /var/tmp/audit.in.v6.counts
* * * * *  /sbin/ip6tables -L AUDIT-O -n -x -v > /var/tmp/audit.out.v6.counts
# and zero the counts once a month
0 0 1 * *  /sbin/iptables  -Z AUDIT-I
0 0 1 * *  /sbin/iptables  -Z AUDIT-O
0 0 1 * *  /sbin/ip6tables -Z AUDIT-I
0 0 1 * *  /sbin/ip6tables -Z AUDIT-O

and the iptables rules are made with the following /etc/sysconfig/iptables rules:

:AUDIT-I - [0:0]
:AUDIT-O - [0:0]
# audit input traffic
-A INPUT -i eth0 -j AUDIT-I
 [ALL OTHER INPUT RULES APPEAR HERE, AFTER THE AUDIT RULE]
# audit outbound traffic
-A OUTPUT -o eth0 -j AUDIT-O
 [ALL OTHER OUTPUT RULES APPEAR HERE, AFTER THE AUDIT RULE]
# AUDIT rules
-A AUDIT-I -p all
-A AUDIT-O -p all

The reason crontab is involved is to stop the munin plugin needing to run with root privileges; if you didn't mind it doing that, you could have the plugin get the packet counts directly, by invoking iptables itself.

The counts don't survive a reboot (hence the extra drop down to zero in the graph above), but if you have your server set up to save iptables rules and packet counts on reboot, this wouldn't affect you.

Related Solutions

IPv6 – Equivalent to IPv4 RFC1918 Addresses

The "Unique Local Address" is exactly what you're looking for. fc00::/7 gives you enough bits that if you generate a random number instead of just picking one the chances of collision are small.

Does this mean I'll need extra protections so my router would not automatically start advertising these private IPv6 addresses to the world?

The RFC that covers these ULAs (RFC4193) specifically states that these numbers should not be routed on the internet, though two peers may mutually agree to pass certain prefixes. Unless Comcast decides to unilaterally route these (unlikely in the extreme) you should have no worries about route advertisement.

Assuming I will never, ever, tie that IPv6 address into the real internet (a router will NAT & firewall it), can I ignore the RFC to an extent and go with fc00::4:0/120?

Don't assume that. For instance, Comcast is currently doing IPv6 trials and they're passing out /64's to end-users (slide 5); not just the single address they're doing with IPv4. This means that their now-running IPv6 testers have the option of running with globally routeable addresses, but firewalled by their router, or do some kind of NAT with either link-local or unique-global-addresses.

However, running without any kind of address translation is not as insane as it sounds. Keep in mind a few points.

Comcast is handing out a /64 subnet to you, so your attacker already knows what your IP space looks like.
A /64 provides a mind bogglingly huge number of potential addresses. 2^64 worth! That's four billion IPv4 Internet's worth of IP addresses. (2^64 == 2^32 * 2^32. Four billion times four billion .) While the nature of IPv6 autoprovisioning reduces the actual number of addresses that need scanning, scanning it is still infeasible.
Unless you set up your own domain to provide it, Comcast will not be providing forward or reverse DNS lookups to your /64-worth of IP addresses. This greatly reduces the ability of attackers to recon your network.
Running without NAT makes certain network problems easier, and certainly makes undesirable but very popular peer-to-peer technologies (you know what I'm talking about) a lot easier to get up and running.

Running without a firewall is still just as insane as it sounds, though. Happily, you can do firewalling without having to NAT.

Second question, what's this link-local thing?

Think of it as able to reach anything in the current broadcast domain, and can not be routed. Like NetBEUI-of-old. In fact, if your home network is completely flat you can use these addresses instead of Unique Local Addresses.

Third question, what is scope id for?

It's used for two different things, which makes it annoying to describe:

Thing 1: Multicast. It defines how far the multicast packet is intended to reach.

Thing 2: (What I think you're referring to) This is used on a URI as a way of defining which interface to use. It's used primarily with link-local addresses. It should never be used in conjunction with CIDR notation, so the two syntaxes should never be combined.

Linux – How to disable IPv4-mapped IPv6

This is controlled by the net.ipv6.bindv6only sysctl. Add the following to /etc/sysctl.conf and run sudo sysctl -p to effect the change.

net.ipv6.bindv6only=1

Applications can also explicitly only bind to the IPv6 address instead of changing this globally, for example, nginx has the ipv6only option to the listen directive. This corresponds to the IPV6_V6ONLY option to setsockopt().

Best Answer

Related Solutions

IPv6 – Equivalent to IPv4 RFC1918 Addresses

Linux – How to disable IPv4-mapped IPv6

Related Topic