OpenVAS Change Request #27: IPv6 support
Votes: +10. Done. Released with openvas-libraries and openvas-scanner 3.0.0.
Purpose
To introduce IPv6 support into OpenVAS
References
IPv6 and a text about OpenVAS on InternetNews
Rationale
In the current version, OpenVAS only supports the IPv4 protocol. IPv4 is still the dominant protocol on the Internet, but its problems have long been known, e.g. the shortage of addresses, and a subset of those problems is expected to be solved by its successor, IPv6. IPv6 is now supported on all major operating systems, network devices and applications, and IPv6 deployment is growing slowly but steadily. This means that OpenVAS, in order to remain a viable solution for security testing, has to be extended to support IPv6.
More specifically, supporting IPv6 in OpenVAS means at least the following:
- It means that you can enter IPv6 address(es) in the OpenVAS client, and the hosts with those addresses are then scanned.
- It means that when you enter a hostname (or FQDN) which resolves to an IPv6 address, this address will be used.
Effects
The code changes will not impact any existing functionality. They will allow existing checks to be used over the IPv6 network. Additionally, it will be possible to write new tests specialized for IPv6 weaknesses.
Design and Implementation
The following changes will be necessary:
- Much of the core socket code currently used in OpenVAS is specific to IPv4 and has to be changed.
- There is code in OpenVAS for forging IP packets. This code has to be enhanced to know how to construct IPv6 packets.
- The NASL language has to be enhanced to accept IPv6 addresses, and potentially IPv6-specific extensions.
Specifically, the following modules will undergo changes:
- openvas-libnasl:
  - capture_packet.c - used by packet forgery
  - nasl_packet_forgery.c - all functions need to be changed, and additional functions for IPv6 are needed
  - nasl.c - command line tool
  - nasl_host.c - deals with the remote host
  - nasl_socket.c - the include file structures
- openvas-libraries:
  - ids_send.c - IDS evasion techniques
  - network.c
  - pcap.c
  - resolve.c
  - www_funcs.c
  - Host Gatherer module
- openvas-server:
  - openvasd.c
- openvas-client:
  - network.c
  - system.c
  - resolv.c
  The above modules are copies of modules in openvas-libraries; the changes will be common. Additionally, openvas-client has the following modules that would need changes:
  - prefs_dialog modules, to validate various user inputs
  - nessus.c
  - parser.c
  - attack.c
The proposed development steps are:
- Phase I: Allow IPv6 addresses to be entered by the user, even though they are not yet used, i.e. when the user enters an IPv6 address it is ignored with an appropriate warning or error message.
- Phase II: Refactor the current IPv4-specific code into a separate module and/or functions.
- Phase III: Extend this refactored code so that it transparently supports IPv6 in addition to IPv4.
- Phase IV: Add the code to handle raw IPv6 packets.
- Phase V: Update the OpenVAS compendium, documenting the IPv6 support and the design overview.
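As an added example (not OpenVAS code), the following C program shows what the Phase I input validation and the Phase II/III socket refactoring look like at the level of a single helper: the IPv4-only pattern (struct sockaddr_in, gethostbyname(), inet_ntoa(), socket(AF_INET, ...)) is replaced by struct sockaddr_storage, getaddrinfo() with AF_UNSPEC and inet_ntop(), so one code path handles both families. The function names, the target_kind enum and the sample inputs are assumptions constructed for this example; 192.0.2.0/24 and 2001:db8::/32 are the reserved documentation address ranges.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* prototypes for getaddrinfo()/inet_pton() */
#endif
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result of the client-side input check (Phase I): decide
 * what the user typed before any network activity happens. */
enum target_kind { TARGET_INVALID = 0, TARGET_IPV4, TARGET_IPV6, TARGET_HOSTNAME };

enum target_kind classify_target(const char *s)
{
    struct in_addr v4;
    struct in6_addr v6;
    if (s == NULL || *s == '\0')
        return TARGET_INVALID;
    if (inet_pton(AF_INET, s, &v4) == 1)
        return TARGET_IPV4;
    if (inet_pton(AF_INET6, s, &v6) == 1)      /* also accepts ::ffff:a.b.c.d */
        return TARGET_IPV6;
    /* Crude hostname check: only letters, digits, '-' and '.' are accepted,
     * so whitespace or shell metacharacters never reach the resolver. */
    for (const char *p = s; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return TARGET_INVALID;
    return TARGET_HOSTNAME;
}

/* Phase II/III replacement for "struct sockaddr_in + gethostbyname()":
 * sockaddr_storage fits either family, and getaddrinfo() with AF_UNSPEC
 * returns whatever the literal or name maps to (an AAAA record included).
 * Returns AF_INET or AF_INET6 on success, -1 on failure. */
int resolve_target(const char *s, struct sockaddr_storage *out, socklen_t *out_len)
{
    struct addrinfo hints, *res = NULL;
    enum target_kind kind = classify_target(s);
    int family;
    if (kind == TARGET_INVALID)
        return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;              /* the line that makes this dual-stack */
    hints.ai_socktype = SOCK_STREAM;
    if (kind != TARGET_HOSTNAME)
        hints.ai_flags = AI_NUMERICHOST;      /* literal address: never touch DNS */
    if (getaddrinfo(s, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    memcpy(out, res->ai_addr, res->ai_addrlen);
    *out_len = res->ai_addrlen;
    family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

/* Render an address back to text for either family; replaces inet_ntoa(). */
int format_target(const struct sockaddr_storage *sa, char *buf, size_t buflen)
{
    const void *src;
    if (sa->ss_family == AF_INET)
        src = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->ss_family == AF_INET6)
        src = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else
        return -1;
    return inet_ntop(sa->ss_family, src, buf, (socklen_t)buflen) ? 0 : -1;
}

/* Resolve and re-render in one step. Returns the canonical text form in a
 * static buffer (NULL on failure) and stores the family if requested. */
const char *canonical_form(const char *s, int *family_out)
{
    static char buf[INET6_ADDRSTRLEN];
    struct sockaddr_storage ss;
    socklen_t len;
    int family = resolve_target(s, &ss, &len);
    if (family < 0 || format_target(&ss, buf, sizeof buf) != 0)
        return NULL;
    if (family_out)
        *family_out = family;
    return buf;
}

/* socket() takes its family from the resolved address instead of a
 * hard-coded AF_INET. Returns a connected fd or -1. */
int connect_target(const struct sockaddr_storage *sa, socklen_t len, unsigned short port)
{
    struct sockaddr_storage copy;
    memcpy(&copy, sa, sizeof copy);
    if (copy.ss_family == AF_INET)
        ((struct sockaddr_in *)&copy)->sin_port = htons(port);
    else if (copy.ss_family == AF_INET6)
        ((struct sockaddr_in6 *)&copy)->sin6_port = htons(port);
    else
        return -1;
    int fd = socket(copy.ss_family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&copy, len) != 0) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    /* Constructed sample inputs; hostnames are only classified, not resolved. */
    const char *literals[] = { "192.0.2.10", "2001:DB8::1", "::ffff:192.0.2.10", "bad input!" };
    for (size_t i = 0; i < sizeof literals / sizeof literals[0]; i++) {
        const char *canon = canonical_form(literals[i], NULL);
        printf("%-20s kind=%d canonical=%s\n", literals[i], classify_target(literals[i]),
               canon ? canon : "(rejected)");
    }
    printf("scanner.example      kind=%d\n", classify_target("scanner.example"));
    return 0;
}
```

Note that classify_target() alone is what Phase I needs: the client can accept an IPv6 literal and report that it is not yet supported, while resolve_target() and connect_target() are the pieces that later make the scanner side family-agnostic. inet_ntop() also normalises the text form, so "2001:DB8::1" comes back as "2001:db8::1", which is useful when de-duplicating target lists.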
History
- 2009-01-06 Stjepan Gros <sgros.ml@gmail.com>: Initial text.
- 2009-01-08 Chandrashekhar B <bchandra@secpod.com>: Updated module level details.
- 2009-01-13 Chandrashekhar B <bchandra@secpod.com>: Updated openvas-client modules.
- 2010-01-06 Felix Wolfsteller <felix.wolfsteller@intevation.de>: Updated status as done.