EnglishFrenchSpanish

Ad


OnWorks favicon

flow6 - Online in the Cloud

Run flow6 in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command flow6 that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

PROGRAM:

NAME


flow6 - A security assessment tool for the IPv6 Flow Label field

SYNOPSIS


flow6 [-i INTERFACE] -d DST_ADDR [-S LINK_SRC_ADDR] [-D LINK_DST_ADDR] [-s SRC_ADDR[/LEN]]
[-A HOP_LIMIT] [-P PROTOCOL] [-p PORT] [-W] [-v] [-h]

DESCRIPTION


flow6 performs a security assessment of the Flow Label generation policy of a target node.
It is part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for the IPv6
protocols.

flow6 sends a number of probe packets to the target node, and samples the Flow Label
values of the corresponding response packets. Based on the sampled values, it tries to
infer the Flow Label generation policy of the target.

The tool will first send a number of probe packets from single IPv6 address, such that the
per-destination policy is determined. The tool will then send probe packets from random
IPv6 addresses (from the same prefix as the first probes) such that the "global" Flow
Label generation policy can be determined.

The tool computes the expected value and the standard deviation of the difference between
consecutive-sampled Flow Label values (Labeln - Labeln-1) with the intent of inferring the
Flow Label generation algorithm of the target node.

If the standard deviation of [Labeln - Labeln-1] is 0, the Flow Label is assumed to be set
to a constant value, and the corresponding value is informed to the user. For small values
of the standard deviation, the Flow Label is assumed to be a monotonically-increasing
function with increments of the "expected value", and such "expected value" together with
the standard deviation, are informed to the user. For large values of the standard
deviation, the Flow Label is assumed to be randomized, and the expected value and standard
deviation are informed to the user, as indicators of the "quality" of the Flow Label
generation algorithm.

OPTIONS


flow6 takes it parameters as command-line options. Each of the options can be specified
with a short name (one character preceded with the hyphen character, as e.g. "-i") or with
a long name (a string preceded with two hyphen characters, as e.g. "--interface").

-i INTERFACE, --interface INTERFACE
This option specifies the network interface that the tool will use. If the
destination address ("-d" option) is a link-local address, the interface must be
explicitly specified. The interface may also be specified alon with a destination
address, with the "-d" option.

-s SRC_ADDR, --src-address SRC_ADDR

This option specifies the IPv6 source address (or IPv6 prefix) to be used for the
Source Address of the probe packets. If an IPv6 prefix is specified, the IPv6
Source Address of the ICMPv6 packets will be randomized from that prefix.

-d DST_ADDR, --dst-address DST_ADDR

This option specifies the IPv6 Destination Address of the target node. This option
cannot be left unspecified.

-A HOP_LIMIT, --hop-limit HOP_LIMIT

This option specifies the Hop Limit to be used for the IPv6 packets. By default,
the Hop Limit is randomized.

-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

This option specifies the link-layer Source Address of the probe packets
(currently, only Ethernet is supported). If left unspecified, the link-layer Source
Address of the packets is set to the real link-layer address of the network
interface.

-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

This option specifies the link-layer Destination Address of the probe packets
(currently, only Ethernet is supported). By default, the link-layer Destination
Address is automatically set to the link-layer address of the destination host (for
on-link destinations) or to the link-layer address of the first-hop router.

-P PROTOCOL, --protocol PROTOCOL

This option specifies the protocol type of the probe packets. Currently, both "UDP"
and "TCP" are supported. If this option is left unspecified, the protocol type
defaults to "TCP".

-p PORT, --dst-port PORT

This option specifies the Destination Port of the probe packets. If left
unspecified, the Destination Port defaults to "80" when the IPv6 payload is TCP,
and to 53 if the IPv6 payload is UDP.

Note: Since it is vital for the tool to receive response packets to be able to
infer the Flow Label algorithm of the target, the protocol type and Destination
Port should be carefully selected (i.e., the corresponding protocol and Destination
Port should not be filter, and the target should respond to packets sent to that
protocol/port).

-W, --flow-label-policy
This option instructs the tool to determine the Flow Label generation policy. As of
this version of the tool, this option must be specified.

-v, --verbose

This option instructs the flow6 tool to be verbose. If this option is set twice,
the tool is "very verbose", and outputs the sampled Flow Label values (in addition
to other information).

-h, --help

Print help information for the flow6 tool.

EXAMPLES


The following sections illustrate typical use cases of the flow6 tool.

Example #1

# flow6 -i eth0 --flow-label-policy -d fe80::1 -v

Assess the Flow Label generation policy of the host "fe80::1", using the network interface
"eth0". Probe packets are TCP segments directed to port 80 (default). Be verbose. In this
example, since the IPv6 destination address is a link-local address, the network interface
ccard must be explicitly specified.

Example #2

# flow6 -d 2001:db8::1 --flow-label-policy -P TCP -p 22 -vv

Assess the Flow Label generation policy of the host "2001:db8::1". Probe packets are TCP
segments directed to port 22. Be very verbose (i.e., list the sampled Flow Label values).

Use flow6 online using onworks.net services


Free Servers & Workstations

Download Windows & Linux apps

Linux commands

Ad