Highlights

  • Integrated cyber attack analysis platform "NIRVANA Kai" newly supports IPv6 and enhances its functions.
  • Observation of IPv6 communications, collection of IPv6-related alerts, and real-time visualization of IPv6 networks
  • Expected to simplify security operations in IPv6 networks.

Abstract

The Cybersecurity Laboratory of the National Institute of Information and Communications Technology (NICT, President: TOKUDA Hideyuki, Ph.D.) has enhanced its integrated cyber attack analysis platform "NIRVANA Kai" to support Internet Protocol version 6 (IPv6), the successor to IPv4. For the first time in the world, NIRVANA Kai has succeeded in real-time visualization of packets flowing in the vast IPv6 address space. Until now, NIRVANA Kai could observe and analyze only IPv4 communications. With the new support for IPv6 communications, it is expected to be useful for security measures across more diverse and extensive networks.
 
Figure 1 Visualization of IPv6 address space by NIRVANA Kai for IPv6
Each orange panel, lined up horizontally and vertically, represents an active IP address block where IPv6 communication has been observed (/16 in this figure). The light blue triangular pyramid objects represent IPv6 packets, and flexible visualization settings such as real-time display of each packet and filtering by IP address/port number are available.

Achievements

NIRVANA Kai has been enhanced to support IPv6 in all parts of the system (communication observation, alert collection, visualization, etc.). In particular, the visualization component efficiently visualizes the vast IPv6 address space by dynamically adding active IP address blocks where communication has been observed (see Figures 1 to 4). In addition, a new indicator improves the visibility of the current position in the hierarchical structure of the IPv6 address space (see the rightmost part of Figure 2). Furthermore, IPv6-related alert information issued by security appliances is also supported, and filtering by IPv6 address is now possible (see Figure 2).
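The following is an added illustration, not NICT's code: one way to track only the address blocks where traffic has been observed, add a block the first time a packet falls into it, and report the per-level block counts that the indicator displays. The class and function names, the intermediate /32 level, and the sample addresses are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Hierarchy levels: /0, /16 and /48 appear in the figures; /32 is an assumed middle level.
LEVELS = (0, 16, 32, 48)

class ActiveBlockIndex:
    """Keeps only IPv6 blocks where traffic was seen, never the full address space."""

    def __init__(self, levels=LEVELS):
        self.levels = tuple(sorted(levels))
        self.blocks = {lvl: Counter() for lvl in self.levels}  # level -> {network: packets}
        self.rejected = 0

    def observe(self, src):
        """Count one packet; return the blocks that became active because of it."""
        try:
            addr = ipaddress.IPv6Address(src)
        except ValueError:  # IPv4 or malformed input: count it, add no panel
            self.rejected += 1
            return []
        added = []
        for lvl in self.levels:
            net = ipaddress.IPv6Network((addr, lvl), strict=False)
            if net not in self.blocks[lvl]:
                added.append(net)
            self.blocks[lvl][net] += 1
        return added

    def indicator(self):
        """Number of active blocks per level, like the side indicator in Figure 2."""
        return {lvl: len(self.blocks[lvl]) for lvl in self.levels}

    def children(self, parent):
        """Active blocks one level below `parent`, sorted for stable panel order."""
        parent = ipaddress.IPv6Network(parent)
        deeper = [l for l in self.levels if l > parent.prefixlen]
        if not deeper:
            return []
        return sorted(n for n in self.blocks[deeper[0]] if n.subnet_of(parent))

# Constructed sample source addresses (not captured traffic).
SAMPLE = ["2001:db8:1::10", "2001:db8:1::20", "2001:db8:2::1",
          "2001:0:5d7a::1", "fe80::1", "192.0.2.1"]

def replay(sources=SAMPLE):
    """Feed the sources through a fresh index; return it with per-packet new blocks."""
    index = ActiveBlockIndex()
    events = [(src, [str(n) for n in index.observe(src)]) for src in sources]
    return index, events
```

Memory grows with the number of blocks actually seen rather than with the size of the address space, which is what makes a per-level view of IPv6 tractable.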
 
Figure 2 Overview of IPv6 address space and indicators
The center group of panels shows a panoramic view of the IPv6 address space (/0), and the hexagonal icons indicate alerts issued by security appliances. The indicator on the right side of the screen shows the current position in the hierarchical structure of the IPv6 space (red arrow) and the number of address blocks contained in each level.
Figure 3 Dynamic addition of IP address blocks
When communication from a new IP address is observed in a segment, the IP address block containing the address is dynamically added. In this figure, the panel 2001:0:5d7a::/48 is added with a rotating motion. The added panels can be sorted automatically.
Figure 4 IPv6 communication of the NICT time server
This figure visualizes the IPv6 communication of the time server (ntp.nict.jp) operated by NICT. A large number of UDP packets (red) from a wide range of source IP addresses can be seen traveling to and from the two IPv6 addresses.

Future Prospects

With NIRVANA Kai supporting IPv6 communication, the application range of the system will be significantly expanded, and security operations in IPv6 networks will be simplified.

Technical Contact

INOUE Daisuke
SUZUKI Koei
HIRATA Mayumi
Cybersecurity Laboratory
Cybersecurity Research Institute

E-mail: nicter_atmark_ml.nict.go.jp

Media Contact

Press Office
Public Relations Department

E-mail: publicity_atmark_nict.go.jp