SR-Snort: IPv6 Segment Routing Aware IDS/IPS

Service Function Chaining (SFC) allows the delivery of advanced end-to-end services composed of one or more network functions. IPv6 Segment Routing (SRv6) is a network architecture based on source routing, where a list of segments is attached to packets to enforce different path from the shortest one. SRv6 supports SFC by assigning each network function a segment and combining these segments into a segment list. In order to fully leverage the SRv6 network programming capabilities, network functions are required to be SR-aware. In this paper, we present our implementation of SR-Snort, a SR-aware intrusion detection system (IDS) and intrusion prevention system (IPS). We extended the open-source implementation of Snort, so it can apply the configured rules to the inner packet of SR traffic. SR-Snort can handle both inner IPv4 and inner IPv6 traffic. It can work in either IDS or IPS mode.