extend in_private_net to check for unique local addresses in IPv6

src/main/java/org/graylog/plugins/threatintel/functions/misc/PrivateNetLookupFunction.java

@@ -39,7 +39,7 @@ public class PrivateNetLookupFunction extends AbstractFunction<Boolean> {
     public static final String NAME = "in_private_net";
     private static final String VALUE = "ip_address";
 
-    private final ParameterDescriptor<String, String> valueParam = ParameterDescriptor.string(VALUE).description("The IPv4 address to look up.").build();
+    private final ParameterDescriptor<String, String> valueParam = ParameterDescriptor.string(VALUE).description("The IP address to look up.").build();
 
     protected Timer lookupTime;
 
@@ -75,7 +75,7 @@ public Boolean evaluate(FunctionArgs args, EvaluationContext context) {
     public FunctionDescriptor<Boolean> descriptor() {
         return FunctionDescriptor.<Boolean>builder()
                 .name(NAME)
-                .description("Check if an IPv4 address is in a private network as defined in RFC 1918. (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)")
+                .description("Check if an IP address is in a private network as defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or RFC 4193 (fc00::/7)")
                 .params(valueParam)
                 .returnType(Boolean.class)
                 .build();

src/main/java/org/graylog/plugins/threatintel/tools/PrivateNet.java

@@ -17,23 +17,37 @@
 package org.graylog.plugins.threatintel.tools;
 
 import com.google.common.net.InetAddresses;
+import org.jboss.netty.handler.ipfilter.CIDR;
 
 import java.net.Inet6Address;
 import java.net.InetAddress;
+import java.net.UnknownHostException;
 
 public class PrivateNet {
 
+    private static CIDR UNIQUE_LOCAL_ADDR_MASK = null;
+    static {
+        try {
+            // RFC 4193: https://tools.ietf.org/html/rfc4193#section-3.1
+            UNIQUE_LOCAL_ADDR_MASK = CIDR.newCIDR("FC00::/7");
+        } catch (UnknownHostException ignored) {
+        }
+
+    }
    /**
-     * Checks if an IPv4 address is part of a private network as defined in RFC 1918. This ignores IPv6 addresses for now and always returns false for them.
+     * Checks if an IP address is part of a private network as defined in RFC 1918 (for IPv4) and RFC 4193 (for IPv6).
+    *
      *
-     * @param ip The IPv4 address to check
+     * @param ip The IP address to check
      * @return
      */
     public static boolean isInPrivateAddressSpace(String ip) {
         InetAddress inetAddress = InetAddresses.forString(ip);
         if (inetAddress instanceof Inet6Address) {
-            // we don't deal with IPv6 unique local addresses currently.
-            return false;
+            // Inet6Address#isSiteLocalAddress is wrong: it only checks for FEC0:: prefixes, which is deprecated in RFC 3879
+            // instead we need to check for unique local addresses, which are in FC00::/7 (in practice assigned are in FD00::/8,
+            // but the RFC allows others in the future)
+            return UNIQUE_LOCAL_ADDR_MASK.contains(inetAddress);
         }
         return inetAddress.isSiteLocalAddress();
     }

src/test/java/org/graylog/plugins/threatintel/tools/PrivateNetTest.java

@@ -29,6 +29,7 @@ public void testIsInPrivateAddressSpace() throws Exception {
         assertTrue(PrivateNet.isInPrivateAddressSpace("192.168.1.1"));
         assertFalse(PrivateNet.isInPrivateAddressSpace("99.42.44.219"));
         assertFalse(PrivateNet.isInPrivateAddressSpace("ff02:0:0:0:0:0:0:fb"));
+        assertTrue(PrivateNet.isInPrivateAddressSpace("fd80:0:0:0:0:0:0:fb"));
         assertThrows(IllegalArgumentException.class, () -> PrivateNet.isInPrivateAddressSpace("this is not an IP address"));
     }