IPv6 (cont.) · 2019-09-30

Post on 10-May-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

IPv6 (cont.)

Example: IPv6 Next Header

Extension Headers:

Page 2

IPv6 (cont.)

Example: IPv6 Next Header Codes

Page 3

IPv6 (cont.)

Example: IPv6 Extension Headers (cont.)

(e.g., router alert)

Page 4

(and routers in Routing option)

Page 5

IPv6 (cont.)

Example: IPv6 Extension Headers (cont.)

Page 6

IPv6 Addressing

• IPv4 address = 32-bit sequence; typically represented in dotted decimal notation, which is easier for humans to remember

• IPv6 address = 128-bit sequence; hard for humans to remember regardless of representation; typically represented in colon hexadecimal notation (8 16-bit blocks), which is easier to convert to binary than decimal

[figure label: 16-bit block]

Page 7

IPv6 Addressing (cont.)

Example: Converting between binary and hexadecimal

Page 8

IPv6 Addressing (cont.)

• IPv6 Address Compression Rules

Rule 1: Zero Suppression – leading zeros in any 16-bit segment can be omitted

Rule 2: Zero Compression – a contiguous sequence of 16-bit blocks set to 0 can be compressed to a double colon (::)

→ only a single contiguous string of all-zero segments can be represented with a double colon!

https://www.slideshare.net/NadiaBENCHIKHA/ipv6-foundations
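The two rules and the single-'::' restriction in working form, as an added example that is not part of the slides: `expand_ipv6` undoes both rules and rejects a second '::' as ambiguous, and `compress_ipv6` produces the RFC 5952 canonical text (Rule 1 everywhere, Rule 2 once, on the longest zero run, never for a lone zero block). Standard-library Python only; the sample addresses are constructed.

```python
import re

HEX_BLOCK = re.compile(r"^[0-9a-fA-F]{1,4}$")  # one 16-bit block; leading zeros optional (Rule 1)


def expand_ipv6(addr: str) -> list[int]:
    """Undo both compression rules; return the eight 16-bit blocks or raise ValueError."""
    if addr.count("::") > 1:
        raise ValueError("more than one '::' is ambiguous: which run was zero?")
    head, sep, tail = addr.partition("::")
    head_blocks = head.split(":") if head else []
    tail_blocks = tail.split(":") if tail else []
    for b in head_blocks + tail_blocks:
        if not HEX_BLOCK.match(b):
            raise ValueError(f"bad 16-bit block: {b!r}")
    if sep:  # Rule 2 in reverse: '::' stands for the blocks that are missing
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        head_blocks += ["0"] * missing
    blocks = head_blocks + tail_blocks
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit blocks")
    return [int(b, 16) for b in blocks]


def compress_ipv6(blocks: list[int]) -> str:
    """RFC 5952 text form: Rule 1 on every block, Rule 2 once, on the longest zero run."""
    best = (0, 0)  # (run length, -start): longest run wins, earliest run on a tie
    i = 0
    while i < 8:
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best[0]:
            best = (j - i, -i)
        i = max(j, i + 1)
    hexed = [format(b, "x") for b in blocks]  # Rule 1: lowercase, no leading zeros
    if best[0] < 2:  # RFC 5952 4.2.2: '::' is not used for a single zero block
        return ":".join(hexed)
    start = -best[1]
    return ":".join(hexed[:start]) + "::" + ":".join(hexed[start + best[0]:])


def is_valid_ipv6(addr: str) -> bool:
    """True when the text is a well-formed (possibly compressed) IPv6 address."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False
```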

Page 9

IPv6 Addressing (cont.)

Example: Shortening in IPv6 address space

Page 10

IPv6 Addressing (cont.)

Example: Shortening in IPv6 address space

https://www.slideshare.net/NadiaBENCHIKHA/ipv6-foundations

Page 11

IPv6 Addressing (cont.)

Example: Shortening in IPv6 address space (cont.)

https://www.slideshare.net/NadiaBENCHIKHA/ipv6-foundations

Page 12

IPv6 Addressing (cont.)

Example: Shortening in IPv6 space examples

Page 13

IPv6 Addressing (cont.)

• IPv6 Address Structure

Can be a privacy problem!!!

Page 14

IPv6 Addressing (cont.)

• IPv6 Address Categories

https://kasiviswanathanblog.wordpress.com/2017/03/18/ipv6-address-types-and-the-rest/

Page 15

IPv6 Addressing (cont.)

http://www.steves-internet-guide.com/ipv6-guide/

Page 16

IPv6 Addressing (cont.)

Page 17

IPv6 Addressing (cont.)

Example: IPv6 anycast

https://www.netactuate.com/anycast/anycast-for-ipv6/

Anycast is a type of IPv6 network communication in which IPv6 datagrams from a source are routed to the nearest device (in terms of routing distance) out of a group of servers that provide the same service. Every node that provides the same service is configured with the same anycast destination address.

Page 18

IPv6 Security Vulnerabilities

• Vulnerability 1: Tracking Identity of IPv6 Users

When using IPv6 address auto-configuration, the MAC address of a network card is used to make this card’s IPv6 address → privacy concern for mobile devices, because when they access the Internet from different locations, their MAC-based IPv6 identifier stays the same, so the device can be tracked across different networks.

→ SOLUTION: RFC 4941 – privacy extensions for Stateless Address Auto-configuration (SLAAC): the interface identifier is derived from the MAC initially, but then passed through a 1-way hash algorithm, … Cons: complicates network debugging, security/audit. RFC 7217 offers further improvements.
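The tracking problem and the RFC 7217 improvement side by side, as an added example that is not part of the slides: `eui64_iid` is the modified EUI-64 rule that puts the MAC into the address, so the last 64 bits are identical on every network, while `stable_privacy_iid` follows the RFC 7217 recipe, stable within one network but different in each. RFC 7217 leaves the hash function F to the implementer, so HMAC-SHA256 is this example's choice; the MAC, the two /64 prefixes (under the 2001:db8::/32 documentation prefix), the interface name, the SSIDs and the key are constructed values.

```python
import hashlib
import hmac


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291 App. A): split the 48-bit MAC, insert 0xfffe,
    flip the universal/local bit. Same MAC -> same IID on every network."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def stable_privacy_iid(prefix: bytes, net_iface: str, network_id: str,
                       secret_key: bytes, dad_counter: int = 0) -> bytes:
    """RFC 7217 scheme: IID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    F is left open by the RFC; HMAC-SHA256 is this example's assumption. The IID is
    stable inside one network (same prefix and SSID) and different in every other one.
    (The RFC also requires rejecting reserved IIDs and bumping DAD_Counter on a
    duplicate-address collision; both are left out here.)"""
    msg = prefix + net_iface.encode() + network_id.encode() + dad_counter.to_bytes(2, "big")
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def to_text(prefix: bytes, iid: bytes) -> str:
    """/64 prefix + 8-byte IID in colon-hex (leading zeros dropped, no '::' compression)."""
    raw = prefix + iid
    return ":".join(format(int.from_bytes(raw[i:i + 2], "big"), "x") for i in range(0, 16, 2))


# Constructed sample: one laptop seen on two networks.
MAC = "00:1a:2b:3c:4d:5e"
HOME = bytes.fromhex("20010db800010000")   # 2001:db8:1::/64
CAFE = bytes.fromhex("20010db800020000")   # 2001:db8:2::/64
KEY = b"constructed-per-host-secret"       # a real host generates this once at install time


def addresses(prefix: bytes, network_id: str) -> tuple[str, str]:
    """(EUI-64 address, RFC 7217 address) the host would form on the given network."""
    return (to_text(prefix, eui64_iid(MAC)),
            to_text(prefix, stable_privacy_iid(prefix, "wlan0", network_id, KEY)))
```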

Page 19

IPv6 Security Vulnerabilities (cont.)

Example: IPv6 stateless configuration

The stateless mechanism allows a host to generate its own addresses using a combination of locally available information and information advertised by routers. This mechanism does not require the establishment of a server to dole out address space. The IPv6 stateless autoconfiguration mechanism requires no manual configuration of hosts, minimal (if any) configuration of routers, and no additional servers. This method uses the MAC address of the device to create an IPv6 address with the 2000:: prefix set in the router.

The stateless approach is used when a site is not particularly concerned with the exact addresses hosts use, so long as they are unique and properly routable. Stateful and stateless autoconfiguration may be used simultaneously.

https://techglimpse.com/ipv6-stateless-autoconfiguration-in-packet-tracer-simulator/

Page 20

IPv6 Security Vulnerabilities (cont.)

Example: IPv6 privacy addressing

https://www.usenix.org/system/files/login/articles/105438-Barrera.pdf

Page 21

IPv6 Security Vulnerabilities (cont.)

• Vulnerability 2: Easy Network Reconnaissance

IPv6 has introduced some specialized site-local and link-local multicast addresses

→ reconnaissance is greatly simplified, as certain select groups of devices can be probed/scanned at once

→ multicast addresses also enable simple blind attacks on groups of critically important nodes (e.g., routers, DHCP servers, …)

→ SOLUTION: perform ingress filtering of multicast packets; though this will not work against ‘insider attacks’

Page 22

IPv6 Security Vulnerabilities (cont.)

Example: IPv6 fixed scope multicast addresses

https://www.edn.com/Home/PrintView?contentItemId=4014403

Page 23

IPv6 Security Vulnerabilities (cont.)

• Vulnerability 3: Packet Fragmentation Abuse

In IPv6, packet fragmentation by intermediary nodes is NOT allowed – only the end hosts are allowed to create and reassemble fragments

→ this can be used by attackers to hide their attacks, e.g. by splitting the ‘attack payload’ over multiple smaller packets (routers/firewalls that do not correlate subsequent packets would not ‘catch’ the attack)

→ only a node performing deep packet inspection would be able to detect such attacks

[figure: an ‘ATTACK’ payload split across fragments]

Page 24

IPv6 Security Vulnerabilities (cont.)

• Vulnerability 4: Extension Headers Abuse

An IPv6 packet can have an arbitrary (large) number of extension headers combined with Hop-by-Hop & Routing EH

→ someone could create an IPv6 packet that meets the protocol specification and has an unlimited number of EHs

→ a packet like that could cause a DoS of intermediary systems along the transmission path or the destination system
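The defensive counterpart to this vulnerability, as an added example that is not part of the slides and that also covers the Next Header codes of pages 1–2: a bounded walk over the Next Header chain, which is what an inspecting node (firewall, IDS, host stack) needs so that a spec-compliant packet with an endless EH chain is dropped at a policy limit instead of being parsed until memory or CPU runs out. `MAX_EXT_HEADERS = 8` is a policy value chosen for this example, not a protocol constant, and `build_packet` constructs the sample packets.

```python
import struct

# Next Header values of the IPv6 extension headers (RFC 8200 section 4; AH and ESP from IPsec)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AUTH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS, MOBILITY}
MAX_EXT_HEADERS = 8  # policy limit chosen for this example, not a protocol constant


def walk_header_chain(pkt: bytes, max_ext: int = MAX_EXT_HEADERS) -> tuple[list[int], str]:
    """Follow the Next Header chain and return (EH types seen, verdict).

    The walk is bounded: an over-long or malformed chain is dropped as soon as the
    limit is hit, so a spec-compliant packet with an endless EH chain cannot make
    the inspecting node parse until it runs out of resources."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], "drop: not an IPv6 header"
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    nxt, off, end = pkt[6], 40, min(len(pkt), 40 + payload_len)
    chain: list[int] = []
    while nxt in EXT_HEADERS:
        if len(chain) >= max_ext:
            return chain, f"drop: more than {max_ext} extension headers"
        if nxt == HOP_BY_HOP and chain:
            return chain, "drop: Hop-by-Hop not first (RFC 8200 4.1)"
        if off + 8 > end:
            return chain, "drop: truncated extension header"
        chain.append(nxt)
        if nxt == FRAGMENT:
            hdr_len = 8                          # fixed size, no Hdr Ext Len field
        elif nxt == AUTH:
            hdr_len = (pkt[off + 1] + 2) * 4     # AH Payload Len: 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8     # Hdr Ext Len: 8-octet units after the first 8
        nxt, off = pkt[off], off + hdr_len
    if nxt == ESP:
        return chain, "accept: ESP (chain ends, payload encrypted)"
    return chain, f"accept: upper-layer protocol {nxt}"


def build_packet(ext_types: list[int], upper: int = 6) -> bytes:
    """Constructed sample: minimal IPv6 header, a chain of 8-octet EHs, 20 bytes of payload."""
    chain = b""
    for i in range(len(ext_types)):
        nxt = ext_types[i + 1] if i + 1 < len(ext_types) else upper
        chain += bytes([nxt, 0]) + bytes(6)      # Next Header, Hdr Ext Len 0, padding
    payload = chain + bytes(20)
    first = ext_types[0] if ext_types else upper
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first, 64) + bytes(32)  # src/dst zeroed
    return hdr + payload
```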

Page 25

IPv6 Security Myths

Myth 1: I’m not running IPv6 so I don’t have to worry about IPv6 security!

→ IPv6 is enabled by default in modern hosts, servers, devices.

→ Thus, even in a network where no one has intentionally deployed IPv6, it is quite likely that devices are sending IPv6 packets and have IPv6 sockets open.

Myth 2: IPv6 has security designed in so I do not need to worry about security!

→ IPv6 was developed in the late 1990’s – many of today’s security threats were not known.

→ IPSec is what makes IPv6 secure – must be actively used!!!

Page 26

IPv6 Security Myths (cont.)

Myth 3: IPv6 has no NAT; global addresses are used. I am exposed to attacks from the Internet!

→ While NAT may provide a bit of obfuscation by hiding your internal addresses, it is really the stateful firewalls that protect your network from unwanted intrusion (so you should use them).

Page 27

IPv6 Security Myths (cont.)

Myth 4: IPv6 networks are too big to scan. Hackers will have a hard time finding devices in my network!

→ IPv6 addresses tend to clump up in certain IPv6 address ranges. Hence, scanning IPv6 networks is not impossible because there are shortcuts available ...

Page 28

IPv6 Security Myths (cont.)

Myth 5: IPv6 is too new to be attacked!

→ IPv6 was designed 20 years ago.

→ IPv6 hardware and software bugs and other vulnerabilities are well known and widely published, and there are many available IPv6 test/attack tools.

https://www.internetsociety.org/blog/2015/03/ipv6-security-myth-10-deploying-ipv6-is-too-risky/