310 research outputs found

    A New Model for Testing IPv6 Fragment Handling

    Since the origins of the Internet, various vulnerabilities exploiting the IP fragmentation process have plagued IPv4 protocol, many leading to a wide range of attacks. IPv6 modified the handling of fragmentations and introduced a specific extension header, not solving the related problems, as proved by extensive literature. One of the primary sources of problems has been the overlapping fragments, which result in unexpected or malicious packets when reassembled. To overcome the problem related to fragmentation, the authors of RFC 5722 decided that IPv6 hosts MUST silently drop overlapping fragments. Since then, several studies have proposed methodologies to check if IPv6 hosts accept overlapping fragments and are still vulnerable to related attacks. However, some of the above methodologies have not been proven complete or need to be more accurate. In this paper we propose a novel model to check IPv6 fragmentation handling specifically suited for the reassembling strategies of modern operating systems. Previous models, indeed, considered OS reassembly policy as byte-based. However, nowadays, reassembly policies are fragment-based, making previous models inadequate. Our model leverages the commutative property of the checksum, simplifying the whole assessing process. Starting with this new model, we were able to better evaluate the RFC-5722 and RFC-9099 compliance of modern operating systems against fragmentation handling. Our results suggest that IPv6 fragmentation can still be considered a threat and that more effort is needed to solve related security issues

    The Impact of IPv6 on Penetration Testing

    In this paper we discuss the impact the use of IPv6 has on remote penetration testing of servers and web applications. Several modifications to the penetration testing process are proposed to accommodate IPv6. Among these modifications are ways of performing fragmentation attacks, host discovery and brute-force protection. We also propose new checks for IPv6-specific vulnerabilities, such as bypassing firewalls using extension headers and reaching internal hosts through available transition mechanisms. The changes to the penetration testing process proposed in this paper can be used by security companies to make their penetration testing process applicable to IPv6 targets

    Speedtrap: Internet-Scale IPv6 Alias Resolution

    Proceedings of the Thirteenth ACM SIGCOMM Internet Measurement (IMC 2013) Conference, Barcelona, ES, October 2013. The article of record as published may be located at http://dx.doi.org/10.1145/2504730.2504759. Impediments to resolving IPv6 router aliases have precluded understanding the emerging router-level IPv6 Internet topology. In this work, we design, implement, and validate the first Internet-scale alias resolution technique for IPv6. Our technique, Speedtrap, leverages the ability to induce fragmented IPv6 responses from router interfaces in a particular temporal pattern that produces distinguishing per-router fingerprints. Our algorithm surmounts three fundamental challenges to Internet-scale IPv6 alias resolution using fragment identifier values: (1) unlike for IPv4, the identifier counters on IPv6 routers have no natural velocity, (2) the values of these counters are similar across routers, and (3) the packet size required to collect inferences is 46 times larger than required in IPv4. We demonstrate the efficacy of the technique by producing router-level Internet IPv6 topologies using measurements from CAIDA's distributed infrastructure. Our preliminary work represents a step toward understanding the Internet's IPv6 router-level topology, an important objective with respect to IPv6 network resilience, security, policy, and longitudinal evolution

    So you've got IPv6 address space. Can you defend it?

    Internet Protocol version 6 (IPv6) is the successor of Internet Protocol version 4 (IPv4). IPv6 will become the next standard networking protocol on the Internet. It brings with it a great increase in address space, changes to network operations, and new network security concerns. In this thesis we examine IPv6 from a security perspective. The security of IPv6 is important to all protocols that use IPv6 on the Internet. The goal of this thesis is to introduce the reader to existing IPv6 security challenges, demonstrate how IPv6 changes network security and show how IPv6 is being improved. Master's in Informatics

    Look at IPV6 Security advantages over IPV4

    Due to the increase of internet usage, especially in homes and offices, and because there will be many devices that will use the new 3G/4G technologies, Internet address exhaustion will gradually become a serious problem. Nowadays, the IPv4 address shortage problem has been solved incompletely using NAT (Network Address Translation); anyway, the changeover to IPv6 addresses will be accelerated because of advantages such as mobility, QoS, etc. We here show some of the improvements associated with the Internet Protocol version 6, with an emphasis on its security-related functionality. Keywords: IPV6 security, security, addressing, IP threats, IP attacks

    Covert6: A Tool to Corroborate the Existence of IPv6 Covert Channels

    Covert channels are any communication channel that can be exploited to transfer information in a manner that violates the system’s security policy. Research in the field has shown that, like many communication channels, IPv4 and the TCP/IP protocol suite have been susceptible to covert channels, which could be exploited to leak data or be used for anonymous communications. With the introduction of IPv6, researchers are acutely aware that many vulnerabilities of IPv4 have been remediated in IPv6. However, a proof of concept covert channel system was demonstrated in 2006. A decade later, IPv6 and its related protocols have undergone major changes, which has introduced a need to reevaluate the current state of covert channels within IPv6. The current research demonstrates the corroboration of covert channels in IPv6 by building a tool that establishes a covert channel against a simulated enterprise network. This is further validated against multiple channel criteria

    Leveraging Programmable Data Plane For Compressing Forwarding Tables

    The Forwarding Information Base (FIB) resides in the data plane of a routing device and is used to forward packets to a next-hop, based on packets' destination IP addresses. The constant growth of a FIB forces network operators to spend more resources on maintaining memory with line-rate Longest Prefix Match (LPM) lookup in a FIB, namely, expensive and energy-hungry Ternary Content-Addressable Memory (TCAM) chips. In this work, we review two different approaches used to mitigate the FIB overflow problem. First, we investigate FIB aggregation, i.e., merging adjacent or overlapping routes with the same next-hop while preserving the forwarding behavior of a FIB. We propose a near-optimal algorithm, FIB Aggregation with Quick Selections (FAQS), that minimizes the FIB churn and speeds BGP update processing by more than twice. In the meantime, FAQS preserves a high compression ratio (at most 73%). FAQS handles BGP updates incrementally, without the need of re-aggregating the entire FIB table. Second, we investigate FIB (or route) caching, when TCAM holds only a portion of a FIB that carries most of the traffic. We leverage the emerging concept of the programmable data plane to propose a Programmable FIB Caching Architecture (PFCA), that allows cache-victim selection at the line rate and significantly reduces the FIB churn compared to FIB aggregation. PFCA achieves 99.8% cache-hit ratio with only 3.3% of the FIB placed in a FIB cache. Finally, we extend PFCA's design with a novel approach of integrating incremental FIB aggregation and FIB caching. Such integration needed to overcome cache hiding challenge when a less specific prefix in a cache hides a more specific prefix in a secondary FIB table, which leads to incorrect LPM matching at the cache. In Combined FIB Caching and Aggregation (CFCA), cache-hit ratio is maximized up to 99.94% with only 2.5% entries of the FIB, while the total number of route changes in TCAM is reduced by more than 40% compared to low-churn FIB aggregation techniques

    Analysis of IPv6 through Implementation of Transition Technologies and Security attacks

    IPv6 provides more address space, improved address design, and greater security than IPv4. Different transition mechanisms can be used to migrate from IPv4 to IPv6 which includes dual stack networks, tunnels and translation technologies. Within all of this, network security is an essential element and therefore requires special attention. This paper analyses two transition technologies which are dual stack and tunnel. Both technologies are implemented using Cisco Packet Tracer and GNS3. This work will also analyse the security issues of IPv6 to outline the most common vulnerabilities and security issues during the transition. Finally, the authors will design and implement the dual stack, automatic and manual tunnelling transition mechanisms using Riverbed Modeler simulation tool to analyse the performance and compare with the native IPv4 and IPv6 networks