In this post I want to give an overview of IPv6 security testing efforts performed by various researchers in the past. As laid out in the first part of this series such testing can be considered one of the pillars of an overall IPv6 security strategy in complex environments. I will also try to develop a bit of a classification approach as for the ‘questions’ that the individual testing efforts were supposed to answer.
One of the earliest efforts was undoubtedly Marc Heuse‘s PacSec 2005 talk on “Attacking the IPv6 Protocol Suite” in which he discussed the now famous THC IPv6 toolkit for the 1st time in public. That talk was mainly focused on general IPv6 properties and how to exploit them. Another milestone of IPv6 security research (albeit quite a few years later than Marc’s talk) was Antonios Atlasis‘ Black Hat EU 2012 talk on “Attacking IPv6 Implementation Using Fragmentation“. I saw that one live as I presented at the same event myself, and I remember being impressed by the huge security impact that seemingly small implementation nuances can have (e.g. CVE-2012-4444 in the Linux kernel was one outcome of that research). I also realized that IPv6 fragmentation can be a really bad thing from a security perspective. That work was heavily focused on the ‘how do different implementations behave [when confronted with specific packets], and why does it matter’ angle. Highlighting that differences between IPv6 stacks exist, and that these might be relevant for an implementation’s security posture, was an important contribution/message in itself.
Antonios then expanded his research into looking at the way how various firewalls handled IPv6 fragmentation and IPv6 extension headers (2013, together with Christopher “Chris” Werny), and how IDPS systems could be evaded by means of extension headers (2014. see also the “Hiding in Complexity” talk by Marc Heuse in 2015). Similar testing was done by Marc & Fernando Gont (“Security Assessments of IPv6 Networks and Firewalls“, 2013) and by Johannes Weber in his master thesis (“IPv6 Security Test Laboratory”, 2013). All these research efforts explicitly looked at both IPv6 implementation differences on security components and at their resilience when being exposed to individual (and potentially ‘peculiar’) IPv6 packets. At the time another group of researchers performed various related activities at the University of Potsdam (see also their publications); a few results of their work were presented at the Troopers IPv6 Security Summit 2014.
Some of the above papers included (more or less detailed) descriptions of test cases, but the most comprehensive taxonomy of tests to be performed with regard to the secure implementation of IPv6 on operating systems or network devices could be found in the “Testing the security of IPv6 implementations” paper published in March 2014 by a group of (mostly) Dutch researchers (incl. Cristofaro Mune and Albert Spruyt):
Since then not much has happened in the space of IPv6 security research centered around implementation differences of OSs or network devices (I myself contributed to lab testing of various OSs in the context of SLAAC/DHCPv6, IPv6 source address selection or RFC 6980 support, although besides the latter none of these had a specific security perspective). A notable exception is a Ph.D. thesis on “Measuring IPv6 Resilience and Security” published in 2019, but they mostly looked at the real-life distribution of specific patterns and IPv6 security issues on an Internet scale (as opposed to performing tests in one individual environment and/or in a lab). While this is super-interesting research it is supposed to answer a different (set of) research question(s). Also there is an interesting paper/thesis on “IPv6 Security Issues in Linux and FreeBSD Kernels: A 20-Year Retrospective” from 2018 (authored by Jack Cardwell, with my old friend Sergey Bratus as advisor).
On the other hand I can confirm from IPv6-focused security assessments in customer environments which Chris and I led between 2016 and early 2019 that significant implementation differences still exist(ed) in more recent times. Maybe it’s hence time to revive such testing efforts, now that IPv6 deployment gains ever more traction in enterprise environments? In another post I will discuss how a framework for testing IPv6 implementations from different (not only security-centric) perspectives could look like.
Stay tuned, and thank you for reading so far ;-).