Covert Channels in IPv6

  • Norka B. Lucena
  • Grzegorz Lewandowski
  • Steve J. Chapin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3856)


A covert channel is a communication path that allows transferring information in a way that violates a system security policy. Because of their concealed nature, detecting and preventing covert channels are obligatory security practices. In this paper, we present an examination of network storage channels in the Internet Protocol version 6 (IPv6). We introduce and analyze 22 different covert channels. In the appendix, we define three types of active wardens (stateless, stateful, and network-aware), which differ in complexity and in their ability to block the analyzed covert channels.


Keywords: covert channel, IPv6, active warden, stateless, stateful, IPsec





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Norka B. Lucena (1)
  • Grzegorz Lewandowski (1)
  • Steve J. Chapin (1)
  1. Syracuse University, Syracuse, USA
