Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels

  • Bernhards BlumbergsEmail author
  • Mauno Pihelgas
  • Markus Kont
  • Olaf Maennel
  • Risto Vaarandi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10014)


The Internet Protocol Version 6 (IPv6) transition opens a wide scope for potential attack vectors. IPv6 transition mechanisms could allow the set-up of covert egress communication channels over an IPv4-only or dual-stack network, resulting in full compromise of a target network. Therefore effective tools are required for the execution of security operations for assessment of possible attack vectors related to IPv6 security.

In this paper, we review relevant transition technologies, describe and analyze two newly-developed IPv6 transition mechanism-based proof-of-concept tools for the establishment of covert information exfiltration channels. The analysis of the generated test cases confirms that IPv6 and various evasion techniques pose a difficult task for network security monitoring. While detection of various transition mechanisms is relatively straightforward, other evasion methods prove more challenging.


IPv6 security IPv6 transition Covert channels Computer network operations Red teaming Monitoring and detection 



This research was conducted with the support of NATO Cooperative Cyber Defense Center of Excellence. The authors would like to acknowledge the valuable contribution of Leo Trukšāns, Walter Willinger, and Merike Käo.


  1. 1.
    Atlasis, A.: Attacking IPv6 implementation using fragmentation. Technical report, Centre for Strategic Cyberspace + Security Science (2011)Google Scholar
  2. 2.
    Atlasis, A.: Security impacts of abusing IPv6 extension headers. Technical report, Centre for Strategic Cyberspace + Security Science (2012)Google Scholar
  3. 3.
    Atlasis, A., Rey, E.: Evasion of high-end IPS devices in the age of IPv6. Technical report, (2014)Google Scholar
  4. 4.
    Blumbergs, B.: Technical analysis of advanced threat tactics targeting critical information infrastructure. Cyber Security Review, pp. 25–36 (2014)Google Scholar
  5. 5.
    Blunden, B.: Covert Channels. In: Blunden, B. (ed.) The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd edn. Jones and Bartlett Learning, Burlington (2013)Google Scholar
  6. 6.
    Brangetto, P., Çalişkan, E., Rõigas, H.: Cyber Red Teaming - Organisational, technical and legal implications in a military context. NATO CCD CoE (2015)Google Scholar
  7. 7.
    Bukač, V.: IDS system evasion techniques. Master’s thesis, Masarykova Univerzita Fakulta Informatiky (2010)Google Scholar
  8. 8.
    Carpenter, B., Jung, C.: Transmission of IPv6 over IPv4 Domains without Explicit Tunnels. RFC 2529, IETF Secretariat, standards Track, March 1999Google Scholar
  9. 9.
    Colajanni, M., Zotto, L.D., Marchetti, M., Messori, M.: Defeating NIDS evasion in Mobile IPv6 networks. In: IEEE (2011)Google Scholar
  10. 10.
    Colitti, L., Gunderson, S.H., Kline, E., Refice, T.: Evaluating IPv6 adoption in the internet. In: Krishnamurthy, A., Plattner, B. (eds.) PAM 2010. LNCS, vol. 6032, pp. 141–150. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-12334-4_15 CrossRefGoogle Scholar
  11. 11.
    Convery, S., Miller, D.: IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation. White paper, Cisco Systems, March 2004Google Scholar
  12. 12.
    Czyz, J., Allman, M., Zhang, J., Iekel-Johnson, S., Osterweil, E., Bailey, M.: Measuring IPv6 adoption. In: ACM SIGCOMM14 (2014)Google Scholar
  13. 13.
    Ellens, W., Żuraniewski, P., Sperotto, A., Schotanus, H., Mandjes, M., Meeuwissen, E.: Flow-based detection of DNS tunnels. In: Doyen, G., Waldburger, M., Čeleda, P., Sperotto, A., Stiller, B. (eds.) AIMS 2013. LNCS, vol. 7943, pp. 124–135. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38998-6_16 CrossRefGoogle Scholar
  14. 14.
    Farinacci, D., Li, T., Hanks, S., Meyer, D., Traina, P.: Generic Routing Encapsulation (GRE). RFC 2784, IETF Secretariat, March 2000. (standards Track. Supplemented with RFC2890)Google Scholar
  15. 15.
    Fortinet: Biting the Bullet: A Practical Guide for Beginning the Migration to IPv6. white paper, Fortinet Inc. (2011)Google Scholar
  16. 16.
    Data SecurityLabs, G.: Uroburos: Highly complex espionage software with Russian roots. Technical report, G Data Software AG, February 2014Google Scholar
  17. 17.
    Gont, F.: Processing of IPv6 “Atomic” Fragments. RFC 6946, May 2013Google Scholar
  18. 18.
    Gont, F.: Security Implications of IPv6 on IPv4 Networks. RFC 7123, February 2014Google Scholar
  19. 19.
    Gont, F., Chown, T.: Network Reconnaissance in IPv6 Networks. Technical report, IETF Secretariat, February 2015. (internet Draft)Google Scholar
  20. 20.
    Gont, F., Liu, W., Bonica, R.: Transmission and processing of IPv6 options. Technical report, IETF Secretariat, March 2015. (best Current Practice)Google Scholar
  21. 21.
    Gont, F., Heuse, M.: Security assessments of IPv6 networks and firewalls. IPv6 Congress 2013 (2013). (presentation)Google Scholar
  22. 22.
    The Government of HKSAR: IPV6 security. Technical report, The Government of the Hong Kong Special Administrative Region, May 2011Google Scholar
  23. 23.
    Hogg, S., Vyncke, E.: IPv6 Security. Cisco Press, Indianapolis (2009)Google Scholar
  24. 24.
    Krishnan, S.: Handling of Overlapping IPv6 Fragments. RFC 5722, IETF Secretariat, December 2009. (standards Track. Updates RFC 2460)Google Scholar
  25. 25.
    Krishnan, S., Woodyatt, J., Kline, E., Hoagland, J., Bhatia, M.: A uniform format for IPv6 extension headers. Technical reportGoogle Scholar
  26. 26.
    Lucena, N.B., Lewandowski, G., Chapin, S.J.: Covert channels in IPv6. In: Danezis, G., Martin, D. (eds.) PET 2005. LNCS, vol. 3856, pp. 147–166. Springer, Heidelberg (2006). doi: 10.1007/11767831_10 CrossRefGoogle Scholar
  27. 27.
    Moore, K.: Connection of IPv6 Domains via IPv4 Clouds. RFC 3056, IETF Secretariat, February 2001. (standards Track)Google Scholar
  28. 28.
    Murphy, R.: IPv6 / ICMPv6 Covert Channels. DEF CON 2014 (2014). (presentation)Google Scholar
  29. 29.
    National Cybersecurity and Communications Integration Center: ICS-CERT Monitor. Technical report, US Dep. of Homeland Security, December 2013Google Scholar
  30. 30.
    Niemi, O.P., Levomki, A., Manner, J.: Dismantling intrusion prevention systems. In: ACM SIGCOMM 2012, August 2012Google Scholar
  31. 31.
    Nordmark, E., Gilligan, R.: Basic transition mechanisms for IPv6 hosts and routers. RFC 4213, IETF Secretariat, October 2005. (standards Track)Google Scholar
  32. 32.
    Pastrana, S., Montero-Castillo, J., Orfila, A.: Evading IDSs and firewalls as fundamental sources of information in SIEMS. In: Pastrana, S., Montero-Castillo, J., Orfila, A. (eds.) Advances in Security Information Management: Perceptions and Outcomes. Nova Science Publishers, New York (2013)Google Scholar
  33. 33.
    Ptacek, T.H., Newsham, T.N.: Insertion, evasion, and denial of service: eluding network intrusion detection. Technica report, DTIC Document, January 1998Google Scholar
  34. 34.
    Sarrar, N., Maier, G., Ager, B., Sommer, R., Uhlig, S.: Investigating IPv6 traffic: What happened at the world IPv6 day? In: Taft, N., Ricciato, F. (eds.) PAM 2012. LNCS, vol. 7192, pp. 11–20. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-28537-0_2 CrossRefGoogle Scholar
  35. 35.
    Degen, S., et al.: Testing the security of IPv6 implementations. Technical report, Ministryof Economic Affairs of the Netherlands, March 2014Google Scholar
  36. 36.
    Skoberne, N., Maennel, O., Phillips, I., Bush, R., Zorz, J., Ciglaric, M.: Ipv4 address sharing mechanism classification and tradeoff analysis. IEEE/ACM Trans. Netw. 22(2), 391–404 (2014)CrossRefGoogle Scholar
  37. 37.
    Steffann, S., van Beijnum, I., van Rein, R.: A comparison of IPv6-over-IPv4 tunnel mechanisms. RFC 7059, IETF Secretariat, November 2013. (informational)Google Scholar
  38. 38.
    Tadayoni, R., Henten, A.: Transition from IPv4 to IPv6. In: 23rd European Regional Conference of the International Telecommunication Society, July 2012Google Scholar
  39. 39.
    Taib, A.H.M., Budiarto, R.: Evaluating IPv6 Adoption in the Internet. In: 5th Student Conference on Research and Development. IEEE, December 2007Google Scholar
  40. 40.
    Templin, F., Gleeson, T., Thaler, D.: Intra-site automatic tunnel addressing protocol (ISATAP). RFC 5214, IETF Secretariat, March 2008. (informational)Google Scholar
  41. 41.
    TrendLabs: targeted attack trends 2014 Report. Technical report, TrendMicro (2015)Google Scholar
  42. 42.
    Troan, O., Carpenter, B.: Deprecating the Anycast Prefix for 6to4 Relay Routers. RFC 7526, IETF Secretariat, May 2015. (best Current Practice)Google Scholar
  43. 43.
    Vidal, J.M., Castro, J.D.M., Orozco, A.L.S., Villalba, L.J.G.: Evolutions of evasion techniques aigainst network intrusion detection systems. In: ICIT 2013, The 6th International Conference on Information Technology, May 2013Google Scholar
  44. 44.
    Wu, P., Cui, Y., Wu, J., Liu, J., Metz, C.: Transition from IPv4 to IPv6: a state-of-the-art survey. IEEE Comm. Surv. Tutorials 15(3), 1407–1424 (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Bernhards Blumbergs
    • 1
    Email author
  • Mauno Pihelgas
    • 1
  • Markus Kont
    • 1
  • Olaf Maennel
    • 2
  • Risto Vaarandi
    • 2
  1. 1.NATO Cooperative Cyber Defense Center of ExcellenceTallinnEstonia
  2. 2.Tallinn University of TechnologyTallinnEstonia

Personalised recommendations