Blog 4: Beyond the Thunderdome:
A Review of TROOPERS15


We hope you are enjoying the ride as we continue our journey through IPv6. Below we have a great mix of talks, slides, and videos in this area posted below. We look forward to hosting more IPv6 (March 14th & 15th) talks next year at TROOPERS16!


“New Features of the SI6 Networks’IPv6 Toolkit” talk created and given by Fernando Gont

The IPV6 Toolkit was originally developed for UK CPNI in an effort to enhance and be able to test the current state of IPv6 security. The toolkit itself was mainly developed for security analysis and trouble shooting of IPv6 networks and implementations. It is running on a wide range of *nix based systems (this probably is considered painful to support given that low level implementation of network functions) and release under the GPL. You can directly check it out here:

To quote Fernando the IPV6 Toolkit is “an interface between your brain and your “IPv6 network”. Which means if you don’t know what to do, it will not help you much, but if you know it is great extension of your capabilities. The suite itself consists of many different tools suited for different purposes. The new Version 2.0 released at TROOPER15 contains lots of bug fixes, new tools and also exiting new options for existing tools. To summarize the presented improvements:


scan6 now has a heuristic approach to detect patterns in IPv6 addresses and just scans the addresses that match this pattern. e.g. scan6 -d DOMAIN/64 scan6 -d IPV6ADDR/64 So far scan6 is probably the most sophisticated IPv6 address scanner you can get your hands on. Furthermore does scan6 now support IPv6-based TCP/UDP port scanning. The different port scan modes for scan6 include SYN, FIN, NULL and XMAS.

One little limitation is it is currently only possible to scan one host at a time. One of the most interesting improvements is that scan6 can now carry out attacks on different TCP state. It is possible to choose from the different open states to the different close states and leave a remote system in any of theses states without consuming relevant resources on the attacker side. This was all explained in detail during the talk and also demo wise. There are many more attacks implemented in scan6. The original ideas for these attacks are from Fernando security assessment of TCP (see for further details).


udp6 allows sending of arbitrary IPv6 UDP datagrams in the new version this tool now allows the usage of arbitrary extension header and also the –data flag is now implemented. This flag allows one to send arbitrary UDP payload data.


script6 is a great way for batch-processing of “IPv6 related network tasks”. It can,for example, be used to get the AAAA record of a list of domain names, to get the MX records for all these domains or to get the AS (autonomous system) Number and further information. This can be combined and chained on command line to further enhance the usefulness.


path6 is a trace route program for IPv6 … but one can use extensions header! As many as you want! As ridiculous as you want -> extremely flexible


blackhole6 is useful to find out what device drops which specific packets (on a network path). It compares different trace route with and without extension headers (user defined <3) and prints out the last reachable host and also the dropping host in case of dropped packets due to extension headers.

Besides that Fernando has shown the attendees how he was able to create his real world data showing if one can reliable employ extension header on the Internet. Therefore he used many of his tools together to create this data in an automated fashion.

Thanks Fernando!


“Managing Security Incidents in an IPV6 World” talk created and given by Merike Kaeo

The talk from Merike Kaeo was about how to behave, when an Incident is happening on your IPV6 environment. For easier handling of incoming incidents, it is important to prepare the network, the tools you use to analyze, the logging and the filtering, and set appropriate guidelines on your system. This allows you to handle any incident without panic. Observing the traffic from where you collected is very helpful. You have to consider which addresses are used, where the source traffic is coming from, and where the source traffic is going. Therefore there are fundamental tools like snmp netflow/sflow, syslog, tacacs/radius. For the investigation tools like ping, trace route, dig, whois, pDNS are essential. Also route and packet filtering or Blacklists for filter SPAM or Domains might be helpful.

The problem with SNMP is, that the ip protocol version independent MIBS makes ipv6-specific MIBS obsolete. It is important to know which address in the ipconfig is being used by the SNMP server to poll the agents.

While using netflow, it is essential to use the netflow.v9 to get IPV6 information. By default, configuration IPV4 has higher priority. Flow export with both (IPv4 and IPv6) is not supported. When facing amplification attacks, like the abuse of an open recursive DNS server, it is good to know, where the domain name is pointing to using pdns. Find the criminal domain names via bad name servers or via a bad a record, which is used by most malicious domains. Test the dual-stack and transition technology behavior to know when dns replies utilize a or aaaa records. The tools for incident response in the IPv6 world need still more improvement.

While the video is unavailable for this talk please check out these slides


“Avoiding Mistakes Others Have Made” talk created and given by Merike Kaeo

The talk showed typical mistakes made in deploying IPv6 networks. From planning/designing over monitoring to securing your IPv6 network. After defining the security goals for your network consider the risks and threats that can occur. Important goals to achieve security are, to control the data access, to control the network access, protect your data on transit, ensuring availability, prevent intrusions and respond to incidences. Therefore, it is important that all the devices, which are in use, are secure. The next question is are the costs of the risk mitigations proportionate to the security advantages? Do not spend more to protect something than it is actually worth. With IPv6 there are new protocol behaviors and more possibilities than in Ipv4. Do you want to do the same as in IPv4? In IPv6 you have to rethink your address plans and behavior within the network. For example there are multiple addresses on the same interface, different protocol operations, more automation and the possibility for end-to-end encryption. Just putting Ipv6 on top of your Ipv4 seems not a good idea. What security services are being used to adhere to security policy requirements but are instantiations of ipv4 architecture limitations?

This talk focuses on updated best practices for architecting a secure IPv6 deployment as well as pointing out mistakes people have made which you should avoid. Important things, when it comes to ipv6 security in your environment are the threats from outside, the vulnerability in the system and the risks that depend on both and how to handle them.

So the questions you have to ask are: “What do I have to care about it? Where am I vulnerable and do I have to do something about it?”

A few problems that come along with IPv6 deployment are the issue with the multiple addresses on the interfaces, automation advantage versus the security risk, the ipv4 content, that has to be available, and how to handle the packet and data filtering. Those issues are easy in theory, but harder in practice. To build a secure ipv6 environment, consider what’s best for the environment. Secure the management place by setting up authentication access, and access from the management station. Secure the logging infrastructure, log useful information and have a backup plan for logging, if syslog gets unavailable. Also remove private information from your logs. Deny all traffic and only allow the traffic needed. Use filtering lists and reject packets with special-use prefix in destination. Deny sending packets that use routing headers, destination addresses in the 6to4 reserved address range and packets with destination addresses in the teredo address. Also block routing header type 0, to prevent ddos attacks. There still has to be more improvement of the ipv6 security technologies.


Last but not least we roll over to Exploits and Attacks!