Due to the exhaustion of IPv4 free address space, the use of IPv6 on the Internet is gradually increasing. All Windows operating systems since Windows Vista have IPv6 enabled by default. IPv6 brings a series of improvements compared to IPV4, but these improvements are also put a double-edged sword. Recently, we have been focusing on "IPv6" attack research and found that in the IPV6 environment, there are many attack points, such as Iptables will fail, use IPV6 to bypass the Web defense strategy and abuse IPV6-specific protocols for man-in-the-middle attacks, and Other attack ideas! In this speech, I will disclose the attack methods and ideas I have found for IPV6, and will also release tools for IPV6 attacks.

1. J i n g l u n L i , S e c u r i t y R e s e a r c h e r @ B C M S o c i a l C o r p .
New threat are already around you
the IPv6 attack must be understood
h t t p s : / / c y b e r w e e k . a e

2. 2
State of IPv6 deployment

3. World IPv6 capability and preference
3
The current growth rate is getting faster recently.

4. IPv6 statistics of Google
4
So many users that access Google over IPv6.
The data of this image is collected by Google.

5. OS IPv6 Ready Version Memo
Android 5.0+
iOS 4.1+
Windows XP+ * IPv6 on XP is not installed by default.
macOS OSX 10.7+(Lion)
Ubuntu All
Debian 3.0+
Comparison of IPv6 support in operating systems
5
Modern systems already support IPv6.

6. 6
What changed in IPv6 mainly?
ARP was replaced by NDP(Neighbor Discovery Protocol)
Larger address space
Internet Protocol Security (IPSec) part
IP header (No header length, no IPID, no checksum …)
…

7. 7
ARP & NDP
- ARP (IPv4):
Q: Who is 10.64.116.98?
A: I am. My MAC is 00-17-FC-6B-61-34.
- NDP/ICMPv6 (IPv6):

8. 8
A larger address space
- IPv4:
32-bit
4, 294, 967, 296 addresses.
- IPv6:
128-bit
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.

9. 9
Internet Protocol Security (IPSec)
IPSec Tunnel

10. 10
Problems of IPv6

11. 11
NAT
IPv4 NAT

12. 12
ARP Spoofing disappeared? Not really.
IPv4 ARP Spoofing

13. 13
NDP neighbor spoofing

14. 14
Attack the gateway (Flooding)
- Attack:
1. DHCPv6 Type
2. SLAAC Type
- Solve:
A. limit the number of addresses that each MAC can request
B. limit the number of MAC that each port of a switch can serve

15. 15
Privacy problem
- A unique IP address makes it easier for servers to correlate requests and real users.
- Even data is encrypted, metadata will leak things.
- Privacy extensions for IPv6 (RFC 4941)
- Maybe it’s still not enough…

16. 16
Tools for IPv6 are becoming more and more powerful
- ping6
- nmap
- ipv6-toolkit (SI6 Networks):

17. 17
mitm6: Compromising IPv4 via IPv6
 reply to DHCPv6
messages
 provide a link-local
IPv6 address
Take over DNS
 IPv6 DNS server
will be used
DNS spoofing
 Use a fake
WPAD.DAT file
WPAD exploit
 NTLM relay
Fake proxy

18. 18
iptables & ip6tables

19. Other ways to access localhost
19

20. 20
A long way to go …

21. 21
Thank you