Security implication and detection of threats due to manipulating IPv6 extension headers

Abstract

Use of IPv6 protocol is increasing due to lack of address space in IPv4 protocol. Along with increased address space, IPv6 also provides simplified header and additional functionality is put in the form of extension headers which can cause certain network threats, if misused. Network devices and operating systems are not at the matured stage to handle threats against IPv6 protocol. Reason being, not all network devices and operating system are fully RFC complaint. Even if they are, experience with IPv6 protocol is less, so there are possibilities of many unknown threats. This research investigates the threats due to misusing IPv6 destination option and fragmentation extension headers. Attacks addressed are fragmentation attack where upper layer protocol not present in first fragment i.e. tiny fragmentation attack, overlapping fragmentation attack, and flooding attack due to unknown option in destination option header. To verify these attacks, real test network set up is used. For each attack, detection logic is proposed and implemented in Linux environment using advanced shell scripting and C programming. To create packets with attack vectors Scapy - Python based packet manipulation tool is used. The proposed solution can run in host in order to detect these attacks and raise the alarm.