The rapid adoption of IPv6 continues to make its way into our lives: more and more operating systems, routers, server developers, and other software vendors are announcing support for it, leaving users naturally puzzled: what is it, why do we even need it, and what is the current state of affairs?
A major drawback of the IPv4 protocol (and the primary reason for the transition to IPv6) has been the limited number of IP addresses, a shortage that is already acutely felt today. Although DHCP servers (which assign dynamic addresses) and network address translation (NAT) mitigate the problem to some extent, the fact remains that the 32-bit field the protocol's designers allocated for an IP address yields 2^32 = 4,294,967,296 unique addresses, and since some of those are reserved for special purposes, even that figure is slightly inflated. In the early days of the Internet, when the number of nodes was in the tens, this limit did not look like a significant drawback (more precisely, nobody thought to call it a "limitation"). As the network grew, it became clear that "we can't go on like this": either the IPv4 protocol had to be extended or something entirely different was needed.
A widespread misconception is that IPv6 is a slightly modified version of IPv4; it is not. Nor did the IPv6 protocol appear yesterday or the day before: it has been around for a very long time. As early as the beginning of 1990, RFC 1750 contained the first mention of the impending shortage of IP addresses, which sparked discussions and the search for new solutions. To coordinate these efforts, the IETF formed the "IPng Area" working group in 1993 (where "IPng" stands for "IP Next Generation"), which the Internet Engineering Task Force approved on July 25, 1994. That date can be considered a historic milestone in the creation of the IPv6 protocol. Work began in earnest at research centers, and a multitude of RFCs were published, often contradicting one another.
The Benefits of IPv6 — In Detail
1. Address Space
128-bit addressing solves the problem of address scarcity. This allows providers and organizations to assign larger prefixes, simplify network planning, and avoid complex NAT schemes.
2. SLAAC and DHCPv6
SLAAC provides automatic address configuration. DHCPv6 provides centralized control. Both mechanisms are often used together: SLAAC for basic configuration and DHCPv6 for additional parameters (DNS, NTP, etc.).
3. Simplified Routing
IPv6 removes certain obsolete header fields, makes routing more predictable, and enables more efficient prefix aggregation.
4. Built-in Support for Modern Mechanisms
IPv6 was designed with modern requirements in mind: support for extension headers and built-in compatibility with IPsec (although IPsec is not required).
5. Mobility Support
IPv6 is better suited for mobile scenarios where devices frequently change their point of attachment.
Drawbacks and limitations
Increased attack surface: every node can hold a globally routable address and be reached directly, with no NAT in between.
New autoconfiguration mechanisms introduce new attack vectors.
The transition period from IPv4 creates complex compatibility scenarios and additional risks.
Tunnels and transition mechanisms — what you need to know
The transition to IPv6 did not happen overnight. To ensure compatibility, mechanisms were developed that allow IPv6 to run over IPv4. These mechanisms are convenient, but they also create hidden traffic channels.
Main mechanisms:
Dual Stack — the device operates on both IPv4 and IPv6. This is the simplest option, but it doubles the attack surface.
6to4 — automatic generation of an IPv6 address based on IPv4. Works via relay servers.
Teredo — encapsulation of IPv6 in UDP, allowing NAT traversal. Often enabled by default in operating systems.
ISATAP — an enterprise mechanism for IPv6 over IPv4.
DS-Lite — an ISP-provided scheme: the client's IPv4 traffic is encapsulated in IPv6 and processed by the provider's AFTR.
MAP-T / MAP-E — static mapping of addresses and ports, an alternative to NAT444 and DS-Lite.
6rd — an ISP-provided version of 6to4, offering greater control.
Why this matters: Tunnels allow IPv6 traffic to pass through networks where the administrator considers IPv6 to be disabled. If a firewall filters IPv6 but does not filter the corresponding tunnels (UDP/3544 for Teredo, protocol 41 for 6to4), the traffic will pass through.
Teredo PCAP example (simplified):
Frame 42: 142 bytes
IPv4 Src: 192.168.1.5 → 52.167.144.123
UDP 3544 → 3544
Teredo
IPv6 Src: 2001:0:53aa:64c:34f2:91d2:abcd:1234
ICMPv6 Echo Request
If the firewall does not block UDP port 3544, this IPv6 traffic will pass through.
Neighbor Discovery and RFCs — Key Points to Remember
Neighbor Discovery (ND) replaces ARP in IPv6. It serves several purposes: neighbor discovery, link-layer address resolution, router discovery, and prefix management.
Brief excerpts from RFCs:
RFC 4861 (Neighbor Discovery): "Nodes use Neighbor Solicitation messages to determine the link-layer address of a neighbor."
RFC 2460 (IPv6, since replaced by RFC 8200): "The IPv6 header is not allowed to be fragmented." (In IPv6 only the sending node fragments packets; routers on the path do not fragment in transit.)
RFC 4380 (Teredo): "Teredo enables IPv6 connectivity for hosts behind one or more NATs."
RFC 4213 (Transition): "IPv6 transition requires coexistence with IPv4 for an extended period."
These excerpts show that the protocols were designed for IPv4 and IPv6 to work together, and that many transition mechanisms are part of the standard.
IPv6 Attacks — In Detail with Examples
I will describe real attack vectors, how they work, and what consequences they have.
Rogue Router Advertisement (RA Spoofing)
How it works: An attacker sends out a Router Advertisement with a false prefix or announces itself as the default router. Clients accept the RA and change their default gateway or prefix.
Consequences: MITM, traffic interception, DNS spoofing, redirection to phishing resources.
RA PCAP example:
ICMPv6 Router Advertisement
Source: fe80::dead:beef:1
Prefix: 2001:db8:dead:beef::/64
Router Lifetime: 1800
Protection: RA-Guard on switches, RA filtering on access ports, and allowing RAs only from ports that face trusted routers.
Neighbor Discovery Spoofing (NA/NS spoofing)
How it works: An attacker responds to a Neighbor Solicitation by specifying their own MAC address and setting the Override flag. The victim updates its neighbor table and begins sending traffic to the attacker.
PCAP example NA:
ICMPv6 Neighbor Advertisement
Target Address: fe80::1234:56ff:fe78:9abc
Target MAC: de:ad:be:ef:00:01
Flags: Override=1
Consequences: Local man-in-the-middle (MITM) attacks, interception of traffic, sessions, and credentials.
Protection: Secure Neighbor Discovery (SEND) — requires PKI and is rarely used; more practical options include RA-Guard, port security, and static entries for critical devices.
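Both ND attacks above are detectable on the wire because a legitimate link has a small, known set of routers and a known address-to-MAC mapping. The following Python script is an added example, not code from the original article: it parses raw ICMPv6 Router Advertisement and Neighbor Advertisement packets and raises alerts when an RA comes from a link-local address outside a trusted-router list, when the router lifetime exceeds the 9000-second maximum that RFC 4861 sets for AdvDefaultLifetime, or when an NA (with or without the Override flag) claims a MAC that contradicts a binding table. The trusted-router set, the binding table and the packets are constructed test data built from the addresses in the PCAP excerpts above; checksums are left at zero because the parser does not verify them.

```python
"""Software RA/NA monitor: flags Router Advertisements from untrusted sources and
Neighbor Advertisements that contradict a known address-to-MAC binding table."""
import ipaddress
import struct

ICMPV6 = 58
ND_RA, ND_NA = 134, 136
OPT_TARGET_LLADDR, OPT_PREFIX_INFO = 2, 3
MAX_ROUTER_LIFETIME = 9000   # RFC 4861 upper bound for AdvDefaultLifetime


def ipv6_packet(src, dst, next_header, payload, hop_limit=255):
    """Minimal IPv6 header in front of payload (constructed test data, no checksums)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_ra(src, prefix, router_lifetime):
    """Constructed RA with one Prefix Information option (/64, L=1, A=1), as in the excerpt."""
    body = struct.pack("!BBHBBHII", ND_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
    return ipv6_packet(src, "ff02::1", ICMPV6, body + opt + ipaddress.IPv6Address(prefix).packed)


def build_na(src, target, mac, override):
    """Constructed NA with a Target Link-Layer Address option; O is bit 29 of the flags word."""
    flags = 0x20000000 if override else 0
    body = struct.pack("!BBHI", ND_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    opt = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return ipv6_packet(src, "ff02::1", ICMPV6, body + opt)


def parse_nd_options(data):
    """Map option type -> option body; stops at a zero-length option instead of looping forever."""
    opts = {}
    while len(data) >= 8:
        otype, olen = data[0], data[1] * 8
        if olen == 0 or olen > len(data):
            break
        opts[otype] = data[2:olen]
        data = data[olen:]
    return opts


def inspect_nd(packet, trusted_routers, bindings):
    """Return alert strings for an RA or NA packet; an empty list means nothing suspicious."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != ICMPV6:
        return []
    src = str(ipaddress.IPv6Address(packet[8:24]))
    icmp = packet[40:]
    alerts = []
    if icmp[0] == ND_RA and len(icmp) >= 16:
        lifetime = struct.unpack("!H", icmp[6:8])[0]
        opts = parse_nd_options(icmp[16:])
        prefix = "none"
        if OPT_PREFIX_INFO in opts:
            pi = opts[OPT_PREFIX_INFO]   # prefixlen, flags, valid, preferred, reserved, prefix
            prefix = f"{ipaddress.IPv6Address(pi[14:30])}/{pi[0]}"
        if src not in trusted_routers:
            alerts.append(f"RA from untrusted source {src} advertising {prefix}, lifetime {lifetime}")
        if lifetime > MAX_ROUTER_LIFETIME:
            alerts.append(f"RA from {src} with out-of-spec router lifetime {lifetime}")
    elif icmp[0] == ND_NA and len(icmp) >= 24:
        override = bool(icmp[4] & 0x20)
        target = str(ipaddress.IPv6Address(icmp[8:24]))
        opts = parse_nd_options(icmp[24:])
        mac = opts.get(OPT_TARGET_LLADDR, b"")[:6].hex(":")
        known = bindings.get(target)
        if known and mac and mac != known:
            flag = " with Override set" if override else ""
            alerts.append(f"NA{flag} for {target} claims {mac}, binding table has {known}")
    return alerts


if __name__ == "__main__":
    trusted = {"fe80::1"}                                        # constructed: the real router
    bindings = {"fe80::1234:56ff:fe78:9abc": "00:11:22:33:44:55"}  # constructed binding table
    for pkt in (build_ra("fe80::dead:beef:1", "2001:db8:dead:beef::", 1800),
                build_na("fe80::dead:beef:1", "fe80::1234:56ff:fe78:9abc", "de:ad:be:ef:00:01", True)):
        print(inspect_nd(pkt, trusted, bindings))
```

The binding table is the part that needs care in practice: populate it from DHCPv6 leases or a switch's ND inspection table, not from the first NA seen, or a spoofed advertisement becomes the "known" value.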
SLAAC Prefix Injection
How it works: An attacker broadcasts RA messages with a prefix that causes devices to generate addresses within that prefix. Traffic is routed to a controlled zone.
Consequences: Traffic interception, DNS spoofing, creation of "phantom" segments.
Protection: Disable SLAAC where strict control is required; use DHCPv6 with validation; RA-Guard.
DHCPv6 Spoofing
How it works: An attacker responds to DHCPv6 requests by providing malicious parameters (DNS, routes).
Consequences: Traffic redirection, service spoofing, data leakage.
Protection: DHCPv6 with authentication, DHCP server control, L2 filtering.
RA Flooding
How it works: Massive distribution of RA messages with different prefixes or long lifetimes. Devices and routers begin processing a large number of entries.
Consequences: Table overflow, performance degradation, DoS.
Protection: RA limiting on ports, RA-Guard, OS and stack updates.
Extension Header Abuse and Fragmentation
How it works: An attacker uses long extension header chains or fragmentation to bypass IDS/IPS. Some devices and systems process header chains incorrectly or fail to reassemble fragments before analysis.
PCAP fragmentation example:
Frame 88: IPv6 Fragment Header
Next Header: TCP (6)
Fragment Offset: 0
M flag: 1
Payload (first 8 bytes)
Frame 89: IPv6 Fragment Header
Next Header: TCP (6)
Fragment Offset: 1
M flag: 0
Payload (rest)
Consequences: Bypassing IDS signatures, delivering malicious payloads.
Protection: Configure IDS/IPS to assemble fragments, filter suspicious combinations of extension headers, and update signatures.
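The fragmentation excerpt above shows the classic split: the first fragment carries only 8 bytes of the TCP header, so a sensor that inspects fragments individually never sees a complete header to match against. The following Python reassembler is an added example, not part of the original article: it rebuilds the payload per (source, destination, identification) and, while doing so, reports a first fragment that does not contain the whole TCP header (RFC 7112 requires the entire header chain, upper-layer header included, in the first fragment), non-final fragments whose length is not a multiple of 8, and fragments that overlap data already received. The TCP segment and the fragments are constructed to match frames 88 and 89; the identification value and addresses are made up.

```python
"""IDS-side IPv6 fragment reassembly with evasion checks: split upper-layer headers and
overlapping fragments are reported while the original payload is rebuilt."""
import ipaddress
import struct

FRAGMENT_HEADER = 44
TCP = 6
TCP_HEADER_LEN = 20   # RFC 7112: the first fragment must carry the entire header chain


def ipv6_fragment(src, dst, ident, offset_units, more, next_header, payload):
    """Constructed IPv6 packet with a Fragment header (offset in 8-byte units, M flag in bit 0)."""
    frag = struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)
    hdr = struct.pack("!IHBB", 0x60000000, 8 + len(payload), FRAGMENT_HEADER, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + frag + payload


def sample_tcp_segment():
    """Constructed TCP segment: 20-byte header (sport 40000, dport 80, PSH+ACK) plus an HTTP request."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return header + b"GET / HTTP/1.0\r\n\r\n"


class Reassembler:
    """Tracks fragments per (src, dst, identification) and returns the payload once complete."""

    def __init__(self):
        self.flows = {}

    def feed(self, packet):
        """Return (reassembled payload or None, list of alerts) for one IPv6 packet."""
        alerts = []
        if len(packet) < 48 or packet[6] != FRAGMENT_HEADER:
            return None, alerts
        src = ipaddress.IPv6Address(packet[8:24])
        dst = ipaddress.IPv6Address(packet[24:40])
        nh, _, off_m, ident = struct.unpack("!BBHI", packet[40:48])
        offset, more, data = (off_m >> 3) * 8, bool(off_m & 1), packet[48:]
        key = (src, dst, ident)
        flow = self.flows.setdefault(key, {"parts": [], "next_header": nh})
        if offset == 0 and nh == TCP and len(data) < TCP_HEADER_LEN:
            alerts.append(f"id {ident}: first fragment holds {len(data)} bytes, TCP header split (RFC 7112)")
        if more and len(data) % 8:
            alerts.append(f"id {ident}: non-final fragment length {len(data)} is not a multiple of 8")
        for start, chunk in flow["parts"]:
            if offset < start + len(chunk) and start < offset + len(data):
                alerts.append(f"id {ident}: fragment at offset {offset} overlaps existing data")
                break
        flow["parts"].append((offset, data))
        if not more:
            flow["total"] = offset + len(data)
        if "total" in flow:
            buf, covered = bytearray(flow["total"]), 0
            for start, chunk in sorted(flow["parts"]):
                if start != covered:
                    break            # gap or overlap: keep waiting rather than guess
                buf[start:start + len(chunk)] = chunk
                covered = start + len(chunk)
            if covered == flow["total"]:
                del self.flows[key]
                return bytes(buf), alerts
        return None, alerts


if __name__ == "__main__":
    seg = sample_tcp_segment()
    r = Reassembler()
    # Frames 88 and 89 from the excerpt: 8-byte first fragment (M=1), remainder at offset 1 (M=0)
    for frag in (ipv6_fragment("2001:db8::10", "2001:db8::80", 0x88, 0, True, TCP, seg[:8]),
                 ipv6_fragment("2001:db8::10", "2001:db8::80", 0x88, 1, False, TCP, seg[8:])):
        print(r.feed(frag))
```

A production sensor also needs a timeout per flow (RFC 8200 gives 60 seconds) so that incomplete fragment sets cannot exhaust memory, which is the same resource-exhaustion concern the RA flooding section raises for neighbor tables.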
Tunneling attacks (Teredo, 6to4, ISATAP)
How it works: An attacker uses tunnels to route IPv6 traffic through an IPv4 infrastructure, bypassing filters.
6to4 PCAP example:
Frame 101: IPv4 Src: 192.168.1.10 → 192.88.99.1
Protocol: IPv6 (41)
IPv6 Src: 2002:c0a8:10::1
Consequences: bypassing security boundaries, a covert channel for command and control, and the delivery of malicious traffic.
Protection: Block IP protocol 41 (IPv6-in-IPv4 encapsulation used by 6to4 and ISATAP) and UDP port 3544 (Teredo) at the network perimeter, monitor tunnels, and disable unnecessary mechanisms on hosts.
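Both the Teredo excerpt earlier on this page and the 6to4 excerpt above, as well as the perimeter rule just stated, come down to two outer-packet signatures: IPv4 protocol 41 and UDP port 3544. The following Python classifier is an added example, not code from the original article: it detects both signatures in raw IPv4 packets, extracts the inner IPv6 addresses, and decodes the IPv4 endpoints embedded in 6to4 (2002::/16) and Teredo (2001::/32, RFC 4380 layout) addresses, which is what a defender needs in order to see the real client and server behind a tunnel and to spot a 6to4 source whose embedded IPv4 does not match the outer packet. The packets are constructed inline from the page's sample addresses, with checksums left at zero.

```python
"""Classify IPv4 packets that carry tunneled IPv6 (protocol 41 or Teredo UDP/3544)
and decode the IPv4 endpoints embedded in 6to4 and Teredo addresses."""
import ipaddress
import struct

PROTO_IPV6 = 41       # 6to4, 6rd, ISATAP: IPv6 directly inside IPv4
PROTO_UDP = 17
TEREDO_PORT = 3544    # Teredo: IPv6 inside UDP
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (constructed test data, header checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv6_packet(src, dst, next_header, payload):
    """Minimal IPv6 header (constructed test data)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def decode_teredo(addr):
    """(server IPv4, client public IPv4, client port) from a Teredo address.
    RFC 4380 layout: prefix | server | flags | obfuscated port | obfuscated client."""
    raw = ipaddress.IPv6Address(addr).packed
    server = str(ipaddress.IPv4Address(raw[4:8]))
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
    client = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])))
    return server, client, port


def decode_6to4(addr):
    """IPv4 address embedded in a 6to4 address (2002:WWXX:YYZZ::/48)."""
    return str(ipaddress.IPv4Address(ipaddress.IPv6Address(addr).packed[2:6]))


def classify(packet):
    """Finding dict for an IPv4 packet carrying IPv6, or None for ordinary traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    payload = packet[ihl:]
    kind, inner = None, None
    if proto == PROTO_IPV6:
        kind, inner = "proto41", payload
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            kind, inner = "teredo", payload[8:]
    if inner is None or len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    finding = {"tunnel": kind, "outer": (outer_src, outer_dst),
               "inner": (str(inner_src), str(inner_dst)), "notes": []}
    if inner_src in SIXTO4_PREFIX:
        embedded = decode_6to4(str(inner_src))
        finding["notes"].append(f"6to4 address embeds IPv4 {embedded}")
        if embedded != outer_src:
            finding["notes"].append("embedded IPv4 differs from outer source (spoofed or behind NAT)")
    if inner_src in TEREDO_PREFIX:
        server, client, port = decode_teredo(str(inner_src))
        finding["notes"].append(f"Teredo server {server}, mapped client {client}:{port}")
    return finding


def sample_packets():
    """Constructed samples modelled on the page's Teredo and 6to4 PCAP excerpts (checksums zero)."""
    echo = b"\x80\x00\x00\x00\x00\x01\x00\x01"   # ICMPv6 Echo Request, id 1, seq 1
    inner = ipv6_packet("2001:0:53aa:64c:34f2:91d2:abcd:1234", "2001:db8::1", 58, echo)
    udp = struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT, 8 + len(inner), 0) + inner
    teredo = ipv4_packet("192.168.1.5", "52.167.144.123", PROTO_UDP, udp)
    inner = ipv6_packet("2002:c0a8:10::1", "2001:db8::1", 58, echo)
    sixto4 = ipv4_packet("192.168.1.10", "192.88.99.1", PROTO_IPV6, inner)
    dns = ipv4_packet("192.168.1.5", "192.168.1.1", PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0))
    return {"teredo": teredo, "6to4": sixto4, "dns": dns}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify(pkt))
```

Run against a capture, the same classifier doubles as a test of the perimeter rule: any proto41 or teredo finding seen on the inside of a firewall that is supposed to block both means the filter is not in effect.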
Transition Mechanisms — A Detailed Analysis
I will describe each mechanism, how it works, where it is used, and what risks it entails.
Dual Stack
How it works: A device has both IPv4 and IPv6 addresses and uses both stacks. Advantage: compatibility. Disadvantage: both stacks must be secured, and logs and policies must be maintained for both.
Risks: double attack surface, complexity of policy management.
6to4
How it works: An IPv6 address is constructed from a public IPv4 address. Traffic is encapsulated in IPv4 protocol 41 and sent to a 6to4 relay.
Risks: Dependence on the relay, potential for bypassing filters, NAT complications.
Teredo
How it works: IPv6 is encapsulated in UDP, which allows NAT traversal. Often enabled by default in the OS.
Risks: Tunnel via UDP/3544, filtering complexity, potential for a hidden channel.
ISATAP
How it works: an enterprise mechanism for IPv6 over IPv4. Uses special addresses and automatic configuration.
Risks: ISATAP router spoofing, hidden routes.
DS-Lite
How it works: the client has only IPv6, while IPv4 traffic is encapsulated and processed on the provider's AFTR.
Risks: AFTR is a single point of failure and control; debugging complexity.
MAP-T / MAP-E
How it works: Static mapping of addresses and ports, allowing the provider to conserve IPv4 addresses without tunnels.
Risks: configuration complexity, need for hardware support.
6rd
How it works: a provider-side version of 6to4 where the prefix is managed by the provider. Deploys quickly but inherits the risks of 6to4.
Practical security recommendations — checklist
Below are specific steps you can take on your network.
1. Inventory
Identify all devices that support IPv6.
Check which transition mechanisms are enabled by default.
2. Disabling Unnecessary Mechanisms
On workstations and servers, disable Teredo, 6to4, and ISATAP if they are not needed.
At the network edge, block IP protocol 41 and UDP port 3544 if tunnels are not in use.
3. RA-Guard and Port Security
Enable RA-Guard on switches.
Restrict ports where RA packets are expected (e.g., ports to routers).
4. DHCPv6 and SLAAC
Determine where to use SLAAC and where to use DHCPv6.
In critical segments, prefer DHCPv6 with prefix assignment control.
5. IDS/IPS and Logging
Update IDS/IPS rules for IPv6.
Configure the collection and analysis of ICMPv6, ND, and RA.
Enable collection of fragmented packets.
6. Segmentation and ACL
Apply ACLs for IPv6 at the network perimeter and within the network.
Separate IoT and user segments.
7. Updates and Patches
Update network devices and operating systems. Many vulnerabilities are addressed by updates.
8. Staff Training
Train administrators on IPv6 specifics: addressing, ND, ICMPv6, transition mechanisms.
9. Testing
Conduct lab tests: RA spoofing, ND spoofing, fragmentation, tunnels.
Use test environments, not production environments.
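For the Linux side of steps 1 to 3 (inventory, disabling unneeded mechanisms, and hosts that should not accept Router Advertisements at all), the following Python audit is an added example and not part of the original checklist: it parses sysctl -a style output, compares the IPv6 knobs against a hardened baseline (accept_ra, accept_redirects, accept_source_route and forwarding off), lists interfaces that still accept Router Advertisements, and flags interface names that look like IPv4-to-IPv6 tunnels (sit, ip6tnl, isatap). The sysctl key names are the real Linux ones; the baseline values are an assumption suited to static servers, the tunnel name list is a heuristic, and the sysctl output is a constructed sample.

```python
"""Audit a Linux host's IPv6 sysctl state against a hardened baseline and report
interfaces that look like IPv4-to-IPv6 tunnels."""

# Expected settings for a host that must not accept Router Advertisements
# (static servers, routers): an assumed baseline, not a universal rule.
BASELINE = {
    "net.ipv6.conf.all.accept_ra": "0",
    "net.ipv6.conf.default.accept_ra": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv6.conf.default.accept_redirects": "0",
    "net.ipv6.conf.all.accept_source_route": "0",
    "net.ipv6.conf.all.forwarding": "0",
}
TUNNEL_IFACE_PREFIXES = ("sit", "ip6tnl", "isatap", "teredo", "tun6to4")  # heuristic names

# Constructed sample of sysctl -a output from a misconfigured server.
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.sit0.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.ip_forward = 0
"""


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict, ignoring blank and malformed lines."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(text, baseline=BASELINE):
    """Return findings as (kind, subject, detail) tuples; empty means the host matches the baseline."""
    settings = parse_sysctl(text)
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append(("sysctl", key, f"is {actual!r}, expected {expected!r}"))
    # Group per-interface knobs: net.ipv6.conf.<iface>.<knob>
    ifaces = {}
    for key, value in settings.items():
        parts = key.split(".")
        if len(parts) == 5 and parts[:3] == ["net", "ipv6", "conf"]:
            ifaces.setdefault(parts[3], {})[parts[4]] = value
    for iface, knobs in sorted(ifaces.items()):
        if iface in ("all", "default", "lo"):
            continue
        if knobs.get("accept_ra", "0") != "0":
            findings.append(("interface", iface,
                             f"accepts Router Advertisements (accept_ra={knobs['accept_ra']})"))
        if iface.startswith(TUNNEL_IFACE_PREFIXES):
            findings.append(("tunnel", iface, "tunnel-style interface present; verify it is intended"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(SAMPLE_SYSCTL):
        print(f"{kind:10} {subject:40} {detail}")
```

On a live host, feed the function the output of the sysctl -a command instead of the sample; on workstations that rely on SLAAC, accept_ra must stay enabled, so keep a separate baseline per host class rather than applying the server one everywhere.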
Practical examples: PCAP and code
Below are additional PCAP snippets and sample code for the test environment.
PCAP: Neighbor Solicitation
Frame 12: 86 bytes
Ethernet II, Src: 00:0c:29:aa:bb:cc, Dst: 33:33:ff:12:34:56
IPv6 Src: fe80::20c:29ff:feaa:bbcc, Dst: ff02::1:ff12:3456
ICMPv6 Neighbor Solicitation
Target Address: fe80::1234:56ff:fe78:9abc
PCAP: RA Flooding (excerpt)
Frame 200: 150 bytes
IPv6 Src: fe80::bad:1, Dst: ff02::1
ICMPv6 Router Advertisement
Router Lifetime: 65535
Options: Prefix Information (2001:db8:bad::/64)
Scapy: Generating RA for Testing
from scapy.all import Ether, IPv6, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo

def build_ra(src_mac, prefix):
    # Ethernet frame to the all-nodes multicast MAC (33:33:00:00:00:01 corresponds to ff02::1)
    eth = Ether(src=src_mac, dst="33:33:00:00:00:01")
    # RA to all nodes with a 1800 s router lifetime and one on-link (L=1), autonomous (A=1) /64 prefix
    ra = (IPv6(dst="ff02::1")
          / ICMPv6ND_RA(routerlifetime=1800)
          / ICMPv6NDOptPrefixInfo(prefix=prefix, prefixlen=64, L=1, A=1))
    return eth / ra

pkt = build_ra("00:11:22:33:44:55", "2001:db8:dead:beef::")
pkt.show()  # print the dissected layers of the packet
Note: The code and PCAP fragments are intended for use in test environments. Do not use them in production or run them against external networks.