Paper 261 US-T-FDOWN
IPv6 Stateless Address Autoconfiguration Considered Harmful
Janne Lindqvist, Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory
IPv6 Stateless Address Autoconfiguration (RFC 2462) configures addresses in IPv6 networks without a server. In short, a node chooses a candidate address and verifies its uniqueness by multicasting a probe for it on the local link; this verification step is called Duplicate Address Detection (DAD). The mechanism has privacy issues that have been identified before (RFC 3041). By default, the interface identifier part of the IPv6 address is constructed from a link-layer identifier, for example the Ethernet MAC address. The problem with this approach is that it gives a simple way to correlate all traffic originating from a particular device, even when the device is mobile and moves between networks, and thus can violate the privacy of the user. This can be mitigated with the privacy extension to the autoconfiguration mechanism (RFC 3041), which allows pseudorandom bits to be used for the interface identifier. In addition to the privacy issues, a known problem with the mechanism is that Duplicate Address Detection can be used for denial-of-service attacks against hosts: an attacker can answer every DAD probe with an "address in use" reply, so that the victim never obtains a usable address. This could be a major issue in the deployment of ad hoc networks, for example. In this paper we present a novel way to use IPv6 autoconfiguration for malicious purposes: the autoconfiguration mechanism can serve as a very effective covert channel. Such a covert channel is a serious threat to communication security if it is planted by a malicious third-party IPv6 vendor or deployed by a rootkit. We have implemented the covert channel, which allows efficient local attacks when combined with Ethernet identifiers. The attacks apply to both wired and wireless networks.
We also discuss the possibility of carrying out global attacks in the Internet using similar principles. Our attacks can compromise, for example, the confidentiality keys of IPsec ESP. Finally, we analyze strategies for preventing the identified attack opportunities.
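The following model, added here as an illustration and not code from the paper, shows the pieces the abstract refers to: how a MAC address becomes an interface identifier (RFC 2464) and why that identifier correlates a device across networks, an RFC 3041-style random identifier, the solicited-node group a DAD probe is multicast to, a link where a hostile node answers every probe (the denial of service), and the principle behind treating DAD as a covert channel: the sender chooses all 64 bits of the tentative interface identifier and every listener on the link sees them. The Node/Link classes and the bit layout used for the channel (index in the first byte, seven data bytes after it) are assumptions made for this example, not the paper's encoding or implementation.

```python
"""SLAAC / DAD model (illustrative example, not the paper's code)."""
import ipaddress
import os

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def eui64_iid(mac: str) -> bytes:
    """RFC 2464: insert ff:fe in the middle of the MAC and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def random_iid() -> bytes:
    """RFC 3041-style temporary identifier: 64 random bits, U/L bit cleared."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return bytes(iid)


def make_address(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    if prefix.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit interface identifier")
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX from the low 24 bits of the target (RFC 4291)."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + addr.packed[13:])


class Node:
    """Assumed model of a host: promiscuous = hears every multicast group,
    deny = answers every DAD probe with 'address in use' (the DoS attacker)."""

    def __init__(self, name, promiscuous=False, deny=False):
        self.name, self.promiscuous, self.deny = name, promiscuous, deny
        self.addresses, self.groups = set(), {ALL_NODES}
        self.seen = []  # targets of every DAD probe this node received

    def receives(self, group):
        return self.promiscuous or group in self.groups

    def on_solicitation(self, target):
        """True means 'send a Neighbor Advertisement': the address is taken."""
        self.seen.append(target)
        return self.deny or target in self.addresses

    def assign(self, addr):
        self.addresses.add(addr)
        self.groups.add(solicited_node(addr))


class Link:
    def __init__(self):
        self.nodes = []

    def attach(self, node):
        self.nodes.append(node)

    def dad(self, node, tentative):
        """Multicast the probe to the solicited-node group; any answer means duplicate."""
        group = solicited_node(tentative)
        for other in self.nodes:
            if other is not node and other.receives(group) and other.on_solicitation(tentative):
                return False
        node.assign(tentative)
        return True


def covert_send(link, node, payload: bytes) -> int:
    """Assumed layout: byte 0 = chunk index << 2 (U/L and group bits clear), bytes 1..7 = data.
    Whether DAD succeeds is irrelevant; the probe carrying the bits has already been sent."""
    chunks = [payload[i:i + 7] for i in range(0, len(payload), 7)]
    for idx, chunk in enumerate(chunks):
        iid = bytes([(idx << 2) & 0xFC]) + chunk.ljust(7, b"\x00")
        link.dad(node, make_address(LINK_LOCAL, iid))
    return len(chunks)


def covert_receive(observer) -> bytes:
    """Reassemble chunks in index order from the probes a promiscuous listener saw."""
    chunks = {}
    for target in observer.seen:
        iid = target.packed[8:]
        if iid[0] & 0x03 == 0:  # assumed marker; zero padding is stripped at the end
            chunks[iid[0] >> 2] = iid[1:]
    return b"".join(chunks[i] for i in sorted(chunks)).rstrip(b"\x00")
```

Two things the model makes concrete: the same `eui64_iid(mac)` bytes reappear in every prefix the device configures, which is the correlation problem, and `covert_receive` needs nothing more than a promiscuous listener, because DAD probes go to a multicast group rather than to a host that could filter them.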

Mr. Janne Lindqvist received his Master of Science in Technology degree from the Helsinki University of Technology (TKK), Finland, in February 2005. Since graduating he has worked as a research project manager at TKK. As a PhD candidate, he has already published in several international conferences. The topic of his doctoral thesis is security and privacy in wireless mobile networks.