IPv6 Covert Channels

Disclaimer

Originally, IPv6 Covert Channels were the topic of my Master's Thesis in Cyber Security. In the last year I wanted to expand the topic and provide the community with a tool capable of instantiating such exploits easily in a network to test visibility and implement detections.

I have presented my work at Elbsides 2025, and you can find the slides available here


Introduction

Inspired by the work of Luca Caviglione et al., "IPv6CC: IPv6 covert channels for testing networks against stegomalware and data exfiltration", I have implemented a Python-based tool that allows the instantiation of IPv6 Covert Channels between two networked hosts.

The goal of the tool is to:

  1. Provide a reliable, repeatable and easy way to instantiate IPv6 Covert Channels
  2. Implement data exfiltration capabilities between two hosts over a covert channel
  3. Be extensible and controllable.

Why IPv6 Covert Channels?

Since 2012, the adoption of IPv6 has seen an exponential growth rate, with an average annual increase of around 40%. This acceleration is largely attributed to several factors:

  1. The increasing demand for IP addresses, driven by the proliferation of IoT devices and mobile networks;

  2. The growing adoption of cloud computing, which often relies on IPv6 as a default protocol; and

  3. The strategic efforts of major ISPs and tech companies, such as Google, Microsoft, and Amazon, who have been actively promoting IPv6 adoption.

For instance, in 2020, it was reported that over 30% of global internet traffic was already routed through IPv6 networks. As a result, the availability and accessibility of IPv6 addresses have improved significantly.

Another reason I focused my attention on IPv6 Covert Channels is the rising adoption of hybrid cloud setups in enterprises, which could represent an additional communication link that relies on IPv6-based communication.

What is a Covert Channel

A simple definition of covert channels is the following:

"A covert channel can be defined as any communication channel that can be exploited by a process to transfer information in a manner that violates the security policy of the system."

Covert channels in network protocols can in some respects be compared to steganography: both use a carrier to send hidden messages. The difference lies in the nature of the carrier itself. Classical techniques, in which the covert data hides in images, video, text or sound, rely on a carrier of unstructured nature, while a network covert channel's carrier is a network protocol, which is by nature a structured carrier.

In more detail, IPv6 Covert Channels work by embedding data within the IPv6 header or the IPv6 extension headers, which act as the carrier, by altering reserved or unused fields.

Adversarial model

From an attacker's perspective, covert channels are suitable during the Command and Control and Actions on Objectives phases of the attack kill chain. Once the attacker has gained access to a node, covert channels could be used to send any remote command to the victim machine or to exfiltrate data without being noticed by the Intrusion Detection System.

More formally we could also model the usage of a covert channel by using the Prisoners' Problem. Assume that Alice and Bob are two prisoners allowed to communicate only if Wendy, the warden, is able to check all the messages they exchange. The messages should look innocuous even if they contain useful information for planning their escape.

Prisoners' Problem

Covert Channels implemented

The tool is implemented in Python, and the covert channels are implemented via a combination of iptables commands, Netfilter Queue and Scapy. At a high level the tool works as follows:

  1. Writes an iptables rule that forwards all packets from a given source to a given destination into a Netfilter Queue.
  2. Binds the Netfilter Queue to a Python process that dequeues the packets, and
  3. Depending on the role of the process (sender or receiver), injects data into or extracts data from each packet using Scapy.

and it implements covert channels that exploit the following components of the IPv6 protocol:

  1. Flow Label
  2. Traffic Class
  3. Authentication Header
  4. Destination Options Header
  5. Routing Header
  6. Fragmentation Header
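
The tool described above alters these fields from a Netfilter queue with Scapy; the part a defender needs is the inspection side, the detections the tool exists to test. As an added example (my own code, not the post's tool or the IPv6CC code), here is a dependency-free Python inspector that parses raw IPv6 packets, walks the extension-header chain, and flags the indicators each of the six carriers leaves behind: a Flow Label or Traffic Class that changes within one flow (RFC 6437 says the label is zero or constant for a flow's lifetime), non-zero reserved bits in the Fragment header, a Type 0 Routing Header or a non-zero reserved field, PadN options in Hop-by-Hop/Destination Options that carry non-zero bytes, and the presence of an Authentication Header on a flow where no IPsec association is expected. The packets, flow labels and addresses (2001:db8::/32 documentation space) are constructed inline for the demonstration.

```python
# Added example, not part of the original post or its tool: a dependency-free IPv6
# header walker with detection heuristics for the carriers listed above (inline samples).
import struct
from collections import defaultdict
from ipaddress import IPv6Address

HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60   # IANA protocol numbers
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}

def check_options(opts: bytes, where: str) -> list:
    """Walk a Hop-by-Hop/Destination Options TLV list: PadN must be all zero bytes."""
    findings, i = [], 0
    while i < len(opts):
        otype = opts[i]
        if otype == 0:                      # Pad1: a single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            findings.append(f"{where}: truncated option")
            break
        olen = opts[i + 1]
        if otype == 1 and any(opts[i + 2:i + 2 + olen]):   # non-zero padding is a classic carrier
            findings.append(f"{where}: PadN padding carries non-zero bytes")
        i += 2 + olen
    return findings

def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed header, walk the extension chain, record per-packet findings."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    vtf, _plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    hdr = {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF, "ext": [],
           "src": IPv6Address(pkt[8:24]), "dst": IPv6Address(pkt[24:40]), "findings": []}
    off = 40
    while nh in EXT_HEADERS and off + 8 <= len(pkt):
        next_nh = pkt[off]
        if nh == FRAGMENT:                  # fixed 8 bytes: NH, reserved, offset|res|M, id
            length = 8
            if pkt[off + 1] or pkt[off + 3] & 0x06:   # reserved byte, 2 reserved bits by M
                hdr["findings"].append("fragment: reserved bits non-zero")
        elif nh == AH:                      # length in 4-octet units minus 2
            length = (pkt[off + 1] + 2) * 4
            hdr["findings"].append("ah: AH present, confirm an IPsec SA exists for this flow")
        else:                               # length in 8-octet units, excluding the first 8
            length = (pkt[off + 1] + 1) * 8
            body = pkt[off + 2:off + length]
            if nh == ROUTING:               # body = type, segments left, type-specific data
                if body[0] == 0:
                    hdr["findings"].append("routing: type 0 header (deprecated by RFC 5095)")
                if any(body[2:6]):          # 32-bit reserved field of type 0/2 headers
                    hdr["findings"].append("routing: reserved field non-zero")
            else:
                hdr["findings"] += check_options(body, "dstopts" if nh == DSTOPTS else "hopopt")
        hdr["ext"].append(nh)
        off, nh = off + length, next_nh
    hdr["upper"] = nh
    return hdr

def analyse_flows(packets: list) -> dict:
    """Group by (src, dst, upper protocol). RFC 6437: the flow label is 0 or constant for
    a flow's lifetime; the traffic class rarely changes per packet (ECN CE marking is the
    benign exception), so both checks are heuristics for an analyst to confirm."""
    flows = defaultdict(lambda: {"labels": set(), "tclass": set(), "findings": []})
    for raw in packets:
        h = parse_ipv6(raw)
        f = flows[(str(h["src"]), str(h["dst"]), h["upper"])]
        f["labels"].add(h["flow_label"])
        f["tclass"].add(h["traffic_class"])
        f["findings"] += h["findings"]
    for f in flows.values():
        if len(f["labels"]) > 1:
            f["findings"].append("flow label changes within one flow")
        if len(f["tclass"]) > 1:
            f["findings"].append("traffic class changes within one flow")
    return dict(flows)

def build(src, dst, *, flow_label=0, tclass=0, ext=(), upper=17, payload=b""):
    """Construct a sample packet; ext = [(header number, bytes after the NH byte), ...]."""
    chain = b""
    for i, (_num, body) in enumerate(ext):
        chain += bytes([ext[i + 1][0] if i + 1 < len(ext) else upper]) + body
    vtf = (6 << 28) | (tclass << 20) | flow_label
    fixed = struct.pack("!IHBB", vtf, len(chain) + len(payload), ext[0][0] if ext else upper, 64)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + chain + payload

A, B, C = "2001:db8::10", "2001:db8::20", "2001:db8::30"   # constructed addresses
SAMPLE = [
    build(A, B, flow_label=0x12345),                   # benign: constant label, no ext headers
    build(A, B, flow_label=0x12345),
    build(B, A, flow_label=0x41, tclass=0x43),         # label and traffic class vary per packet
    build(B, A, flow_label=0x42, tclass=0x44),
    build(A, C, ext=[(FRAGMENT, b"\x41\x00\x00\x00\x00\x00\x01")]),   # reserved byte = 0x41
    build(A, C, ext=[(DSTOPTS, b"\x00\x01\x04ABCD")]),                 # PadN carrying "ABCD"
]

if __name__ == "__main__":
    for key, f in analyse_flows(SAMPLE).items():
        print(key, f["findings"] or "clean")
```

The same per-packet checks can be run over a pcap, or placed in the receiving-side Netfilter-queue callback the tool uses, to confirm that a monitoring point actually sees the altered fields rather than only the reassembled transport payload. The flow-level checks are deliberately heuristic: a few hosts legitimately randomise the Flow Label per connection rather than per flow, and ECN marking can change the Traffic Class mid-flow, so they are alert candidates for an analyst, not verdicts.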