== Howto

Super easy IPv6 connectivity:

 # apt-get install miredo

(Works with no further configuration.) http://www.debian-administration.org/articles/621

Allow/block IPv6:

 # ip6tables -P INPUT ACCEPT
 # ip6tables -P OUTPUT ACCEPT
 # ip6tables -P INPUT DROP
 # ip6tables -P OUTPUT DROP

Set an address and netmask on an interface:

 # ip addr add 1234:5678::123/64 dev eth0

Add a default gateway:

 # ip route add ::/0 via 1234:5678::1 dev eth0

Add a route:

 # ip route add aaaa:bbbb::/64 via 1234:5678::aabb dev eth0

List routes:

 # route -n -A inet6

Nmap currently requires you to have a gateway address set on the IPv6 interface you want to use. The default tunnelbroker.net instructions don't set such a gateway, but you can add one like this:

 ip route del ::/0 dev he-ipv6
 ip route add ::/0 dev he-ipv6 via 2001:470:XXXX:XXXX::1

== /etc/network/interfaces setup

/etc/network/interfaces for a tunnelbroker.net tunnel:

 auto he-ipv6
 iface he-ipv6 inet6 v4tunnel
     address ::2
     netmask 64
     endpoint
     local
     ttl 255
     gateway ::1

How to refresh a tunnelbroker.net tunnel for a new external IP:

 https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=$(md5sum )&user_id=&tunnel_id=

is a 32-byte hex string (not the same as your user ID) and is a decimal number.

== Routing

Use a tunnelbroker.net routed /64 tunnel. tunnelbroker.net gives you two IPv6 endpoints in a /48, plus a /64 (on a slightly different subnet) that you can route through it. The address prefixes differ very slightly; this difference is in bold on the tunnel info page. (For instance, my /48 starts with 2001:470:1f04 and my /64 starts with 2001:470:1f05.)

Here are instructions to set up a Linux host to route for a virtual machine guest running on it.

Turn your main interface into a bridge, and add your eth0 to it. Add this to /etc/network/interfaces:

 auto br0
 iface br0 inet static
     address
     netmask 255.255.255.0
     gateway
     bridge_ports eth0
     bridge_fd 9
     bridge_hello 2
     bridge_maxage 12
     bridge_stp off
     ip addr add ::1/48 dev br0

Comment out your normal eth0 config. Then run

 # ifup br0

Enable IPv6 forwarding:

 # echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Set up the interface that will bridge the connections from the VM. In QEMU, make a qemu-ifup.sh script containing:

 #!/bin/sh
 /sbin/ifconfig $1 0.0.0.0 promisc up
 /sbin/brctl addif br0 $1
 sleep 2

Then inside the VM, assign another address from the /48 and make ::1 the gateway.

== Ideas for OS detection

* Presence/absence of extension headers, particularly AH and ESP.
* High-order bits of options within hop-by-hop and destination extension headers (UNP p. 720):
** 00: Ignore option
** 01: Discard packet
** 10: Discard and send ICMP
** 11: Discard and send ICMP (multicast only)
*: The high-order bits are not independent of the low-order bits; all 8 bits make up the type field. But maybe some implementations treat them as independent. This would make it possible to enumerate supported options.
* Wrongly aligned options.
* Duplicate/contradictory options.
* Order of extension headers. RFC 2460 section 4 has a recommended order.
* Flow label. Use is unspecified; might be echoed or not.
* Might need to support IPsec, like we do OpenSSL.
* Neighbor Discovery Protocol (NDP).
* RFC 4884 ICMPv6 extension objects (presence/absence of, and contents).

Goals:

* See if existing IPv4 tests can be reused for IPv6.
* Build a sample of one-hop IPv6 fingerprints.
* Build a sample of over-Internet IPv6 fingerprints; see which tests degrade.
* Develop new IPv6 tests; test their effectiveness.

== Ideas for host discovery

* RFC 5157 "IPv6 Implications for Network Scanning" http://tools.ietf.org/html/rfc5157
** Suggests sequential scanning starting with [prefix]::1 (section 2.3).
** Also using common Ethernet vendor IDs; reduces the search space to 24 bits per ID when the prefix is known (section 2.3).
* Neighbor Discovery Protocol (NDP).
* Standardized multicast addresses (like router or time servers) for same-LAN host discovery (likely protocol-specific payloads like UDP payloads). We can have potentially dozens or hundreds of these; with multicasting it's still few packets compared to pinging each address. http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xml
** ff01::1 interface-local all nodes
** ff02::1 link-local all nodes
** ff01::2 interface-local all routers
** ff02::2 link-local all routers
** ff05::2 site-local all routers
** ff0x::c SSDP
** ff0x::f UPnP
** ff0x::fb multicast DNS
** ff0x::108 NIS
** ff0x::1:2 all DHCP servers on local network (RFC 3315)
* ping6 -I eth0 ff02::1
* ping6 -a option. Sends an ICMPv6 Node Information query for Node Addresses; may get different classes of addresses.
* If an IPv6 address can be found somehow (like through snmp-interfaces or DNS), try scanning topologically close addresses.
* A node is required to reject any Next Header it does not understand with an ICMP Parameter Problem, code 1.
* The alive6 tool sends
*# ICMPv6 echo request to ff02::1.
*# Invalid extension header (0x80) followed by ICMP echo request to ff02::1.
*# Hop-by-hop header followed by ICMP echo request to ff02::1.
* Possibly get MAC addresses through stateless address autoconfiguration.
* IPv4-mapped or -compatible addresses.
* Use a Router Advertisement to force address auto-configuration, then monitor for host advertisements.
** http://www.metasploit.com/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
** http://wuntee.blogspot.com/2010/11/ipv6-link-local-host-discovery-concept.html

== Other tools

SinFP http://www.gomor.org/sinfp http://www.gomor.org/files/sinfp-jcv.pdf

Can match IPv6 responses against IPv4 fingerprints, using the following mapping (section 3.2 of sinfp-jcv.pdf):

 IPv4 ID  -> IPv6 flow label
 IPv4 TTL -> IPv6 hop limit
 IPv4 DF  -> IPv6 traffic class

IPv6 attack tools suite http://freeworld.thc.org/thc-ipv6/

Scapy http://www.secdev.org/projects/scapy/

Great for prototyping and building packets. Example (Scapy has no generic ICMPv6 layer, so an echo request is used):

 >>> send(IPv6(fl=0xabcde, dst="::1")/ICMPv6EchoRequest())

== RFCs

* RFC 2460 "Internet Protocol, Version 6 (IPv6)" http://tools.ietf.org/html/rfc2460
* RFC 3542 "Advanced Sockets Application Program Interface (API) for IPv6" http://tools.ietf.org/html/rfc3542
* RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6)" http://tools.ietf.org/html/rfc4443
* RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)" http://tools.ietf.org/html/rfc4861
* RFC 4942 "IPv6 Transition/Coexistence Security Considerations" http://tools.ietf.org/html/rfc4942
* RFC 5157 "IPv6 Implications for Network Scanning" http://tools.ietf.org/html/rfc5157

== Papers

IPv6 Host Fingerprint http://faculty.nps.edu/xie/theses/06Sep_Nerakis.pdf

A master's thesis. It evaluates Nmap's IPv4 detection probes (section IV. B.) against IPv6 stacks (section IV. D.). It also proposes new IPv6-only probes (section V. A.) and tests a small number of them (section V. B.). It appears that the richest source of new fingerprinting techniques, apart perhaps from new protocols like ICMPv6, is extension headers.

IPv6 Neighbor Discovery Protocol based OS Fingerprinting http://hal.inria.fr/docs/00/16/99/90/PDF/technical_report_fingerprinting.pdf

A tool called osfinger6 uses NDP differences exclusively. It can distinguish different OSes, but not, for example, Linux 2.4 from Linux 2.6.

Toward Undetected Operating System Fingerprinting http://www.usenix.org/events/woot07/tech/full_papers/greenwald/greenwald.pdf

Has a section on measuring information gain to evaluate OS probes.

A Hybrid Approach to Operating System Discovery using Answer Set Programming http://ieeexplore.ieee.org/iel5/4258513/4258514/04258556.pdf?tp=&isnumber=&arnumber=4258556

I don't remember why I had this one marked.

== Links

Kris's SGoC RFC http://seclists.org/nmap-dev/2008/q1/458
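As an added worked example (not code from this page or from Nmap) for the option-type bits under "Ideas for OS detection" and the unknown-Next-Header rule under "Ideas for host discovery": a small Python model of how an RFC 2460 conforming receiver walks the Hop-by-Hop/Destination Options chain and decides whether to deliver a packet, drop it silently, or drop it and answer with an ICMPv6 Parameter Problem (code 1 for an unknown Next Header, code 2 for an unknown option). It follows the RFC 2460 section 4.2 text, where type bits 11 send ICMP only when the destination is not multicast, so it can be used to check which of the probes listed above a conforming stack should answer; the constants, function names and the constructed test packets are my own.

```python
HOP_BY_HOP, DEST_OPTS = 0, 60                 # extension headers this toy receiver parses itself
UNDERSTOOD = {6, 17, 58, 43, 44, 50, 51}      # TCP, UDP, ICMPv6, Routing, Fragment, ESP, AH
KNOWN_OPTIONS = {0, 1}                        # Pad1, PadN (RFC 2460 section 4.2)
PP_UNKNOWN_NEXT_HEADER, PP_UNKNOWN_OPTION = 1, 2  # ICMPv6 Parameter Problem codes (RFC 4443)

def unknown_option_action(opt_type, multicast_dst):
    """RFC 2460 section 4.2: for an unrecognised option the two high-order bits of the
    8-bit type say what to do: 00 skip, 01 discard, 10 discard and send ICMP,
    11 discard and send ICMP only if the destination address is not multicast."""
    action = ("skip", "discard", "discard+icmp", "discard+icmp")[opt_type >> 6]
    return "discard" if opt_type >> 6 == 0b11 and multicast_dst else action

def parse_options(body, multicast_dst):
    """Walk the TLV options of a Hop-by-Hop or Destination Options header body."""
    actions, i = [], 0
    while i < len(body):
        opt_type = body[i]
        if opt_type == 0:                         # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(body):                    # length byte missing: malformed, drop
            return actions + [(opt_type, "discard")]
        known = opt_type in KNOWN_OPTIONS
        actions.append((opt_type, "known" if known else unknown_option_action(opt_type, multicast_dst)))
        i += 2 + body[i + 1]
    return actions

def process_packet(pkt):
    """Return ("deliver", next_header) or ("drop", reason, icmpv6_code_or_None)."""
    if len(pkt) < 40:
        return ("drop", "truncated header", None)
    nh, multicast, off = pkt[6], pkt[24] == 0xFF, 40   # Next Header byte; dst address at 24..39
    while nh in (HOP_BY_HOP, DEST_OPTS):
        if off + 2 > len(pkt):
            return ("drop", "truncated extension header", None)
        next_nh, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8
        for opt_type, action in parse_options(pkt[off + 2:off + hdr_len], multicast):
            if action.startswith("discard"):
                code = PP_UNKNOWN_OPTION if action == "discard+icmp" else None
                return ("drop", "option 0x%02x" % opt_type, code)
        nh, off = next_nh, off + hdr_len
    if nh not in UNDERSTOOD:                      # e.g. the invalid Next Header 0x80 alive6 sends
        return ("drop", "next header %d" % nh, PP_UNKNOWN_NEXT_HEADER)
    return ("deliver", nh)

def build_ipv6(next_header, payload, multicast_dst=False):
    """Constructed test packet: minimal IPv6 header, src ::, dst ::1 (or ff02::1)."""
    dst = (b"\xff\x02" + bytes(13) + b"\x01") if multicast_dst else bytes(15) + b"\x01"
    return (b"\x60\x00\x00\x00" + len(payload).to_bytes(2, "big")
            + bytes([next_header, 64]) + bytes(16) + dst + payload)
```

Feeding it the three alive6 probe shapes shows the expected answers: a plain echo request is delivered, the Next Header 0x80 variant is dropped with Parameter Problem code 1, and a hop-by-hop header is delivered or dropped depending on the option types it carries.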