Your Router is My Prober: Measuring IPv6 Networks via ICMP Rate Limiting Side Channels

TL;DR

This paper introduces iVantage, a novel technique leveraging ICMP rate limiting side channels to measure IPv6 network deployment and reachability from a single vantage point, enabling large-scale, remote network analysis.

Contribution

We propose iVantage, a new method exploiting ICMP rate limiting side channels to perform large-scale IPv6 network measurements without multiple vantage points or target control.

Findings

Measured ~50% of IPv6 ASes for ISAV vulnerabilities.

Found ~79% of IPv6 ASes vulnerable to spoofing.

Achieved over 80% accuracy in reachability measurements.

Abstract

Active Internet measurements face challenges when some measurements require many remote vantage points. In this paper, we propose a novel technique for measuring remote IPv6 networks via side channels in ICMP rate limiting, a required function for IPv6 nodes to limit the rate at which ICMP error messages are generated. This technique, iVantage, can to some extent use 1.1M remote routers distributed in 9.5k autonomous systems and 182 countries as our "vantage points". We apply iVantage to two different, but both challenging measurement tasks: 1) measuring the deployment of inbound source address validation (ISAV) and 2) measuring reachability between arbitrary Internet nodes. We accomplish these two tasks from only one local vantage point without controlling the targets or relying on other services within the target networks. Our large-scale ISAV measurements cover ~50% of all IPv6 autonomous systems and find ~79% of them are vulnerable to spoofing, which is the most large-scale measurement study of IPv6 ISAV to date. Our method for reachability measurements achieves over 80% precision and recall in our evaluation. Finally, we perform an Internet-wide measurement of the ICMP rate limiting implementations, present a detailed discussion on ICMP rate limiting, particularly the potential security and privacy risks in the mechanism of ICMP rate limiting, and provide possible mitigation measures. We make our code available to the community.