Revisiting and Expanding the IPv6 Network Periphery: Global-Scale Measurement and Security Analysis

TL;DR

This paper provides a comprehensive, large-scale security assessment of IPv6 network peripheries worldwide, revealing persistent vulnerabilities, service exposures, routing issues, and security weaknesses in deployed systems.

Contribution

It introduces a novel Response-Guided Prefix Selection strategy and a Hierarchical LLM Exposure Verification framework for large-scale IPv6 security measurement and analysis.

Findings

Identified over 281.9 million active IPv6 peripheries globally, a 371.2% increase since 2021.

Found 2.5% of reachable services are dangerously exposed, including outdated interfaces.

Revealed 4.5 million routing responses prone to loops, indicating widespread routing vulnerabilities.

Abstract

As IPv6 deployment accelerates, understanding the evolving security posture of network peripheries becomes increasingly important. A DSN 2021 study introduced the first large-scale discovery of IPv6 network peripheries, uncovering risks like service exposure and routing loops. However, its scope was limited to three regions and is now outdated. In this paper, we revisit and significantly expand upon that work, presenting a comprehensive, up-to-date security assessment of IPv6 network peripheries. To support efficient large-scale scanning, we propose a novel Response-Guided Prefix Selection (RGPS) strategy to identify high-value IPv6 prefixes for probing. Our global-scale measurement covers 73 countries/regions and identifies over 281.9M active IPv6 network peripheries, including a 371.2% increase (245M) over the 52M reported in 2021 for India, China, and America. Our service exposure analysis shows that 2.5% of reachable services are still dangerously exposed, including outdated administrative interfaces and misconfigured servers, while correlation with known CVEs reveals recurring software vulnerabilities. Building on this service-exposure perspective, we further design a Hierarchical LLM Exposure Verification (HLEV) framework to identify unauthorized-access risks in exposed LLM deployment tools, revealing multiple security weaknesses caused by insecure default configurations and missing authentication. Additionally, we revisit routing loop vulnerabilities and identify 4.5M loop-prone responses, confirming that flawed routing behaviors remain widespread across vendors and countries/regions. These findings suggest that while IPv6 adoption has surged, key security challenges persist and are structurally embedded.