IPv6 Address Fast Scanning Technology for Dual-Stack Nodes Based on Host Identifier Association

Introduction

The exhaustion of IPv4 addresses has necessitated the global transition to IPv6 networks. As of 2023, IPv6 deployment has reached 36.5%, with a significant increase in IPv6-capable devices. However, the vast address space of IPv6 (128 bits compared to IPv4’s 32 bits) presents challenges for traditional scanning techniques. In particular, Apple ecosystem operating systems (macOS, iOS, and iPadOS) enhance user privacy by employing random interface identifiers and temporary IPv6 addresses, making conventional IPv6 scanning methods ineffective.

Existing IPv6 scanning techniques fall into two categories: remote-link scanning and local-link scanning. Remote-link scanning focuses on reducing the address search space through statistical or predictive methods, while local-link scanning leverages protocol interactions to discover active IPv6 addresses. However, current local-link scanning methods struggle with Apple devices due to their unique protocol support and firewall configurations.

This paper introduces HScan6, a novel IPv6 address scanning technology that leverages host identifier association in dual-stack (IPv4/IPv6) environments. By utilizing DNS Service Discovery (DNS-SD) and multicast DNS (mDNS) protocols, HScan6 efficiently discovers IPv6 addresses for Apple devices, including both desktop and mobile versions.

Background and Challenges

IPv6 Address Privacy in Apple Ecosystem

Apple’s operating systems enhance privacy by:

  1. Random Interface Identifiers (IIDs): Unlike traditional EUI-64 addressing, Apple devices generate random IIDs to prevent tracking.
  2. Temporary IPv6 Addresses: Devices frequently rotate temporary global unicast addresses, complicating long-term host identification.

These privacy features render conventional IPv6 scanning techniques ineffective, as they rely on predictable address patterns or direct protocol interactions that Apple’s firewalls often block.

Limitations of Existing IPv6 Scanning Techniques

  1. Remote-Link Scanning:
    • Statistical Methods: Rely on common IID patterns (e.g., low-byte embedding, EUI-64), which fail against randomized IIDs.

    • Predictive Methods: Use machine learning or heuristic algorithms to guess active addresses, but struggle with high randomness.

  2. Local-Link Scanning:
    • IPv6 Single-Stack Methods: Techniques like Multicast Ping6 (MP6) and Stateless Address Autoconfiguration (SLAAC) scanning are often blocked by firewalls.

    • Dual-Stack Association Methods: Tools like LLMNR6 and LinkScan6 depend on NetBIOS or LLMNR protocols, which Apple devices do not support.

These limitations result in incomplete IPv6 address detection, particularly for Apple mobile devices (iOS/iPadOS).
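The IID patterns named under statistical methods can be checked against your own address inventory. The following is an added example, not code from the paper: it labels each address's interface identifier as EUI-64, low-byte, or opaque, and recovers the embedded MAC where one exists. The host names and addresses are constructed, and the 16-bit low-byte threshold is an assumption.

```python
import ipaddress

def classify_iid(addr):
    """Return (scope, pattern, mac) for one IPv6 address.

    pattern is 'eui64', 'low-byte' or 'opaque'; mac is set only for eui64.
    """
    ip = ipaddress.IPv6Address(addr.split("%")[0])    # drop any zone id
    scope = "link-local" if ip.is_link_local else "non-link-local"
    iid = ip.packed[8:]                               # low 64 bits
    if iid[3:5] == b"\xff\xfe":
        # EUI-64: MAC split around ff:fe with the universal/local bit flipped
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        return scope, "eui64", ":".join(f"{b:02x}" for b in mac)
    if int.from_bytes(iid, "big") <= 0xFFFF:          # assumed low-byte threshold
        return scope, "low-byte", None
    return scope, "opaque", None                      # e.g. randomized or temporary

def audit(inventory):
    """Map host -> [(address, pattern)] for IIDs that are predictable."""
    report = {}
    for host, addrs in inventory.items():
        weak = [(a, classify_iid(a)[1]) for a in addrs
                if classify_iid(a)[1] != "opaque"]
        if weak:
            report[host] = weak
    return report

# Constructed inventory (documentation prefix 2001:db8::/32, made-up hosts)
INVENTORY = {
    "printer-1": ["fe80::211:22ff:fe33:4455", "2001:db8:0:1::10"],
    "laptop-7": ["fe80::a1b2:c3d4:e5f6", "2001:db8:0:1:9c4e:7b1a:52d3:e08f"],
}

if __name__ == "__main__":
    for host, weak in audit(INVENTORY).items():
        print(host, weak)
```

An "opaque" label only means the IID matches neither predictable pattern; it does not prove the value is random.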

HScan6: Host Identifier-Based IPv6 Scanning

HScan6 addresses these challenges by exploiting the shared host identifier between IPv4 and IPv6 stacks in Apple devices. The methodology consists of four key modules:

  1. IPv4 Active Address Detection

HScan6 begins by identifying active IPv4 hosts using ARP scanning, which is resilient to firewall restrictions. Unlike ICMP or TCP-based scans, ARP is fundamental to IPv4 networking and is rarely blocked. The scanner sends ARP requests across the local subnet and records responses to build a list of active IPv4-MAC address pairs.

  2. Host Identifier Discovery via DNS-SD

Apple devices advertise services using DNS Service Discovery (DNS-SD), a zero-configuration protocol. HScan6 queries each active IPv4 host for service records (e.g., _services._dns-sd._udp.local) to retrieve:
• Service names (e.g., _airplay._tcp.local).

• Host identifiers (e.g., MacBook-Pro.local), which are unique per device.

This step bridges IPv4 and IPv6 by associating IPv4 addresses with host identifiers.

  3. IPv6 Address Resolution via mDNS

With host identifiers obtained, HScan6 uses multicast DNS (mDNS) to resolve IPv6 addresses. Apple devices respond to mDNS queries with their full IP configuration, including:
• Link-local addresses (e.g., fe80::a1b2:c3d4:e5f6).

• Global unicast addresses (both permanent and temporary).

Unlike LLMNR, which Apple devices ignore, mDNS is natively supported across macOS, iOS, and iPadOS.

  4. IPv6 Address Classification and Completion

To distinguish between permanent and temporary IPv6 addresses, HScan6 exploits ICMPv6 error reporting:

  1. It sends malformed ICMPv6 packets to the all-nodes multicast address (ff02::1).
  2. Devices respond with error messages sourced from their temporary IPv6 addresses, allowing the scanner to classify addresses accordingly.

This step ensures complete detection of all IPv6 addresses per host.
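From a monitoring point of view, modules 2 and 3 leave a recognizable trace: one source sends the DNS-SD enumeration query to many individual hosts, then resolves AAAA records for .local names. The following detection sketch is an added example, not part of HScan6 or the paper. The record format, thresholds, and sample events are constructed, and it assumes the per-host queries are unicast to UDP port 5353.

```python
from collections import defaultdict

META_QUERY = "_services._dns-sd._udp.local"   # DNS-SD service enumeration name
MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}     # normal mDNS multicast destinations

def find_sweepers(events, window=30.0, min_targets=5):
    """Flag sources that send the DNS-SD enumeration query to many unicast
    hosts within `window` seconds; report follow-up AAAA lookups as context."""
    sweeps = defaultdict(list)     # src -> [(time, unicast dst)]
    aaaa = defaultdict(set)        # src -> {.local names queried for AAAA}
    for ts, src, dst, qtype, qname in events:
        name = qname.rstrip(".").lower()
        if qtype == "PTR" and name == META_QUERY and dst not in MDNS_GROUPS:
            sweeps[src].append((ts, dst))
        elif qtype == "AAAA" and name.endswith(".local"):
            aaaa[src].add(name)
    findings = {}
    for src, hits in sweeps.items():
        hits.sort()
        lo, best = 0, 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:   # slide window start
                lo += 1
            best = max(best, len({d for _, d in hits[lo:hi + 1]}))
        if best >= min_targets:
            findings[src] = {"targets": best, "aaaa_names": len(aaaa[src])}
    return findings

# Constructed UDP/5353 query records: (time_s, src, dst, qtype, qname)
EVENTS = (
    [(i * 0.1, "192.0.2.50", f"192.0.2.{10 + i}", "PTR", META_QUERY)
     for i in range(6)]
    + [(2 + i * 0.1, "192.0.2.50", "224.0.0.251", "AAAA", f"host-{i}.local")
       for i in range(6)]
    + [(1.0, "192.0.2.20", "224.0.0.251", "PTR", META_QUERY),   # ordinary browsing
       (1.5, "192.0.2.20", "224.0.0.251", "AAAA", "printer.local")]
)

if __name__ == "__main__":
    print(find_sweepers(EVENTS))
```

The ordinary client at 192.0.2.20 is not flagged because its enumeration query goes to the multicast group rather than to individual hosts.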

Experimental Evaluation

Test Environment

HScan6 was tested in a controlled network with:
• 4 macOS versions (10, 11, 12, 13).

• 6 mobile OS versions (iOS 15–17, iPadOS 15–17).

• Comparison against Nmap scripts (MP6, SLAAC, MLD, IEH) and dual-stack tools (LLMNR6, LinkScan6).

Key Findings

  1. Superior Completeness:
    • HScan6 detected 30 IPv6 addresses (3 per device), while Nmap scripts found only 10–20.

    • LLMNR6 and LinkScan6 failed entirely due to lack of Apple protocol support.

  2. Mobile Device Support:
    • HScan6 successfully discovered IPv6 addresses for all iOS/iPadOS devices, whereas other tools either missed mobile devices or detected only link-local addresses.

  3. Address Classification:
    • HScan6 uniquely identified permanent vs. temporary global unicast addresses, a feature absent in other tools.

Conclusion

HScan6 represents a significant advancement in IPv6 scanning by:

  1. Leveraging host identifier association to overcome privacy protections in Apple devices.
  2. Supporting mobile devices via DNS-SD and mDNS, which are universally enabled in Apple ecosystems.
  3. Achieving higher completeness by classifying permanent and temporary addresses using ICMPv6.

Future work includes optimizing packet processing for faster scans and extending support to IPv6-only environments.

doi.org/10.19734/j.issn.1001-3695.2024.04.0152
