Methodology for the identification of potential security issues of different IPv6 transition technologies: Threat analysis of DNS64 and stateful NAT64

Abstract

We are faced with the transition from IPv4 to IPv6, which will last for several years or possibly decades. There are different IPv6 transition technologies, which enable the communication between hosts using the two incompatible versions of the Internet Protocol in various scenarios, but they also involve additional security issues. In this paper, we develop a methodology for the identification of potential security issues of different IPv6 transition technologies and their implementations based on the STRIDE approach and its application to IPv6 transition technologies. Our methodology includes the application of the STRIDE approach at two levels: the level of the individual IPv6 transition technologies and the level of their selected implementations. We demonstrate the operation and viability of our methodology by the detailed threat analysis of the DNS64 technology, and we prove the necessity of the implementation level analysis with several examples. We also include the most interesting highlights of the security analysis of the stateful NAT64 IPv6 transition technology. We also make a survey of the published vulnerabilities of DNS64 and NAT64 in different research papers and show the effectiveness of our systematic method by uncovering the threats of DNS64 and NAT64. Finally, we point out the need for the in-depth security analysis of the DNS64 technology and its most important implementations.