Overview

Deploying an IPv6 network ensures better security. It is safe against the security attacks that prevailed in IPv4. However, the appearance of new or mutated anomalous traffic during IPv6 deployment cannot be ruled out. Several anomalous traffic patterns make use of ICMPv6, IPv6 extension headers and IPv6-over-IPv4 tunneling. Such anomalies can be observed through traffic monitors.

IPv6 traffic monitors are spy tools that help in watching IPv6 network activity in real time. They analyze the network, examine LAN usage and monitor IPv6 traffic between the LAN and the Internet. Some IPv6 traffic monitors allow intercepting, displaying, recording, and analyzing the data exchanged over IP connectivity. They are also used for security purposes, to detect restricted user activity.


  • NetFlow – defined by Cisco Systems, NetFlow version 9 is an IP flow-based traffic accounting protocol used to support various applications such as usage-based billing, traffic analysis, and capacity planning. It is the basis for the IPFIX (IP Flow Information Export) protocol standardized by the IETF.
  • IP Packet Sniffer – is either hardware or software that intercepts and reports traffic information over a digital network. It captures each packet and analyzes its content based on RFC specifications.

  • AS-path-tree – performs IPv6 network operation analysis based on the BGP routing table of IPv6 routers running BGP. It supports Cisco/Juniper/Zebra routers. It automatically generates HTML pages giving a graphical view of IPv6 routing paths. It also provides information on the anomalous route entries notified through BGP, and gives details about the AS in the table, active AS paths, active BGP neighbors, network size analysis, and circulating prefixes. AS-path-tree is useful in network routing engineering.
  • IPFlow – is a collector for NetFlow versions v1, v5, v6, v7, v8 and v9. It displays flow statistics and supports logging flow data to disk, data aggregation, port scan detection, and more.
  • Mping – performs mping on multiple hosts that are listed by a traceroute command and gives better statistical information than traceroute. It presents information through percentiles, SDV statistics, sorted reports, and histograms. It can ping multiple hosts, including IPv4 and IPv6 hosts, in round-robin order.
  • Tele Traffic Tapper – a descendant of tcpdump, is an IP network traffic monitoring tool. It reports real-time and remote traffic-monitoring results in graphical formats.
  • RIPE TT Server – gathers statistics such as packet delay and loss, traceroutes, etc., between any pair of deployed TT servers.
  • Cricket – monitors trends in time series data. It helps network managers to visualize and understand the traffic on their networks.
  • Multi Router Traffic Grapher (MRTG) – monitors traffic load on network links and generates its graphical representation.
  • Argus – is an application that monitors systems and networks. Its version 3.2 has IPv6 support and monitors anything it is asked to. It has built-in email alert notifications, which are resent until they are acknowledged.
  • Ethereal – is an IPv6 packet analyzer that is used to develop and troubleshoot IPv6 applications. It is free and runs on many platforms.
  • Multicast Beacon – monitors the parameters of multicast traffic. Some of these parameters are packet loss, delay, jitter, duplicate etc.
  • Pchar – is a tool that characterizes bandwidth, latency and loss of links throughout the network. It measures the characteristics of the network path on an IPv6 network.
  • Iperf – is used to check the bandwidth availability on an end-to-end path.
  • ntop – probes network traffic and reports the network usage.
  • Nagios – is a host service monitor that reports any network problem. It runs intermittent checks on hosts using some external plugins. Whenever a problem is recognized, it sends out notifications to all administrative contacts.


There are many advantages of IPv6 traffic monitors. Some of them are given below.

  • Analyze and report IP network problems
  • Early detection of network intrusion attempts
  • IPv6 DoS attack mitigation
  • Stateful inspection of IPv6 packets at various levels
  • Spy on Internet communications
  • Monitor IP network usage
  • Debug any IP network software and hardware
  • Research the functionality and behavior of any third-party software and hardware
  • Implement, debug and test IPv6
  • Analyze and reverse engineer protocols
  • Record and replay logs while debugging IPv6
  • Gather and report IPv6 network statistics
  • Filter suspect and unwanted content from network traffic.


IPsec adds a significant level of security to IPv6. Its use is mandatory in IPv6, and it has enhancements that provide authenticity, integrity, confidentiality and access control for each IP packet through the use of two new headers: AH (Authentication Header) and ESP (Encapsulating Security Payload). Many threats still remain as issues in IP networking.

  • IPv6 supports new multicast addresses that allow an adversary to identify key resources on a network and attack them. To avoid this, privacy extensions must be implemented carefully. Using internal filters can prevent attacks.
  • By using local unicast addressing, an enterprise automatically denies inbound and outbound access for enterprise-only services.
  • Only three top-level aggregation identifiers (TLAs) in IPv6 have been allocated so far, which enables ACLs to permit only these ranges.
  • At network firewalls, upper layer information is not visible if IPsec with encryption is used, but distributed firewalls can see the packet after decryption.
  • As all IPv6 endpoints accept IPv6 packets with a routing header, validation can be applied in operating systems so that they do not forward packets that have a routing header.
  • As IPv6 addresses are globally aggregated, it is easy to deploy spoof mitigation at aggregation points.
  • To avoid amplification attacks, filtering of packets with IPv6 multicast source/destination addresses can be implemented.
  • To avoid worm attacks, best practices of IPv4 are retained. As hybrids and pure worms depend on internet scanning to infect other hosts, the chances of finding the first host for attacks are rare or none.
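
The routing-header and multicast-source filters listed above, and the IPv6-over-IPv4 tunneling pattern mentioned in the overview, can all be checked directly on raw packet bytes. The following Python is an added example, not part of the original page or of any tool listed on it; the function names, finding labels and sample packets are constructed for illustration.

```python
import ipaddress
import struct

ROUTING, FRAGMENT = 43, 44
EXT_HEADERS = {0, ROUTING, FRAGMENT, 60}  # 0 = hop-by-hop, 60 = destination options
IPV6_IN_IPV4 = 41  # IPv4 protocol number carrying an encapsulated IPv6 packet


def inspect_ipv6(pkt):
    """Return filter findings for one raw IPv6 packet (empty list = clean)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["malformed"]
    findings = []
    if ipaddress.IPv6Address(pkt[8:24]).is_multicast:  # never valid as a source
        findings.append("multicast-source")
    nxt, off = pkt[6], 40  # first Next Header value, end of the fixed header
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            findings.append("truncated-extension-header")
            break
        if nxt == ROUTING:
            findings.append(f"routing-header-type-{pkt[off + 2]}")
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8  # fragment is fixed-size
        nxt, off = pkt[off], off + size
    return findings


def inspect_ipv4(pkt):
    """Flag IPv6-over-IPv4 tunneling and inspect the inner IPv6 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["malformed"]
    if pkt[9] != IPV6_IN_IPV4:
        return []
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    return ["ipv6-in-ipv4-tunnel"] + inspect_ipv6(pkt[ihl:])


def ipv6_packet(src, dst, next_header, payload=b""):
    """Build a sample IPv6 packet (helper for the constructed inputs below)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


# Constructed samples using the 2001:db8::/32 and 192.0.2.0/24 documentation ranges.
RH0 = bytes([59, 2, 0, 1, 0, 0, 0, 0]) + ipaddress.ip_address("2001:db8::2").packed
ROUTED = ipv6_packet("2001:db8::1", "2001:db8::3", ROUTING, RH0)
MCAST_SRC = ipv6_packet("ff02::1", "2001:db8::3", 59)
TUNNELED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ROUTED), 0, 0, 64,
                       IPV6_IN_IPV4, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ROUTED
```

A monitor or filter would call `inspect_ipv6` or `inspect_ipv4` on each captured packet and drop or log any packet with a non-empty result.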