When Cellular Networks Met IPv6: Security Problems of Middleboxes in IPv6 Cellular Networks

Hyunwook Hong, Hyunwoo Choi, Dongkwan Kim, Hongil Kim, Byeongdo Hong, Jiseong Noh, and Yongdae Kim
Korea Advanced Institute of Science and Technology
{hyunwook.h, zemisolsol, dkay, hongilk, byeongdo, jiseong.noh, yongdaek}@kaist.ac.kr

Abstract—Recently, cellular operators have started migrating to IPv6 in response to the increasing demand for IP addresses. With the introduction of IPv6, cellular middleboxes, such as firewalls for preventing malicious traffic from the Internet and stateful NAT64 boxes for providing backward compatibility with legacy IPv4 services, have become crucial to maintain stability of cellular networks. This paper presents security problems of the currently deployed IPv6 middleboxes of five major operators. To this end, we first investigate several key features of the current IPv6 deployment that can harm the safety of a cellular network as well as its customers. These features combined with the currently deployed IPv6 middlebox allow an adversary to launch six different attacks. First, firewalls in IPv6 cellular networks fail to block incoming packets properly. Thus, an adversary could fingerprint cellular devices with scanning, and further, she could launch denial-of-service or over-billing attacks. Second, vulnerabilities in the stateful NAT64 box, a middlebox that maps an IPv6 address to an IPv4 address (and vice versa), allow an adversary to launch three different attacks: 1) NAT overflow attack that allows an adversary to overflow the NAT resources, 2) NAT wiping attack that removes active NAT mappings by exploiting the lack of TCP sequence number verification of firewalls, and 3) NAT bricking attack that targets services adopting IP-based blacklisting by preventing the shared external IPv4 address from accessing the service. We confirmed the feasibility of these attacks with an empirical analysis.
We also propose effective countermeasures for each attack.

1. Introduction

The increasing popularity of mobile devices such as smartphones and tablets enables a great number of users to enjoy cellular data services. This new trend inevitably increases Internet usage via mobile devices, along with demand for Internet Protocol (IP) addresses. This need has been even more pressing when we consider the upcoming Internet of Things (IoT) era. Because of this demand, Internet Service Providers (ISPs) have started to deploy IPv6 addresses, and many services are following this trend. For example, Apple announced that they would support IPv6-only network services and encouraged developers to use IPv6-based APIs [4]. Similarly, cellular operators are also beginning to adopt IPv6 addresses on their networks [15].

With the introduction of IPv6, as in IPv4 cellular networks, middleboxes are required to manage and protect their network resources effectively. Firewalls need to filter out incoming malicious packets. At least until the transition from IPv4 to IPv6 completes, stateful NAT64, a middlebox that translates an IPv6 address to an IPv4 address (and vice versa), is indispensable for backward compatibility with legacy IPv4 services.

For IPv4 cellular networks, there have been several studies revealing that middleboxes can be abused by exploiting their properties [31, 32, 40]. Wang et al. investigated middlebox properties such as mapping patterns on NAT boxes and filtering rules on firewalls that may have a large impact on both the performance and security of cellular customers [40]. Other works demonstrated that an adversary can inject malicious data by exploiting vulnerabilities in sequence number verification on a firewall [31, 32]. However, no prior work has considered the security issues related to IPv6 middleboxes.

In this paper, we analyze the properties of middleboxes deployed in IPv6 cellular networks.
To this end, we investigate the security problems of IPv6 middleboxes in five major operators in three countries on different continents. As a result, we conclude that certain features of cellular networks combined with IPv6 middleboxes may expose end users to various attacks. One of the key features is the support of end-to-end transparency [9]. Since all hosts in IPv6 networks are allocated with public IP addresses, it is possible to directly send packets to end hosts (i.e. smartphones) in the cellular networks from the Internet. Other key features include that the core network of cellular networks utilizes only a /64 prefix of an IPv6 address for data transmission to end hosts, and a mobile device can change the last 64 bits of an IPv6 address (defined as the interface identifier, in short the IID) at any time. The last key feature originates from the nature of stateful NAT64. The stateful NAT64 maps N public IPv6 addresses to one public IPv4 address, an arrangement known as N-to-1 mapping. This stateful NAT64 utilizes a relatively small number of external IPv4 addresses compared to NAT in IPv4 cellular networks. Our measurement also shows a high N value of N-to-1 mapping.

Combined with these features of IPv6 cellular networks, we discover that several properties of IPv6 middleboxes can cause serious problems. First, we examined firewalls in IPv6 cellular networks. In