RIPv6 circumvents restrictive IP address-based filter and blocking rules

RIPv6 uses multiple IP addresses simultaneously. The implementation is based on the rollover concept of the Pre-publish model of DNSSEC keys (ZSK). The first IPv6 address IP1 is generated and actively used. After time factor x, a second IPv6 address IP2 is generated and also actively used straight away for new connections. IP1 reverts to a kind of stand-by status so that it is no longer used for new requests but can still accept responses. When the third IPv6 address IP3 is generated, IP1 switches to rolled status and is deleted from the network adapter. IP2 is now in stand-by status and is also deleted when the next IPv6 address is generated. This cycle carries on endlessly, such that the test system receives new IP addresses and responses never get lost

A precondition for RIPv6 is an existing gateway that carries out the routing of the IPv6 network. The specific address range and this gateway are currently defined in the script itself in the Variables section. This section can also be used to define the time value for the rotation of IP addresses. In a later version these values can also be defined using parameters.

IP addresses in the network range are randomly generated by the GenerateAddress() function, which currently generates addresses for a /64 subnet. Support for /48 networks is planned. The original function itself comes from Vladislav V. Prodan, although I have modified and shortened it for my own purposes.

For the rollover concept I establish an endless while loop. The IP addresses generated are assigned to or removed from the network adapter using the ip command. During the first pass, the default route is also configured. This step is only carried out during the first pass.

The script can be started and executed in the background. At the moment every operation (addition and deletion) is output with echo. This way it is clear which IP address is currently being used.

[user@host ~]# ./ripv6.sh
[+] add ip1 2001:470:26:12b:45dc:2314:b631:4c4a
[*] set default route
[+] add ip2 2001:470:26:12b:9a65:b818:6c96:4271
[+] add ip3 2001:470:26:12b:c15e:ec07:400a:56a2
[-] del ip1 2001:470:26:12b:45dc:2314:b631:4c4a
[+] add ip1 2001:470:26:12b:5326:a7c6:7122:d269
[-] del ip2 2001:470:26:12b:9a65:b818:6c96:4271
[+] add ip2 2001:470:26:12b:ef45:b13a:5665:7ae4
[-] del ip3 2001:470:26:12b:c15e:ec07:400a:56a2
[+] add ip3 2001:470:26:12b:9bd6:6e3d:f90f:8a36
[-] del ip1 2001:470:26:12b:5326:a7c6:7122:d269
...

No further modification to the test system is required. The web scanner and other applications can be used as normal. The only difference is that requests are now sent with alternating IP addresses. This means that IP-based blocking should not present an obstacle in the future – provided the website can be accessed through IPv6.

The current version is still in the proof-of-concept phase and will receive a number of improvements in future. Plans include use of parameters for the configuration and support of /48 subnets. Any feedback, changes or additions are appreciated.