SIG used “lightweight” static analysis, looking for literals used with socket libraries, hardcoded IP addresses and so on, in their research. The fact the approach found them proves its worth, but many defects it cannot detect certainly exist. Deeper static analysis can detect more, but empirical testing is needed too.

For IPv6-only testing, that means setting up an IPv6 test environment with all IPv4 addressing and routing disabled. Easy enough, but the trouble is most applications will be running over “dual-stack” (IPv4-mapped IPv6 addresses) or “tunnelling” (one protocol’s packets encapsulated within packets of the other) networks for some time to come, so it may not be realistic. Building and testing either of these interim arrangements as a test environment is challenging.

No doubt the cloud can help. If you have a solution or suggestion please tell our editor about it.