noid-privacy/Modules/AdvancedSecurity/Private/Test-IPv6Security.ps1

function Test-IPv6Security {
    <#
    .SYNOPSIS
        Test IPv6 disable status (mitm6 attack mitigation)
    
    .DESCRIPTION
        Checks if IPv6 is completely disabled via DisabledComponents registry value.
        This is an OPTIONAL setting only available in Maximum profile.
        
        DisabledComponents = 0xFF (255) means IPv6 is completely disabled.
    
    .EXAMPLE
        Test-IPv6Security
    #>
    [CmdletBinding()]
    param()
    
    try {
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
        $value = Get-ItemProperty -Path $regPath -Name "DisabledComponents" -ErrorAction SilentlyContinue
        
        if ($value -and $value.DisabledComponents -eq 255) {
            return [PSCustomObject]@{
                Feature   = "IPv6 Disable (mitm6 mitigation)"
                Pass      = $true
                Compliant = $true
                Message   = "IPv6 DISABLED (DisabledComponents = 0xFF) - mitm6 protected"
                Details   = "IPv6 completely disabled - DHCPv6 spoofing attacks blocked"
            }
        }
        elseif ($value -and $value.DisabledComponents -gt 0) {
            return [PSCustomObject]@{
                Feature   = "IPv6 Disable (mitm6 mitigation)"
                Pass      = $true
                Compliant = $true
                Message   = "IPv6 PARTIALLY disabled (DisabledComponents = $($value.DisabledComponents))"
                Details   = "IPv6 partially disabled - some mitm6 protection"
            }
        }
        else {
            # IPv6 is enabled - this is OPTIONAL, so still "pass" but note it's not configured
            return [PSCustomObject]@{
                Feature   = "IPv6 Disable (mitm6 mitigation)"
                Pass      = $true  # Optional feature - not a failure
                Compliant = $true  # Optional feature
                Message   = "IPv6 ENABLED (Optional - not configured)"
                Details   = "IPv6 enabled (default) - WPAD disabled provides partial mitm6 protection"
            }
        }
    }
    catch {
        Write-Log -Level ERROR -Message "Failed to test IPv6 security: $_" -Module "AdvancedSecurity" -Exception $_.Exception
        return [PSCustomObject]@{
            Feature   = "IPv6 Disable (mitm6 mitigation)"
            Pass      = $true  # Don't fail on error for optional feature
            Compliant = $true
            Message   = "Error checking IPv6 status"
            Details   = "Could not determine IPv6 status: $_"
        }
    }
}