IPv6 extension headers prove problematic
There are a lot of similarities between IPv4 and IPv6. There are also a lot of differences, including some differences that may have security implications for network engineers who deploy IPv6. Network and security engineers may want to pay closer attention to IPv6 extension headers.
The IPv6 specification supports what are known as extension headers, which have varying uses. The good thing about extension headers is that they are typically seldom seen with general internet usage, except in specific situations such as where packets must be handled in a specific manner that cannot be described in the standard IPv6 header. The bad thing about extension headers is that end nodes (such as user computers) and intermediate nodes (routers, firewalls and other security devices) generally need to be aware of, and be able to handle, extension headers.
Perhaps the most frequent and important extension header is the fragment extension header (which will be discussed in a later post). Other extension headers defined in the IPv6 specification include hop-by-hop options, destination options and routing. The authentication and the encapsulating security payload headers, defined in separate RFCs, support IPsec in IPv6.
Source routing in IPv4 has been problematic because of opportunities for denial of service attacks and routers are usually configured to ignore source routing options. Because of its similarity to IPv4 source routing and its even greater potential for facilitating denial of service attacks, the IPv6 routing extension header type 0 was deprecated by the IETF in December 2007. In packets that contain a type 0 routing header (also known as RH0), the routing header must be ignored or the packet must be dropped.
Extension headers force the packet byte offset of the layer 4 header (typically a TCP or UDP header) to be shifted from its usual packet offset immediately after the main header. As a result, it is possible for the layer 4 header to appear at a variety of packet offsets into the packet.
In IPv4, if there are options present, the location of the layer 4 header will be at the offset indicated by the header length field. In IPv6, if a network device is to correctly detect the layer 4 header for an IPv6 packet with extension headers, it must parse the extension header chain until it reaches the layer 4 header.
Some network devices are incapable of traversing the list of extension headers, with the result being that the network device either incorrectly identifies what it thinks is the layer 4 header or it doesn’t identify the layer 4 header information at all. In some cases, the network device may only be capable of parsing a specific number of extension headers or it may stop evaluating extension headers past a specific byte offset.
Filters that make decisions based upon layer 4 information may fail if the network device or its software cannot parse extension headers. Other devices may evaluate packets with extension headers in a slower software processing mode, which can reduce the packet processing capabilities of the device. When purchasing a network device, it is important to confirm that the device can identify layer 4 headers at a variety of offsets in the packet and to confirm what performance penalties may occur if the device has to examine extension headers in packets.
The extent to which a router will attempt to process and report extension header or layer 4 information in-flow varies. The Netflow v9 standard, as described in IETF RFC 3954, describes an “IPv6 option headers” field that is used for encoding which extension headers were observed in the packet. Not all router vendors implement this field. IPFIX provides a similar field and is described in this IANA document. Some router operating systems are unable to report layer 4 information when one or more extension headers are present.
In theory, extension headers allow for adding new functionality to IPv6. In reality, it is hard to create and implement new extension headers because of the lead time that network device implementers need to update their hardware and software. Many network devices will drop any packets with extension headers that aren’t recognized by the device. There will be a continual trade-off between the introduction of new extension headers to IPv6 and the cost to network device creators and maintainers of adding support for the new extension header.
Around 2002, I attended a presentation prepared by a systems engineer for a router manufacturer, in which the presenter argued that due to the obscure nature of extension headers and the inherent opportunities for problems,…extension headers should be eliminated. I have not heard anyone seriously suggest outright elimination of extension headers since, because some extension headers provide essential functionality in IPv6. But extension headers are still generally despised for how they complicate the IPv6 protocol.
Bill Cerveny is senior software quality assurance engineer at Arbor Networks. For more information visit http://www.arbornetworks.com/