IPv6 extension header: Is it good or bad?
A recent IETF study shows that when extension headers are used, the packet loss rate of IPv6 packets sent to Internet servers is between 10% and 50%. Filtering at this level is harmful: it not only hinders the future development of the IPv6 protocol, but also affects the use of its basic functions, such as IPsec or even IPv6 fragmentation.
Although this is not desirable from the user's point of view, such filtering is indeed a practical way to reduce security risks and operational impact, given common network devices and configurations. Why? There are security considerations, operational considerations, and some other factors that explain why an operator may still be justified in dropping IPv6 packets that contain extension headers.
Security Impact of IPv6 Extended Headers
The security impact of IPv6 extension headers is summarized as follows:
· Evasion of security controls
· DoS due to incorrect implementations
· DoS due to processing requirements
· Issues specific to each extension header
IPv6 extension headers also have an impact at the operational layer, but those difficulties can still be handled reasonably well by current implementations.
Some security products cannot properly handle IPv6 extension headers, and such defects allow security controls to be evaded. Processing these extension headers is relatively complex and can lead to implementation errors, which in turn enable DoS attacks.
In addition, some router deployments can only process packets with extension headers on the slow path, so IPv6 packets carrying extension headers may also cause DoS. Finally, each IPv6 extension header has its own security problems. For example, Fragment headers can be used for resource exhaustion attacks, and some Routing Header types (such as the obsolete Type 0) can be used for amplification attacks.
Operational Impact of IPv6 Extension Headers
IPv6 extension headers also have an operational impact. Some common causes of packet loss are as follows:
· Enforcement of infrastructure access control lists (ACLs)
· DDoS mitigation and customer filtering requirements
· ECMP routing and hash-based load sharing may fail
· Packet forwarding engine restrictions
Infrastructure ACLs are used to filter out packets that are identified as unnecessary by the infrastructure. Such packets serve no operational purpose and can be used to launch attacks on the routing control plane. Anti-DDoS filtering is essentially similar. Layer-4 ACLs usually need to be deployed as close to the network edge as possible in order to protect the customer edge.
In the case of ECMP load sharing, the router needs a policy to determine which link each outgoing packet uses. Most forwarding engines compute a simple hash function over the IPv6 source and destination addresses and layer-4 information, such as the source and destination transport protocol port numbers. However, the presence of extension headers prevents the forwarding device from locating the transport protocol port numbers.
Finally, we note that most modern routers use dedicated hardware and make forwarding decisions inside that hardware. Such an implementation can only look at a limited portion of each packet. Therefore, when the hardware forwarding engine of a modern router cannot make a forwarding decision because the key information lies beyond the aforementioned proprietary implementation limits, the router usually discards the packet.
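The ECMP and forwarding-engine problems above both come down to walking the extension-header chain to find the transport header. The following added example (not code from the original article) parses constructed IPv6 packets, returns the layer-4 protocol and ports when they are reachable, reports when a non-first fragment hides them, and flags the obsolete Type 0 Routing Header; the builder and its sample packets are constructed for illustration.

```python
import struct

# IANA next-header values used below
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP = 6, 17
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def locate_transport(pkt: bytes):
    """Walk the extension-header chain after the 40-byte fixed header.
    Returns (l4_proto, src_port, dst_port, walked); ports are None when the
    chain hides them (e.g. a non-first fragment), which is exactly the case
    where a hash-based ECMP or L4 ACL engine has nothing to key on."""
    nh, off, walked = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        walked.append(nh)
        if nh == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            next_nh, off = pkt[off], off + 8
            if frag_off != 0:
                return next_nh, None, None, walked  # no L4 header here
            nh = next_nh
        else:
            if nh == ROUTING and pkt[off + 2] == 0:
                walked.append("RH0")  # deprecated Type 0 (RFC 5095)
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh in (TCP, UDP) and off + 4 <= len(pkt):
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        return nh, sport, dport, walked
    return nh, None, None, walked

def build_ipv6(ext_chain, l4=TCP, sport=12345, dport=443, frag_offset=0):
    """Construct a minimal IPv6 packet (constructed sample, not captured).
    Each non-fragment extension header is 8 bytes of zeros; a Routing
    header built this way is Type 0, so it exercises the RH0 flag."""
    headers = []
    for i, eh in enumerate(ext_chain):
        nxt = ext_chain[i + 1] if i + 1 < len(ext_chain) else l4
        if eh == FRAGMENT:
            headers.append(struct.pack("!BBHI", nxt, 0, frag_offset << 3, 1))
        else:
            headers.append(bytes([nxt, 0]) + b"\x00" * 6)
    payload = b"".join(headers) + struct.pack("!HH", sport, dport) + b"\x00" * 16
    first_nh = ext_chain[0] if ext_chain else l4
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64)
    return fixed + b"\x00" * 32 + payload  # zero src/dst addresses
```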