One well-known IPv6 feature is that it has been designed to allow for a virtually unlimited number of IPv6 options -- that is, data that conveys additional information about packets or how they should be processed -- thus enabling the widespread extensibility of IPv6 for many years to come. However, recent studies indicate that there is widespread filtering of IPv6 packets that employ extension headers. This article provides a snapshot of the filtering of IPv6 packets that employ extension headers in the public Internet and analyzes the implications of such IPv6 filtering.
IPv6 packets follow a "daisy-chain" structure, in which the mandatory IPv6 header may be followed by multiple extension headers that are employed to convey IPv6 options, implement IPsec or perform IPv6 packet fragmentation. Such IPv6 extension headers are inserted between the mandatory IPv6 header and the upper-layer protocol header, and each IPv6 extension header specifies the type of header that follows (via a next header field) and its own length (unless it has an associated fixed length). Thus, IPv6 can accommodate a virtually unlimited number of options (as opposed to IPv4, which can only support a limited number).
The following diagram illustrates the structure of an IPv6 packet, with two extension headers.
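The daisy-chain described above can be walked in a few lines, which is also what a filtering device has to do before it can see the upper-layer protocol. This is an added example, not code from the article or the study it cites; `walk_chain`, `build_sample` and the sample packet (documentation addresses under 2001:db8::/32) are constructed for illustration.

```python
import struct

# Extension headers whose length is (Hdr Ext Len + 1) * 8 octets (RFC 8200).
TLV_STYLE = {0: "Hop-by-Hop Options", 43: "Routing", 60: "Destination Options"}
FRAGMENT, AH = 44, 51

def walk_chain(packet: bytes):
    """Return ([(header_name, length_in_bytes), ...], upper_layer_protocol or None)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while True:
        if next_header not in TLV_STYLE and next_header not in (FRAGMENT, AH):
            # Upper-layer protocol (or ESP, whose contents are encrypted): chain ends.
            return chain, next_header
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header chain")
        if next_header in TLV_STYLE:
            name, length = TLV_STYLE[next_header], (packet[offset + 1] + 1) * 8
        elif next_header == FRAGMENT:
            name, length = "Fragment", 8  # fixed length, no length field
        else:
            name, length = "Authentication Header", (packet[offset + 1] + 2) * 4
        if offset + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append((name, length))
        if next_header == FRAGMENT:
            frag_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_offset:
                return chain, None  # non-first fragment: upper-layer header is not here
        next_header, offset = packet[offset], offset + length

def build_sample() -> bytes:
    """Constructed packet: IPv6 header + 8-byte Hop-by-Hop + 8-byte Destination Options + TCP."""
    pad = bytes([1, 4, 0, 0, 0, 0])          # PadN option filling the remaining 6 octets
    hbh = bytes([60, 0]) + pad               # next header = Destination Options
    dst_opts = bytes([6, 0]) + pad           # next header = TCP
    payload = hbh + dst_opts + bytes(20)     # zeroed 20-byte TCP header as a stand-in
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 0, 64)  # first next header = 0
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return fixed + src + dst + payload

if __name__ == "__main__":
    print(walk_chain(build_sample()))
```

A device that cannot or will not follow the chain this far has no port information to match on, which is one plausible reason such packets get dropped by default.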
Filtering of IPv6 packets with extension headers
A recent study has shown that there is widespread filtering of IPv6 packets that employ IPv6 extension headers in the public Internet. The following chart illustrates the packet drop rates when employing different types of IPv6 extension headers (destination options of 8 bytes, hop-by-hop options of 8 bytes, and IPv6 fragments of 256 bytes) when communicating with Web servers, mail servers, and name servers of the IPv6-enabled domains from the top one million websites, as measured by Alexa Internet.
Additionally, the following chart illustrates the percentage of packet drops that occur at an autonomous system other than the destination AS. While packet drops occurring at the destination AS might be expected to be the result of an intended policy, packet drops occurring at an intermediate AS are more likely out of the control of the target servers (and unlikely to be an intended policy by the target servers).
Implications of widespread filtering of IPv6 packets with extension headers
The bottom line: IPv6 packets employing extension headers are unlikely to survive in the public Internet when communicating with public servers. The repercussions of such widespread IPv6 filtering vary from one extension header to another, and also depend on where in the network such filtering occurs. For example:
- Filtering of IPv6 packets containing extension headers at intermediate systems hinders any future extension of the IPv6 protocol, since the associated packet drops are not under the control of the communicating endpoints.
- Packet drops occurring at intermediate ASes can be harmful to the current IPv6 Internet, since they may prevent the use of IPsec between IPv6 peers, cause interoperability problems for applications that rely on IPv6 fragmentation (such as the Domain Name System), and create other problems.
- Packet drops occurring at the destination AS might be considered less of a concern. However, that really depends on whether such packet drops are the result of an intended IPv6 filtering policy at the target AS, as opposed to incorrect configuration defaults at routers or other filtering devices. At this point, the cause or motivation of the measured packet drops is still unknown.
Filtering of IPv6 packets that use extension headers could very well damage the operation and evolution of the IPv6 Internet. To that end, there are a number of ongoing efforts to raise awareness about this situation, as well as efforts to provide advice regarding the filtering of IPv6 packets that contain extension headers. By raising awareness about the current state of affairs regarding IPv6 extension headers in the public Internet, we hope steps will be taken to address this important issue.