IPv6 filtering threatens impact of new protocol

IPv6 extension headers give the protocol additional versatility, but widespread IPv6 filtering is threatening the new protocol's ability to survive in the public Internet.

One well-known IPv6 feature is that it has been designed to allow for a virtually unlimited number of IPv6 options -- that is, data that conveys additional information about packets or how they should be processed -- thus enabling the widespread extensibility of IPv6 for many years to come. However, recent studies indicate that there is widespread filtering of IPv6 packets that employ extension headers. This article provides a snapshot of the filtering of IPv6 packets that employ extension headers in the public Internet and analyzes the implications of such IPv6 filtering.

IPv6 packets follow a "daisy-chain" structure, in which the mandatory IPv6 header may be followed by multiple extension headers that are employed to convey IPv6 options, implement IPSec or perform IPv6 packet fragmentation. Such IPv6 extension headers are inserted between the mandatory IPv6 header and the upper-layer protocol header, and each IPv6 extension header specifies the type of header that follows (via a next header field) and its own length (unless it has an associated fixed length). Thus, IPv6 can accommodate a virtually unlimited number of options (as opposed to IPv4, which can only support a limited number).

The following diagram illustrates the structure of an IPv6 packet, with two extension headers.

Figure 1. Typical IPv6 packet with extension headers.
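
The header chain described above can be walked in code, which is also what a filtering device has to do before it can see the upper-layer protocol. The following is an added example, not part of the original article: the function names, the `2001:db8::/32` documentation addresses and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

# Extension header numbers (IANA protocol numbers); any other value ends the chain.
HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
NAMES = {HBH: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
         ESP: "esp", AH: "ah", DSTOPTS: "destination-options"}

def walk_chain(packet: bytes):
    """Return (chain, upper_proto, upper_offset); chain holds (name, offset, length)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in NAMES:
        if next_hdr == ESP:  # encrypted from here on: the chain cannot be followed
            chain.append((NAMES[ESP], offset, len(packet) - offset))
            return chain, None, None
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, len_field = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            length = 8                      # fixed length, no length field
        elif next_hdr == AH:
            length = (len_field + 2) * 4    # AH counts 32-bit words, minus 2
        else:
            length = (len_field + 1) * 8    # 8-octet units, first unit not counted
        if offset + length > len(packet):
            raise ValueError("extension header overruns packet")
        chain.append((NAMES[next_hdr], offset, length))
        if next_hdr == FRAGMENT:
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset:  # non-first fragment carries no upper-layer header
                return chain, following, None
        next_hdr, offset = following, offset + length
    return chain, next_hdr, offset

def build_packet(first_next_header: int, payload: bytes) -> bytes:
    """Constructed test input: fixed header with documentation-prefix addresses."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_next_header, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + src + dst + payload

PADN = bytes([1, 4, 0, 0, 0, 0])  # PadN option that fills out an 8-byte header
SAMPLE = build_packet(HBH, bytes([DSTOPTS, 0]) + PADN   # hop-by-hop, 8 bytes
                      + bytes([6, 0]) + PADN            # destination options -> TCP
                      + bytes(20))                      # zeroed TCP header

if __name__ == "__main__":
    print(walk_chain(SAMPLE))
```

The TCP header in the sample sits at offset 56 rather than 40, so a device that inspects only the fixed header's Next Header field never sees the transport protocol.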

Filtering of IPv6 packets with extension headers

A recent study has shown that there is widespread filtering of IPv6 packets that employ IPv6 extension headers in the public Internet. The following chart illustrates the packet drop rates when employing different types of IPv6 extension headers (destination options of 8 bytes, hop-by-hop options of 8 bytes, and IPv6 fragments of 256 bytes) when communicating with Web servers, mail servers, and name servers of the IPv6-enabled domains from the top one million websites, as measured by Alexa Internet.

Figure 2. Packet drop rates resulting from the filtering of IPv6 extension headers.

Additionally, the following chart illustrates the percentage of packet drops that occur at an autonomous system other than the destination AS. While packet drops occurring at the destination AS might be expected to be the result of an intended policy, packet drops occurring at an intermediate AS are more likely out of the control of the target servers (and unlikely to be an intended policy by the target servers).

Figure 3. Percentage of packet drops at an autonomous system other than the destination AS.

Implications of widespread filtering of IPv6 packets with extension headers

The bottom line: IPv6 packets employing extension headers are unlikely to survive in the public Internet when communicating with public servers. The repercussions of such widespread IPv6 filtering vary from one extension header to another, and also depend on where in the network such filtering occurs. For example:

  • Filtering of IPv6 packets containing extension headers at intermediate systems hinders any future extension of the IPv6 protocol, since the associated packet drops are not under the control of the communicating endpoints.
  • Packet drops occurring at intermediate ASes can be harmful to the current IPv6 Internet, since they may prevent the use of IPSec between IPv6 peers, cause interoperability problems to applications that rely on IPv6 fragmentation (such as the domain name system), and create other problems.
  • Packet drops occurring at the destination AS might be considered less of a concern. However, that really depends on whether such packet drops are the result of an intended IPv6 filtering policy at the target AS, as opposed to incorrect configuration defaults at routers or other filtering devices. At this point, the cause or motivation of the measured packet drops is yet unknown.

Filtering of IPv6 packets that use extension headers could very well damage the operation and evolution of the IPv6 Internet. To that end, there are a number of ongoing efforts to raise awareness about this situation, as well as efforts to provide advice regarding the filtering of IPv6 packets that contain extension headers. By raising awareness about the current state of affairs regarding IPv6 extension headers in the public Internet, we hope steps will be taken to address this important issue.

This was last published in September 2015