Tuesday, 1 December 2015

The Controversial IPv6 Extension Headers


IPv6 Extension Headers allow for the extension of the IPv6 protocol, and provide support for core functionality such as IPv6 fragmentation. The typical structure of an IPv6 packet containing IPv6 extension headers is as follows:



Common implementation limitations suggest that IPv6 extension headers present a challenge for a plethora of device types, and recent studies indicate that there exists widespread dropping of IPv6 packets containing extension headers.

The topic of IPv6 extension headers typically triggers heated discussions in the technical communities, between network engineers who claim that IPv6 extension headers are key to future innovation and security specialists who quite frequently argue that IPv6 extension headers represent a security nightmare.

Given the ongoing debate on this topic, we believe the following resources can help in raising awareness about the challenge represented by IPv6 extension headers and their current operational status.

A first set of resources comprises a number of TechTarget articles on this topic:

A more thorough discussion of these issues can be found in these IETF Internet-Drafts:

The above resources give a clear signal that, if IPv6 extension headers are to be usable in the public Internet, there is a lot of work to be done by the IETF itself, software developers, hardware manufacturers, and the operational community as a whole.

Tuesday, 25 August 2015

IETF RFC 7610: "DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers"

We have just published IETF RFC 7610, entitled "DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers". The abstract of the RFC is:
This document specifies a mechanism for protecting hosts connected to
a switched network against rogue DHCPv6 servers.  It is based on
DHCPv6 packet filtering at the layer 2 device at which the packets
are received.  A similar mechanism has been widely deployed in IPv4
networks ('DHCP snooping'); hence, it is desirable that similar
functionality be provided for IPv6 networks.  This document specifies
a Best Current Practice for the implementation of DHCPv6-Shield.

We hope that this RFC will help in achieving parity of security features with IPv4.
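
Both posts above come down to the same operation: a device that filters on the upper-layer protocol has to walk the variable-length IPv6 extension header chain before it can see, for example, a DHCPv6 message addressed to a client. The following Python sketch is an added example, not code from the RFC or from this blog; it walks only the Hop-by-Hop, Routing, Fragment, AH and Destination Options headers. The function names, the sample packets and the simplified "UDP to port 546" test are assumptions made for illustration.

```python
import struct

HBH, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60   # extension headers walked here
UDP, DHCPV6_CLIENT_PORT = 17, 546

def walk_chain(pkt: bytes):
    """Return (chain, upper_proto, offset). upper_proto is None when the
    upper-layer header cannot be located in this packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in (HBH, ROUTING, FRAGMENT, AH, DSTOPTS):
        if off + 8 > len(pkt):
            return chain, None, off              # header chain is truncated
        chain.append(nh)
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return chain, None, off          # non-first fragment
            size = 8                             # Fragment header is fixed-size
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4        # AH length is in 4-octet units
        else:
            size = (pkt[off + 1] + 1) * 8        # Hdr Ext Len is in 8-octet units
        nh, off = pkt[off], off + size
    return chain, nh, off

def is_dhcpv6_to_client(pkt: bytes) -> bool:
    """True when the upper-layer header is UDP addressed to the DHCPv6 client port."""
    _, proto, off = walk_chain(pkt)
    if proto != UDP or off + 4 > len(pkt):
        return False
    return struct.unpack_from("!H", pkt, off + 2)[0] == DHCPV6_CLIENT_PORT

# Constructed sample packets (all-zero addresses, no checksum), for illustration only.
def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

ADVERTISE = struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 1])
PADDED_DSTOPTS = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])     # 8 octets: one PadN option
LATER_FRAGMENT = bytes([UDP, 0]) + struct.pack("!HI", 8 << 3, 1) + b"payload."

PLAIN = ipv6(UDP, ADVERTISE)
WITH_EXT = ipv6(DSTOPTS, PADDED_DSTOPTS + ADVERTISE)
NON_FIRST = ipv6(FRAGMENT, LATER_FRAGMENT)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("with_ext", WITH_EXT), ("non_first", NON_FIRST)]:
        print(name, walk_chain(pkt), is_dhcpv6_to_client(pkt))
```

In `WITH_EXT` the fixed header's Next Header field is 60, not 17, so the UDP header is only found by walking the chain; for `NON_FIRST` the upper-layer header is not in the packet at all, and a filter has to decide what to do with that case explicitly.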