The importance of a firewall to a network goes without saying. It is the first line of defense, used to protect against public internet attacks and restrict local users’ public internet access. With the emergence of IPv6, new demands are placed on firewalls. Although IPv6 and IPv4 offer very similar services, there are some subtle differences between the two protocols that can significantly impact firewall devices and operations.
1. One major change in IPv6 is the adoption of a fixed-length protocol header, unlike IPv4’s variable-length header. Any necessary options must be added to subsequent extension headers, which are located between the fixed IPv6 header and the encapsulated upper-layer protocol. Different extension headers are used depending on which system processes the options. For example, options that need to be processed on the destination host are contained in a “Destination Options” header, while options processed by routers are contained in a “Hop-by-Hop Options” header. In theory, this at least allows routers and hosts to parse and process only the options meant for them—unlike IPv4, where every node processing a packet must parse all options.
2. This header structure defines the IPv6 header chain: multiple headers are linked together in sequence, starting with the IPv6 header and ending with the upper-layer protocol. Each extension header contains its specific header length and the type of the next header in the chain.
Therefore, any IPv6 flow will consist of a complete IPv6 header chain, and a system processes only the headers it needs. The Fragment Header is a special type of extension header that contains the mechanisms necessary to implement IPv6 fragmentation.
Unlike IPv4, IPv6 does not store all fragmentation-related information in the fixed IPv6 header but rather in an optional Fragment Header. Therefore, a host performing fragmentation simply inserts a Fragment Header into the IPv6 header chain and adds the original data packet that needs to be fragmented.
3. Any system needing to obtain upper-layer information (such as TCP port numbers) must process the entire IPv6 header chain. Furthermore, because current protocol standards support an arbitrary number of extension headers, including multiple instances of the same type, this has various implications for devices like firewalls. Firewalls need to parse multiple extension headers to perform Deep Packet Inspection (DPI), which can degrade WAN performance, trigger Denial of Service (DoS) attacks, or lead to firewall bypass.
4. Because current protocol specifications support an arbitrary number of extension headers, including multiple instances of the same type, firewalls must be able to meticulously handle packets containing abnormal numbers of IPv6 extension headers. This could be exploited by attackers, who might deliberately insert a large number of extension headers into packets, causing the firewall to waste excessive resources when processing them.
Ultimately, this can lead to firewall performance degradation or cause DoS issues for the firewall itself. Additionally, some poorly performing firewalls may fail to process the entire IPv6 header chain when applying filtering policies, potentially allowing attackers to leverage extension headers to compromise the firewall.
5. IPv6 fragmentation can also be exploited maliciously, similar to methods used in IPv4. For example, to circumvent a firewall’s filtering policy, attackers might send overlapping fragments that affect the target host’s fragment reassembly process.
In IPv6, this problem is more severe because the combination of multiple IPv6 extension headers and fragments can produce erroneous fragments. Although the packet size may appear “normal,” they may be missing essential information typically needed to enforce filtering policies, such as TCP port numbers. That is, the first fragment of a packet might contain so many IPv6 options that the upper-layer protocol header ends up belonging to a subsequent fragment, rather than the first one.
6. IPv6 transition/coexistence technologies pose another challenge for IPv6 firewalls. Most transition technologies use some form of tunneling mechanism, encapsulating one network layer protocol (usually IPv6) within another (usually IPv4). This has many implications for firewall security; the firewall may fail to recognize a specific transition technology or be unable to apply filtering policies supported for native IPv6 traffic. For instance, while a site can block packets destined for TCP port 25 using native IPv4 or native IPv6, it might fail to block these packets once a transition mechanism like Teredo is deployed.
7. Transition technologies can exacerbate