IPv6 extension headers causing headaches

Bill Cerveny/Arbor Networks
08 Aug 2011
00:00

There are a lot of similarities between IPv4 and IPv6. There are also a lot of differences, including some differences that may have security implications for network engineers who deploy IPv6. Network and security engineers may want to pay closer attention to IPv6 extension headers.

The IPv6 specification supports what are known as extension headers, which have varying uses. The good thing about extension headers is that they are seldom seen in general internet usage, except in specific situations, such as where packets must be handled in a manner that cannot be described in the standard IPv6 header.

The bad thing about extension headers is that end nodes (such as user computers) and intermediate nodes (such as routers, firewalls and other security devices) generally need to be aware of and be able to handle extension headers.

Perhaps the most frequent and important extension header is the fragment extension header (which will be discussed in a later post). Other extension headers defined in the IPv6 specification include hop-by-hop options, destination options and routing. The authentication and the encapsulating security payload headers, defined in separate RFCs, support IPsec in IPv6.

Source routing in IPv4 has been problematic because of opportunities for denial of service attacks, and routers are usually configured to ignore source routing options. Because of its similarity to IPv4 source routing and its even greater potential for facilitating denial of service attacks, the IPv6 routing extension header type 0 was deprecated by the IETF in December 2007. In packets that contain a type 0 routing header (also known as RH0), the routing header must be ignored or the packet must be dropped.

Extension headers shift the layer 4 header (typically a TCP or UDP header) away from its usual offset immediately after the main header. As a result, the layer 4 header can appear at a variety of offsets into the packet.
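
An added example (not from the original article): a Python function showing how a filter or sensor can walk the extension header chain to find where the layer 4 header actually starts, and flag RH0 along the way. The function name, finding strings and sample packets are constructed for illustration; the length rules follow the standard IPv6, fragment and authentication header formats.

```python
import struct

# Next Header values: extension headers, then the two common layer 4 protocols
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP = 6, 17
FIXED_LEN = 40  # the main IPv6 header is always 40 bytes

def locate_layer4(packet):
    """Return (protocol, offset, findings) for a raw IPv6 packet.

    offset is the byte offset of the upper-layer header, or None when it
    cannot be located; findings lists conditions a filter should act on.
    """
    if len(packet) < FIXED_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, findings = packet[6], FIXED_LEN, []
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if offset + 8 > len(packet):
            return next_hdr, None, findings + ["truncated extension header"]
        following, len_field = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            hdr_len = 8  # fixed size; the length byte is reserved
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return following, None, findings + ["non-first fragment"]
        elif next_hdr == AH:
            hdr_len = (len_field + 2) * 4  # AH counts 4-byte words, minus 2
        else:
            hdr_len = (len_field + 1) * 8  # 8-byte units, first 8 not counted
            if next_hdr == ROUTING and packet[offset + 2] == 0:
                findings.append("RH0")  # deprecated type 0 routing header
        next_hdr, offset = following, offset + hdr_len
    if next_hdr == ESP or offset > len(packet):
        return next_hdr, None, findings + ["layer 4 header not readable"]
    return next_hdr, offset, findings

# Constructed sample packets (documentation addresses, UDP to port 53)
def build(next_hdr, payload):
    addrs = bytes.fromhex("20010db8" + "00" * 11 + "01" + "20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + addrs + payload

UDP_HDR = struct.pack("!HHHH", 53000, 53, 8, 0)
PAD = bytes([0, 1, 4, 0, 0, 0, 0])  # Hdr Ext Len 0, then a PadN option
PLAIN = build(UDP, UDP_HDR)
CHAINED = build(HOP_BY_HOP, bytes([DEST_OPTS]) + PAD + bytes([UDP]) + PAD + UDP_HDR)
RH0_PKT = build(ROUTING, bytes([UDP, 2, 0, 1]) + bytes(20) + UDP_HDR)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("chained", CHAINED), ("rh0", RH0_PKT)):
        print(name, locate_layer4(pkt))
```

The same UDP header sits at offset 40, 56 or 64 depending on the chain in front of it, which is why a rule that matches ports at a fixed offset misses these packets.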
