[ipv6hackers] Implications of IPv6 on network firewalls

Adrian Bool adrian.bool at revolution.net.eu
Mon Nov 21 11:16:15 CET 2011

Hi Fernando, 

On Monday, 21 November 2011 at 01:20, Fernando Gont wrote:

> An article about IPv6 firewalls that I've written for Techtarget has
> just been published. It is available here:
> <http://searchenterprisewan.techtarget.com/tip/IPv6-firewall-security-Fixing-issues-introduced-by-the-new-protocol>

On the subject IPv6 extension headers...

My understanding is that there are seven extension headers defined in RFC2460, which then goes on to state,

> Each extension header should occur at most once, except for the Destination Options header which should occur at most twice.

And earlier in the same RFC,

> [if] the Next Header value in the current header is unrecognized by the node, it should discard the packet and send an ICMP Parameter Problem message

It therefore seems to me that a firewall should never need to process more than eight extension headers - anything more than this should be dropped and an ICMP error returned.

Have I missed anything?

Kind regards,


Adrian Bool, Director, Network Revolution Limited

e adrian.bool at revolution.net.eu
m +44 7525 781 982

Network Revolution Limited, 145-157 St John Street, London, EC1V 4PW, United Kingdom. 
Registered in England and Wales, 7607414.
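The chain walk discussed in the message above, as an added example (this is editor-supplied code, not code from the original post or from any firewall product): a stateless parser over a hand-constructed IPv6 packet that follows the Next Header chain, applies the RFC 2460 section 4.1 occurrence limits quoted above per header type, stops at ESP because everything after it is encrypted, and treats an unrecognised Next Header the way section 4 prescribes (discard, ICMPv6 Parameter Problem code 1). The addresses, the sample packets and the small upper-layer protocol table are constructed for this example.

```python
"""Walk an IPv6 extension-header chain the way a stateless firewall would.

Added example, not code from the ipv6hackers post or from any vendor.
All packet bytes below are constructed by hand for illustration.
"""
import struct

# Extension headers defined in RFC 2460 section 4, keyed by protocol number.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 50, 51, 60, 59
EXT_HEADER_NAMES = {
    HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
    ESP: "ESP", AH: "AH", DEST_OPTS: "Destination Options",
}
# RFC 2460 section 4.1: each extension header should occur at most once,
# except Destination Options, which should occur at most twice.
MAX_OCCURRENCES = {h: 1 for h in EXT_HEADER_NAMES}
MAX_OCCURRENCES[DEST_OPTS] = 2
# Upper-layer protocols this example knows how to stop at (assumption: a real
# firewall carries a fuller table; anything not listed here is "unrecognised").
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def ext_header_length(kind, buf):
    """On-wire length of the extension header at the start of buf, or None."""
    if len(buf) < 2:
        return None
    if kind in (HOP_BY_HOP, DEST_OPTS, ROUTING):
        return (buf[1] + 1) * 8      # Hdr Ext Len: 8-octet units, first 8 not counted
    if kind == FRAGMENT:
        return 8                     # fixed size
    if kind == AH:
        return (buf[1] + 2) * 4      # Payload Len: 4-octet units, minus 2
    return None                      # ESP: the remainder is opaque


def walk_extension_headers(packet):
    """Parse the fixed header, then follow the chain. Returns (verdict, chain)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "DROP: not IPv6", []
    payload_len, next_header = struct.unpack_from("!HB", packet, 4)
    buf = packet[40:40 + payload_len]
    if len(buf) < payload_len:
        return "DROP: truncated payload", []
    seen, chain = {}, []
    while True:
        if next_header == NO_NEXT_HEADER:
            chain.append("No Next Header")
            return "ACCEPT", chain
        if next_header in UPPER_LAYER:
            chain.append(UPPER_LAYER[next_header])
            return "ACCEPT", chain
        if next_header not in EXT_HEADER_NAMES:
            # RFC 2460 section 4: unrecognised Next Header -> discard the packet
            # and send ICMPv6 Parameter Problem, code 1.
            return (f"DROP: unrecognised Next Header {next_header} "
                    "(ICMPv6 Parameter Problem, code 1)"), chain
        name = EXT_HEADER_NAMES[next_header]
        seen[next_header] = seen.get(next_header, 0) + 1
        chain.append(name)
        if seen[next_header] > MAX_OCCURRENCES[next_header]:
            return f"DROP: {name} occurs more than {MAX_OCCURRENCES[next_header]} time(s)", chain
        if next_header == ESP:
            # Everything after the ESP header is encrypted; the walk must stop here.
            return "ACCEPT (opaque after ESP)", chain
        length = ext_header_length(next_header, buf)
        if length is None or length > len(buf):
            return f"DROP: truncated {name}", chain
        next_header = buf[0]         # first octet of every extension header is Next Header
        buf = buf[length:]


# --- constructed sample packets (documentation-prefix addresses, made-up contents) ---
def ipv6_packet(next_header, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def options_header(next_header, pad_units=0):
    """Hop-by-Hop or Destination Options header padded with a single PadN option."""
    total = (pad_units + 1) * 8
    return bytes([next_header, pad_units, 1, total - 4]) + b"\x00" * (total - 4)


def fragment_header(next_header, offset=0, more=False, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def ah_header(next_header):
    # Payload Len 4 -> (4 + 2) * 4 = 24 bytes: reserved, SPI, sequence, 12-byte ICV
    return bytes([next_header, 4]) + b"\x00" * 22


SAMPLES = {
    "valid": ipv6_packet(HOP_BY_HOP, options_header(DEST_OPTS) + options_header(FRAGMENT)
                         + fragment_header(DEST_OPTS) + options_header(6) + b"\x00" * 20),
    "too_many_dest_opts": ipv6_packet(DEST_OPTS, options_header(DEST_OPTS) * 2
                                      + options_header(6) + b"\x00" * 20),
    "unknown_next_header": ipv6_packet(HOP_BY_HOP, options_header(253) + b"\x00" * 8),
    "truncated": ipv6_packet(HOP_BY_HOP, bytes([6, 5]) + b"\x00" * 6),  # claims 48 bytes, has 8
    "esp": ipv6_packet(AH, ah_header(ESP) + b"\x00" * 16),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        verdict, chain = walk_extension_headers(pkt)
        print(f"{label:20s} {verdict:60s} {' -> '.join(chain)}")
```

Two things the walk makes visible that matter at a firewall rather than at the end host: RFC 2460 phrases the occurrence rule as "should", so dropping on a second Hop-by-Hop header is a local policy decision rather than a protocol guarantee, and the "unrecognised Next Header" rule is only as good as the table of protocols the firewall recognises, since anything absent from UPPER_LAYER here is dropped. Nothing after an ESP header can be inspected at all.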
