Extension headers and firewalls

Tore Anderson tore.anderson at redpill-linpro.com
Mon Jul 23 08:04:50 CEST 2012

* Erik Kline

> > I know that (at least some models of) Brand J router ACLs can't
> > filter when there are extension headers so the packets are usually
> > just dropped. Extension headers, and by extension, fragmentation,
> > really kinda just don't work in the IPv6 world right now. :-(

Extension headers are certainly often filtered by end sites, perhaps
sometimes overzealously. But that's nothing new; the same thing is true
for ICMP, for example, or even anything that is not 80/tcp.

The good news is that ISPs and backbone carriers generally don't filter
them. So if two end sites want to communicate using functionality
provided by extension headers, and neither of them filter them, it will
likely work just fine.

* Cameron Byrne

> Perhaps this functionality should be officially deprecated.

That would take important features such as IPSEC and Mobile IPv6
down with it (both of which I've seen working over the public
IPv6 internet). Also, fragmentation is often used inside individual
end sites - I see my OSPFv3 sessions make use of it all the time,
for example.

So you can't deprecate extension headers just like that. You'll
first have to replace the functionality they offer with alternate
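The thread's point that some router ACLs "can't filter when there are extension headers" comes down to where the transport header sits: a fixed-offset ACL assumes it starts right after the 40-byte IPv6 header, while a filter that wants to keep IPsec, Mobile IPv6 and fragmentation working has to walk the chain header by header. The example below is added here and is not code from the mailing-list thread; it walks a constructed IPv6 packet's extension-header chain (formats per RFC 8200 and RFC 4302), reports where the upper-layer header is, and shows why a non-first fragment or an ESP header leaves a port-based ACL with nothing to match on. The protocol numbers, the 2001:db8:: documentation addresses and the sample packets are constructed for the example.

```python
"""Walk an IPv6 extension-header chain to locate the upper-layer header.

Added example, not from the thread. Demonstrates why a fixed-offset ACL
cannot match TCP/UDP ports once extension headers are present, and how a
chain-aware filter finds the transport header (or learns it is unreachable).
"""
from dataclasses import dataclass
from typing import List, Optional
import struct

IPV6_HDR_LEN = 40
# IANA protocol numbers used by the walker (assumed; not listed on the page).
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, NONEXT, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 59, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONEXT, DSTOPTS}
NAMES = {HOPOPT: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment", ESP: "esp",
         AH: "ah", NONEXT: "no-next-header", DSTOPTS: "dst-opts"}


@dataclass
class ChainResult:
    chain: List[str]             # extension headers seen, in order
    upper_layer: Optional[int]   # protocol number of the transport header, if reachable
    offset: Optional[int]        # byte offset of that header within the packet
    reason: str                  # why the walk stopped


def walk_chain(pkt: bytes) -> ChainResult:
    """Follow Next Header fields from the IPv6 header until a non-extension header."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HEADERS:
        chain.append(NAMES[nh])
        if nh == NONEXT:
            return ChainResult(chain, None, None, "no upper-layer header")
        if nh == ESP:
            # The ESP trailer holding the next-header byte is encrypted: nothing past here is visible.
            return ChainResult(chain, None, None, "esp: payload opaque to the filter")
        if off + 8 > len(pkt):
            return ChainResult(chain, None, None, "truncated extension header")
        if nh == FRAGMENT:
            frag_offset = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if frag_offset != 0:
                return ChainResult(chain, None, None, "non-first fragment: transport header is in another packet")
            hdr_len = 8                           # Fragment header is fixed at 8 bytes
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4      # AH Payload Len: 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8      # Hdr Ext Len: 8-octet units, excluding the first 8
        nh, off = pkt[off], off + hdr_len
    if off > len(pkt):
        return ChainResult(chain, None, None, "truncated")
    return ChainResult(chain, nh, off, "upper-layer header found")


def naive_acl_dst_port(pkt: bytes) -> Optional[int]:
    """What a fixed-offset ACL sees: transport header assumed at byte 40, else no match."""
    if pkt[6] not in (TCP, UDP):
        return None
    return struct.unpack_from("!H", pkt, IPV6_HDR_LEN + 2)[0]


def dst_port(pkt: bytes) -> Optional[int]:
    """Chain-aware lookup of the destination port; None when it cannot be determined."""
    r = walk_chain(pkt)
    if r.upper_layer in (TCP, UDP) and r.offset + 4 <= len(pkt):
        return struct.unpack_from("!H", pkt, r.offset + 2)[0]
    return None


# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def hop_by_hop(next_header: int) -> bytes:
    # Hdr Ext Len 0 (8 bytes total) carrying one PadN option: type 1, length 4, four zero bytes.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment(next_header: int, offset_units: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def tcp_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HH", sport, dport) + bytes(16)   # minimal 20-byte header, rest zeroed


PLAIN = ipv6(TCP, tcp_header(40000, 80))
HBH_FIRST_FRAG = ipv6(HOPOPT, hop_by_hop(FRAGMENT) + fragment(TCP, 0, True, 0x1234) + tcp_header(40000, 80))
SECOND_FRAG = ipv6(FRAGMENT, fragment(TCP, 185, False, 0x1234) + b"\x00" * 8)
ESP_PKT = ipv6(ESP, bytes(8))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("hbh+frag", HBH_FIRST_FRAG),
                      ("2nd frag", SECOND_FRAG), ("esp", ESP_PKT)]:
        r = walk_chain(pkt)
        print(f"{name:9} naive={naive_acl_dst_port(pkt)} chain-aware={dst_port(pkt)} "
              f"chain={r.chain} reason={r.reason}")
```

The naive lookup returns a match only for the plain packet; the chain walker still finds port 80 behind a Hop-by-Hop and first-Fragment header, and for the non-first fragment and the ESP packet it reports why no port is available, which is the state a filter must handle explicitly (by reassembling, by matching on the outer headers, or by a deliberate allow/deny for that header type) rather than silently dropping everything with a Next Header it does not recognise.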