Header of death: security implications of IPv6 extension headers to the open-source firewall

Abstract

IPv6 extension headers (EHs) contain additional information utilized by network devices (such as routers and firewalls) to determine how to direct or process an IPv6 packet. However, the use of excessive and unknown EHs can lead to the security implications such as evasion and denial of service (DoS) of the target firewall. Study revealed that there is no permanent remediation that prevents the IPv6 EHs attack from invading the open-source firewalls by default. Using IPv6 packet manipulations technique, the attacker can evade the target network including the firewall and target host that can lead to a complete unavailability of network service. The common vulnerability scoring system (CVSS) also indicates that the base, temporal, and environment metric groups of IPv6 EHs vulnerabilities were in the critical level of severity. Quick and dirty solutions such as denying and allowing packets and IP addresses as preventive measures is still one of the effective ways of defending against the EHs packet manipulation attacks, as a temporary solution to date.