The fragmentation extension header in IPv6 is used when a packet exceeds the maximum transmission unit (MTU) of a link along the delivery path. Fragmentation splits the original packet into smaller fragments that can be transmitted over the link without exceeding the MTU.
At the end of the article you will find a small test that will allow you to assess the knowledge acquired in this reading.
Fragmentation
When an IPv6 packet is fragmented, the fragmentation header is added to the beginning of each generated fragment. The fragments are transmitted individually over the network and then reassembled at the destination node.
It is important to note that fragmentation in IPv6 is not as common as in IPv4. In IPv6, fragmentation-free routing is preferred whenever possible. This means that nodes and routers along the path must be configured to handle full MTU size packets and not fragment them.
If a packet exceeds the MTU on a link, the source node should attempt to discover an alternative path or use MTU discovery techniques to avoid fragmentation.
Important aspects
Among the most important aspects of fragmentation we can detail the following:
Fragmentation on the source node
In IPv6, fragmentation is usually performed at the source node when a packet is generated that exceeds the MTU of the outgoing link. The source node splits the packet into smaller fragments and adds the fragmentation extension header to each fragment.
Each fragment has its own fragmentation header with information such as the Fragment Offset and the More Fragments flag.
Fragmentation in transit
Unlike IPv4, where routers can fragment packets in transit, in IPv6 routers are not allowed to fragment packets. This is known as “fragmentation-free routing.” Routers simply drop IPv6 packets that exceed the MTU of the link instead of fragmenting them. This reduces the processing load on routers and improves network efficiency.
Collection and reassembly
Reassembly of the fragments is performed on the destination node. The destination node uses the packet ID and the Fragment Offset field to collect the related fragments and reassemble the original packet. The More Fragments flag is used to determine when the last fragment has been received and reassembly can be completed.
Fragmentation across different links
If an IPv6 packet needs to pass over links with different MTUs, chain fragmentation can occur. In this case, the source node will fragment the original packet into fragments that fit the MTU of each link along the path. Routers will then only forward the fragments without performing additional fragmentation.
Fragmentation options
IPv6 also includes a fragmentation option called the “Jumbo Payload Option.” This option is used to send packets that exceed the maximum size allowed by the MTU of most links. The Jumbo payload option allows packets up to 4 GB in size to be fragmented and reassembled.
Fragmentation and quality of service (QoS)
Fragmentation in IPv6 can affect quality of service. When fragmenting a packet, some of the quality of service information that was present in the original packet may be lost. This can cause degradation in performance and prioritization of fragments during reassembly on the destination node.
Path MTU Discovery (PMTUD)
To avoid fragmentation in IPv6, the Path MTU Discovery mechanism is used. PMTUD allows source nodes to adjust packet sizes along the delivery path using the lowest MTU found. This prevents fragmentation and ensures efficient transmission without packet loss.
Fragmentation problems
Fragmentation in IPv6 can introduce some limitations and problems in the network:
- Processing overhead: Reassembling the fragments on the destination node may require additional processing and memory resources.
- Security issues: Fragmentation can be used in denial of service (DoS) attacks and malicious traffic hiding techniques. To mitigate these risks, some devices and networks may block or filter fragments.
- MTU Discovery: Since routers in IPv6 do not fragment packets, it is important that source nodes perform MTU discovery to determine the appropriate MTU along the delivery path. This prevents fragmentation and ensures better packet transmission efficiency.
Keep in mind that, although fragmentation in IPv6 is possible, it is recommended to avoid it whenever possible. Fragmentation-free routing and proper use of MTU discovery are critical to ensuring optimal performance and minimizing complexity in the network.
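As an added example (not code from the article), the following Python sketch puts the three steps above together: source-node fragmentation against a path MTU, parsing of the 8-byte Fragment header (Next Header, Fragment Offset, M flag, Identification), and destination-node reassembly that refuses the overlapping, missing and oversize fragments behind the DoS and evasion concerns listed in "Fragmentation problems". Header layout follows RFC 8200 section 4.5; the sample payload and Identification value are constructed.

```python
import struct

FRAG_HDR_LEN = 8         # Fragment header is always 8 bytes (RFC 8200, section 4.5)
MAX_REASSEMBLED = 65535  # largest Payload Length a 16-bit field can express

def build_fragment_header(next_header, offset_units, more, ident):
    """Pack a Fragment header; offset_units is the 13-bit Fragment Offset in 8-byte units."""
    if offset_units >= 1 << 13:
        raise ValueError("Fragment Offset does not fit in 13 bits")
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)

def parse_fragment_header(frag):
    nh, _reserved, off_res_m, ident = struct.unpack("!BBHI", frag[:FRAG_HDR_LEN])
    return {"next_header": nh, "offset": off_res_m >> 3, "more": bool(off_res_m & 1),
            "id": ident, "data": frag[FRAG_HDR_LEN:]}

def fragment(payload, next_header, ident, path_mtu, base_hdr_len=40):
    """Source-node fragmentation: base header + Fragment header + data must fit path_mtu.
    Every fragment except the last carries a multiple of 8 bytes of data."""
    room = (path_mtu - base_hdr_len - FRAG_HDR_LEN) // 8 * 8
    if room <= 0:
        raise ValueError("path MTU leaves no room for fragment data")
    frags = []
    for pos in range(0, len(payload), room):
        chunk = payload[pos:pos + room]
        more = pos + room < len(payload)
        frags.append(build_fragment_header(next_header, pos // 8, more, ident) + chunk)
    return frags

def reassemble(frags):
    """Destination-node reassembly; drops overlaps (RFC 5722), gaps, bad sizes and oversize results."""
    parts = [parse_fragment_header(f) for f in frags]
    if len({p["id"] for p in parts}) != 1:
        raise ValueError("fragments belong to different packets")
    parts.sort(key=lambda p: p["offset"])
    buf, saw_last = bytearray(), False
    for p in parts:
        start = p["offset"] * 8
        if saw_last or start != len(buf):   # data after the final fragment, overlap, or hole
            raise ValueError("overlap, gap or trailing data at offset %d" % start)
        if p["more"] and len(p["data"]) % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        buf += p["data"]
        if len(buf) > MAX_REASSEMBLED:
            raise ValueError("reassembled data exceeds 65535 bytes")
        saw_last = not p["more"]
    if not saw_last:
        raise ValueError("final fragment missing")
    return parts[0]["next_header"], bytes(buf)
```

A 3072-byte payload sent over a 1280-byte path MTU yields three fragments of 1232, 1232 and 608 bytes of data, and the reassembler rebuilds it regardless of arrival order.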
Authentication
The Authentication extension header provides a mechanism for authentication and integrity verification of IPv6 packets. This header is placed after the IPv6 extension header and before the payload header. Its main purpose is to ensure that the origin and/or content of the packet have not been altered during transmission.
The authentication process in IPv6 with the Authentication extension header involves the source of the packet generating a digital signature or message authentication code using a shared secret key or an asymmetric key. The receiver of the packet can verify the authenticity and integrity of the packet using the same key.
Scenarios
The Authentication extension header can be used in different scenarios and applications that require a high level of security and authentication. Below are some cases where this header can be used:
- Virtual Private Networks (VPNs): In VPN environments, where secure connections are established over public networks, it can be used to guarantee the authenticity of packets traveling through the VPN. This ensures that packets come from trusted sources and have not been modified in transit.
- Confidential communications: When confidential or sensitive data, such as financial or medical information, is transmitted, it is used to verify that the data has not been altered and is coming from the expected source. This provides an additional level of security and ensures the integrity of the transmitted data.
- Preventing spoofing attacks: It is used to prevent spoofing attacks. By authenticating IPv6 packets, you can ensure that they come from the correct sources and avoid accepting spoofed packets.
- Integrity verification in critical applications: In environments where data integrity is critical, such as industrial control systems or critical infrastructure, it helps ensure that commands and control data have not been modified in transit and come from authorized sources.
Importantly, use of the Authentication extension header requires an appropriate key management mechanism and security infrastructure. Additionally, both the source and the receiver must be able to perform the necessary authentication operations and share the corresponding secret or public key.
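As an added example (not code from the article), the Python sketch below shows the shared-key verification this section describes as it works on the wire: an HMAC-SHA-256-128 Integrity Check Value (RFC 4868) is computed over the packet with the fields a router may legitimately change (Traffic Class, Flow Label, Hop Limit) and the ICV field itself zeroed, as RFC 4302 prescribes, so a decremented Hop Limit still verifies while a modified payload does not. The key and addresses are constructed values, and key distribution (normally IKE) is assumed to have already happened out of band.

```python
import hmac, hashlib, struct

NH_AH = 51                       # Next Header value for the Authentication Header
ICV_LEN = 16                     # HMAC-SHA-256-128: ICV truncated to 128 bits (RFC 4868)
AH_PAD = 4                       # 12 fixed + 16 ICV = 28; padded to 32 so AH is a multiple of 8 bytes (IPv6)
AH_LEN = 12 + ICV_LEN + AH_PAD
AH_PAYLOAD_LEN = AH_LEN // 4 - 2 # "length of AH in 32-bit words, minus 2" (RFC 4302, section 2.2)
ICV_OFF = 40 + 12                # ICV follows the 40-byte base header and the 12 fixed AH bytes

KEY = b"constructed-shared-secret"                       # constructed sample key, assumed pre-shared
SRC = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (documentation prefix)
DST = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2

def ipv6_header(src, dst, payload_len, next_header, hop_limit=64, traffic_class=0, flow_label=0):
    first = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB", first, payload_len, next_header, hop_limit) + src + dst

def zero_mutable(pkt):
    """Copy of the packet with the mutable fields zeroed for ICV computation (RFC 4302):
    Traffic Class, Flow Label and Hop Limit in the base header, plus the ICV field itself."""
    p = bytearray(pkt)
    p[0], p[1:4] = 0x60, b"\x00\x00\x00"   # keep Version 6, clear Traffic Class and Flow Label
    p[7] = 0                               # Hop Limit is decremented by every router
    p[ICV_OFF:ICV_OFF + ICV_LEN] = b"\x00" * ICV_LEN
    return bytes(p)

def compute_icv(key, pkt):
    return hmac.new(key, zero_mutable(pkt), hashlib.sha256).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, upper_nh, upper_payload, spi, seq, hop_limit=64):
    """Sender side: base header, AH (Next Header, Payload Len, Reserved, SPI, Seq, ICV), upper-layer data."""
    ah = struct.pack("!BBHII", upper_nh, AH_PAYLOAD_LEN, 0, spi, seq) + b"\x00" * (ICV_LEN + AH_PAD)
    hdr = ipv6_header(src, dst, AH_LEN + len(upper_payload), NH_AH, hop_limit)
    pkt = hdr + ah + upper_payload
    return pkt[:ICV_OFF] + compute_icv(key, pkt) + pkt[ICV_OFF + ICV_LEN:]

def verify_ah(key, pkt):
    """Receiver side: recompute the ICV over the immutable fields and compare in constant time."""
    received = pkt[ICV_OFF:ICV_OFF + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(key, pkt))

def demo():
    pkt = build_ah_packet(KEY, SRC, DST, 58, b"ping", spi=0x100, seq=1)
    forwarded = bytearray(pkt); forwarded[7] -= 1   # a router decremented Hop Limit: still verifies
    tampered = bytearray(pkt); tampered[-1] ^= 0xFF # payload altered in transit: rejected
    return verify_ah(KEY, pkt), verify_ah(KEY, bytes(forwarded)), verify_ah(KEY, bytes(tampered))
```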
Encapsulating Security Payload
The Encapsulating Security Payload (ESP) extension header is used to provide security services, such as confidentiality, integrity, and authentication, to IPv6 packets. The ESP header is placed after the IPv6 extension header and before the packet payload. Its main purpose is to protect the packet data from unauthorized access and tampering during transmission.
The ESP extension header allows the source and destination systems to negotiate the cryptographic algorithms and security parameters used to protect the communication. Systems can agree to use symmetric or asymmetric encryption, as well as authenticate messages using cryptographic hash functions.
Using the ESP extension header allows you to secure sensitive communications, protect data privacy, and prevent eavesdropping and tampering attacks. However, its implementation requires proper configuration and administration, including establishing and managing encryption and authentication keys.
ESP Extension Header Features
This header has the following characteristics:
- Integration with other security services: The ESP header can be used in conjunction with other security services to provide an additional level of protection. For example, it can be combined with the use of VPN (Virtual Private Network) to create secure connections between networks or used in conjunction with firewalls and intrusion detection and prevention systems to reinforce network security.
- Performance considerations: Using the ESP extension header involves additional processing on network devices, which can impact communication performance. The cryptographic algorithms used to encrypt and authenticate data can require significant computational resources, especially in high-traffic environments. Therefore, it is important to consider the balance between security and network performance when implementing the ESP header.
- Key management and security policies: Implementation of the ESP extension header requires proper management of the security keys used for encryption and authentication. This involves generating, distributing and securely storing keys, as well as establishing security policies for their management and updating. Proper key management is essential to ensure the confidentiality and integrity of data protected by the ESP header.
- Standards Compliance: The ESP extension header follows the standards defined by the Internet Engineering Task Force (IETF) in RFC 4303. It is important to take into account the requirements and recommendations established by the standards to ensure interoperability and security in implementations of the ESP header.