Re: [v6ops] Some stats on IPv6 fragments and EH filtering on the Internet

Tim Chown <> Mon, 04 November 2013 23:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D5DB921E8180; Mon, 4 Nov 2013 15:27:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.487
X-Spam-Status: No, score=-2.487 tagged_above=-999 required=5 tests=[AWL=0.113, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PpgQjMXmkhEr; Mon, 4 Nov 2013 15:27:51 -0800 (PST)
Received: from ( [IPv6:2001:630:d0:f102::25e]) by (Postfix) with ESMTP id C217B11E8216; Mon, 4 Nov 2013 15:27:50 -0800 (PST)
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id rA4NRiaR024399; Mon, 4 Nov 2013 23:27:44 GMT
X-DKIM: Sendmail DKIM Filter v2.8.2 rA4NRiaR024399
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple;; s=201304; t=1383607664; bh=8SGFyTGc7sX1kEevSEEsTL/Yvl8=; h=Mime-Version:Subject:From:In-Reply-To:Date:References:To; b=Du2HrzdYg9aJ9hYeWImQxdAnmDcdBq1DJLD3SoSZGKUNk6TTlhU2fklRJQTq6pc4d Q4IctaJyLTfofCcEACzx+eLIu4BLblNYq1ls6dftwGWi30WV4jyO0CSCNWGtkqAdSa vxVLUXfEzNCVjmqWisWiIlkKvyCJ7J8Fjy5hcgGM=
Received: from ( [2001:630:d0:f102::25d]) by ( [2001:630:d0:f102::25e]) envelope-from <> with ESMTP (valid=N/A) id pA3NRi0959634445PQ ret-id none; Mon, 04 Nov 2013 23:27:44 +0000
Received: from ( [IPv6:2001:67c:370:160:b9a1:2be0:ee20:2896] (may be forged)) (authenticated bits=0) by (8.13.8/8.13.8) with ESMTP id rA4NREDQ022044 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 4 Nov 2013 23:27:16 GMT
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1816\))
From: Tim Chown <>
In-Reply-To: <>
Date: Mon, 4 Nov 2013 23:27:12 +0000
Content-Transfer-Encoding: quoted-printable
Message-ID: <EMEW3|dedd4c8528278c035fade0cbf2a8cb74pA3NRi03tjc||>
References: <> <>
To: "" <>, IPv6 Operations <>
X-Mailer: Apple Mail (2.1816)
X-ECS-MailScanner: Found to be clean, Found to be clean
X-smtpf-Report: sid=pA3NRi095963444500; tid=pA3NRi0959634445PQ; client=relay,ipv6; mail=; rcpt=; nrcpt=2:0; fails=0
X-ECS-MailScanner-Information: Please contact the ISP for more information
X-ECS-MailScanner-ID: rA4NRiaR024399
Subject: Re: [v6ops] Some stats on IPv6 fragments and EH filtering on the Internet
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Nov 2013 23:27:52 -0000


Also as per the IEPG discussion, the results I had in conjunction with a summer MSc project student can be summarised as follows. 

The headline is that he saw a 37.7% failure rate for the Fragmentation Header (alone), a bit better than Fernando’s results, but still not good.

He tested the top 1,000 IPv6-enabled Alexa sites.
He used the scapy toolkit which supports the four main extension header types (routing, fragmentation, destination and hop-by-hop)
He tested
a) valid combinations of those 4 extension headers as per RFC 2460
b) other non-valid combinations
c) duplicated extension headers
d) fragmentation header
Primarily TCP tests, doing HTTP GET requests.

For single extension headers, acceptance was
Routing header 63.9%
Frag header 62.3%
Hop by hop header 60%
Destination option header 15.8% 
When using no extension headers, success rate was 100%
When using multiple headers, the rates fall markedly, not dissimilar with Fernando’s numbers for longer headers.

About 120 sites accept all four types of extension headers. 

A small number of sites accepted illegal combinations/ordering of extension headers.

A more detailed set of results is being pushed to a conference paper.

I now have another student taking this further, and validating the above results, so feel free to contact me off-list if you’re interested.


On 4 Nov 2013, at 23:01, Fernando Gont <> wrote:

> Folks,
> I did a presentation on the topic at the IEPG meeting earlier this week.
> It provides some concrete data regarding IPv6 fragmentation and
> Extension Header filtering on the Internet.
> The slideware is available at:
> <>
> Certainly there's *much* more work to be done in this area, but I
> thought that this could be good food sfor some of the discussions that
> we were having on the topic.
> Thanks,
> -- 
> Fernando Gont
> e-mail: ||
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> Administrative Requests:
> --------------------------------------------------------------------