Wireshark-users: Re: [Wireshark-users] ipv6 unknown extension header

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 6 Nov 2008 17:44:58 -0800

On Nov 5, 2008, at 5:41 PM, Martin d Anjou wrote:

> I would like to know how wireshark is expected to behave in the presence
> of an "unknown" ipv6 extension header when it is formed of a Next Header,
> a Hdr Ext Len, and data. Is wireshark able to "jump" over the unknown
> extension header (using the Hdr Ext Len) and keep searching for next
> headers and eventually find L4 protocols like TCP?

No - is anything *else* able to do so?

And what indicates which unknown headers are extension headers (and should be skipped over) and which are just protocols that run over IP and that you don't happen to know about?

All I see in RFC 2460 is

In IPv6, optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.

which seems to suggest that only headers in that "small number" are non-final headers, and

If, as a result of processing a header, a node is required to proceed to the next header but the Next Header value in the current header is unrecognized by the node, it should discard the packet and send an ICMP Parameter Problem message to the source of the packet, with an ICMP Code value of 1 ("unrecognized Next Header type encountered") and the ICMP Pointer field containing the offset of the unrecognized value within the original packet. The same action should be taken if a node encounters a Next Header value of zero in any header other than an IPv6 header.

which doesn't leave much provision for intermediate nodes (or final nodes, for that matter) ignoring unknown headers.

This doesn't seem to suggest that skipping over unknown headers is necessarily the right thing to do.
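
The rule discussed in this message, as an added example (not Wireshark code and not part of the original post): a header-chain walker that skips only the Options, Routing and Fragment headers from RFC 2460 and stops at any other Next Header value, returning the offset an ICMP Parameter Problem Pointer would carry. The function names, the sample packets and the use of experimental protocol number 253 are assumptions made for the illustration; AH and ESP are left out.

```python
# Added example (not Wireshark code): walk an IPv6 header chain per RFC 2460.
OPTION_LIKE = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44               # fixed 8 octets; its second octet is reserved
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}

def walk_chain(pkt: bytes):
    """Return (status, next_header, pointer, offset); pointer is the offset
    of the Next Header field that carried the returned value."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, pointer, off = pkt[6], 6, 40
    while True:
        if nh in UPPER_LAYER:
            return ("upper-layer", nh, pointer, off)
        if nh == 0 and pointer != 6:  # zero is valid only in the IPv6 header
            return ("unrecognized", nh, pointer, off)
        if nh in OPTION_LIKE:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            size = (pkt[off + 1] + 1) * 8  # Hdr Ext Len excludes first 8 octets
        elif nh == FRAGMENT:
            size = 8
        else:
            # Unknown value: nothing says the bytes at `off` start with
            # Next Header and Hdr Ext Len, so the walker does not skip them.
            return ("unrecognized", nh, pointer, off)
        if off + size > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT and int.from_bytes(pkt[off + 2:off + 4], "big") >> 3:
            return ("non-first fragment", pkt[off], off, off + size)
        nh, pointer, off = pkt[off], off, off + size

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 header (all-zero addresses) plus payload."""
    head = bytes([0x60, 0, 0, 0]) + len(payload).to_bytes(2, "big")
    return head + bytes([next_header, 64]) + bytes(32) + payload

# Constructed samples. 253 is an experimental protocol number (RFC 3692).
DEST_OPTS = bytes([6, 0, 1, 4, 0, 0, 0, 0])   # next=TCP, Hdr Ext Len=0, PadN
UNKNOWN = bytes([6, 0]) + b"\xaa" * 6         # shaped like an extension header
TCP = bytes(20)
KNOWN_PKT = ipv6(60, DEST_OPTS + TCP)
UNKNOWN_PKT = ipv6(253, UNKNOWN + TCP)
NESTED_PKT = ipv6(60, bytes([253, 0, 1, 4, 0, 0, 0, 0]) + UNKNOWN + TCP)

if __name__ == "__main__":
    for name, p in [("known", KNOWN_PKT), ("unknown", UNKNOWN_PKT), ("nested", NESTED_PKT)]:
        print(name, walk_chain(p))
```

In UNKNOWN_PKT the bytes after the IPv6 header have the Next Header / Hdr Ext Len shape the question describes, yet the walker still reports 253 at pointer 6 rather than reaching TCP, because nothing in the packet marks 253 as an extension header.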