JUNOS forwards IPv6 link-local packets

Chris Adams cmadams at hiwaay.net
Fri Apr 27 08:56:16 CDT 2012

I found out by accident yesterday that JUNOS routers will forward IPv6
packets with a link-local source address, in direct opposition to RFC
4291.  To me, this seems to be a security hole that would be useful for
DDoS attackers, giving them a way to send traffic that is difficult to
trace back to the source.  I try to be a good "net neighbor", using uRPF
wherever possible (and other filters elsewhere) to make sure all packets
coming from my network at least look valid, but this goes right by that.

I posted over on juniper-nsp about this (more to see if I was just
missing something) and got a response that it is a known thing.  There's
a closed Juniper PR, 556860, that says this affects all JUNOS devices
except SRX (Trio platforms will get a fix starting with JUNOS 12.3).  It
doesn't sound like Juniper is going to fix this for the rest of us.

I guess I'm mainly curious to see what others think about this.
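
An added example, not part of the original message: a Python check that parses raw IPv6 headers from a capture and flags packets whose source is in fe80::/10 while the destination lies outside link scope, which is the traffic RFC 4291 says a router must not forward. The function names, the category strings and the sample packets are constructed for illustration, and the check assumes the capture was taken on a link that such packets could only reach by being forwarded.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def make_pkt(src, dst, hop_limit=64):
    """Build a constructed 40-byte IPv6 header (next header 59 = no payload)."""
    first = struct.pack("!IHBB", 6 << 28, 0, 59, hop_limit)
    return first + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed

def parse_ipv6(pkt):
    """Return (src, dst) from a raw IPv6 packet, or None if it is not one."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])

def dst_stays_on_link(dst):
    """True if the destination can be reached without crossing a router."""
    if dst.is_multicast:
        return (dst.packed[1] & 0x0F) in (1, 2)  # interface- or link-local scope
    return dst in LINK_LOCAL

def classify(pkt):
    hdr = parse_ipv6(pkt)
    if hdr is None:
        return "not-ipv6"
    src, dst = hdr
    if src not in LINK_LOCAL:
        return "ok"
    if dst_stays_on_link(dst):
        return "on-link"  # normal neighbor discovery, router discovery, etc.
    return "link-local-src-off-link"  # a router must not forward this

def flag(packets):
    """Return (src, dst) strings for packets a compliant router would not forward."""
    hits = []
    for p in packets:
        if classify(p) == "link-local-src-off-link":
            src, dst = parse_ipv6(p)
            hits.append((str(src), str(dst)))
    return hits

# Constructed sample traffic using documentation addresses (2001:db8::/32).
SAMPLE = [
    make_pkt("fe80::1", "ff02::1:ff00:1", 255),    # neighbor solicitation
    make_pkt("2001:db8:1::5", "2001:db8:2::9"),    # ordinary global traffic
    make_pkt("fe80::dead:beef", "2001:db8:2::9"),  # link-local source, remote target
]

if __name__ == "__main__":
    print(flag(SAMPLE))
```

The same match condition (source in fe80::/10, destination neither in fe80::/10 nor link-scope multicast) is what an ingress filter on the router would need to express to drop this traffic without breaking neighbor discovery.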
