JUNOS forwards IPv6 link-local packets

Chris Adams cmadams at hiwaay.net
Fri Apr 27 09:26:07 CDT 2012

Once upon a time, Jack Bates <jbates at brightok.net> said:
> On 4/27/2012 8:56 AM, Chris Adams wrote:
> >I found out by accident yesterday that JUNOS routers will forward IPv6
> >packets with a link-local source address, in direct opposition of RFC
> >4291.  To me, this seems to be a security hole that would be useful for
> >DDoS attackers, giving them a way to send traffic that is difficult to
> >trace back to the source.  I try to be a good "net neighbor", using uRPF
> >wherever possible (and other filters elsewhere) to make sure all packets
> >coming from my network at least look valid, but this goes right by that.
> Theoretically you can do a discard route and then uRPF should work with 
> it. I'm not sure if it will kill the RE traffic, though. If it does, 
> you'll have to have fail filters to allow it. :(

I don't think that will work, because there's an automatic direct route
for fe80::/64 to all interfaces with family inet6 configured.  The only
way I see around it is to apply a firewall filter to all IPv6 interfaces
that blocks anything with a source in fe80::/64 and destination _not_ in

Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

More information about the NANOG mailing list