JUNOS forwards IPv6 link-local packets
Chris Adams
cmadams at hiwaay.net
Fri Apr 27 14:26:07 UTC 2012
Once upon a time, Jack Bates <jbates at brightok.net> said:
> On 4/27/2012 8:56 AM, Chris Adams wrote:
> >I found out by accident yesterday that JUNOS routers will forward IPv6
> >packets with a link-local source address, in direct opposition of RFC
> >4291. To me, this seems to be a security hole that would be useful for
> >DDoS attackers, giving them a way to send traffic that is difficult to
> >trace back to the source. I try to be a good "net neighbor", using uRPF
> >wherever possible (and other filters elsewhere) to make sure all packets
> >coming from my network at least look valid, but this goes right by that.
>
> Theoretically you can do a discard route and then uRPF should work with
> it. I'm not sure if it will kill the RE traffic, though. If it does,
> you'll have to have fail filters to allow it. :(
I don't think that will work, because there's an automatic direct route
for fe80::/64 to all interfaces with family inet6 configured. The only
way I see around it is to apply a firewall filter to all IPv6 interfaces
that blocks anything with a source in fe80::/64 and destination _not_ in
fe80::/64.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
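The per-interface filter described in the reply above, written out as an added example (this is not configuration from the original message or from Juniper). It assumes Junos firewall-filter syntax for `family inet6` and uses the fe80::/64 prefix as given in the message (RFC 4291 reserves fe80::/10 for link-local scope; in practice the remaining bits are zero). One caveat a practitioner needs: link-local sources legitimately send to link-scope multicast (Neighbor Discovery to ff02::1, ff02::2 and solicited-node groups, OSPFv3 to ff02::5/ff02::6), so a filter that only permits fe80-to-fe80 would break neighbor discovery and routing adjacencies; the second destination prefix below keeps those working while still discarding link-local-sourced transit. The `ll-source-leak` counter name and the `ll-filter` group name are placeholders chosen here.

```junos
firewall {
    family inet6 {
        filter block-ll-transit {
            /* Link-local to link-local unicast stays on the link: allow. */
            /* Link-local to link-scope multicast (ND, RA, OSPFv3): allow. */
            term ll-on-link {
                from {
                    source-address {
                        fe80::/64;
                    }
                    destination-address {
                        fe80::/64;
                        ff02::/16;
                    }
                }
                then accept;
            }
            /* Any other packet with a link-local source is off-link
               traffic that should never be forwarded: count and drop. */
            term ll-source-leak {
                from {
                    source-address {
                        fe80::/64;
                    }
                }
                then {
                    count ll-source-leak;
                    discard;
                }
            }
            /* Everything else is unaffected by this filter. */
            term default-accept {
                then accept;
            }
        }
    }
}
/* Apply the filter as an input filter on every inet6 unit with a
   wildcard group, so newly configured interfaces inherit it. */
groups {
    ll-filter {
        interfaces {
            <*> {
                unit <*> {
                    family inet6 {
                        filter {
                            input block-ll-transit;
                        }
                    }
                }
            }
        }
    }
}
apply-groups ll-filter;
```

After commit, `show firewall filter block-ll-transit` exposes the `ll-source-leak` counter, which gives a quick way to see whether link-local-sourced packets are actually arriving on an interface before deciding whether the drop is worth logging. The wildcard group applies the filter to loopback and management units as well; if that is not wanted, set `apply-groups-except ll-filter` on those interfaces.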