JUNOS forwards IPv6 link-local packets

Phil Bedard bedard.phil at gmail.com
Fri Apr 27 10:35:57 CDT 2012


Just since I had everything hooked up I did a quick test on IOS-XR 4.2.0
on an ASR9000 and found it also forwards v6 traffic with a link-local
source address and a global destination address.  The destination was a
Juniper box which I tried to DoS using ICMPv6 echo requests.  The
200:11ff:fe00:0 is an Ixia tester a couple IOS-XR hops away...


11:21:38.051256  In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6,
echo request, seq 0, length 28
11:21:38.250659  In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6,
echo request, seq 0, length 28
11:21:38.451093  In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6,
echo request, seq 0, length 28

Which kicked in the junos ddos protection...

Apr 27 11:29:12.527 2012 jddosd[1516]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol ICMPv6:aggregate is violated at fpc 7 for 1 times, started at
2012-04-27 11:29:07 EDT, last seen at 2012-04-27 11:29:07 EDT




-Phil






On 4/27/12 9:56 AM, "Chris Adams" <cmadams at hiwaay.net> wrote:

>I found out by accident yesterday that JUNOS routers will forward IPv6
>packets with a link-local source address, in direct opposition of RFC
>4291.  To me, this seems to be a security hole that would be useful for
>DDoS attackers, giving them a way to send traffic that is difficult to
>trace back to the source.  I try to be a good "net neighbor", using uRPF
>wherever possible (and other filters elsewhere) to make sure all packets
>coming from my network at least look valid, but this goes right by that.
>
>I posted over on juniper-nsp about this (more to see if I was just
>missing something) and got a response that it is a known thing.  There's
>a closed Juniper PR, 556860, that says this affects all JUNOS devices
>except SRX (Trio platforms will get a fix starting with JUNOS 12.3).  It
>doesn't sound like Juniper is going to fix this for the rest of us.
>
>I guess I'm mainly curious to see what others think about this.
>-- 
>Chris Adams <cmadams at hiwaay.net>
>Systems and Network Administrator - HiWAAY Internet Services
>I don't speak for anybody but myself - that's enough trouble.
>





More information about the NANOG mailing list