JUNOS forwards IPv6 link-local packets
Date: Fri, 27 Apr 2012 08:56:16 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@nanog.org
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@nanog.org
I found out by accident yesterday that JUNOS routers will forward IPv6
packets with a link-local source address, in direct opposition to RFC
4291. To me, this seems to be a security hole that would be useful for
DDoS attackers, giving them a way to send traffic that is difficult to
trace back to the source. I try to be a good "net neighbor", using uRPF
wherever possible (and other filters elsewhere) to make sure all packets
coming from my network at least look valid, but this goes right by that.
I posted over on juniper-nsp about this (more to see if I was just
missing something) and got a response that it is a known thing. There's
a closed Juniper PR, 556860, that says this affects all JUNOS devices
except SRX (Trio platforms will get a fix starting with JUNOS 12.3). It
doesn't sound like Juniper is going to fix this for the rest of us.
I guess I'm mainly curious to see what others think about this.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
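The rule Chris is describing comes from RFC 4291 section 2.5.6: a router must not forward a packet whose source or destination is link-local (fe80::/10) onto another link, and that check is independent of uRPF, which only asks whether the source is reachable through the receiving interface. The following Python is an added example written for this archive page, not code from the post or from Juniper. It parses the fixed IPv6 header from raw bytes, applies the scope check to the source and destination, and tallies verdicts the way a per-term filter counter would. The packet builder, the sample packets and their addresses are constructed for the example; the audit goes slightly beyond the post by also showing that the deprecated site-local prefix (fec0::/10) and the /10 boundary are handled, which matters because a filter on fe80::/64 would miss part of the link-local range.

```python
import ipaddress
import struct

# RFC 4291 section 2.5.6: routers must not forward packets with a link-local
# source or destination address to other links. The prefix is fe80::/10,
# i.e. fe80:: through febf:ffff:..., not just fe80::/64.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Verdict strings returned by forwarding_decision().
FORWARD = "forward"
NO_FWD_SRC = "no-forward: link-local source"
NO_FWD_DST = "no-forward: link-local destination"


def parse_ipv6_header(pkt: bytes) -> dict:
    """Parse the fixed 40-byte IPv6 header (RFC 8200) from raw packet bytes."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    # Version/traffic class/flow label share the first 32-bit word.
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "payload_len": payload_len,
    }


def forwarding_decision(pkt: bytes) -> str:
    """Apply the RFC 4291 2.5.6 scope rule to a packet a router would transit.

    This is the check the post says uRPF does not perform: it looks only at
    address scope, not at whether a route back to the source exists.
    """
    hdr = parse_ipv6_header(pkt)
    if hdr["src"] in LINK_LOCAL:
        return NO_FWD_SRC
    if hdr["dst"] in LINK_LOCAL:
        return NO_FWD_DST
    return FORWARD


def build_ipv6(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv6 packet for testing (constructed, not a capture).

    Next Header 59 means 'No Next Header'; hop limit 64 is arbitrary.
    """
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    header = struct.pack("!IHBB", first_word, len(payload), 59, 64)
    return (header
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + payload)


def audit(packets) -> dict:
    """Tally verdicts over a batch, like a filter's per-term counters."""
    counts = {}
    for pkt in packets:
        verdict = forwarding_decision(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample traffic; addresses are documentation/example values.
SAMPLE_PACKETS = [
    build_ipv6("2001:db8::10", "2001:db8:1::1"),  # ordinary transit traffic
    build_ipv6("fe80::1", "2001:db8:1::1"),       # the case from the post
    build_ipv6("febf::1", "2001:db8:1::1"),       # still inside fe80::/10
    build_ipv6("2001:db8::10", "fe80::2"),        # link-local destination
    build_ipv6("fe80::1", "ff02::1"),             # on-link multicast, not transit
    build_ipv6("fec0::1", "2001:db8:1::1"),       # site-local: outside fe80::/10
]

if __name__ == "__main__":
    for verdict, n in sorted(audit(SAMPLE_PACKETS).items()):
        print(f"{n:3d}  {verdict}")
```

On a Junos box the equivalent operational fix is an input filter on transit interfaces with a term matching `source-address fe80::/10` (and another for the destination) that discards and counts, applied under `family inet6`; that configuration is my suggestion for how to implement the check above, not something the post or the cited PR prescribes.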