[152370] in North American Network Operators' Group
Re: JUNOS forwards IPv6 link-local packets
daemon@ATHENA.MIT.EDU (Jack Bates)
Fri Apr 27 10:17:37 2012
Date: Fri, 27 Apr 2012 09:16:17 -0500
From: Jack Bates <jbates@brightok.net>
To: nanog@nanog.org
In-Reply-To: <20120427135616.GA29251@hiwaay.net>
On 4/27/2012 8:56 AM, Chris Adams wrote:
> I found out by accident yesterday that JUNOS routers will forward IPv6
> packets with a link-local source address, in direct opposition to RFC
> 4291. To me, this seems to be a security hole that would be useful for
> DDoS attackers, giving them a way to send traffic that is difficult to
> trace back to the source. I try to be a good "net neighbor", using uRPF
> wherever possible (and other filters elsewhere) to make sure all packets
> coming from my network at least look valid, but this goes right by that.
>
Theoretically you can do a discard route and then uRPF should work with
it. I'm not sure if it will kill the RE traffic, though. If it does,
you'll have to have fail filters to allow it. :(
Jack
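What Jack's suggestion looks like as configuration, as an added example that is not part of either post and was not supplied by the author: a static discard route for fe80::/10 in inet6.0 so that uRPF has a route to fail on, uRPF enabled on the customer-facing interface, and a fail-filter that still admits the ICMPv6 Neighbor Discovery and Router Advertisement traffic whose source is, by design, link-local. The interface name, address and filter name are placeholders, and whether the discard route interferes with the router's own link-local control-plane traffic is exactly the open question Jack raises, so it should be checked on a lab box before going on a production RE.

```junos
/* Added example, not from the original thread. Interface, prefix and
   filter names are placeholders. */

routing-options {
    rib inet6.0 {
        static {
            /* Give uRPF a matching route for link-local sources: a
               discard route, so the reverse-path check fails for any
               packet sourced from fe80::/10 arriving on a uRPF interface. */
            route fe80::/10 discard;
        }
    }
}

firewall {
    family inet6 {
        /* Applied only to packets that FAIL the uRPF check. Neighbor
           Discovery and RA/RS legitimately use link-local sources, so
           let those through; everything else that failed uRPF is dropped. */
        filter RPF-FAIL-ALLOW-ND {
            term allow-nd {
                from {
                    next-header icmp6;
                    icmp-type [ neighbor-solicit neighbor-advertisement router-solicit router-advertisement ];
                }
                then accept;
            }
            term drop-rest {
                then {
                    count urpf-fail-drop;   /* counter for visibility */
                    discard;
                }
            }
        }
    }
}

interfaces {
    xe-0/0/0 {
        description "customer-facing, placeholder";
        unit 0 {
            family inet6 {
                /* Strict uRPF with the fail-filter above as the escape hatch
                   for control-plane traffic that must be sourced link-local. */
                rpf-check {
                    fail-filter RPF-FAIL-ALLOW-ND;
                }
                address 2001:db8:0:1::1/64;
            }
        }
    }
}
```

The counter on the final term is what makes this operationally useful: `show firewall filter RPF-FAIL-ALLOW-ND` will show whether link-local-sourced traffic from customers is actually arriving and being discarded, rather than leaving you to infer it. If ND or RA from the neighbor stops after the commit, the fail-filter is the first place to look.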