[152371] in North American Network Operators' Group
Re: JUNOS forwards IPv6 link-local packets
daemon@ATHENA.MIT.EDU (Chris Adams)
Fri Apr 27 10:27:16 2012
Date: Fri, 27 Apr 2012 09:26:07 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@nanog.org
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@nanog.org
In-Reply-To: <4F9AAA31.7010702@brightok.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Once upon a time, Jack Bates <jbates@brightok.net> said:
> On 4/27/2012 8:56 AM, Chris Adams wrote:
> > I found out by accident yesterday that JUNOS routers will forward IPv6
> > packets with a link-local source address, in direct opposition to RFC
> > 4291. To me, this seems to be a security hole that would be useful for
> > DDoS attackers, giving them a way to send traffic that is difficult to
> > trace back to the source. I try to be a good "net neighbor", using uRPF
> > wherever possible (and other filters elsewhere) to make sure all packets
> > coming from my network at least look valid, but this goes right by that.
>
> Theoretically you can do a discard route and then uRPF should work with
> it. I'm not sure if it will kill the RE traffic, though. If it does,
> you'll have to have fail filters to allow it. :(
I don't think that will work, because there's an automatic direct route
for fe80::/64 to all interfaces with family inet6 configured. The only
way I see around it is to apply a firewall filter to all IPv6 interfaces
that blocks anything with a source in fe80::/64 and destination _not_ in
fe80::/64.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
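The filter Chris describes in his reply (drop anything sourced from fe80::/64 whose destination is not in fe80::/64, applied on every interface with family inet6), written out as an added Junos configuration example; this is not configuration from the original post or from Juniper. The filter name, counter name, interface ge-0/0/0 and the 2001:db8 address are assumptions. It adds one practical exception the reply does not spell out: Neighbor Discovery and Router Advertisements are sent from link-local sources to link-scope multicast destinations (ff02::/16), and an interface input filter in Junos also sees traffic destined to the Routing Engine, so a literal "not in fe80::/64" rule would break neighbor resolution on that interface. The prefixes use the page's fe80::/64; RFC 4291 actually reserves the wider fe80::/10, so widen them if you want the filter to match the RFC rather than the auto-generated direct route.

```junos
firewall {
    family inet6 {
        /* Hypothetical filter name; apply as an input filter on every inet6 interface. */
        filter no-offlink-linklocal-src {
            /* Link-local to link-local is legitimate on-link traffic; keep it. */
            term linklocal-onlink {
                from {
                    source-address {
                        fe80::/64;
                    }
                    destination-address {
                        fe80::/64;
                    }
                }
                then accept;
            }
            /* NS/NA/RS/RA and link-scope routing protocol hellos use a
               link-local source with an ff02::/16 destination; keep them too. */
            term linklocal-to-linkscope-mcast {
                from {
                    source-address {
                        fe80::/64;
                    }
                    destination-address {
                        ff02::/16;
                    }
                }
                then accept;
            }
            /* Any other link-local-sourced packet is off-link forwarding that
               RFC 4291 says must not happen: count it for visibility, then drop. */
            term drop-linklocal-src {
                from {
                    source-address {
                        fe80::/64;
                    }
                }
                then {
                    count linklocal-src-dropped;
                    discard;
                }
            }
            /* Everything else is untouched by this filter. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed interface; repeat the filter binding on each inet6 interface. */
    ge-0/0/0 {
        unit 0 {
            family inet6 {
                filter {
                    input no-offlink-linklocal-src;
                }
                address 2001:db8:0:1::1/64;
            }
        }
    }
}
```

After committing, `show firewall filter no-offlink-linklocal-src` reports the `linklocal-src-dropped` counter, which gives you a quick way to see whether any host on that segment is actually emitting link-local-sourced traffic toward off-link destinations before and after the filter goes in.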