nanog mailing list archives
Re: JUNOS forwards IPv6 link-local packets
From: Chris Adams <cmadams () hiwaay net>
Date: Fri, 27 Apr 2012 09:26:07 -0500
Once upon a time, Jack Bates <jbates () brightok net> said:
> On 4/27/2012 8:56 AM, Chris Adams wrote:
> > I found out by accident yesterday that JUNOS routers will forward IPv6
> > packets with a link-local source address, in direct opposition of RFC
> > 4291. To me, this seems to be a security hole that would be useful for
> > DDoS attackers, giving them a way to send traffic that is difficult to
> > trace back to the source.
> >
> > I try to be a good "net neighbor", using uRPF wherever possible (and
> > other filters elsewhere) to make sure all packets coming from my network
> > at least look valid, but this goes right by that.
>
> Theoretically you can do a discard route and then uRPF should work with
> it. I'm not sure if it will kill the RE traffic, though. If it does,
> you'll have to have fail filters to allow it. :(

I don't think that will work, because there's an automatic direct route
for fe80::/64 to all interfaces with family inet6 configured. The only
way I see around it is to apply a firewall filter to all IPv6 interfaces
that blocks anything with a source in fe80::/64 and destination _not_ in
fe80::/64.

-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
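
The filter rule described in the message above, modelled as an added example (not part of the original post and not Juniper configuration) so its effect on different packet types can be checked before it is deployed. The function names, the sample addresses (2001:db8::/32 documentation space) and the optional ff02::/16 exemption are assumptions made for illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/64")        # prefix named in the post
LINK_SCOPE_MCAST = ipaddress.ip_network("ff02::/16")  # assumption: optional exemption


def filter_action(src, dst, exempt_link_multicast=False):
    """Model the rule 'source in fe80::/64 and destination not in fe80::/64'.

    Returns 'discard' or 'accept'. With exempt_link_multicast=True (a
    hypothetical extra term), link-scope multicast destinations are accepted.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != 6 or d.version != 6:
        raise ValueError("IPv6 addresses only")
    if s not in LINK_LOCAL:
        return "accept"   # rule only concerns link-local sources
    if d in LINK_LOCAL:
        return "accept"   # on-link unicast between neighbors
    if exempt_link_multicast and d in LINK_SCOPE_MCAST:
        return "accept"   # neighbor discovery and similar on-link multicast
    return "discard"      # link-local source leaving the link


# Constructed sample packets: (source, destination, description)
SAMPLES = [
    ("fe80::1", "2001:db8:1::53", "link-local source to global destination"),
    ("fe80::1", "fe80::2", "on-link neighbor to neighbor"),
    ("fe80::1", "ff02::1:ff00:2", "neighbor solicitation, solicited-node group"),
    ("fe80::1", "ff02::1", "router advertisement, all-nodes group"),
    ("2001:db8:2::10", "2001:db8:1::53", "global source to global destination"),
]


def evaluate(samples, exempt_link_multicast=False):
    """Apply the modelled rule to every sample and return the verdicts."""
    return [(src, dst, filter_action(src, dst, exempt_link_multicast))
            for src, dst, _ in samples]


if __name__ == "__main__":
    for exempt in (False, True):
        print(f"exempt_link_multicast={exempt}")
        for (src, dst, action), (_, _, note) in zip(evaluate(SAMPLES, exempt), SAMPLES):
            print(f"  {action:8} {src} -> {dst}  ({note})")
```

Run as written, the rule also matches link-local-sourced packets addressed to ff02::/16 groups, which lie outside fe80::/64, so the second pass shows the verdicts with that traffic exempted.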