Mailing List Archive: nsp: juniper

Forwarding IPv6 link-local packets?


cmadams at hiwaay

Apr 26, 2012, 1:57 PM

Post #1 of 4 (927 views)
Forwarding IPv6 link-local packets?

I noticed some (anti-spoofing) IPv6 filter drops got logged, so I went
to track down the source of the problem. Annoyingly, the source address
was a link-local address (although the destination addresses were on the
Internet). I tracked down the source (only because I don't have a lot
of IPv6 traffic yet).

My question is this: why is a packet with a link-local source forwarded
at all? I have uRPF enabled on the interface, but I guess since
fe80::/64 is considered a valid route for all IPv6 interfaces, uRPF
won't catch that. Is there any practical way to turn off link-local
forwarding, other than to apply filters to every interface?

Or am I just missing something obvious?

--
Chris Adams <cmadams [at] hiwaay>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


harry at juniper

Apr 26, 2012, 3:25 PM

Post #2 of 4 (889 views)
Re: Forwarding IPv6 link-local packets? [In reply to]

Hey Chris. This is a known issue, tracked by internal PR 573100. I will flip that to externally visible so customers can see.

Appears fixed only on Trio as of 13.3. There was talk of a possible workaround, as below, but not clear it was ever tested/confirmed:

<< possible WA:

why don't we install the link-local routes with a discard nexthop
(to match destination link-locals) and add a uRPF strict check to it
(to match source link-locals)?



harry at juniper

Apr 26, 2012, 3:31 PM

Post #3 of 4 (897 views)
Re: Forwarding IPv6 link-local packets? [In reply to]

Update. The better PR is 556860, which shows closed as not fixed. PR 573100 is considered a new feature and cannot be made visible externally. <Oops>.

I will try and flip 556860 to externally visible.

Also, I hear that SRX platforms have been fixed already. Not sure of release.

Regards



cmadams at hiwaay

Apr 26, 2012, 6:37 PM

Post #4 of 4 (884 views)
Re: Forwarding IPv6 link-local packets? [In reply to]

Once upon a time, Harry Reynolds <harry [at] juniper> said:
> Update. The better pr is 556860, which shows closed as not fixed. PR 573100 is considered a new feature and cannot be made visible externally. <Oops>.

See RFC 4291:

2.5.6. Link-Local IPv6 Unicast Addresses
...
Routers must not forward any packets with Link-Local source or
destination addresses to other links.

JUNOS forwarding such packets is a major bug and IPv6 RFC violation.
That leaves a wide-open hole for difficult-to-trace DDoS attacks from
hosts connected to Juniper routers.

I'm seeing this on my M10i routers, if it makes any difference.
--
Chris Adams <cmadams [at] hiwaay>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
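The following Python model is an added example, not code from this thread or from Junos: it ties Chris's question in post 1 (why strict uRPF passes a link-local source, since every IPv6 interface carries a connected fe80::/64 route) to the RFC 4291 section 2.5.6 rule quoted in post 4, by running both checks over constructed packets. Interface names, prefixes and addresses are assumptions made up for the illustration.

```python
"""Forwarding-plane model (added example): per-interface IPv6 FIB, strict
uRPF, and the RFC 4291 2.5.6 link-local scope check. All interfaces,
prefixes and packets are constructed for illustration, not from a router."""
import ipaddress
from typing import NamedTuple, Optional

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


class Packet(NamedTuple):
    ingress: str   # interface the packet arrived on
    src: str
    dst: str


# Constructed FIB: prefix -> egress interface. The connected fe80::/64 route
# that exists on every IPv6 interface is modelled in lookup() below.
FIB = {
    ipaddress.IPv6Network("2001:db8:1::/64"): "ge-0/0/0",
    ipaddress.IPv6Network("2001:db8:2::/64"): "ge-0/0/1",
    ipaddress.IPv6Network("::/0"): "ge-0/0/1",   # default route toward the Internet
}


def lookup(addr: str, ingress: str) -> Optional[str]:
    """Longest-prefix match. A link-local address always resolves to the
    connected fe80::/64 route of the link it was seen on."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return ingress
    best = None
    for prefix, iface in FIB.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict(pkt: Packet) -> bool:
    """Strict uRPF: the source must be reachable via the ingress interface.
    A link-local source passes on every interface, which is the gap in the thread."""
    return lookup(pkt.src, pkt.ingress) == pkt.ingress


def forward(pkt: Packet, rfc4291_check: bool = True) -> str:
    """Verdict: 'forward:<iface>' or 'drop:<reason>'. With rfc4291_check the
    router refuses to carry link-local source/destination packets to another link."""
    src, dst = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
    if not urpf_strict(pkt):
        return "drop:urpf"
    egress = lookup(pkt.dst, pkt.ingress)
    if egress is None:
        return "drop:no-route"
    if rfc4291_check and (src in LINK_LOCAL or dst in LINK_LOCAL) and egress != pkt.ingress:
        return "drop:link-local-scope"
    return "forward:" + egress
```

The packet that started the thread, a link-local source with an Internet destination, yields `forward:ge-0/0/1` with the scope check off and `drop:link-local-scope` with it on, while same-link link-local traffic such as neighbor discovery is still allowed.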
