
Just since I had everything hooked up I did a quick test on IOS-XR 4.2.0 on an ASR9000 and found it also forwards v6 traffic with a link-local source address and a global destination address. The destination was a Juniper box which I tried to DoS using ICMPv6 echo requests. The 200:11ff:fe00:0 is an Ixia tester a couple IOS-XR hops away...

    11:21:38.051256 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
    11:21:38.250659 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
    11:21:38.451093 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28

Which kicked in the junos ddos protection...

    Apr 27 11:29:12.527 2012 jddosd[1516]: DDOS_PROTOCOL_VIOLATION_SET: Protocol ICMPv6:aggregate is violated at fpc 7 for 1 times, started at 2012-04-27 11:29:07 EDT, last seen at 2012-04-27 11:29:07 EDT

-Phil

On 4/27/12 9:56 AM, "Chris Adams" <cmadams@hiwaay.net> wrote:
I found out by accident yesterday that JUNOS routers will forward IPv6 packets with a link-local source address, in direct opposition to RFC 4291. To me, this seems to be a security hole that would be useful for DDoS attackers, giving them a way to send traffic that is difficult to trace back to the source. I try to be a good "net neighbor", using uRPF wherever possible (and other filters elsewhere) to make sure all packets coming from my network at least look valid, but this goes right by that.
I posted over on juniper-nsp about this (more to see if I was just missing something) and got a response that it is a known thing. There's a closed Juniper PR, 556860, that says this affects all JUNOS devices except SRX (Trio platforms will get a fix starting with JUNOS 12.3). It doesn't sound like Juniper is going to fix this for the rest of us.
I guess I'm mainly curious to see what others think about this. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
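The scope check the thread says both vendors skip, written out as an added example (it is not code from either post, nor from Juniper or Cisco). It classifies a packet by the RFC 4291 rule that link-local-sourced traffic never leaves its link, and runs that check over tcpdump lines shaped like Phil's capture. The ordering matters for anyone turning this into an ingress filter: a filter that simply drops every fe80::/10 source also drops neighbour discovery, router advertisements and OSPFv3 hellos, which are link-local-sourced but link-local-destined, so the destination scope has to be tested first. The sample capture lines and the `classify`/`audit_capture` names are constructed for the example.

```python
"""Classify IPv6 packets by address scope before forwarding, and audit a
tcpdump log for the violation discussed in the thread: link-local source,
off-link destination.  Added example, not code from the original posts."""
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")        # RFC 4291 section 2.5.6
LINK_LOCAL_MCAST = ipaddress.IPv6Network("ff02::/16")  # multicast with link-local scope

# Verdicts a transit router's ingress filter can act on.
FORWARD = "forward"   # global source and destination: ordinary transit
ON_LINK = "on-link"   # link-local destination: never leaves this link (NDP, RA, OSPFv3)
DROP = "drop"         # link-local source, off-link destination: must not be forwarded


def classify(src: str, dst: str) -> str:
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    # Check the destination first: traffic bound to this link is consumed or
    # ignored by the router, never routed.  Dropping on source alone would
    # kill neighbour discovery and routing-protocol hellos, which are
    # legitimately link-local-sourced.
    if d in LINK_LOCAL or d in LINK_LOCAL_MCAST:
        return ON_LINK
    # Off-link destination with a link-local source: it cannot legitimately be
    # routed and cannot be traced back through any reverse path, so drop it.
    if s in LINK_LOCAL:
        return DROP
    return FORWARD


# Matches the "IP6 src > dst:" portion of a tcpdump ICMP6 line, the format
# seen in the thread (assumption: no .port suffix, i.e. not TCP/UDP lines).
_TCPDUMP = re.compile(r"IP6 (\S+) > (\S+): ")


def audit_capture(text: str):
    """Return (src, dst, verdict) for every tcpdump line that parses."""
    rows = []
    for line in text.splitlines():
        m = _TCPDUMP.search(line)
        if m:
            src, dst = m.group(1), m.group(2)
            rows.append((src, dst, classify(src, dst)))
    return rows


def violations(text: str):
    """Only the entries an RFC 4291-conformant ingress filter would have dropped."""
    return [row for row in audit_capture(text) if row[2] == DROP]


# Constructed sample: two lines modelled on the capture quoted in the thread,
# plus a legitimate router advertisement and a normal global ping, so that all
# three verdicts appear.
SAMPLE_CAPTURE = """\
11:21:38.051256 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
11:21:38.250659 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
11:21:39.000000 In IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
11:21:40.000000 In IP6 2001:db8::10 > 2001:578:101::2: ICMP6, echo request, seq 1, length 28
"""

if __name__ == "__main__":
    for src, dst, verdict in audit_capture(SAMPLE_CAPTURE):
        print(f"{verdict:8} {src} -> {dst}")
```

Run against the sample, the two link-local-sourced echo requests come back as `drop`, the RA as `on-link` and the global ping as `forward`. The same three-way split is what a router-side filter needs to express: match source fe80::/10 only when the destination is outside fe80::/10 and ff02::/16, which is the check that uRPF, as the thread reports, does not provide.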