Once upon a time, Jack Bates <[email protected]> said:
> On 4/27/2012 8:56 AM, Chris Adams wrote:
> > I found out by accident yesterday that JUNOS routers will forward IPv6 packets with a link-local source address, in direct opposition to RFC 4291. To me, this seems to be a security hole that would be useful for DDoS attackers, giving them a way to send traffic that is difficult to trace back to the source. I try to be a good "net neighbor", using uRPF wherever possible (and other filters elsewhere) to make sure all packets coming from my network at least look valid, but this goes right by that.
>
> Theoretically you can do a discard route and then uRPF should work with it. I'm not sure if it will kill the RE traffic, though. If it does, you'll have to have fail filters to allow it. :(
I don't think that will work, because there's an automatic direct route for fe80::/64 to all interfaces with family inet6 configured. The only way I see around it is to apply a firewall filter to all IPv6 interfaces that blocks anything with a source in fe80::/64 and destination _not_ in fe80::/64.

--
Chris Adams <[email protected]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
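As an added illustration (not configuration from the post or from Juniper), the following Junos `family inet6` firewall filter implements the interface-level block described above: packets sourced from a link-local address are accepted only when they stay on the link, and anything else with a link-local source is counted and discarded. Names (`no-linklocal-transit`, the counter, the `ge-0/0/0` interface) are placeholders. It goes slightly beyond the post in two ways: it matches the whole `fe80::/10` link-local block that RFC 4291 defines rather than only `fe80::/64`, and it also accepts link-local-sourced packets addressed to link-scope multicast (`ff02::/16`), because Neighbor Discovery, Router Advertisements and OSPFv3 are all sent from link-local sources to `ff02::` groups and an input filter that dropped them would take the link down.

```junos
firewall {
    family inet6 {
        filter no-linklocal-transit {
            /* Link-local source talking to a link-local destination stays on the link: allow. */
            term linklocal-to-linklocal {
                from {
                    source-address {
                        fe80::/10;
                    }
                    destination-address {
                        fe80::/10;
                    }
                }
                then accept;
            }
            /* NS/NA/RS/RA and OSPFv3 use a link-local source and a link-scope multicast
               destination; these must survive or neighbor discovery breaks. (Added beyond
               the post's fe80-to-fe80 rule.) */
            term linklocal-to-linkscope-multicast {
                from {
                    source-address {
                        fe80::/10;
                    }
                    destination-address {
                        ff02::/16;
                    }
                }
                then accept;
            }
            /* Any other packet with a link-local source would be forwarded off-link
               (the RFC 4291 violation the thread is about): count it and drop it. */
            term drop-linklocal-source {
                from {
                    source-address {
                        fe80::/10;
                    }
                }
                then {
                    count linklocal-source-dropped;
                    discard;
                }
            }
            /* Everything else is unaffected; uRPF or other filters handle it. */
            term permit-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Placeholder interface; apply as an input filter on every unit that carries family inet6. */
    ge-0/0/0 {
        unit 0 {
            family inet6 {
                filter {
                    input no-linklocal-transit;
                }
            }
        }
    }
}
```

After committing, `show firewall filter no-linklocal-transit` shows the `linklocal-source-dropped` counter, which is a cheap way to see whether any host on the segment is actually emitting off-link packets with a link-local source. The filter is per interface, so it has to be attached to each IPv6 unit (or generated via an apply-group) rather than applied once globally.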

