Just since I had everything hooked up I did a quick test on IOS-XR 4.2.0 on an ASR9000 and found it also forwards v6 traffic with a link-local source address and a global destination address. The destination was a Juniper box which I tried to DoS using ICMPv6 echo requests. The 200:11ff:fe00:0 is an Ixia tester a couple IOS-XR hops away...
11:21:38.051256 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
11:21:38.250659 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
11:21:38.451093 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28

Which kicked in the junos ddos protection...

Apr 27 11:29:12.527 2012 jddosd[1516]: DDOS_PROTOCOL_VIOLATION_SET: Protocol ICMPv6:aggregate is violated at fpc 7 for 1 times, started at 2012-04-27 11:29:07 EDT, last seen at 2012-04-27 11:29:07 EDT

-Phil

On 4/27/12 9:56 AM, "Chris Adams" <[email protected]> wrote:

>I found out by accident yesterday that JUNOS routers will forward IPv6
>packets with a link-local source address, in direct opposition of RFC
>4291. To me, this seems to be a security hole that would be useful for
>DDoS attackers, giving them a way to send traffic that is difficult to
>trace back to the source. I try to be a good "net neighbor", using uRPF
>wherever possible (and other filters elsewhere) to make sure all packets
>coming from my network at least look valid, but this goes right by that.
>
>I posted over on juniper-nsp about this (more to see if I was just
>missing something) and got a response that it is a known thing. There's
>a closed Juniper PR, 556860, that says this affects all JUNOS devices
>except SRX (Trio platforms will get a fix starting with JUNOS 12.3). It
>doesn't sound like Juniper is going to fix this for the rest of us.
>
>I guess I'm mainly curious to see what others think about this.
>--
>Chris Adams <[email protected]>
>Systems and Network Administrator - HiWAAY Internet Services
>I don't speak for anybody but myself - that's enough trouble.
>
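The condition both posters describe (a link-local source reaching a global destination through one or more router hops) is easy to check for in a packet log. The following is an added Python example, not code from this thread or from either vendor: it scans tcpdump-style lines and flags any packet whose source and destination lie in different scopes, which RFC 4291 section 2.5.6 says a router must never forward. The three echo-request lines are the ones quoted above; the two benign lines are constructed to show the rule staying quiet on normal traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the tcpdump format quoted above: the three echo
# requests from the thread, plus a normal global->global packet and a
# link-scope Neighbor Solicitation that must NOT be flagged.
SAMPLE = """\
11:21:38.051256 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
11:21:38.250659 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
11:21:38.451093 In IP6 fe80::200:11ff:fe00:0 > 2001:578:101::2: ICMP6, echo request, seq 0, length 28
11:21:39.000000 In IP6 2001:db8:1::10 > 2001:578:101::2: ICMP6, echo request, seq 1, length 28
11:21:39.100000 In IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:578:101::2, length 32
"""

# "IP6 <src> > <dst>:" as tcpdump prints ICMPv6 (no ports).
LINE_RE = re.compile(r"IP6 (\S+) > ([0-9A-Fa-f:.]+):")


def is_link_scope(addr: ipaddress.IPv6Address) -> bool:
    """True for fe80::/10 unicast and for ff02::/16 (link-scope multicast)."""
    if addr.is_link_local:
        return True
    # Multicast scope is the low nibble of the second byte; 2 = link-local.
    return addr.is_multicast and (addr.packed[1] & 0x0F) == 2


def crosses_link_scope(src: str, dst: str) -> bool:
    """Flag a packet with link scope on exactly one side: a router must not
    forward it (RFC 4291 2.5.6), so seeing it from a remote hop is a finding.
    Unparseable addresses are ignored rather than reported."""
    try:
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    except ValueError:
        return False
    return is_link_scope(s) != is_link_scope(d)


def scan(capture: str) -> Counter:
    """Count violating packets per (src, dst) pair over a text capture."""
    hits = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and crosses_link_scope(m.group(1), m.group(2)):
            hits[(m.group(1), m.group(2))] += 1
    return hits


if __name__ == "__main__":
    for (src, dst), n in scan(SAMPLE).items():
        print(f"{n} packet(s) crossing link scope: {src} -> {dst}")
```

On the capture above only the three echo requests from fe80::200:11ff:fe00:0 are reported; the per-pair counts are what you would rate-limit or alert on before the router's own DDoS protection has to step in.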

