[j-nsp] Re : IPv6 Routing Headers

hritter at videotron.ca hritter at videotron.ca
Mon Apr 23 23:09:07 EDT 2007


Slide 20 of the presentation states that RH processing can not be deavtivated on Juniper routers. Not sure whether that applies to JunOS, JunosE or both.


----- Message d'origine -----
De: Kevin Day <toasty at dragondata.com>
Date: Lundi, Avril 23, 2007 6:44 pm
Objet: [j-nsp] IPv6 Routing Headers
À: juniper-nsp at puck.nether.net

> There was a recent presentation ( http://www.secdev.org/conf/ 
> IPv6_RH_security-csw07.pdf ) on how IPv6 routing headers can be 
> used 
> as a DDOS tool - essentially you could take an entire 1280 byte 
> packet and fill it with routing headers specifying that a 
> packet 
> should keep bouncing back and forth between two hosts. They were 
> able 
> to take 4mbps of upload bandwidth from one host, and cause two 
> routers to consume 150mbps of bandwidth bouncing a packet back 
> and 
> forth. It gets worse with larger MTUs. :)
> Is there anything like "set chassis no-source-route" but for 
> IPv6 
> that will tell the router to ignore routing headers in IPv6 
> packets? 
> I know the firewall can match on packets with "from next-header 
> routing-header", but it looks like some hosts are generating 
> them to 
> force their next-hop to be changed. I don't care if packets come 
> in 
> with them, I just want our routers to ignore them.
> Any ideas?
> -- Kevin
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list