[j-nsp] Re : IPv6 Routing Headers
hritter at videotron.ca
Mon Apr 23 23:09:07 EDT 2007
Kevin,
Slide 20 of the presentation states that RH processing cannot be deactivated on Juniper routers. Not sure whether that applies to JunOS, JunosE or both.
Cheers,
----- Original Message -----
From: Kevin Day <toasty at dragondata.com>
Date: Monday, April 23, 2007 6:44 pm
Subject: [j-nsp] IPv6 Routing Headers
To: juniper-nsp at puck.nether.net
>
> There was a recent presentation
> ( http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf ) on how IPv6
> routing headers can be used as a DDOS tool - essentially you could take
> an entire 1280 byte packet and fill it with routing headers specifying
> that a packet should keep bouncing back and forth between two hosts.
> They were able to take 4mbps of upload bandwidth from one host, and
> cause two routers to consume 150mbps of bandwidth bouncing a packet
> back and forth. It gets worse with larger MTUs. :)
>
> Is there anything like "set chassis no-source-route" but for IPv6 that
> will tell the router to ignore routing headers in IPv6 packets? I know
> the firewall can match on packets with "from next-header
> routing-header", but it looks like some hosts are generating them to
> force their next-hop to be changed. I don't care if packets come in
> with them, I just want our routers to ignore them.
>
> Any ideas?
>
> -- Kevin
>
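
An added example, not part of either message and not Juniper code: a Python check that a monitoring host could run over captured IPv6 packets to find type 0 routing headers and count how many addresses on the remaining path are revisited, which is the bouncing pattern the quoted message describes. The names `find_rh0`, `assess` and `sample_packet` are hypothetical, and the test addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, DEST_OPTS = 0, 43, 60  # IPv6 Next Header values

def find_rh0(packet: bytes):
    """Walk the extension headers; return (dst, seg_left, addrs) for a type 0 routing header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    dst = ipaddress.IPv6Address(packet[24:40])
    nxt, off = packet[6], 40
    while nxt in (HOP_BY_HOP, ROUTING, DEST_OPTS) and off + 8 <= len(packet):
        hdr_next, ext_len = packet[off], packet[off + 1]
        size = (ext_len + 1) * 8          # Hdr Ext Len excludes the first 8 octets
        if off + size > len(packet):
            return None                   # truncated extension header
        if nxt == ROUTING and packet[off + 2] == 0 and ext_len % 2 == 0:
            seg_left = packet[off + 3]
            addrs = [ipaddress.IPv6Address(packet[off + 8 + 16 * i: off + 24 + 16 * i])
                     for i in range(ext_len // 2)]  # RH0 carries ext_len / 2 addresses
            return dst, seg_left, addrs
        nxt, off = hdr_next, off + size
    return None

def assess(packet: bytes):
    """Summarise the RH0 path still to be visited and count revisited addresses."""
    found = find_rh0(packet)
    if found is None:
        return None
    dst, seg_left, addrs = found
    if seg_left > len(addrs):             # Segments Left may not exceed the address count
        return {"malformed": True, "hops_left": 0, "revisits": 0}
    path = [dst] + addrs[len(addrs) - seg_left:]
    return {"malformed": False, "hops_left": seg_left,
            "revisits": len(path) - len(set(path))}

def sample_packet(waypoints, dst, src="2001:db8::1"):
    """Constructed test input: fixed header plus one RH0, no upper-layer payload."""
    packed = lambda a: ipaddress.IPv6Address(a).packed
    rh = struct.pack("!BBBBI", 59, 2 * len(waypoints), 0, len(waypoints), 0)
    rh += b"".join(packed(a) for a in waypoints)
    fixed = struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64)
    return fixed + packed(src) + packed(dst) + rh

if __name__ == "__main__":
    a, b = "2001:db8::a", "2001:db8::b"
    print(assess(sample_packet([b, a, b, a], dst=a)))   # path alternates between a and b
    print(assess(sample_packet([b, "2001:db8::c"], dst=a)))  # no address repeats
```

A non-zero `revisits` count means the remaining path returns to an address it has already listed, which distinguishes a bouncing packet from a host that uses a routing header only to steer its next hop.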