[j-nsp] Re: IPv6 Routing Headers
Kevin Oberman
oberman at es.net
Tue Apr 24 09:32:11 EDT 2007
> Date: Tue, 24 Apr 2007 03:09:07 +0000 (GMT)
> From: hritter at videotron.ca
> Sender: juniper-nsp-bounces at puck.nether.net
>
> Kevin,
>
> Slide 20 of the presentation states that RH processing cannot be
> deactivated on Juniper routers. Not sure whether that applies to
> JunOS, JunosE or both.
>
> Cheers,
The issue is the RH0 header. RH2 is not a problem and is essential to
mobile services.
Yesterday FreeBSD (which is the base OS of JUNOS) put out a patch to
its development version to disable RH0 processing. A fix which allows
processing to be enabled/disabled and filtered is expected shortly (I am
building a test version now) and Juniper should be able to include it
fairly quickly. But for now, IPv6 on Junipers is a serious problem.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
>
> ----- Original message -----
> From: Kevin Day <toasty at dragondata.com>
> Date: Monday, April 23, 2007 6:44 pm
> Subject: [j-nsp] IPv6 Routing Headers
> To: juniper-nsp at puck.nether.net
>
> >
> > There was a recent presentation ( http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf )
> > on how IPv6 routing headers can be used as a DDOS tool - essentially
> > you could take an entire 1280 byte packet and fill it with routing
> > headers specifying that a packet should keep bouncing back and forth
> > between two hosts. They were able to take 4mbps of upload bandwidth
> > from one host, and cause two routers to consume 150mbps of bandwidth
> > bouncing a packet back and forth. It gets worse with larger MTUs. :)
> >
> > Is there anything like "set chassis no-source-route" but for IPv6
> > that will tell the router to ignore routing headers in IPv6 packets?
> > I know the firewall can match on packets with "from next-header
> > routing-header", but it looks like some hosts are generating them to
> > force their next-hop to be changed. I don't care if packets come in
> > with them, I just want our routers to ignore them.
> >
> > Any ideas?
> >
> > -- Kevin
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
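An added example, not from this thread nor from Juniper's or FreeBSD's code: a small Python check that walks an IPv6 packet's extension-header chain and flags only a type-0 routing header that still has segments left (the case Kevin Oberman distinguishes from RH2), plus the arithmetic behind "fill a 1280 byte packet". The addresses (2001:db8::/32 documentation space) and the packet builder are constructed test fixtures, not captured traffic.

```python
import struct
from ipaddress import IPv6Address

ROUTING, FRAGMENT, AUTH, NO_NEXT = 43, 44, 51, 59
VARLEN_EXT = {0, ROUTING, 60}  # hop-by-hop / routing / dest-opts: ext len in 8-octet units, excluding first 8

def find_routing_header(pkt: bytes):
    """Walk the IPv6 extension-header chain. Return (routing_type, segments_left, addresses) or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while off + 8 <= len(pkt):
        if nh == ROUTING:
            ext_len, rtype, seg_left = pkt[off + 1], pkt[off + 2], pkt[off + 3]
            addrs = []
            if rtype == 0:  # RH0: 4 reserved octets, then ext_len/2 addresses of 16 octets each
                body = pkt[off + 8 : off + 8 + ext_len * 8]
                addrs = [IPv6Address(body[i:i + 16]) for i in range(0, len(body) - len(body) % 16, 16)]
            return rtype, seg_left, addrs
        if nh in VARLEN_EXT:
            nh, off = pkt[off], off + 8 + pkt[off + 1] * 8
        elif nh == FRAGMENT:  # fixed 8 octets
            nh, off = pkt[off], off + 8
        elif nh == AUTH:  # AH length field is in 4-octet units, minus 2
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:
            return None  # reached the upper-layer header without seeing a routing header
    return None

def rh0_hazard(pkt: bytes) -> bool:
    """True if a forwarding router would still honour a type-0 source route (RH0, segments left > 0).
    RH2 (Mobile IPv6) and an RH0 whose segments are already exhausted are not flagged."""
    rh = find_routing_header(pkt)
    return rh is not None and rh[0] == 0 and rh[1] > 0

def max_rh0_hops(mtu: int) -> int:
    """Hops one packet can list in a single RH0: 40-octet IPv6 header + 8-octet RH0 fixed part,
    16 octets per address, capped by the 8-bit ext-len field (254 * 8 / 16 = 127 addresses)."""
    return min(127, (mtu - 40 - 8) // 16)

def build_rh_test_packet(src: str, dst: str, hops: list, rtype: int = 0) -> bytes:
    """Constructed fixture: IPv6 header, one routing header of type `rtype` listing `hops`,
    and no upper-layer header (next header 59)."""
    addrs = b"".join(IPv6Address(h).packed for h in hops)
    rh = struct.pack("!BBBB4x", NO_NEXT, len(addrs) // 8, rtype, len(hops)) + addrs
    hdr = struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64) + IPv6Address(src).packed + IPv6Address(dst).packed
    return hdr + rh

if __name__ == "__main__":
    sample = build_rh_test_packet("2001:db8::1", "2001:db8::a", ["2001:db8::b", "2001:db8::a"] * 3)
    print(find_routing_header(sample), rh0_hazard(sample), max_rh0_hops(1280))
```

A filter that drops on `rh0_hazard` while passing RH2 is the per-packet equivalent of the enable/disable fix the reply describes; `max_rh0_hops(1280)` shows why a minimum-MTU packet already carries 77 forwarding hops.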