[j-nsp] Re: IPv6 Routing Headers

Kevin Oberman oberman at es.net
Tue Apr 24 09:32:11 EDT 2007


> Date: Tue, 24 Apr 2007 03:09:07 +0000 (GMT)
> From: hritter at videotron.ca
> Sender: juniper-nsp-bounces at puck.nether.net
> 
> Kevin,
> 
> Slide 20 of the presentation states that RH processing can not be
> deactivated on Juniper routers. Not sure whether that applies to
> JunOS, JunosE or both.
> 
> Cheers,

The issue is the RH0 header. RH2 is not a problem and is essential to
mobile services.

Yesterday FreeBSD (which is the base OS of JUNOS) put out a patch to
its development version to disable RH0 processing. A fix which allows
processing to be enabled/disabled and filtered is expected shortly (I am
building a test version now) and Juniper should be able to include it
fairly quickly. But for now, IPv6 on Junipers is a serious problem.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


> 
> ----- Original Message -----
> From: Kevin Day <toasty at dragondata.com>
> Date: Monday, April 23, 2007 6:44 pm
> Subject: [j-nsp] IPv6 Routing Headers
> To: juniper-nsp at puck.nether.net
> 
> > 
> > There was a recent presentation ( http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf )
> > on how IPv6 routing headers can be used as a DDOS tool - essentially
> > you could take an entire 1280 byte packet and fill it with routing
> > headers specifying that a packet should keep bouncing back and forth
> > between two hosts. They were able to take 4mbps of upload bandwidth
> > from one host, and cause two routers to consume 150mbps of bandwidth
> > bouncing a packet back and forth. It gets worse with larger MTUs. :)
> > 
> > Is there anything like "set chassis no-source-route" but for IPv6
> > that will tell the router to ignore routing headers in IPv6 packets?
> > I know the firewall can match on packets with "from next-header
> > routing-header", but it looks like some hosts are generating them to
> > force their next-hop to be changed. I don't care if packets come in
> > with them, I just want our routers to ignore them.
> > 
> > Any ideas?
> > 
> > -- Kevin
> > 
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> > > 
> 
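The thread turns on one distinction: a Routing Header of type 0 (RH0) lets a sender list many addresses and have routers forward the packet between them, while type 2 (RH2) carries a single home address for Mobile IPv6 and must keep working. A filter that matches only on "next-header routing-header" cannot tell the two apart. The following is an added example, not code from this thread or from Juniper or FreeBSD: a small Python inspector that walks the IPv6 extension header chain, decodes each Routing Header, and applies the policy Kevin Oberman describes (drop RH0 that still has segments to process, accept RH2). The packets it runs on are constructed inline from the RFC 2460 / RFC 3775 layouts; the addresses and the helper `build_sample` are assumptions made for the example.

```python
import struct
from ipaddress import IPv6Address

# IANA protocol numbers for the IPv6 extension headers a filter must step over
HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS, NO_NEXT_HEADER = 0, 43, 44, 51, 60, 59
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}


def _ext_header_len(nh, pkt, off):
    """Length in bytes of the extension header that starts at pkt[off]."""
    if nh == FRAGMENT:
        return 8                        # fixed size; its second octet is reserved
    if nh == AH:
        return (pkt[off + 1] + 2) * 4   # AH counts 32-bit words, excluding two
    return (pkt[off + 1] + 1) * 8       # all others count 8-octet units, excluding one


def routing_headers(pkt):
    """Walk the extension header chain and return every Routing Header found as
    (routing_type, segments_left, addresses). Addresses are decoded for RH0 and
    RH2 (both keep them after a 4-byte reserved field); other types yield []."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    found = []
    nh, off = pkt[6], 40                # next-header field, then end of fixed header
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        length = _ext_header_len(nh, pkt, off)
        if off + length > len(pkt):
            raise ValueError("extension header runs past end of packet")
        if nh == ROUTING:
            rtype, seg_left = pkt[off + 2], pkt[off + 3]
            addrs = []
            if rtype in (0, 2):
                body = pkt[off + 8:off + length]
                addrs = [IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
            found.append((rtype, seg_left, addrs))
        nh, off = pkt[off], off + length
    return found


def filter_decision(pkt):
    """Policy for a border filter: discard RH0 that a router would still act on
    (segments left > 0), accept RH2 and everything else. For a discarded packet
    also report how many times its address list revisits a host, which is the
    bouncing pattern described in the thread."""
    for rtype, seg_left, addrs in routing_headers(pkt):
        if rtype == 0 and seg_left > 0:
            return {
                "action": "discard",
                "reason": "rh0",
                "segments_left": seg_left,
                "addresses": len(addrs),
                "revisits": len(addrs) - len(set(addrs)),
            }
    return {"action": "accept"}


def build_sample(src, dst, rtype, seg_left, addrs):
    """Constructed sample for testing: fixed IPv6 header followed by exactly one
    Routing Header and no upper-layer payload (next header = No Next Header)."""
    body = b"\x00" * 4 + b"".join(IPv6Address(a).packed for a in addrs)
    # hdr-ext-len is in 8-octet units not counting the first 8; for N addresses it is 2N
    rh = struct.pack("!BBBB", NO_NEXT_HEADER, len(body) // 8, rtype, seg_left) + body
    ip = struct.pack("!IHBB", 0x60000000, len(rh), ROUTING, 64)
    return ip + IPv6Address(src).packed + IPv6Address(dst).packed + rh


if __name__ == "__main__":
    # RH0 whose list alternates between two routers: the amplification case
    bounce = build_sample("2001:db8::1", "2001:db8::a", 0, 4,
                          ["2001:db8::b", "2001:db8::a", "2001:db8::b", "2001:db8::a"])
    print(filter_decision(bounce))   # discard, revisits=2
    # RH2 from Mobile IPv6: one home address, must pass
    mobile = build_sample("2001:db8::1", "2001:db8::a", 2, 1, ["2001:db8::99"])
    print(filter_decision(mobile))   # accept
```

The walk matters as much as the match: hosts can put a Hop-by-Hop or Destination Options header in front of the Routing Header, so a check that only looks at the first next-header byte (which is all "from next-header routing-header" sees) misses or over-matches; stepping the chain and reading the routing type is what separates RH0 from RH2.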