[j-nsp] Re : IPv6 Routing Headers

Kevin Oberman oberman at es.net
Tue Apr 24 10:34:58 EDT 2007


> Date: Tue, 24 Apr 2007 16:46:30 +0300 (EEST)
> From: Pekka Savola <pekkas at netcore.fi>
> 
> On Tue, 24 Apr 2007, Kevin Oberman wrote:
> >> Kevin,
> >>
> >> Slide 20 of the presentation states that RH processing can not be
> >> deactivated on Juniper routers. Not sure whether that applies to
> >> JunOS, JunosE or both.
> >>
> >> Cheers,
> >
> > The issue is the RH0 header. RH2 is not a problem and is essential to
> > mobile services.
> >
> > Yesterday FreeBSD (which is the base OS of JUNOS) put out a patch to
> > its development version to disable RH0 processing. A fix which allows
> > processing to be enabled/disabled and filtered is expected shortly (I am
> > building a test version now) and Juniper should be able to include it
> > fairly quickly. But for now, IPv6 on Junipers is a serious problem.
> 
> Well, given that RH0 processing only happens at the RE, filtering out 
> all RH messages at the lo0 inet6 input should also fix this.

Correct. And I believe that the filtering should not be difficult.

I am now running on a system which has IPFW filtering to block
RH0. (Note to FreeBSD users: This is not even in current at this time,
but it may be there in a very short time.)

Off topic: Not just routers are subject to being used for these
attacks. The RFC currently mandates that all nodes (including end
systems) must process RH0 headers. It's not just routers nor does
routing need to be enabled to open your system.

It should be trivial for Juniper to do the same thing to JUNOS. Don't be
surprised if it shows up very quickly. (And I really hope that it
does. The Ebalard/Biondi shows several trivial, but really nasty things
that RH0 can be used for.) Until then, if you support native IPv6, you
might want to think again about it.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
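
Added example, not part of the message above and not FreeBSD, IPFW or JUNOS code: the thread's RH0-versus-RH2 distinction means a filter has to walk the IPv6 extension-header chain and read each Routing header's Routing Type byte, dropping type 0 while letting type 2 (Mobile IPv6) through. The function names and sample packets are constructed for illustration, and dropping unparseable packets is an assumption of this example.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60  # IPv6 Next Header values

def routing_types(pkt: bytes) -> list:
    """Walk the extension-header chain; return the Routing Type of each Routing header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = pkt[6], 40, []
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is always 8 bytes; the others are (Hdr Ext Len + 1) * 8.
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            found.append(pkt[off + 2])  # Routing Type: 0 = RH0, 2 = RH2 (Mobile IPv6)
        if nxt == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            break  # non-first fragment: what follows is not a header
        nxt, off = pkt[off], off + size
    return found

def verdict(pkt: bytes) -> str:
    """Drop anything carrying RH0 (or unparseable); RH2 passes."""
    try:
        return "drop" if 0 in routing_types(pkt) else "accept"
    except ValueError:
        return "drop"

# --- constructed sample packets (zeroed addresses, not captured traffic) ---
def rh(rtype, n_addrs):
    """Routing header minus its Next Header byte: len, type, segments left, reserved, addresses."""
    return ROUTING, bytes([2 * n_addrs, rtype, n_addrs]) + bytes(4 + 16 * n_addrs)

PADDED_DEST_OPTS = (DEST_OPTS, bytes([0, 1, 4, 0, 0, 0, 0]))  # one PadN option

def build(chain, upper=59):  # 59 = No Next Header
    protos = [p for p, _ in chain] + [upper]
    ext = b"".join(bytes([protos[i + 1]]) + body for i, (_, body) in enumerate(chain))
    return struct.pack("!IHBB", 6 << 28, len(ext), protos[0], 64) + bytes(32) + ext

if __name__ == "__main__":
    for name, chain in [("plain", []), ("RH0", [rh(0, 2)]), ("RH2", [rh(2, 1)]),
                        ("DestOpts+RH0", [PADDED_DEST_OPTS, rh(0, 1)])]:
        print(name, verdict(build(chain)))
```

The DestOpts+RH0 case is why a check on only the first Next Header value is not enough: the Routing header can sit behind other extension headers.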