[j-nsp] Re : IPv6 Routing Headers

Daniel Lete daniel.lete at heanet.ie
Tue Apr 24 11:31:10 EDT 2007


Now, maybe I am too innocent, but I believe Kevin's original mail does cover the 
vulnerability. As far as I can see both filters below would stop the 
vulnerability. There is no functionality for blocking Type 0, Type 1 or 
Type 2, but supposedly any of them is either not used or dangerous.



firewall {
     family inet6 {
         filter re-in-6 {
             term routing-header {
                 from {
                     next-header routing;
                 }
                 then {
                     reject;
                 }
             }
         }
     }
}

or, if we refer to RFC 2460, Section 4.4: "The Routing header is identified by a Next 
Header value of 43"

firewall {
     family inet6 {
         filter re-in-6 {
             term routing-header {
                 from {
                     next-header 43;
                 }
                 then {
                     reject;
                 }
             }
         }
     }
}

Kevin Oberman wrote:
>> Date: Tue, 24 Apr 2007 16:46:30 +0300 (EEST)
>> From: Pekka Savola <pekkas at netcore.fi>
>>
>> On Tue, 24 Apr 2007, Kevin Oberman wrote:
>>>> Kevin,
>>>>
>>>> Slide 20 of the presentation states that RH processing can not be
>>>> deactivated on Juniper routers. Not sure whether that applies to
>>>> JunOS, JunosE or both.
>>>>
>>>> Cheers,
>>> The issue is the RH0 header. RH2 is not a problem and is essential to
>>> mobile services.
>>>
>>> Yesterday FreeBSD (which is the base OS of JUNOS) put out a patch to
>>> its development version to disable RH0 processing. A fix which allows
>>> processing to be enabled/disabled and filtered is expected shortly (I am
>>> building a test version now) and Juniper should be able to include it
>>> fairly quickly. But for now, IPv6 on Junipers is a serious problem.
>> Well, given that RH0 processing only happens at the RE, filtering out 
>> all RH messages at the lo0 inet6 input should also fix this.
> 
> Correct. And I believe that the filtering should not be difficult.
> 
> I am now running on a system which has IPFW filtering to block
> RH0. (Note to FreeBSD users: This is not even in current at this time,
> but it may be there in a very short time.)
> 
> Off topic: Not just routers are subject to being used for these
> attacks. The RFC currently mandates that all nodes (including end
> systems) must process RH0 headers. It's not just routers nor does
> routing need to be enabled to open your system.
> 
> It should be trivial for Juniper to do the same thing to JUNOS. Don't be
> surprised if it shows up very quickly. (And I really hope that it
> does. The Ebalard/Biondi shows several trivial, but really nasty things
> that RH0 can be used for.) Until then, if you support native IPv6, you
> might want to think again about it.

-- 
Daniel Lete Murugarren
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301  tel: +353-1-660 9040  fax: +353-1-660 3666
web: http://www.heanet.ie/
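
The filters in this message match on Next Header 43 and do not distinguish Routing Type 0 from Type 2. As an added example (not part of the original message, and not Juniper or FreeBSD code), this Python sketch walks the IPv6 extension header chain of a captured packet and reads the Routing Type byte so RH0 can be told apart from RH2 when reviewing a capture. The sample packets, addresses and helper names are constructed for illustration.

```python
import struct

ROUTING, FRAGMENT, AH = 43, 44, 51   # Next Header values; 43 is from RFC 2460 section 4.4
HBH, DSTOPTS = 0, 60                 # other extension headers that may precede a Routing header

def find_routing_header(packet: bytes):
    """Return (routing_type, segments_left) of the first Routing header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, offset = packet[6], 40
    while next_header in (HBH, DSTOPTS, ROUTING, FRAGMENT, AH):
        if offset + 8 > len(packet):
            return None                       # truncated chain
        if next_header == ROUTING:
            return packet[offset + 2], packet[offset + 3]
        if next_header == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return None                   # non-first fragment: no header chain to walk
            length = 8
        elif next_header == AH:
            length = (packet[offset + 1] + 2) * 4
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + length
    return None

def is_rh0(packet: bytes) -> bool:
    rh = find_routing_header(packet)
    return rh is not None and rh[0] == 0

# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
ADDR = bytes.fromhex("20010db8000000000000000000000001")

def ipv6(next_header, payload=b""):
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + ADDR + ADDR + payload

def routing(rtype):   # 24 bytes: 4-byte fixed part, 4 reserved, one address; 59 = No Next Header
    return bytes([59, 2, rtype, 1]) + bytes(4) + ADDR

DSTOPTS_THEN_RH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])   # Destination Options with one PadN

SAMPLES = {
    "rh0": ipv6(ROUTING, routing(0)),
    "rh0 behind dstopts": ipv6(DSTOPTS, DSTOPTS_THEN_RH + routing(0)),
    "rh2": ipv6(ROUTING, routing(2)),
    "no routing header": ipv6(59),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} routing={find_routing_header(pkt)} rh0={is_rh0(pkt)}")
```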

