[j-nsp] Forwarding IPv6 link-local packets?
Chris Adams
cmadams at hiwaay.net
Thu Apr 26 21:37:53 EDT 2012
Once upon a time, Harry Reynolds <harry at juniper.net> said:
> Update. The better pr is 556860, which shows closed as not fixed. PR 573100 is considered a new feature and cannot be made visible externally. <Oops>.
See RFC 4291:

    2.5.6. Link-Local IPv6 Unicast Addresses
    ...
    Routers must not forward any packets with Link-Local source or
    destination addresses to other links.

JUNOS forwarding such packets is a major bug and IPv6 RFC violation.
That leaves a wide-open hole for difficult-to-trace DDoS attacks from
hosts connected to Juniper routers.
I'm seeing this on my M10i routers, if it makes any difference.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
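
Added example, not part of the original message: a defender-side check that scans exported flow records for the behaviour described above, i.e. packets with an fe80::/10 source or destination leaving on a different interface than they arrived on. The record layout `(src, dst, in_ifindex, out_ifindex)`, the convention that `out_ifindex` 0 means "not forwarded", and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # RFC 4291 section 2.5.6

# Constructed sample records: (src, dst, in_ifindex, out_ifindex).
# Assumption: out_ifindex 0 means the router consumed the packet itself
# (neighbor discovery, routing protocols) and did not forward it.
SAMPLE_FLOWS = [
    ("fe80::1", "ff02::1", 10, 0),                      # local ND traffic
    ("2001:db8:1::5", "2001:db8:2::9", 10, 20),         # normal routed flow
    ("fe80::aa:bbff:fecc:1", "2001:db8:2::9", 10, 20),  # link-local source
    ("2001:db8:1::5", "fe80::2", 10, 30),               # link-local destination
    ("192.0.2.1", "198.51.100.7", 10, 20),              # IPv4, out of scope
    ("not-an-address", "2001:db8::1", 10, 20),          # malformed record
]


def is_link_local(text):
    """True for IPv6 link-local unicast, False otherwise, None if unparseable."""
    try:
        addr = ipaddress.ip_address(text.split("%")[0])  # drop any zone id
    except ValueError:
        return None
    return addr.version == 6 and addr in LINK_LOCAL


def forwarded_link_local(flows):
    """Return flows that crossed links with a link-local src and/or dst."""
    findings = []
    for src, dst, in_if, out_if in flows:
        # Not forwarded, or sent back out the same link: not the case
        # section 2.5.6 prohibits ("to other links").
        if out_if == 0 or out_if == in_if:
            continue
        sides = [name for name, addr in (("src", src), ("dst", dst))
                 if is_link_local(addr)]
        if sides:
            findings.append((src, dst, in_if, out_if, "+".join(sides)))
    return findings


if __name__ == "__main__":
    for src, dst, in_if, out_if, side in forwarded_link_local(SAMPLE_FLOWS):
        print(f"link-local {side} forwarded: {src} -> {dst} "
              f"(ifindex {in_if} -> {out_if})")
```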