[j-nsp] Forwarding IPv6 link-local packets?

Chris Adams cmadams at hiwaay.net
Thu Apr 26 21:37:53 EDT 2012


Once upon a time, Harry Reynolds <harry at juniper.net> said:
> Update. The better PR is 556860, which shows closed as not fixed. PR 573100 is considered a new feature and cannot be made visible externally. <Oops>.

See RFC 4291:

  2.5.6. Link-Local IPv6 Unicast Addresses
    ...
    Routers must not forward any packets with Link-Local source or
    destination addresses to other links.

JUNOS forwarding such packets is a major bug and IPv6 RFC violation.
That leaves a wide-open hole for difficult-to-trace DDoS attacks from
hosts connected to Juniper routers.

I'm seeing this on my M10i routers, if it makes any difference.
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
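
The RFC 4291 rule quoted in the message above, written out as a forwarding check over raw IPv6 headers (an added example, not part of the original post and not Juniper code). The packets and interface names are constructed, and `parse_ipv6_header`, `may_forward`, `build_header` and `dropped` are hypothetical helper names.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # RFC 4291 section 2.5.6


def parse_ipv6_header(packet: bytes):
    """Return (source, destination) from a raw 40-byte IPv6 fixed header."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return (ipaddress.IPv6Address(packet[8:24]),
            ipaddress.IPv6Address(packet[24:40]))


def may_forward(packet: bytes, ingress: str, egress: str) -> bool:
    """Decide whether a packet the route lookup sends out `egress` may leave."""
    src, dst = parse_ipv6_header(packet)
    if ingress == egress:
        return True  # same link: the quoted rule only covers "other links"
    return src not in LINK_LOCAL and dst not in LINK_LOCAL


def build_header(src: str, dst: str) -> bytes:
    """Constructed sample input: fixed header, no payload (next header 59)."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


# Constructed packets using the 2001:db8::/32 documentation prefix.
# Interface names are hypothetical labels, not taken from the post.
SAMPLES = [
    ("global to global", build_header("2001:db8:1::10", "2001:db8:2::20"), "if-a", "if-b"),
    ("link-local source", build_header("fe80::1", "2001:db8:2::20"), "if-a", "if-b"),
    ("link-local destination", build_header("2001:db8:1::10", "fe80::2"), "if-a", "if-b"),
    ("link-local, same link", build_header("fe80::1", "fe80::2"), "if-a", "if-a"),
]


def dropped(samples):
    """Labels of the sample packets that must not be forwarded."""
    return [label for label, pkt, i, e in samples if not may_forward(pkt, i, e)]


if __name__ == "__main__":
    for label in dropped(SAMPLES):
        print("must not forward:", label)
```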

