[j-nsp] IPv6 firewall filter issues in Junos 10.4?

Justin M. Streiner streiner at cluebyfour.org
Mon Jun 18 01:13:25 EDT 2012


I recently brought up dual-stack IPv6 connectivity on my network, and I've 
been in the process of tweaking my ingress/egress firewall filters to 
strike a reasonable balance between functionality and security, and I've 
run into the following issue:

Periodically, processing of packets through the firewall filters, or at 
least the ingress filter, seems to stall.  I've verified this by 
attempting to browse to websites and run MTR sessions to hosts that I know 
to be IPv6-reachable.  I've found that if I deactivate my IPv6 input 
(ingress) filter on one of my upstream interfaces, commit, reactivate it, 
and then commit again, that the filter resumes normal operation.  I can 
browse to the sites I couldn't reach, and MTR traces now reach the 
destination network, rather than dying at my border routers.

I have a case open with JTAC on this, but I wanted to check if anyone here 
has run into any similar behavior.  I looked for possibly relevant bug 
reports, but I've found Juniper's bug search tool to be a little dodgy on 
occasion.

This is on a pair of M120s running Junos 10.4R9.2.  I am aware of some 
of the shortcomings of Junos IPv6 firewall filters on this platform, such 
as the possibility of IPv6 packets with appropriately crafted extension 
headers being able to bypass the filters if there is a catch-all 'accept' 
at the bottom, but I haven't heard of anything that would cause packet 
processing to stall periodically.

Nothing interesting shows up in the message log, and no IPv6 traffic shows 
up as being dropped in the output of "show firewall log".  The filter 
terms that drop specific traffic are set up to log any matches against 
those terms.

jms
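The filter layout the post describes (specific discard terms that log, a catch-all accept at the bottom) together with the deactivate/reactivate workaround, written out as an added Junos example; this is not the poster's configuration, the interface name ge-0/0/0 and filter name v6-ingress are assumptions, and per-term counters are added so that a stall can be seen in "show firewall filter" output rather than only inferred from failed MTR sessions.

```junos
# Added example, not the poster's config. ge-0/0/0 and v6-ingress are assumed names.
configure
# Specific discard terms log their matches, as in the post.
set firewall family inet6 filter v6-ingress term deny-ula-source from source-address fc00::/7
set firewall family inet6 filter v6-ingress term deny-ula-source then count ula-source
set firewall family inet6 filter v6-ingress term deny-ula-source then log
set firewall family inet6 filter v6-ingress term deny-ula-source then syslog
set firewall family inet6 filter v6-ingress term deny-ula-source then discard
set firewall family inet6 filter v6-ingress term allow-icmp6 from next-header icmp6
set firewall family inet6 filter v6-ingress term allow-icmp6 then count icmp6
set firewall family inet6 filter v6-ingress term allow-icmp6 then accept
# Catch-all accept: the post notes that on this platform packets carrying
# extension headers can fall through to it; counting it keeps that traffic visible.
set firewall family inet6 filter v6-ingress term default-accept then count default-accept
set firewall family inet6 filter v6-ingress term default-accept then accept
set interfaces ge-0/0/0 unit 0 family inet6 filter input v6-ingress
commit and-quit

# Check while an MTR to a known IPv6-reachable host is running: if no counter
# advances and "show firewall log" stays empty, the filter is stalled, not dropping.
show firewall filter v6-ingress
show firewall log

# The workaround from the post, as explicit commands: deactivate the filter,
# commit, reactivate it, commit again.
configure
deactivate interfaces ge-0/0/0 unit 0 family inet6 filter
commit
activate interfaces ge-0/0/0 unit 0 family inet6 filter
commit and-quit
```

Record the counter values before and after the deactivate/reactivate cycle; a jump in the accept counters after the second commit, with nothing in the firewall log, is the evidence worth attaching to a JTAC case.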

