Kevin,

Slide 20 of the presentation states that RH processing cannot be deactivated on Juniper routers. Not sure whether that applies to JunOS, JunosE or both.

Cheers,

----- Original Message -----
From: Kevin Day <[EMAIL PROTECTED]>
Date: Monday, April 23, 2007 6:44 pm
Subject: [j-nsp] IPv6 Routing Headers
To: juniper-nsp@puck.nether.net

> There was a recent presentation (
> http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf ) on how IPv6
> routing headers can be used as a DDOS tool - essentially you could
> take an entire 1280 byte packet and fill it with routing headers
> specifying that a packet should keep bouncing back and forth between
> two hosts. They were able to take 4mbps of upload bandwidth from one
> host, and cause two routers to consume 150mbps of bandwidth bouncing
> a packet back and forth. It gets worse with larger MTUs. :)
>
> Is there anything like "set chassis no-source-route" but for IPv6
> that will tell the router to ignore routing headers in IPv6 packets?
> I know the firewall can match on packets with "from next-header
> routing-header", but it looks like some hosts are generating them to
> force their next-hop to be changed. I don't care if packets come in
> with them, I just want our routers to ignore them.
>
> Any ideas?
>
> -- Kevin
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
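
Added example, not part of the original thread or of any Juniper tooling: a Python sketch of how a monitoring tool could walk an IPv6 extension-header chain and flag a type 0 routing header whose address list revisits the same hosts, the bouncing pattern the quoted message describes. The function names, the "any repeated hop" rule and the sample packet (built from 2001:db8::/32 documentation addresses) are assumptions made for illustration; the header layout follows RFC 2460.

```python
import ipaddress
import struct

ROUTING, FRAGMENT = 43, 44
LEN_PREFIXED = {0, ROUTING, 60}  # hop-by-hop, routing, destination options

def find_routing_header(packet: bytes):
    """Return (routing_type, segments_left, body) of the first routing header, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    while nxt in LEN_PREFIXED or nxt == FRAGMENT:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment headers are a fixed 8 bytes; the others carry a length
        # in 8-octet units that excludes the first 8 octets.
        size = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        if off + size > len(packet):
            raise ValueError("extension header overruns packet")
        if nxt == ROUTING:
            return packet[off + 2], packet[off + 3], packet[off + 8:off + size]
        nxt, off = packet[off], off + size
    return None

def assess(packet: bytes) -> dict:
    """Summarise the routing header and flag a hop list that revisits a host."""
    found = find_routing_header(packet)
    if found is None:
        return {"routing_header": False, "suspicious": False}
    rtype, segments_left, body = found
    hops = []
    if rtype == 0:  # type 0: 4 reserved bytes (already skipped), then 16-byte addresses
        hops = [ipaddress.IPv6Address(body[i:i + 16])
                for i in range(0, len(body) - 15, 16)]
    return {
        "routing_header": True,
        "routing_type": rtype,
        "segments_left": segments_left,
        "addresses": len(hops),
        "distinct": len(set(hops)),
        # Assumed rule: a legitimate source route has no reason to list a hop twice.
        "suspicious": rtype == 0 and len(set(hops)) < len(hops),
    }

def constructed_sample(hops) -> bytes:
    """Build a constructed test packet: IPv6 header + type 0 routing header, no payload."""
    rh = struct.pack("!BBBBI", 59, 2 * len(hops), 0, len(hops), 0)
    rh += b"".join(h.packed for h in hops)
    src = ipaddress.IPv6Address("2001:db8::100").packed
    return struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64) + src + hops[0].packed + rh
```
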