> Date: Tue, 24 Apr 2007 03:09:07 +0000 (GMT)
> From: [EMAIL PROTECTED]
> Sender: [EMAIL PROTECTED]
>
> Kevin,
>
> Slide 20 of the presentation states that RH processing can not be
> deactivated on Juniper routers. Not sure whether that applies to
> JunOS, JunosE or both.
>
> Cheers,

The issue is the RH0 header. RH2 is not a problem and is essential to
mobile services.

Yesterday FreeBSD (which is the base OS of JUNOS) put out a patch to
its development version to disable RH0 processing. A fix which allows
processing to be enabled/disabled and filtered is expected shortly (I
am building a test version now) and Juniper should be able to include
it fairly quickly. But for now, IPv6 on Junipers is a serious problem.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED] Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

> ----- Original Message -----
> From: Kevin Day <[EMAIL PROTECTED]>
> Date: Monday, April 23, 2007 6:44 pm
> Subject: [j-nsp] IPv6 Routing Headers
> To: juniper-nsp@puck.nether.net
>
> > There was a recent presentation (
> > http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf ) on how IPv6
> > routing headers can be used as a DDOS tool - essentially you could
> > take an entire 1280 byte packet and fill it with routing headers
> > specifying that a packet should keep bouncing back and forth between
> > two hosts. They were able to take 4mbps of upload bandwidth from one
> > host, and cause two routers to consume 150mbps of bandwidth bouncing
> > a packet back and forth. It gets worse with larger MTUs. :)
> >
> > Is there anything like "set chassis no-source-route" but for IPv6
> > that will tell the router to ignore routing headers in IPv6 packets?
> > I know the firewall can match on packets with "from next-header
> > routing-header", but it looks like some hosts are generating them to
> > force their next-hop to be changed. I don't care if packets come in
> > with them, I just want our routers to ignore them.
> >
> > Any ideas?
> >
> > -- Kevin
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
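The thread separates RH0 (the problem) from RH2 (needed for mobile services). The following is an added example, not code from this thread, FreeBSD or Juniper: a small inspector that walks a raw IPv6 packet's extension headers and tells the two types apart, so a filter can drop RH0 without breaking RH2. The function names, the drop/pass policy and the sample packets (documentation prefix 2001:db8::/32) are assumptions made for illustration.

```python
import struct
from ipaddress import IPv6Address

# IANA protocol numbers for the IPv6 extension headers walked here.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59

def find_routing_headers(packet: bytes) -> list:
    """Walk the extension-header chain; return one dict per Routing Header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, found = packet[6], 40, []
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, ext_len = packet[offset], packet[offset + 1]
        # Fragment headers are a fixed 8 bytes; the rest are (ext_len + 1) * 8.
        size = 8 if next_hdr == FRAGMENT else (ext_len + 1) * 8
        if offset + size > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            rtype, segs_left = packet[offset + 2], packet[offset + 3]
            hops = []
            if rtype == 0:  # RH0: 4 reserved bytes, then 16-byte addresses
                body = packet[offset + 8:offset + size]
                hops = [str(IPv6Address(body[i:i + 16]))
                        for i in range(0, len(body) - 15, 16)]
            # Many hops but few distinct ones is the bounce pattern described.
            found.append({"type": rtype, "segments_left": segs_left,
                          "hops": hops, "distinct_hops": len(set(hops))})
        next_hdr, offset = following, offset + size
    return found

def verdict(packet: bytes) -> str:
    """Hypothetical policy: drop anything carrying RH0, leave RH2 alone."""
    headers = find_routing_headers(packet)
    return "drop" if any(h["type"] == 0 for h in headers) else "pass"

def sample_packet(rtype: int, addrs: list) -> bytes:
    """Constructed input: IPv6 header plus one Routing Header, no payload."""
    rh = bytes([NO_NEXT, 2 * len(addrs), rtype, len(addrs)]) + bytes(4)
    rh += b"".join(IPv6Address(a).packed for a in addrs)
    src, dst = IPv6Address("2001:db8::1").packed, IPv6Address(addrs[0]).packed
    return struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64) + src + dst + rh

if __name__ == "__main__":
    bounce = sample_packet(0, ["2001:db8::a", "2001:db8::b"] * 2)  # RH0
    mobile = sample_packet(2, ["2001:db8::c"])                     # RH2
    for name, pkt in (("RH0", bounce), ("RH2", mobile)):
        print(name, verdict(pkt), find_routing_headers(pkt))
```

The walker stops at AH, ESP and any header it does not recognise, so a Routing Header placed behind one of those is not reported.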