Incorrect parsing of IPv6 packets may cause the kernel to panic



Article ID: JSA10310 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 3.0
Legacy Advisory Id:
Product Affected:
All JUNOS Internet Software built prior to January 6, 2003
The kernel is responsible for decoding the IPv6 header and optional extension headers for traffic destined to the routing engine. An error in the kernel’s parsing of these headers may result in a kernel crash, causing a system reboot.

Please see PR/32427 for more details.
Software changes made for another problem report, PR/30790, implemented stricter sanity checking on IPv6 headers before they are parsed. This change in PR/30790 also prevents the type of kernel crash described in PR/32427.
Customers using IPv6 are encouraged to upgrade to a JUNOS software release built after January 6, 2003 (JUNOS 5.5R3 or later, or JUNOS 5.6R2 or later).

For customers who are unable to upgrade their JUNOS software, a temporary workaround is to filter IPv6 packets that have an extension header or have a header with a next-header value of 0x29. The following filter blocks packets with these headers.
filter ipv6_hostprotect {
    term discard_0x29_and_ext_headers {
        from {
            next-header [ ah esp dstopts fragment hop-by-hop routing 0x29 ];
        }
        then {
            count discard_0x29_and_ext_headers;
            discard;
        }
    }
    term <...> {
    }
}
You should apply this filter as an input filter on the loopback interface.

Important note: Certain protocols running over IPv6 rely on the use of IPv6 extension headers. Filtering packets containing these headers may prevent the proper operation of these protocols. Prior to implementing this workaround, you should understand which protocols are running over IPv6 and whether they will be adversely affected by filtering extension headers.

The following protocols and applications are likely to be affected by filtering extension headers:
  • Multicast Listener Discovery (MLD) protocol: Discarding packets with a Hop-by-hop header may impact MLD, which uses the Router Alert functionality provided by this header.
  • OSPFv3: Discarding packets with a fragment header may impact OSPFv3, which uses fragments to send large LSAs.
  • Ping and traceroute: Discarding packets with a Routing header may prevent use of the loose source routing capabilities of the ping and traceroute applications.
BGP over IPv6 operation is not affected by filtering packets with extension headers.
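Added example (not part of Juniper's advisory): a Python model of the workaround term's decision, run over constructed packets for the protocols listed above, to check before deployment which routing-engine traffic the filter would drop. The function names and sample packets are hypothetical, and the model assumes the term matches only the Next Header field of the fixed IPv6 header.

```python
import struct

# Next Header values matched by the advisory's filter term (IANA protocol numbers).
FILTERED = {0: "hop-by-hop", 41: "0x29 (IPv6 encapsulation)", 43: "routing",
            44: "fragment", 50: "esp", 51: "ah", 60: "dstopts"}
HEADER_LEN = 40  # size of the fixed IPv6 header


def ipv6_header(next_header, payload=b"", hop_limit=64):
    """Build a constructed IPv6 fixed header plus payload (sample input only)."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    fixed = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return fixed + src + dst + payload


def filter_verdict(packet):
    """Return (action, reason) for one packet under the workaround term.

    Assumption: only the Next Header byte of the fixed header (offset 6)
    is compared; headers further down the chain are not walked.
    """
    if len(packet) < HEADER_LEN:
        return ("invalid", "truncated IPv6 header")
    if packet[0] >> 4 != 6:
        return ("invalid", "version field is not 6")
    next_header = packet[6]
    if next_header in FILTERED:
        return ("discard", FILTERED[next_header])
    return ("accept", "next-header %d" % next_header)


# Constructed samples, one per protocol named in the advisory's impact list.
SAMPLES = {
    "MLD (Router Alert in hop-by-hop)": ipv6_header(0, hop_limit=1),
    "OSPFv3 fragmented LSA": ipv6_header(44),
    "ping with loose source route": ipv6_header(43),
    "BGP over IPv6 (TCP)": ipv6_header(6),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-34s %s" % (name, filter_verdict(pkt)))
```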
Severity Level: