Incorrect parsing of IPv6 packets may cause the kernel to panic

[JSA10310]


Legacy Advisory Id:
PSN-2003-03-002
Product Affected:
All JUNOS Internet Software built prior to January 6, 2003
Problem:
The kernel is responsible for decoding the IPv6 header and optional extension headers for traffic destined to the routing engine. An error in the kernel’s parsing of these headers may result in a kernel crash, causing a system reboot.

Please see PR/32427 for more details.
Solution:
Software changes made for another problem report, PR/30790, implemented stricter sanity checking on IPv6 headers before they are parsed. This change in PR/30790 also prevents the type of kernel crash described in PR/32427.
Implementation:
Customers using IPv6 are encouraged to upgrade to a JUNOS software release built after January 6, 2003 (JUNOS 5.5R3 or later, or JUNOS 5.6R2 or later).

For customers who are unable to upgrade their JUNOS software, a temporary workaround is to filter IPv6 packets that have an extension header or have a header with a next-header value of 0x29. The following filter blocks packets with these headers:

filter ipv6_hostprotect {
    term discard_0x29_and_ext_headers {
        from {
            next-header [ ah esp dstopts fragment hop-by-hop routing 0x29 ];
        }
        then {
            count discard_0x29_and_ext_headers;
            discard;
        }
    }
    term <...> {
        ...
    }
}
You should apply this filter as an input filter on the loopback interface.

Important note: Certain protocols running over IPv6 rely on the use of IPv6 extension headers. Filtering packets containing these headers may prevent the proper operation of these protocols. Prior to implementing this workaround, you should understand which protocols are running over IPv6 and whether they will be adversely affected by filtering extension headers.

The following protocols and applications are likely to be affected by filtering extension headers:
  • Multicast Listener Discovery (MLD) protocol: Discarding packets with a Hop-by-hop header may impact MLD, which uses the Router Alert functionality provided by this header.
  • OSPFv3: Discarding packets with a fragment header may impact OSPFv3, which uses fragments to send large LSAs.
  • Ping and traceroute: Discarding packets with a Routing header may prevent use of the loose source routing capabilities of the ping and traceroute applications.
BGP over IPv6 operation is not affected by filtering packets with extension headers.
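The following script is an added illustration and is not code from the Juniper advisory or from JUNOS. It does two things the text above describes in prose: it walks an IPv6 extension-header chain while checking every declared length against the packet before reading it (the kind of stricter sanity checking the solution refers to), and it models which packets the workaround filter would discard by testing the first next-header value of the fixed header against the values listed in the filter term. The sample packets (an MLD-style hop-by-hop header with Router Alert, a fragment header, an IPv6-in-IPv6 packet, and a hop-by-hop header whose length field claims more bytes than are present) are constructed inline; the cap on chain length is a hypothetical value chosen for the example, and the packet builder uses 2001:db8:: documentation addresses.

```python
"""Added example (not from the Juniper advisory): walk an IPv6 extension-header
chain with the bounds checks a robust parser needs, and model which packets
the advisory's workaround filter would discard.  All packets are constructed
inline for illustration."""
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
ICMPV6 = 58
IPV6_ENCAP = 0x29          # 41: IPv6 in IPv6, listed explicitly in the filter term
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS}
FILTERED = EXT_HEADERS | {IPV6_ENCAP}   # the next-header values the filter discards
MAX_EXT_HEADERS = 8        # hypothetical cap; the advisory names no number


class MalformedPacket(ValueError):
    """Raised instead of reading past the buffer, which is the failure mode
    a missing sanity check would expose in a kernel parser."""


def parse_chain(pkt: bytes) -> list:
    """Return the list of header types after the fixed header, ending with the
    upper-layer protocol (or ESP, whose payload is opaque).  Every length is
    checked against the declared payload before the header is read."""
    if len(pkt) < IPV6_HDR_LEN:
        raise MalformedPacket("truncated fixed header")
    if pkt[0] >> 4 != 6:
        raise MalformedPacket("version field is not 6")
    payload_len, next_hdr = struct.unpack_from("!HB", pkt, 4)
    end = IPV6_HDR_LEN + payload_len
    if end > len(pkt):
        raise MalformedPacket("payload length exceeds captured bytes")
    chain = []
    off = IPV6_HDR_LEN
    while next_hdr in EXT_HEADERS:
        if len(chain) >= MAX_EXT_HEADERS:
            raise MalformedPacket("extension header chain too long")
        chain.append(next_hdr)
        if next_hdr == ESP:
            return chain                       # encrypted; nothing more to parse
        if off + 8 > end:
            raise MalformedPacket("extension header truncated")
        nxt, hdr_ext_len = pkt[off], pkt[off + 1]
        if next_hdr == FRAGMENT:
            size = 8                           # fixed-size header
        elif next_hdr == AH:
            size = (hdr_ext_len + 2) * 4       # AH length is in 4-octet units
        else:
            size = (hdr_ext_len + 1) * 8       # hop-by-hop, routing, dstopts: 8-octet units
        if off + size > end:
            raise MalformedPacket("extension header length exceeds payload")
        off += size
        next_hdr = nxt
    chain.append(next_hdr)
    return chain


def filter_would_discard(pkt: bytes) -> bool:
    """Model of the workaround term: Junos 'next-header' matches the first
    next-header value in the fixed header, so that is the only byte checked."""
    return len(pkt) >= IPV6_HDR_LEN and pkt[6] in FILTERED


def ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Build a fixed header with documentation-prefix addresses (constructed)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload


ECHO = bytes([0x80, 0, 0, 0, 0, 1, 0, 1])       # ICMPv6 echo request, checksum left zero
# Hop-by-hop header carrying a Router Alert (MLD) option plus PadN.
HBH = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])
FRAG = bytes([ICMPV6, 0]) + struct.pack("!HI", 0, 0x1234)
# Same hop-by-hop header, but hdr-ext-len claims 88 bytes that are not there.
BAD_HBH = bytes([ICMPV6, 10, 5, 2, 0, 0, 1, 0])

SAMPLES = {
    "plain_icmpv6":   ipv6(ICMPV6, ECHO),
    "mld_hop_by_hop": ipv6(HOP_BY_HOP, HBH + ECHO),
    "fragment":       ipv6(FRAGMENT, FRAG + ECHO),
    "ipv6_in_ipv6":   ipv6(IPV6_ENCAP, ipv6(ICMPV6, ECHO)),
    "oversized_hbh":  ipv6(HOP_BY_HOP, BAD_HBH + ECHO),
}


def summarize() -> dict:
    """Map sample name -> (parsed chain or 'malformed', discarded by filter)."""
    out = {}
    for name, pkt in SAMPLES.items():
        try:
            chain = parse_chain(pkt)
        except MalformedPacket:
            chain = "malformed"
        out[name] = (chain, filter_would_discard(pkt))
    return out


if __name__ == "__main__":
    for name, (chain, dropped) in summarize().items():
        print(f"{name:15} chain={chain} discarded_by_filter={dropped}")
```

Running it shows the trade-off the note above describes: the plain ICMPv6 packet passes the filter, while the MLD-style hop-by-hop packet and the fragmented packet are discarded even though they are well formed, which is why the affected-protocol list matters before the workaround is deployed. The packet with the oversized hop-by-hop length is rejected by the parser's length check rather than being read past its end, and the filter model drops it as well because its first next-header value is hop-by-hop.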
Risk Level:
None