IPv6 Route Header Type 0 (RH-0) vulnerability in JUNOS (CERT/CC VU#267289)

  [JSA10369]


Legacy Advisory Id:
PSN-2007-04-034
Product Affected:
All current releases of JUNOS.

JUNOSe and ScreenOS are not affected.
Problem:
The processing of IPv6 Type 0 Routing Headers can lead to denial of service exploits, as discussed in a recently published paper (see link below). Current "Best Practices" encourage disabling processing of RH0 extension headers, since they are of extremely limited value.

All current releases of JUNOS are susceptible to this vulnerability.

The following packet types may trigger the vulnerability:
  • packets that are destined for the router itself and contain the RH0 extension header
  • transit packets in which the first extension header is a hop-by-hop extension (Type 0) and the hop-by-hop extension is followed by an RH0 extension header (Type 43)
This vulnerability affects all J-series, M-series and T-series routers. JUNOSe and ScreenOS are not affected by this vulnerability.
Solution:
A firewall filter can be used to silently discard all IPv6 datagrams that contain the RH0 extension. The following firewall filter will cause packets containing the RH0 extension header to be silently discarded.
firewall {
    family inet6 {
        filter filter_v6_rh {
            term 0 {
                from {
                    next-header [hop-by-hop routing];
                }
                then {
                    discard;
                }
            }
        }
    }
}
(In this firewall filter, it is preferred to use the keywords hop-by-hop and routing to identify the header types to match, rather than using numeric values 0 and 43 respectively.)

This filter should be applied to every logical interface on the router or, alternatively, applied to the forwarding table. For instructions on how to apply a firewall filter to an interface or to a forwarding table, refer to the URLs in the Related Links section below.
Implementation:
This filter will cause all packets in which the first extension header is a hop-by-hop or routing options header to be discarded; this includes both transit packets and packets addressed to the router itself. Note that stopping hop-by-hop packets may have consequences for IPv6 operations such as MLD and Router Alert.
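As an added illustration (not part of the advisory and not JUNOS code), the following Python walks the IPv6 extension-header chain of constructed sample packets and contrasts a check that looks for a type 0 routing header anywhere in the chain with the advisory's filter, which matches only on the first next-header. It shows why that filter also discards hop-by-hop traffic such as MLD that carries no RH0 at all. The addresses and the ICMPv6 stub are placeholders built for the example.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6, TCP = 0, 43, 44, 60, 58, 6
CHAINED = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def ext_headers(pkt):
    """Walk the extension-header chain; return [(header_type, routing_type_or_None), ...]."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in CHAINED:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 octets; the others occupy (hdr_ext_len + 1) * 8 octets.
        size = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        chain.append((nh, pkt[off + 2] if nh == ROUTING else None))
        nh, off = pkt[off], off + size
    return chain

def contains_rh0(pkt):
    """True only when a Routing Header of type 0 is present somewhere in the chain."""
    return any(t == ROUTING and r == 0 for t, r in ext_headers(pkt))

def junos_filter_discards(pkt):
    """Mirror the advisory's filter: match when the first next-header is hop-by-hop or routing."""
    return pkt[6] in (HOP_BY_HOP, ROUTING)

# --- constructed sample packets; 2001:db8::/32 is the documentation prefix ---
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
VIA = bytes.fromhex("20010db8000000000000000000000003")

def ipv6(nh, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload

def rh0(nh, *addrs):
    # next header, hdr ext len (8-octet units minus one), routing type 0, segments left, reserved
    return bytes([nh, 2 * len(addrs), 0, len(addrs)]) + b"\0" * 4 + b"".join(addrs)

def hbh_router_alert(nh):
    # 8 octets: next header, len 0, Router Alert option (type 5, len 2, value 0 = MLD), PadN
    return bytes([nh, 0, 5, 2, 0, 0, 1, 0])

ICMP = bytes([128, 0, 0, 0])  # constructed ICMPv6 echo stub, checksum not computed

PKT_RH0     = ipv6(ROUTING, rh0(ICMPV6, VIA, DST) + ICMP)                              # RH0 first
PKT_HBH_RH0 = ipv6(HOP_BY_HOP, hbh_router_alert(ROUTING) + rh0(ICMPV6, VIA, DST) + ICMP)  # hop-by-hop then RH0
PKT_MLD     = ipv6(HOP_BY_HOP, hbh_router_alert(ICMPV6) + ICMP)                         # hop-by-hop, no RH0
PKT_TCP     = ipv6(TCP, b"\0" * 20)                                                     # no extension headers
```

Running the checks over the four packets shows that `contains_rh0` flags only the first two, while `junos_filter_discards` also drops `PKT_MLD`, which is the collateral effect the Implementation note describes.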
Related Links:
Risk Level:
High
Risk Assessment:
IPv6 routing headers can be crafted so that a packet keeps bouncing between two hosts, thus creating a Distributed Denial of Service (DDoS) attack on the link.