
[ScreenOS] How to block 'type 0' routing extension header on the firewall


Article ID: KB23455 | Last Updated: 25 Sep 2019 | Version: 3.0
Summary:

The Routing extension header lets a packet's source list one or more intermediate nodes that must be 'visited' on the way to the packet's destination. It is analogous to source routing in IPv4.

The Routing Type is one of the six fields in the routing extension header format; it allows multiple routing types to be defined. The defined routing types are:

  • Type 0: Primarily used by attackers.
  • Type 1: Defined by Nimrod. This type is unused.
  • Type 2: Used by MIPv6 and understood only by MIPv6-compliant stacks.
Symptoms:
  • A single type 0 routing header may contain multiple intermediate node addresses, and the same address may appear more than once in the same header.
  • This allows a packet to be constructed so that it oscillates between two processing hosts or routers many times, giving the attacker traffic amplification.
  • The resulting load can congest arbitrary remote paths and so act as a denial-of-service mechanism.
Solution:

To prevent this on a ScreenOS firewall with IPv6 functionality enabled, a change has been introduced from ScreenOS 6.3r8 onwards. You can block either all routing header types or one specific type, depending on the requirement.

  1. Create a custom service that matches routing header type 0, using the following command:
    set service <service name> protocol routing-ext-hdr type 0
  2. Invoke the service in a policy with the action set to deny. Place the policy at the top of the rule base so it is evaluated before any permit policy.
  3. Alternatively, to block all routing header types, define the service with the following command instead:
    set service <service name> protocol routing-ext-hdr all
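The following Python is an added illustration and is not part of this article or of ScreenOS. It walks the IPv6 extension-header chain of a raw packet to locate the Routing header, decodes its Routing Type, Segments Left and address list as laid out in RFC 2460, and then reports what the Symptoms section describes (several hops, the same address repeated) together with which of the two service definitions above ('type 0' or 'all') would match the packet. How ScreenOS itself implements the match is not described on the page; the classification here is an assumption based on the two commands. The three sample packets are constructed in the script as fixtures and are never transmitted.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Extension headers whose first two octets are (Next Header, Hdr Ext Len in
# 8-octet units, excluding the first 8 octets), so the chain can be walked.
# Fragment (44) and AH (51) use different length rules and are deliberately
# left out: reaching one simply ends the walk.
IPV6_ROUTING = 43
WALKABLE_EXT = {0, 43, 60, 135}   # hop-by-hop, routing, dest options, mobility
NO_NEXT_HEADER = 59


def find_routing_header(packet: bytes) -> Optional[Tuple[int, int, List[str]]]:
    """Walk the extension-header chain of a raw IPv6 packet and return
    (routing_type, segments_left, addresses) for the first Routing header,
    or None if the packet carries none."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = packet[6]
    offset = 40
    while next_hdr in WALKABLE_EXT:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        hdr_len = (ext_len + 1) * 8
        if offset + hdr_len > len(packet):
            raise ValueError("extension header runs past end of packet")
        if next_hdr == IPV6_ROUTING:
            rtype, seg_left = packet[offset + 2], packet[offset + 3]
            data = packet[offset + 8 : offset + hdr_len]
            # Types 0 and 2 carry a list of 16-octet addresses after the
            # 8-octet fixed part; decode it whenever the length allows.
            addrs: List[str] = []
            if len(data) % 16 == 0:
                addrs = [str(ipaddress.IPv6Address(data[i : i + 16]))
                         for i in range(0, len(data), 16)]
            return rtype, seg_left, addrs
        next_hdr, offset = nh, offset + hdr_len
    return None


def assess_routing_header(packet: bytes) -> Dict[str, object]:
    """Classify a packet the way the two service definitions in the KB are
    assumed to ('routing-ext-hdr type 0' vs 'routing-ext-hdr all') and report
    the amplification indicators: hop list, repeated addresses, Segments Left."""
    found = find_routing_header(packet)
    if found is None:
        return {"routing_header": False, "matches_type0_service": False,
                "matches_all_service": False}
    rtype, seg_left, addrs = found
    return {
        "routing_header": True,
        "type": rtype,
        "segments_left": seg_left,
        "addresses": addrs,
        "repeated_addresses": len(addrs) != len(set(addrs)),
        "matches_type0_service": rtype == 0,
        "matches_all_service": True,
    }


# --- constructed sample packets (test fixtures only, never sent) -----------
SRC = "2001:db8:1::10"
DST = "2001:db8:2::20"


def _ipv6(payload: bytes, next_hdr: int) -> bytes:
    """Fixed 40-octet IPv6 header followed by the given payload."""
    fixed = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64,
                        ipaddress.IPv6Address(SRC).packed,
                        ipaddress.IPv6Address(DST).packed)
    return fixed + payload


def _routing_header(rtype: int, addrs: List[str]) -> bytes:
    """Routing header (RFC 2460 layout) listing the given hops, last in chain."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBBI", NO_NEXT_HEADER, len(body) // 8, rtype,
                       len(addrs), 0) + body


# Type 0 header listing the same two hops twice, as the Symptoms describe.
RH0_PING_PONG = _ipv6(_routing_header(0, ["2001:db8:a::1", "2001:db8:b::1"] * 2),
                      IPV6_ROUTING)
# Type 2 header as used by Mobile IPv6: a single home address.
RH2_MOBILE = _ipv6(_routing_header(2, ["2001:db8:c::1"]), IPV6_ROUTING)
# Hop-by-hop options header (one PadN option) then TCP: no routing header.
PLAIN_HBH = _ipv6(struct.pack("!BB6s", 6, 0, b"\x01\x04\x00\x00\x00\x00"), 0)

if __name__ == "__main__":
    for name, pkt in [("rh0", RH0_PING_PONG), ("rh2", RH2_MOBILE), ("hbh", PLAIN_HBH)]:
        print(name, assess_routing_header(pkt))
```

Running the script shows the difference between the two service definitions: the type 2 Mobile IPv6 packet is matched only by the 'all' service, so choosing 'all' on a firewall in front of MIPv6 hosts blocks legitimate traffic, while 'type 0' catches the oscillating packet alone.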
Modification History:
2019-09-24: Minor, non-technical update.