[SRX] Screening for IPv6 traffic

Article ID: KB36247   KB Last Updated: 29 Sep 2020   Version: 1.0
Summary:

Screen options protect against malicious information-gathering probes and attacks by analyzing Layer 2, Layer 3 and/or Layer 4 headers.
This article summarizes the screen features, both statistics-based and signature-based, that are supported for IPv6 traffic on SRX devices.

Solution:

By default, SRX devices do not forward IPv6 traffic; every IPv6 packet is dropped. This default can be changed to either flow-based or packet-based processing. Packet-based processing applies only firewall filters and class of service (CoS). Flow-based processing creates sessions and processes traffic with both the packet-based features (firewall filters and CoS) and the flow-based features (screens and security policies). Screens are a flow-based feature, so flow-based processing must be enabled before any screen option can act on IPv6 traffic. It is enabled with the following command:

user@host# set security forwarding-options family inet6 mode ?
Possible completions:
  drop                 Disable forwarding
  flow-based           Enable flow-based forwarding
  packet-based         Enable packet-based forwarding
[edit]

user@host# set security forwarding-options family inet6 mode flow-based

No new CLI commands are needed to enable these screen options for IPv6: the same commands used for IPv4 apply to IPv6 traffic once inet6 is in flow-based mode. The supported screens are listed below. TARGET-RELEASE is the Junos release that introduced IPv6 support for the screen, and V4/V6 is the address family the screen applies to; N/A marks IPv4-only screens.


NAME                   TARGET-RELEASE   PLATFORM   DEPENDENCY   V4/V6
winnuke                10.2             ALL        Basic Flow   4, 6
syn-frag               10.2             ALL        Basic Flow   4, 6
tcp-no-flag            10.2             ALL        Basic Flow   4, 6
syn-fin                10.2             ALL        Basic Flow   4, 6
fin-no-ack             10.2             ALL        Basic Flow   4, 6
ping-death             10.2             ALL        Basic Flow   4, 6
icmp-fragment          10.2             ALL        Basic Flow   4, 6
icmp-large             10.2             ALL        Basic Flow   4, 6
land                   10.2             ALL        Basic Flow   4, 6
unknown-protocol       10.2             ALL        Basic Flow   4, 6
block-frag             10.2             ALL        Basic Flow   4, 6
ip-loose-src-route     10.2             ALL        Basic Flow   4, 6
port-scan              10.2             ALL        Basic Flow   4, 6
ip-sweep               10.2             ALL        Basic Flow   4, 6
limit-session-src      10.2             ALL        Basic Flow   4, 6
limit-session-dst      10.2             ALL        Basic Flow   4, 6
syn-flood              10.2             ALL        Basic Flow   4, 6
syn-flood-src          10.2             ALL        Basic Flow   4, 6
syn-flood-dst          10.2             ALL        Basic Flow   4, 6
icmp-flood             10.2             ALL        Basic Flow   4, 6
udp-flood              10.2             ALL        Basic Flow   4, 6
tear-drop              10.2             ALL        Basic Flow   4, 6
syn-proxy/syn-cookie   10.4             ALL        Basic Flow   4, 6
syn-ack-ack-proxy      10.4             ALL        Auth         4, 6
ip-spoofing            10.4             ALL        Flow         4, 6
ip-bad-option          N/A              N/A        N/A          4
ip-record-route        N/A              N/A        N/A          4
ip-security-opt        N/A              N/A        N/A          4
ip-stream-opt          N/A              N/A        N/A          4
ip-strict-src-route    N/A              N/A        N/A          4
ip-timestamp-opt       N/A              N/A        N/A          4

Because the TCP header is the same whether it is carried over IPv4 or IPv6, the TCP screen options are unchanged for IPv6 networks. The screens in the table above gained IPv6 support in Junos 10.2 or 10.4. The IPv4 option screens marked N/A have no IPv6 counterpart, since IPv6 has no options field in the base header.

New CLI commands were introduced in 12.1X46-D10 for the enhanced IPv6 screen options ipv6-extension-header, ipv6-extension-header-limit, ipv6-malformed-header and icmpv6-malformed, and additional screening criteria were added to the existing ip bad-option screen. Details of these enhanced screen options are in the section Understanding IPv6 Support for Screens.

In 12.3X48-D10, IPv6 tunnel screens were added.

CLI details: tunnel (Security Screen)
Screen tunneling details: Understanding Screen IPv6 Tunneling Control
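The following configuration walks the whole procedure from this article end to end: it switches inet6 to flow-based processing, builds one screen profile from the IPv4/IPv6 screens in the table, adds the 12.1X46-D10 IPv6 header screens and the 12.3X48-D10 tunnel screens, binds the profile to a zone and verifies the result. This is an added example, not configuration taken from the original article or from Juniper documentation. The zone name untrust, the profile name v6-untrust-screen, the interface ge-0/0/0.0 and every threshold value are assumptions chosen for illustration; thresholds must be tuned to the traffic actually seen on the zone, and the header and tunnel screens in steps 3 and 4 only exist on releases at or after the ones named.

```junos
## Added example, not from the original article. Zone, profile, interface
## and threshold values are assumptions; tune thresholds to your own traffic.

## 1. Screens are flow-based, so inet6 must leave the default "drop" mode.
##    On SRX platforms the mode change takes effect only after a reboot;
##    commit warns when one is required.
set security forwarding-options family inet6 mode flow-based

## 2. Screen profile. These keywords are the same ones used for IPv4; with
##    inet6 in flow-based mode they inspect IPv6 sessions as well.
## Signature-based checks from the table (TCP/ICMP/IP header anomalies)
set security screen ids-option v6-untrust-screen tcp winnuke
set security screen ids-option v6-untrust-screen tcp syn-frag
set security screen ids-option v6-untrust-screen tcp tcp-no-flag
set security screen ids-option v6-untrust-screen tcp syn-fin
set security screen ids-option v6-untrust-screen tcp fin-no-ack
set security screen ids-option v6-untrust-screen tcp land
set security screen ids-option v6-untrust-screen icmp ping-death
set security screen ids-option v6-untrust-screen icmp fragment
set security screen ids-option v6-untrust-screen icmp large
set security screen ids-option v6-untrust-screen ip tear-drop
set security screen ids-option v6-untrust-screen ip block-frag
set security screen ids-option v6-untrust-screen ip unknown-protocol
set security screen ids-option v6-untrust-screen ip spoofing
set security screen ids-option v6-untrust-screen ip loose-source-route-option
## Statistics-based (threshold) checks; port-scan and ip-sweep thresholds
## are in microseconds, flood thresholds in packets per second
set security screen ids-option v6-untrust-screen tcp port-scan threshold 5000
set security screen ids-option v6-untrust-screen icmp ip-sweep threshold 5000
set security screen ids-option v6-untrust-screen icmp flood threshold 1000
set security screen ids-option v6-untrust-screen udp flood threshold 1000
set security screen ids-option v6-untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option v6-untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option v6-untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option v6-untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option v6-untrust-screen tcp syn-flood timeout 20
set security screen ids-option v6-untrust-screen tcp syn-ack-ack-proxy threshold 512
set security screen ids-option v6-untrust-screen limit-session source-ip-based 200
set security screen ids-option v6-untrust-screen limit-session destination-ip-based 2000
## syn-proxy / syn-cookie is a global flow setting, not part of the profile
set security flow syn-flood-protection-mode syn-cookie

## 3. IPv6-specific screens introduced in 12.1X46-D10
set security screen ids-option v6-untrust-screen ip ipv6-malformed-header
set security screen ids-option v6-untrust-screen ip ipv6-extension-header-limit 4
set security screen ids-option v6-untrust-screen ip ipv6-extension-header routing-header
set security screen ids-option v6-untrust-screen ip ipv6-extension-header hop-by-hop-header jumbo-payload-option
set security screen ids-option v6-untrust-screen icmp icmpv6-malformed

## 4. IPv6 tunnel screens introduced in 12.3X48-D10: drop common
##    v6-over-v4 and v4-over-v6 encapsulations that bypass v6 policy
set security screen ids-option v6-untrust-screen ip tunnel ip-in-udp teredo
set security screen ids-option v6-untrust-screen ip tunnel ipip ipip-6to4relay
set security screen ids-option v6-untrust-screen ip tunnel gre gre-6in4
set security screen ids-option v6-untrust-screen ip tunnel bad-inner-header

## 5. Bind the profile to the zone whose ingress traffic is screened
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust screen v6-untrust-screen

commit

## 6. Verify from configuration mode (or drop "run" in operational mode)
run show security flow status                       ## expect: Inet6 forwarding mode: flow based
run show security screen ids-option v6-untrust-screen
run show security screen statistics zone untrust    ## per-screen drop counters
```

When first deploying a profile on a production zone, add `set security screen ids-option v6-untrust-screen alarm-without-drop` so that threshold screens only log; watch the zone statistics for a few days, adjust the flood and session thresholds, then remove the statement to enforce drops. Deleting a screen statement from the profile stops that check immediately; no reboot is involved after the initial forwarding-mode change.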