Juniper: Yes, IPv6 ping-of-death hits Junos OS, too

That IPv6 neighbour packet discovery bug Cisco warned about last week? Juniper has just followed Switchzilla by warning it has the same problem. When Cisco announced the vuln, it said other IPv6 implementations would also be at risk. The Gin Palace agrees: CVE-2016-1409 is an issue for anybody running Junos OS. The advisory …

  1. gerdesj Silver badge
    Childcatcher

    I'll have a go at translating that into English

    “The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbours as legitimate ND times out.”

    ARP is only valid on a particular switch on an internal network. It is not something that an external (internet) host should be able to mess with. Turns out you can make our switches melt by messing with inbound traffic that your systems thought they had requested because our switches simply believe what the traffic says rather than checking. As a result our funky protection mechanisms run out of resources that they were never really designed for. We fucked up, soz.

    1. Lee D Silver badge

      Re: I'll have a go at translating that into English

      Or:

      "We trusted external data without thinking about the consequences"

      1. Lennart Sorensen

        Re: I'll have a go at translating that into English

        And we didn't actually follow the IPv6 spec that said we were not allowed to route these packets in the first place and were not allowed to look at them if someone else had routed them by mistake.

    2. gnarlymarley

      Re: I'll have a go at translating that into English

      "ARP is only valid on a particular switch on an internal network. It is not something that an external (internet) host should be able to mess with. Turns out you can make our switches melt by messing with inbound traffic that your systems thought they had requested because our switches simply believe what the traffic says rather than checking. As a result our funky protection mechanisms run out of resources that they were never really designed for. We fucked up, soz."

      For anyone that is curious, how this happens is all IPv4 traffic uses ARP. The difference is, the router is forwarding packets to the next router. ARP and packet forwarding, say on a point-to-point link between two routers, has only two MAC addresses. This means the MAC for one router is associated with all internet traffic and the other MAC is associated with all LAN traffic. Now, IPv6 does not use ARP, but uses Neighbor Discovery (ND) instead. ND is basically the same principle as ARP.

      As previously stated, it needs to be set to static, or else we are screwed.
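The spec rule Lennart Sorensen refers to, and the ND-versus-ARP distinction gnarlymarley describes, in working code. This is an added example, not code from the article, Juniper or any commenter: a minimal parser that applies the RFC 4861 receiver checks (hop limit must be 255, so the packet cannot have crossed a router; ICMP code 0; minimum length per message type) to constructed sample packets, and drops ND messages that arrive from beyond the local link.

```python
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ND_MIN_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}

def build_ipv6(src, dst, hop_limit, payload):
    """Constructed sample packet: 40-byte IPv6 header followed by an ICMPv6 body."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), ICMPV6, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def neighbor_solicitation(target):
    # ICMPv6 type 135, code 0, checksum 0 (not verified in this example), reserved, target
    return struct.pack("!BBHI16s", 135, 0, 0, 0, ipaddress.IPv6Address(target).packed)

def check_nd_packet(pkt):
    """Return (verdict, reason) for one raw IPv6 packet.
    A node must ignore Neighbor Discovery messages unless the IPv6 hop limit is 255,
    which proves no router forwarded the packet (RFC 4861 7.1.1, 7.1.2 and friends).
    ARP never needed this rule because it is not routable at all; ND rides on
    ICMPv6 and therefore is, so the receiver has to check."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not-nd", "not an IPv6 packet"
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", pkt[4:8])
    if next_hdr != ICMPV6:
        return "not-nd", "not ICMPv6"
    icmp = pkt[40:40 + payload_len]
    if len(icmp) < 4:
        return "drop", "truncated ICMPv6 header"
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ND_TYPES:
        return "not-nd", "ICMPv6 type %d is not Neighbor Discovery" % icmp_type
    name = ND_TYPES[icmp_type]
    if hop_limit != 255:
        return "drop", "%s with hop limit %d was forwarded by a router; ignore it" % (name, hop_limit)
    if icmp_code != 0:
        return "drop", "%s with non-zero ICMP code" % name
    if len(icmp) < ND_MIN_LEN[icmp_type]:
        return "drop", "%s shorter than %d bytes" % (name, ND_MIN_LEN[icmp_type])
    return "accept", "%s passes RFC 4861 validation" % name

# Constructed samples: a legitimate on-link NS, the same kind of NS as it would look after
# being routed in from outside the broadcast domain (hop limit decremented), and a plain echo.
ON_LINK_NS = build_ipv6("fe80::1", "ff02::1:ff00:2", 255, neighbor_solicitation("fe80::2"))
ROUTED_NS = build_ipv6("2001:db8::bad", "2001:db8::2", 64, neighbor_solicitation("2001:db8::2"))
ECHO_REQ = build_ipv6("fe80::1", "fe80::2", 64, bytes([128, 0, 0, 0, 0, 0, 0, 0]))

if __name__ == "__main__":
    for label, pkt in (("on-link NS", ON_LINK_NS), ("routed NS", ROUTED_NS), ("echo", ECHO_REQ)):
        print(label, check_nd_packet(pkt))
```

A routing engine that applied this check before touching its neighbour cache or DDoS policer would never spend CPU on the remotely sourced floods the advisory describes.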

  2. Anonymous Coward

    Those who don't know IP

    are condemned to re-implement it. Poorly!

    OK somebody was saying this about Unix but it works like a charm in this case too.

  3. Anonymous Coward

    These Facebook kids

    call themselves programmers.

  4. Aodhhan Bronze badge

    IPv6

    When pen testing networks, I find it humorous how easy it is to use IPv6 exploits. Too many companies have their entire network dual homed, from their external router to user endpoints and servers. Yet, nothing uses it. Therefore, it's rare for IPv6 to be configured correctly or a good security posture maintained.

    If you're not using IPv6 for anything... shut it off!

    By default, Windows will activate it on your NICs, so you need to go in and ensure it's unchecked.

    1. ZeroSum

      Re: IPv6

      Most companies aren't connected to IPv6 at all and those that do just connect their public facing servers.

      What you claim can't be true anyway as if IPv6 connectivity was configured all the way to the end hosts then they would be using it as by default it is preferred over IPv4.

  5. asdf Silver badge

    Hmm OpenBSD doesn't have this flaw huh? Pretty solid router OS it is for being free. Though admittedly I did remember a bin patch for an IPv6 flaw this year.
