From Perimeter Router Security Technical Implementation Guide Juniper
ICMPv6 unreachable notifications and redirects must be disabled
The Internet Control Message Protocol version 6 (ICMPv6) supports IPv6 traffic by relaying information about paths, routes, and network conditions. Routers send ICMPv6 messages automatically under a wide variety of conditions. Two of these message types are commonly used by attackers for network mapping and reconnaissance: Destination Unreachable and Redirect. Unreachable messages tell a scanner which addresses, protocols, and ports are not in service (and, by omission, which are), and redirects can be abused to steer a host's traffic toward an attacker-chosen next hop.
Review the active configuration to determine whether controls have been defined so that the router has ICMP unreachables and redirects disabled on all external interfaces. The configuration examples below are written for family inet; the corresponding IPv6 statements are configured under family inet6.

ICMP Unreachable

1. Protocol Unreachable

The filter applied to the routing engine must be configured to silently discard any packets it does not recognize or want, so that no Protocol Unreachable message is generated. The following is an example:

    [edit interfaces]
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-routing-engine;
                }
                address 192.168.1.2/32;
            }
        }
    }

    [edit firewall]
    family inet {
        filter protect-routing-engine {
            term 1 {
                . . .
            }
            term default-action {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }

2. Host Unreachable

The only way to prevent a Juniper router from sending a Host Unreachable message back to the originator of a packet whose destination address is not found in its forwarding table is to define a default route pointing to the discard interface. The filter applied to that interface then silently discards the packets:

    [edit interfaces]
    dsc {
        unit 0 {
            family inet {
                filter {
                    input log-discard;
                }
                address 10.1.1.1/32 {
                    destination 10.1.1.2;
                }
            }
        }
    }

    [edit firewall]
    family inet {
        filter log-discard {
            term one {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }

    [edit routing-options]
    static {
        route 0.0.0.0/0 next-hop 10.1.1.2;
    }

3. Aggregate and black hole routes

A Juniper router also sends ICMP unreachable messages for packets whose destination address matches an aggregate route or a black hole route.

a. Checking aggregate routes

By default, when aggregate routes are installed in a Juniper routing table, the next hop is a reject next hop. A packet is therefore dropped and an ICMP unreachable message is sent to its originator whenever the longest-match lookup ends at the aggregate route itself, that is, whenever a destination inside the advertised summary does not match any more specific (contributing) route. These packets can be quietly dropped instead by specifying discard on an individual route in the route part of the aggregate statement, or by specifying discard in the defaults for aggregate routes:

    [edit routing-options]
    aggregate {
        route 192.168.0.0/17 discard;
    }

or

    [edit routing-options]
    aggregate {
        defaults {
            active;
            discard;
            community 2:333;
        }
    }

Note: You can also issue the operational command show route protocol aggregate to determine whether the discard or reject option is in use.

b. Checking black hole routes

    [edit routing-options]
    static {
        route 0.0.0.0/8 discard;
        route 1.0.0.0/8 discard;
        route 5.0.0.0/8 discard;
        . . .
    }

This list reflects the unallocated address space at the time the guide was written; 1.0.0.0/8 and 5.0.0.0/8 have since been allocated, so a black hole list must be maintained against a current bogon source rather than copied verbatim.

ICMP Redirects

Under the [edit system] hierarchy, enter a show command to verify that the no-redirects statement is present on all Juniper routers. This restriction can also be enforced by including the no-redirects statement under each active interface:

    [edit system]
    no-redirects;

or

    [edit interfaces]
    fe-2/0/1 {
        description "NIPRNet link";
        unit 0 {
            family inet {
                no-redirects;
                filter {
                    input ingress-filter;
                }
                address 121.70.11.68/29;
            }
        }
    }

ICMP Mask Reply

JUNOS has no option to suppress replies to ICMP Mask Request messages. Consequently, to ensure that the router does not send any ICMP Mask Reply messages in response to a mask request, include a term in the routing engine firewall filter that drops any mask requests sent to it. Because filter terms are evaluated in order and the first match wins, this term must appear before any term that accepts ICMP to the routing engine.

    [edit interfaces]
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-routing-engine;
                }
                address 192.168.1.2/32;
            }
        }
    }

    [edit firewall]
    family inet {
        filter protect-routing-engine {
            term icmp-mask-request {
                from {
                    protocol icmp;
                    icmp-type mask-request;
                }
                then {
                    log;
                    discard;
                }
            }
        }
    }
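The checks above can be automated against the output of show configuration | display set. The following Python script is an added example, not part of the STIG or of Junos: it parses a constructed display-set dump, applies the redirect, routing-engine-filter and aggregate-route checks described in the text, and reports each finding. The sample configuration, the interface and filter names in it, and the wording of the findings are assumptions made for the example; IPv6 redirects are checked per interface under family inet6 only, because the script does not assume a global IPv6 counterpart of no-redirects.

```python
"""Audit a Junos 'show configuration | display set' dump for the ICMP
unreachable / redirect controls this STIG rule checks.  Added example,
not part of the STIG; the sample configuration below is constructed."""
import shlex

# Constructed sample: fe-2/0/2 is missing no-redirects and the second aggregate
# route is left at the Junos default next hop (reject), so two findings fire.
SAMPLE_CONFIG = """\
set system host-name edge-rtr1
set interfaces lo0 unit 0 family inet filter input protect-routing-engine
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set interfaces fe-2/0/1 description "NIPRNet link"
set interfaces fe-2/0/1 unit 0 family inet no-redirects
set interfaces fe-2/0/1 unit 0 family inet filter input ingress-filter
set interfaces fe-2/0/1 unit 0 family inet address 121.70.11.68/29
set interfaces fe-2/0/1 unit 0 family inet6 no-redirects
set interfaces fe-2/0/1 unit 0 family inet6 address 2001:db8:1::1/64
set interfaces fe-2/0/2 unit 0 family inet address 10.20.30.1/30
set firewall family inet filter protect-routing-engine term icmp-mask-request from protocol icmp
set firewall family inet filter protect-routing-engine term icmp-mask-request from icmp-type mask-request
set firewall family inet filter protect-routing-engine term icmp-mask-request then log
set firewall family inet filter protect-routing-engine term icmp-mask-request then discard
set firewall family inet filter protect-routing-engine term default-action then syslog
set firewall family inet filter protect-routing-engine term default-action then discard
set routing-options aggregate route 192.168.0.0/17 discard
set routing-options aggregate route 172.16.0.0/12
"""

SKIP_IFACES = ("lo0", "dsc")  # loopback and discard interfaces never emit redirects


def parse_set_config(text):
    """Turn each 'set ...' line into a tuple of tokens (the 'set' keyword dropped)."""
    return [tuple(shlex.split(line)[1:])
            for line in text.splitlines() if line.startswith("set ")]


def has_path(paths, *prefix):
    """True if some configuration line starts with the given token sequence."""
    return any(p[:len(prefix)] == prefix for p in paths)


def check_redirects(paths):
    """'ICMP Redirects' check: no-redirects under [edit system] (IPv4 only here)
    or under every addressed family inet/inet6 unit of every non-loopback interface."""
    findings = set()
    global_off = has_path(paths, "system", "no-redirects")
    for p in paths:
        if len(p) < 7 or p[0] != "interfaces" or p[2] != "unit" or p[4] != "family":
            continue
        ifname, unit, family = p[1], p[3], p[5]
        if p[6] != "address" or ifname in SKIP_IFACES:
            continue
        if family == "inet" and global_off:
            continue
        if not has_path(paths, "interfaces", ifname, "unit", unit, "family", family, "no-redirects"):
            findings.add(f"{ifname}.{unit} family {family}: no-redirects not set")
    return sorted(findings)


def check_re_filter(paths):
    """Checks 1 ('Protocol Unreachable') and 'ICMP Mask Reply': lo0.0 must carry an
    inbound family inet filter whose last term has no 'from' clause and discards,
    and some term must explicitly discard ICMP mask-request."""
    names = [p[8] for p in paths if len(p) > 8
             and p[:8] == ("interfaces", "lo0", "unit", "0", "family", "inet", "filter", "input")]
    if not names:
        return ["lo0.0 family inet: no input filter protecting the routing engine"]
    base = ("firewall", "family", "inet", "filter", names[0], "term")
    terms = {}  # term name -> {"from": [...], "then": [...]}, in configuration order
    for p in paths:
        if p[:6] == base and len(p) > 8 and p[7] in ("from", "then"):
            terms.setdefault(p[6], {"from": [], "then": []})[p[7]].append(p[8:])
    if not terms:
        return [f"filter {names[0]}: referenced on lo0.0 but not defined"]
    findings = []
    last, body = list(terms.items())[-1]  # first match wins, so the catch-all must be last
    if body["from"] or ("discard",) not in body["then"]:
        findings.append(f"filter {names[0]}: last term '{last}' is not a from-less discard")
    drops_mask = any(("protocol", "icmp") in t["from"] and ("icmp-type", "mask-request") in t["from"]
                     and ("discard",) in t["then"] for t in terms.values())
    if not drops_mask:
        findings.append(f"filter {names[0]}: ICMP mask-request is not discarded")
    return findings


def check_aggregate_routes(paths):
    """Check 3a: every aggregate route must discard, either on the route itself or
    via 'aggregate defaults discard'; the Junos default (reject) answers with
    an ICMP unreachable."""
    default_discard = has_path(paths, "routing-options", "aggregate", "defaults", "discard")
    findings = []
    prefixes = sorted({p[3] for p in paths if p[:3] == ("routing-options", "aggregate", "route")})
    for prefix in prefixes:
        route = ("routing-options", "aggregate", "route", prefix)
        if has_path(paths, *route, "reject") or not (has_path(paths, *route, "discard") or default_discard):
            findings.append(f"aggregate {prefix}: reject next hop, ICMP unreachable will be sent")
    return findings


def audit(text):
    """Run all checks; an empty dict means the configuration passes."""
    paths = parse_set_config(text)
    results = {"redirects": check_redirects(paths),
               "routing-engine-filter": check_re_filter(paths),
               "aggregate-routes": check_aggregate_routes(paths)}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    for check, found in audit(SAMPLE_CONFIG).items():
        for finding in found:
            print(f"FAIL [{check}] {finding}")
```

Run it as-is to see the two findings for the constructed configuration, or pass audit() the saved output of show configuration | display set from a real router. The last-term test relies on Junos evaluating filter terms in order: a term with no from clause matches everything, so it only provides the silent default action when it is the final term.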
The network element configuration must be changed to ensure ICMPv6 unreachables and redirects are disabled at all external interfaces.