This issue may affect any product or platform running Junos OS.

A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out.

Note that this is similar to the router’s response to any purposeful malicious IPv6 ND flood destined to the router.

The difference is that the crafted packet identified in the vulnerability is such that the forwarding controllers/ASICs should disallow this traffic from reaching the RE for further processing.

Additionally, due to the routable nature of the crafted IPv6 ND packet, the attack may be launched from beyond the local broadcast domain.

This issue has been assigned CVE-2016-1409.

Internal investigation has uncovered three separate issues with IPv6 Neighbor Discovery processing in Junos:

1. QFX5100 exceptions transit IPv6 ND traffic to RE
   PR 1183115 logged to resolve this issue in a future release.

2. Junos routers forward IPv6 ND traffic in violation of RFC4861
   PRs 1183124 (QFX), 1188939 (MX), 1188949 (PTX) logged to investigate this issue.

3. Junos routers fail to discard non-RFC4861-compliant IPv6 ND traffic destined to the router (CVE-2016-1409)
   PRs 1183124 (QFX), 1188939 (MX), 1188949 (PTX)

Note that only MX, PTX, and QFX have been confirmed to experience this behavior. Other platforms are still under investigation.

Juniper Networks will update this advisory once fixes are available.

Refer to KB16613 for additional information about the Juniper Networks SIRT Quarterly Security Bulletin Publication Process.

While no complete workaround currently exists for this issue, especially for adjacent network attacks from the local broadcast domain, security best current practices (BCPs) of filtering all ND traffic at the edge, destined to network infrastructure equipment, should be employed to limit the malicious attack surface of the vulnerability. Examples include:

Interface and/or control plane firewall filters may be used to stop propagation of NDP traffic beyond connected devices.

Devices that support the hop-limit option can utilize the following interface filter design:
user@junos# show firewall family inet6 NDP
filter NDP {
    term PERMIT_LOCAL_ICMP {
        from {
            next-header icmp6;
            hop-limit 255;
        }
        then {
            count PERMIT_LOCAL_ICMP;
            accept;
        }
    }
    term REJECT_NETWORK_ICMP {
        from {
            next-header icmpv6;
            icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement redirect ];
        }
        then {
            count REJECT_NETWORK_ICMP;
            discard;
        }
    }
    term PERMIT_ALL {
        then accept;
    }
}

Sample Protect_RE filter:
user@junos# show firewall family inet6 IPV6_PROTECT_RE
filter IPV6_PROTECT_RE {
    term ICMPV6_TRUSTED {
        from {
            source-prefix-list {
                IPV6_REMOTE_ACCESS;
            }
            next-header icmpv6;
        }
        then accept;
    }
    term IPV6_ND_LOCAL {
        from {
            next-header icmpv6;
            hop-limit 255;
        }
        then accept;
    }
    term ICMPV6 {
        from {
            next-header icmpv6;
            icmp-type [ echo-request echo-reply time-exceeded destination-unreachable packet-too-big parameter-problem ];
        }
        then accept;
    }
}

Devices that do not support the ‘hop-limit’ option will require a slightly more complicated interface filter design:
user@junos# show firewall family inet6 NDP
filter NDP {
    term PERMIT_VALID_ICMP {
        from {
            destination-address {
                fe80::/10;
                ff02::/123;
                ff02:0:0:0:0:1:ff00::/104;
            }
        }
        then {
            count PERMIT_VALID_ICMP;
            accept;
        }
    }
    term PERMIT_VALID_ICMP_LOCAL {
        from {
            source-address {
                x:x:x:x::/64;
            }
            destination-address {
                x:x:x:x::/64;
            }
            next-header icmp6;
        }
        then {
            count PERMIT_VALID_ICMP_LOCAL;
            accept;
        }
    }
    term REJECT_INVALID_ICMP {
        from {
            next-header icmpv6;
            icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement redirect ];
        }
        then {
            count REJECT_INVALID_ICMP;
            discard;
        }
    }
}

and Protect_RE filter design:
user@junos# show firewall family inet6 IPV6_PROTECT_RE
filter IPV6_PROTECT_RE {
    term ICMPV6_TRUSTED {
        from {
            source-prefix-list {
                IPV6_REMOTE_ACCESS;
            }
            next-header icmpv6;
        }
        then accept;
    }
    term IPV6_ND {
        from {
            destination-address {
                fe80::/10;
                ff02::/123;
                ff02:0:0:0:0:1:ff00::/104;
            }
        }
        then accept;
    }
    term IPV6_ND_LOCAL {
        from {
            source-address {
                x:x:x:x::/64;
            }
            destination-address {
                x:x:x:x::/64;
            }
            next-header icmp6;
        }
        then accept;
    }
    term ICMPV6 {
        from {
            next-header icmpv6;
            icmp-type [ echo-request echo-reply time-exceeded destination-unreachable packet-too-big parameter-problem ];
        }
        then accept;
    }
    term OTHER {
        then {
            count DROP;
            discard;
        }
    }
}
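To make the two NDP interface-filter designs above concrete, here is an added Python example (not part of this advisory and not Junos code) that walks each design's terms in order against constructed raw IPv6 packets, showing why an on-link Neighbor Solicitation passes while a routed one with a decremented hop limit is discarded. The addresses, the local prefix 2001:db8:1::/64 standing in for x:x:x:x::/64, and the function names are assumptions.

```python
import ipaddress
import struct
ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect (RFC 4861)
# Destination prefixes from the PERMIT_VALID_ICMP / IPV6_ND terms above.
ND_DST_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("fe80::/10", "ff02::/123", "ff02:0:0:0:0:1:ff00::/104")]

def parse_ipv6(pkt: bytes) -> dict:
    """Read the fixed IPv6 header and the ICMPv6 type byte (no extension headers)."""
    if len(pkt) < 41:
        raise ValueError("truncated packet")
    next_header, hop_limit = struct.unpack_from("!BB", pkt, 6)
    return {"next_header": next_header, "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40]),
            "icmp_type": pkt[40] if next_header == ICMPV6 else None}

def filter_with_hop_limit(p: dict) -> str:
    """Term order of 'filter NDP' for devices that support hop-limit."""
    if p["next_header"] == ICMPV6 and p["hop_limit"] == 255:
        return "accept"                          # term PERMIT_LOCAL_ICMP
    if p["next_header"] == ICMPV6 and p["icmp_type"] in ND_TYPES:
        return "discard"                         # term REJECT_NETWORK_ICMP
    return "accept"                              # term PERMIT_ALL

def filter_without_hop_limit(p: dict, local_prefix: str) -> str:
    """Term order of the address-based 'filter NDP'; local_prefix stands in for x:x:x:x::/64."""
    local = ipaddress.ip_network(local_prefix)
    if any(p["dst"] in n for n in ND_DST_PREFIXES):
        return "accept"                          # term PERMIT_VALID_ICMP
    if p["next_header"] == ICMPV6 and p["src"] in local and p["dst"] in local:
        return "accept"                          # term PERMIT_VALID_ICMP_LOCAL
    if p["next_header"] == ICMPV6 and p["icmp_type"] in ND_TYPES:
        return "discard"                         # term REJECT_INVALID_ICMP
    # No further term: Junos applies an implicit discard at the end of a filter,
    # so this design also drops non-ND traffic unless a final accept term is added.
    return "discard"

def build(src: str, dst: str, hop_limit: int, icmp_type: int, next_header: int = ICMPV6) -> bytes:
    """Constructed IPv6 packet with an 8-byte ICMPv6 stub (checksum left zero)."""
    body = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    hdr = struct.pack("!IHBB", 0x60000000, len(body), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body

# Constructed samples: an on-link NS (hop limit 255, solicited-node multicast) and
# a routable NS addressed to the router's global address with hop limit 64.
GOOD_NS = build("fe80::1", "ff02::1:ff00:1", 255, 135)
ROUTED_NS = build("2001:db8:f00d::1", "2001:db8:1::1", 64, 135)
```

Running both designs over GOOD_NS and ROUTED_NS shows the accept/discard decision for each; the address-based design additionally discards non-ND transit traffic because it has no final accept term.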
Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”