Growing pains for next Net

Juniper's Internet routers running IPv6 could be vulnerable to denial-of-service attacks.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.
Marguerite Reardon
3 min read
A vulnerability discovered in some of Juniper Networks' routing software highlights that the next-generation Internet, known as Internet Protocol version 6, still has a ways to go before it will be ready for widespread adoption.

The U.S. Computer Emergency Readiness Team and Secunia, a security advisory company, issued alerts Wednesday for Juniper M-series and T-series routers built between Feb. 24 and June 20 that are running IPv6.

IPv6 is a new version of the Internet Protocol that expands the pool of unique addresses available for connecting PCs and other devices in the Internet.

The vulnerability is caused by what is called a "memory leak," which an attacker could exploit to cause a denial-of-service attack. These memory leaks occur when IPv6 packets are sent in such an order that they take up more memory than usual. As the memory is filled up, the router runs slower. And eventually when the memory is exhausted, the router crashes and reboots itself, potentially causing major service outages or significantly slowed network performance.

Customers who are registered at Juniper's support site can log on to the site to get more information on how to fix the problem. Users also can disable IPv6 in the routers' Packet Forwarding Engine, according to the advisories.

"All Junos software built on or after June 20, 2004, includes the corrected code," a Juniper representative said. "The Junos software has been modified to release the memory occupied by the original IPv6 packets."

Experts say that the vulnerability will not have much of an impact on the Internet, because only a small number of networks throughout the world use IPv6.

Many people say that IPv4, the predominate version of the protocol used today, doesn't have enough room in its address field to support the millions of devices that will likely be added to the Internet in the next several years.

Mobile communications and new consumer IP services, such as voice over Internet Protocol and video on demand, will increase the number of devices that need IP addresses. Asia and Europe will likely be affected first, because that is where adoption of these new technologies is growing fast. Analysts don't expect the potential address shortfall to affect U.S. networks anytime soon.

"IPv6 is still in very early stages of deployment, so it's natural to see issues coming up and getting fixed," said Thomas Kristensen, chief technology officer for Secunia. "The same kind of vulnerability came up in IPv4."

Verio, a subsidiary of NTT Communications, is one of the only carriers that offers IPv6 commercially in North America. Verio, which uses Juniper routers, has been offering its service to large corporate customers since December 2003. It expanded the offering just last month.

Aside from Verio, the only other major IPv6 launch in North America will come from the U.S. Department of Defense. In June 2003, it set a mandate that all agencies be IPv6-ready by 2008. The agency has helped develop the Moonv6 network, which serves as a test bed for service providers and equipment makers testing IPv6 technology.

"The Defense Department has made some noise about IPv6," said Dave Passmore, research director for the Burton Group. "But other than that, there is literally zero demand from commercial customers in the U.S. Verio offers a service, but many corporate customers don't seem interested in IPv6."