|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
To: Ryan Rawdon <ryan@u13.net> From: Mark Andrews <marka@isc.org> In-reply-to: Your message of "Thu, 10 Feb 2011 16:34:04 CDT." <acd7c570039e58b67bbf64e467f4b12b@192.168.152.50> Date: Fri, 11 Feb 2011 08:50:46 +1100 Cc: nanog@nanog.org Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org In message <acd7c570039e58b67bbf64e467f4b12b@192.168.152.50>, Ryan Rawdon writes : > > Hello NANOGers - > > What considerations should be made with respect to implementing egress > filtering based on source IPv6 addresses? Things like allowing traffic > sourced from fe80::/10 in said filters for on-link communication (for the > interface that the filter is applied to). Is there anything else that > should be taken into account while implementing BCP38 egress filtering in > IPv6? > > Ryan You should definitely make sure you block ULA prefixes leaving your site by default. e.g. add unreach admin all from any to fc00::/7 via gif0 add unreach admin all from fc00::/7 to any via gif0 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |