[137289] in North American Network Operators' Group
Re: BCP38 considerations in IPv6
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Thu Feb 10 16:53:06 2011
From: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <acd7c570039e58b67bbf64e467f4b12b@192.168.152.50>
Date: Thu, 10 Feb 2011 22:51:48 +0100
To: Ryan Rawdon <ryan@u13.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 10 feb 2011, at 22:34, Ryan Rawdon wrote:
> What considerations should be made with respect to implementing egress
> filtering based on source IPv6 addresses? Things like allowing traffic
> sourced from fe80::/10 in said filters for on-link communication (for the
> interface that the filter is applied to). Is there anything else that
> should be taken into account while implementing BCP38 egress filtering in
> IPv6?

There's a lot of language in the RFCs about this type of address not
being forwarded by routers, so filtering shouldn't be necessary. I know
that Cisco lets neighbor discovery through before the implicit deny is
applied, so specifically allowing link locals for neighbor discovery
isn't necessary either. (I would assume other vendors do the same, but
it's of course a good idea to check.)

The only time you have to be careful is when you do a deny all, because
you need neighbor discovery unless you use static neighbor cache
entries. ND also uses multicast, so you need to let that through as
appropriate, too.
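
An added example, not part of the original message and not any vendor's implementation: a small first-match filter model in Python showing why an explicit deny-all drops neighbor discovery unless ND is permitted ahead of it. The rule model, the customer prefix 2001:db8:100::/48 and the sample packets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

ND_TYPES = {135, 136}  # ICMPv6 Neighbor Solicitation / Advertisement (RFC 4861)

class Packet(NamedTuple):
    src: str
    dst: str                          # kept to show ND's multicast destination
    icmp6_type: Optional[int] = None  # None = not ICMPv6

class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    src: str = "::/0"        # source prefix the rule matches
    nd_only: bool = False    # match only ND NS/NA messages

# Assumed model of the behaviour described in the reply: ND is let through
# just before the implicit deny at the end of every filter.
IMPLICIT_TAIL = [Rule("permit", nd_only=True), Rule("deny")]

def evaluate(acl, pkt):
    """First-match evaluation of the configured rules, then the implicit tail."""
    src = ipaddress.ip_address(pkt.src)
    for rule in list(acl) + IMPLICIT_TAIL:
        if src not in ipaddress.ip_network(rule.src):
            continue
        if rule.nd_only and pkt.icmp6_type not in ND_TYPES:
            continue
        return rule.action
    return "deny"

CUSTOMER = "2001:db8:100::/48"  # constructed documentation prefix

# BCP38 filter relying on the implicit tail: ND still works.
BCP38 = [Rule("permit", CUSTOMER)]
# Same filter with an explicit deny-all: it matches before the implicit ND permit.
BCP38_DENY_ALL = [Rule("permit", CUSTOMER), Rule("deny")]
# Corrected: ND permitted explicitly ahead of the deny-all.
BCP38_DENY_ALL_FIXED = [Rule("permit", CUSTOMER),
                        Rule("permit", nd_only=True),
                        Rule("deny")]

# Constructed sample packets.
NS = Packet("fe80::1", "ff02::1:ff00:1", 135)     # link-local NS to solicited-node multicast
LEGIT = Packet("2001:db8:100::10", "2001:db8:ffff::1")
SPOOFED = Packet("2001:db8:dead::1", "2001:db8:ffff::1")
LL_DATA = Packet("fe80::1", "2001:db8:ffff::1")   # link-local source, not ND

if __name__ == "__main__":
    for name, acl in [("implicit", BCP38), ("deny-all", BCP38_DENY_ALL),
                      ("fixed", BCP38_DENY_ALL_FIXED)]:
        print(name, {p.src: evaluate(acl, p) for p in (NS, LEGIT, SPOOFED, LL_DATA)})
```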