nanog mailing list archives

Re: BCP38 considerations in IPv6

From: Mark Andrews <marka () isc org>
Date: Fri, 11 Feb 2011 08:50:46 +1100


In message <acd7c570039e58b67bbf64e467f4b12b@192.168.152.50>, Ryan Rawdon writes
:


Hello NANOGers - 

What considerations should be made with respect to implementing egress
filtering based on source IPv6 addresses? Things like allowing traffic
sourced from fe80::/10 in said filters for on-link communication (for the
interface that the filter is applied to).  Is there anything else that
should be taken into account while implementing BCP38 egress filtering in
IPv6?

Ryan


You should definitely make sure you block ULA prefixes leaving your
site by default.

e.g.
        add unreach admin all from any to fc00::/7 via gif0
        add unreach admin all from fc00::/7 to any via gif0
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Current thread:

BCP38 considerations in IPv6 Ryan Rawdon (Feb 10)
- Re: BCP38 considerations in IPv6 Mark Andrews (Feb 10)
- Re: BCP38 considerations in IPv6 Iljitsch van Beijnum (Feb 10)
- Re: BCP38 considerations in IPv6 William F. Maton Sotomayor (Feb 10)
- Re: BCP38 considerations in IPv6 Mohacsi Janos (Feb 10)