nanog mailing list archives

Re: BCP38 considerations in IPv6


From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Thu, 10 Feb 2011 22:51:48 +0100

On 10 feb 2011, at 22:34, Ryan Rawdon wrote:

> What considerations should be made with respect to implementing egress
> filtering based on source IPv6 addresses? Things like allowing traffic
> sourced from fe80::/10 in said filters for on-link communication (for the
> interface that the filter is applied to).  Is there anything else that
> should be taken into account while implementing BCP38 egress filtering in
> IPv6?

There's a lot of language in the RFCs about this type of address not being forwarded by routers, so filtering shouldn't be necessary. I know that Cisco lets neighbor discovery through before the implicit deny is applied, so specifically allowing link locals for neighbor discovery isn't necessary either. (I would assume other vendors do the same, but it's of course a good idea to check.)

The only time you have to be careful is when you do a deny all, because you need neighbor discovery unless you use static neighbor cache entries. ND also uses multicast, so you need to let that through as appropriate, too.
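
The deny-all caveat from the message above, as an added example that is not part of the original post: a Cisco IOS-style source filter for a customer-facing interface, first with the explicit deny that breaks neighbor discovery, then with ND permitted ahead of it. The ACL names, the interface and the customer prefix 2001:db8:1234::/48 (documentation space) are assumptions.

```cisco
! Constructed example: ACL names, interface and prefix are placeholders.

! Problematic: the explicit "deny ipv6 any any" matches first, so the
! implicit ND permits at the end of the list are never reached. ND
! packets sourced from fe80::/10 on the link are dropped and logged.
ipv6 access-list BCP38-IN-BROKEN
 permit ipv6 2001:db8:1234::/48 any
 deny ipv6 any any log

! Corrected: ND is permitted explicitly before the explicit deny.
! "any any" on the destination side also covers the solicited-node
! multicast addresses that neighbor solicitations are sent to.
ipv6 access-list BCP38-IN
 permit icmp any any nd-ns
 permit icmp any any nd-na
 ! Only needed if hosts on this link learn their router from RAs.
 permit icmp any any router-solicitation
 ! BCP38: only the prefix assigned to this link may be used as a source.
 permit ipv6 2001:db8:1234::/48 any
 deny ipv6 any any log

interface GigabitEthernet0/1
 ipv6 traffic-filter BCP38-IN in
```

With static neighbor cache entries on both sides, the ND permits can be left out, as the message notes.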
