nanog mailing list archives

Re: IPv6 filtering at network edge?


From: Saku Ytti <saku () ytti fi>
Date: Tue, 16 Mar 2021 17:15:44 +0200

Hey,

> I'm tightening up some network-edge filters, and in the process of
> testing filtering with IPv6, I found that there is a lot of ICMP
> link-local (fe80::) to ff02:: activity at an IX.  Is any of this
> necessary?  I am wary of over-filtering that cuts down functionality and

Dunno, ff02::1 would be very necessary (i.e. ND), ff02:: I have no
idea. But you should do yourself a favor, before you drop ICMP packets,
allow ND:

set from next-header icmp6
set from icmp-type router-solicit
set from icmp-type router-advertisement
set from icmp-type neighbor-solicit
set from icmp-type neighbor-advertisement
set from hop-limit 255
set then count icmp:nd
set then accept

It doesn't really matter how many times this is mentioned on how many
forums, people will continue to break IPv6 ND by filtering it
incorrectly. I regularly have customers complaining we've broken IPv6,
when ND stops working, due to an implementation change on our end using
different combinations of GUA/LL than what their filter permits. And
customers often remain unconvinced, offering 'it works on N other
providers just fine'. IPv6 is too hard, we don't understand how ND
works.


-- 
  ++ytti

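The ND term from the message above, re-implemented as an added Python example (not code from the thread or from any vendor) that classifies constructed IPv6/ICMPv6 packets. It shows that the match keys only on next-header, ICMPv6 type and hop-limit, so it keeps working whatever GUA/LL address combination the neighbour uses; `build_packet`, `nd_term` and `run_filter` are hypothetical names.

```python
import ipaddress
import struct

ICMPV6 = 58  # IPv6 next-header value for ICMPv6
# ND types 133-136 accepted by the quoted term
ND_TYPES = {133: "router-solicit", 134: "router-advertisement",
            135: "neighbor-solicit", 136: "neighbor-advertisement"}

def build_packet(src, dst, hop_limit, icmp_type, payload=b""):
    """Constructed test input: minimal IPv6 + ICMPv6 packet, checksum zeroed."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + payload
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)

def nd_term(pkt):
    """Return 'accept' when pkt matches the ND term (next-header icmp6,
    type 133-136, hop-limit 255); None lets later terms decide.
    Note: no source/destination address is consulted, so LL vs GUA
    never matters. Hop-limit 255 is what RFC 4861 mandates for ND, and a
    packet that has crossed any router cannot still carry it."""
    if len(pkt) < 41 or pkt[0] >> 4 != 6:
        return None
    next_header, hop_limit = pkt[6], pkt[7]
    if next_header != ICMPV6 or hop_limit != 255:
        return None
    return "accept" if pkt[40] in ND_TYPES else None

def run_filter(packets):
    """ND term first, then a catch-all that drops remaining ICMPv6
    (the ordering recommended above). Returns per-action counters."""
    counts = {"icmp:nd": 0, "dropped-icmp6": 0, "other": 0}
    for pkt in packets:
        if nd_term(pkt) == "accept":
            counts["icmp:nd"] += 1
        elif pkt[6] == ICMPV6:
            counts["dropped-icmp6"] += 1
        else:
            counts["other"] += 1
    return counts

# Constructed sample traffic: LL and GUA sourced ND, a stale-hop ND, an echo
SAMPLE = [
    build_packet("fe80::1", "ff02::1:ff00:1", 255, 135),   # NS, link-local src
    build_packet("fe80::1", "ff02::1", 255, 134),          # RA to all-nodes
    build_packet("2001:db8::1", "2001:db8::2", 255, 135),  # NS, GUA src/dst
    build_packet("fe80::1", "ff02::1:ff00:1", 64, 135),    # NS with hop-limit 64
    build_packet("2001:db8::1", "2001:db8::2", 64, 128),   # echo request
]
```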