Hi,

On Wed, Jun 10, 2020 at 02:21:55PM +0200, c...@marenda.net wrote:
> 2. On the Neighbor Discovery ets stuff is src and dst always link-local
> or must I explicitly allow the four pairs LL-LL LL-real real-LL real-real ?
IPv6 ND sucks big time. You'll also see :: sources (DAD).

This is what we have at DECIX:

 20 permit icmpv6 fe80::/64 2001:7f8::/64 nd-ns
 30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 nd-ns ttl eq 255
 40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 nd-na ttl eq 255
 90 permit icmpv6 any ff02::/64 nd-ns
 100 permit icmpv6 fe80::/64 fe80::/64 nd-ns
 110 permit icmpv6 any fe80::/64 nd-ns
 120 permit icmpv6 any fe80::/64 nd-na
 130 permit icmpv6 any host ff02::1 nd-na
 140 deny icmpv6 any any nd-ns log
 150 deny icmpv6 any any nd-na log
 160 permit ipv6 fe80::/64 fe80::/64
 170 permit ipv6 fe80::/64 ff02::/64
 180 deny ipv6 fe80::/64 any
 ...

(looking closer, I seem to have any-to-LLA nd-ns twice here... that is
obviously not needed)

You should be able to filter ND/NS by matching on TTL 255, but when we did
this, we saw peer routers send out NS with lower TTLs - which is a violation
of RFCs, but nobody seems to care...

We do filter link-local to anything non-multicast / non-onlink - nobody
should ever forward these, but we did see packets.

> 3. will that ACL work on the mentioned devices in Hardware
> or is it done in software slowing down everything ?

This is fairly easy, XR will do things in hardware, or not at all.

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
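To see which entry of the ACL above actually catches each kind of ND traffic Gert mentions (DAD solicitations with a :: source, peer NS sent with a hop limit below 255, link-local sources talking to global unicast), here is a small first-match evaluator. This is an added example and not Gert's, DECIX's or Cisco's code: the ACL text is transcribed from the post (the part elided after entry 180 is not included), the first-match/implicit-deny behaviour and the reading of "ttl eq N" as an exact hop-limit match are this model's assumptions about IOS XR semantics, and every packet and address in SAMPLES is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# Added example: models first-match ACL evaluation, not an IOS XR implementation.
ICMPV6 = 58          # IPv6 next header value for ICMPv6
TCP = 6
ND_NS = 135          # ICMPv6 type: Neighbor Solicitation ("nd-ns")
ND_NA = 136          # ICMPv6 type: Neighbor Advertisement ("nd-na")

# ACL entries as posted above (elided tail not included)
ACL_TEXT = """
20 permit icmpv6 fe80::/64 2001:7f8::/64 nd-ns
30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 nd-ns ttl eq 255
40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 nd-na ttl eq 255
90 permit icmpv6 any ff02::/64 nd-ns
100 permit icmpv6 fe80::/64 fe80::/64 nd-ns
110 permit icmpv6 any fe80::/64 nd-ns
120 permit icmpv6 any fe80::/64 nd-na
130 permit icmpv6 any host ff02::1 nd-na
140 deny icmpv6 any any nd-ns log
150 deny icmpv6 any any nd-na log
160 permit ipv6 fe80::/64 fe80::/64
170 permit ipv6 fe80::/64 ff02::/64
180 deny ipv6 fe80::/64 any
"""

@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "icmpv6" or "ipv6" (any next header)
    src: IPv6Network
    dst: IPv6Network
    icmp_type: Optional[int] = None   # set by nd-ns / nd-na keyword
    hop_limit: Optional[int] = None   # "ttl eq N": exact hop-limit match (assumption)
    log: bool = False

@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    next_header: int
    hop_limit: int
    icmp_type: Optional[int] = None

def _addr(tok: list) -> IPv6Network:
    t = tok.pop(0)
    if t == "any":
        return IPv6Network("::/0")
    if t == "host":
        return IPv6Network(tok.pop(0) + "/128")
    return IPv6Network(t, strict=False)

def parse_entry(line: str) -> AclEntry:
    tok = line.split()
    seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    icmp_type = hop_limit = None
    log = False
    while tok:
        t = tok.pop(0)
        if t == "nd-ns":
            icmp_type = ND_NS
        elif t == "nd-na":
            icmp_type = ND_NA
        elif t == "ttl":
            if tok.pop(0) != "eq":
                raise ValueError("only 'ttl eq N' is modelled")
            hop_limit = int(tok.pop(0))
        elif t == "log":
            log = True
        else:
            raise ValueError(f"unsupported keyword {t!r} in {line!r}")
    return AclEntry(seq, action, proto, src, dst, icmp_type, hop_limit, log)

def parse_acl(text: str) -> list:
    return [parse_entry(l) for l in text.strip().splitlines()]

def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.proto == "icmpv6" and p.next_header != ICMPV6:
        return False
    if p.src not in e.src or p.dst not in e.dst:
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    if e.hop_limit is not None and p.hop_limit != e.hop_limit:
        return False
    return True

def evaluate(acl: list, p: Packet) -> tuple:
    """(action, seq) of the first matching entry; ("deny", None) is the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None

ACL = parse_acl(ACL_TEXT)

def nd(src: str, dst: str, icmp_type: int, hop_limit: int = 255) -> Packet:
    return Packet(IPv6Address(src), IPv6Address(dst), ICMPV6, hop_limit, icmp_type)

# Constructed sample traffic; addresses are illustrative, not real peers
SAMPLES = {
    "dad_ns_from_unspecified": nd("::", "ff02::1:ff00:5", ND_NS),
    "peer_ns_global_hl255":    nd("2001:7f8::1", "2001:7f8::5", ND_NS),
    "peer_ns_global_hl64":     nd("2001:7f8::1", "2001:7f8::5", ND_NS, hop_limit=64),
    "na_to_all_nodes":         nd("2001:7f8::1", "ff02::1", ND_NA),
    "ll_ns_to_ll":             nd("fe80::1", "fe80::5", ND_NS),
    "ll_source_tcp_to_global": Packet(IPv6Address("fe80::1"), IPv6Address("2001:7f8::5"), TCP, 64),
}

def run_samples() -> dict:
    return {name: evaluate(ACL, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, seq) in run_samples().items():
        print(f"{name:26s} -> {action} (entry {seq})")
```

Running it shows the points made in the post: the DAD solicitation from :: is only accepted because entry 90 permits any source towards ff02::/64, a peer's NS with hop limit 64 fails the "ttl eq 255" test in entry 30 and falls through to the logging deny at 140, and a TCP packet from a link-local source to a global address skips all the icmpv6 entries and is dropped by entry 180.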