> > > > > I think you need to take some time to understand IPv6 before
> > > > > implementing.
> >
> > The book examples don't restrict RS/RA to link local, are too open on
> > things like BGP and traceroute. Trio hardware also has payload-protocol
> > available in addition to next-header for matching.
>
> I don't think there is any need to. We've troubleshot many outages
> caused by customers limiting NS/NA to link-local or GUA, which may
> work and may stop working when one end changes.
>
Hi Ytti,

I have been using prefixes but of course, I missed the obvious solution
here - matching on hop-limit 255.

> Robust and secure rule would be something like:
>
> term icmp:nd {
>     from {
>         next-header icmp6;
>         icmp-type [ router-solicit router-advertisement
>                     neighbor-solicit neighbor-advertisement ];
>         hop-limit 255;
>     }
>     then {
>         count icmp:nd;
>         accept;
>     }
> }
> term icmp {
>     from {
>         next-header icmp6;
>         icmp-type [ echo-reply echo-request time-exceeded
>                     destination-unreachable packet-too-big parameter-problem ];
>     }
>     then {
>         policer police_local;
>         count icmp;
>         accept;
>     }
> }

Thanks for this.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
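The two filter terms quoted in this thread, as an added Python evaluator (not code from the thread or from Junos): it constructs minimal IPv6/ICMPv6 packets and reports which term would match, showing that an NS with a hop limit below 255 falls past both terms while echo traffic lands in the policed term. ICMPv6 type numbers are from RFC 4443 and RFC 4861; the packet layout and addresses are constructed test input.

```python
import struct

ICMPV6 = 58  # IPv6 Next Header value for ICMPv6

# Type numbers behind the names used in the quoted filter terms
ND_TYPES = {133: "router-solicit", 134: "router-advertisement",
            135: "neighbor-solicit", 136: "neighbor-advertisement"}
ICMP_TYPES = {1: "destination-unreachable", 2: "packet-too-big",
              3: "time-exceeded", 4: "parameter-problem",
              128: "echo-request", 129: "echo-reply"}


def build_ipv6_icmp(hop_limit, icmp_type, next_header=ICMPV6):
    """Construct a minimal IPv6 packet with an ICMPv6 header (test input only)."""
    payload = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    # version 6, no traffic class/flow label; then payload length, next header, hop limit
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    hdr += bytes.fromhex("fe80" + "00" * 14)                   # src: fe80:: (placeholder)
    hdr += bytes.fromhex("ff020000000000000000000000000001")  # dst: ff02::1
    return hdr + payload


def evaluate_filter(pkt):
    """Apply the two quoted terms in order; return (term, action) or None.

    None means neither term matched, so later terms of the real filter
    (not shown in the thread) would decide the packet's fate.
    """
    if len(pkt) < 41:
        return None
    _, _, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    # Mirrors the next-header match: an extension header ahead of ICMPv6 would not match here
    if next_header != ICMPV6:
        return None
    icmp_type = pkt[40]
    if icmp_type in ND_TYPES and hop_limit == 255:
        return ("icmp:nd", "accept")      # term icmp:nd: ND only when it cannot have been forwarded
    if icmp_type in ICMP_TYPES:
        return ("icmp", "police_local+accept")  # term icmp: rate-limited via policer
    return None


if __name__ == "__main__":
    for hl, t in [(255, 135), (64, 135), (64, 128), (255, 128)]:
        print(f"hop-limit={hl:3d} type={t:3d} ->", evaluate_filter(build_ipv6_icmp(hl, t)))
```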