In message <acd7c570039e58b67bbf64e467f4b12b@192.168.152.50>, Ryan Rawdon writes
:
>
> Hello NANOGers -
>
> What considerations should be made with respect to implementing egress
> filtering based on source IPv6 addresses? Things like allowing traffic
> sourced from fe80::/10 in said filters for on-link communication (for the
> interface that the filter is applied to). Is there anything else that
> should be taken into account while implementing BCP38 egress filtering in
> IPv6?
>
> Ryan
You should definitely make sure you block ULA prefixes leaving your
site by default.
e.g.
add unreach admin all from any to fc00::/7 via gif0
add unreach admin all from fc00::/7 to any via gif0
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
