In message <acd7c570039e58b67bbf64e467f4b12b@192.168.152.50>, Ryan Rawdon writes : > > Hello NANOGers - > > What considerations should be made with respect to implementing egress > filtering based on source IPv6 addresses? Things like allowing traffic > sourced from fe80::/10 in said filters for on-link communication (for the > interface that the filter is applied to). Is there anything else that > should be taken into account while implementing BCP38 egress filtering in > IPv6? > > Ryan
You should definitely make sure you block ULA prefixes leaving your site by default. e.g. add unreach admin all from any to fc00::/7 via gif0 add unreach admin all from fc00::/7 to any via gif0 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org