On 10 feb 2011, at 22:34, Ryan Rawdon wrote:

> What considerations should be made with respect to implementing egress
> filtering based on source IPv6 addresses? Things like allowing traffic
> sourced from fe80::/10 in said filters for on-link communication (for the
> interface that the filter is applied to).  Is there anything else that
> should be taken into account while implementing BCP38 egress filtering in
> IPv6?

There's a lot of language in the RFCs about this type of address not being 
forwarded by routers, so filtering shouldn't be necessary. I know that Cisco 
lets neighbor discovery through before the implicit deny is applied, so 
specifically allowing link locals for neighbor discovery isn't necessary 
either. (I would assume other vendors do the same, but it's of course a good 
idea to check.)

The only time you have to be careful is when you do a deny all, because you 
need neighbor discovery unless you use static neighbor cache entries. ND also 
uses multicast, so you need to let that through as appropriate, too.
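
Added example, not part of the original message: a Python model of a source filter that ends in an explicit deny all but still admits neighbor discovery and its multicast groups, as the reply describes. The prefix 2001:db8:1234::/48, the `Packet` fields and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumed for illustration: a documentation prefix stands in for the prefix
# assigned to the network behind the filtered interface.
ALLOWED_PREFIX = ipaddress.ip_network("2001:db8:1234::/48")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")
ND_GROUPS = {ipaddress.ip_address("ff02::1"), ipaddress.ip_address("ff02::2")}
UNSPECIFIED = ipaddress.ip_address("::")
ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136}  # RS, RA, NS, NA (RFC 4861)

class Packet(NamedTuple):
    src: str
    dst: str
    next_header: int
    hop_limit: int
    icmp_type: Optional[int] = None

def is_neighbor_discovery(p: Packet) -> bool:
    """True for on-link ND: ND type, hop limit 255, addresses ND really uses."""
    if p.next_header != ICMPV6 or p.icmp_type not in ND_TYPES or p.hop_limit != 255:
        return False
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    src_ok = src == UNSPECIFIED or src in LINK_LOCAL or src in ALLOWED_PREFIX
    dst_ok = (dst in SOLICITED_NODE or dst in ND_GROUPS
              or dst in LINK_LOCAL or dst in ALLOWED_PREFIX)
    return src_ok and dst_ok

def evaluate(p: Packet) -> str:
    """Filter order: ND first, then the BCP38 source check, then deny all."""
    if is_neighbor_discovery(p):
        return "permit-nd"
    if ipaddress.ip_address(p.src) in ALLOWED_PREFIX:
        return "permit-source"
    return "deny"

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "dad_ns": Packet("::", "ff02::1:ff00:1", ICMPV6, 255, 135),
    "ns_link_local": Packet("fe80::1", "ff02::1:ff00:2", ICMPV6, 255, 135),
    "forwarded_ok": Packet("2001:db8:1234:1::10", "2001:db8:ffff::1", 6, 64),
    "spoofed_source": Packet("2001:db8:9999::10", "2001:db8:ffff::1", 6, 64),
    "off_link_ns": Packet("fe80::1", "ff02::1:ff00:2", ICMPV6, 64, 135),
    "link_local_tcp": Packet("fe80::1", "2001:db8:ffff::1", 6, 64),
}
for name, pkt in SAMPLES.items():
    print(f"{name:16} {evaluate(pkt)}")
```

The model covers only neighbor discovery; any other on-link protocol in use would need its own permit ahead of the final deny.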
