Link-local and ACLs

David Farmer farmer at umn.edu
Mon Jul 24 23:36:17 CEST 2017


On Mon, Jul 24, 2017 at 3:42 PM, Brian E Carpenter <
brian.e.carpenter at gmail.com> wrote:

> On 25/07/2017 05:46, David Farmer wrote:
> > In practice Neighbor Discovery, and other critical protocols, need
> > link-local addresses to talk to other link-local addresses and some
> > multicast addresses.
> >
> > Also, in theory a link-local address could talk to a GUA or ULA address on
> > the same link. However, in practice does this really happen? If it does
> > happen in practice what are the circumstances?
>
> I assume you mean a case where the global scope address matches an
> on-link prefix? Otherwise the packet is doomed anyway, since no
> conforming router will forward it off-link. That doesn't need an ACL.
>
> Also you must mean a case where RFC6724 is overridden, since otherwise
> source address selection will prevent it happening (see the examples
> in RFC6724 section 10).
>
> So, I'm not aware of any realistic case where this happens, or any
> reason for it. Or any harm that it would do, for an on-link prefix.
>
>    Brian
>

So, the nice summary in the link Gert sent says:

Neighbor Solicitation (NS) Message

NS is ICMPv6 Type 135 and Code 0

Source address of the IPv6 Packet encapsulating the NS can be one of the two:
1. IPv6 address of the originating interface
2. Unspecified address ::/0 (All Zeros) if the NS is sent for Duplicate
   Address Detection

The destination address of NS can be one of the two:
1. Solicited-Node Multicast Address corresponding to the target address
2. The Target address itself

Note: Target address is the IPv6 address of the target of the solicitation
and is never a multicast address.

Options Field of the NS can contain the link-layer address of the interface
originating the NS

I think that means the Target address, and therefore the destination
address of the packet, could be a Link-Local, GUA, or ULA address, and the
source of the packet could be a Link-local address. When would a Neighbor
Solicitation not using the Solicited-Node Multicast Address normally
occur?

Thanks.



-- 
===============================================
David Farmer               Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
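
Added example (not part of the original message or of the linked summary): a Python sketch that classifies the source/destination pairs the quoted summary allows for a Neighbor Solicitation, which is what an ACL permitting ND has to match. The function names and the sample addresses are constructed for illustration; the unspecified-source rule is taken from RFC 4861 section 7.1.1.

```python
import ipaddress

SOL_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")

def scope(addr):
    """Coarse scope label for an IPv6 address, using the thread's terms."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ULA"
    return "GUA"  # coarse: everything else is treated as global unicast

def solicited_node(target):
    """Solicited-node multicast: ff02::1:ff00:0/104 plus low 24 bits of target."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOL_NODE.network_address) | low24)

def classify_ns(src, dst, target):
    """Return (source scope, destination form, destination scope) for an NS,
    or raise ValueError if the pair is outside what the summary allows."""
    t = ipaddress.IPv6Address(target)
    d = ipaddress.IPv6Address(dst)
    if t.is_multicast:
        raise ValueError("target is never a multicast address")
    s_scope = scope(src)
    if s_scope == "multicast":
        raise ValueError("source must be unicast or unspecified")
    if d == solicited_node(t):
        form = "solicited-node"
    elif d == t:
        form = "unicast-target"
    else:
        raise ValueError("destination matches neither allowed form")
    # RFC 4861 7.1.1: an unspecified source (DAD) requires the multicast form.
    if s_scope == "unspecified" and form != "solicited-node":
        raise ValueError("DAD probe must go to the solicited-node address")
    return (s_scope, form, scope(d))
```

Calling `classify_ns("fe80::1", "2001:db8::1234:5678", "2001:db8::1234:5678")` gives the link-local-source, GUA-destination pair the message asks about.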