Link-local and ACLs
Brian E Carpenter
brian.e.carpenter at gmail.com
Tue Jul 25 22:48:43 CEST 2017
On 25/07/2017 19:07, Gert Doering wrote:
> Hi,
>
> On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
>> Why would you ever do it for normal traffic?
>
> I'm not sure that was a question asked in this thread :-)
>
>> And why would ACLs be relevant for on-link traffic?
>
> Interface ACLs are relevant for all packets leaving or entering an
> interface, generally...
Yes, but why are they relevant except for routers? I didn't see
anything in the original message that limited its scope to routers.
Most nodes aren't routers. I don't expect to see ACLs on normal
hosts.
> So, to stay with Tore's example, if you want to make NDP work on an IXP,
> you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> up needing quite a number of lines to cover all cases
Fair enough. IXPs are a bit of a special case, though.
Brian
>
> #sh access-lists ipv6 internet-ipv6-in | inc icmp
> 20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
> 30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
> 40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
> 50 permit icmpv6 any ff02::/64 135 0
> 60 permit icmpv6 fe80::/64 fe80::/64 135 0
> 70 permit icmpv6 any fe80::/64 135 0
> 80 permit icmpv6 any fe80::/64 136 0
> 90 permit icmpv6 any host ff02::1 136 0
> 100 deny icmpv6 any any 135 log
> 110 deny icmpv6 any any 136 log
>
> (Example for DECIX which uses 2001:7f8::/64 on-link)
>
> Gert Doering
> -- NetMaster
>
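To make Gert's point about "quite a number of lines to cover all cases" concrete, here is an added example (not code from the thread or from either author): a small Python model of IOS-style first-match ACL evaluation, fed the ICMPv6 lines quoted above and a handful of constructed NDP packets (Neighbor Solicitation = type 135, Neighbor Advertisement = type 136). The model is deliberately simplified: it only understands the `permit`/`deny icmpv6 <src> <dst> <type> [code] [ttl eq N] [log]` shape, treats `ttl eq` as a hop-limit match, and returns no decision for packets that none of the listed ICMPv6 lines cover (the real ACL has further lines that `| inc icmp` filtered out). The addresses `fe80::1`, `2001:7f8::1` and `2001:7f8::2` are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The ICMPv6 lines quoted in the thread (copied here as constructed input for the model).
ACL_TEXT = """
20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
50 permit icmpv6 any ff02::/64 135 0
60 permit icmpv6 fe80::/64 fe80::/64 135 0
70 permit icmpv6 any fe80::/64 135 0
80 permit icmpv6 any fe80::/64 136 0
90 permit icmpv6 any host ff02::1 136 0
100 deny icmpv6 any any 135 log
110 deny icmpv6 any any 136 log
"""


@dataclass
class Entry:
    seq: int
    action: str                            # "permit" or "deny"
    src: Optional[ipaddress.IPv6Network]   # None means "any"
    dst: Optional[ipaddress.IPv6Network]   # None means "any"
    icmp_type: int
    icmp_code: Optional[int]               # None means any code
    hop_limit: Optional[int]               # None means no "ttl eq" qualifier
    log: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[Optional[ipaddress.IPv6Network], int]:
    """Consume one address spec ('any', 'host X' or 'X/len'); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tok, strict=False), i + 1


def parse_acl(text: str) -> List[Entry]:
    """Parse the simplified IOS-style ICMPv6 ACL lines; other protocols are skipped."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[2] != "icmpv6":
            continue
        seq, action = int(t[0]), t[1]
        src, i = _parse_addr(t, 3)
        dst, i = _parse_addr(t, i)
        icmp_type, i = int(t[i]), i + 1
        code = None
        if i < len(t) and t[i].isdigit():          # optional ICMPv6 code
            code, i = int(t[i]), i + 1
        hop_limit, log = None, False
        while i < len(t):                          # trailing qualifiers
            if t[i] == "ttl" and t[i + 1] == "eq":
                hop_limit, i = int(t[i + 2]), i + 3
            elif t[i] == "log":
                log, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} on line {seq}")
        entries.append(Entry(seq, action, src, dst, icmp_type, code, hop_limit, log))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str, icmp_type: int,
             icmp_code: int = 0, hop_limit: int = 255) -> Tuple[Optional[str], Optional[int]]:
    """First match wins; returns (action, seq), or (None, None) if no listed line matches."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for e in entries:
        if e.src is not None and s not in e.src:
            continue
        if e.dst is not None and d not in e.dst:
            continue
        if e.icmp_type != icmp_type:
            continue
        if e.icmp_code is not None and e.icmp_code != icmp_code:
            continue
        if e.hop_limit is not None and e.hop_limit != hop_limit:
            continue
        return e.action, e.seq
    return None, None


# Constructed NDP packets: (name, src, dst, type, hop limit). 2001:7f8::/64 is the on-link IXP prefix.
NDP_CASES = [
    ("NS link-local to GUA",         "fe80::1",     "2001:7f8::2",     135, 255),
    ("NS GUA to GUA, hop limit 255", "2001:7f8::1", "2001:7f8::2",     135, 255),
    ("NS GUA to GUA, hop limit 64",  "2001:7f8::1", "2001:7f8::2",     135, 64),
    ("NS GUA to solicited-node",     "2001:7f8::1", "ff02::1:ff00:2",  135, 255),
    ("NA GUA to all-nodes",          "2001:7f8::1", "ff02::1",         136, 255),
    ("NA GUA to link-local",         "2001:7f8::1", "fe80::2",         136, 255),
    ("NA link-local to GUA",         "fe80::1",     "2001:7f8::2",     136, 255),
    ("Echo request GUA to GUA",      "2001:7f8::1", "2001:7f8::2",     128, 64),
]


def check_ndp_cases(entries: List[Entry]) -> Dict[str, Tuple[Optional[str], Optional[int]]]:
    """Run every constructed packet through the ACL and report which line decided it."""
    return {name: evaluate(entries, s, d, typ, 0, hl) for name, s, d, typ, hl in NDP_CASES}


if __name__ == "__main__":
    for name, (action, seq) in check_ndp_cases(parse_acl(ACL_TEXT)).items():
        print(f"{name:32s} -> {action} (line {seq})")
```

Running it shows each source/destination combination landing on a different permit line, a GUA-to-GUA solicitation with a non-255 hop limit falling through to the logging deny on line 100 (so a forwarded packet cannot masquerade as on-link NDP), and a combination the listed lines do not name (NA from a link-local source to a GUA) falling through to line 110. Whether that last case matters depends on what addresses the peers actually solicit from, which is exactly the kind of per-deployment question that inflates such ACLs.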