Link-local and ACLs

Brian E Carpenter brian.e.carpenter at gmail.com
Tue Jul 25 22:48:43 CEST 2017


On 25/07/2017 19:07, Gert Doering wrote:
> Hi,
> 
> On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
>> Why would you ever do it for normal traffic? 
> 
> I'm not sure that was a question asked in this thread :-)
> 
>> And why would ACLs be relevant for on-link traffic?
> 
> Interface ACLs are relevant for all packets leaving or entering an
> interface, generally...

Yes, but why are they relevant except for routers? I didn't see
anything in the original message that limited its scope to routers.
Most nodes aren't routers. I don't expect to see ACLs on normal
hosts.

> So, to stay with Tore's example, if you want to make NDP work on an IXP,
> you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> up needing quite a number of lines to cover all cases

Fair enough. IXPs are a bit of a special case, though.

   Brian

> 
> #sh access-lists ipv6 internet-ipv6-in | inc icmp
>  20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
>  30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
>  40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
>  50 permit icmpv6 any ff02::/64 135 0
>  60 permit icmpv6 fe80::/64 fe80::/64 135 0
>  70 permit icmpv6 any fe80::/64 135 0
>  80 permit icmpv6 any fe80::/64 136 0
>  90 permit icmpv6 any host ff02::1 136 0
>  100 deny icmpv6 any any 135 log
>  110 deny icmpv6 any any 136 log
> 
> (Example for DECIX which uses 2001:7f8::/64 on-link)
> 
> Gert Doering
>         -- NetMaster
> 


More information about the ipv6-ops mailing list