Link-local and ACLs
spz at serpens.de
Wed Jul 26 08:08:51 CEST 2017
Thus wrote David Farmer (farmer at umn.edu):
> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practices does this really happen? If it does
> happen in practice what are circumstances?
a) be logged in to a system only having a link-local address
b) access a service you know to be on-link by DNS name
I expect that to work. I'm not sure what you win by preventing it from
I usually try to have "same link, same administration", so we may have
differing expectations on the trustworthiness of what is reachable via
link-local. Also, "if it doesn't have a routable address its attack
surface is drastically smaller".
spz at serpens.de (S.P.Zeidler)
More information about the ipv6-ops