Link-local and ACLs

S.P.Zeidler spz at
Wed Jul 26 08:08:51 CEST 2017


Thus wrote David Farmer (farmer at

> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practices does this really happen? If it does
> happen in practice what are circumstances?

a) be logged in to a system only having a link-local address
b) access a service you know to be on-link by DNS name

I expect that to work. I'm not sure what you win by preventing it from

I usually try to have "same link, same administration", so we may have
differing expectations on the trustworthiness of what is reachable via
link-local. Also, "if it doesn't have a routable address its attack
surface is drastically smaller".

spz at (S.P.Zeidler)

More information about the ipv6-ops mailing list