IPv6 filtering at network edge?
Pete Ashdown
pashdown at xmission.com
Sat Mar 13 20:18:18 UTC 2021
I'm tightening up some network-edge filters, and in the process of
testing filtering with IPv6, I found that there is a lot of ICMP
link-local (fe80::) to ff02:: activity at an IX. Is any of this
necessary? I am wary of over-filtering that cuts down functionality and
doesn't increase security. What of the IANA-reserved IPv6 addresses can
be safely blocked on ingress/egress at the network edge?
More information about the NANOG
mailing list