IPv6 filtering at network edge?

Saku Ytti saku at ytti.fi
Tue Mar 16 15:15:44 UTC 2021


Hey,

> I'm tightening up some network-edge filters, and in the process of
> testing filtering with IPv6, I found that there is a lot of ICMP
> link-local (fe80::) to ff02:: activity at an IX.  Is any of this
> necessary?  I am wary of over-filtering that cuts down functionality and

Dunno, ff02::1 would be very necessary (i.e. ND), ff02:: I have no
idea. But you should do yourself a favor: before you drop ICMP packets,
allow ND:

set from next-header icmp6
set from icmp-type router-solicit
set from icmp-type router-advertisement
set from icmp-type neighbor-solicit
set from icmp-type neighbor-advertisement
set from hop-limit 255
set then count icmp:nd
set then accept

It doesn't really matter how many times this is mentioned on how many
forums, people will continue to break IPv6 ND by filtering it
incorrectly. I regularly have customers complaining we've broken IPv6
when ND stops working due to an implementation change on our end using
different combinations of GUA/LL than what their filter permits. And
customers often remain unconvinced, offering 'it works on N other
providers just fine'. IPv6 is too hard; we don't understand how ND
works.


-- 
  ++ytti
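As an added illustration of the ND-filtering failure the post describes (this is example code, not part of the original message or any vendor configuration): a small Python model of two filter orderings, run over constructed IPv6/ICMPv6 headers. The ND term from the post matches on ICMPv6 type plus hop-limit 255 and does not look at the source address, so it admits ND whether the neighbour sources it from a link-local or a global address; a term that only admits fe80::/10 sources lets GUA-sourced Neighbor Solicitations fall through to whatever ICMP drop follows. Packet contents, address values and function names are constructed for the example.

```python
# Added example, not from the original post: models the post's ND term
# against the common mistake of keying ND acceptance on a link-local source.
import ipaddress
import struct

# ICMPv6 types the post's term lists (RFC 4861 Neighbor Discovery).
ND_TYPES = {133: "router-solicit", 134: "router-advertisement",
            135: "neighbor-solicit", 136: "neighbor-advertisement"}


def build_icmpv6(src, dst, icmp_type, hop_limit):
    """Constructed sample packet: 40-byte IPv6 header + 8-byte ICMPv6 header.
    The ICMPv6 checksum is left zero; neither filter inspects it."""
    payload = struct.pack("!BBHI", icmp_type, 0, 0, 0)  # type, code, cksum, body
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), 58, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def parse(pkt):
    """Return (src, dst, next_header, hop_limit, icmp_type) from a raw packet."""
    _, _, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    icmp_type = pkt[40] if nxt == 58 and len(pkt) > 40 else None
    return src, dst, nxt, hlim, icmp_type


def nd_term_by_type(pkt):
    """The post's ordering: ND matched on type + hop-limit 255, source ignored.
    "no-match" means the packet continues to whatever terms follow (e.g. the
    ICMP drop the post warns about)."""
    src, dst, nxt, hlim, t = parse(pkt)
    if nxt == 58 and t in ND_TYPES and hlim == 255:
        return "accept:nd"
    return "no-match"


def nd_term_by_link_local_source(pkt):
    """The mistake the post describes: ND admitted only from fe80::/10, so a
    neighbour that sources ND from its GUA is not matched here and is cut off
    by a later ICMP drop."""
    src, dst, nxt, hlim, t = parse(pkt)
    if nxt == 58 and t in ND_TYPES and src.is_link_local:
        return "accept:nd"
    return "no-match"
```

The hop-limit 255 check also keeps off-link senders out of the ND term, since a forwarded packet cannot arrive with hop limit 255.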


More information about the NANOG mailing list