[c-nsp] ASR9001 ASR9901 IOS-XR IPv6 filtering

cnsp at marenda.net cnsp at marenda.net
Wed Jun 10 08:21:55 EDT 2020


Hi List, 

I would like to filter the incoming IPv6 traffic from upstream and peering 
relatively strongly, like I do it for IPv4 
(no martian src allowed, 
 traffic on the link to upstream/peering allowed, 
 my and customers' prefixes allowed as dst). 

Having link-local addresses will complicate this, 
also the ND etc. 
So I came up with a relatively long ACL and big question marks: 

1. With classical IOS, "IP" rules include icmp, udp, tcp, ... 
   Is this also true on IOS-XR for IPv6? 

2. On the Neighbor Discovery etc. stuff, are src and dst always link-local, 
or must I explicitly allow the four pairs LL-LL, LL-real, real-LL, real-real? 

3. Will that ACL work on the mentioned devices in hardware, 
or is it done in software, slowing down everything? 

With 1. and 2. I could probably shorten the sketch below 
and avoid unspecific icmp "any any" rules. 

!========== 
ipv6 access-list AL6-FILTER-IN 
! from http://www.bgp4all.com.au/pfs/_media/workshops/12-ipv6-security.pdf 
2000 permit icmpv6 any any echo-reply 
2010 permit icmpv6 any any echo-request 
2020 permit icmpv6 any any 1 3 
2030 permit icmpv6 any any 1 4 
2040 permit icmpv6 any any packet-too-big 
2050 permit icmpv6 any any time-exceeded 
2060 permit icmpv6 any any parameter-problem 
! not accepted 2070 permit icmpv6 any any mld-query 
! not accepted 2080 permit icmpv6 any any mld-reduction 
! not accepted 2090 permit icmpv6 any any mld-report 
2100 permit icmpv6 any any nd-na 
2110 permit icmpv6 any any nd-ns 
2120 permit icmpv6 any any router-solicitation 

!HSRP 2200 permit udp FE80::/16 eq 2029 host FF02::66 eq 2029 

2900 deny icmpv6 any any 
! 
! tmp block bad src 
3000 deny ipv6 2605:9880:300::/48 any 
! 
! transit to upstreams and peering 
6000 permit ipv6 2001:qwer::1234/126 2001:qwer::1234/126 
6020 permit ipv6 2001:789::/64 2001:789::/64 
6030 permit ipv6 2001:asdf:ghjk:uiop::/64 2001:asdf:ghjk:uiop::/64 
! 
!! my and customers ipv6 ranges src 
! wrong direction 
!7000 permit ipv6 2a00:xxxx::/32 any 
!7100 permit ipv6 2a01:asdf::/32 any 
! 
! my and customers ipv6 ranges dst 
8000 permit ipv6 any 2a00:xxxx::/32 
8100 permit ipv6 any 2a01:asdf::/32 
! 
9000 deny ipv6 any any 
! 
!========== 

Thank you for suggestions on how to do this "right", 

Juergen. 



