[c-nsp] ASR9001 ASR9901 IOS-XR IPv6 filtering

Gert Doering gert at greenie.muc.de
Wed Jun 10 08:58:47 EDT 2020 

Hi,

On Wed, Jun 10, 2020 at 02:21:55PM +0200, cnsp at marenda.net wrote:
> 2. On  the Neighbor Discovery ets stuff  is src and dst allway link-lokal 
> or must I allow explicit the four pairs LL-LL LL-real real-LL real-real ? 

IPv6 ND sucks big time.  You'll also see :: sources (DAD).

This is what we have at DECIX:

 20 permit icmpv6 fe80::/64 2001:7f8::/64 nd-ns
 30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 nd-ns ttl eq 255
 40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 nd-na ttl eq 255
 90 permit icmpv6 any ff02::/64 nd-ns
 100 permit icmpv6 fe80::/64 fe80::/64 nd-ns
 110 permit icmpv6 any fe80::/64 nd-ns
 120 permit icmpv6 any fe80::/64 nd-na
 130 permit icmpv6 any host ff02::1 nd-na
 140 deny icmpv6 any any nd-ns log
 150 deny icmpv6 any any nd-na log
 160 permit ipv6 fe80::/64 fe80::/64
 170 permit ipv6 fe80::/64 ff02::/64
 180 deny ipv6 fe80::/64 any
 ...

(looking closer, I seem to have any-to-LLA nd-ns twice here...  that is
obviously not needed)

You should be able to filter ND/NS by matching on TTL 255, but when
we did this, we saw peer routers send out NS with lower TTLs - which is
a violation of RFCs, but nobody seems to care...

We do filter link-local to anything non-multicast / non-onlink - nobody
should ever forward these, but we did see packets.


> 3. will that ACL work on the mentioned devices in Hardware 
> or is it done in software slowing down everything ? 

This is fairly easy, XR will do things in hardware, or not at all.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20200610/10a0402b/attachment.sig>

More information about the cisco-nsp mailing list