[j-nsp] JunOS forwarding IPv6 packets with link-local source

Antti Ristimäki antristima at gmail.com
Fri May 17 03:36:19 EDT 2024


Hi,

On Fri, May 17, 2024 at 9:26 AM Saku Ytti <saku at ytti.fi> wrote:
>
> On Thu, 16 May 2024 at 21:23, Antti Ristimäki via juniper-nsp
> <juniper-nsp at puck.nether.net> wrote:
>
> > Does anyone have any insight into this? This issue was discussed on
> > this list already over 10 years ago, for example:
> > https://puck.nether.net/pipermail/juniper-nsp/2012-April/023134.html
>
> Personally I'm not convinced I'd even want this fixed, as it likely
> comes with significant per-packet cost. Reality is always some
> pragmatic version of standard. But I'm pretty sure if you press it,
> Juniper will accept it as PR.

Fair point and I do not completely disagree. However this behaviour
can come as a surprise for those that design their iACLs with the
assumption that packets with link-local srcaddr are never forwarded
outside the link. Now that the packets are actually forwarded, the
iACL design becomes a bit more challenging if you want to keep the
link-local things link local (e.g. there are legit ND packets with
link-local srcaddr and GUA dstaddr). It is doable, though.

> If I read the IPv6 standard correctly, nodes /have to/ join the ND
> multicast group, which they don't, which is good, because the whole
> thing is dumb, fragile and expensive.
> ICMPv6 ND forwarding is weird, most forward it happily in all cases,
> some like SROS punt all ICMPv6 ND with TTL 255, transit or punt, and
> transit all TTL 254 or less.

Agree. And joining the mcast groups would then require MLD which would
require accepting Hop-by-Hop options header, if my memory serves me
correctly.

Antti
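An added illustration of the iACL design point raised above (not configuration from the thread or from Juniper): a family inet6 input filter that lets ND keep its link-local source while counting and discarding everything else sourced from fe80::/10, so link-local traffic is not forwarded off the link even though the forwarding plane would do so. The filter, term and counter names are assumed.

```junos
firewall {
    family inet6 {
        filter EDGE-IACL-V6 {
            /* ND legitimately uses a link-local source, sometimes with a GUA destination */
            term allow-nd-from-link-local {
                from {
                    source-address {
                        fe80::/10;
                    }
                    next-header icmp6;
                    icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement ];
                }
                then accept;
            }
            /* Any other packet with a link-local source must not leave the link */
            term drop-other-link-local {
                from {
                    source-address {
                        fe80::/10;
                    }
                }
                then {
                    count link-local-src-dropped;
                    discard;
                }
            }
            /* Remaining iACL terms for the infrastructure ranges would follow here */
            term allow-rest {
                then accept;
            }
        }
    }
}
```

Apply it inbound on the edge interface (family inet6 filter input EDGE-IACL-V6) and watch the counter with `show firewall filter EDGE-IACL-V6` to see how much link-local-sourced transit traffic actually arrives.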
