[j-nsp] JunOS forwarding IPv6 packets with link-local source

Antti Ristimäki antristima at gmail.com
Fri May 17 11:36:20 EDT 2024


Hi

On Fri 17. May 2024 at 13.05, Daniel Verlouw <daniel at shunoshu.net> wrote:

> Hi,
>
> On Thu, May 16, 2024 at 8:22 PM Antti Ristimäki via juniper-nsp
> <juniper-nsp at puck.nether.net> wrote:
> > I thought this issue had been resolved already years ago, but I
> > noticed that JunOS still happily forwards IPv6 packets with link-local
> > source address towards remote destinations. This of course violates
> > RFC4291. Also recent JunOS releases seem broken, tested with e.g. 21.4
> > and 23.2.
>
> on MX:
> set forwarding-options family inet6 source-checking
>
> refer to:
> https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/source-checking-edit-forwarding-options.html
>

Thank you for the pointer, I had somehow missed the existence of such a knob.

I accidentally replied to Ytti unicast, so also to the list: yes, ND
packets can be filtered by matching the relevant ICMPv6 types and HL=255, but
nevertheless I’m pretty sure that a lot of people will be surprised that by
default link-local sourced packets are forwarded outside the link, and it is
not evident to all which hop limit different packets are specified to use.

Antti
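
Added example, not part of the original message or of any Juniper code: a Python sketch of the two checks discussed in this thread, the RFC 4291 rule against forwarding link-local sourced packets off-link and the ND match on ICMPv6 type plus HL=255. The function names, verdict strings and sample packets (2001:db8::/32 documentation addresses) are constructed for illustration, and it assumes no extension headers precede ICMPv6.

```python
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect (RFC 4861)
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def link_scope(addr):
    """True for link-local unicast or link-local-scope multicast (ffx2::)."""
    raw = addr.packed
    return addr in LINK_LOCAL or (raw[0] == 0xFF and raw[1] & 0x0F == 2)


def classify(packet):
    """Verdict for one raw IPv6 packet arriving on a routed interface.

    Assumption: ICMPv6 directly follows the fixed 40-byte IPv6 header.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "malformed"
    next_header, hop_limit = packet[6], packet[7]
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    if next_header == ICMPV6 and len(packet) > 40 and packet[40] in ND_TYPES:
        # ND is sent with hop limit 255; a lower value cannot be on-link ND
        return "nd-ok" if hop_limit == 255 else "nd-drop"
    if link_scope(dst):
        return "local-only"        # destination never leaves the link
    if src in LINK_LOCAL:
        return "drop-link-local"   # RFC 4291: must not be forwarded off-link
    return "forward"


def build(src, dst, next_header, hop_limit, payload=b""):
    """Constructed sample packet: fixed IPv6 header plus payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (head + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


if __name__ == "__main__":
    # Constructed case from the thread: link-local source, remote destination
    print(classify(build("fe80::1", "2001:db8::1", 17, 64, b"\x00" * 8)))
```

The UDP sample with hop limit 64 is the case an HL=255 ND filter alone does not catch, since only ND messages are specified to use 255.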

