Hey Chris. This is a known issue, tracked by internal PR 573100. I will flip that to externally visible so customers can see.

Appears fixed only on Trio as of 13.3. There was talk of a possible workaround, as below, but not clear it was ever tested/confirmed:

<< possible WA: why don't we install the link-local routes with a discard nexthop (to match destination link-locals) and add a uRPF strict check to it (to match source-link-locals)?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Chris Adams
Sent: Thursday, April 26, 2012 1:58 PM
To: [email protected]
Subject: [j-nsp] Forwarding IPv6 link-local packets?

I noticed some (anti-spoofing) IPv6 filter drops got logged, so I went to track down the source of the problem. Annoyingly, the source address was a link-local address (although the destination addresses were on the Internet). I tracked down the source (only because I don't have a lot of IPv6 traffic yet).

My question is this: why is a packet with a link-local source forwarded at all? I have uRPF enabled on the interface, but I guess since fe80::/64 is considered a valid route for all IPv6 interfaces, uRPF won't catch that.

Is there any practical way to turn off link-local forwarding, other than to apply filters to every interface? Or am I just missing something obvious?

--
Chris Adams <[email protected]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp

