Hi,

On Fri, May 17, 2024 at 9:26 AM Saku Ytti <[email protected]> wrote:
>
> On Thu, 16 May 2024 at 21:23, Antti Ristimäki via juniper-nsp
> <[email protected]> wrote:
>
> > Does anyone have any insight into this? This issue was discussed on
> > this list already over 10 years ago, for example:
> > https://puck.nether.net/pipermail/juniper-nsp/2012-April/023134.html
>
> Personally I'm not convinced I'd even want this fixed, as it likely
> comes with significant per-packet cost. Reality is always some
> pragmatic version of standard. But I'm pretty sure if you press it,
> Juniper will accept it as PR.

Fair point and I do not completely disagree. However, this behaviour can
come as a surprise for those that design their iACLs with the assumption
that packets with link-local srcaddr are never forwarded outside the
link. Now that the packets are actually forwarded, the iACL design
becomes a bit more challenging if you want to keep the link-local things
link local (e.g. there are legit ND packets with link-local srcaddr and
GUA dstaddr). It is doable, though.

> If I read the IPv6 standard correctly, nodes /have to/ join the ND
> multicast group, which they don't, which is good, because the whole
> thing is dumb, fragile and expensive.
>
> ICMPv6 ND forwarding is weird, most forward it happily in all cases,
> some like SROS punt all ICMPv6 ND with TTL 255, transit or punt, and
> transit all TTL 254 or less.

Agree. And joining the mcast groups would then require MLD, which would
require accepting Hop-by-Hop options header, if my memory serves me
correctly.

Antti
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp

