Subnet ingress access lists

Phil Benchoff benchoff@vt.edu
Wed, 27 Jun 2001 14:44:50 -0400


We use ingress and egress filters on our IPv4 connections to upstream
providers.  We also use ingress filters on all of the campus subnets.
A typical IPv4 ingress access list for a subnet looks like this:

  Permit global IP4 prefix assigned to this subnet to any
  Permit host addresses of the other interfaces on multi-homed hosts to any
      (any interface may be the source of a packet, not just the one
       on this subnet)
  Permit unspecified address to broadcast port bootps
      (because we forward DHCP)
  Deny all others

This appears to be a bit more complicated with IPv6.  The following
is what I have come up with so far:

  Permit global unicast prefix assigned to this subnet to any
  Permit global unicast prefixes of multi-homed hosts' other interfaces (/128s) to any
  Permit site-local for this subnet to site-local
  Permit site-local for this subnet to site's global unicast
  Permit site-local for this subnet to site-local multicast (ff05::/16)
  Permit site-local interfaces on multi-homed hosts to site's global unicast
  Permit site-local interfaces on multi-homed hosts to site-local
  Permit link-local prefix to link-local unicast of router
  Permit link-local prefix to link-local multicast
  Permit unspecified to link-local multicast (ff02::/16)
        (required for duplicate address detection)
        (required so no other hosts use router's link-local address)
        (should really only need router interface solicited-node multicast)

I suspect a lot of this will be covered by an "ipv6 verify unicast
reverse-path" command with enhancements similar to the one for IPv4.  
12.2(2)T does not support the log keyword, so I haven't experimented
much to see what is really required in the access list.  Has anyone else
given it any thought?

Phil
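The IPv6 ingress list sketched in the post, modelled as an ordered permit list with an implicit deny so it can be checked against sample packets offline. This is an added example, not code from the post or from any vendor ACL syntax; the subnet, site and router addresses are assumed documentation values, and the two multi-homed /128s and the sample packets are constructed. The `narrow_dad` switch applies the post's remark that the unspecified-source rule should only need the router interface's solicited-node group.

```python
"""Added example (not from the original post): an IPv6 subnet ingress policy
modelled as an ordered permit list with an implicit deny, so the rules in
the post can be evaluated against sample packets offline.  All prefixes and
the router address are assumed (RFC 3849 documentation space)."""
from ipaddress import IPv6Address, IPv6Network

# Assumed addressing for one campus subnet (constructed values).
SUBNET_GLOBAL = IPv6Network("2001:db8:1:1::/64")      # global prefix on this subnet
SITE_GLOBAL = IPv6Network("2001:db8::/32")            # the site's whole global allocation
SUBNET_SITE_LOCAL = IPv6Network("fec0:0:0:1::/64")    # site-local prefix for this subnet
SITE_LOCAL = IPv6Network("fec0::/10")
LINK_LOCAL = IPv6Network("fe80::/10")
ROUTER_LINK_LOCAL = IPv6Address("fe80::1")            # assumed router address on this link
SITE_LOCAL_MCAST = IPv6Network("ff05::/16")
LINK_LOCAL_MCAST = IPv6Network("ff02::/16")
UNSPECIFIED = IPv6Address("::")
ANY = IPv6Network("::/0")

# /128s of the *other* interfaces of multi-homed hosts that may source packets here (assumed).
MULTIHOMED_GLOBAL = [IPv6Network("2001:db8:1:2::10/128")]
MULTIHOMED_SITE_LOCAL = [IPv6Network("fec0:0:0:2::10/128")]


def solicited_node(addr):
    """Solicited-node multicast group for addr (RFC 4861): ff02::1:ff00:0/104 + low 24 bits."""
    return IPv6Address(int(IPv6Address("ff02::1:ff00:0")) | (int(IPv6Address(addr)) & 0xFFFFFF))


def build_rules(narrow_dad=False):
    """Ordered (name, sources, destinations) permits, in the order the post lists them.
    narrow_dad=True restricts the unspecified-source rule to the router's solicited-node
    group instead of all of ff02::/16."""
    dad_dst = [solicited_node(ROUTER_LINK_LOCAL)] if narrow_dad else [LINK_LOCAL_MCAST]
    return [
        ("subnet global -> any", [SUBNET_GLOBAL], [ANY]),
        ("multi-homed global /128 -> any", MULTIHOMED_GLOBAL, [ANY]),
        ("subnet site-local -> site-local", [SUBNET_SITE_LOCAL], [SITE_LOCAL]),
        ("subnet site-local -> site global", [SUBNET_SITE_LOCAL], [SITE_GLOBAL]),
        ("subnet site-local -> ff05::/16", [SUBNET_SITE_LOCAL], [SITE_LOCAL_MCAST]),
        ("multi-homed site-local -> site global", MULTIHOMED_SITE_LOCAL, [SITE_GLOBAL]),
        ("multi-homed site-local -> site-local", MULTIHOMED_SITE_LOCAL, [SITE_LOCAL]),
        ("link-local -> router link-local", [LINK_LOCAL], [ROUTER_LINK_LOCAL]),
        ("link-local -> ff02::/16", [LINK_LOCAL], [LINK_LOCAL_MCAST]),
        ("unspecified -> DAD/NS target", [UNSPECIFIED], dad_dst),
    ]


def _matches(addr, spec):
    """True if addr equals a listed address or falls inside a listed network."""
    return any(addr == s if isinstance(s, IPv6Address) else addr in s for s in spec)


def evaluate(src, dst, rules=None):
    """First-match evaluation; returns ('permit', rule name) or ('deny', 'implicit deny')."""
    s, d = IPv6Address(src), IPv6Address(dst)
    for name, srcs, dsts in rules or build_rules():
        if _matches(s, srcs) and _matches(d, dsts):
            return "permit", name
    return "deny", "implicit deny"


# Constructed sample packets: (source, destination, what they represent).
SAMPLES = [
    ("2001:db8:1:1::5", "2001:db8:ffff::1", "host on subnet to rest of site"),
    ("2001:db8:1:2::10", "2001:db8:1:1::1", "multi-homed host's other interface"),
    ("2001:db8:2:2::5", "2001:db8:1:1::1", "source not on this subnet (spoofed)"),
    ("fec0:0:0:1::5", "2001:db8:ffff::1", "site-local source to site global"),
    ("fec0:0:0:1::5", "ff05::2", "site-local source to site-local multicast"),
    ("fe80::a", "fe80::1", "host to router link-local"),
    ("fe80::a", "fe80::b", "link-local host to another host's link-local"),
    ("::", str(solicited_node("2001:db8:1:1::5")), "host DAD for its own global address"),
    ("::", str(solicited_node(ROUTER_LINK_LOCAL)), "NS/DAD for the router's link-local"),
    ("::", "ff02::1", "unspecified source to all-nodes"),
]


def run_samples(narrow_dad=False):
    """Verdict for each sample packet under the broad or narrowed rule list."""
    rules = build_rules(narrow_dad)
    return [evaluate(src, dst, rules)[0] for src, dst, _ in SAMPLES]


if __name__ == "__main__":
    for narrow in (False, True):
        print(f"--- narrow_dad={narrow} ---")
        for src, dst, why in SAMPLES:
            verdict, rule = evaluate(src, dst, build_rules(narrow))
            print(f"{verdict:6} {src:>18} -> {dst:<18} {why} [{rule}]")
```

Run as a script it prints each sample with the rule that matched; the spoofed source, the host-to-host link-local packet, and (with `narrow_dad=True`) the `::` to `ff02::1` packet fall through to the implicit deny, while the host's own DAD probe is only permitted by the broad `ff02::/16` form of the last rule.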