Subnet ingress access lists
Antonio Querubin
tony@lava.net
Wed, 27 Jun 2001 11:31:05 -1000 (HST)
On Wed, 27 Jun 2001, Phil Benchoff wrote:
> A typical IPv4 ingress access list for a subnet looks like this:
>
> Permit global IP4 prefix assigned to this subnet to any
> Permit host addresses of the other interfaces on multi-homed hosts to any
> (any interface may be the source of a packet, not just the one
> on this subnet)
> Permit unspecified address to broadcast port bootps
> (because we forward DHCP)
> Deny all others
>
> This appears to be a bit more complicated with IPv6. The following
> is what I have come up with so far:
>
> Permit global unicast prefix assigned to this subnet to any
> Permit global unicast prefixes of multi-homed hosts' other interfaces (/128s) to any.
> Permit site-local for this subnet to site-local
> Permit site-local for this subnet to site's global unicast
> Permit site-local for this subnet to site-local multicast (ff05::/16)
> Permit site-local interfaces on multi-homed hosts to site's global unicast
> Permit site-local interfaces on multi-homed hosts to site-local
> Permit link-local prefix to link-local unicast of router
> Permit link-local prefix to link-local multicast
> Permit unspecified to link-local multicast (ff02::/16)
> (required for duplicate address detection)
> (required so no other hosts use router's link-local address)
> (should really only need router interface solicited-node multicast)
The last one should probably be to the site-local multicast/anycast or
specific server IP addresses if you want to be more discriminating.
> I suspect a lot of this will be covered by an "ipv6 verify unicast
> reverse-path" command with enhancements similar to the one for IPv4.
> 12.2(2)T does not support the log keyword, so I haven't experimented
> much to see what is really required in the access list. Has anyone else
> given it any thought?
It's a good list though my head hurts thinking about it :)
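The IPv6 ingress policy quoted above, written out as a checkable model so the rules can be exercised against sample packets before they go into a router. This is an added example and is not part of Phil's or Antonio's posts; the prefixes, the router's link-local address and the multi-homed /128s are constructed sample values, and `evaluate`/`solicited_node` are names chosen here. Rules are tried in order, first match wins, and anything unmatched falls through to the implicit deny. The `strict_dad` option implements the parenthetical that the router interface should really only need to accept unspecified-source packets to its own solicited-node multicast address, since the router's ingress list never sees DAD probes exchanged between hosts on the link.

```python
from ipaddress import IPv6Address, IPv6Network

# --- Constructed sample topology (assumed values, not from the thread) ---
SUBNET_GLOBAL = IPv6Network("2001:db8:100:1::/64")  # global prefix assigned to this subnet
SITE_GLOBAL = IPv6Network("2001:db8:100::/48")      # the site's global unicast space
SUBNET_SITE_LOCAL = IPv6Network("fec0:0:0:1::/64")  # site-local prefix for this subnet
SITE_LOCAL = IPv6Network("fec0::/10")               # all site-local unicast
LINK_LOCAL = IPv6Network("fe80::/10")               # link-local unicast
LINK_LOCAL_MCAST = IPv6Network("ff02::/16")         # link-local scope multicast
SITE_LOCAL_MCAST = IPv6Network("ff05::/16")         # site-local scope multicast
ROUTER_LINK_LOCAL = IPv6Address("fe80::1")          # this router interface's link-local address
UNSPECIFIED = IPv6Address("::")
# /128s of the *other* interfaces of multi-homed hosts on this subnet
MULTIHOMED_GLOBAL = [IPv6Network("2001:db8:100:2::10/128")]
MULTIHOMED_SITE_LOCAL = [IPv6Network("fec0:0:0:2::10/128")]


def solicited_node(addr):
    """Solicited-node multicast address (ff02::1:ffXX:XXXX) for a unicast address."""
    base = int(IPv6Address("ff02::1:ff00:0"))
    return IPv6Address(base | (int(IPv6Address(addr)) & 0xFFFFFF))


def _in_any(addr, nets):
    return any(addr in n for n in nets)


# (rule name, source predicate, destination predicate), in the order Phil listed them
RULES = [
    ("subnet global to any",
     lambda s: s in SUBNET_GLOBAL, lambda d: True),
    ("multihomed global /128 to any",
     lambda s: _in_any(s, MULTIHOMED_GLOBAL), lambda d: True),
    ("subnet site-local to site-local",
     lambda s: s in SUBNET_SITE_LOCAL, lambda d: d in SITE_LOCAL),
    ("subnet site-local to site global",
     lambda s: s in SUBNET_SITE_LOCAL, lambda d: d in SITE_GLOBAL),
    ("subnet site-local to site-local multicast",
     lambda s: s in SUBNET_SITE_LOCAL, lambda d: d in SITE_LOCAL_MCAST),
    ("multihomed site-local to site global",
     lambda s: _in_any(s, MULTIHOMED_SITE_LOCAL), lambda d: d in SITE_GLOBAL),
    ("multihomed site-local to site-local",
     lambda s: _in_any(s, MULTIHOMED_SITE_LOCAL), lambda d: d in SITE_LOCAL),
    ("link-local to router link-local",
     lambda s: s in LINK_LOCAL, lambda d: d == ROUTER_LINK_LOCAL),
    ("link-local to link-local multicast",
     lambda s: s in LINK_LOCAL, lambda d: d in LINK_LOCAL_MCAST),
]


def evaluate(src, dst, strict_dad=False):
    """Return ("permit", rule_name) for the first matching rule, else ("deny", "implicit deny").

    strict_dad=False: unspecified source may reach any ff02::/16 address (Phil's list as written).
    strict_dad=True:  unspecified source may reach only the router's own solicited-node address.
    """
    s, d = IPv6Address(src), IPv6Address(dst)
    for name, src_ok, dst_ok in RULES:
        if src_ok(s) and dst_ok(d):
            return ("permit", name)
    # Duplicate address detection: source is the unspecified address.
    if s == UNSPECIFIED:
        if strict_dad:
            if d == solicited_node(ROUTER_LINK_LOCAL):
                return ("permit", "unspecified to router solicited-node (DAD)")
        elif d in LINK_LOCAL_MCAST:
            return ("permit", "unspecified to link-local multicast (DAD)")
    return ("deny", "implicit deny")


if __name__ == "__main__":
    # Constructed sample packets: (source, destination)
    samples = [
        ("2001:db8:100:1::5", "2001:db8:200::1"),   # legitimate host leaving the subnet
        ("2001:db8:200::5", "2001:db8:100:1::1"),   # foreign source on an inside interface
        ("fec0:0:0:1::5", "2001:db8:200::1"),       # site-local source to an off-site global
        ("fe80::abcd", "fe80::1"),                   # host to router link-local (ND, RS)
        ("::", "ff02::1:ff00:1"),                    # DAD probe for the router's address
        ("::", "ff02::1:ff00:5"),                    # DAD probe for some other address
    ]
    for src, dst in samples:
        print(f"{src:>20} -> {dst:<18} {evaluate(src, dst)}  strict: {evaluate(src, dst, strict_dad=True)}")
```

The model is a policy oracle rather than router configuration: it answers the question "which line of the list would this packet hit, and did I mean that?" on a workstation, which is useful precisely when the platform lacks the `log` keyword and cannot tell you itself. The second sample shows the anti-spoofing purpose of the list, a packet whose source belongs to another subnet arriving on this interface falls through to the implicit deny, and the last two samples show what the strict DAD variant tightens.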