I'm studying IPv6 security (the IPv6 Security book from Cisco, by Scott Hogg and Eric Vyncke) and at the moment I'm trying to build an ACL to apply on an interface that is connected to an ISP.
In the recommendations they say that we need to allow ICMP nd-na and nd-ns to any from link-local addresses:
permit icmp fe80::/10 any nd-ns
permit icmp fe80::/10 any nd-na
I don't see this permit as mandatory, and in a lab I made an ACL blocking it. It is a simple lab, but I didn't see problems after blocking it.
I'm not using the LLA as the BGP neighbor address.
Does anyone know anything about permitting or denying LLA ICMP on production networks?
Thanks.
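For reference, here is an added IOS configuration example (not from the book or the post above) showing the two ND entries in context. It assumes the ACL name ISP-IN, interface GigabitEthernet0/0 and the prefix 2001:db8::/32 as placeholders. The caveat it illustrates: IOS IPv6 ACLs append implicit "permit icmp any any nd-na", "permit icmp any any nd-ns" and "deny ipv6 any any" entries, so an explicit final deny silently removes the implicit ND permits unless they are written out.

```cisco
! Weak form: the explicit "deny ipv6 any any" comes before the implicit
! ND permits, so Neighbor Solicitation/Advertisement from the peer is dropped
! and address resolution on the link fails once the neighbor cache expires.
ipv6 access-list ISP-IN-WEAK
 remark placeholder: allow BGP to our side of the link
 permit tcp any host 2001:db8::1 eq bgp
 deny ipv6 any any log
!
! Corrected form: ND from the link-local range is permitted explicitly,
! ahead of the final deny, as the book recommends.
ipv6 access-list ISP-IN
 remark Neighbor Discovery from link-local sources (must precede final deny)
 permit icmp fe80::/10 any nd-ns
 permit icmp fe80::/10 any nd-na
 remark everything else sourced from link-local is logged and dropped
 deny ipv6 fe80::/10 any log
 remark placeholder: allow BGP to our side of the link
 permit tcp any host 2001:db8::1 eq bgp
 remark placeholder: inbound transit to our allocation
 permit ipv6 any 2001:db8::/32
 deny ipv6 any any log
!
interface GigabitEthernet0/0
 ipv6 traffic-filter ISP-IN in
```

To check which entries are actually matching (including whether ND is hitting the explicit permits or the final deny), use "show ipv6 access-list ISP-IN" and read the per-entry match counters.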