IPv6 ACL implicit rules

kazza
Level 1

Hello,

I was thinking about the 3 implicit rules that are added to all IPv6 ACLs. I understand their intention is to enable Neighbor Advertisement/Solicitation, however I was thinking about the impact of these rules on the device (outside of allowing NDP to function).

For example,

1) I have set up a lab where I have tested writing a simple QoS classifier for IPv6. To my surprise it did not match against NDP-NA/S traffic unless I added the implicit permit rules explicitly to the ACL. Hence, the IPv6 ACL for QoS behaves like an IPv4 ACL with the only implicit rule being "deny ipv6 any any".

2) I have set up a lab where I have been able to use the implicit "permit icmp any any nd-na" rule to forward Neighbor Advertisements from one subnet to another (using global unicast addresses instead of link-local). This also included adding custom options attached to the end of the NA with payloads, so it's theoretically possible this could allow someone to create a tunnel through a router that uses the implicit rules. However, this is not as surprising as it might sound. It's the expected behaviour from https://tools.ietf.org/html/rfc4890, where it states rules need to be configured on routers/firewalls to prevent non-link-local NA/NS being forwarded.

Does anyone know if Cisco has produced a document/some form of guidance that details the impact of these rules?
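As an added example (not part of kazza's post and not Cisco documentation), the IOS configuration below illustrates both observations: a QoS ACL that lists the ND messages explicitly because a QoS ACL carries no implicit ND permits, and an interface traffic-filter that follows the RFC 4890 advice by denying NS/NA with off-link destinations before the implicit permits would apply. The ACL names NDP-QOS and NDP-GUARD, the class-map and policy-map names, the prefix 2001:DB8:A::/64 and the interface GigabitEthernet0/0 are placeholders chosen for the example.

```cisco
! --- Point 1: QoS classification.
! A QoS ACL only has the implicit "deny ipv6 any any", so NS/NA must be
! listed explicitly for the class to match them.
ipv6 access-list NDP-QOS
 remark Explicit ND rules (placeholder ACL name for this example)
 permit icmp any any nd-ns
 permit icmp any any nd-na
!
class-map match-any NDP-CLASS
 match access-group name NDP-QOS
!
policy-map EDGE-IN
 class NDP-CLASS
  police 64000 conform-action transmit exceed-action drop
!
! --- Point 2: interface traffic-filter in the spirit of RFC 4890.
! NS/NA are link-scoped. On an interface whose prefix is 2001:DB8:A::/64
! (placeholder) the only legitimate destinations are link-local addresses,
! multicast (all-nodes, solicited-node) or the link's own prefix. The explicit
! denies are evaluated before the implicit "permit icmp any any nd-ns/nd-na",
! so an NA addressed to another subnet is no longer forwarded.
ipv6 access-list NDP-GUARD
 permit icmp any FE80::/10 nd-ns
 permit icmp any FE80::/10 nd-na
 permit icmp any FF02::/16 nd-ns
 permit icmp any FF02::/16 nd-na
 permit icmp any 2001:DB8:A::/64 nd-ns
 permit icmp any 2001:DB8:A::/64 nd-na
 deny icmp any any nd-ns
 deny icmp any any nd-na
 remark Remaining policy goes here; "permit ipv6 any any" is a placeholder
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 address 2001:DB8:A::1/64
 ipv6 traffic-filter NDP-GUARD in
```

Because an inbound traffic-filter also applies to ND messages addressed to the router itself, verify in a lab that neighbor resolution on the interface still works (for example with `show ipv6 neighbors`) after applying an ACL of this shape. Note also that a receiver implementing the RFC 4861 validation rules discards an NS/NA whose Hop Limit is not 255, so a router-forwarded NA is only useful to a non-standard receiver; the filter above removes the forwarding path regardless.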
