# Filtering fe80::/10

## wswartzendruber

What are the link-local addresses used for?  I prefer to keep tight firewall restrictions on both IPv4 and IPv6 stacks.  IPv4 is straightforward, but IPv6 introduces some peculiar features.

----------

## ali3nx

I'll start by admitting I'm yet to master IPv6, but I was an early adopter of it, using IPv6 to IPv4 tunnels, and had my own assigned /64 subnet on my internal LAN at some time several years ago.

Despite that, it's still a learning process, as I was never a stalwart mathematician and subnetting in Cisco class gave me headaches   :Laughing:

I did manage to find a few references for you that state that link-local IPv6 is a non-routable /64 subnet used only by non-routable network communications for router discovery. With that in mind, fe80:: link-local is required but not used for routable IPv6.

Essentially, fe80::/64 is the IPv6 equivalent of 169.254.1.0/24.

Any router designed to adhere to the IPv6 RFC should not pass fe80::/64 across the edge router.

https://en.wikipedia.org/wiki/Link-local_address#IPv6

https://tools.ietf.org/html/rfc4291#section-2.5.6

----------

## mtfj

 *wswartzendruber wrote:*   

> What are the link-local addresses used for?  I prefer to keep tight firewall restrictions on both IPv4 and IPv6 stacks.  IPv4 is straightforward, but IPv6 introduces some peculiar features.

 

As I look at my network traffic, they are used for

- router advertisement

- DHCPv6

----------

## wswartzendruber

I suppose I should put tcpdump on the router.

EDIT:  Can anyone think of any reason to filter it?

----------

## ali3nx

Based on the RFC and the design of link-local, any router should inherently filter fe80:: by default. It would be an interesting test to confirm this for a lesson in IPv6   :Smile:

----------

## mtfj

 *ali3nx wrote:*   

> Based on the RFC and the design of link-local, any router should inherently filter fe80:: by default. It would be an interesting test to confirm this for a lesson in IPv6

 

Just to add this line, right?

```
ip6tables -A FORWARD -o ppp1 -s fe80::/10 -j DROP
```

----------
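An added example, not part of any post in this thread: a Python check over a saved ruleset that reports which FORWARD rules drop the whole fe80::/10 range and which INPUT/OUTPUT drops touch link-local sources, the traffic mtfj lists (router advertisement, DHCPv6). The sample ruleset is constructed; only the `ppp1` rule is from the thread, and the function names are hypothetical.

```python
import ipaddress
import shlex

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Constructed ruleset in ip6tables-save style. Only the FORWARD/ppp1 rule
# comes from the thread; the other lines are sample input.
SAMPLE_RULES = """\
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/64 -p udp -j DROP
-A FORWARD -o ppp1 -s fe80::/10 -j DROP
-A FORWARD -s 2001:db8::/64 -j ACCEPT
"""

def parse_rule(line):
    """Return chain, source network, out-interface and target of one rule."""
    tokens = shlex.split(line)
    if "!" in tokens:          # negated matches are not interpreted here
        return None
    keys = {"-A": "chain", "-s": "src", "-o": "out", "-j": "target"}
    rule = dict.fromkeys(keys.values())
    for flag, value in zip(tokens, tokens[1:]):
        if flag in keys:
            rule[keys[flag]] = value
    # A rule without -s matches every source address.
    rule["src"] = ipaddress.ip_network(rule["src"] or "::/0", strict=False)
    return rule

def audit(ruleset):
    """Summarise how DROP rules treat link-local source addresses.
    forward_drops: out-interfaces ("any" if unset) on which a FORWARD rule
                   drops the whole fe80::/10 range.
    local_drops:   INPUT/OUTPUT drops that overlap fe80::/10; review these,
                   since router advertisement and DHCPv6 use such sources.
    Rule order is not evaluated.
    """
    result = {"forward_drops": [], "local_drops": []}
    for line in ruleset.splitlines():
        rule = parse_rule(line) if line.startswith("-A ") else None
        if rule is None or rule["target"] != "DROP":
            continue
        if rule["chain"] == "FORWARD" and LINK_LOCAL.subnet_of(rule["src"]):
            result["forward_drops"].append(rule["out"] or "any")
        elif rule["chain"] in ("INPUT", "OUTPUT") and rule["src"].overlaps(LINK_LOCAL):
            result["local_drops"].append(line)
    return result

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

A FORWARD rule whose source match is narrower than fe80::/10 (for example a /64) is not reported in `forward_drops`, because it leaves part of the link-local range unfiltered.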

