Introduction
This document describes how an IPv6 ACL that contains an ACE with an all-zero prefix can match all IPv6 packets, and the workaround for this behavior.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- IPv6 ACL (Access Control List) configuration on Cisco IOS® XR routers
- ACL Hardware Programming on Cisco IOS® XR routers
Components Used
The information in this document is based on these software and hardware versions:
- IPv6 ACL is applied with compression level 2 or 3
- Cisco IOS® XR release without fix of Cisco bug ID CSCwe08250
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The IPv6 address ::/128 is reserved as the Unspecified Address in RFC (Request For Comments) 4291. It must never be assigned to any node, so it is a best practice to deny this address as part of IPv6 bogon filtering.
Problem
An IPv6 ACL that includes an ACE (Access Control Entry) for ::/128 can match any IPv6 packet on the interface to which it is applied.
An example of this observation in the lab is shown below.
Configuring an IPv6 ACL with host :: matching the IPv6 destination address (ACE 11) and the IPv6 source address (ACE 12):
ipv6 access-list PREFIX_ALL_ZERO
10 remark ** HOST MASK **
11 deny ipv6 any host :: log
12 deny ipv6 host :: any log
Sending PING (Packet Internet or Inter-Network Groper) traffic to a non-zero IPv6 destination address:
RP/0/RP0/CPU0:router#ping fd00:4860:1:1::150 count 100 timeout 0
Thu Sep 14 12:30:23.412 UTC
pings with timeout=0 may result in system instability and
control protocol flaps resulting in traffic impact.
Do you really want to continue[confirm with only 'y' or 'n'] [y/n] :y
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to FD00:4860:1:1::150, timeout is 0 seconds:
....................................................................................................
Success rate is 0 percent (0/100)
The packets were dropped by ACE 11:
RP/0/RP0/CPU0:router#show access-lists ipv6 PREFIX_ALL_ZERO hardware ingress location 0/RP0/CPU0
Thu Sep 14 12:30:46.346 UTC
ipv6 access-list PREFIX_ALL_ZERO
11 deny ipv6 any host :: log (100 matches)
12 deny ipv6 host :: any log
After ACE 11 is removed (and the hardware counters are cleared), the drops move to ACE 12:
RP/0/RP0/CPU0:router#clear access-list ipv6 PREFIX_ALL_ZERO hardware ingress location 0/RP0/CPU0
Thu Sep 14 12:31:34.899 UTC
RP/0/RP0/CPU0:router#ping fd00:4860:1:1::150 count 100 timeout 0
Thu Sep 14 12:31:39.482 UTC
pings with timeout=0 may result in system instability and
control protocol flaps resulting in traffic impact.
Do you really want to continue[confirm with only 'y' or 'n'] [y/n] :y
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to FD00:4860:1:1::150, timeout is 0 seconds:
....................................................................................................
Success rate is 0 percent (0/100)
RP/0/RP0/CPU0:router#show access-lists ipv6 PREFIX_ALL_ZERO hardware ingress location 0/RP0/CPU0
Thu Sep 14 12:31:45.229 UTC
ipv6 access-list PREFIX_ALL_ZERO
12 deny ipv6 host :: any log (100 matches)
These ACEs are supposed to drop only packets whose source or destination address is all zeros.
However, all traffic was dropped, including packets whose source and destination addresses are not all zeros.
Caution: This matching behavior applies to an all-zero prefix with any IPv6 subnet mask length from /1 to /128 in an ACE, not only the /128 in the example.
Solution
A Cisco IOS® XR release that includes the fix for Cisco bug ID CSCwe08250 corrects this behavior.
On a Cisco IOS® XR router that runs without that fix, a workaround exists:
- Use hybrid ACLs and move the ::/<x> entry from the ACL into a network object-group in order to match a source or destination address of all zeros.
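The workaround above written out as configuration, as an added example that is not part of the original document. The object-group name ALL_ZERO_V6 is an assumption, the ACL name and sequence numbers are taken from the lab example, and the ACEs use the IOS XR hybrid ACL net-group form instead of "host ::".

```text
! Network object-group that holds the all-zero address (name ALL_ZERO_V6 is an assumption).
! A longer all-zero prefix from the caution above, such as ::/64, would be added here in the same way.
object-group network ipv6 ALL_ZERO_V6
 host ::
!
! Hybrid ACL: ACE 11 and 12 reference the object-group instead of "host ::".
! Any other entries of the production ACL (for example, a trailing permit) stay unchanged and are omitted here.
ipv6 access-list PREFIX_ALL_ZERO
 10 remark ** HOST MASK via object-group (workaround for CSCwe08250) **
 11 deny ipv6 any net-group ALL_ZERO_V6 log
 12 deny ipv6 net-group ALL_ZERO_V6 any log
!
```

After the change, send traffic to a non-zero IPv6 address again and verify with "show access-lists ipv6 PREFIX_ALL_ZERO hardware ingress location 0/RP0/CPU0" that the match counters of ACE 11 and ACE 12 no longer increment.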