Cisco Bug: CSCun33218 - IPv6 ACL for fec0::/10 incorrectly matches fe80 link local addresses

Last Modified

Aug 06, 2018

Products (15)

  • Cisco Carrier Routing System
  • Cisco CRS-1 Line Card Chassis (Dual)
  • Cisco CRS-1 16-Slot Line Card Chassis
  • Cisco CRS-1 Line Card Chassis (Multi)
  • Cisco CRS-3 Multishelf System
  • Cisco CRS-1 4-Slot Single-Shelf System
  • Cisco IOS XR Software
  • Cisco CRS-1 8-Slot Line Card Chassis
  • Cisco CRS-3 8-Slot Single-Shelf System
  • Cisco CRS-3 16-Slot Single-Shelf System

Known Affected Releases

4.2.3.BASE

Description (partial)

Symptom:
An IPv6 access-list entry for fec0::/10 incorrectly matches fe80::/10 (link-local) addresses. This can break
IPv6 Neighbor Discovery: if a deny for fec0::/10 precedes the permit entries for ICMPv6 types 135 and 136
(Neighbor Solicitation and Neighbor Advertisement), the node's peers may be left with incomplete address
resolution.

This is the most commonly seen impact scenario: RFC 3513 defined fec0::/10 as site-local addresses and
RFC 3879 later deprecated them, so customers often have ingress ACLs that deny both fec0::/10 and fe80::/10.

However, the defect is not limited to fec0::/10 and fe80::/10; it can manifest on other entries too. The
match result of one entry can be incorrectly copied to another when the two entries meet the following
criteria: they have masks of the same length and their addresses differ by exactly one bit in the last byte
of the address covered by the mask. Depending on the role of the affected entries in the ACL, the impact
on services varies widely: traffic that should be permitted may be dropped, and vice versa.

The first ten bits of each prefix; the bracketed bit is the only one that differs:

fec0::/10   1111 1110 1>1<
fe80::/10   1111 1110 1>0<

Conditions:
The ACL contains two entries that have the same mask length and whose addresses differ by one bit in the
last byte of the address. The trigger is any action that results in ACL recompression, such as an ACL
modification, a CLI-initiated ping, BGP peer provisioning, etc.
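The following Python script is an added example and is not code from the Cisco bug page or from Cisco. It lints a constructed IOS XR-style IPv6 ACL for the trigger condition described above (two entries with the same mask length whose addresses differ in exactly one bit in the last byte the mask covers, read from the fec0::/10 versus fe80::/10 diagram), and then runs a small first-match evaluator twice over a constructed Neighbor Solicitation packet: once with correct matching and once with the defect modelled as described in the symptom, where the match result of the later entry in a flagged pair is copied to the earlier one. The ACL grammar the parser accepts, the packet tuple, and the defect model are simplifications of my own for illustration.

```python
"""Lint an IOS XR-style IPv6 ACL for the CSCun33218 trigger condition and show
the Neighbor Discovery breakage it causes with a small first-match evaluator.
Added example, not code from the Cisco bug page: the ACL, the packets and the
defect model are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample ACL (IOS XR syntax): a common ingress filter that drops
# deprecated site-local and link-local sources but lets Neighbor Solicitation
# and Neighbor Advertisement (ICMPv6 types 135 and 136) through.
SAMPLE_ACL = """\
ipv6 access-list INGRESS-V6
 10 deny ipv6 fec0::/10 any
 20 permit icmpv6 any any 135
 30 permit icmpv6 any any 136
 40 deny ipv6 fe80::/10 any
 50 permit ipv6 any any
"""

@dataclass
class Ace:
    seq: int
    action: str                            # "permit" or "deny"
    proto: str                             # "ipv6" matches any protocol
    src: Optional[ipaddress.IPv6Network]   # None means "any"
    dst: Optional[ipaddress.IPv6Network]
    icmp_type: Optional[int]

# Deliberately minimal grammar: "<seq> <action> <proto> <src> <dst> [<icmp-type>]"
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")
def prefix(tok: str) -> Optional[ipaddress.IPv6Network]:
    return None if tok == "any" else ipaddress.IPv6Network(tok, strict=False)

def parse_acl(text: str) -> list:
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:   # the header line and any syntax this toy parser does not know are skipped
            seq, action, proto, src, dst, itype = m.groups()
            aces.append(Ace(int(seq), action, proto, prefix(src), prefix(dst),
                            int(itype) if itype else None))
    return aces

def is_trigger_pair(a: ipaddress.IPv6Network, b: ipaddress.IPv6Network) -> bool:
    """Trigger condition as the bug describes it: same mask length, addresses
    differing in exactly one bit, with that bit in the last byte the mask
    covers (bit 10 of fec0::/10 versus fe80::/10, i.e. byte 2)."""
    if a.prefixlen != b.prefixlen:
        return False
    diff = int(a.network_address) ^ int(b.network_address)
    if diff == 0 or diff & (diff - 1):      # zero or more than one differing bit
        return False
    pos = 128 - diff.bit_length()           # bit index, 0 = most significant
    return pos < a.prefixlen and pos // 8 == (a.prefixlen - 1) // 8

def find_collisions(aces: list) -> list:
    """(earlier_seq, later_seq, field) for each pair of entries whose source or
    destination prefixes satisfy the trigger condition."""
    hits = []
    for i, x in enumerate(aces):
        for y in aces[i + 1:]:
            for field in ("src", "dst"):
                px, py = getattr(x, field), getattr(y, field)
                if px is not None and py is not None and is_trigger_pair(px, py):
                    hits.append((x.seq, y.seq, field))
    return hits

def packet(src: str, dst: str, proto: str, icmp_type: Optional[int] = None) -> tuple:
    return (ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), proto, icmp_type)
def _matches(ace: Ace, pkt: tuple) -> bool:
    src, dst, proto, itype = pkt
    return (ace.proto in ("ipv6", proto)
            and (ace.src is None or src in ace.src)
            and (ace.dst is None or dst in ace.dst)
            and (ace.icmp_type is None or ace.icmp_type == itype))

def evaluate(aces: list, pkt: tuple, collisions=()) -> tuple:
    """First match wins; returns (action, seq), ("deny", None) being the implicit deny.
    With collisions given, the defect is modelled as the bug describes it: the match
    result of the later entry of a flagged pair is copied to the earlier one, so the
    earlier entry's action applies. An illustrative simplification, not CRS hardware."""
    by_seq = {a.seq: a for a in aces}
    twins = {}
    for earlier, later, _ in collisions:
        twins.setdefault(earlier, []).append(later)
    for ace in aces:
        if _matches(ace, pkt) or any(_matches(by_seq[t], pkt) for t in twins.get(ace.seq, [])):
            return ace.action, ace.seq
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    hits = find_collisions(acl)
    ns = packet("fe80::1", "ff02::1:ff00:1", "icmpv6", 135)   # Neighbor Solicitation
    print("trigger pairs:", hits)                       # [(10, 40, 'src')]
    print("correct result :", evaluate(acl, ns))        # ('permit', 20)
    print("affected result:", evaluate(acl, ns, hits))  # ('deny', 10)
```

Run the file directly to see the flagged pair (entries 10 and 40) and the two evaluations: with correct matching the Neighbor Solicitation from fe80::1 is permitted by entry 20, while under the modelled defect the deny for fec0::/10 at entry 10 swallows it, which is exactly the incomplete-address-resolution symptom the bug describes. The find_collisions() part is the one worth keeping around: since an ACL modification is itself one of the recompression triggers, checking a candidate ACL for trigger pairs before applying it on an affected release is cheap insurance.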