Philip Homburg <philip.homburg@ripe.net> writes:
> As far as I know, this is a well-known Juniper bug where their routers forward ICMP errors without checking whether the source address is link-local.
Thinking about this... Is there any reason, except formalities, why you shouldn't forward those packets? They won't generate a reply and can't generate an ICMP error, so their source address will never be used as a destination.

Agreed, it would be better if they had a global source. But they don't. Maybe because there was none configured on the router/host the error message originates from? In any case, the source address is what it is, and you can either forward the packet or drop it. Dropping it means the information is lost, maybe breaking PMTU or whatever.

I believe it's better to ignore the formalities here and forward those packets. It's certainly harmless. At least as harmless as forwarding any other ICMP error messages.

Bjørn
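To make the two positions in this thread concrete, here is a small forwarding-decision check written for this page (it is not code from Juniper, from either poster, or from any real router). It parses a fixed IPv6 header, classifies the ICMPv6 payload as an error (type 0..127) or informational (type 128..255) message per RFC 4443, and applies either the strict rule (never forward a packet with a link-local source) or the permissive rule Bjørn argues for (forward ICMPv6 error messages even when their source is link-local). Assumptions: no IPv6 extension headers between the base header and ICMPv6, checksums are not validated, the sample packets are constructed inline with placeholder checksums, and the policy names "strict" and "permissive" are this example's own.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ICMPV6 = 58   # IPv6 next-header value for ICMPv6
TCP = 6


def parse_ipv6(pkt: bytes):
    """Parse the 40-byte fixed IPv6 header (assumes no extension headers).

    Returns (src, dst, next_header, payload).
    """
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, plen, nh, _hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return (ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst),
            nh, pkt[40:40 + plen])


def is_icmpv6_error(nh: int, payload: bytes) -> bool:
    """RFC 4443: ICMPv6 types 0..127 are errors, 128..255 informational."""
    return nh == ICMPV6 and len(payload) >= 4 and payload[0] < 128


def forwarding_decision(pkt: bytes, strict: bool = True):
    """Return ("forward"|"drop", reason) for a transit packet.

    strict=True   : link-local source or destination is never forwarded.
    strict=False  : the permissive rule from the thread; ICMPv6 *error*
                    messages are forwarded even with a link-local source,
                    since nothing will ever reply to that address.
    """
    src, dst, nh, payload = parse_ipv6(pkt)
    if dst in LINK_LOCAL:
        return "drop", "link-local destination"
    if src in LINK_LOCAL:
        if not strict and is_icmpv6_error(nh, payload):
            return "forward", "ICMPv6 error with link-local source (permissive policy)"
        return "drop", "link-local source"
    return "forward", "global source and destination"


def build_ipv6(src: str, dst: str, nh: int, payload: bytes) -> bytes:
    """Constructed test packet: fixed header + payload, hop limit 64."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), nh, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


# Constructed samples (checksum field left as 0; not valid on the wire).
# Packet Too Big: type 2, code 0, checksum, MTU 1280, then a stub of the
# offending packet that a real router would include.
PTB_PAYLOAD = struct.pack("!BBHI", 2, 0, 0, 1280) + b"offending-packet-stub"
PTB_FROM_LINK_LOCAL = build_ipv6("fe80::1", "2001:db8::1", ICMPV6, PTB_PAYLOAD)
PTB_FROM_GLOBAL = build_ipv6("2001:db8:ffff::1", "2001:db8::1", ICMPV6, PTB_PAYLOAD)
# Echo Request (type 128) is informational, not an error.
ECHO_PAYLOAD = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
ECHO_FROM_LINK_LOCAL = build_ipv6("fe80::1", "2001:db8::1", ICMPV6, ECHO_PAYLOAD)
# Plain TCP segment (20 zero bytes as a stand-in header) from a link-local source.
TCP_FROM_LINK_LOCAL = build_ipv6("fe80::1", "2001:db8::1", TCP, bytes(20))


if __name__ == "__main__":
    for name, pkt in [("PTB from link-local", PTB_FROM_LINK_LOCAL),
                      ("PTB from global", PTB_FROM_GLOBAL),
                      ("Echo from link-local", ECHO_FROM_LINK_LOCAL),
                      ("TCP from link-local", TCP_FROM_LINK_LOCAL)]:
        for policy in (True, False):
            print(f"{name:22} strict={policy!s:5} ->",
                  forwarding_decision(pkt, strict=policy))
```

Under the strict policy the Packet Too Big with a fe80:: source is dropped and the PMTU information is lost, which is the cost Bjørn points at; under the permissive policy only ICMPv6 errors get the exception, while informational ICMPv6 and ordinary transport packets with a link-local source are still dropped.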