Steps to Reproduce: 1. Configure an PPPoE interface (e.g., ppp0) with an IPv6 address and a prefixlen of 64; e.g., 2001:0DB8::1/64. 2. Configure a Netfilter ip6table rule to drop IN to OUT forwarding of traffic across the PPP interface; e.g., ip6tables -A FORWARD -i ppp+ -o ppp+ -j DROP a. Note: Create a matching NFLOG rule to log the DROP above. 3. Create a Netfilter NFLOG rule to log all outbound traffic. 4. From an Internet IPv6 Address initiate TCP traffic to an IPv6 address within the /64 IPv6 address space from step 1, but an IPv6 address that is NOT configured on that interface; e.g., ` nc 2001:0DB8::2 80` 5. Observe the NFLOG showing the Netfilter ip6table filter FORWARD rule is matched and therefore the traffic should be dropped. a. E.g., <redacted> IN=ppp0 OUT=ppp0 MAC=<redacted> SRC=<Internet IPv6 Address> DST=<2001:0DB8::2 - The Unallocated IPv6 Address within Configured /64> LEN=80 TC=0 HOPLIMIT=241 FLOWLBL=0 PROTO=TCP SPT=37113 DPT=80 SEQ=1330179746 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0 6. Observe the traffic from step 4, that should have been dropped, resulted in an outbound ICMPv6 Redirect with a source IPv6 address of the PPP interface’s Local Link to the Internet IPv6 Address. a. E.g., <redacted> IN= OUT=ppp0 MAC= SRC=<fe80:: - PPP’s Local Link IPv6 Address> DST=<Internet IPv6 Address> LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=137 CODE=0 MARK=0 Workaround: 1. Create an anti-spoofing table that results in blocking fe80/10 Local Link traffic to Internet IPv6 Addresses. a. E.g., Create rules as needed... ip6tables -A OUTPUT -s fe80::/10 ! -d fe80::/10 -j DROP. Rules as needed. Etc. Software Version: 1. Kernel: Linux 4.19.52-gentoo SMP x86_64 2. ip6tables: v1.6.1 Preliminary CVSS 3.0: 1. Base 5.8 (medium), Temporal 5.1 (medium), Environmental 3.4 (Low). 2. Vector: /AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L/E:P/RL:W/RC:R/AR:L/MAV:A/MAC:L/MPR:N/MUI:N/MS:C/MC:N/MI:N/MA:L