Are IPv6 Wildcard Matches in Cisco IOS Possible?

Tags: acl, cisco-ios, ipv6, security

Facebook is very clever with their IPv6 address scheme, but it got me thinking about ACLs, and is it possible to write a Cisco IOS IPv6 ACL that matches ? In IPv4 you could match a middle octet such as 10.xxx.10.xxx in order to hit any 'x' with 'don't care'. I don't think this is possible in IPv6, at least not as of IOS 15.1.

In the case of my example, since Facebook has been clever, it makes it easy to just match on FACE:B00C if you could. In a way this simplifies because without looking up what block was assigned, I can just match on that range.

2A03:2880:F000:[0000-FFFF]:FACE:B00C::/96

The obvious and normal way is to match on 2A03:2880:F000::/48, but unfortunately I'm not sure at a glance if FB has a larger range (it probably does). So in this particular case, if I could match on just the FACE:B00C part, I could match everything they are using, assuming they don't move on to FACE:B00D.

Since I can't enter a wildcard mask in IOS for an IPv6 ACL, I don't think you can do this, but I'm curious if someone has an interesting workaround. I think it would be useful to know this because at some point I may need to filter a sub-block only because of DDoS or aggressive traffic while not wanting to block an entire /32 for some large provider.

Additionally, this could allow for policy based traffic redirection or prioritization. If I realize the advertisements are in a different block, I could QoS them differently for example, a nice feature for low bandwidth, congested satellite links.

EDIT: To clarify a bit. There may be cases where I need to block or permit certain ranges within a large block like a /32. These may be slightly contiguous, and rather than hundreds of entries, a wildcard might match large portions of them. This could also be used for traffic engineering, in that I could route all 10.x.10.0 blocks where, if x is odd, it goes one route vs. even to another route.

Another example is a DDoS where the IPv6 source IP is being spoofed with a pattern that spells the hackers' group name. This will happen at least once; it would be nice to be able to filter on it.

A compact ACL is cleaner but not always more manageable. These things may be good or bad ideas/practice, not here to argue that, just trying to get a handle on what tools I have vs what tools I may have to create.

Best Answer

Unfortunately, Cisco did away with wildcard masks in IPv6. That is mostly a good thing, EXCEPT in this particular case. For your idea to work however, you have to rely on Facebook being both "clever" and consistent, which is probably more than one can hope for.

But if you want to process Facebook's traffic differently than other traffic, you can simply filter on their assigned address block. The one you mention in your question is actually assigned to Facebook Ireland: 2a03:2880::/32.

But it is just as easy to look up others in the registries.
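Added example, not part of the question or the answer above and not Cisco's code: a small Python script that shows what the question is asking for and what the answer proposes instead. `wildcard_match` applies an IOS-style wildcard (1 bits are "don't care") to an address, so the FACE:B00C idea can be tested as a bit pattern; `prefix_match` is the prefix-only test an IOS IPv6 ACL actually supports. Because IOS IPv6 ACLs take only a prefix length, `wildcard_to_prefixes` expands a wildcard rule into the set of CIDR prefixes that covers the same addresses, and `prefix_count` gives the size of that set without materialising it (65536 entries for the FACE:B00C rule, 128 for the 10.<odd>.10.0/24 routing idea). The addresses, the ACL name `FB-FACE` and the scaled-down two-bit wildcard used for the rendered ACL are constructed for this example; the rendered lines use the standard IOS form `ipv6 access-list NAME` / `deny ipv6 <prefix> any`.

```python
"""Wildcard (non-contiguous) match vs. prefix match, and expansion of a
wildcard rule into the CIDR prefixes an IOS IPv6 ACL can actually take.
Example code written for this page; nothing here is from Cisco IOS itself."""
import ipaddress
from itertools import product


def _parse(pattern, wildcard):
    p = ipaddress.ip_address(pattern)
    w = ipaddress.ip_address(wildcard)
    if p.version != w.version:
        raise ValueError("pattern and wildcard must be the same IP version")
    return int(p), int(w), p.max_prefixlen, p.version


def wildcard_match(addr, pattern, wildcard):
    """IOS-style wildcard test: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must equal the pattern."""
    p, w, _, _ = _parse(pattern, wildcard)
    a = int(ipaddress.ip_address(addr))
    return (a & ~w) == (p & ~w)


def prefix_match(addr, prefix):
    """Plain prefix test, the only kind of match an IOS IPv6 ACL accepts."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def _split(pattern, wildcard):
    """Return (fixed_bits, free_bit_positions, prefix_len, version).
    The trailing run of 1 bits in the wildcard becomes the host part of a
    prefix; every other 1 bit must be enumerated as a separate prefix."""
    p, w, bits, version = _parse(pattern, wildcard)
    trailing = 0
    while trailing < bits and (w >> trailing) & 1:
        trailing += 1
    fixed = p & ~w
    # most-significant free bit first, so the expansion comes out in address order
    free = [i for i in range(bits - 1, trailing - 1, -1) if (w >> i) & 1]
    return fixed, free, bits - trailing, version


def prefix_count(pattern, wildcard):
    """Number of CIDR entries the wildcard rule expands to: 2 ** (free bits)."""
    _, free, _, _ = _split(pattern, wildcard)
    return 2 ** len(free)


def wildcard_to_prefixes(pattern, wildcard):
    """Yield the CIDR prefixes whose union equals the wildcard match set."""
    fixed, free, plen, version = _split(pattern, wildcard)
    netcls = ipaddress.IPv4Network if version == 4 else ipaddress.IPv6Network
    for combo in product((0, 1), repeat=len(free)):
        value = fixed
        for bit, pos in zip(combo, free):
            value |= bit << pos
        yield netcls((value, plen))  # (int address, prefix length) form


def ios_ipv6_acl(name, pattern, wildcard, action="deny"):
    """Render the expansion as IOS IPv6 ACL lines ('<action> ipv6 <src> any')."""
    lines = [f"ipv6 access-list {name}"]
    lines += [f" {action} ipv6 {net} any"
              for net in wildcard_to_prefixes(pattern, wildcard)]
    return lines


if __name__ == "__main__":
    # Constructed sample rule: group 4 and the low 32 bits are "don't care".
    PATTERN = "2a03:2880:f000:0:face:b00c::"
    WILDCARD = "::ffff:0:0:ffff:ffff"
    # Constructed sample sources: one matches FACE:B00C, one only the /32.
    for src in ("2a03:2880:f000:1234:face:b00c:0:1",
                "2a03:2880:f000:1:dead:beef::1"):
        print(src, "wildcard:", wildcard_match(src, PATTERN, WILDCARD),
              "prefix /32:", prefix_match(src, "2a03:2880::/32"))
    print(prefix_count(PATTERN, WILDCARD), "prefixes to express the FACE:B00C rule")
    print(prefix_count("10.1.10.0", "0.254.0.255"), "prefixes for 10.<odd>.10.0/24")
    # Scaled-down wildcard (only 2 free bits) so the rendered ACL stays short.
    print("\n".join(ios_ipv6_acl("FB-FACE", PATTERN, "::3:0:0:ffff:ffff")))
```

The count is the practical point: a wildcard that frees a full 16-bit group costs 65536 prefix entries once it has to be written as an IOS IPv6 ACL, whereas the /32 from the answer is one line at the price of also catching everything else in that block, which the second sample address shows.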
