diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
new file mode 100644
index 0000000..da6f27a
--- /dev/null
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -0,0 +1,118 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -z "${gbmc_ncsi_br_deprecated_ips_lib-}" ] || return
+
+gbmc_ncsi_br_deprecated_ips_init=
+gbmc_ncsi_br_deprecated_ips_confip=
+gbmc_ncsi_br_deprecated_ips_lastip=
+
+gbmc_ncsi_br_deprecated_ips_update() {
+  [ -n "$gbmc_ncsi_br_deprecated_ips_init" ] || return
+  [ "$gbmc_ncsi_br_deprecated_ips_confip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ] || return
+  gbmc_ncsi_br_deprecated_ips_confip="$gbmc_ncsi_br_deprecated_ips_lastip"
+
+  printf 'gBMC Bridge NCSI Deprecated Addrs: %s\n' \
+    "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2
+
+  local contents=
+  if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+    local pfx_bytes=()
+    ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip"
+
+    local pfx="$(ip_bytes_to_str pfx_bytes)"
+    pfx_bytes[8]=0
+    pfx_bytes[9]=0
+    local host_pfx="$(ip_bytes_to_str pfx_bytes)"
+    read -r -d '' contents <<EOF
+[Address]
+Address=$pfx/128
+PreferredLifetime=0
+[Address]
+Address=$host_pfx/128
+PreferredLifetime=0
+EOF
+  fi
+
+  local file
+  for file in /run/systemd/network/{00,}-bmc-@NCSI_IF@.network.d/50-deprecated.conf; do
+    mkdir -p -m 755 "$(dirname "$file")"
+    if [ -z "$contents" ]; then
+      rm -f "$file"
+    else
+      printf '%s' "$contents" >"$file"
+    fi
+  done
+
+  # Ensure that systemd-networkd performs a reconfiguration as it doesn't
+  # currently check the mtime of drop-in files.
+  touch -c /etc/systemd/network/*-bmc-@NCSI_IF@.network
+
+  if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then
+    networkctl reload && networkctl reconfigure @NCSI_IF@
+  fi
+
+  read -r -d '' contents <<EOF
+table inet filter {
+  chain ncsi_input {
+    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
+  }
+  chain ncsi_forward {
+    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
+  }
+}
+EOF
+  rfile=/run/nftables/40-gbmc-ncsi-br.rules
+  mkdir -p -m 755 "$(dirname "$rfile")"
+  printf '%s' "$contents" >"$rfile"
+  systemctl reset-failed nftables && systemctl --no-block restart nftables || true
+}
+
+gbmc_ncsi_br_deprecated_ips_hook() {
+  if [ "$change" = 'init' ]; then
+    gbmc_ncsi_br_deprecated_ips_init=1
+    gbmc_ip_monitor_defer
+  elif [ "$change" = 'defer' ]; then
+    gbmc_ncsi_br_deprecated_ips_update
+  elif [ "$change" = 'addr' -a "$intf" = 'gbmcbr' ] &&
+     [ "$scope" = 'global' -a "$fam" = 'inet6' ]; then
+    local pfx_bytes=()
+    ip_to_bytes pfx_bytes "$ip" || return
+    # No ULA Addresses
+    if (( pfx_bytes[0] & 0xfe == 0xfc )); then
+      return
+    fi
+    # We only want to allow a <pfx>::fd0x address, where x>0
+    if (( pfx_bytes[8] != 0xfd || pfx_bytes[9] & 0xf == 0 )); then
+      return
+    fi
+    for (( i = 10; i < 16; ++i )); do
+      if (( pfx_bytes[i] != 0 )); then
+        return
+      fi
+    done
+    if [ "$action" = 'add' -a "$ip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+      gbmc_ncsi_br_deprecated_ips_lastip="$ip"
+      gbmc_ip_monitor_defer
+    fi
+    if [ "$action" = 'del' -a "$ip" = "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+      gbmc_ncsi_br_deprecated_ips_lastip=
+      gbmc_ip_monitor_defer
+    fi
+  fi
+}
+
+GBMC_IP_MONITOR_HOOKS+=(gbmc_ncsi_br_deprecated_ips_hook)
+
+gbmc_ncsi_br_deprecated_ips_lib=1
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in
index 80bd34f..6144617 100755
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in
@@ -70,7 +70,6 @@
   touch -c /lib/systemd/network/*-bmc-gbmcbr.network || true
 
   contents='[Network]'$'\n'
-  contents+="Address=$pfx/128"$'\n'
   contents+="Gateway=$rtr"$'\n'
   for file in /run/systemd/network/{00,}-bmc-"$NCSI_IF".network.d/49-public-ra.conf; do
     mkdir -p -m 755 "$(dirname "$file")"
@@ -81,21 +80,6 @@
   if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then
     networkctl reload && networkctl reconfigure gbmcbr "$NCSI_IF" || true
   fi
-
-  read -r -d '' contents <<EOF
-table inet filter {
-  chain ncsi_input {
-    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
-  }
-  chain ncsi_forward {
-    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
-  }
-}
-EOF
-  rfile=/run/nftables/40-gbmc-ncsi-ra.rules
-  mkdir -p -m 755 "$(dirname "$rfile")"
-  printf '%s' "$contents" >"$rfile"
-  systemctl reset-failed nftables && systemctl --no-block restart nftables || true
 }
 
 w=60
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 7a630f5..30b2b65 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -35,36 +35,11 @@
   fi
 
   local ip6="$gbmc_ncsi_nft_lastip6"
-  local pfx=
   if [ -n "$ip6" ]; then
     contents+="        ip6 daddr $ip6/128 goto ncsi_legacy_input"$'\n'
-
-    local ip_bytes=()
-    ip_to_bytes ip_bytes "$ip6"
-    # If our address has enough spare bits for appending the BMC suffix
-    # then we add a rule that allows the BMC subnet. That is, we need a /64
-    # as input.
-    local i
-    for (( i = 8; i < 16; i++ )); do
-      if (( ip_bytes[$i] != 0 )); then
-        ip_bytes=()
-        break
-      fi
-    done
-    if (( ${#ip_bytes[@]} != 0 )); then
-      ip_bytes[8]=0xfd
-      pfx="$(ip_bytes_to_str ip_bytes)"
-      contents+="        ip6 saddr != $pfx/76 ip6 daddr"
-      contents+=" $pfx/76 goto ncsi_gbmc_br_pub_input"$'\n'
-    fi
   fi
 
   contents+='    }'$'\n'
-  contents+='    chain ncsi_forward {'$'\n'
-  if [ -n "$pfx" ]; then
-    contents+="        ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept"$'\n'
-  fi
-  contents+='    }'$'\n'
   contents+='}'$'\n'
 
   local rfile=/run/nftables/40-gbmc-ncsi-in.rules
diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
index 10ef56a..0074a31 100644
--- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
+++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
@@ -18,6 +18,7 @@
   file://gbmc-ncsi-sslh.service \
   file://gbmc-ncsi-nft.sh.in \
   file://gbmc-ncsi-br-pub-addr.sh.in \
+  file://gbmc-ncsi-br-deprecated-ips.sh.in \
   file://gbmc-ncsi-set-nicenabled.service.in \
   "
 
@@ -100,6 +101,9 @@
   sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-br-pub-addr.sh.in \
     >${WORKDIR}/gbmc-ncsi-br-pub-addr.sh
   install -m644 ${WORKDIR}/gbmc-ncsi-br-pub-addr.sh $mondir
+  sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh.in \
+    >${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh
+  install -m644 ${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh $mondir
 
   sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-set-nicenabled.service.in \
     >${D}${systemd_system_unitdir}/gbmc-ncsi-set-nicenabled.service