Page MenuHomeVyOS Platform

ipv6 disable not working
Open, NormalPublic

Description

i want to disable ipv6, i use: set system ipv6 disable
after commit+save+reboot, interfaces have ipv6 addresses.

system-ipv6.py creates the /etc/modprobe.d/vyos_disable_ipv6.conf file to set ipv6 modul options. There is already an ipv6.conf file with another ipv6 options, but this is unused too:
IPV6 is build directly into the kernel. So, it's not loaded by modprobe, so the modprobe configuration is not involved.
(unfortunately, autoconf is 1 by default)

Disable through sysctl is not good, because that doesnt really disable ipv6, just "hide" address from ipv6 interfaces.
the real solution add "ipv6.disable=1" to grub command line parameter.

(same, ipv6.autoconf=0 sould be added to command line)

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-20200317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

elbandi triaged this task as Normal priority.Mar 17 2020, 4:04 PM
elbandi created this task.
elbandi created this object in space S1 VyOS Public.
elbandi updated the task description. (Show Details)
elbandi added a project: vyatta-cfg-system.
pasik added a subscriber: pasik.Mar 18 2020, 9:52 PM
c-po added a subscriber: c-po.Mar 28 2020, 1:13 PM

Actually why do you wan't to disbale IPv6 on the system? I think this is a huge workpackage.

What should happen to all the ipv6 nodes in the system? Should they "vanish" or should they stay as they are?

One example would be disabling IPv6 but enabling either DHCPv6 or configuring an IPv6 address on an interface - thus will result in commit errors as addresses would likely be rejected by the system.

syncer added a subscriber: syncer.Mar 28 2020, 1:18 PM

in my opinion it should be always enabled

jjakob added a subscriber: jjakob.Mar 28 2020, 1:58 PM

It's useful when the user is sure he doesn't want IPv6, as it lessens the attack surface, especially if the user doesn't know he needs to configure a IPv6 firewall separately to the IPv4 firewall. Even link-local addresses can be used to launch attacks in the absence of a firewall config.
IMO the configured interface addresses and v6 nodes should become no-ops, possibly print a warning on commit.
On the other hand, leaving IPv6 enabled, would be better to move in the direction of v6 adoption. Personally, I'd prefer this, and leave v6 enabled by default.

it's enabled by default.

Just it handles, if user disable it on live iso before install the system image

c-po added a comment.Mar 28 2020, 2:54 PM

Well - making all IPv6 stuff a noop is not coded into VyOS. Can you show real life examples of increased attack surface?

sorry, i'm not a hacker, so i dont know any attach vector. :( But it does not mean that it does not exist.

but in my opinion, if there is an unused stuff in any system, it sould be disabled to reduce the number of possible attacks. thats, we dont use ipv6, so it's disabled system wide.