Disabling link local IPv6 addresses
Hi,
I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.

The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.

Any hints, tricks, hacks, gotchas?

Thanks
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Disabling link local IPv6 addresses
Hi, nullv

you can try to add

"-A OUTPUT -m addrtype --dst-type MULTICAST -j DROP" / "-A OUTPUT -m pkttype --pkt-type multicast -j DROP"

to ip6tables or try to remove multicast with ip maddr

2012/1/10 <nullv@gmx.com>:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>
> Any hints, tricks, hacks, gotchas?
>
> Thanks
Disabling link local IPv6 addresses
On Tue, Jan 10, 2012 at 12:00 PM, <nullv@gmx.com> wrote:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>
> Any hints, tricks, hacks, gotchas?
>
> Thanks

Two steps:
1. Create a file named /etc/sysctl.d/disable-ipv6.conf in /etc/sysctl.d/ that will contain:
net.ipv6.conf.all.disable_ipv6=1
This will disable IPv6 in all future reboots.
In the meantime (current boot), type:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
2. Gotchas: sshd will continue to bind to the IPv6 socket, breaking X11 forwarding [1].
The solution to the problem is to add the following line to /etc/sysconfig/sshd:
OPTIONS=-4

- Gilboa
[1] https://bugzilla.redhat.com/show_bug.cgi?id=735889
Disabling link local IPv6 addresses
On Tue, Jan 10, 2012 at 2:29 PM, Gilboa Davara <gilboad@gmail.com> wrote:
> On Tue, Jan 10, 2012 at 12:00 PM, <nullv@gmx.com> wrote:
>> Hi,
>>
>> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>>
>> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>>
>> Any hints, tricks, hacks, gotchas?
>>
>> Thanks
>
> Two steps:
> 1. Create a file named /etc/sysctl.d/disable-ipv6.conf in
> /etc/sysctl.d/ that will contain:
> net.ipv6.conf.all.disable_ipv6=1
> This will disable IPv6 in all future reboots.
> In the meantime (current boot), type:
> sysctl -w net.ipv6.conf.all.disable_ipv6=1
> 2. Gotchas: sshd will continue to bind to the IPv6 socket, breaking X11
> forwarding [1].
> The solution to the problem is to add the following line to /etc/sysconfig/sshd:
> OPTIONS=-4
>
> - Gilboa
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=735889

Re-reading your post - this is not what you want, as it will disable IPv6 completely.
Sorry for the noise.

- Gilboa
Disabling link local IPv6 addresses
Cool. That should work :D
------Original Message------
From: My Name
To: nullv@gmx.com
To: Community support for Fedora users
Subject: Re: Disabling link local IPv6 addresses
Sent: Jan 10, 2012 12:15 PM

Hi, nullv

you can try to add

"-A OUTPUT -m addrtype --dst-type MULTICAST -j DROP" / "-A OUTPUT -m pkttype --pkt-type multicast -j DROP"

to ip6tables or try to remove multicast with ip maddr

2012/1/10 <nullv@gmx.com>:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>
> Any hints, tricks, hacks, gotchas?
>
> Thanks
Disabling link local IPv6 addresses
Used scope link instead of scope local & it worked :D I'll just have to chain it to my initscripts & I'm sorted
------Original Message------
From: ZioPRoTo (Saverio Proto)
To: nullv@gmx.com
Cc: ds6@lists.deepspace6.net
Cc: users@lists.fedoraproject.org
Subject: Re: [ds6] Disabling link local IPv6 addresses
Sent: Jan 10, 2012 12:37 PM

did you try

ip -6 addr flush scope local

best regards

Saverio Proto

2012/1/10 <nullv@gmx.com>:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>
> Any hints, tricks, hacks, gotchas?
>
> Thanks
> _______________________________________________
> ds6 mailing list
> ds6@lists.deepspace6.net
> https://lists.deepspace6.net/listinfo/ds6
Disabling link local IPv6 addresses
Once upon a time, nullv@gmx.com <nullv@gmx.com> said:
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.

Basically, if they're on the same physical LAN segment, they are not separate in terms of security. If they need to be separate, then you should truly separate them (for example, create a VLAN for each group of systems). Even in IPv4, there are ways for systems on the same LAN segment to communicate, even if you assign them to different IP blocks.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Disabling link local IPv6 addresses
On 10Jan2012 10:00, nullv@gmx.com <nullv@gmx.com> wrote:
| I've been using radvd to set up a group of clients using RA
| broadcasts. I also have a group of client PCs using static IPv6 in a
| different ::/64 subnet altogether but on the same physical network. The
| two networks have to remain separate for security reasons.

If they're on the same physical network, they _aren't_ separate from a security standpoint. Forget this. You might configure the machines to not use these addresses using iptables or something, but that is machine-internal policy. If users can plug other things into the network or if any users can configure a machine's network settings you are not secure. No more than a lot of people in a room agreeing not to look at each other are.

If you want actual security, you need two rooms with a door (i.e. two physical networks with a firewalling router).

Cheers,
--
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

More computing sins have been committed in the name of performance, without necessarily achieving it, than for all other reasons combined. - Wulf
Disabling link local IPv6 addresses
Noted. So I guess the only way to properly secure the network is to have separate physical media. Thanks
------Original Message------
From: Peter Bieringer
To: nullv@gmx.com
Cc: ds6@lists.deepspace6.net
Cc: users@lists.fedoraproject.org
Subject: Re: [ds6] Disabling link local IPv6 addresses
Sent: Jan 10, 2012 10:08 PM

Hi,

On 10.01.2012 11:00, nullv@gmx.com wrote:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.

You mean you want to run 2 independent IPv6 networks on the same physical link?

> Any hints, tricks, hacks, gotchas?

I suggest using at least VLANs, because killing link-local addresses can kill neighbor and router detection.

But neither removing link-local nor VLANs will really increase security: an unfriendly client can sniff on the network and configure itself a new static IPv6 address (and in that case the VLAN ID also), as long as broadcast or all-hosts multicast is running on the link.

Using local firewalling and permitting only the link-local addresses of the participating clients can help you a little bit, but even link-local addresses can be faked (e.g. by changing the MAC address on an interface).

Regards,

Peter
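Peter's last suggestion, a local firewall that permits only the link-local addresses of the participating clients, as an added example that is not code posted by anyone in this thread. It assumes the peers use EUI-64 link-local addresses derived from their MACs (the Linux default at the time; hosts using RFC 7217 stable-privacy identifiers need their fe80:: address read from ip -6 addr show scope link instead), and the interface name eth0 and the MAC addresses below are made up. It derives each trusted MAC's fe80:: address and prints an ip6tables-restore fragment; nothing is applied.

```sh
#!/bin/sh
# Added example for this thread, not code from any of its participants.
# Derive EUI-64 link-local addresses for a set of trusted MACs and emit
# ip6tables rules that accept those and drop every other fe80::/10 source.
# Assumed: peers use EUI-64 link-local addresses; eth0 and the MACs are made up.

# Modified-EUI-64 link-local address (RFC 4291 Appendix A) for a MAC
# written as aa:bb:cc:dd:ee:ff. Output uses the same compressed form
# that `ip -6 addr` prints.
mac_to_linklocal() {
    set -- $(printf '%s\n' "$1" | tr ':' ' ')      # split into six octets
    [ $# -eq 6 ] || { echo "mac_to_linklocal: bad MAC" >&2; return 1; }
    o1=$(printf '%02x' $(( 0x$1 ^ 0x02 )))          # flip the universal/local bit
    g1=$(printf '%x' $(( 0x$o1$2 )))                # group 5: o1 o2
    g2=$(printf '%x' $(( 0x${3}ff )))               # group 6: o3 ff
    g3=$(printf '%x' $(( 0xfe$4 )))                 # group 7: fe o4
    g4=$(printf '%x' $(( 0x$5$6 )))                 # group 8: o5 o6
    # RFC 5952 compresses the longest zero run. fe80:0:0:0 is always one; if
    # g1 is zero too it joins that run, otherwise a lone zero group prints as 0
    # (g2 and g3 can never be zero because of the ff / fe bytes).
    if [ "$g1" = 0 ]; then
        printf 'fe80::%s:%s:%s\n' "$g2" "$g3" "$g4"
    else
        printf 'fe80::%s:%s:%s:%s\n' "$g1" "$g2" "$g3" "$g4"
    fi
}

# ip6tables-restore fragment for interface $1 that accepts link-local
# traffic only from the MACs given as the remaining arguments.
linklocal_allowlist_rules() {
    ifname=$1; shift
    printf '*filter\n'
    for mac in "$@"; do
        ll=$(mac_to_linklocal "$mac") || return 1
        printf '%s INPUT -i %s -s %s/128 -j ACCEPT\n' -A "$ifname" "$ll"
    done
    # Everything else from a link-local source is dropped. As Peter notes,
    # an attacker who clones a trusted MAC also gets its link-local address.
    printf '%s INPUT -i %s -s fe80::/10 -j DROP\n' -A "$ifname"
    printf 'COMMIT\n'
}

# Usage: print the rules for two made-up trusted clients on eth0.
# To load them without flushing existing rules:
#   linklocal_allowlist_rules eth0 00:11:22:33:44:55 | ip6tables-restore -n
linklocal_allowlist_rules eth0 00:11:22:33:44:55 00:11:22:33:44:66
```

The MAC of the radvd router must be in the list, or its Router Advertisements and Neighbor Solicitations are dropped and router and neighbor detection stop working, which is exactly the breakage Peter warns about. The derivation also shows why his caveat holds: the fe80:: address is a pure function of the MAC, so anyone on the same segment who sets a trusted MAC on their interface inherits the matching allow rule. This is a speed bump on a shared segment, not the separation that a VLAN or a second physical network with a firewalling router gives.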