
01-10-2012 09:00 AM

Disabling link local IPv6 addresses
 
Hi,

I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.

The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.

Any hints, tricks, hacks, gotchas?

Thanks
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

My Name 01-10-2012 09:15 AM

Disabling link local IPv6 addresses
 
Hi, nullv you can try to add "-A OUTPUT -m addrtype --dst-type
MULTICAST -j DROP" / "-A OUTPUT -m pkttype --pkt-type multicast -j
DROP" to ip6tables or try to remove multicast with ip maddr
2012/1/10 <nullv@gmx.com>:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>
> Any hints, tricks, hacks, gotchas?
>
> Thanks

Gilboa Davara 01-10-2012 11:29 AM

Disabling link local IPv6 addresses
 
On Tue, Jan 10, 2012 at 12:00 PM, <nullv@gmx.com> wrote:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>
> Any hints, tricks, hacks, gotchas?
>
> Thanks

Two steps:
1. Create a file named /etc/sysctl.d/disable-ipv6.conf in
/etc/sysctl.d/ that will contain:
net.ipv6.conf.all.disable_ipv6=1
This will disable IPv6 in all future reboots.
In the meantime (current boot), type:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
2. Gotchas: sshd will continue to bind to IPv6 socket, breaking X11
forwarding [1].
The solution to the problem is to add the following line to /etc/sysconfig/sshd:
OPTIONS=-4

- Gilboa
[1] https://bugzilla.redhat.com/show_bug.cgi?id=735889

Gilboa Davara 01-10-2012 11:31 AM

Disabling link local IPv6 addresses
 
On Tue, Jan 10, 2012 at 2:29 PM, Gilboa Davara <gilboad@gmail.com> wrote:
> On Tue, Jan 10, 2012 at 12:00 PM, <nullv@gmx.com> wrote:
>> Hi,
>>
>> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>>
>> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>>
>> Any hints, tricks, hacks, gotchas?
>>
>> Thanks
>
> Two steps:
> 1. Create a file named /etc/sysctl.d/disable-ipv6.conf in
> /etc/sysctl.d/ that will contain:
> net.ipv6.conf.all.disable_ipv6=1
> This will disable IPv6 in all future reboots.
> In the meantime (current boot), type:
> sysctl -w net.ipv6.conf.all.disable_ipv6=1
> 2. Gotchas: sshd will continue to bind to IPv6 socket, breaking X11
> forwarding [1].
> The solution to the problem is to add the following line to /etc/sysconfig/sshd:
> OPTIONS=-4
>
> - Gilboa
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=735889

Re-reading your post - this is not what you want, as it will disable
IPv6 completely.
Sorry for the noise.

- Gilboa

01-10-2012 01:59 PM

Disabling link local IPv6 addresses
 
Cool. That should work :D
------Original Message------
From: My Name
To: nullv@gmx.com
To: Community support for Fedora users
Subject: Re: Disabling link local IPv6 addresses
Sent: Jan 10, 2012 12:15 PM

Hi, nullv you can try to add "-A OUTPUT -m addrtype --dst-type
MULTICAST -j DROP" / "-A OUTPUT -m pkttype --pkt-type multicast -j
DROP" to ip6tables or try to remove multicast with ip maddr
2012/1/10 <nullv@gmx.com>:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>
> Any hints, tricks, hacks, gotchas?
>
> Thanks

01-10-2012 02:02 PM

Disabling link local IPv6 addresses
 
Used scope link instead of scope local & it worked :D I'll just have to chain it to my initscripts & I'm sorted
------Original Message------
From: ZioPRoTo (Saverio Proto)
To: nullv@gmx.com
Cc: ds6@lists.deepspace6.net
Cc: users@lists.fedoraproject.org
Subject: Re: [ds6] Disabling link local IPv6 addresses
Sent: Jan 10, 2012 12:37 PM

did you try

ip -6 addr flush scope local

best regards

Saverio Proto


2012/1/10 <nullv@gmx.com>:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.
>
> Any hints, tricks, hacks, gotchas?
>
> Thanks
> _______________________________________________
> ds6 mailing list
> ds6@lists.deepspace6.net
> https://lists.deepspace6.net/listinfo/ds6


Chris Adams 01-10-2012 02:14 PM

Disabling link local IPv6 addresses
 
Once upon a time, nullv@gmx.com <nullv@gmx.com> said:
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.

Basically, if they're on the same physical LAN segment, they are not
separate in terms of security. If they need to be separate, then you
should truly separate them (for example, create a VLAN for each group of
systems).

Even in IPv4, there are ways for systems on the same LAN segment to
communicate, even if you assign them to different IP blocks.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Cameron Simpson 01-10-2012 11:24 PM

Disabling link local IPv6 addresses
 
On 10Jan2012 10:00, nullv@gmx.com <nullv@gmx.com> wrote:
| I've been using radvd to set up a group of clients using RA
| broadcasts. I also have a group of client PCs using static IPv6 in a
| different ::/64 subnet altogether but on the same physical network. The
| two networks have to remain separate for security reasons.

If they're on the same physical network, they _aren't_ separate from a
security standpoint. Forget this. You might configure the machines to
not use these addresses using iptables or something, but that is
machine-internal policy. If users can plug other things into the network
or if any users can configure a machine's network settings you are not
secure. No more than a lot of people in a room agreeing not to look at
each other are. If you want actual security, you need two rooms with a door
(i.e. two physical networks with a firewalling router).

Cheers,
--
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

More computing sins have been committed in the name of performance,
without necessarily achieving it, than for all other reasons
combined. - Wulf

01-10-2012 11:56 PM

Disabling link local IPv6 addresses
 
Noted. So I guess the only way to properly secure the network is to have separate physical media. Thanks
------Original Message------
From: Peter Bieringer
To: nullv@gmx.com
Cc: ds6@lists.deepspace6.net
Cc: users@lists.fedoraproject.org
Subject: Re: [ds6] Disabling link local IPv6 addresses
Sent: Jan 10, 2012 10:08 PM

Hi,

Am 10.01.2012 11:00, schrieb nullv@gmx.com:
> Hi,
>
> I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons.
>
> The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network & my ifcfg-* files but I can't seem to stop this behaviour.

You mean you want to run 2 independent IPv6 networks on the same physical
link?

> Any hints, tricks, hacks, gotchas?

I suggest using at least VLANs, because killing link-local addresses can
kill neighbor and router detection.

But neither removing link-local nor VLANs will really increase security:
an unfriendly client can sniff on the network and configure itself a new
static IPv6 address (and in that case the VLAN ID also), as long as broad- or
allhost-multicast are running on the link.

Using local firewalling and permitting only the link-local addresses of the
participating clients can help you a little bit, but even link-local
addresses can be faked (e.g. by changing the MAC address on an interface).

Regards,
Peter

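A worked version of Peter's local-firewalling suggestion, added here as an example and not taken from the thread: it emits (rather than applies) ip6tables rules that let only an allowlist of peer link-local addresses, plus the router's, through INPUT, and rejects any supplied address that is not inside fe80::/10. The chain name LL_PEERS and the sample addresses are assumptions; as Peter notes, a peer can still fake its link-local address or MAC, so this is host policy, not segmentation.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an ip6tables allowlist
# for link-local peers. It only PRINTS the commands (dry run); review them
# and pipe to sh as root to apply. Chain name LL_PEERS is an assumption.

# is_link_local ADDR -> true if ADDR lies in fe80::/10 (first hextet fe80-febf)
is_link_local() {
    case "$1" in
        [fF][eE][89abAB][0-9a-fA-F]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# ll_policy_rules ROUTER_LL PEER_LL... -> prints the ip6tables commands.
# Packets with a fe80::/10 source from a non-listed host are dropped, so
# their neighbor solicitations never reach us; the router's link-local
# address stays allowed so Router Advertisements keep arriving.
ll_policy_rules() {
    router="$1"; shift
    is_link_local "$router" || { echo "not link-local: $router" >&2; return 1; }
    echo "ip6tables -N LL_PEERS"
    echo "ip6tables -A LL_PEERS -s $router -j RETURN"
    for peer in "$@"; do
        is_link_local "$peer" || { echo "not link-local: $peer" >&2; return 1; }
        echo "ip6tables -A LL_PEERS -s $peer -j RETURN"
    done
    echo "ip6tables -A LL_PEERS -j DROP"
    # Hook the chain last so it exists before INPUT refers to it; only
    # link-local-sourced packets are diverted, global traffic is untouched.
    echo "ip6tables -I INPUT 1 -s fe80::/10 -j LL_PEERS"
}

# Usage (constructed sample addresses): ll_policy_rules fe80::1 fe80::a fe80::b
```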

