Disabling ipv6

Reindl Harald h.reindl at thelounge.net
Fri Jul 12 16:48:41 UTC 2013 


Am 12.07.2013 18:44, schrieb Fernando Lozano:
>> [As I changed the subject, let me clear: IPv6 still compiled in the kernel. Just the network interfaces configs
>> that should come with IPv6 disabled by default, if the user wants it should be easy to enable]
>> exactly *that* is my point
>>
>> it is ridiculous that i bave a clearly static ipv4 config
>> using network.service as well as "ipv6disable=1" as kernel
>> param and on a F19 machine with 3.10.0-1.fc20.x86_64 eth0
>> comes up with "inet6 fe80::20c:29ff:fe30:82b9"
>>
>> this is not a matter of ipv6 security / yes / no / don't know
>> it is a matter of if ipv6 would make sense for the network
>> and would enable and *properly* configure it but this is
>> not the case because the gateway is for sure not ipv6 capable
>>
>> i do not need to see any ip-address (ipv4 or ipv6) on a
>> statically interface which was not explicitly configured
> Having a smarter ifconfig / ip tool or ethernet device driver would be a way to implement my proposal.
> 
> But, by the IPv6 RTFs, just having IPv6 enabled means there is an IPv6 address for that interface. IPv6 provides
> local auto-configuration for network intefaces, without DHCP or any other infrastrucure being present.
> 
> That's one thing that creates security risks: you don't know you could be reached by that address.
> 
> So, ifconfig or ip or whatever would have to disable IPv6 for any interface that does not having an explicit IPv6
> address. I'd think it would be easier to have the default eth*-cfg files and Network Manager disable IPv6 unless
> the user tells them to enable.

hence it would be enough if "ifup" would respect the configuration
i can not see "just having IPv6 enabled means there is an IPv6 address"
below - where is there ipv6 enabled? there is even a "IPV6INIT=no"

jesus this is a *ipv6 disabled* interface and it has a link-local
address and NM does not run here at all because on complex network
configuration with different interfaces "network.service" is the
better way (MHO and IMHO is enough on machines i am responsible for)
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

[root at rawhide ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0c:29:30:82:b9
ONBOOT=yes
BOOTPROTO=static
TYPE=Ethernet
MODE=Managed
IPADDR=192.168.196.18
NM_CONTROLLED=no
IPV6INIT=no
NETMASK=255.255.255.0
GATEWAY=192.168.196.2
USERCTL=no
MTU=1500

[root at rawhide ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.196.18  netmask 255.255.255.0  broadcast 192.168.196.255
        inet6 fe80::20c:29ff:fe30:82b9  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:30:82:b9  txqueuelen 1000  (Ethernet)
        RX packets 2046  bytes 170804 (166.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1608  bytes 176828 (172.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20130712/976de0b3/attachment.sig>

More information about the users mailing list