Discussion:
IPV6 issues
Bob Nestor
2014-04-16 19:14:31 UTC
I'm trying to upgrade to 6.1.3 and find myself on a steep learning curve with some of the new features. NPF has been a trip, but I think I finally have it working. (Documentation, examples, missing kernel modules, and unreported or underreported errors have been a real learning experience.)

However my connection to my ISP doesn't support IPV6 so I'd like to disable it at least for the time being. I can't find any sysctl knob to do this but I found an article that says the way to do this is with NPF. The article indicates the way to do this is to add these two rules to the default group:
block in inet6
block out inet6
But these lines give syntax errors when I attempt an "npfctl reload". Looking at the npf.conf documentation seems to indicate that the proper syntax (for the npf variant in 6.1.3) should be:
block in family inet6
block out family inet6
But that also gives a syntax error.

So I dropped back and decided that at least for the time being I'd build a kernel that doesn't have IPV6. I commented out the "options INET6" line in GENERIC and tried building the kernel. That fails during link with an unresolved reference to "stfattach".

My simple question is therefore, what's an easy way of disabling IPV6 in the GENERIC kernel?

Thanks,
Greg Troxel
2014-04-16 22:29:02 UTC
Post by Bob Nestor
However my connection to my ISP doesn't support IPV6 so I'd like to
disable it at least for the time being.
So I would ask: why do you think you need to disable it? By default,
the system will have no v6 addresses configured and should not incur
delays due to this. Are you having a problem?
Post by Bob Nestor
So I dropped back and decided that at least for the time being I'd
build a kernel that doesn't have IPV6. I commented out the "options
INET6" line in GENERIC and tried building the kernel. That fails
during link with an unresolved reference to "stfattach".
When disabling INET6, you surely also need to disable the stf
pseudodevice. Arguably stf should have an #ifndef INET6/#error in it to
make this more obvious.
Thor Lancelot Simon
2014-04-17 00:08:50 UTC
Post by Greg Troxel
So I would ask: why do you think you need to disable it? By default,
the system will have no v6 addresses configured and should not incur
delays due to this. Are you having a problem?
The system will have link-local addresses configured and anything that
listens on ANY will take packets from them. Without a firewall configuration
that blocks all IPv6 traffic on the Internet side, this can be very
dangerous, effectively exposing services that were not exposed over IPv4.

Thor
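The exposure Thor describes can be checked rather than assumed. The following POSIX sh audit is an added example, not code from the thread or from NetBSD: it lists the non-loopback interfaces that carry an fe80:: link-local address and the IPv6 sockets bound to the wildcard address, which is exactly the combination that makes a service reachable from other stations on the same segment even when the ISP routes no IPv6. The `ifconfig -a` and `netstat -an -f inet6` commands used by `audit_live` are the real NetBSD tools; the two sample outputs embedded below are constructed so the parsing functions run offline, and the column layout they assume (protocol in column 1, local address in column 4) is that of netstat's "Active Internet6 connections" listing.

```shell
#!/bin/sh
# Added example: audit a host for IPv6 link-local exposure of wildcard listeners.
# Not part of the original thread; sample outputs below are constructed, not captured.

# Constructed sample of `ifconfig -a` output (NetBSD style), not from a real host.
sample_ifconfig='wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::2e0:81ff:fe12:3456%wm0 prefixlen 64 scopeid 0x1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33184
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2'

# Constructed sample of `netstat -an -f inet6` output, not from a real host.
sample_netstat='Active Internet6 connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  ::1.25                 *.*                    LISTEN
udp6       0      0  *.514                  *.*'

# Print every non-loopback interface that has an fe80:: link-local address.
# The kernel assigns these automatically, so they exist even with no v6 uplink.
linklocal_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[a-z]/ { iface = $1; sub(":$", "", iface) }
        /inet6 fe80:/ && iface != "lo0" { print iface }'
}

# Print v6 sockets bound to the wildcard ("*.port"): these accept packets on
# every local address, link-local included. Sockets bound to ::1 are not listed.
v6_wildcard_listeners() {
    printf '%s\n' "$1" | awk '$1 ~ /6$/ && $4 ~ /^\*\./ { print $1, $4 }'
}

# Run the same checks against the live system.
audit_live() {
    echo "Interfaces with link-local IPv6 addresses:"
    linklocal_ifaces "$(ifconfig -a)"
    echo "IPv6 sockets bound to the wildcard address:"
    v6_wildcard_listeners "$(netstat -an -f inet6)"
}
```

On the constructed sample the audit reports wm0 as carrying a link-local address and two wildcard listeners (tcp6 port 22 and udp6 port 514); any such listener is reachable from neighbours on the wm0 segment unless an inbound rule for family inet6 stops it.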
Greg Troxel
2014-04-17 00:40:36 UTC
Post by Thor Lancelot Simon
Post by Greg Troxel
So I would ask: why do you think you need to disable it? By default,
the system will have no v6 addresses configured and should not incur
delays due to this. Are you having a problem?
The system will have link-local addresses configured and anything that
listens on ANY will take packets from them. Without a firewall configuration
that blocks all IPv6 traffic on the Internet side, this can be very
dangerous, effectively exposing services that were not exposed over IPv4.
A fair point. I run real v6, so I have a corresponding v6 ruleset, but
I hadn't really contemplated link-local. I wonder, given that, if our
firewall rules should be configured so that one can write rules that
match tcp/tcp6 in one rule, kind of like the tcp/udp block rules for the
same port in different protocols within an AF.
John Nemeth
2014-04-20 17:50:20 UTC
On Apr 16, 8:08pm, Thor Lancelot Simon wrote:
} On Wed, Apr 16, 2014 at 06:29:02PM -0400, Greg Troxel wrote:
} >
} > So I would ask: why do you think you need to disable it? By default,
} > the system will have no v6 addresses configured and should not incur
} > delays due to this. Are you having a problem?
}
} The system will have link-local addresses configured and anything that
} listens on ANY will take packets from them. Without a firewall configuration
} that blocks all IPv6 traffic on the Internet side, this can be very
} dangerous, effectively exposing services that were not exposed over IPv4.

If your ISP doesn't support IPv6, then how are you going to
receive any packets at a link-local address on an interface connected
to the ISP?

}-- End of excerpt from Thor Lancelot Simon
Thor Lancelot Simon
2014-04-20 23:35:27 UTC
Post by John Nemeth
} >
} > So I would ask: why do you think you need to disable it? By default,
} > the system will have no v6 addresses configured and should not incur
} > delays due to this. Are you having a problem?
}
} The system will have link-local addresses configured and anything that
} listens on ANY will take packets from them. Without a firewall configuration
} that blocks all IPv6 traffic on the Internet side, this can be very
} dangerous, effectively exposing services that were not exposed over IPv4.
If your ISP doesn't support IPv6, then how are you going to
receive any packets at a link-local address on an interface connected
to the ISP?
The answer's obvious, isn't it? You'll get them from other stations
connected to the multiple-access network that connects you to your ISP's
router.

For example, the network upstream of my home firewall has a /22 netmask,
and when the ISP's router fails over and everyone has to ARP for the new
gateway's MAC address, I can observe literally hundreds of other stations
on it. All those stations can talk directly to me by IPv6 (or by IPv4,
for that matter) without the DOCSIS head-end routing anything.

Thor

Bob Nestor
2014-04-17 00:26:37 UTC
With Greg's kind help and patience I think I found my problem. I'd made some incorrect changes to the namedb files distributed with the system. When I fixed those files things started working the same on 6.1.3 as it does on my old 5.1 system.
Leonardo Taccari
2014-04-17 21:42:30 UTC
Hello Bob,
Post by Bob Nestor
block in inet6
block out inet6
block in family inet6
block out family inet6
But that also gives a syntax error.
So I dropped back and decided that at least for the time being I'd build a kernel that doesn't have IPV6. I commented out the "options INET6" line in GENERIC and tried building the kernel. That fails during link with an unresolved reference to "stfattach".
My simple question is therefore, what's an easy way of disabling IPV6 in the GENERIC kernel?
In my npf.conf I added the "family inet" flag to every pass rule (except
on lo0), and this way it works without any problem (and I have a
"block all" rule at the end).

Maybe this thread could be interesting for you:

http://mail-index.netbsd.org/netbsd-users/2012/06/27/msg010930.html

IIRC there should also be a patch to /etc/rc.d/network in order to disable
IPv6 without recompiling the kernel (I think that it disables setting the
link-local address, which is enabled by default, as noted by Thor).


HTH,
L.