RedHat / CentOS EL5 Static IPv6 woes

Does RedHat EL5 / CentOS like doing static IPv6? NO

It is easy to add a static IPv6 address, but the box will still autoconfigure a dynamic one. Many times you don’t care, but sometimes you want just one address on the box. Then…

[root@myhost ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=myhost.mydomain
GATEWAY=1.2.3.1
IPV6FORWARDING=no
IPV6INIT=yes
# this does NOT work, but set it anyway in the hopes that someday it will
IPV6_AUTOCONF=no
IPV6_ROUTER=no
# should be here but had to move to eth0 to prevent an error message
# xIPV6_DEFAULTGW="1:2:3:4::1" 

[root@myhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Whatever.... Ethernet
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
HWADDR=01:02:03:04:05:06
#
IPADDR=1.2.3.4
NETMASK=255.255.255.0
NETWORK=1.2.3.0
BROADCAST=1.2.3.255
GATEWAY=1.2.3.1
#
# IPV6INIT=yes in network
IPV6ADDR="1:2:3:4::4/64"
IPV6_DEFAULTGW="1:2:3:4::1"

The above “should” be enough, but alas…
(you will probably have to add the line below to /etc/sysctl.conf)

[root@myhost ~]# vi /etc/sysctl.conf

...

# Disable IPv6 Autoconf
net.ipv6.conf.default.autoconf=0

Now for the running kernel…

[root@myhost ~]# echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
[root@myhost ~]# echo 0 > /proc/sys/net/ipv6/conf/eth0/autoconf

Finally…

[root@myhost ~]# service network restart
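
A check for the steps above, added here as an example (not part of the original post): each interface carries its own autoconf value, which is why the commands above write to both all and eth0, so this lists every entry whose flag is still on. The function name and the optional root-directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Lists interfaces whose kernel autoconf flag is still enabled.
# Argument 1 (optional, an assumption so the check can be pointed at a
# copied or constructed tree): root of the per-interface IPv6 settings.
# Defaults to the live tree written to in the steps above.
slaac_enabled_ifaces() {
    conf_root="${1:-/proc/sys/net/ipv6/conf}"
    for dir in "$conf_root"/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        iface=$(basename "$dir")
        # A missing file is reported as "?" rather than silently skipped.
        autoconf=$(cat "$dir/autoconf" 2>/dev/null) || autoconf='?'
        accept_ra=$(cat "$dir/accept_ra" 2>/dev/null) || accept_ra='?'
        # autoconf=1: the kernel builds an address from an advertised prefix.
        # accept_ra is printed for context only: it controls whether router
        # advertisements are processed at all.
        if [ "$autoconf" != "0" ]; then
            echo "$iface autoconf=$autoconf accept_ra=$accept_ra"
        fi
    done
}

# Live use (after "service network restart"):
#   slaac_enabled_ifaces
# No output means autoconf is off for all, default and every interface.
```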

IPv6 Auto Configuration from Static Windows Configuration

Had an interesting issue today that has some significant security implications. I was working on an isolated test network. I had a DHCP-assigned v4 address. This network is currently not using v6.

I had been having trouble accessing a few services, but since I was setting up a new system, I did not really think much of it. Finally I had ssh take forever to come up, but it did work, and then it was responsive. Because I have seen issues with IPv6 on some of our networks, I did an ifconfig. I had the IPv4 address I expected, but I also had an IPv6 address from a network that we were supposed to be totally isolated from. Start the fire drill … trace all the connections … look at all the services. Where is this address coming from?

Turns out it was coming from a Windows box (XP, I think) that had a hard-coded IPv6 address on it. This box was temporarily connected to our test network, but the IPv6 configuration had not been updated. I had both Mac OSX & Linux auto-configuring IPv6 addresses from this source.

The kicker was that this box is not a server, not a router, just a regular Windows client. — Yes it could provide services, but maybe only to a select few?

Here is the impact that really scares me: If I have this configuration and someone has v6 on but is not getting anything from a router, say at your favorite hotspot: everything that I have shared but firewalled only to those on my network is accessible. A network-address-based firewall filter is useless.
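
One way to answer "where is this address coming from?" on a Linux host, added here as an example (not part of the original post): list the global addresses the kernel marks dynamic, and the neighbours it has flagged as routers together with their MAC addresses. The function names and the sample output are constructed for the example, and it assumes the iproute2 `ip` tool rather than ifconfig.

```shell
#!/bin/sh
# Added example, not from the original post.

# stdin:  output of `ip -6 -o addr show`
# stdout: "<iface> <address/prefixlen>" for each global address flagged
#         "dynamic" (not permanent, i.e. not one configured statically).
dynamic_global_addrs() {
    awk '$3 == "inet6" {
        global = 0; dyn = 0
        for (i = 5; i <= NF; i++) {
            if ($i == "scope" && $(i + 1) == "global") global = 1
            if ($i == "dynamic") dyn = 1
        }
        if (global && dyn) print $2, $4
    }'
}

# stdin:  output of `ip -6 neigh show`
# stdout: "<iface> <link-local address> <MAC>" for each neighbour the
#         kernel has marked as a router.
advertising_routers() {
    awk '{
        dev = ""; mac = "unknown"; router = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "lladdr") mac = $(i + 1)
            if ($i == "router") router = 1
        }
        if (router) print dev, $1, mac
    }'
}

# Constructed sample output (documentation prefix, made-up MAC addresses).
SAMPLE_ADDR='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:12:0:211:22ff:fe33:4455/64 scope global dynamic \       valid_lft 2591990sec preferred_lft 604790sec
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_NEIGH='fe80::2aa:bbff:fecc:ddee dev eth0 lladdr 00:aa:bb:cc:dd:ee router STALE
fe80::20c:29ff:fe01:203 dev eth0 lladdr 00:0c:29:01:02:03 REACHABLE'

# Live use:
#   ip -6 -o addr show | dynamic_global_addrs
#   ip -6 neigh show   | advertising_routers
```

On a network that is not supposed to be using v6, both functions should print nothing; a MAC address in the second list is the box to go and find.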

References:
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-2/ipv6_autoconfig.html
http://www.tcpipguide.com/free/t_IPv6AutoconfigurationandRenumbering.htm
http://msdn.microsoft.com/en-us/library/ms172318.aspx
http://www.6diss.org/workshops/sca/autoconfiguration.pdf
http://ipv6.com/articles/general/Auto-Configuration-vs-DHCPv6.htm

IPv6 with Mac OSX

As of OSX 10.5.8, there seems to be a problem with statically assigned IPv6 addresses. You can fill in the dialog, but it does not actually configure the adapter.

Workaround:
ifconfig en0 inet6 2001:48:24:12::12/64
route add -inet6 -prefixlen 0 default 2001:48:24:12::1

Note: this is not actually my IP (v6) address

Ubuntu IPv6 Notes

Right now IPv6 does work with Ubuntu but there are a couple of notes:

  • There is no GUI for configuration. I think it works fine with DHCP for 6 if you have DHCP v4.
  • If you are manually setting networking you will have to:
    1. add v4 & v6 to /etc/network/interfaces
      auto lo
      iface lo inet loopback
      iface eth0 inet6 static
      	address 2001:48:24::20:13
      	netmask 120
      	gateway 2001:48:24::20:1
      iface eth0 inet static
      	address 190.82.18.13
      	netmask 255.255.255.192
      	gateway 190.82.18.1
      
    2. configure DNS: /etc/resolv.conf
  • If you are using the default ufw firewall, you will need to tell it to let IPv6 work. This is easy: edit /etc/default/ufw and set IPV6=yes. Then just:
    ufw disable
    ufw enable

    Otherwise you will get:

    root@localhost:/etc/default# ping6 ipv6.google.com
    PING ipv6.google.com(qw-in-x68.google.com) 56 data bytes
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ^C
    --- ipv6.google.com ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 2999ms
    

Notes:

  • Yes — the IP Addresses have been altered
  • Yes — the IP 6 netmask should be 64

Refs:

  • http://www.ubuntugeek.com/ufw-uncomplicated-firewall-for-ubuntu-hardy.html
  • https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/188934
  • http://brainstorm.ubuntu.com/idea/1622/
  • http://brainstorm.ubuntu.com/idea/17331/
  • http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems
  • https://wiki.ubuntu.com/IPv6