RedHat / CentOS EL5 Static IPv6 woes

Does RedHat EL5 / CentOS like doing static IPv6? NO

It is easy to add a static IPv6 address, but the box will still autoconfigure a dynamic one as well. Many times you don’t care. But sometimes you just want one address on the box. Then…

[root@myhost ~]# cat /etc/sysconfig/network
# this does NOT work, but set it anyway in the hopes that someday it will
# should be here but had to move to eth0 to prevent an error message
# xIPV6_DEFAULTGW="1:2:3:4::1" 

[root@myhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Whatever.... Ethernet
# IPV6INIT=yes in network

The above “should” be enough, but alas…
(you will probably have to add the line)

[root@myhost ~]# vi /etc/sysctl.conf


# Disable IPv6 Autoconf

Now for the running kernel…

[root@myhost ~]# echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
[root@myhost ~]# echo 0 > /proc/sys/net/ipv6/conf/eth0/autoconf


[root@myhost ~]# service network restart

IPv6 Auto Configuration from Static Windows Configuration

Had an interesting issue today that has some significant security implications. I was working on an isolated test network. I had a DHCP-assigned v4 address. This network is currently not using v6.

I had been having trouble accessing a few services, but since I was setting up a new system, I did not really think much of it. Finally I had ssh take forever to come up, but it did work, and then it was responsive. Because I have seen issues with IPv6 on some of our networks, I did an ifconfig. I had the IPv4 address I expected, but I also had an IPv6 address from a network that we were supposed to be totally isolated from. Start the fire drill … trace all the connections … look at all the services. Where is this address coming from?

Turns out it was coming from a Windows box (XP, I think) that had a hard-coded IPv6 address on it. This box was temporarily connected to our test network, but the IPv6 configuration had not been updated. I had both Mac OSX & Linux auto-configuring IPv6 addresses from this source.

The kicker was that this box is not a server, not a router, just a regular Windows client. — Yes it could provide services, but maybe only to a select few?

Here is the impact that really scares me: if I have this configuration and someone has v6 on but is not getting anything from a router, say at your favorite hotspot, everything that I have shared but firewalled only to those on my network is accessible. A network-address-based firewall filter is useless.
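
A way to check a Linux host for both problems described above: autoconf still switched on after the static setup, and global addresses that nobody configured by hand. This is an added example, not part of the original posts; the function names, the sample `ip` output and the 2001:db8:: addresses are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Sample data is constructed;
# 2001:db8::/32 is the IPv6 documentation prefix.

# Constructed `ip -6 -o addr show` output: a static address, an address
# autoconfigured from a router advertisement, and a link-local address.
SAMPLE_ADDRS='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2::10/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:dead:beef:211:22ff:fe33:4455/64 scope global dynamic \       valid_lft 2591990sec preferred_lft 604790sec
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever'

# Reads `ip -6 -o addr show` output on stdin and prints "iface address" for
# each global address flagged "dynamic", i.e. one nobody configured by hand.
find_dynamic_v6() {
    awk '$3 == "inet6" {
        global = 0; dynamic = 0
        for (i = 5; i <= NF; i++) {
            if ($i == "valid_lft") break            # flags end here
            if ($i == "scope" && $(i + 1) == "global") global = 1
            if ($i == "dynamic") dynamic = 1
        }
        if (global && dynamic) print $2, $4
    }'
}

# Prints each entry (all, default, eth0, ...) whose autoconf switch is still
# non-zero. $1 is the sysctl directory; it is a parameter so the check can
# be pointed at a copy of the tree.
autoconf_enabled() (
    root="${1:-/proc/sys/net/ipv6/conf}"
    for f in "$root"/*/autoconf; do
        [ -r "$f" ] || continue
        iface="${f%/autoconf}"
        [ "$(cat "$f")" = "0" ] || echo "${iface##*/}"
    done
)

# Demo on the constructed sample; on a live host use:
#   ip -6 -o addr show | find_dynamic_v6 ; autoconf_enabled
printf '%s\n' "$SAMPLE_ADDRS" | find_dynamic_v6
```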


IPv6 with Mac OSX

As of OSX 10.5.8, there seems to be a problem with statically assigned IPv6 addresses. You can fill in the dialog, but it does not actually configure the adapter.

Workaround:
ifconfig en0 inet6 2001:48:24:12::12/64
route add -inet6 -prefixlen 0 default 2001:48:24:12::1

Note: this is not actually my IP (v6) address

Ubuntu IPv6 Notes

Right now IPv6 does work with Ubuntu but there are a couple of notes:

  • There is no GUI for configuration. I think it works fine with DHCP for 6 if you have DHCP v4.
  • If you are manually setting networking you will have to:
    1. add v4 & v6 to /etc/network/interfaces
      auto lo
      iface lo inet loopback
      iface eth0 inet6 static
      	address 2001:48:24::20:13
      	netmask 120
      	gateway 2001:48:24::20:1
      iface eth0 inet static
    2. configure DNS: /etc/resolv.conf
  • If you are using the default ufw firewall, you will need to tell it to let IPv6 work. This is easy: edit /etc/default/ufw and set IPV6=yes. Then just:
    ufw disable
    ufw enable

    Otherwise you will get:

    root@localhost:/etc/default# ping6
    PING 56 data bytes
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    --- ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 2999ms


  • Yes — the IP Addresses have been altered
  • Yes — the IPv6 netmask should be 64