Killing IPv6 – There’s Gotta Be A Better Way

First, why kill IPV6 in your home network? Isn’t it the way and the light and the future?

https://www.leowkahman.com/2016/03/19/disable-ipv6-raspberry-raspbian/

Note: NAT is Network Address Translation – the router hides your internal address and uses only its external address for communications, then when information returns, sends it to only the computer that originated that request. By default it prevents an external party pushing bits at your machine as there is no “reverse table” to say to whom those bits ought to be sent by the router. The router only makes a table entry for the specific target and port you first established as your destination.

Reason for disabling

Avoiding IPv6 leak when using IPv4-only VPN

In the presence of both IPv4 and IPv6, the priority is to use the IPv6 path first before falling back to IPv4. This can be a problem when used in conjunction with VPN where most VPN providers are still providing IPv4 service exclusively. An IPv6-enabled machine will bypass the VPN.

Need implicit firewall with NAT

IPv6 no longer uses NAT; all devices are Internet routable. The implicit protection offered by NAT in IPv4 is now gone. This means the overall network security setup needs a rethink prior to introducing IPv6.

Disabling IPv6 at the router is an easy way to turn this off for all devices, but you may want to selectively enable it on some.

I have had IPv6 disabled at my routers essentially “forever”. I run an IPv4 shop and have no need for an IPv6 address or routing. I don’t care about the IdIOT devices on the “internet of things”, and to the extent only running IPv4 thwarts them, all the better. I LIKE my NAT firewall and I do not want my machine address routing all over the world. Just the firewall address and / or proxy server. All attacks to be focused only on them.

So how to do it?

Supposedly it is very easy:

Disabling IPv6

Firstly, check for presence of IPv6 using ifconfig. You should be seeing a few lines containing inet6 addr: ….

To disable, edit a file: sudo nano /etc/sysctl.conf

Add the following line:

net.ipv6.conf.all.disable_ipv6 = 1

For the change to take effect without rebooting:

sudo sysctl -p

Verify that the IPv6 address no longer shows up in ifconfig.

Personally I just sudo bash and then do all the commands I want instead of a sudo in front of each one; and I find the nano editor a pain. Decades ago my fingers learned “vi” and they just do it… so I vi /etc/sysctl.conf and added that line. Then did the sysctl -p and it all worked fine.

Until I rebooted… and then it was all back again…

This site made a different claim:

https://superuser.com/questions/546788/how-to-disable-ipv6-on-debian-wheezy

As I’m on Devuan, I look for “How To” on older Debian releases before it got all SystemD junked up…

If you do sysctl -p, the reboot isn’t necessary. It worked for me, but I prefer to keep params in single file, so I put the line above in the sysctl.conf file.

Just to be sure, I put a line about every device, so my solution is adding the following lines to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.ppp0.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1

[…]
Thanks for this! For some reason, on my Raspberry Pi just disabling via net.ipv6.conf.all.disable_ipv6 didn’t work; adding an explicit line for my adapter did the trick!

Tried that… it also did not survive the reboot. I took the expedient way out and just put sysctl -p into my rc.local file:

root@odroidxu4:/# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sysctl -p

exit 0

After a reboot, no IPv6:

root@odroidxu4:/# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1e:06:31:aa:27  
          inet addr:10.66.6.66  Bcast:10.66.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5616 (5.4 KiB)  TX bytes:5462 (5.3 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

But really… this just smells like Kludge to me. There’s gotta be a better way…

Why did this come up now? Well, as part of that Pocket PiHole thing. As IT is going to be my personal firewall / gateway / router etc. etc., I wanted only IPv4 running on it, too. It simplifies the firewall design in some ways. Only one protocol. No NAT bypass. etc. etc…

So I got my Round Tuit for shutting off the various things chatting IPv6 into my local isolated network and having it all stopped at the NATing Router. They would “talk among themselves” I guess, but why waste those bits? So off I went to shut it off. It was not quite as easy as I’d hoped… or I’ve missed something.

Any better ideas or insights welcomed.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

14 Responses to Killing IPv6 – There’s Gotta Be A Better Way

  1. philjourdan says:

    Nope, no better idea, just an affirmation of what you said about the preference of IPv6. I was troubleshooting an issue (someone had plugged the server into the wrong switch). I could get to the server fine from a workstation. So it must be on the same subnet, right? Took me about 15 minutes to finally see that the 2 machines were on different IPv4 subnets now, and that the client was talking to the server over IPv6!

    I kind of like that. But I do turn it off at the router.

  2. E.M.Smith says:

    On an entirely different note…

    In my efforts to limit data leakage and block ads, I’ve generally set manual IP and DNS values in the various hardware in the house. One exception has been the Roku devices. After all, it’s just TV, so who cares, right?

    Well, I decided I’d get my Round Tuit on them as well. Went to change the DNS… ( I already have the IP “fixed” in the router via a DHCP “allocation” setting). Nope. Nowhere to set DNS. Does it even use DNS? I’d assume so (otherwise a whole lot of stuff would need to be hard coded). But all you get is the default from the DHCP server.

    So back at the AT&T Router. I know where to set the IP addresses and the DHCP allocation and such. DNS choice ought to be around there somewhere – just like it is on my Netgear, right? Nope. I can not find ANYWHERE to set the default DNS servers that it DHCP serves to clients…

    Now I get Really Really Suspicious when some company blocks my ability to configure a key bit of information leaking / gathering stuff… It looks like my only real choice is to take 2 router hops and move the Roku devices onto my “Lab network”… I can then give them my ad blocking / private DNS server as their choice… I’ll be testing this on my Office TV. Then add the Bedroom TV a bit later.

    IF, in fact, this is the only way AND it works well, then I might as well turn off WiFi entirely from the AT&T router. It just becomes a nice Broadband / Ethernet router and otherwise is useless to me. Well, that, and the Ethernet ports in the back become a de facto DMZ network.

    Maybe it’s for the better anyway… Not that I don’t implicitly trust The Phone Company… I do. I implicitly trust them to be evil and do anything any TLA would like, no questions asked. Sigh.

    This would also mean digging out my other, even older Netgear or the decrepit D-Link and setting it up again as the actual Lab Isolated Network and going three levels deep just inside the house. Not my idea of ideal, but you do what you must.

    Maybe I’ll just leave the Living Room TV on the AT&T DHCP and they can decide I’m a retired woman watching soaps & mysteries ;-) Everything else is pretty much “my stuff” as the Spouse gets the big TV ;-)

    For the life of me I can not think of a good reason to block setting default DNS servers offered by a DHCP server. Every possible reason comes down to wanting to have control and gather information.

    UPDATE:

    After a bit of a think over a bowl of beans: I think I can just tell my R.PiHole to also be the DNS server, shut off DNS serving on the AT&T Router, and maybe fix it that way. It will depend a bit on how to get the AT&T router to serve the WiFi subnet and if it will let a new arrival issue a DHCP request to some other server on that subnet. But worth a try.

  3. Ossqss says:

    In the Arris primary modem/router I have there is an IPv6 filter available and it is empty. In the Asus AC router connected to that, there is an option in the firewall settings to disable IPv6. It has been disabled since I got it a few years ago. I do have other options enabled like DDoS protection etc.

  4. E.M.Smith says:

    Well this was a pleasant surprise… I turned OFF DNS serving from the AT&T router and turned it ON from the PiHole. Machines reconnect, get new IP (the two were put in different ranges) AND the PiHole also won’t let you change the DNS it offers, but since it is offering itself (and that is a valid conclusion if you are using it…) you get the DNS blocking ;-)

    So now anything in the house that does a DHCP connection to the AT&T router gets the PiHole DNS ad blocking. I’m happy ;-)

    @OssQss:

    That seems to be the default for routers made during the IPv6 rollout. Ability to shut it off. I wonder if, someday, they will start leaving out IPv4… If so, I’ll just need to “roll my own”… but I seem to be doing that anyway ;-)

    The whole idea behind IPv6 was that the world was running out of IPv4 addresses and the IOT folks calculated the need for an order of magnitude more numbers for every device in the world to be internet routable. They didn’t foresee folks putting 10 to 100 things behind one NAT gateway and the number of addresses really needed plunging… and a lot of folks NOT wanting a house full of Chatty Kathy IdiOT devices…

  5. E.M.Smith says:

    Rebooted the Roku and it is showing up in the PiHole logs!

    2018-12-20 13:57:01 	A	captive.roku.com	192.168.66.64	OK (forwarded)	CNAME (25.2ms)	
    2018-12-20 13:57:01 	A	captive.roku.com	192.168.66.64	OK (cached)	CNAME (0.5ms)	
    2018-12-20 13:57:01 	A	captive.roku.com	192.168.66.64	OK (cached)	CNAME (0.5ms)	
    2018-12-20 13:57:01 	A	captive.roku.com	192.168.66.64	OK (cached)	CNAME (0.3ms)	
    2018-12-20 13:57:01 	A	index.ehub.netflix.com	192.168.66.64	OK (forwarded)	CNAME (22.7ms)	
    2018-12-20 13:57:01 	A	api.rokutime.com	192.168.66.64	OK (forwarded)	IP (22.3ms)	
    2018-12-20 13:57:01 	A	api.rokutime.com	192.168.66.64	OK (cached)	IP (0.5ms)	
    2018-12-20 13:55:34 	A	pubads.g.doubleclick.net	android-666ae32a1f4d6666.chiefio.home	Blocked (gravity)	- (0.5ms)	
    2018-12-20 13:55:34 	A	ssl.google-analytics.com	android-666ae32a1f4d6666.chiefio.home	Blocked (gravity)	- (0.4ms)	
    2018-12-20 13:55:30 	A	cognito-identity.us-east-1.amazonaws.com	android-666ae32a1f4d6666.chiefio.home	OK (forwarded)	IP (22.8ms)	
    

    At the bottom you can see my Burner Phone Android also being protected ;-)

    My phone is now de-Googled in terms of ads ;-) at least when at home. And after I get the last of the Pocket PiHole config done.

  6. E.M.Smith says:

    Interesting… Looks like someone who makes the block lists found something in the Roku they didn’t care for. Likely a tracker of some sort:

    2018-12-20 14:29:09 	A	giga.logs.roku.com	recroom.chiefio.home	Blocked (gravity)	- (0.6ms)	
    2018-12-20 14:29:09 	A	giga.logs.roku.com	recroom.chiefio.home	Blocked (gravity)	- (0.4ms)
    

    Came on when I launched a Netflix session to see if it worked OK. It does…

  7. E.M.Smith says:

    Interesting… of 4614 DNS queries, 48.7% have been blocked. The Roku is a bit Chatty on log files…

    OTOH, the PiHole is working very nicely ;-)

    I’m using Cloudflare as my upstream DNS, but not yet encrypted. I suppose I ought to do that next as it applies to both the house PiHole and the Pocket Pihole.

    On the Pi M2 / Devuan 1.0 (32 bit quad core at 900 MHz armv7) of 1 GB memory, 189 MB is used. That’s with it configured for a LXDE login panel – it would be smaller if configured terminal only. Load is running 99.2% idle and that’s with a Web Monitor page open on another machine watching it… Load “bursts” to 96% idle if you click on a new display in the web monitor…

    It’s my opinion this could easily run on a Pi model B+ (v6 instructions single core 700 MHz) or other minor board. I might take a look at putting this on an Orange Pi One (that $10 board I bought ;-).

  8. Steven Fraser says:

    @EM: Mmmmm. Powerful Jedi.

  9. jim2 says:

    This link includes a link with a list of Roku IP requests, and a discussion.

  10. Rienk says:

    Hi there,
    Long time lurker and a noob to boot. So, I have to look-up everything.
    Found here:
    https://www.raspberrypi.org/forums/viewtopic.php?p=964671
    halfway down by a friendly chap called Rascas.
    add ipv6.disable=1 to /boot/cmdline.txt.
    I’m on vanilla raspbian, so may not be quite the same on devuan.
    Cheers

  11. E.M.Smith says:

    Interesting…. As I’m already blocking all things doubleclick I’d not had that issue.

    One of the reasons for moving to PiHole is the use of maintained lists where I leverage off the work of the community…

    I’ll check out the discussion when I get a bit of time.

    @Steven:

    Just a moon farmer ;-)

  12. E.M.Smith says:

    @Rienk:

    So you can shut it off with a kernel parameter, eh? I’m good with that!

    While each kind of boot has its own way of passing kernel parameters, just knowing there is one is the first big step! That specific method will work for the typical R.Pi OS types as they all boot from the same boot area / method. For things with uboot or other boot code there’s a different way to pass params, but it can still be done.

    Thanks!

  13. E.M.Smith says:

    I’ve used that command line parameter on a couple of systems now, including Alpine and it works great!

  14. Rienk says:

    Glad to be of help but there’s more. Basically I’ve made a habit of revisiting these types of security settings and your article made me revisit it some more. Having been on windows from way back I always switched IPv6 off to my best knowledge. First in the connection settings and later the teredo and isatap via commandline and the registry as well. When I got a raspberry and pihole I found out that programs can have their own mind and not respect system settings. In my case pale moon (firefox fork) and sabnzbd. Pale moon can be set in about:config; haven’t managed the other yet.
    The raspberry pi is still asking AAAA from 2.debian.pool.ntp.org.
    I have an asus router where I’ve switched off IPv6 but it keeps happily using it for its own purposes. I’m now thinking the switches may be mislabeled and the off setting is in reality a bypass. Still, keeping an eye on the logs and hunting for leaks.

    Cheers
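An added check script, not from the post or any of the commenters, covering the three ways this thread tries to kill IPv6: the live sysctl knob, the lines persisted in /etc/sysctl.conf, and the ipv6.disable=1 kernel parameter from the comments. It assumes POSIX sh, the net-tools ifconfig output format shown in the post (or ip addr), and the constructed sample strings it embeds; the function and variable names are mine.

```shell
# Added check: judges "is IPv6 really off?" the three ways this thread tries.
# Helpers take the text to inspect as an argument so they run on samples;
# check_live reads the real files only when CHECK_LIVE=1.
# Constructed samples, not captured from any machine mentioned on the page.
SAMPLE_CMDLINE="console=tty1 root=/dev/mmcblk0p2 rootwait ipv6.disable=1"
SAMPLE_CONF="# net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6=1"
SAMPLE_IFCONFIG="eth0      Link encap:Ethernet  HWaddr 00:1e:06:31:aa:27
          inet6 addr: fe80::21e:6ff:fe31:aa27/64 Scope:Link"

# 0 if the kernel command line carries ipv6.disable=1: the kernel then never
# registers the IPv6 stack, so nothing can switch it back on after boot.
cmdline_disables_ipv6() {
    case " $1 " in
        *" ipv6.disable=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if a sysctl.conf body sets net.ipv6.conf.$2.disable_ipv6 = 1; tolerates
# spaces around "=" and ignores commented-out lines (a common reason the
# "persisted" setting does nothing after a reboot).
sysctl_conf_disables() {
    printf '%s\n' "$1" |
        grep -Eq "^[[:space:]]*net\.ipv6\.conf\.$2\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$"
}
# Prints how many inet6 lines an ifconfig or ip dump holds; 0 means no
# interface currently carries an IPv6 address.
count_inet6() {
    printf '%s\n' "$1" | grep -c 'inet6 ' || true
}
check_live() {
    knob=/proc/sys/net/ipv6/conf/all/disable_ipv6
    if cmdline_disables_ipv6 "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "ipv6.disable=1 on the kernel command line: stack never built"
    fi
    # With ipv6.disable=1 the knob is absent altogether, which is expected.
    if [ -r "$knob" ]; then echo "live all.disable_ipv6 = $(cat "$knob")"
    else echo "no $knob: no IPv6 stack loaded"; fi
    for dev in all default; do
        if sysctl_conf_disables "$(cat /etc/sysctl.conf 2>/dev/null)" "$dev"
        then echo "sysctl.conf persists $dev.disable_ipv6 = 1"
        else echo "sysctl.conf lacks $dev.disable_ipv6 = 1: will not survive reboot"
        fi
    done
    echo "inet6 addresses live: $(count_inet6 "$(ifconfig 2>/dev/null || ip addr)")"
}

if [ "${CHECK_LIVE:-0}" = 1 ]; then check_live; fi
```

Run it as CHECK_LIVE=1 sh check-ipv6.sh on the box after a reboot; a commented-out or misspelled sysctl.conf line is reported as "will not survive reboot" rather than silently passing.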
