From 7224c8b4e6dd8238a726a874edbb7f4336f9b64e Mon Sep 17 00:00:00 2001 From: Robby Workman Date: Sun, 28 Feb 2021 16:32:21 -0600 Subject: README.IPv6: Remove implementation details --- README.IPv6 | 50 -------------------------------------------------- 1 file changed, 50 deletions(-) diff --git a/README.IPv6 b/README.IPv6 index 42b8664..fe4be5f 100644 --- a/README.IPv6 +++ b/README.IPv6 
@@ -13,56 +13,6 @@ Features * DHCPv6 support for server controlled address configuration. * Fixed IP configuration of IPv6 interfaces. - -Implementation --------------- -[This section can be removed from the final README.IPv6 as it relates to - implementation by Pat rather than user level configuration] - -Pat should add a /lib/modprobe.d/ipv6.conf (preferred) or -/etc/modprobe.d/ipv6.conf file to a package (probably network-scripts), with -content: - options ipv6 autoconf=0 - options net-pf-10 autoconf=0 -in order to disable IPv6 auto configuration (SLAAC) by default. - -Rationale: Should (possibly unknown to the end user) the network the host is -connecting to employ SLAAC via Router Advertisement (RA), when the ipv6 module -is loaded into the kernel the default is to accept RA packets and do auto -configuration. This would result in any interface (whether being configured for -any IP networking or not) coming up with a globally routable IPv6 address. - -We considered this to be a bad idea since Slackware does not employ any -firewalling by default, and most daemons will bind to an IPv6 address if it -exists - possibly exposing services to the global internet where none is -expected. It is not possible to disable SLAAC or RA via sysctl at boot time - -when sysctl is invoked in the Slackware boot process, the interfaces have not -yet established their /proc/sys/net/ipv6/conf entries for configuration, so the -setting would fail. - -Effects: Previous versions of Slackware followed the default behaviour when -loading the ipv6 module, so would obtain a globally routable IP address via -SLAAC should the network support it. This behaviour would now change to the -more secure default of not configuring network interfaces that the end user does -not know about. 
- -Effects if not used: Although the USE_SLAAC[x] option in rc.inet1.conf can be -used to disable stateless address auto configuration by RA for an interface via -/proc/sys/net/ipv6/conf/$interface/autoconf, there is a chance that auto -configuration will happen anyway because of a race condition between when the -ipv6 kernel module is loaded and when USE_SLAAC[x] is applied by rc.inet1 - if a -RA packet arrives during that time, the interface will be auto configured -regardless of the USE_SLAAC[x] option. Once that auto configured IP is attached -to the interface, even disabling auto configuration via the /proc/sys/net -interface will not automatically remove the IP from the interface. A manual 'ip --6 addr del' would need to be applied to remove that address. - -This can lead to the situation where the user thinks they have disabled -stateless auto configuration using the USE_SLAAC[x] option in rc.inet1.conf, but -an IP is still assigned in the brief time between module load and setting -autconf off via /proc. - - Configuration ------------- v6 IPs can be configured via SLAAC, DHCP6 or statically using the following new -- cgit v1.2.3
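Review bot: The "Effects" and "Effects if not used" paragraphs in the removed Implementation section are user-facing, not just notes to the packager, and this deletion leaves README.IPv6 with no mention of either point. The first records a behaviour change from previous Slackware versions (no globally routable address via SLAAC unless the user asks for it). The second warns that USE_SLAAC[x] in rc.inet1.conf can lose a race with an incoming RA between ipv6 module load and rc.inet1 writing /proc/sys/net/ipv6/conf/$interface/autoconf, and that the resulting address stays until a manual 'ip -6 addr del'. Nothing in the patch or the commit message shows whether the "options ipv6 autoconf=0" modprobe.d file was actually shipped. If it was, consider keeping one or two sentences under Configuration stating that SLAAC is now off by default and where that default is set. If it was not, the race caveat still applies and should stay in the README, since a user who sets USE_SLAAC[x] to disable auto configuration would otherwise have no hint that an interface can still come up with a global address on a host with no default firewalling. The commit message would also benefit from a body line saying which of the two cases applies.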