[clug] Bridge setup without IP address configuration turn off end station autoconfiguration

Robert Edwards bob at cs.anu.edu.au
Thu Apr 9 22:52:42 UTC 2020


Hi George,

Do you actually need IPv6 on this system? I usually disable it on all my
systems that don't need it as it is still a potential security hole if
not separately managed to IPv4 security (firewall rules, various service
configurations etc. etc.).

I add:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

to the end of /etc/sysctl.conf and then run:

sudo sysctl -p

(happens automatically on reboot).
IPv6 is immediately disabled and will go away on all interfaces.

cheers,
Bob Edwards.

On 9/4/20 11:51 pm, George at Clug via linux wrote:
> Hi,
> 
>   I wanted a KVM host server with an isolated network bridge without IP
> address configuration for both IPv4 and IPv6.
> 
> 
> I am interested if anyone can explain how to achieve this.   Setting
> up IPv4 bridge without IP addresses was not too difficult, however
> getting IPv6 not to auto configure IPv6 addresses was challenging.
> Sadly I don't understand linux networking enough to truly be confident
> that I have been successful or not.
> 
> 
> If you understand the below /etc/network/interfaces lines, please let
> me know which lines you believe are correct, which are incorrect and
> why.
> 
> My understanding is that I need to "turn off end station
> autoconfiguration" by setting "autoconf 0", and "accept_ra 0", however
> the bridge was still being assigned an IP address.
> 
> 
> Two examples that I have tried:
> 1)
> 
> auto br1
> iface br1 inet manual
>      bridge_ports eth4
>      bridge_stp on
>      bridge_fd 0
>      bridge_maxwait 0
>      bridge_waitport 0
> 
> iface br1 inet6 manual
>      autoconf 0
>      accept_ra 0
>      bridge_ports eth4
>      bridge_stp on
>      bridge_fd 0
>      bridge_maxwait 0
>      bridge_waitport 0
> 
> ===============================================
> 2)
> I found this link, which was for IPv4 but the IPv6 address was still
> being assigned, even when I duplicated the details for IPv6.
> Adding "autoconf 0", and "accept_ra 0" did not stop an IPv6 address
> being assigned.
> 
> https://wiki.debian.org/NetworkConfiguration#Network_Interface_Names
> Example: Bridge setup without IP address configuration (use "manual"
> instead of "static") to "forward" an interface to a guest VM. (The
> static bridge config contains only 1 physical interface. The virtual
> interface will be added to the bridge when the VM is started.)
> 
> auto br1
> iface br1 inet manual
>          bridge_ports eth4
>          up /usr/sbin/brctl setageing br1 0
>          up /usr/sbin/brctl stp br1 off
> 
> iface br1 inet6 manual
>          bridge_ports eth4
>          up /usr/sbin/brctl setageing br1 0
>          up /usr/sbin/brctl stp br1 off
> 
> ===============================================
> 
> Below are some links I used for information.
> 
> https://www.rmv6tf.org/wp-content/uploads/2013/04/2-End-Station-Addressing.pdf
> Stateless Address Autoconfiguration (SLAAC) is the default method IPv6
> hosts obtain an IPv6 address. End stations automatically generate the
> Interface ID (lower 64 bits) of their address as an EUI-64 address
> based on the station MAC address. The Prefix is provided to the end
> station via a Router Advertisement (RA).
> 
> https://howdoesinternetwork.com/2013/slaac
> As a result, an IPv6 host can configure for itself complete or part of
> the address settings automatically, which depends on the type and
> method it uses for autoconfiguration. The method types include:
>      Stateful autoconfiguration
>      Stateless autoconfiguration using EUI-64 addressing process
> (SLAAC)
> Stateful autoconfiguration is a method in which a host or router is
> assigned its entire 128-bit IPv6 address with the help of
> DHCP. Stateless autoconfiguration or SLAAC is that second method in
> which the host or router interface is assigned a 64-bit prefix, and
> then the last 64 bits of its address are derived by the host or router
> with help of EUI-64 process.
> 
> https://www.cyberciti.biz/faq/ubuntu-ipv6-networking-configuration/
> 
> 
> https://hackingandsecurity.blogspot.com/2016/06/ip-address-configuration-in-kali-linux.html?view=classic
> 
> 
> https://sumguy.com/proxmox-ip-bridge-for-single-public-ip/
> 
> 
> http://rockhoppervpn.sourceforge.net/ref_bridge_v6_2.html
> 
> 
> https://wiki.debian.org/NetworkConfiguration#Network_Interface_Names
> 
> 
> https://www.ionos.com/help/server-cloud-infrastructure/ip-addresses/adding-a-public-ipv6-address-to-a-server/adding-a-public-ipv6-address-to-a-linux-server-ubuntu/
>                accept_ra int
>                       Accept router advertisements (0=off, 1=on)
>                autoconf int
>                       Perform stateless autoconfiguration (0=off, 1=on). Default value: "0"
> 
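
One way to confirm the result on a bridge such as br1, as an added example that is not part of either message: a POSIX shell check that reads the per-interface IPv6 sysctls and /proc/net/if_inet6. The function names and the constructed sample tree are assumptions; autoconf and accept_ra only govern router-advertisement-derived addresses, so a link-local fe80:: address normally remains until disable_ipv6 is 1.

```shell
#!/bin/sh
# Added example: report whether IPv6 is really off on one interface.
# ROOT is normally /proc; it is a parameter so a constructed tree can be checked too.

# ipv6_addrs ROOT IFACE -> prints the IPv6 addresses (hex) bound to IFACE
ipv6_addrs() {
    [ -r "$1/net/if_inet6" ] || return 0
    awk -v dev="$2" '$6 == dev { print $1 }' "$1/net/if_inet6"
}

# ipv6_knob ROOT IFACE NAME -> prints the sysctl value, or "absent"
ipv6_knob() {
    f="$1/sys/net/ipv6/conf/$2/$3"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# ipv6_check ROOT IFACE -> 0 only if disable_ipv6=1 and no address is bound
ipv6_check() {
    root=$1; dev=$2
    dis=$(ipv6_knob "$root" "$dev" disable_ipv6)
    echo "$dev: disable_ipv6=$dis autoconf=$(ipv6_knob "$root" "$dev" autoconf)" \
         "accept_ra=$(ipv6_knob "$root" "$dev" accept_ra)"
    addrs=$(ipv6_addrs "$root" "$dev")
    if [ -n "$addrs" ]; then
        echo "$dev: still has IPv6 address(es): $addrs"
        return 1
    fi
    if [ "$dis" != 1 ]; then
        echo "$dev: no address now, but disable_ipv6 is not 1"
        return 1
    fi
    echo "$dev: IPv6 is off"
}

# make_sample DIR DISABLE -> constructed /proc-like tree for br1 (sample data, not real output)
make_sample() {
    c="$1/sys/net/ipv6/conf/br1"
    mkdir -p "$1/net" "$c"
    echo 0 > "$c/autoconf"; echo 0 > "$c/accept_ra"
    echo "$2" > "$c/disable_ipv6"
    : > "$1/net/if_inet6"
    # Constructed link-local entry: address, ifindex, prefix length, scope, flags, device
    if [ "$2" = 0 ]; then echo "fe80000000000000021122fffe334455 03 40 20 80      br1" >> "$1/net/if_inet6"; fi
}

if [ $# -ge 1 ]; then
    ipv6_check /proc "$1"          # e.g. sh check.sh br1
else
    tmp=$(mktemp -d); make_sample "$tmp" 0; ipv6_check "$tmp" br1 || true; rm -rf "$tmp"
fi
```

Run with an interface name to check the live system, or with no arguments to see the failing case on the constructed sample.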



