Impossible to disable IPv6 auto, params "accept_ra & autoconf = 0" have no effect on VLAN interfaces

Bug #1345847 reported by Thiago Martins
This bug affects 2 people
Affects: ifupdown (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Guys,

I'm trying to disable IPv6 autoconf (and accept_ra too) in one of my servers (Samba4 AD DC) and I am unable to disable it. IPv6 keeps appearing no matter what.

Steps to reproduce:

1- Join a Network with a working IPv6 radvd within a tagged VLAN 10, for example:

* Router Ubuntu with:

--
interface vlan10 {
        AdvSendAdvert on;
        MinRtrAdvInterval 5;
        MaxRtrAdvInterval 20;
        AdvLinkMTU 1500;
        AdvDefaultPreference high;
        prefix 2001:db8:1:10::/64 {
                DeprecatePrefix on;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        route ::/0 {
                RemoveRoute on;
        };
        RDNSS 2001:4860:4860::8844 2001:4860:4860::8888 { };
        DNSSL domain.com.br { };
};
--

 Of course, for example, vlan10 on the Ubuntu router has IPv6 addr = 2001:db8:1:10::1/64, so radvd can work. Also, vlan10 of the router has IPv4 172.16.0.1/24 (it is a dual-stacked router).

-----

2- Configure your Ubuntu 14.04 server interfaces like this:

--
auto vlan10
iface vlan10 inet static
 vlan_raw_device eth0
 accept_ra 0
 autoconf 0
 address 172.16.0.10
 netmask 24
 gateway 172.16.0.1
 dns-nameservers 172.16.0.1
--

3- Turn it up:

--
ifup vlan10
--

* Here is the BUG, IPv6 appears anyway! But it should not!

-
root@ubuntu-srv-1:~# ip -6 r
2001:db8:1:10::/64 dev vlan10 proto kernel metric 256 expires 86389sec
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev vlan10 proto kernel metric 256
default via fe80::5054:ff:feae:1407 dev vlan10 proto ra metric 1024 expires 49sec
-

 This is undesired and a security breach. It facilitates MITM IPv6 attacks for tagged vlans.

--

 As a workaround, I'm adding the following lines at my /etc/rc.local (of ubuntu-srv-1):

--
# Workaround against IPv6 autoconf & accept_ra
sysctl -p
ifconfig vlan10 down ; ifconfig vlan10 up
--

Where "sysctl -p" returns:

--
root@ubuntu-srv-1:~# sysctl -p
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.eth0.accept_ra = 0
net.ipv6.conf.eth0.autoconf = 0
net.ipv6.conf.vlan10.accept_ra = 0
net.ipv6.conf.vlan10.autoconf = 0
--

This workaround is the only way I'm seeing to completely disable IPv6 for this server (ubuntu-srv-1).

Best,
Thiago

Thiago Martins (martinx) wrote :

Oops! I think this BUG belongs to the "ifupdown" package, not to "linux"! Am I right?!

Thiago Martins (martinx)
affects: linux (Ubuntu) → ifupdown (Ubuntu)
Thiago Martins (martinx) wrote :

BTW,

The following lines of sysctl.conf also have no effect:

--
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
--

I started with it but, IPv6 appeared anyway... That's why at first, I thought it was a Linux BUG...

Nevertheless, I think that the above lines were intended to completely disable IPv6, independently of ifupdown... Right?! But it did not work either.

Best,
Thiago

Thiago Martins (martinx) wrote :

I have a better workaround for this:

`sysctl -p` now returns:

--
root@ubuntu-srv-1:~# sysctl -p
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.eth0.accept_ra = 0
net.ipv6.conf.eth0.autoconf = 0
--

And /etc/network/interfaces contains:

--
iface eth0.10 inet manual
 up echo 0 > /proc/sys/net/ipv6/conf/eth0.120/accept_ra
 up echo 0 > /proc/sys/net/ipv6/conf/eth0.120/autoconf
 up ip link set dev $IFACE up
 up ip addr add 172.16.0.10/24 dev $IFACE
 up ip route add default via 172.16.0.1
--

IPv6 did not appear, as expected...

-
 Thiago

Thiago Martins (martinx) wrote :

ERRATA:

And /etc/network/interfaces contains:

--
iface eth0.10 inet manual
 up echo 0 > /proc/sys/net/ipv6/conf/eth0.10/accept_ra
 up echo 0 > /proc/sys/net/ipv6/conf/eth0.10/autoconf
 up ip link set dev $IFACE up
 up ip addr add 172.16.0.10/24 dev $IFACE
 up ip route add default via 172.16.0.1
--

information type: Private Security → Public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ifupdown (Ubuntu):
status: New → Confirmed
Vintozver (vintozver) wrote :

This is a kernel bug. I don't have ifupdown (use networkd instead) - problem confirmed.
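
A check for the condition reported in this bug, as an added example that is not part of the report or of ifupdown: it lists interfaces whose accept_ra or autoconf is still non-zero, and interfaces that carry RA-derived routes. The function names and the directory argument are assumptions made for the example; the sample route table is the one quoted in the bug description.

```shell
#!/bin/sh
# Added example, not from the bug report: audits what the report checks by hand.

# audit_ra_sysctl [DIR]: print "<iface> <key>=<value>" for each interface under
# DIR whose accept_ra or autoconf is not 0. DIR defaults to the live /proc tree.
# "default" is audited too: it holds the values a newly created interface
# (such as a VLAN) starts with.
audit_ra_sysctl() {
    conf_dir=${1:-/proc/sys/net/ipv6/conf}
    for dir in "$conf_dir"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for key in accept_ra autoconf; do
            [ -r "$dir$key" ] || continue
            val=$(cat "$dir$key")
            [ "$val" = "0" ] || echo "$iface $key=$val"
        done
    done
}

# ra_route_ifaces: read `ip -6 route` output on stdin; print each interface with
# a route learned from a router advertisement: "proto ra", or a "proto kernel"
# prefix route that has a lifetime ("expires"), as autoconfigured prefixes do.
ra_route_ifaces() {
    awk '{
        dev = ""; proto = ""; ttl = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "proto") proto = $(i + 1)
            if ($i == "expires") ttl = 1
        }
        learned = (proto == "ra" || (proto == "kernel" && ttl))
        if (learned && dev != "" && !(dev in seen)) { seen[dev] = 1; print dev }
    }'
}

# Sample input: the `ip -6 r` output quoted in the bug description.
sample_routes() { cat <<'EOF'
2001:db8:1:10::/64 dev vlan10 proto kernel metric 256 expires 86389sec
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev vlan10 proto kernel metric 256
default via fe80::5054:ff:feae:1407 dev vlan10 proto ra metric 1024 expires 49sec
EOF
}

sample_routes | ra_route_ifaces    # prints: vlan10
```

On a live host, call `audit_ra_sysctl` with no argument and pipe `ip -6 route` into `ra_route_ifaces` after the interface has been brought up.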
