Disable IPv6 on a per interface bassis

[Red Squirrel]

I don't know much about IPv6 (want to eventually play around with it) so that creates a security obscurity as I don't know how to properlly secure stuff when it comes to it. I rather just disable it outright on a per interface bassis (not global) and I can always enable it on specific interfaces as needed when I get around to learning more about it.

I have multiple vlans setup on my server and it's very important that traffic from one can't spill to the other, so the interfaces are simply there so they can be assigned to VMs. I don't want them to have any kind of IP. It seems with ipv6 they get an IP no matter what. Ex here is my config for one of the vlans:

VLAN=yes
DEVICE=eth0.3
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
#IPADDR=10.1.1.11
#NETMASK=255.255.0.0

IPV6INIT=no
IPV6_AUTOCONF=no

Yet if I do ifconfig:

eth0.3    Link encap:Ethernet  HWaddr 00:1C:C0:41:8F:97  
          inet6 addr: fe80::21c:c0ff:fe41:8f97/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:294 (294.0 b)  TX bytes:468 (468.0 b)

It has an IP. So if there was by chance something malicious on one vlan, it could potentially use ipv6 instead of ipv4 and then connect to my server. I don't want this to be possible.

I suppose worse case scenario I can block in iptables, but I rather it simply not have an IP, it's a long shot but there's always the chance that there's a security issue with IPtables at one point, or the service fails to start, etc.

Anything I can do to stop it from getting an IP?

 

[theevilsharpie]

Which distro?

It looks like you're using a Red Hat-based distro.

I'm not a Red Hat expert, but I believe you can disable IP communication entirely by just removing anything involving IP from the interface configuration file. This will, of course, prevent you from using those interfaces for communication via the server directly, but you should be fine with your VMs.

Also, the recommending practice from giving VMs network access is via bridging, not via assigning an interface directly. The Linux bridging tools are commonly used for this, and Red Hat has bridge configuration information with virtualization as a use case in their documentation. You can also use Open vSwitch if you've got some special bridging needs.

 

[mv2devnull]

http://wiki.centos.org/FAQ/CentOS6#head-d47139912868bcb9d754441ecb6a8a10d41781df

ls /proc/sys/net/ipv6/conf/

 

[Red Squirrel]

Which distro?

It looks like you're using a Red Hat-based distro.

I'm not a Red Hat expert, but I believe you can disable IP communication entirely by just removing anything involving IP from the interface configuration file. This will, of course, prevent you from using those interfaces for communication via the server directly, but you should be fine with your VMs.

Also, the recommending practice from giving VMs network access is via bridging, not via assigning an interface directly. The Linux bridging tools are commonly used for this, and Red Hat has bridge configuration information with virtualization as a use case in their documentation. You can also use Open vSwitch if you've got some special bridging needs.

Works for ipv4 but it seems to still get an ipv6 address. And I AM using bridging... these are the vlan interfaces, so depending which vlan I want the vm on I bridge it to it.

I ended up just installin ip6tables and blocking all ipv6 traffic.

Is there not a way to set an interface to only operate at layer 2 though? That would be the most secure way of ensuring vlan hopping cannot happen between vms.