IPv6 shouldn’t be disabled you say? You’re probably right. Here is how you do it anyway:
What is IPv6?
IPv6 is a network communication protocol stack for addressing. IPv4 is the “old” way, and is supported nearly everywhere. IPv6 addressing support is quickly becoming available everywhere too (10% usage in 2016, a full 20 years after it was actually designed).
The reason for IPv6 is to remedy the quickly vanishing pool of available IPv4 addresses. As you might know, IPv4 addresses in the private namespace are not routable and are defined in RFC1918:
Everything else not in this range is considered public, and routable. The problem is that we have run out of public IP addresses. To fix this, IPv6 addressing was invented.
IPv6 addresses look like:
This is a 64-bit + 64-bit identifier, which allows for many more possible addresses. Problem solved, right?
See If IPv6 is Configured
IPv6 can be enabled in the kernel yet disabled at the interface/networking level, or blocked at the firewall level. Decide which method of “disable” meets your criteria.
For the kernel, look at the output of the command sysctl. If it returns nothing, IPv6 is disabled at the kernel. If it shows a bunch of lines of data related to IPv6, then the kernel is allowing the protocol.
sysctl -a | grep ipv6
ifconfig will also show whether networking is enabled for IPv6. Addresses in the x.x.x.x format are IPv4. Addresses with :: in them are IPv6.
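The kernel and interface checks described above can also be made by reading the state under /proc directly, which separates "no IPv6 stack at all" from "stack present but switched off". This script is an added example, not part of the original post; the function names and the PROC_ROOT override are assumptions of the example.

```sh
#!/bin/sh
# Added example. PROC_ROOT and the function names are this example's own;
# every function takes an optional root directory (default /proc).

# Kernel layer. Prints:
#   absent   - no sys/net/ipv6 tree (the case where the sysctl check prints nothing)
#   disabled - tree exists but net.ipv6.conf.all.disable_ipv6 is 1
#   enabled  - tree exists and IPv6 is not disabled globally
ipv6_kernel_state() {
    root="${1:-${PROC_ROOT:-/proc}}"
    knob="$root/sys/net/ipv6/conf/all/disable_ipv6"
    if [ ! -r "$knob" ]; then
        echo absent
    elif [ "$(cat "$knob")" = "1" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Interface layer, part 1: per-interface disable_ipv6 value ("<dev> <0|1>").
ipv6_iface_knobs() {
    root="${1:-${PROC_ROOT:-/proc}}"
    for f in "$root"/sys/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue
        dev=${f%/disable_ipv6}
        echo "${dev##*/} $(cat "$f")"
    done
}

# Interface layer, part 2: addresses actually configured. Each line of
# net/if_inet6 is: <32 hex digits> <ifindex> <prefixlen> <scope> <flags> <dev>
# Prints "<dev> <uncompressed address>/<prefix length in decimal>".
ipv6_addresses() {
    root="${1:-${PROC_ROOT:-/proc}}"
    [ -r "$root/net/if_inet6" ] || return 0
    while read -r addr _idx plen _scope _flags dev; do
        [ -n "$dev" ] || continue
        groups=$(echo "$addr" | sed 's/..../&:/g; s/:$//')
        echo "$dev $groups/$((0x$plen))"
    done < "$root/net/if_inet6"
}

# Report for the live system when run directly.
echo "kernel: $(ipv6_kernel_state)"
ipv6_iface_knobs
ipv6_addresses
```

A result of "disabled" together with a non-empty address list, or an interface whose value is 0 while "all" is 1, is worth a second look before assuming IPv6 is off.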
Do You Have Apps Configured for IPv6?
SSH configs are pretty easy. Just modify the line in your /etc/ssh/sshd_config to disable IPv6:
What else do you have configured that is looking for IPv6? By default you might have mail utilities, apt, CPAN, Apache, and MySQL. Look at your netstat output to tell you what needs priority in configuring properly, and then read the docs for each application:
IPv6 Firewall Rules
Finally, you can disable IPv6 at the firewall. What do your rules say?
# ufw status verbose
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN 220.127.116.11
If your default isn’t deny, then it’s probably not a very effective policy. You will be able to see specific IPv6 or IPv4 rules this way though.
Why Disable IPv6?
There are several reasons why you might want to disable IPv6. Here are just a few:
- Legacy applications
  - At the application level, adding IPv6 will require additional coding (somewhere). If your applications do not talk on the same addressing space, well – they don’t talk at all. Making sure that the addressing space works for office A, office B, and across the world at office C doesn’t make things less complicated either.
- Security Configurations
  - Improperly configured firewall rules might block traffic over IPv4 while still allowing it over IPv6 (a simple example)
  - You will need to understand IPv6. The cost of properly setting it up to work with all equipment might be more than budget allows. Improper setup is an invitation to attack.
For example, apt or CPAN might hang until you go in and fix IPv6. It’s annoying. Fixing each application to use the proper addressing is easy, but it’s still annoying.
These are the common reasons people might use. Perhaps you have other reasons?
Why Should You Use IPv6?
There are several valid reasons that you should just bite the bullet and use IPv6:
- End to End Encryption
  - Once everyone starts using IPv6, MITM attacks will become much more difficult.
- 128 Bits’ Worth of Addressing
  - There are only 4.3 billion addresses available to IPv4. IPv6 has a number available that I could write and you probably won’t fathom (3.4×10^38). I don’t even know what to call this number, do you? (I don’t care really)
- More Secure Name Resolution
  - The SEND protocol can cryptographically confirm host identity. This makes ARP poisoning more difficult.
- Better Routing
  - The routing tables are more compact and thus more efficient.
- Better Packet Processing
  - IPv4 has an overhead of checksum processing, and IPv6 does not. This is handled at other layers already so is not needed.
- Multicast Send
  - IPv6 allows for multicast senders, freeing disinterested hosts from even processing the packets and reducing network workload overhead.
- Reduced Complexity
  - Networks could feasibly get rid of NATs and other address-reducing methods, thus improving security by making things more logical to troubleshoot/fix/administer.
These are some of the common arguments for IPv6. Obviously though, you need to implement IPv6 to experience these benefits.
At least you know what you are disabling.
Ok – So Ready to Disable IPv6
Modify grub and it should work fine on Ubuntu 18.04
sudo vim /etc/default/grub
You can probably fix some errors (especially app misconfigurations) by simply applying the band-aid of “disable IPv6”, but it would be better to look at each app and configure it properly to use or not use IPv6, instead of disabling it on your server completely.