touch-packages team mailing list archive

[Bug 1345847] Re: Impossible to disable IPv6 auto, params "accept_ra & autoconf = 0" have no effect on VLAN interfaces

 

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ifupdown in Ubuntu.
https://bugs.launchpad.net/bugs/1345847

Title:
  Impossible to disable IPv6 auto, params "accept_ra & autoconf = 0"
  have no effect on VLAN interfaces

Status in “ifupdown” package in Ubuntu:
  New

Bug description:
  Guys,

  I'm trying to disable IPv6 autoconf (and accept_ra too) in one of my
  servers (Samba4 AC DC) and I am unable to disable it. IPv6 keeps
  appearing no matter what.

  Steps to reproduce:

  1- Join a Network with a working IPv6 radvd within a tagged VLAN 10,
  for example:

  * Router Ubuntu with:

  --
  interface vlan10 {
          AdvSendAdvert on;
          MinRtrAdvInterval 5;
          MaxRtrAdvInterval 20;
          AdvLinkMTU 1500;
          AdvDefaultPreference high;
          prefix 2001:db8:1:10::/64 {
                  DeprecatePrefix on;
                  AdvOnLink on;
                  AdvAutonomous on;
                  AdvRouterAddr on;
          };
          route ::/0 {
                  RemoveRoute on;
          };
          RDNSS 2001:4860:4860::8844 2001:4860:4860::8888 { };
          DNSSL domain.com.br { };
  };
  --

   Of course, for example, vlan10 on the Ubuntu router has IPv6 addr =
  2001:db8:1:10::1/64, so radvd can work. Also, vlan10 of the router has
  IPv4 172.16.0.1/24 (it is a dual-stacked router).

  -----

  2- Configure your Ubuntu 14.04 server interfaces like this:

  --
  auto vlan10
  iface vlan10 inet static
  	vlan_raw_device eth0
  	accept_ra 0
  	autoconf 0
  	address 172.16.0.10
  	netmask 24
  	gateway 172.16.0.1
  	dns-nameservers 172.16.0.1
  --

  3- Turn it up:

  --
  ifup vlan10

  * Here is the BUG, IPv6 appears anyway! But it should not!

  -
  root@ubuntu-srv-1:~# ip -6 r
  2001:db8:1:10::/64 dev vlan10  proto kernel  metric 256  expires 86389sec
  fe80::/64 dev eth0  proto kernel  metric 256 
  fe80::/64 dev vlan10  proto kernel  metric 256 
  default via fe80::5054:ff:feae:1407 dev vlan10  proto ra  metric 1024  expires 49sec
  -

   This is undesired and a security breach. It facilitates MITM IPv6
  attacks for tagged vlans.

  --

   As a workaround, I'm adding the following lines at my /etc/rc.local
  (of ubuntu-srv-1):

  --
  # Workaround against IPv6 autoconf & accept_ra
  sysctl -p
  ifconfig vlan10 down ; ifconfig vlan10 up
  --

  Where "sysctl -p" returns:

  --
  root@ubuntu-srv-1:~# sysctl -p
  net.ipv6.conf.all.accept_ra = 0
  net.ipv6.conf.all.autoconf = 0
  net.ipv6.conf.eth0.accept_ra = 0
  net.ipv6.conf.eth0.autoconf = 0
  net.ipv6.conf.vlan10.accept_ra = 0
  net.ipv6.conf.vlan10.autoconf = 0
  --

  This workaround is the only way I'm seeing to completely disable IPv6
  for this server (ubuntu-srv-1).

  Best,
  Thiago
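
A way to check for the condition described in the report, as an added example that is not part of the original bug report: it parses `ip -6 route` output and flags routes that came from Router Advertisements. The function names `ra_routes` and `check_iface` are hypothetical, and the embedded sample is the `ip -6 r` output quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Flags IPv6 routes that came from
# Router Advertisements in `ip -6 route` output read on stdin.
# Output: "<dev> <reason> <destination>"; optional $1 limits it to one device.
ra_routes() {
    awk -v want="${1:-}" '
    {
        dev = ""; proto = ""; expires = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "dev")     dev = $(i + 1)
            if ($i == "proto")   proto = $(i + 1)
            if ($i == "expires") expires = 1
        }
        if (dev == "" || (want != "" && dev != want)) next
        # "proto ra": route installed directly from an RA (the default route).
        if (proto == "ra")
            print dev, "ra-route", $1
        # Assumption: an expiring, non-link-local kernel prefix route is the
        # on-link prefix taken from an RA, as in the output quoted in the report.
        else if (proto == "kernel" && expires && $1 !~ /^fe80:/)
            print dev, "ra-prefix", $1
    }'
}

# Print the live sysctl values for an interface and fail if RA state remains.
check_iface() {
    for key in accept_ra autoconf; do
        f="/proc/sys/net/ipv6/conf/$1/$key"
        if [ -r "$f" ]; then echo "$1 $key=$(cat "$f")"; fi
    done
    hits=$(ip -6 route show | ra_routes "$1")
    if [ -n "$hits" ]; then echo "$hits"; return 1; fi
    return 0
}

# The `ip -6 r` output quoted in the report, embedded so this runs offline.
SAMPLE='2001:db8:1:10::/64 dev vlan10  proto kernel  metric 256  expires 86389sec
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev vlan10  proto kernel  metric 256
default via fe80::5054:ff:feae:1407 dev vlan10  proto ra  metric 1024  expires 49sec'

if [ "$#" -gt 0 ]; then
    check_iface "$1"          # live check on a host, e.g. with argument vlan10
else
    printf '%s\n' "$SAMPLE" | ra_routes
fi
```

Run with an interface name as the argument, the script exits non-zero while that interface still carries RA-derived routes, which makes it usable as a post-`ifup` check.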
