
Matthew Cengia <mattcen@gmail.com> wrote:
How can I prevent these other interfaces obtaining IPv6 addresses if these are being auto-configured via route advertisements etc.? Assuming that's achievable reliably, I agree this is probably the best way to ensure my primary FR: keeping my downstream IPv4 networks secure.
Let's see if this clarifies the situation. My machine has native IPv6 from Internode. ppp0 is the ADSL link (it's a Traverse Technologies Solos card). DHCPv6 prefix delegation is used to obtain a /56 block of IPv6 addresses and to assign a /64 block to the eth0 interface. I then have radvd configured to send router advertisements out eth0; this entails that every machine on the LAN accessible from eth0 will receive a publicly routable IPv6 address, with my primary host as the gateway. radvd.conf looks like this:

    interface eth0 {
        AdvSendAdvert on;
        prefix ::/64 {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
        };
    };

Apologies for the indentation - let's fix that.

Now obviously, if there were an eth1 interface it wouldn't receive an IPv6 address unless I configured it to do so. Even if I did that, I would have to add an entry to radvd.conf before machines connected to eth1 would start receiving v6 addresses.

In case you're interested, /etc/wide-dhcpv6/dhcp6c.conf is as follows:

    interface ppp0 {
        send ia-pd 0;
    #   script "/etc/wide-dhcpv6/dhcp6c-script";
    };

    id-assoc pd {
        prefix-interface eth0 {
            sla-id 0;
            sla-len 8;
            ifid 2;
        };
    };

We receive a /56 block from the ISP and assign a /64 to eth0 (with all 0 bits in the network part of the address, i.e., bits 56-64). We then have a host address with 2 as the last digit, and the rest 0 (for historical reasons - I used to have another machine ending in ::1, which served as the router back then).

Putting this together we have eth0 with 2001:44b8:412f:6e00::2 and ppp0 with a link local address, and a default route which is in fact the host at the other end of the PPP link (it's point-to-point, after all).
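The address arithmetic described in the message above, as an added example (not part of the original post and not wide-dhcpv6's own code). It assumes the delegated prefix is 2001:44b8:412f:6e00::/56, as implied by the eth0 address quoted above; the function names and the eth1 stanza with sla-id 1 are hypothetical and only show that each downstream interface gets a /64 solely when it is given its own prefix-interface entry.

```python
import ipaddress

def derive(delegated, sla_id, sla_len, ifid):
    """Combine a delegated prefix with sla-id/sla-len/ifid as the post describes.

    Returns (subnet, interface_address). Raises ValueError when a value does
    not fit in the bits available for it.
    """
    pd = ipaddress.IPv6Network(delegated)
    new_len = pd.prefixlen + sla_len          # /56 + 8 bits -> /64
    if new_len > 128:
        raise ValueError("sla-len too large for delegated prefix")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError("sla-id does not fit in sla-len bits")
    host_bits = 128 - new_len
    if not 0 <= ifid < (1 << host_bits):
        raise ValueError("ifid does not fit in the host part")
    base = int(pd.network_address) | (sla_id << host_bits)
    subnet = ipaddress.IPv6Network((base, new_len))
    address = ipaddress.IPv6Interface((base | ifid, new_len))
    return subnet, address

def plan(delegated, stanzas, sla_len=8):
    """Map interface name -> (subnet, address) and reject reused sla-ids.

    Interfaces absent from `stanzas` get no entry, i.e. no global prefix.
    """
    seen, result = {}, {}
    for ifname, (sla_id, ifid) in stanzas.items():
        if sla_id in seen:
            raise ValueError(f"sla-id {sla_id} used by {seen[sla_id]} and {ifname}")
        seen[sla_id] = ifname
        result[ifname] = derive(delegated, sla_id, sla_len, ifid)
    return result

if __name__ == "__main__":
    PD = "2001:44b8:412f:6e00::/56"           # assumed from the eth0 address in the post
    # eth0 values are from the post; eth1 is a hypothetical second stanza.
    for name, (net, addr) in plan(PD, {"eth0": (0, 2), "eth1": (1, 1)}).items():
        # A /64 is what SLAAC (AdvAutonomous on) needs for downstream hosts.
        print(f"{name}: address {addr}, advertise {net}, slaac_ok={net.prefixlen == 64}")
```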