
Hi,

On 12 June 2013 15:18, Trent W. Buck <trentbuck@gmail.com> wrote:
John Mann <john.mann@monash.edu> writes:
I would control traffic by giving ppp0, ip6test, and lo interfaces IPv6 addresses, and not giving IPv6 addresses to the interfaces you do not want to send/receive IPv6 traffic.
IME if you enable IPv6 in the kernel, EVERY up interface will have an IPv6 address (the link-local one, I suppose).
What happens with interfaces depends upon how they are configured: Debian v. Red Hat, etc.

I just checked on Ubuntu 12.10 ---

    $ sysctl -a | grep ipv6.*disable
    net.ipv6.conf.all.disable_ipv6 = 0
    net.ipv6.conf.default.disable_ipv6 = 0
    net.ipv6.conf.eth0.disable_ipv6 = 0
    net.ipv6.conf.eth1.disable_ipv6 = 0
    net.ipv6.conf.lo.disable_ipv6 = 0
    $ sysctl net.ipv6.conf.eth1.disable_ipv6=1

deleted all IPv6 addresses from eth1, including the link-local addresses.
Also, without IPv6 enabled, it won't receive IPv6 packets on those interfaces.
Are you asserting that if IPv6 is enabled in-kernel, but an interface has no IPv6 address, IPv6 traffic arriving on that interface will be dropped on the floor? What about broadcast traffic?
I am asserting that without IPv6 enabled, any IPv6 packets won't be passed up to the networking stack. But, I'm a networking guy, and my priority is to enable things wherever I can, rather than a security guy, whose priority is to block everything that isn't essential.

John
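
An added example, not part of the original thread: a shell check that reads `sysctl -a` style output and lists interfaces that still have IPv6 enabled although they are not on an allow-list. The allow-list reuses the interface names mentioned in the thread; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Interfaces that are meant to carry IPv6 (names taken from the thread).
ALLOWED="ppp0 ip6test lo"

# Constructed sample in the format printed by `sysctl -a`
# (not captured from a real host).
SAMPLE='net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.ppp0.disable_ipv6 = 0'

# Read sysctl lines on stdin; print every interface whose disable_ipv6
# is 0 and that is not in the allow-list ($1, space separated).
unexpected_ipv6() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^net\.ipv6\.conf\..*\.disable_ipv6 = / {
            name = $1
            sub(/^net\.ipv6\.conf\./, "", name)
            sub(/\.disable_ipv6$/, "", name)
            # "all" and "default" are not real interfaces
            if (name == "all" || name == "default") next
            if ($3 == "0" && !(name in ok)) print name
        }'
}

# "default" is inherited by interfaces created later, so report it
# separately: prints "yes" if new interfaces will come up with IPv6.
default_enabled() {
    awk '$1 == "net.ipv6.conf.default.disable_ipv6" {
        if ($3 == "0") print "yes"; else print "no"
    }'
}

# On a live host:  sysctl -a 2>/dev/null | unexpected_ipv6 "$ALLOWED"
```
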