Official guidance to permanently disabling IPv6 on CentOS 7

sawozny
Posts: 48
Joined: 2019/07/13 22:19:14

Official guidance to permanently disabling IPv6 on CentOS 7

Post by sawozny » 2019/07/13 23:41:02

Greetings CentOS 7 Gurus,

Is there a standard set of instructions for permanently disabling IPv6 in CentOS 7? There seem to be a number of articles on the web that include a number of options to do this, but I was wondering if there was any sort of central “official” guidance on the process. I’m looking to do so purely for minimizing attack surface on my machines directly connected to the Internet. My ISP doesn’t offer IPv6 connectivity at this time, but if it ever gets turned on without my knowledge I want to be as deaf to it as I can be.

In Anaconda there is an Ignore option in the IPv6 settings tab of NIC configuration, but even when I choose it over the default Automatic, IPv6 is still enabled. Does anyone know what “ignore” means in this context? The IPv4 settings tab allows you to choose Disabled. Does anyone know the reason it’s not an option for IPv6?

Because I want this to be permanent, I didn’t want to change kernel boot options by adding ipv6.disable=1 to GRUB_CMDLINE_LINUX in /etc/default/grub. My experience has been that stuff like that has the tendency to get overwritten at the worst possible times so, irrational or not, I’m avoiding that option.

I considered adding net.ipv6.conf.all.disable_ipv6 = 1 and net.ipv6.conf.default.disable_ipv6 = 1 to /etc/sysctl.conf but when I took a look at the actual sysctl.conf file, the first line says those settings are controlled through /usr/lib/sysctl.d, /run/sysctl.d and /etc/sysctl.d. When I looked in /etc/sysctl.d there was a single 99-sysctl.conf file that contained exactly what I saw in /etc/sysctl.conf. So which file should I add the ipv6 disablement parameters to or is it best practice to add a new file with those parameters in /etc/sysctl.d and, if so, is there a best practice naming convention for files in the /etc/sysctl.d directory? I understand that there’s a variety of ways to accomplish this goal as evidenced by the variety of documents on the web that propose slightly different solutions, but I’m trying to find out if there’s a BEST way to do it. Further to this approach, some guidance also suggests including net.ipv6.conf.lo.disable_ipv6 = 1 in sysctl.conf. Is there any reason to include “lo” when “all” seems to be a superset including “lo”? And, for that matter, why does all the guidance seem to include the “default” parameter? Isn’t “all” a superset that includes “default” or am I failing to understand the syntax of these parameters?

There are also suggestions to set IPV6INIT="no" in /etc/sysconfig/network-scripts/ifcfg-eth* and set NETWORKING_IPV6=no in /etc/sysconfig/network. This seems simpler, but since I only found the approach mentioned in one place I was wondering if it isn’t effective or has side effects that might cause problems down the road.

While on the topic of how to best do this, several of the guidance documents I found recommend also making changes to /etc/ssh/sshd_config and /etc/postfix/main.cf but those are also inconsistent. Both appear to need adjustments to their configuration to stop the related daemons from attaching themselves to a disabled IPv6 interface (since total removal does not appear to be an option). Is that correct?

For SSHD, some guidance suggests to change the #AddressFamily any line to AddressFamily inet and some suggests removing the comment # from ListenAddress 0.0.0.0 which seems to me would both have SSHD try to attach itself to all IPv4 interfaces. Is one better than the other?

For Postfix, guidance that mentions it suggests commenting out inet_interfaces = localhost in main.cf (which, I assume, includes ALL loopbacks, IPv4 and IPv6) and adding inet_interfaces = 127.0.0.1 (the explicitly defined IPv4 loopback) instead. This seems to be the only unambiguous part of this process and I’m only mentioning it here for completeness and to see if anyone can think of a reason to do it differently.

Finally, I’ve seen suggestions to remove the IPv6 loopback address from /etc/hosts. Good idea? Bad idea? Why? My instinct is to remove anything that could possibly breathe life back into IPv6 unexpectedly, but I’m also a little leery of removing a default line from a core system configuration file without even trying to determine the effects.

Sorry this rambled on a bit, but permanently disabling IPv6 turned out to be a much larger topic than I thought it would be. Any of your thoughts and experiences would be appreciated and if there’s an official doc I missed on this, I would love to hear about it.

Thanks,

Scott
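The question above of which sysctl.d file "wins" can be answered mechanically. The script below is an added example, not from the thread or from CentOS itself; it resolves a key the way systemd-sysctl on CentOS 7 does, assuming these rules: *.conf files are read from /etc/sysctl.d, /run/sysctl.d and /usr/lib/sysctl.d, a file name present in several directories is taken only from the highest-priority one (/etc over /run over /usr/lib), /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf, and the surviving files are applied in lexical order of name so the last assignment of a key wins.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves the effective value of a sysctl key
# under the assumed systemd-sysctl rules described in the lead-in:
#   * *.conf files come from /etc/sysctl.d, /run/sysctl.d and /usr/lib/sysctl.d;
#     the same name in several directories is used from the highest-priority one
#     (/etc > /run > /usr/lib); /etc/sysctl.conf is seen as "99-sysctl.conf"
#     through the symlink CentOS 7 ships;
#   * the surviving files are applied in lexical order of file name, so the last
#     assignment of a key wins.

# effective_sysctl ROOT KEY: print the winning value of KEY, or nothing if no file sets it.
# ROOT is prefixed to the directories so the logic can be exercised on a fake tree.
effective_sysctl() {
    root=$1; key=$2; value=""; names=""
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')      # literal dots in the regex
    for dir in "$root/etc/sysctl.d" "$root/run/sysctl.d" "$root/usr/lib/sysctl.d"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            names="$names $(basename "$f")"
        done
    done
    for name in $(printf '%s\n' $names | sort -u); do
        for dir in "$root/etc/sysctl.d" "$root/run/sysctl.d" "$root/usr/lib/sysctl.d"; do
            f="$dir/$name"
            [ -f "$f" ] || continue
            # "key = value" or "key=value"; comment lines never match; last match in file wins
            v=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$f" \
                | sed 's/[[:space:]]*$//' | tail -n 1)
            [ -n "$v" ] && value=$v
            break                                       # higher-priority copy shadows the rest
        done
    done
    printf '%s\n' "$value"
}

# Stand-alone use: with SYSCTL_ROOT unset this inspects the running host's own files.
for k in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6 \
         net.ipv6.conf.lo.disable_ipv6; do
    printf '%s -> %s\n' "$k" "$(effective_sysctl "${SYSCTL_ROOT:-}" "$k")"
done
```

One consequence worth knowing: a key set in /etc/sysctl.d/10-ipv6.conf is overridden by the same key in /etc/sysctl.conf, because that file is applied last as 99-sysctl.conf.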

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by hunter86_bg » 2019/07/15 03:43:33

Hi,

Sadly, Red Hat will not recommend complete disabling of IPv6. Many of the tools will work poorly or won't accept that change, thus I would not recommend complete disable. You will hit numerous bugs if you disable ipv6.

Just leave it to 'ignore' during deployment and don't bother with it.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by TrevorH » 2019/07/15 06:25:39

Any of your thoughts and experiences would be appreciated and if there’s an official doc I missed on this, I would love to hear about it.
Yes, don't disable it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

sawozny
Posts: 48
Joined: 2019/07/13 22:19:14

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by sawozny » 2019/07/21 23:40:55

Thank you both for your feedback. After looking into this further, I can definitely see the risks of disabling IPv6 in its entirety. It looks like the Ignore option during installation sets IPV6INIT=no in the ifcfg-device file of any interface you turn on during install (all other physical interfaces have ONBOOT=no, which seems to be the “off”-est you can make an interface).

My concern is that even with IPV6INIT=no the interface still gets an FE80 link-local address and sends out a packet looking for a router when it comes up. While it’s not a globally routable address, it still appears to be accessible by local neighbours, and as this machine will be in a shared colocation facility I don’t trust my neighbours (yes, I know the colo provider should filter traffic from my neighbours, but to paraphrase Tony Montana, the only one I trust is me).

So, agreeing that booting the kernel with ipv6.disable=1 is a bad idea, do you also caution against using sysctl to set net.ipv6.conf.all.disable_ipv6 = 1, net.ipv6.conf.default.disable_ipv6 = 1 and net.ipv6.conf.lo.disable_ipv6 = 1? If that’s the case, how do you recommend protecting any connected interface from local attack? I know the firewall only allows SSHv6 and DHCPv6 inbound by default, so should I close those holes, set a DROP on all outbound IPv6 traffic and call it a day? Or is there a better approach?

Thanks,

Scott

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by avij » 2019/07/22 01:09:45

Maybe you should consider disabling IPv6 on a per-daemon basis. ss -lnp6 (or some variation) may be useful for this.

I have done a similar thing to reduce attack surface, only that I did the other way around -- I disabled IPv4 and used my server over IPv6.
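To make the per-daemon approach concrete: the script below is an added example (not from this post or from CentOS) that parses `ss -lnp6` output and separates sockets bound only to the IPv6 loopback (reachable from the host itself) from those bound to the wildcard or another address (reachable by on-link neighbours, which is the exposure described earlier in the thread). It assumes the CentOS 7 ss output format, with address and port joined by ":" and the owning process in a users:(("name",...)) field; the sample output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: per-daemon IPv6 exposure check built on
# `ss -lnp6`. Sockets bound to the IPv6 loopback (::1) are reachable only from
# the host itself; anything else (the :: wildcard or a link-local/global
# address) can be reached by on-link neighbours. Assumes the CentOS 7 ss output
# format (address and port joined by ":", process in a users:(("name",...)) field).

# ipv6_listeners: read `ss -lnp6` output on stdin, print one line per socket:
# "<proto> <local address:port> <process> <loopback|EXPOSED>"
ipv6_listeners() {
    awk 'NR > 1 && NF >= 5 {
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)   # name between the quotes
        scope = ($5 ~ /^\[?::1\]?:/) ? "loopback" : "EXPOSED"
        print $1, $5, proc, scope
    }'
}

# exposed_ipv6_count: how many IPv6 sockets are reachable from off-host
exposed_ipv6_count() { ipv6_listeners | grep -c ' EXPOSED$'; }

# Constructed sample resembling a CentOS 7 host (not captured from a real system).
SAMPLE='Netid  State   Recv-Q Send-Q  Local Address:Port   Peer Address:Port
udp    UNCONN  0      0       ::1:323              :::*     users:(("chronyd",pid=640,fd=2))
udp    UNCONN  0      0       :::546               :::*     users:(("dhclient",pid=812,fd=6))
tcp    LISTEN  0      128     :::22                :::*     users:(("sshd",pid=1031,fd=4))
tcp    LISTEN  0      100     ::1:25               :::*     users:(("master",pid=1290,fd=14))'

printf '%s\n' "$SAMPLE" | ipv6_listeners
printf 'exposed IPv6 sockets: %s\n' "$(printf '%s\n' "$SAMPLE" | exposed_ipv6_count)"
```

On a live host run `ss -lnp6 | ipv6_listeners` as root (the process field is only shown to root); every line tagged EXPOSED is a daemon whose own configuration, or the firewall, still needs to account for IPv6.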

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by chemal » 2019/07/22 01:34:04

My experience with CentOS 7 and putting ipv6.disable=1 on the kernel command line is positive. Some services needed minor configuration changes, like what you mentioned above. Nothing has ever overwritten my /etc/default/grub. This file is the official place for user-specified changes to grub and it is guaranteed to not be overwritten if you ever edit it.

Moreover, I have never found anything that stopped working because of missing ipv6 support.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by hunter86_bg » 2019/07/23 06:44:38

Check the CentOS general and network threads before proposing such an option :)
I've seen so often that ipv6 disabling has caused issues that I keep away from such drastic measures.

I think you can block the ipv6-related services in firewalld/iptables. Should be enough for your tasks.

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by chemal » 2019/07/23 14:27:39

RH even has a kb article where they suggest it themselves: https://access.redhat.com/solutions/8709. This could be called the "official guidance to permanently disabling IPv6 on CentOS 7".

I haven't seen any problems with ipv6.disable=1 in years.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by TrevorH » 2019/07/23 17:22:45

Though the best solution is not to disable it at all.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Official guidance to permanently disabling IPv6 on CentOS 7

Post by hunter86_bg » 2019/07/24 10:27:55

I support Trevor's comment.
Disable ipv6 only if it is causing issues (very rare).
Keep in mind that Red Hat did not mention the cases where ipv6 needs to be disabled.
