Is it safe to disable IPv6 for all the ports?

blazingice · Jul 14, 2013

I understand that IPv6 is the future, however I don't need it for my home use. So, I was planning to keep everything simple by disabling IPv6 for both my network and ports.

I think IPv6 is disabled in my network because I have the IFDISABLED flag. Is that correct?

Code:

re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 20:cf:30:ac:11:32
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::22cf:30ff:feac:1132%re0 prefixlen 64 scopeid 0x1
        inet 192.168.1.5 netmask 0xffffffff broadcast 192.168.1.5
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

I was also going to add to make.conf:

Code:

OPTIONS_UNSET=IPV6

So, my question. Is it safe to do so for all the ports? Could this create any potential problems?

I guess, there is no need to disable it from the kernel.

Thanks

Chris_H · Jul 15, 2013

Greetings,

Unless you ever attempt to install an IPv6 (only) application/port. No harm will come of disabling IPv6. As per disabling IPv6 within your system; a couple of thoughts come to mind. You might explore the options available to rc.conf(5). The best place to look (beyond the man pages for rc.conf(5)) for many of the options available, will be /etc/defaults/rc.conf. You would probably also do well to build a custom kernel that doesn't include the IPv6 stack. Because most of the overhead you look to remove, is loaded at/during boot, and is available within the kernel itself (unless it's removed before it's built -- custom kernel).

HTH

--chris

blazingice · Jul 15, 2013

Thanks. I was hoping not to build a custom kernel, because I use freebsd-update for updates, which doesn't support custom kernels.

adripillo · Jul 15, 2013

blazingice said:
Thanks. I was hoping not to build a custom kernel, because I use freebsd-update for updates, which doesn't support custom kernels.

I do not understand why you want to disable IPv6 but you do not have to worry about that. If you were using IPv4 when you installed your system IPv6 is disabled.

throAU · Jul 16, 2013

blazingice said:
I understand that IPv6 is the future, however I don't need it for my home use. So, I was planning to keep everything simple by disabling IPv6 for both my network and ports.

You can keep everything simple by not messing with the defaults and just turning off IPv6 on your router.

Unless you have a genuine NEED to compile a custom kernel, you're probably best off not doing so - the futher you deviate from a standard configuration the more likely you are to run into obscure edge case problems that others will have difficulty trying to replicate.

I guess what I'm trying to say is that by "trying to keep things simple", in doing this you are more than likely creating issues for yourself to try and diagnose further down the line.

kpa · Jul 16, 2013

IPv6 is here today and it is already being widely used as a supplement to IPv4, very rarely as a full replacement but things are changing. I don't see any reason to disable IPv6 on the kernel because it does not take that much resources if IPv6 is not enabled for interface, the default is to have IPv6 disabled for interfaces anyway.

blazingice · Jul 16, 2013

Thanks everyone for the suggestions.

My biggest concern is installing ports/services that make use of IPv6. So not being very confident with IPv6 I might have messed up the firewall settings. So, I could have ended up with many IPv6 ports opened. So in my mind, the easiest solution was to disable IPv6 flag when building from ports.

But if I understand you correctly, IPv6 is already disabled by default, so there is no real benefit in building ports without IPv6. So even if sockstat -6 -l gives me a list of services listening on IPv6, I should not worry about them. Correct?

throAU · Jul 17, 2013

blazingice said:
Thanks everyone for the suggestions.

My biggest concern is installing ports/services that make use of IPv6. So not being very confident with IPv6 I might have messed up the firewall settings. So, I could have ended up with many IPv6 ports opened. So in my mind, the easiest solution was to disable IPv6 flag when building from ports.

But if I understand you correctly, IPv6 is already disabled by default, so there is no real benefit in building ports without IPv6. So even if sockstat -6 -l gives me a list of services listening on IPv6, I should not worry about them. Correct?

Unless your router is configured for IPv6 the only addresses your machine will get are link-local addresses (e.g., fe80::1) which are not reachable from the internet.

If you want to be paranoid, in case IPv6 does get enabled on your router you could create a firewall ruleset to block all IPv6, but as far as port scanning goes, you are pretty safe with IPv6 (unless you have manually allocated an IP like xxxxxxxxxxxxx::1 - i.e., the first IP in your IPv6 subnet).

To run a port scan against even a "small" /56 subnet a home DSL user typically gets allocated would take 16 million times longer for an attacker to perform than to scan the entire IPv4 internet.

edit:
My calculations are off.

A /56 gives you 72 bits of IP space (Not 2^56. Not sure why but I always screw that up when dealing with IPv6). So you have ~2^72 IPs on a /56. i.e., a hell of a lot - 2^40 times more than the IPv4 address space. Numbers that will blow your mind. To scan that is not feasible. Especially when your outbound IPv6 traffic is sent from a randomzied IPv6 address within your subnet that changes

The existing malware practice of scanning the internet for machines to compromise just won't work without significant change in the IPv6 world.

Better subnet scannnig info: http://www.itdojo.com/2011/05/09/on-the-practical-feasibility-of-ping-sweeping-ipv6-networks/