Avoid IPv6 link local address on interface

Tags: ip, ipv6, networking, xen

I have a setup with virtual Xen hosts connected to a set of VLAN-s. On Dom0, I have set up a bridge for each of my VLAN-s to connect DomU-s to. Bridges are set up in /etc/network/interfaces like this:

auto eth0
iface eth0 inet manual

auto eth0.1
iface eth0.1 inet manual
  vlan_raw_device eth0

auto br1
iface br1 inet manual
  bridge_ports eth0.1

For most of these interfaces, I don't want Dom0 to be reachable, I just want it to bridge.

However, with IPv6, each interface automatically gets a link local address on the fe80::/64-network, which effectively breaks my security by letting Dom0 be available on all interfaces/VLAN-s.

I guess I can block all incoming packets with iptables, but avoiding any IPv6-address altogether seems like a cleaner solution.

Is there any way to take an interface up on the link-layer but not on the IP-layer?

This is Linux/Debian (sorry I missed this detail initially…)

(master) 844$ cat /etc/issue.net 
Debian GNU/Linux 5.0
(master) 845$ uname -a
Linux master 2.6.26-2-xen-amd64 #1 SMP Sun Jun 20 20:51:58 UTC 2010 x86_64 GNU/Linux

Best Answer

It looks like you are running a Debian variant, and at least Linux. You could drop a file in /etc/sysctl.d to disable IPv6 on the interface or all interfaces. I have enabled IPv6, but this is the file I used to disable IPv6. Initially, I disabled everything, then I disabled individual interfaces while I brought up IPv6. You should be able to just disable your bridge.

# 80-disable-ipv6.conf

#net.ipv6.conf.default.disable_ipv6 = 0
#net.ipv6.conf.all.disable_ipv6 = 0
#net.ipv6.conf.lo.disable_ipv6 = 0
#net.ipv6.conf.eth0.disable_ipv6 = 0
#net.ipv6.conf.virbr0.disable_ipv6 = 0
#net.ipv6.conf.virbr1.disable_ipv6 = 0
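Added example, not part of the answer above: a POSIX shell sketch that generates drop-in lines with `disable_ipv6 = 1` (the value that switches IPv6 off) for the question's `eth0.1` and `br1`, and audits `ip -o -6 addr show` output for leftover link-local addresses. The function names and the sample output are constructed for illustration; the slash-separated key form is assumed to be accepted by the `sysctl` on the target release and should be checked there.

```shell
#!/bin/sh
# Added example. Interface names (eth0.1, br1) come from the question.

# Constructed sample of `ip -o -6 addr show` output on a Dom0.
SAMPLE='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::216:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
4: br1    inet6 fe80::216:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever'

# Print one sysctl.d line per interface, setting disable_ipv6 to 1.
# Assumption: the slash-separated key form is accepted, so the dot in a
# VLAN name such as eth0.1 is not read as a key separator.
gen_disable_ipv6_conf() {
    for ifname in "$@"; do
        printf 'net/ipv6/conf/%s/disable_ipv6 = 1\n' "$ifname"
    done
}

# Read `ip -o -6 addr show` output on stdin and print every interface
# that holds an address in fe80::/10 (link-local).
linklocal_ifaces() {
    awk '$3 == "inet6" && tolower($4) ~ /^fe[89ab][0-9a-f]:/ { print $2 }' | sort -u
}

# Read the same output on stdin; return non-zero if any interface named
# in the arguments still has a link-local address.
check_no_linklocal() {
    found=$(linklocal_ifaces)
    rc=0
    for ifname in "$@"; do
        if printf '%s\n' "$found" | grep -Fxq -- "$ifname"; then
            echo "link-local address still present on $ifname" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample: print the drop-in lines, then audit.
gen_disable_ipv6_conf eth0.1 br1
printf '%s\n' "$SAMPLE" | check_no_linklocal eth0.1 br1 ||
    echo "audit failed, as expected for the constructed sample"
```

On a live Dom0, pipe `ip -o -6 addr show` into `check_no_linklocal` after the bridges are up; a per-interface key under `net/ipv6/conf` only exists once the interface has been created.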