This is a kernel bug. I don't have ifupdown (use networkd instead) - problem confirmed.
--
https://bugs.launchpad.net/bugs/1345847

Title:
  Impossible to disable IPv6 auto, params "accept_ra & autoconf = 0" have no effect on VLAN interfaces

Status in ifupdown package in Ubuntu:
  Confirmed

Bug description:
  Guys,

  I'm trying to disable IPv6 autoconf (and accept_ra too) in one of my servers (Samba4 AC DC) and I am unable to disable it. IPv6 keeps appearing no matter what.

  Steps to reproduce:

  1- Join a Network with a working IPv6 radvd within a tagged VLAN 10, for example:

  * Router Ubuntu with:

  --
  interface vlan10 {
          AdvSendAdvert on;
          MinRtrAdvInterval 5;
          MaxRtrAdvInterval 20;
          AdvLinkMTU 1500;
          AdvDefaultPreference high;
          prefix 2001:db8:1:10::/64 {
                  DeprecatePrefix on;
                  AdvOnLink on;
                  AdvAutonomous on;
                  AdvRouterAddr on;
          };
          route ::/0 {
                  RemoveRoute on;
          };
          RDNSS 2001:4860:4860::8844 2001:4860:4860::8888 { };
          DNSSL domain.com.br { };
  };
  --

  Of course, for example, vlan10 on Ubuntu router has IPv6 addr = 2001:db8:1:10::1/64, so radvd can work. Also, vlan10 of router has IPv4 172.16.0.1/24 (it is a dual-stacked router).

  -----

  2- Configure your Ubuntu 14.04 server interfaces like this:

  --
  auto vlan10
  iface vlan10 inet static
          vlan_raw_device eth0
          accept_ra 0
          autoconf 0
          address 172.16.0.10
          netmask 24
          gateway 172.16.0.1
          dns-nameservers 172.16.0.1
  --

  3- Turn it up:

  --
  ifup vlan10

  * Here is the BUG, IPv6 appears anyway! But it should not!

  -
  root@ubuntu-srv-1:~# ip -6 r
  2001:db8:1:10::/64 dev vlan10 proto kernel metric 256 expires 86389sec
  fe80::/64 dev eth0 proto kernel metric 256
  fe80::/64 dev vlan10 proto kernel metric 256
  default via fe80::5054:ff:feae:1407 dev vlan10 proto ra metric 1024 expires 49sec
  -

  This is undesired and a security breach. It facilitates MITM IPv6 attacks for tagged vlans.
  --

  As a workaround, I'm adding the following lines at my /etc/rc.local (of ubuntu-srv-1):

  --
  # Workaround against IPv6 autoconf & accept_ra
  sysctl -p
  ifconfig vlan10 down ; ifconfig vlan10 up
  --

  Where "sysctl -p" returns:

  --
  root@ubuntu-srv-1:~# sysctl -p
  net.ipv6.conf.all.accept_ra = 0
  net.ipv6.conf.all.autoconf = 0
  net.ipv6.conf.eth0.accept_ra = 0
  net.ipv6.conf.eth0.autoconf = 0
  net.ipv6.conf.vlan10.accept_ra = 0
  net.ipv6.conf.vlan10.autoconf = 0
  --

  This workaround is the only way I'm seeing to completely disable IPv6 for this server (ubuntu-srv-1).

  Best,
  Thiago
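
A check for the state shown in this report, as an added example that is not part of the bug report or of ifupdown: it lists interfaces that still hold RA-derived IPv6 routes and prints their accept_ra and autoconf values beside them. The function names and the CONF_ROOT variable are hypothetical; the sample input is the `ip -6 r` output quoted in the description.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names and CONF_ROOT are
# hypothetical; SAMPLE_ROUTES is the `ip -6 r` output quoted in the report.
SAMPLE_ROUTES='2001:db8:1:10::/64 dev vlan10 proto kernel metric 256 expires 86389sec
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev vlan10 proto kernel metric 256
default via fe80::5054:ff:feae:1407 dev vlan10 proto ra metric 1024 expires 49sec'

# Read `ip -6 route` output on stdin and print each interface holding
# RA-derived state: a route tagged "proto ra", or a kernel prefix route with
# a lifetime ("expires"), which is how the autoconfigured prefix shows up.
ra_route_ifaces() {
    awk '
        / proto ra / || (/ proto kernel / && / expires /) {
            for (i = 1; i < NF; i++) if ($i == "dev") seen[$(i + 1)] = 1
        }
        END { for (d in seen) print d }
    ' | sort
}

# Current value of one per-interface knob (accept_ra or autoconf), "?" if the
# file is missing. CONF_ROOT lets the audit run against a copied tree.
knob() {
    cat "${CONF_ROOT:-/proc/sys/net/ipv6/conf}/$1/$2" 2>/dev/null || echo "?"
}

# Report every interface with RA-derived routes next to its knob values.
# Returns 1 if any is found; knobs at 0 with routes still present is the
# state described in the report.
audit() {
    rc=0
    for dev in $(ra_route_ifaces); do
        echo "$dev accept_ra=$(knob "$dev" accept_ra) autoconf=$(knob "$dev" autoconf) RA-derived routes present"
        rc=1
    done
    return $rc
}

# Live use: ip -6 route | audit
printf '%s\n' "$SAMPLE_ROUTES" | audit || true
```

A non-zero exit from `audit` makes it usable as a boot-time or monitoring check on hosts that are meant to be IPv4-only.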