On Wed, Oct 22, 2025 at 22:34:05 +0900, Simon Richter wrote:
> - [Independent control] over IPv6 and IPv4 operation from ifupdown is
> broken. A single `inet` stanza will enable both, so `inet6 static` also
> does SLAAC/DHCPv6.
> The default interface config has "accept_ra" enabled, so SLAAC is
> enabled as soon as the link is up. If we "fix" that, it will be about as
> controversial as systemd's decision to drop into an emergency shell if
From a security point of view I find it very wrong that the kernel
configures the interface with IPv6 if the administrator hasn’t
configured anything IPv6 related for the interface. After all you won’t
get any working IPv4 address without a configuration either.
You may have a local firewall for your IPv4 configuration, but the rules
get bypassed if your system suddenly gets itself an IPv6 address.
We had this problem when the network guys tested the new routers for
IPv6, and the Cisco devices did the same auto bullshit by sending RA
without configuration.
The system should never configure an interface without proper
configuration by the admin. So if there is no inet6 stanza,
accept_ra should be disabled.
Speaking of inet and inet6 stanzas: could we have an inet46 stanza to
combine IPv4 and IPv6 in one block? The two parts aren’t a problem if you
only configure IP addresses, but with bonding and/or VLAN tagging it
would be great to have it all in one section.
Many greetings,
Stephan
--
| If your life was a horse, you'd have to shoot it. |
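
An added example, not part of the original message or of ifupdown: a small audit for the situation described above, listing interfaces whose `accept_ra` is non-zero although `/etc/network/interfaces` has no `inet6` stanza for them. The function names and sample data are constructed; the parser assumes a single interfaces file and does not follow `source` directives.

```python
"""Flag interfaces that accept Router Advertisements without an inet6 stanza."""
from pathlib import Path

# Pseudo-entries under net.ipv6.conf plus loopback are not real uplinks.
SKIP = {"all", "default", "lo"}

def inet6_interfaces(interfaces_text):
    """Names that have an `iface <name> inet6 <method>` stanza."""
    names = set()
    for line in interfaces_text.splitlines():
        if line.lstrip().startswith("#"):      # ifupdown comment line
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "iface" and fields[2] == "inet6":
            names.add(fields[1])
    return names

def unconfigured_ra_interfaces(interfaces_text, accept_ra):
    """accept_ra maps interface name -> net.ipv6.conf.<name>.accept_ra.
    0 means RAs are ignored; 1 and 2 mean they may be accepted. The check is
    conservative: it does not look at the forwarding sysctl."""
    configured = inet6_interfaces(interfaces_text)
    return sorted(name for name, value in accept_ra.items()
                  if value != 0 and name not in configured and name not in SKIP)

def read_accept_ra(root="/proc/sys/net/ipv6/conf"):
    """Read the live accept_ra value of every interface (Linux only)."""
    return {p.parent.name: int(p.read_text().strip())
            for p in Path(root).glob("*/accept_ra")}

# Constructed sample input, not taken from any real host.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.0.2.10/24

auto eth1
iface eth1 inet dhcp
# eth1 is deliberately dual-stack
iface eth1 inet6 auto
"""
SAMPLE_ACCEPT_RA = {"all": 1, "default": 1, "lo": 1,
                    "eth0": 1, "eth1": 1, "eth2": 0}

if __name__ == "__main__":
    print(unconfigured_ra_interfaces(SAMPLE_INTERFACES, SAMPLE_ACCEPT_RA))
```

On a live Linux host, pass the contents of `/etc/network/interfaces` and the result of `read_accept_ra()` instead of the samples.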