IPv6 Virtualization Consideration

When I'm working with KVM or Xen virtualization software I use bridge-utils, 802.1q VLANs and IPv6 very often. When I direct a VLAN-based collision domain into a bridge, and through it to my virtual machines, I use the following network configuration (Debian):

  • iface br0 inet manual
  • iface br0 inet6 manual

where br0 is the bridge's interface name.

I use 'manual' as the method because I don't want my virtualization server to be addressable in the corresponding network; it should have no IP address there at all. For IPv4 this works just fine: the interface simply gets no address. With IPv6 it is completely different. No matter whether you choose 'manual', 'auto' or 'dhcp', br0 will always get a link-local address, and by having such an address it is automatically reachable within this very VLAN / collision domain. A guest can then very easily find out this link-local address by running

ping6 -I <<interface name>> ff02::1

Sometimes an IP address on that interface is fine; many other times it is not. It can become a security issue when you virtualize guests that are supposed to be isolated from the host, yet the host can still be addressed via IP from inside their network. If a host firewall is missing and you 'accidentally' have some service listening, that is a real risk.
Looking at it from the other side: why would you want an IP address when you are 100% sure that you won't need one?

So what do I need to do?
Unfortunately, on Debian you have to set a kernel parameter for this interface manually (for example in a pre-up or post-up line of the interface definition):

sysctl -w net.ipv6.conf.br0.autoconf=0

You may then also want to flush all IP addresses from that interface:

ip addr flush dev br0
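As an added example that is not part of the original post, the following hook script applies the two steps above to a bridge and then checks that no IPv6 address is actually left on it. The function names and the sample `ip` output are this example's own; br0 is the bridge name from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. A post-up hook for the
# Debian interface definition that applies the post's two steps (autoconf
# off, address flush) to a bridge and then verifies that no IPv6 address
# is left on it. Function names and the sample output are this example's own.

# Count "inet6" lines in `ip -6 addr show dev <if>` output read from stdin.
count_ipv6_addrs() {
    awk '$1 == "inet6" { c++ } END { print c + 0 }'
}

# Succeed (return 0) only if the given `ip -6 addr show` output lists no address.
has_no_ipv6_addr() {
    [ "$(printf '%s\n' "$1" | count_ipv6_addrs)" -eq 0 ]
}

# Apply the post's steps to an interface and verify the result.
# Returns 1 (and lists the leftovers on stderr) if an address survived.
strip_ipv6_from_iface() {
    ifname="$1"
    sysctl -w "net.ipv6.conf.${ifname}.autoconf=0" >/dev/null
    ip addr flush dev "$ifname"
    out=$(ip -6 addr show dev "$ifname")
    if has_no_ipv6_addr "$out"; then
        echo "${ifname}: no IPv6 address present"
        return 0
    fi
    echo "${ifname}: IPv6 address(es) still present:" >&2
    printf '%s\n' "$out" | awk '$1 == "inet6" { print $2 }' >&2
    return 1
}

# Constructed sample of what `ip -6 addr show dev br0` prints when the
# bridge has picked up a link-local address (the situation the post describes).
SAMPLE_WITH_LINK_LOCAL='2: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# Usage as a hook (not run here):
#   iface br0 inet6 manual
#       post-up /usr/local/sbin/strip-ipv6 br0
# where the installed script ends with:  strip_ipv6_from_iface "$1"
```

Note that autoconf=0 only stops addresses learned from router advertisements; the link-local address the post complains about is removed by the flush, which is why the check runs after both steps.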
