SEI Insights

CERT/CC Blog

Vulnerability Insights

Managing IPv6 - Part 1


This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts of your infrastructure (firewall, IDS, etc.) do not yet fully support the IPv6 protocol, consider disabling IPv6 until those components can be upgraded.

The following are some of the reasons why an administrator would want to disable IPv6:

  • Many networks have IPv6 connectivity running on their LAN but do not have IPv6 WAN connectivity. Programs may see the connectivity on the LAN and unsuccessfully attempt to use IPv6 to connect to remote IPv6-enabled servers.
  • Local IPv6 traffic might be able to bypass IDS systems or other low-layer network defenses.
  • Operating systems may obtain global (publicly reachable) IPv6 addresses by creating tunnels.
  • Running an additional protocol increases a system's attack surface.
  • Global addressing restores end-to-end connectivity.
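One way to find out whether a Linux host is in the situation the first and third points describe, i.e. it holds IPv6 addresses beyond the link-local ones every IPv6-enabled interface gets, is to classify the output of ip -6 addr show. The script below is an added example written for this post, not code from CERT/CC; the ip output it parses is a constructed sample, and the interface and address values in it are made up (2001:db8::/32 is the documentation prefix).

```sh
#!/bin/sh
# Added example: classify the IPv6 addresses a Linux host holds from the text
# of `ip -6 addr show`. Loopback (::1) and link-local (fe80::/10) addresses are
# present on any IPv6-enabled host; anything else is reachable beyond the link,
# whether it came from a router advertisement or from an automatic tunnel.

# Constructed sample of `ip -6 addr show` output (not captured from a real host).
# eth0 has a global address from an RA; sit0 carries an automatic
# IPv4-compatible tunnel address of the kind the third bullet refers to.
SAMPLE_IP6_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2:3:4:5:6/64 scope global dynamic
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 state DOWN
    inet6 ::192.0.2.10/96 scope global
       valid_lft forever preferred_lft forever'

# Print "<ifname> <address>" for every address that is neither loopback nor
# link-local. Reads `ip -6 addr show` text from stdin.
global_ipv6_addrs() {
    awk '
        # interface header line: "2: eth0: <...>" or "3: sit0@NONE: <...>"
        /^[0-9]+: / { ifname = $2; sub(/:$/, "", ifname); sub(/@.*/, "", ifname) }
        $1 == "inet6" {
            addr = $2; sub(/\/.*/, "", addr)          # strip prefix length
            if (addr == "::1") next                    # loopback
            if (addr ~ /^[fF][eE][89abAB]/) next       # fe80::/10 link-local
            print ifname, addr
        }'
}

# Number of such addresses; zero means IPv6 is link-local only on this host.
count_global_ipv6_addrs() {
    global_ipv6_addrs | wc -l | tr -d ' '
}

# Run against the constructed sample. On a real host use:
#   ip -6 addr show | global_ipv6_addrs
printf '%s\n' "$SAMPLE_IP6_ADDR" | global_ipv6_addrs
```

Against the sample this reports eth0 2001:db8:1:2:3:4:5:6 and sit0 ::192.0.2.10; the fe80:: address on eth0 and ::1 on lo are skipped. Addresses that are not link-local do not prove the host has working IPv6 WAN connectivity, which is exactly the mismatch the first bullet warns about, so treat a non-empty result as a prompt to check the path, not as proof it works.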

There are also more than a couple of reasons why an administrator wouldn't want to disable IPv6 connectivity:

  • The network has full IPv6 connectivity, and software on the network actively uses some of the features (usually the large pool of global addresses) found only in IPv6.
  • Network services running on the LAN are actively using IPv6.
  • The network is designed to be a "dumb pipe," and the administrator is expected to not interfere with passing traffic.
  • Global addressing restores end-to-end connectivity.

Below are instructions for disabling IPv6 on some popular operating systems. At the bottom of the entry are links to scripts that you can run from the command line.

Disabling IPv6 via firewalls or access control lists

To disable IPv6 at a router or firewall, block protocols 41, 43, 44, 58, 59, and 60 as well as UDP ports 3544 and 3545. This firewall policy will likely miss some tunneled and non-routed IPv6 traffic (such as Teredo-compatible tunnels on non-standard ports) running on the local network.

There is too much variation in firewall syntax for us to list rules for every vendor; instead, we've written a few rules in Cisco's ACL syntax and included an ip6tables script linked at the bottom of this page.

access-list ipv6 deny 41 any any
access-list ipv6 deny 43 any any
access-list ipv6 deny 44 any any
access-list ipv6 deny 58 any any
access-list ipv6 deny 59 any any
access-list ipv6 deny 60 any any
access-list ipv6 deny udp any any eq 3544
access-list ipv6 deny udp any any eq 3545
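On a Linux border firewall the same policy ends up in iptables (the IPv4 side, since these are IPv6-in-IPv4 and Teredo carriers; native IPv6 on the LAN is the job of the ip6tables script linked below). The script below is an added example written for this post, not CERT/CC's script: it takes the text of iptables-save and reports which of the protocol and port blocks listed above are absent. The ruleset it reads is a constructed sample. One detail it accounts for is that iptables-save prints protocol names from /etc/protocols (ipv6, ipv6-route, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts) rather than the numbers you typed.

```sh
#!/bin/sh
# Added example: audit an IPv4 iptables ruleset (iptables-save text on stdin)
# for DROP rules covering the IP protocols and UDP ports the Cisco ACL blocks.

# number:name pairs; iptables-save prints the /etc/protocols name, so both
# spellings are accepted when matching.
REQUIRED_PROTOCOLS='41:ipv6 43:ipv6-route 44:ipv6-frag 58:ipv6-icmp 59:ipv6-nonxt 60:ipv6-opts'
REQUIRED_UDP_PORTS='3544 3545'

# Constructed sample ruleset (not from a real firewall): only protocol 41 and
# UDP 3544 are blocked, so the audit should list everything else.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p ipv6 -j DROP
-A FORWARD -p udp -m udp --dport 3544 -j DROP
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Print one line per missing block ("proto 43", "udp 3545"); print nothing
# when every required block is present. Reads iptables-save text from stdin.
missing_ipv6_tunnel_blocks() {
    rules=$(cat)
    for entry in $REQUIRED_PROTOCOLS; do
        num=${entry%%:*}
        name=${entry#*:}
        # a rule in any chain that matches the protocol (by number or name) and drops
        printf '%s\n' "$rules" | grep -Eq "^-A [^ ]+ .*-p ($num|$name) .*-j DROP" \
            || echo "proto $num"
    done
    for port in $REQUIRED_UDP_PORTS; do
        printf '%s\n' "$rules" | grep -Eq "^-A [^ ]+ .*-p udp .*--dport $port .*-j DROP" \
            || echo "udp $port"
    done
}

# Run against the constructed sample. On a real firewall:
#   iptables-save | missing_ipv6_tunnel_blocks
printf '%s\n' "$SAMPLE_RULES" | missing_ipv6_tunnel_blocks
```

Two caveats apply just as they do to the ACL above: the check only looks for a matching DROP rule somewhere in the ruleset, so an earlier ACCEPT that matches first will still let the traffic through, and it says nothing about tunnels on non-standard ports, which no port-based rule catches.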

Disabling IPv6 on Windows XP and Server 2003

The easiest way to disable IPv6 on Windows XP and Server 2003 is to run this command from a prompt with administrator privileges and reboot:

netsh.exe interface ipv6 uninstall

Disabling IPv6 on Windows Vista and Server 2008

The IPv6 protocol cannot be uninstalled from Windows Vista. The most effective way of disabling it is to edit the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents"=dword:ffffffff

If you don't want to edit the registry, the following netsh commands will effectively block IPv6. Note to administrators: using the "domain profile" feature of the Windows firewall will allow you to create rules that block IPv6 connectivity based on whether the user is authenticated to your domain.

netsh advfirewall firewall add rule name="IPv6" protocol=icmpv6 dir=out action=block
netsh advfirewall firewall add rule name="IPv6" protocol=icmpv6 dir=in action=block
netsh advfirewall firewall add rule name="IPv6" action=block protocol=41 dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 43" protocol=43 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 44" protocol=44 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 58" protocol=58 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 59" protocol=59 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 60" protocol=60 action=block dir=out

Disabling IPv6 on Red Hat Enterprise Linux 5

  1. Edit /etc/sysctl.conf
  2. Append "net.ipv6.conf.all.disable_ipv6 = 1"
  3. Execute "sysctl -p" as root

You can modify "net.ipv6.conf.all.disable_ipv6 = 1" for a specific interface (e.g., "net.ipv6.conf.eth1.disable_ipv6 = 1") to selectively disable IPv6 on that interface.

The following steps will disable IPv6 connectivity on all interfaces:

  1. Edit /etc/modprobe.conf
  2. Append "alias net-pf-10 off"
  3. Execute the command "modprobe -a" as root

For those of you who really want to disable IPv6, add these lines to your iptables scripts:

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

ip6tables -I INPUT -p all -j DROP
ip6tables -I OUTPUT -p all -j DROP

Disabling IPv6 on Ubuntu Linux (version 9.04)

  1. Edit /etc/sysctl.conf
  2. Append "net.ipv6.conf.all.disable_ipv6 = 1"
  3. Execute "sysctl -p" as root

You can modify "net.ipv6.conf.all.disable_ipv6 = 1" for a specific interface (e.g., "net.ipv6.conf.eth1.disable_ipv6 = 1") to selectively disable IPv6 on that interface.
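After applying either the RHEL or the Ubuntu sysctl steps, the state that matters is what the kernel now reports per interface under /proc/sys/net/ipv6/conf, because the "all" setting and an interface's own setting can disagree (for example when an interface was re-enabled individually later). The script below is an added example for this post, not CERT/CC's; it lists interfaces whose disable_ipv6 is not 1. The conf directory is a parameter so the function can be exercised against a constructed tree, which the script builds in a temporary directory; on a real host call it with no argument.

```sh
#!/bin/sh
# Added example: report which interfaces still have IPv6 enabled by reading the
# kernel's per-interface disable_ipv6 files (what `sysctl -p` changes).

# List interfaces whose disable_ipv6 is not 1. Argument: conf directory,
# defaulting to the live kernel tree. Prints nothing when IPv6 is off
# everywhere, including when the kernel has no IPv6 support loaded at all
# (no /proc/sys/net/ipv6), which is the effect of the modprobe approach.
ipv6_enabled_ifaces() {
    conf=${1:-/proc/sys/net/ipv6/conf}
    [ -d "$conf" ] || return 0
    for d in "$conf"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case "$name" in all|default) continue ;; esac   # templates, not interfaces
        if [ "$(cat "$d/disable_ipv6" 2>/dev/null)" != "1" ]; then
            echo "$name"
        fi
    done
}

# Build a constructed conf tree in a temporary directory: all/default/lo/eth0
# report disabled, eth1 reports enabled. Prints the directory path.
make_sample_conf() {
    root=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir -p "$root/$i"
        echo 1 > "$root/$i/disable_ipv6"
    done
    echo 0 > "$root/eth1/disable_ipv6"
    echo "$root"
}

# Run against the constructed tree; on a real host: ipv6_enabled_ifaces
sample=$(make_sample_conf)
ipv6_enabled_ifaces "$sample"    # eth1
rm -rf "$sample"
```

An interface listed here still needs its own net.ipv6.conf.<iface>.disable_ipv6 = 1 line, or a check of whatever set it back to 0. Note that the check reads the kernel's current values, not /etc/sysctl.conf, so it also catches the case where the file was edited but sysctl -p was never run.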

The following steps will disable IPv6 connectivity on all interfaces:

  1. Edit /etc/modprobe.d/blacklist
  2. Append "blacklist ipv6"
  3. Execute the command "modprobe -a" as root

Ubuntu users who run UFW can check /etc/default/ufw. If IPV6=no, you can block IPv6 connectivity with this command:

sudo ufw disable && sudo ufw enable

Scripts

Here are files you can use to disable IPv6. As with all scripts, make sure you understand the implications before running these on your system.
