On Wed, Oct 22, 2025 at 22:34:05 +0900, Simon Richter wrote:
> The default interface config has "accept_ra" enabled, so SLAAC is enabled as soon as the link is up. If we "fix" that, it will be about as controversial as systemd's decision to drop into an emergency shell if
>
> - [Independent control] over IPv6 and IPv4 operation from ifupdown is broken. A single `inet` stanza will enable both, so `inet6 static` also does SLAAC/DHCPv6.
From a security point of view, I find it very wrong that the kernel configures the interface with IPv6 if the administrator hasn’t configured anything IPv6-related for the interface. After all, you won’t get any working IPv4 address without a configuration either.
You may have a local firewall for your IPv4 configuration, but the rules get bypassed if your system suddenly gets itself an IPv6 address.
We had this problem when the network guys tested the new routers for IPv6, and the Cisco devices did the same auto bullshit by sending RA without configuration.
The system should never configure an interface without proper configuration by the admin. So if there is no inet6 stanza, accept_ra should be disabled.
Speaking of inet and inet6 stanzas: could we have an inet46 stanza to combine IPv4 and IPv6 in one block? The two parts aren’t a problem if you only configure IP addresses, but with bonding and/or VLAN tagging it would be great to have it all in one section.
Many greetings,
Stephan

-- 
| If your life was a horse, you'd have to shoot it. |
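The policy argued for in this message (no `inet6` stanza means `accept_ra` off), sketched as an added example that is not part of the original mail and not ifupdown code: it lists interfaces that have stanzas but none for `inet6` and emits a sysctl.d fragment for them. It assumes classic ifupdown syntax (`iface <name> <family> <method>`) and no `source` includes; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample of /etc/network/interfaces (not taken from the mail).
SAMPLE = """\
# constructed example
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.0.2.10/24

auto eth1
iface eth1 inet dhcp
iface eth1 inet6 static
    address 2001:db8::10/64

auto bond0.100
iface bond0.100 \\
    inet static
    address 192.0.2.130/25
"""


def stanza_families(text):
    """Map interface name -> set of address families with an iface stanza."""
    joined = re.sub(r"\\\n", " ", text)  # a trailing backslash continues the line
    families = {}
    for line in joined.splitlines():
        if line.lstrip().startswith("#"):  # comments occupy a whole line
            continue
        words = line.split()
        if len(words) >= 3 and words[0] == "iface":
            families.setdefault(words[1], set()).add(words[2])
    return families


def ipv4_only(text):
    """Interfaces configured by the admin, but never for inet6 (loopback skipped)."""
    return sorted(name for name, fams in stanza_families(text).items()
                  if "inet6" not in fams and name != "lo")


def sysctl_fragment(names):
    """sysctl.d lines; slash-separated keys keep dots in VLAN names intact."""
    return [f"net/ipv6/conf/{name}/accept_ra = 0" for name in names]


if __name__ == "__main__":
    print("\n".join(sysctl_fragment(ipv4_only(SAMPLE))))
```

Per-interface keys only exist once the interface does, so for bonds and VLANs created later the `net/ipv6/conf/default/accept_ra` key is the one that covers them.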