
So I'm playing around with IPv6 on my home network a bit more, and I'm doing things a bit old-fashioned -- setting up static addresses and such. This means I don't really want or care for all the automatic configuration built into IPv6 via the various ICMPv6 messages. But running Wireshark and capturing only IPv6 traffic, two of my IPv6 systems running Linux are proving to be chatty little things. They're constantly exchanging "Neighbor Solicitation", "Neighbor Advertisement", and "ICMPv6 Multicast Listener Report" packets. They do this both on the statically-assigned ULA address I have set for each machine and on the automatically-configured link-local address.

My question is, how can I disable these in Linux? I've found several guides for Windows via the 'netsh' command (which has surprised me -- Windows seems to be FAR more tunable in this aspect than Linux is). So far, it seems my only choice in Linux is to use ip6tables to block specific ICMPv6 message types. However, looking at RFC4890, they imply that these messages must not be blocked if an IPv6 host is to participate in an IPv6 network successfully.

My reading of the IPv6 protocol suggests it was heavily influenced by problems faced in large, enterprise networks. The protocol engineers seemed to have little regard for small, private networks. This is great if you're a sysadmin of a large corporate or other such enterprise network, but a tad annoying if you're just "some guy" trying to play with the protocol on a home network to learn it. My method of learning means establishing something like my IPv4 network as a baseline, and then enabling features as I need them.

So I ask the experts, should I disable these three message types on my Linux and Windows hosts? Will it horribly break my internal IPv6 setup if I do? How will it affect external IPv6 when I reach that stage (my ISP has not yet allocated IPv6 addresses for customers, so there is no external IPv6 routing as of yet and no 6-to-4 tunnels)? Are ip6tables my only option in Linux?

I also assume I'm stuck with the link-local addresses, right? No way to get rid of them? They're impossible to memorize... (maybe that's the point?)

Kumba

2 Answers


Disabling ICMP for IPv6 can completely break it. It's used for a lot more stuff in v6 than v4. It's used for error reporting, neighbour discovery (as you've found out), and a lot more.

By blocking ICMPv6 at any level you can seriously hinder IPv6's ability to do its job. There's a (brief) Wikipedia article on it along with the normal very comprehensive RFC.

Mark Henderson
    Neighbor Discovery is basically your ARP replacement. So you're not gonna be able to resolve any hosts on your segment. – Marcin Apr 05 '11 at 23:25
  • @Marcin: This is probably the best answer here (but I'm not detracting from @Mark's answer either). I had forgotten that IPv6 doesn't use ARP anymore. ARP is so transparent half the time that you forget all about it. I also don't think I can get rid of link-local. Most reads so far seem to imply that it is automatic on behalf of the OS network driver or IP layer as an emergency fallback (like 169.254.0.0/16 is in the IPv4 world). – Kumba Apr 06 '11 at 03:22
  • You can't get rid of link-local, funny enough, because you need a starting point for the Neighbor Discovery process. In IPv4 you always have your MAC and you ARP out to get some IP. In IPv6 you always have your link-local and you do {Neighbor,Router} Solicitation to find your neighbors on the segment and a gateway out of your segment. – Marcin Apr 06 '11 at 03:35
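To make the "ND is your ARP replacement" point concrete, here is an added example (not code from anyone in this thread): a small Python decoder that pulls the ICMPv6 type out of a raw IPv6 packet, applies the RFC 4890 "must not be dropped" list that the question cites, and adds the one sanity check a host firewall can apply to Neighbor Discovery without breaking it, namely that RFC 4861 requires a hop limit of 255 on ND messages so anything else did not originate on the link. The packet builder, the addresses and the MAC address are constructed sample data.

```python
import struct
from ipaddress import IPv6Address

# ICMPv6 types that RFC 4890 section 4.4.1 says a host firewall must not drop
# (subset relevant to a single-segment home network).
REQUIRED = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    130: "MLD Query", 131: "MLD Report", 132: "MLD Done", 143: "MLDv2 Report",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
}
# Neighbor Discovery messages (RFC 4861); all must arrive with hop limit 255.
ND_TYPES = {133, 134, 135, 136, 137}


def parse(frame: bytes) -> dict:
    """Decode the 40-byte IPv6 fixed header and the ICMPv6 type/code after it."""
    if len(frame) < 44 or frame[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", frame[4:8])
    if next_hdr != 58:  # extension headers are not walked in this example
        raise ValueError("next header is not ICMPv6")
    return {"src": IPv6Address(frame[8:24]), "dst": IPv6Address(frame[24:40]),
            "hop_limit": hop_limit, "payload_len": payload_len,
            "type": frame[40], "code": frame[41]}


def verdict(pkt: dict) -> str:
    """'accept' for types a host needs, 'drop' for ND that cannot be on-link,
    'policy' for everything else (left to the rest of the ruleset)."""
    if pkt["type"] in ND_TYPES and pkt["hop_limit"] != 255:
        return "drop"  # forwarded by a router, so not a genuine neighbour
    return "accept" if pkt["type"] in REQUIRED else "policy"


def build_ns(src: str, target: str, hop_limit: int = 255) -> bytes:
    """Constructed Neighbor Solicitation (checksum left zero) for the example."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + IPv6Address(target).packed
    icmp += bytes([1, 1]) + bytes.fromhex("020000000002")  # src link-layer option
    # Destination is the solicited-node multicast group of the target.
    sol = IPv6Address(int(IPv6Address("ff02::1:ff00:0")) | (int(IPv6Address(target)) & 0xFFFFFF))
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, hop_limit)
    return hdr + IPv6Address(src).packed + sol.packed + icmp


if __name__ == "__main__":
    for hl in (255, 64):
        p = parse(build_ns("fe80::1", "fe80::2", hop_limit=hl))
        print(f"type {p['type']} hop_limit {p['hop_limit']} -> {verdict(p)}")
```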

For getting a global address, you can use 6to4; you'll get a translation of your global v4 address as a v6 address. The downside is that you'll need to go through a 6to4 tunnel node; they range between "slow" and "painfully slow" depending on how near you are to a node (ping 192.88.99.1 to find out; this is the anycast address that ought to be your closest endpoint). Good enough to get a live link for testing and learning, but that's about it.

As far as ICMPv6, Mark's already covered it well. I'll add this: Don't stress about it. Think of all the chatter that you're currently used to tuning out - ARP, DHCP; if you've got Windows systems then NetBIOS, Computer Browser, and Teredo; multicast junk like SSDP/DLNA/UPnP. You're not used to these ICMP messages, but they're an important part of how IPv6 works, which is why you're setting it up to learn on in the first place!

Shane Madden
  • Not used to, but I'll adapt. Not looking to go outbound just yet, as I want to get an understanding of IPv6 on the internal network so that when I eventually build me an IPv6-aware firewall, I don't leave holes open that could compromise my network. Really the only thing I miss in IPv6 is NAT, but not for security, just because it obscures my addresses. I'll adapt in time, though... – Kumba Apr 06 '11 at 03:24