Statically configuring IPv6 address & gateway on CentOS/RHEL

Share Button

By default RHEL/CentOS 5 and 6 have SLAAC enabled, to automatically configure IPv6 addresses if a router advertisement is received on an interface.  I find this VERY undesirable on a server network and turn it off and statically assign instead.  Having it on is a huge risk; it basically would let anyone on a network where there is not currently IPv6 do some bad things.  For example, let’s say the attacker has access to a system on the network in question.  They could set up a 6to4 gateway on that system, start performing ipv6 router advertisements and then any RHEL/CentOS 5 or RHEL/CentOS 6 server on the network will immediately give itself a self-generated IPv6 address.  Now, any traffic leaving those systems destined for a dual-stack destination (i.e. offers ipv4 and ipv6), will leave via IPv6 to the attacker server as the default gateway for the IPv6 service and then that server proxies back to IPv4 so no one realizes what is occurring, while watching the traffic.  I see no reason why SLAAC should ever be enabled by default.  Windows does this too.  Here’s how to turn that off for both Linux and Windows.

Anyway, to set up static IPv6, you’ll make the following changes to the /etc/sysconfig/network file:

Change NETWORKING_IPV6=no to NETWORKING_IPV6=yes

Add:

IPV6_AUTOCONF=no
IPV6_DEFAULTGW=2001:db8::1

Just change the above to the relevant default gateway for your network.  If you, or your network provider, have chosen to use link local addresses for the default gateway, you will one additional line of configuration:

IPV6_DEFAULTDEV=eth0

Adjust that eth0 to whatever is appropriate for your system.  This is necessary because a link local address is specific to the interface you want to use it on and duplicates can exist if you have more than one interface, so you have to tell the OS which interface to use as the default (this is also why I don’t like link local addresses for gateways).

Next, changes to the /etc/sysconfig/network-scripts/ifcfg-eth0 (or ifcfg-em1, etc.) file:

Add:

IPV6INIT=yes
IPV6ADDR=2001:db8::10

Once these are completed, run “service network restart” and it will replace the auto assigned address with the new assigned address.

Share Button

One Reply to “Statically configuring IPv6 address & gateway on CentOS/RHEL”

  1. Zem Nedviz

    Use IPV6INIT=yes instead of NETWORKING_IPV6=yes. For the latter is deprecated and is not used by RH init scripts any more. Though it was used in some old RH releases.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *