IPV6 Address via SLAAC on Bridge

[domfi]

Hello everybody,

I've just seen, that ProxmoxVE has SLAAC activated for vmbr*. If an interface is connected to a network with IPv6 RAs the bridge gets an IPv6 Address and the virthost is reachable from the ipv6 network. IMO this is a security risk. Is there a solution other than disable ipv6 manually on the virthost?

Kind regards,
Dominik

 

[wbumiller]

You can add `autoconf 0` to vmbr0's /etc/network/interfaces inet6 section.
You can also disable autoconf by default via `/etc/sysctl.conf` (by adding `net.ipv6.conf.default.autoconf = 0`)

 

[domfi]

Thank you for your answer. I've tried but this did not work:

/etc/network/interfaces:
(...)
auto eth0.10
iface eth0.10 inet manual
vlan-raw-device eth0

auto vmbr1
iface vmbr1 inet manual
bridge_ports eth0.10
bridge_stp off
bridge_fd 0

iface vmbr1 inet6 manual
autoconf 0
(...)

Am I missing something here?

Nevertheless using sysctl worked. Since I don't want any IP address on my
bridges beside of vmbr0, I used this:

/etc/sysctl.d/disable-ipv6-on-vmbr.conf:
net.ipv6.conf.vmbr1.disable_ipv6=1

Kind regards
Dominik

 

[Aiko Barz]

SLAAC on Bridge-Interfaces is IMHO a real problem in hostile environments.
https://bugzilla.proxmox.com/show_bug.cgi?id=1251

 

[mcfly9]

Tried adding autoconf 0 to /etc/network/interfaces:

iface vmbr1 inet6 manual
        accept_ra 0
        autoconf 0

@wbumiller, unfortunately this didn't work, I still see the ULA address obtained using SLAAC. Doesn't matter if I do static or manual method.