IPv6 unexpectedly operational without configuring anything

E

Edrusb

Member
Jun 3, 2021
2
1
8
54
Paris
Hi,

I just realized that my proxmox hosts got assigned an IPv6 address from the internet provider box, since I changed one week ago from 'vlan aware' open-vswitch to the 'vlan unware' and default setting of vmbridge (which now supports large MTU, so I could get ride of open-vswitch).

I have thus configured a vmbr1 interface for the LAN connecting to the Internet box without any IPv4 nor IPv6 configured from proxmox GUI, two VMs instead are expect to filter the internet access having one of their interface connected to this vmbr1 LAN. The vmbridge configuration from proxmox point of view has empty IPv4/IPv6 fields, and as there is no way to set different modes (autoconf / DHCPv6 / or manual), I wrongly assumed IPv6 was behaving the same as IPv4 and had to be configured manually...

But that was wrong! The vmbr1 interface has a local-link address *and* a obtained a public IPv6 "2a01:...". Proxmox hypervisor is thus reachable from anywhere on Internet through IPv6 and is not protected by any of the two VMs that were here for that 8'-|

This may be seen as vulnerability and I suggest disabling the IPv6 autoconf and IPv6 router-advertisement by default in proxmox to mimic the IPv4 behavior. Else add a dropbox beside IPv6 fields when configuring an interfaces in proxmox GUI (auto/DHCPv6/manual) to clarify the default behavior to the administrator.

I guess something like this in the default proxmox distribution would do the trick (to be tested):
sysctl -w net.ipv6.conf.default.autoconf=0
sysctl -w net.ipv6.conf.default.accept_ra=0

my 2 cents
Edrusb
 
There are already very strong opinions on IPv6 and if it should be disabled by default or not in this forum [0].

I understand your point, but (sadly) this is simply how SLAAC works... Assigning addresses automatically without asking - which in most cases is very useful. By disabling SLAAC by default, we change the "default debian" behavior and quite a few users will suddenly have lost their IPv6 addresses.

Anyway, thanks for your report :)

[0] https://forum.proxmox.com/threads/what-do-i-need-to-do-to-disable-ipv6.42466/
 
  • Like
Reactions: Stoiko Ivanov
Adding a hint in the proxmox interface about possible auto assignment of IPv6, and the need of firewall setup (for example) to completely disable IPv6 would worth it (should not cost much in dev I guess, and it would help users not falling into the IPv6 trap and its possible security consequences).

Anyway, I take the opportunity to congratulate the dev/design team on proxmox, being an excellent alternative, much more intuitive than existing commercial solutions, while accesible to home user as I am. By the way, becoming confident with proxmox at home let me push and mention it to my customers (i'm working in IT). I just hope the business model you chose will stay long enough for you get back the long term benefit of the popularity it deserves: today more an more people know about proxmox when I mention it as a solution :^)
 
  • Like
Reactions: Lorenz.S
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom