Selectively preventing IPv6 Global address acquisition.

RouterOS General
1

Hi all

I am in the process of putting more of my network over to IPv6. As part of that, I have 2 servers which I would like to enable for IPv6. At the moment, they are on an isolated IPv4 subnet with no route to the public internet and I want to achieve the same with IPv6. IPv6 is working fine from a hEX router [ROS 7.16.2] for normal stuff.

The machines in question have IPv6 options of OFF, AUTO, DHCP and MANUAL. Apart from OFF, all of these options give me a Link-Local, a Unique Local and a Global Address. So how can I prevent acquisition of a Global Address? The approaches I can see fall into the following classes:

  1. This is not how IPv6 works, you are mad to even think of this, you should solve this with the firewall or something like that. Well, yes, but for my peace of mind, I would rather sleep knowing that these boxes have no Global IPv6 addresses
  2. To selectively prevent the router giving the servers in question a global IPv6 address, while allowing them to configure with their Unique Local and Link-local Addresses
  3. To somehow disable acquisition of the global address by the servers [preferred] or disable the addresses once acquired [less favoured, although I can do this from the command line, so just a question of finding a place for a script]. These are Linux servers with system.d

So any ideas? I suppose 2. is the most on topic for this forum, but I would be grateful for all input

2

Who’s stopping you from leaving IPv6 disabled on those servers and leaving everything as it is now?

The other devices that will have IPv6 will also have IPv4 anyway.

3

Thank you, how right you are.

Anyone else?

4

Firewalls.

You must have a global in order for IPv6 to work.

5

Are you sure of what you wrote?

Did you read the user requirements well?

He doesn’t want the servers to be reachable and not reach globally,
he just wants them to go by IPv6 only to the local LAN…

6

Exactly.

So are you saying that if there is no global address, then Unique Local Addresses will not work? Or is it just that the ULA's will work locally, but there is no connection to the wider internet? Because the latter wold be good enough for me.

7

https://www.rfc-editor.org/rfc/rfc7404.html The whole idea of IPv6 is to be globally routable. Either option has pros and cons. These things are all defined in RFCs, what/why you want global, etc.

ULAs will work, but a ULA is not routable at all, so if you're not on the same LAN segment (switch/vlan/etc), it won't be reachable.

8

As I said,

I have 2 servers which I would like to enable for IPv6. At the moment, they are on an isolated IPv4 subnet with no route to the public internet and I want to achieve the same with IPv6.

So ULA’s will do fine.

9

OK, a proof of concept. In NetworkManager on Linux, it is possible to obtain a LinkLocal address and set a Unique Local Address. In the config file for the required interface, ie eth0.nmconnection in my case, the ipv6 stanza can be set as follows:

[ipv6]
addr-gen-mode=stable-privacy
ip6-privacy=2
address1=<ULA1>/64
address2=<ULA2>/64
method=shared

Moreover, this is an effective transport between local machines. Unfortunately, the target machines use ifconfig rather than NetworkManager, so more work required - and any thoughts on controlling this from the Router would still be welcome.

10

@DuctView http://forum.mikrotik.com/t/best-way-to-disable-ipv6-advertisement-only-to-specific-clients/181467/1 might be of interest to you.