How to get rid of IPv6 - once and for ever....?

It’s regarding both Leap 15.1 and TW. I’m a little out of humor on this issue, as it is a year-long, uphill fight against opensuse and its constant and repeated attempts to enable ipv6 on its distributions. Earlier they simply switched in NetworkManager the ipv6 setting from “ignored” to something else, now they simply ignore it. I have disabled ipv6 in Yast, in wicked (although not used) as well as in NetworkManager. To no avail. With ip addr I see the eth0 interface still has (again) an ipv6 address. I don’t want it. I can disable it for the current session via

sysctl -w net.ipv6.conf.all.disable_ipv6=1 sysctl -w net.ipv6.conf.default.disable_ipv6=1 
  but after the next reboot the same ipv6 stuff is back.  Can I delete something once and for ever? Can I disable ipv6 in the kernel on boot (reliably)?    Please. There must be solution to get rid of this pest. IPv6 is uncontrollable via router/firewall, as nobody knows which and how many address a single machine has (including the router/firewall). I don't want this security issues on my network.

I have IPv6 running for years already on my systems. It is the way the world goes.Isn’t this like cutting yourself off from the ineternet more and more? To me it looks like an up-hill battle.

Hi Henk! No, everything here running just fine. Even if my ISP would switch to ipv6 Iwould go with ipv4 in the LAN. Again: ipv6 is a security nightmare. Uncontrollable. Insecure and side-channel by design. Can anybody enlighten my, where to turn it off? Pretty, pretty please? :slight_smile:

I see a line in “/etc/sysctl.conf”

# net.ipv6.conf.all.disable_ipv6 = 1

As far as I know, if you uncomment that, and then regenerate the “initrd” (run “mkinitrd”), that should do what you want.

However, I agree with Henk – ipv6 is the future. Unfortunately, my ISP does not currently provide it.

Yes, in the BIOS under Network.

Hy !

My /etc/sysctl.conf looks like:

  cat /etc/sysctl.conf                                               
####
#
# To disable or override a distribution provided file just place a
# file with the same name in /etc/sysctl.d/
#
# See sysctl.conf(5), sysctl.d(5) and sysctl(8) for more information
#
####

I used this file to disable ipv6 on the debian machine (Dell Precision M6400 with ATI m7740, not playing nice with opensuse anymore) by including

 net.ipv6.conf.all.disable_ipv6 = 1  
net.ipv6.conf.default.disable_ipv6 = 1  
net.ipv6.conf.lo.disable_ipv6 = 1

But as this file is so… empty… in TW I though it might be not in use for any kind of configuration.

BIOS is not an option, as my BIOS (all old machines here) don’t have such options. I would not trust is anyway, after I saw Win10 ignoring BIOS-disabled HDDs and simply accessed them anyway… :wink:

In Yast -> Boot Loader I added under “Kernel Parameters” -> “Optional Kernel Command Line Parameter”

 ipv6.disable=1

https://itsfoss.com/disable-ipv6-ubuntu-linux/

After reboot the machine cam back without IPv6 address.For now. Most likely the next TW update will kill that, too?

Here is the old forums thread:
https://forums.opensuse.org/showthread.php/433057-howto-disable-ipv6-opensuse-11-2-a

You may want to suppress ipv6 on a link basis only: https://en.opensuse.org/Systemd-networkd#Disabling_IPv6

Actually I observed a large delay upon connecting. This resulted from the router being unable to support ipv6. Thus the network tried to connect again until timeout. When suppressing ipv6 on the link it would not probe for ipv6.

                                                             https://itsfoss.com/disable-ipv6-ubuntu-linux/ 

An update never removes the iommu=soft parameter.

Inet6 is gone in Kubuntu 19.10 with the given link method (foss). Splash screen remains normal if set that way (see grub below) and the router is not affected. Should work the same for TW in Yast.

ip a

 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo

 valid_lft forever preferred_lft forever
 2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
 link/ether xx xx xx xx xx xx brd ff:ff:ff:ff:ff:ff

 3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
 link/ether xx xx xx xx xx xxbrd ff:ff:ff:ff:ff:ff
 inet xx /24 brd xx.255 scope global dynamic noprefixroute wlp3s0
 valid_lft 7198sec preferred_lft 7198sec


etc/default/grub

 GRUB_DEFAULT=0
 GRUB_TIMEOUT=7
 GRUB_DISTRIBUTOR=`lsb_release -i -s 2&gt; /dev/null || echo Debian`
 GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
 GRUB_CMDLINE_LINUX="ipv6.disable=1 iommu=soft"


uname -a

 Linux xx 5.2.0-050200rc6-generic #201906222033 SMP Sun Jun 23 00:36:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

 mokutil --sb-state

 SecureBoot enabled


Tor browser needs an extra tweak to kill V6 >about:config>IPV6>First entry must be set to false = will be removed>Restart Tor.

Fallback IPV6 is negative = fail + IPV6 test is mark not reachable.

https://ipleak.net/

Note FF 67.0.4 and Chrome 77.0.3833.0 don’t need to be tweaked. The result is negative.

I must say I fully agree with Henk. IPv6 is over 25 years old and many countries (e.g. China, Korea, Japan, etc) didn’t get many IPv4 addresses. Now there are hardly any IPv4 addresses left. I regularly buy for my little business items from China. When I visit my daughter’s place where they have no IPv6 I cannot connect to some of the regular addresses - I only get the response “Server not available”. I agree that there are additional security issues with IPv6, on the other hand just a random IP address may not lead anywhere as there are so many addresses available. I use IPv6 since 2003 or 2004 without problems and see no reason to disable it. With disabling IPv6 you are cutting yourself off a large part of the world.
Cheers
Uli

appreciate any comments, but don’t see the point of “simply use it, won’t hurt.” How would you recognize if you are side-channeled? Especially when it comes to China, USA, UK and alike I would be extremely careful with using protocols so prone to messing up security (or may I call it “insecure by design”? remember which time it was when ipv6 was standardized…).

as long as nobody can provide a secure setup for ipv6 (LAN-wise) I will go with ipv4 and NAT. ipv6 on WAN is a different piece of cake and might be necessary one day, but not now. I never saw any “server not available”. What kind of miss-config should this be to cut off 98% of the internet (the ipv4 world) from your “services”? :smiley:

Returning to your opening post…

Earlier they simply switched in NetworkManager the ipv6 setting from “ignored” to something else, now they simply ignore it.

What leads you to believe that this is the case? With a NM connection defined such that

[ipv6]
method=ignore

show the following (when that connection is then activated)…

ip -6 a
ip -6 r

I added the disable command to the bootloader and think I’m done. Will report back if the ipv6 stuff comes back… :slight_smile:

Hello,

As someone who has worked in networking for over 20 years, I can absolutely tell you that your assessment of the IPv6 protocol absolutely incorrect.

In fact, by design, IPv6 is more secure than IPv4 could ever be. It is actually much easier to lockdown and control than IPv4 could ever be. Because of that, nothing has been done to enhance IPv4 for over a decade now.

If you indeed succeed in “turning it off”, it’ll only be to your own demise as you’ll quickly learn, as IPv6 is rolled out worldwide, even running IPv4 on your own LAN will only hinder your ability to nagivate the internet in a safe and sufficient manner.