
While manually assigning a static IPv6 address on CentOS release 7.9.2009 works, I noticed that another (second) IPv6 address is being generated, the so-called EUI-64, containing ff::fe in the middle of the host part of the address. I want to remove it and leave only the manually assigned one, but unfortunately I am not able to. Currently, under the interface I have the following parameters.

/etc/sysconfig/network-scripts/ifcfg-br0

and the interface looks like this:

DEVICE=br0
BOOTPROTO=static
NM_CONTROLLED=no
ONBOOT=yes
USERCTL=no

TYPE=Bridge
MACADDR=01:02:03:01:02:03
MTU=9000
    
IPADDR=MY_PUBLIC_IPV4
PREFIX=29
NETWORK=MY_PUBLIC_IPV4_NETWORK

DNS1=8.8.8.8
DNS2=8.8.4.4

IPV6INIT=yes
IPV6_AUTOCONF=no
DHCPV6C=no
IPV6ADDR=MY_GLOBAL_IPV6/48
IPV6_DEFAULTGW=MY_GLOBAL_IPV6_GATEWAY
IPV6_MTU=9000

ZONE=public

The interface itself is coming up and L2 and L3 networking is working fine for v4 and v6, but when I issue the command

ip addr show dev br0

I see not only the statically configured IPv6, but also a second IPv6 which is generated based on the EUI-64. I want to get rid of this second IPv6. How do I do that in CentOS?

I have also removed the dhcpv6-client service from all zones in order to see if that would change anything, but it did not.

firewall-cmd --zone=internal --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=home --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=block --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=dmz --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=drop --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=external --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=trusted --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=work --remove-service=dhcpv6-client --permanent

After that I reloaded the firewall just to be sure.

firewall-cmd --reload

How do I get rid of that EUI-64 address in CentOS/RHEL/Fedora?

Running:

Linux server 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The IPv6 address in question that I am trying to remove has scope: scope global mngtmpaddr dynamic, i.e. we are not speaking about link-local addresses here, i.e. not fe80::

Michael Hampton
Tito
  • Well, there are multiple reasons; here are a couple of those. Any address containing ff:ffe in the middle is to be considered EUI-64, basically providing the MAC address of the machine globally. Some people will consider this a security risk. Another reason is routing. If you have static addresses you know where the traffic is coming from; in case you use BGP etc., you see the address and you immediately know what prefix that is, in case you have a schema. There are also others, but those 2 should suffice. – Tito Dec 06 '20 at 14:41
  • Just to be sure, are you using NetworkManager? – Michael Hampton Dec 06 '20 at 17:38
  • @MichaelHampton No, I am not using NetworkManager, thus the line "NM_CONTROLLED=no" in the config. This was a deliberate decision. It was related to channel bonding and 802.1x authentication and Ansible, but this is out of the scope of this question. – Tito Dec 06 '20 at 19:33
  • You do have a proper mystery then. Might I suggest as a workaround `IPV6_PRIVACY=rfc3041` until you are able to find the cause? – Michael Hampton Dec 06 '20 at 20:52
  • @MichaelHampton, thank you, I do appreciate it and I will consider it. However, the point here is to control the source of the traffic. – Tito Dec 07 '20 at 07:49
  • @MichaelHampton I have particularly disabled SLAAC, i.e. according to Google this is IPV6_AUTOCONF=no, but still no luck. – Tito Dec 07 '20 at 07:53
  • @MichaelHampton Found it. Apparently it is not enough to configure IPV6_AUTOCONF=no under the interface itself; it is also required to put that exact same directive in /etc/sysconfig/network. After I did that, bingo. So this is kind of a global setting, all or nothing :) – Tito Dec 07 '20 at 08:10
  • You should still be able to enable autoconf for specific interfaces if you need it. Later, in CentOS 8 you will get RFC 7217 stable privacy addresses and will no longer need to worry about leaking the MAC address when using SLAAC. – Michael Hampton Dec 07 '20 at 16:32

1 Answer

In my case it was not enough to put

IPV6_AUTOCONF=no

under the interface config. It was also required to put "IPV6_AUTOCONF=no" in /etc/sysconfig/network

Then SLAAC was disabled completely, and with that also the EUI-64 address.

Tito
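To confirm the fix took effect, the following added example (not part of the original post) parses `ip -6 addr show` output, reports any global address carrying the `dynamic` or `mngtmpaddr` flag, and decodes the MAC address that an EUI-64 interface ID exposes. The sample output, the 2001:db8:: documentation prefix and the MAC 52:54:00:12:34:56 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev br0` output
# (documentation prefix and made-up MAC, not taken from the post).
SAMPLE = """\
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 state UP qlen 1000
    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global mngtmpaddr dynamic
       valid_lft 2591990sec preferred_lft 604790sec
    inet6 2001:db8:1:2::10/48 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6 = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)(.*)$")


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":                   # EUI-64 filler bytes
        return None
    # Undo the universal/local bit flip and drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(ip_output):
    """List global addresses that came from SLAAC and/or expose a MAC."""
    findings = []
    for line in ip_output.splitlines():
        m = INET6.match(line)
        if not m or m.group(3) != "global":       # skip link-local etc.
            continue
        addr, flags = m.group(1), m.group(4).split()
        slaac = "dynamic" in flags or "mngtmpaddr" in flags
        mac = eui64_mac(addr)
        if slaac or mac:
            findings.append({"address": addr, "slaac": slaac, "mac": mac})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result from `audit()` on the real output of `ip -6 addr show dev br0` means only the statically configured global address remains.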