7

We are currently setting up some local network servers to run in a full IPv4 network. I can be sure that this network doesn't have IPv6 support, and never will.

Next to that,

  • partially because of a command from higher organisational levels,
  • partially because we must guarantee it will never cause any interference,

we need to somehow completely disable the IPv6 support in the kernels of these Linux servers.

Yes, I can google for some sysctl settings, but it wasn't enough. For example, in the default settings of /etc/hosts, I've also found some IPv6 records. I won't let it cause trouble in the future.

What exactly needs to be done to remove the whole IPv6 support from a freshly installed Debian entirely? A checklist/todo list would be best, but any other form would also be okay.

I checked the config files in /etc a lot, but I can't be sure I've found everything.

Any better ideas? Is there any "checklist" of what needs to be set up?

  • 5
    Good question, bad management. It's 2015; disabling IPv6 without _compelling_ reasons is irresponsible and stupid. And I've _never_ heard a compelling reason. If you just don't want to be surprised when global IPv6 addresses suddenly start coming in, then you _also_ need to firewall the network off. – Michael Hampton Jan 20 '15 at 18:33
  • What I would tell people making such misguided requests is this: I cannot guarantee that a dual stack deployment won't cause any problems. I can however guarantee that completely disabling IPv6 will cause some problems. – kasperd Jan 20 '15 at 19:50
  • the only reason a dual stack deployment would cause issues that I can think of is a 6to4 issue caused by using public IPs privately – Jim B Jan 20 '15 at 20:35

1 Answer

8

Either the sysctl lines in /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

and/or the GRUB line in /etc/default/grub

GRUB_CMDLINE_LINUX="ipv6.disable=1"

will disable ipv6 support at the system level and should be enough. If your applications still attempt to connect via ipv6, then that's the application's fault and needs to be addressed with the vendor.

The /etc/hosts file entry isn't relevant.

Hyppy
  • 2
    Don't count on applications to work without IPv6 though if the OS/distro you're using is shipped with IPv6 enabled. Nobody will have tested that configuration so you will have to do your own testing and QA. – Sander Steffann Jan 20 '15 at 18:47
  • 3
    PS: if you also have Windows boxes on that network: Microsoft has explicitly stated that turning IPv6 off is an untested and unsupported configuration. – Sander Steffann Jan 20 '15 at 18:48
  • It's not the "application's fault"; programs can still load the module as they wish. You can check this by running lsmod or modprobe -l, you will still see the ipv6.ko kernel module. This allows user mode programs to access the kernel module in their code. If an admin is actually going to do this, they've instituted their own instability. – Jim B Jan 20 '15 at 20:41
  • Sysctl.conf needed a reboot (Debian stretch/sid) but worked otherwise. (Needed to turn off IPv6 since I needed HTTPS on IPv4, and Apache only claimed 443 on tcp6) – MSalters Jan 30 '17 at 10:13
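
A way to check the runtime state that the sysctl and GRUB settings in the answer are meant to produce, added here as an example and not part of the original answer or comments. The function name `ipv6_audit` and its optional directory argument (used to point the check at a copied or constructed tree instead of the live /proc) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether IPv6 is actually off on the running system.
# Usage: ipv6_audit [PROC_DIR]    (PROC_DIR defaults to /proc)
# Returns 0 if nothing IPv6-enabled was found, 1 otherwise.
ipv6_audit() {
    proc="${1:-/proc}"
    rc=0

    # 1. Boot parameter set through GRUB_CMDLINE_LINUX (informational only:
    #    the sysctl route is also valid, so its absence is not a failure).
    cmdline=$(cat "$proc/cmdline" 2>/dev/null) || cmdline=""
    case " $cmdline " in
        *" ipv6.disable=1 "*) echo "OK   cmdline has ipv6.disable=1" ;;
        *)                    echo "INFO cmdline lacks ipv6.disable=1" ;;
    esac

    # 2. Running sysctl values, one entry per interface plus all/default.
    #    Editing sysctl.conf does not by itself change the running values.
    for f in "$proc"/sys/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue        # glob did not match: no sysctl tree
        iface=${f%/disable_ipv6}
        iface=${iface##*/}
        val=$(cat "$f")
        if [ "$val" = "1" ]; then
            echo "OK   $iface disable_ipv6=1"
        else
            echo "FAIL $iface disable_ipv6=$val"
            rc=1
        fi
    done

    # 3. Addresses still configured. Each line of if_inet6 is:
    #    address ifindex prefixlen scope flags ifname
    if [ -r "$proc/net/if_inet6" ]; then
        while read -r addr idx plen scope flags ifname; do
            echo "FAIL $ifname still has address $addr"
            rc=1
        done < "$proc/net/if_inet6"
    fi

    return $rc
}
```

Source the file and run `ipv6_audit` after applying the settings (or after the reboot); any `FAIL` line names the interface that still has IPv6 enabled or an address assigned.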