What happens when IPv6 is disabled, but devices keep receiving IPv6 Link Local Addresses?

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
I disable IPv6 everywhere I can - router (with incredibly limited "simpleton-consumer" settings), local Raspberry Pi DNS server (in both - Server App and device configuration), and on every device I can. My VPN does not support IPv6 and neither does my ISP. All devices on my LAN/Local WiFi are assigned a static IPv4 address. Static IPs are reserved for each device in router, but DHCP is disabled in router. All WiFi devices are on Guest AP Isolation network and are unable to see each other via IPv4 or login to router settings or receive Multicast. The router sends out IGMPv3 signals to all devices and there are no settings on router to change that. Some Android wireless devices (with locked bootloaders without root) on my network continue to receive "fe80" IPv6 Link Local addresses, but all those devices have Wireguard-based VPN (with local network discovery disabled in VPN App). Due to circumstances, I can't monitor what IPv6 information is exchanged between all devices with IPv6 Link Local addresses on my LAN/Local WiFi network. My personal Android WiFi devices do not receive IPv6 Link Local addresses, but they are rooted, modified with Magisk modules, and root-requiring network apps that prevent any IPv6 assignment.

So what happens when one local network device receives an IPv6 address and other devices do not? What information can be exchanged between such devices? I assume that an IPv4-only device would automatically drop all IPv6-related requests as if it had a firewall with a rule to drop all IPv6 requests?
 

mvmiller12

[H]ard|Gawd
Joined
Aug 7, 2011
Messages
1,036
To the best of my knowledge, all IPv6 Link Local addresses are unroutable - they couldn't get out to the internet if you wanted them to. And Link Local IPv6 addresses are about as useful as IPv4 Link Local addresses - which is to say useless without DNS or WINS or NetBIOS or something to "glue" the systems on that network together.

If you want to avoid seeing the Link Local IPv6 addresses entirely, at least on your Windows boxes, you can unbind the IPv6 protocol from each of your LAN/WiFi adapters and be done with it.
 

EnthusiastXYZ

Never mind, I realized my non-IPv6 devices eventually get IPv6 addresses (30-40 seconds after booting up) and that's when TCPDUMP starts showing entries like:
IP6 :: > ff02::xxx ICMP6, neighbor solicitation, who has fe80::xxx, length 24
IP6 :: > ff02::xxx HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 :: > ff02::xxx HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 fe80::xxx > ff02::xxx HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 fe80::xxx > ff02::xxx ICMP6, router solicitation, length 16
IP6 fe80::xxx > ff02::xxx HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 fe80::xxx > ff02::xxx ICMP6, router solicitation, length 16

I thought ff00::/8 rule would drop all ff02:: IPv6 Multicast packets and fe80::/10 would block all IPv6 Local Link packets, but they don't, and they don't block IGMPv3 all-systems.mcast.net entries either:
iptables -I FORWARD -p icmp -j DROP
iptables -I INPUT -p icmp -j DROP
iptables -I OUTPUT -p icmp -j DROP
iptables -I FORWARD -m iprange --src-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I OUTPUT -m iprange --src-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I FORWARD -m iprange --dst-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I INPUT -m iprange --dst-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 224.0.0.0-255.255.255.255 -j DROP
ip6tables -I FORWARD -p icmp -j DROP
ip6tables -I INPUT -p icmp -j DROP
ip6tables -I OUTPUT -p icmp -j DROP
ip6tables -I FORWARD -s ff00::/8 -j DROP
ip6tables -I FORWARD -d ff00::/8 -j DROP
ip6tables -I FORWARD -s fc00::/8 -j DROP
ip6tables -I FORWARD -d fc00::/8 -j DROP
ip6tables -I FORWARD -s fd00::/8 -j DROP
ip6tables -I FORWARD -d fd00::/8 -j DROP
ip6tables -I FORWARD -s fe80::/10 -j DROP
ip6tables -I FORWARD -d fe80::/10 -j DROP
ip6tables -I INPUT -s ff00::/8 -j DROP
ip6tables -I INPUT -d ff00::/8 -j DROP
ip6tables -I INPUT -s fc00::/8 -j DROP
ip6tables -I INPUT -d fc00::/8 -j DROP
ip6tables -I INPUT -s fd00::/8 -j DROP
ip6tables -I INPUT -d fd00::/8 -j DROP
ip6tables -I INPUT -s fe80::/10 -j DROP
ip6tables -I INPUT -d fe80::/10 -j DROP
ip6tables -I OUTPUT -s ff00::/8 -j DROP
ip6tables -I OUTPUT -d ff00::/8 -j DROP
ip6tables -I OUTPUT -s fc00::/8 -j DROP
ip6tables -I OUTPUT -d fc00::/8 -j DROP
ip6tables -I OUTPUT -s fd00::/8 -j DROP
ip6tables -I OUTPUT -d fd00::/8 -j DROP
ip6tables -I OUTPUT -s fe80::/10 -j DROP
ip6tables -I OUTPUT -d fe80::/10 -j DROP

The only commands that drop IPv6 packet reception are the commands used to disable IPv6, which are included in one of my Magisk modules:
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/wlan0/accept_ra
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/wlan0/disable_ipv6
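
The traffic in the capture above is the housekeeping any active IPv6 stack performs on a link: duplicate address detection, MLD reports and router solicitations. As an added example (not code from the thread), this shell function labels such tcpdump lines and counts them; the sample capture and its addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Labels tcpdump ICMPv6 text lines.

# Print "<label> <src> -> <dst>" for every "IP6 ..." line on stdin.
classify_icmp6() {
    while IFS= read -r line; do
        case "$line" in "IP6 "*) ;; *) continue ;; esac
        set -f; set -- $line; set +f      # split on whitespace, no globbing
        src=$2
        dst=${4%:}                        # real tcpdump appends ':' to dst
        case "$line" in
            *"neighbor solicitation"*)
                # Source :: means the sender has no address yet: this is
                # Duplicate Address Detection for the address it wants.
                if [ "$src" = "::" ]; then label=dad-probe
                else label=neighbor-solicitation; fi ;;
            *"neighbor advertisement"*)    label=neighbor-advertisement ;;
            *"router solicitation"*)       label=router-solicitation ;;
            # An RA on a LAN with no IPv6 router configured deserves a look:
            # hosts with accept_ra enabled would autoconfigure from it.
            *"router advertisement"*)      label=router-advertisement ;;
            *"multicast listener report"*) label=mld-report ;;
            *)                             label=other ;;
        esac
        printf '%s %s -> %s\n' "$label" "$src" "$dst"
    done
}

# Count lines carrying a given label in classify_icmp6 output on stdin.
count_label() {
    grep -c "^$1 " || true
}

# Constructed sample capture (addresses are made up).
SAMPLE='IP6 :: > ff02::1:ff00:1234: ICMP6, neighbor solicitation, who has fe80::1234, length 24
IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 fe80::1234 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 fe80::1234 > ff02::2: ICMP6, router solicitation, length 16
IP6 fe80::9 > ff02::1: ICMP6, router advertisement, length 64
IP 192.168.1.5 > 224.0.0.1: igmp query v3'

printf '%s\n' "$SAMPLE" | classify_icmp6
```

tcpdump taps inbound frames before ip6tables sees them, so a DROP rule in INPUT does not remove them from the capture. Within ip6tables, ICMPv6 is matched with `-p icmpv6`; `-p icmp` names the IPv4 protocol.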
 

SamirD

2[H]4U
Joined
Mar 22, 2015
Messages
4,000
This is pretty scary. I did a search on a quick way to completely break an ipv6 network and didn't get any results. :(
 
Deleted member 12106

Guest
Should be able to disable ipv6 on the interface itself, this won't allow for an ipv6 link local, either.
 

EnthusiastXYZ

> Should be able to disable ipv6 on the interface itself, this won't allow for an ipv6 link local, either.

On interface itself? As in disable in router settings or disable on per-device basis? IPv6 is disabled in router settings, but it appears to affect only WAN. There is no way to disable IPv6 on non-rooted Android devices...
 

mvmiller12

> On interface itself? As in disable in router settings or disable on per-device basis? IPv6 is disabled in router settings, but it appears to affect only WAN. There is no way to disable IPv6 on non-rooted Android devices...

ANY AND EVERY device that has an active IPv6 stack will self-generate a Link Local address if it is not assigned one by a server. The same is true for the IPv4 stack as well. Since link local addresses are not routable, don't worry about it.
 

EnthusiastXYZ

> ANY AND EVERY device that has an active IPv6 stack will self-generate a Link Local address if it is not assigned one by a server. The same is true for the IPv4 stack as well. Since link local addresses are not routable, don't worry about it.

I don't care about IPv6 being routable or not outside of local network. I do care about the local network.
 

mvmiller12

> I don't care about IPv6 being routable or not outside of local network. I do care about the local network.

Then your one and only option is to disable/unbind the IPv6 stack on every device that you can. On devices you can't, you'll just be stuck with it. No other way around it.
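
One way to check which interfaces of a device still have an active IPv6 stack, using the same /proc knobs quoted earlier in the thread (added example, not the posters' code). The function names, the optional root-directory argument and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits per-interface IPv6 state.
# With no argument it reads the live /proc; the demo uses a constructed tree.

# One line per interface:
#   "<if> disable_ipv6=<v> accept_ra=<v> link_local=<yes|no>"
ipv6_audit() {
    root=${1:-}
    for dir in "$root"/proc/sys/net/ipv6/conf/*/; do
        [ -d "$dir" ] || continue
        ifname=$(basename "$dir")
        # "all" and "default" are templates, not interfaces.
        case "$ifname" in all|default) continue ;; esac
        dis=$(cat "$dir/disable_ipv6" 2>/dev/null || echo '?')
        ra=$(cat "$dir/accept_ra" 2>/dev/null || echo '?')
        # if_inet6 columns: <32 hex addr> <ifindex> <plen> <scope> <flags> <if>
        # fe80::/10 covers addresses starting fe8, fe9, fea or feb.
        ll=no
        if awk -v i="$ifname" '$6 == i && $1 ~ /^fe[89ab]/ { f = 1 }
                               END { exit !f }' \
               "$root/proc/net/if_inet6" 2>/dev/null; then
            ll=yes
        fi
        printf '%s disable_ipv6=%s accept_ra=%s link_local=%s\n' \
               "$ifname" "$dis" "$ra" "$ll"
    done
}

# Succeeds only if every interface has IPv6 disabled and no fe80:: address.
ipv6_fully_off() {
    ! ipv6_audit "$1" | grep -qv 'disable_ipv6=1 .*link_local=no$'
}

# Constructed demo tree: wlan0 disabled as in the thread, eth0 still active.
make_demo_tree() {
    t=$(mktemp -d)
    for i in wlan0 eth0; do mkdir -p "$t/proc/sys/net/ipv6/conf/$i"; done
    mkdir -p "$t/proc/net"
    echo 1 > "$t/proc/sys/net/ipv6/conf/wlan0/disable_ipv6"
    echo 0 > "$t/proc/sys/net/ipv6/conf/wlan0/accept_ra"
    echo 0 > "$t/proc/sys/net/ipv6/conf/eth0/disable_ipv6"
    echo 1 > "$t/proc/sys/net/ipv6/conf/eth0/accept_ra"
    echo 'fe800000000000000000000000001234 03 40 20 80     eth0' \
        > "$t/proc/net/if_inet6"
    echo "$t"
}

demo=$(make_demo_tree)
ipv6_audit "$demo"
rm -rf "$demo"
```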
 