What happens when IPv6 is disabled, but devices keep receiving IPv6 Link Local Address?

EnthusiastXYZ

I disable IPv6 everywhere I can - router (with incredibly limited "simpleton-consumer" settings), local Raspberry Pi DNS server (in both - Server App and device configuration), and on every device I can. My VPN does not support IPv6 and neither does my ISP. All devices on my LAN/Local WiFi are assigned a static IPv4 address. Static IPs are reserved for each device in router, but DHCP is disabled in router. All WiFi devices are on Guest AP Isolation network and are unable to see each other via IPv4 or log in to router settings or receive Multicast. The router sends out IGMPv3 signals to all devices and there are no settings on router to change that. Some Android wireless devices (with locked bootloaders without root) on my network continue to receive "fe80" IPv6 Link Local addresses, but all those devices have Wireguard-based VPN (with local network discovery disabled in VPN App). Due to circumstances, I can't monitor what IPv6 information is exchanged between all devices with IPv6 Link Local addresses on my LAN/Local WiFi network. My personal Android WiFi devices do not receive IPv6 Link Local addresses, but they are rooted, modified with Magisk modules, and root-requiring network apps that prevent any IPv6 assignment.

So what happens when one local network device receives an IPv6 address and other devices do not? What information can be exchanged between such devices? I assume that an IPv4-only device would automatically drop all IPv6-related requests as if it had a firewall with a rule to drop all IPv6 requests?
 
To the best of my knowledge, all IPv6 Link Local addresses are unroutable - they couldn't get out to the internet if you wanted them to. And Link Local IPv6 addresses are about as useful as IPv4 Link Local addresses - which is to say useless without DNS or WINS or NetBIOS or something to "glue" the systems on that network together.

If you want to avoid seeing the Link Local IPV6 addresses entirely, at least on your Windows boxes, you can unbind the IPv6 protocol from each of your LAN/WiFi adapters and be done with it.
 
Never mind, I realized my non-IPv6 devices eventually get IPv6 addresses (30-40 seconds after booting up) and that's when tcpdump starts showing entries like:
IP6 :: > ff02::xxx ICMP6, neighbor solicitation, who has fe80::xxx, length 24
IP6 :: > ff02::xxx HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 :: > ff02::xxx HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 fe80::xxx > ff02::xxx HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 fe80::xxx > ff02::xxx ICMP6, router solicitation, length 16
IP6 fe80::xxx > ff02::xxx HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
IP6 fe80::xxx > ff02::xxx ICMP6, router solicitation, length 16

I thought ff00::/8 rule would drop all ff02:: IPv6 Multicast packets and fe80::/10 would block all IPv6 Local Link packets, but they don't, and they don't block IGMPv3 all-systems.mcast.net entries either:
iptables -I FORWARD -p icmp -j DROP
iptables -I INPUT -p icmp -j DROP
iptables -I OUTPUT -p icmp -j DROP
iptables -I FORWARD -m iprange --src-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I OUTPUT -m iprange --src-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I FORWARD -m iprange --dst-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I INPUT -m iprange --dst-range 224.0.0.0-255.255.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 224.0.0.0-255.255.255.255 -j DROP
ip6tables -I FORWARD -p icmp -j DROP
ip6tables -I INPUT -p icmp -j DROP
ip6tables -I OUTPUT -p icmp -j DROP
ip6tables -I FORWARD -s ff00::/8 -j DROP
ip6tables -I FORWARD -d ff00::/8 -j DROP
ip6tables -I FORWARD -s fc00::/8 -j DROP
ip6tables -I FORWARD -d fc00::/8 -j DROP
ip6tables -I FORWARD -s fd00::/8 -j DROP
ip6tables -I FORWARD -d fd00::/8 -j DROP
ip6tables -I FORWARD -s fe80::/10 -j DROP
ip6tables -I FORWARD -d fe80::/10 -j DROP
ip6tables -I INPUT -s ff00::/8 -j DROP
ip6tables -I INPUT -d ff00::/8 -j DROP
ip6tables -I INPUT -s fc00::/8 -j DROP
ip6tables -I INPUT -d fc00::/8 -j DROP
ip6tables -I INPUT -s fd00::/8 -j DROP
ip6tables -I INPUT -d fd00::/8 -j DROP
ip6tables -I INPUT -s fe80::/10 -j DROP
ip6tables -I INPUT -d fe80::/10 -j DROP
ip6tables -I OUTPUT -s ff00::/8 -j DROP
ip6tables -I OUTPUT -d ff00::/8 -j DROP
ip6tables -I OUTPUT -s fc00::/8 -j DROP
ip6tables -I OUTPUT -d fc00::/8 -j DROP
ip6tables -I OUTPUT -s fd00::/8 -j DROP
ip6tables -I OUTPUT -d fd00::/8 -j DROP
ip6tables -I OUTPUT -s fe80::/10 -j DROP
ip6tables -I OUTPUT -d fe80::/10 -j DROP

The only commands that drop IPv6 packet reception are the commands used to disable IPv6, which are included in one of my Magisk modules:
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/wlan0/accept_ra
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/wlan0/disable_ipv6
 
This is pretty scary. I did a search on a quick way to completely break an ipv6 network and didn't get any results. :(
 
Should be able to disable IPv6 on the interface itself; this won't allow for an IPv6 link local, either.
 
On interface itself? As in disable in router settings or disable on per-device basis? IPv6 is disabled in router settings, but it appears to affect only WAN. There is no way to disable IPv6 on non-rooted Android devices...
 
ANY AND EVERY device that has an active IPv6 stack will self-generate a Link Local address if it is not assigned one by a server. The same is true for the IPv4 stack as well. Since link local addresses are not routable, don't worry about it.
 
I don't care about IPv6 being routable or not outside of local network. I do care about the local network.
 
Then your one and only option is to disable/unbind the IPv6 stack on every device that you can. On devices you can't, you'll just be stuck with it. No other way around it.
 
So I hate to bump an older thread, but this is strongly related to the OP's situation.

All IPv6 is disabled by unchecking the ip6 box under network adapters--and yet network activity under resource monitor shows svchost sending out data:
Code:
Image    Address    Send (B/sec)    Receive (B/sec)    Total (B/sec)
svchost.exe (NetworkService)    9570:7a14:ff48:83c3:266:833b:2074:f6e9    12    0    12
What gives? I thought we all agreed that shutting off ip6 on all devices on a network should stop stuff like this?

I found a thread on this on another forum with the same issue with no resolution:
https://www.sevenforums.com/network...trying-connect-ipv6-even-ipv6-disabled-2.html
 
It's really not supported to disable IPv6 on Windows. As you are seeing, it's so baked into everything on it.
 
Seems maybe that disabling IPv6 doesn't truly kill it, but simply prevents it from being used on a physical NIC?

That address is an odd-looking one. It's not a part of any current or previously assigned IPv6 range, nor is it a multicast or link-local address. My guess is that process requires the IPv6 stack for inter-process communication of some sort.
What's interesting about this (and its two sibling processes as well) is that it has only sent and never received. So either some sort of local address, or my router is stopping any ip6 routing since ip6 isn't configured there.

I just don't like sneaky stuff running that shouldn't. That's a big no-no that I've really been butting heads with in the more recent generations of Windows. :mad:
 
It's really not supported to disable IPv6 on Windows. As you are seeing, it's so baked into everything on it.
Yeah, I read that in the other thread as well. Makes me trust it even less too knowing that.
 
On Linux, as per one of OP's replies, use the following sysctl tweaks to disable IPv6:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

On Windows, disable Microsoft IPv6 Protocol Driver Autostart, disable IPv6 in Network Adapter properties, and add the following to registry:
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents"=dword:000000ff


That should prevent any and all IPv6 connections. Once router IPv6 interfaces are disabled (per above-mentioned Linux tweak), devices connected to it would not be able to communicate via IPv6 connections (Link Layer or otherwise). I am not sure if that applies to Ad-Hoc networks and/or Mesh networks where devices can connect to each other regardless of routers' functions and/or presence.
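
Added example, not part of the original posts: a shell check of the state that the sysctl keys in this post and the OP's earlier /proc/sys/net/ipv6/conf/wlan0 writes are meant to produce. It reports disable_ipv6 and accept_ra for every interface entry and counts link-local addresses listed in /proc/net/if_inet6; the function name ipv6_audit and its optional /proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report the IPv6 state of every
# interface entry the kernel exposes. The optional argument is a
# hypothetical override of the /proc mount point, used only so the
# check can be run against a constructed test tree.

ipv6_audit() {
    proc_root="${1:-/proc}"
    conf="$proc_root/sys/net/ipv6/conf"
    addrs="$proc_root/net/if_inet6"

    if [ ! -d "$conf" ]; then
        echo "no-ipv6-stack"        # no IPv6 sysctl tree is present
        return 0
    fi
    [ -r "$addrs" ] || addrs=/dev/null

    # "all" and "default" are templates, not devices: "default" is the
    # setting applied to interfaces that appear later.
    for dir in "$conf"/*/; do
        [ -d "$dir" ] || continue
        ifname=$(basename "$dir")
        dis=$(cat "$dir/disable_ipv6" 2>/dev/null || echo "?")
        ra=$(cat "$dir/accept_ra" 2>/dev/null || echo "?")

        # if_inet6 columns: address ifindex prefixlen scope flags name.
        # Scope 20 (hex) marks a link-local (fe80::/10) address.
        ll=$(awk -v i="$ifname" \
            '$6 == i && $4 == "20" { n++ } END { print n + 0 }' "$addrs")

        if [ "$dis" = "1" ]; then
            state="disabled"
        elif [ "$ll" -gt 0 ]; then
            state="ACTIVE"
        else
            state="enabled-no-address"
        fi
        echo "$ifname disable_ipv6=$dis accept_ra=$ra link_local=$ll $state"
    done
}

# Audit the live system (or the tree given as the first argument).
ipv6_audit "${1:-/proc}"
```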
 
If your router doesn't execute custom sysctl configurations on boot before connections to clients are established and/or before configured router rules are executed, then you may be screwed, but secure routers tend to keep interfaces disabled until kernel and user rules are applied during power up, reboot, and power down cycles. That's why to this day law enforcement uses dirty tricks, such as cutting off all power to reboot devices to gain more information. Uninterruptible Power Supplies are essential to network security!
 
I get "Command Not Found" :(
 