Any security/privacy downside to disabling IPv6 on Ubuntu?

By running sudo sysctl net.ipv6.conf.all.disable_ipv6=1

2 Likes

Typically disabling things reduces attack surfaces. In this case, I can't imagine it would hurt anything. Is there a reason you are disabling IPv6?

Due to IPv6 leak which exposes my IP. What's its benefit anyway?

Which ipv6 leak are you referring to?

I don't know now, but Debian and Ubuntu enable IPv6 by default, which reveals the device's MAC address. Disabling IPv6 eliminates this problem, but enabling IPv6 privacy extensions might be good enough to protect the MAC address.

Use ipv6 privacy extensions (RFC 4941):

net.ipv6.conf.all.use_tempaddr = 2

Reveals it to who?

AFAIK Any website you visit. Basically IPv6 uses the MAC address of a device as a seed value when creating the IPv6 address.

Further reading on the topic:

1 Like

Does sudo sysctl net.ipv6.conf.all.disable_ipv6=1 circumvent that issue?

If I understand correctly from this thread, then that command disables IPv6 routing on Ubuntu, so yes, it should mitigate any issues from EUI-64 IPv6 addresses.

Edit: after a quick search it seems I was partially correct. That command does disable IPv6, but only temporarily. To disable it permanently you need to edit the '/etc/sysctl.conf' file that controls it.

Source: Ubuntu Forum Thread on the topic

Personally I would not recommend disabling IPv6 completely as it can break things. Instead ensure that the IPv6 privacy extensions are enabled and EUI-64 is not in use and just leave IPv6 on.

1 Like

How do you do that, exactly?

Paywalled

I believe Ubuntu enables this by default now, but this would be how to configure it otherwise.

Privacy extensions

Add the following sysctl parameters:

/etc/sysctl.d/40-ipv6.conf

# Enable IPv6 Privacy Extensions
# ("nic" is a placeholder: substitute your network interface name)
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.nic.use_tempaddr = 2

Source:
https://wiki.archlinux.org/title/IPv6

Ubuntu and arch both use sysctl so this should be applicable.

1 Like

Sorry about that, I mostly was looking for a good explainer on EUI-64, and must not have scrolled far enough to notice the paywall. Here is an alternative explanation, which shouldn't be paywalled.

To sum it up though IPv6 EUI-64 is a method of IPv6 self assignment where the following steps occur to create an address.

  • An end device takes its MAC address, splits it in two.
  • insert "FFFE" in between the two halves
  • flip the 7th bit
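
As an added illustration (not part of any post in this thread), the three EUI-64 steps listed above and the reverse check, in Python: given addresses such as those shown by `ip -6 addr`, it reports which ones embed a MAC address. The MAC and the 2001:db8:: addresses are constructed sample values, and the function names are chosen here for illustration.

```python
import ipaddress

def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC (the three steps above)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])  # split in two, insert FFFE
    iid[0] ^= 0x02  # flip the 7th bit (universal/local bit) of the first octet
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return net.network_address + int.from_bytes(mac_to_eui64_iid(mac), "big")

def recover_mac(addr: str):
    """Return the embedded MAC if the address looks EUI-64 derived, else None.

    A random identifier can contain ff:fe at this position by chance, so a hit
    means "matches the EUI-64 pattern", not proof.
    """
    host = addr.split("/")[0].split("%")[0]  # drop prefix length and zone id
    iid = ipaddress.IPv6Address(host).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to the MAC it exposes (None = no EUI-64 pattern)."""
    return {a: recover_mac(a) for a in addresses}

# Constructed sample values (documentation prefix 2001:db8::/32, made-up MAC).
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_ADDRS = [
    "2001:db8:1:2:211:22ff:fe33:4455/64",   # EUI-64 derived
    "2001:db8:1:2:8c5e:1a07:93d2:4be1/64",  # random-looking identifier
    "fe80::211:22ff:fe33:4455%eth0",        # link-local, EUI-64 derived
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", SAMPLE_MAC))
    for addr, mac in audit(SAMPLE_ADDRS).items():
        print(f"{addr:45} -> {mac or 'no EUI-64 pattern'}")
```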

If you use P2P apps often, then IPv6 will always get you better connectivity.

Otherwise, you can turn off IPv6 without any consequence.

re: IP privacy: Believe you don't have to worry about them any differently than you would for IPv4, as current implementations (as another user noted about Ubuntu) mostly do the right thing.

Some distros don't. For example, Fedora does not use IPv6 privacy extensions.

2 Likes

Is this an issue for Fedora users? How important is this extension?

It is, if you don't want to get easily tracked by the part of your IPv6 address which gets generated through your MAC address. It won't change over time if your MAC address does not change and you don't have IPv6 privacy extensions enabled. Most modern consumer devices have had IPv6 privacy extensions activated for a long time (Windows, Android, …), but some Linux distros for workstations/laptops still don't activate it by default.

There is a topic here:

Why does PG not add a note about this?

This enhances privacy, but could cause problems in some applications, on the other hand.

What type of side effects can happen? Torrent, port forwarding, WebRTC, Snapdrop are important things for me personally. What may break?


Additional notes about this topic:

randomize IPv6: