Enabling IPv6 on a server LAN with the ipv6 address interface configuration without taking additional precautions might be a bad idea. All modern operating systems have IPv6 enabled by default, and the moment someone starts sending Router Advertisement (RA) messages, they’ll auto-configure their LAN interfaces.
Autoconfigured servers might become exposed to the outside world if you’re using something like iptables to protect them (because IPv6 uses ip6tables) – one of the many IPv6 security gotchas Eric Vyncke and myself will describe in the upcoming IPv6 security webinar (register here).
Interestingly, there’s a per-prefix flag in RA messages (the A flag described in details in my Building Large IPv6 Service Provider Networks webinar) telling the end-hosts whether they could use the prefix for stateless autoconfiguration. If you configure the routers not to advertise the A flag with something like the ipv6 nd prefix no-autoconfig interface configuration command, the hosts won’t get a valid IPv6 address and you’re safe ... or so one would think.
Unfortunately the reality is a bit more convoluted than that. I had a great chat with Sander Steffann during RIPE65 and he was kind enough to explain the intricacies:
- The moment a Unix-like server gets an IPv6 default route through RA, it thinks it lives in a dual-stack world (even though it doesn’t have a routable IPv6 address);
- Dual-stack-aware applications start establishing outgoing IPv6 sessions, and the server starts sending TCP SYN packets with the link-local source address, which any decent first-hop router immediately rejects with destination unreachable (beyond scope of source address) ICMP message.
- Some Unix-like servers react to the ICMP message and close the half-baked TCP session, allowing the application to recover pretty quickly, others wait for TCP SYN timeouts (because a security-conscious operating system never listens to ICMP messages ... after all, they might have been spoofed).
The only safe way to configure IPv6 on a server LAN where you don’t control all the servers (and thus cannot be sure IPv6 is disabled on the servers that should be IPv4-only) is thus to disable RA, use static server IPv6 addresses, static IPv6 default route configured on the servers, and first-hop redundancy protocol (like HSRP) between the first-hop layer-3 switches.