Disable iPv6 address

johnrabbit · May 7, 2016, 11:49am

Good day
I don’t know if I can post it here or in qubes help section.
I want to disable iPv6 in qubes considering that Tor don’t use it and to prevent leak. Is it possible?

Thank you

entr0py · May 7, 2016, 2:20pm

Good idea to disable if you’re not using. Disabled in Whonix already: https://github.com/Whonix/ipv6-disable/tree/master. (Used to be section in Docs under Host Security but I don’t see it anymore.)

Neither Qubes nor Whonix - specific issue. Disable the same way you would in Fedora / Debian.

Search: “linux disable ipv6”
Example: How to disable IPv6 on Linux

Patrick · May 7, 2016, 2:29pm

Please use search engines beforehand. Enter “Whonix IPv6”
Then you might find out, that Whonix-Gateway has IPv6 disabled by default.
“same as in Debian” as per
Free Support for Whonix ™ applies. Or
even “same as any Linux”. Then you can learn how to verify it really is
disabled optionally also.

johnrabbit · May 8, 2016, 2:21pm

Good day
I know that in Whonix iPv6 is disabled, I mean in Qubes OS

Regards

Ego · May 8, 2016, 3:04pm

Good day,

That than is not a Whonix related question and thus shouldn’t be asked here, but rather over at the Qubes forum.

Have a nice day,

Ego

Patrick · May 9, 2016, 4:50pm

Yes, and even then my last posting applies. Just replace “Whonix” with “Qubes”.

entr0py · May 17, 2016, 8:20pm

ipv6 is disabled in Whonix-12-Gateway but not disabled in Whonix-12-Workstation.

On one hand, it’s good to leave it enabled in Workstation in case programs in the future use ipv6 to communicate internally (like ipv6 loopback).

But if someone installed openvpn in Workstation and vpn was configured to tunnel ipv6 traffic, Workstation might leak ipv6 information through the vpn tunnel. Is this correct?

Patrick · May 17, 2016, 9:08pm

Whonix 13 whonix-ws-firewall blocks ipv6 traffic in

WORKSTATION_FIREWALL=1
TUNNEL_FIREWALL_ENABLE=true

mode. ivp6 loopback is allowed.

The documentation on this btw:
Connecting to Tor before a VPN
(until Whonix 13, expand button must be pressed)

Dell_Mercant · August 17, 2016, 11:39am

You can’t register your own address, and there is no need to do so.
The address are distributed by sub-dividing an existing allocation.
This process is documented in RFC6177 IPv6 Address Assignment to End Sites
and related documents. Your provider should provide at least a /64
network block. The RFCs encourage them to provide a range of networks
such as a /48 network block.

You should be able to get the DNS reverse pointer registry delegated
to you. This is much simpler under IPv6 than it is for a small
allocation in IPv4, which divides the allocation on /24 boundaries.

If you change ISPs, your IPv6 allocation will change to one from your
new ISP. However, having multiple addresses active at the same time is
much simpler. If you use the privacy extension your devices will
periodically change their IP address. For servers you may be able to
have both ISPs connected during any DNS transition period. There are
also tunneling techniques that can be used.

Dell