TIPS IPv6 Default PIAF Setup

Linetux

For those of you who don't use or need IPv6 (not many of us do on our PBX yet), it's a good idea to turn it off.

With some of the new builds, it's enabled by default.

You're going to want to modify /etc/modprobe.conf and set the following options to turn it off for good:

Code:
alias ipv6 off
options ipv6 disable=1

(FYI, this was a change in CentOS 5.4 - the /etc/sysconfig/network "NETWORKING_IPV6 = no" setting doesn't do the trick anymore)

Why bother? Well, for those of us in the security arena, you don't turn something on unless you need it. And as good of a job as Ward and everyone else who burns their time on this project do, there's always more you can do (and you can't/shouldn't expect them to do everything for you, anyway!)

What can go wrong? Well, for one, if someone were to get onto your network, they could easily set up IPv6 'dhcp' and other services on your network. And the way IPv6 works, it would happily respond, then it would happily tunnel all your IPv4 traffic to the 'bad guy' on your LAN.

Remote chance? Perhaps. But the more you know, the better prepared you are. Be safe out there... you're only a few milliseconds away from every bad guy on the internet...
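
A check that the modprobe change in the post above took effect after a reboot, added here as an example and not part of the original post. It decodes the kernel's `/proc/net/if_inet6` table (absent when the ipv6 module is not loaded); the function names and the sample lines are constructed for illustration.

```shell
# Added example: decode /proc/net/if_inet6 read from stdin.
# Columns: address (32 hex digits), ifindex, prefix length, scope, flags, device.
# Empty output means no interface holds an IPv6 address.
ipv6_addresses() {
    while read -r addr _idx plen scope _flags dev; do
        [ -n "$dev" ] || continue
        case "$scope" in
            00) s=global ;;
            10) s=host ;;
            20) s=link ;;
            40) s=site ;;
            *)  s="0x$scope" ;;
        esac
        # Insert a colon after every four hex digits, then drop the last one.
        pretty=$(printf '%s' "$addr" | sed 's/..../&:/g; s/:$//')
        printf '%s %s/%d %s\n' "$dev" "$pretty" "$((0x$plen))" "$s"
    done
}

# Constructed sample of what the file looks like while IPv6 is still active.
sample_if_inet6() {
cat <<'EOF'
fe80000000000000021122fffe334455 02 40 20 80     eth0
00000000000000000000000000000001 01 80 10 80       lo
EOF
}

# Live use on the PBX itself.
if [ -r /proc/net/if_inet6 ]; then
    ipv6_addresses < /proc/net/if_inet6
fi
```

A link-scope `fe80:` address on `eth0` in the output means the interface still answers IPv6 on the LAN.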
 

jroper

Hi

On the other hand, rather than just turning it off, we ought to be learning how it works, and how to deploy it in our networks, including how to firewall it, and have Fail2ban / Ossec protect it. Especially as Asterisk 1.8 now supports IPv6.

Once we have a world of IPv6, then NAT, in my opinion the single most frustrating thing about VoIP, goes away completely. NAT is evil.

It's IPv6 day soon - http://isoc.org/wp/worldipv6day/ this may be a good time to start looking at this in more detail.

Joe
 

Linetux

I agree 100% with you in principle. Reality is, however, that IPv6 is a mess.

Yes, it's sorely needed.

But no, it's not ready. Consumer router support is at the fledgling state at the moment, and we all know what that means - big security bugs. You can go and get yourself an IPv6 block (they hand out class A's like they're candy), but try to use it with your run-of-the-mill provider... the vast majority don't even have the support staff trained enough to even know what IPv6 is!

Even Asterisk support is spotty at best.

There is a provision to encapsulate the entire IPv4 space in a small segment of an IPv6 address (which is the root of this problem). To me - right now - the best option is to turn it off. While it's all nice and good to think about what we should be doing, since there's really no way to do it right now, turn it down until the rest of the world is caught up.
 

wardmundy

Great suggestion. I'd just as soon we not use the entire PIAF Community as the IPv6 black mollies. If you didn't know, most folks use these little (fresh water) fish to get the chemical reaction started in new salt-water aquariums. Most of the black mollies DIE! For those that want to test IPv6, you can obviously turn it back on (preferably) in your lab.
 

wardmundy

Tom and I chatted about this, and he has done an enormous amount of work on IPv6 already for some customers. Rather than disabling this at the kernel level, what we've decided to do is disable all packets in ip6tables which manages IPv6.

For those that want to experiment, you then can adjust your /etc/sysconfig/ip6tables rules accordingly. Then restart ip6tables: service ip6tables restart.

This will become part of update-fixes shortly and also will be incorporated into all new installs via update-fixes which is now part of the initial install:


# default /etc/sysconfig/ip6tables setup
# Generated by ip6tables-save v1.3.5 on Sat May 14 10:15:05 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
COMMIT
# Completed on Sat May 14 10:15:05 2011
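
A way to confirm that a rules file still matches the drop-everything default quoted above after someone has adjusted it, added here as an example and not part of the original post or of update-fixes. The function names and the loosened rule set are constructed for illustration.

```shell
# Added example: audit ip6tables-save text read from stdin.
# Prints one finding per line; exit status 0 means every built-in filter
# chain defaults to DROP and no rule jumps to ACCEPT.
# Live use: audit_ip6tables < /etc/sysconfig/ip6tables
audit_ip6tables() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table != "filter" { next }
        /^:(INPUT|FORWARD|OUTPUT) / {
            chain = substr($1, 2); seen[chain] = 1
            if ($2 != "DROP") { print "policy " chain " is " $2; bad = 1 }
            next
        }
        /^-A / {
            for (i = 1; i < NF; i++)
                if ($i == "-j" && $(i + 1) == "ACCEPT") { print "accept rule: " $0; bad = 1 }
        }
        END {
            n = split("INPUT FORWARD OUTPUT", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "no policy for " want[i]; bad = 1 }
            exit bad + 0
        }
    '
}

# The default rule set quoted in the post above.
page_default_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
COMMIT
EOF
}

# Constructed sample: a rule set loosened while experimenting.
loosened_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
EOF
}
```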
 

jvangent100

Sorry to bring up this old thread, but does anyone have any experience with running Asterisk (11.x) with IPv6 enabled?

I changed tcpbindaddr=:: in sip settings. After the reload, I can telnet to both IPv4 and IPv6 5060 ports from a different machine.

ip6tables has been modified to allow for connectivity (I have run a dual-stack network for years, most of the traffic is IPv6 on the LAN, I already connect via IPv6 using other protocols such as ssh and https into the PIAF box).

When I try to make a connection to my exchange box on the same LAN, I can see connectivity is done through IPv6, I see the channel, but sound is missing. Dialling out via a sip trunk (which is still IPv4) renders the same result.

Could it be that the local network settings in sip settings are the cause of this issue, and if so, can I enter IPv6 subnets in some custom.conf file, as I am unable to enter them using freepbx.
 

atsak

The file you'd want to try in is sip_custom.conf . . but I never tried it with IPv6 - no need for it yet.
 

Twilight Sparkle

How do I find out if I'm using IPv6 or IPv4 by default?

I'm seeing 2 eth connections?
 
