tinc - Aug 2016 - Is it possible to block ipv6 auto configuration entering the tinc tunnel?

Hi
Im using tinc to bridge networks together. And im using ebtables to block dhcp
traffic for ipv4 on each node in tinc. One of my nodes have recently began using
ipv6. The isp is using auto configuration to give out ipv6 addresses. The
problem is that every computer in my bridged network is getting ipv6 addresses
from that node.
The other computers behind the other nodes have no use for ipv6 addresses it
gets through the tinc tunnel.

Is there a way to block ipv6 auto configuration traffic entering the tinc tunnel
on each node?

best regards,

Håvard Rabbe
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20160827/62289c08/attachment.html>

On Sat, Aug 27, 2016 at 11:41:12PM +0000, Håvard Rabbe wrote:
> Im using tinc to bridge networks together. And im using ebtables to block
dhcp traffic for ipv4 on each node in tinc. One of my nodes have recently began
using ipv6. The isp is using auto configuration to give out ipv6 addresses. The
problem is that every computer in my bridged network is getting ipv6 addresses
from that node.
> The other computers behind the other nodes have no use for ipv6 addresses
it gets through the tinc tunnel.
> 
> Is there a way to block ipv6 auto configuration traffic entering the tinc
tunnel on each node?
You should be able to block those packets in the FORWARD chain. IPv6
autoconfiguration is done using ICMPv6 packets with types 133 and 134,
see: https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol. So do
something like:

ip6tables -A FORWARD -i <vpn interface> -p icmpv6 --icmpv6-type 133 -j
DROP
ip6tables -A FORWARD -o <vpn interface> -p icmpv6 --icmpv6-type 134 -j
DROP

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20160830/790221d3/attachment.sig>

Hi
thank you for looking in to this. I haven't tried it before now. I cant get
it to work.

after running the commands you suggest I get this when I run ip6tables
--list-rules

root at JOTVPN:~# ip6tables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP


Do you have any other ideas?
Thanks for your help!

Best Regards,

Håvard Rabbe



On Aug 30, 2016, at 04:39 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:

On Sat, Aug 27, 2016 at 11:41:12PM +0000, Håvard Rabbe wrote:

Im using tinc to bridge networks together. And im using ebtables to block dhcp
traffic for ipv4 on each node in tinc. One of my nodes have recently began using
ipv6. The isp is using auto configuration to give out ipv6 addresses. The
problem is that every computer in my bridged network is getting ipv6 addresses
from that node.
The other computers behind the other nodes have no use for ipv6 addresses it
gets through the tinc tunnel.

Is there a way to block ipv6 auto configuration traffic entering the tinc tunnel
on each node?

You should be able to block those packets in the FORWARD chain. IPv6
autoconfiguration is done using ICMPv6 packets with types 133 and 134,
see: https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol. So do
something like:

ip6tables -A FORWARD -i <vpn interface> -p icmpv6 --icmpv6-type 133 -j
DROP
ip6tables -A FORWARD -o <vpn interface> -p icmpv6 --icmpv6-type 134 -j
DROP

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20170222/6568c3e7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20170222/6568c3e7/attachment.sig>