On Monday 17 June 2019 10:54:19 am Dan Ritter wrote:
> Gene Heskett wrote:
> > But that opens yet another container of worms. If I arbitrarily
> > assign ipv6 local addresses, and later, ipv6 shows up at my side of
> > the router, what if I have an address clash with someone on a
> > satellite circuit in Ulan Bator. How is that resolved, by
> > unroutable address blocks such as 192.168.xx.xx is now?
>
> Sort of.
>
> IPv6 has a concept of "scope" that says: this address space is
> purely local. This address space is global. This address space
> is for a link.
>
> If you fire up 'ip -6 address' on a stock Debian machine with
> IPv6 enabled (which is the default these days), you will see
> something like this:
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
>
> 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 2001:570:1c07:ff7:d63d:7eff:fe93:e318/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a2d3:c1ff:ce24:b122/64 scope link
>        valid_lft forever preferred_lft forever
>
> Your loopback interface has one address with scope host: it's only on
> this machine. The eth0 has two addresses: one is scope global,
> and can be used for routing to your machine from the outside
> world, and one is scope link, and should only be used to talk to
> your local network. IPv6 routers should never forward those
> packets.
That's if ipv6 is even propagated thru my router, running a semi-current
dd-wrt. I've not seen a thing about ipv6 in its configuration.

> If you don't get an address block from your ISP, you won't have
> a scope global address.

I have for eth0, two scope global addresses in a new stretch install of
an r-pi-3b, one from avahi and one from e/n/i.d/eth0, but the instant it
goes global, it sends from the avahi address 169.etc. Since that's out of
my local /24 domain, it of course doesn't work for global access as my
router doesn't pass it. As this is a hosts file local network, how can I
turn off the avahi stuff forever? It's screwing me up.

> > What I've read so far has not addressed this serious security
> > concern. Or even mentioned it. If in the future all addressing is
> > by dhcpd6, how do the other machines on my local net, advertise
> > their presence to the other machines on my local net. So I can still
> > ssh -Y vna.coyote.den for instance, if I can ever make ssh work to a
> > win-10-home edition box. That's a rarely used hookup at best.
> > Presently the hosts file duplicated on all machines fills this
> > requirement.
>
> Most IPv6 boxes don't use dhcpd6; they use SLAAC: stateless
> automatic address configuration. But you're asking about local
> naming, and that's done the same way on IPv4 and 6: zeroconf,
> aka Rendezvous, Bonjour or Avahi.

I'd rather nuke avahi. Not the first time it's been a problem child but
usually I've been able to find the right knife to neuter it. Not this
time...

> Try (installing avahi-utils if needed)
>
> avahi-browse-domains -a
>
> -dsr-

That's the entire point, with a hosts file based local net, it's a
hindrance that has become a showstopper. And short of commenting every
line in /e/i.d/avahi-* out, I don't know how to stop that PITA from
screwing that machine up. Apparently systemctl disable avahi-daemon is
NOT sufficient. systemctl, spit. If it can't do what it's told to do, what
good is it?
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
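Added example, not part of the thread: a short Python script that parses output in the shape of the `ip -6 address` listing Dan quoted and labels each address by scope with the standard library's ipaddress module, so it is clear which addresses the outside world can reach and which (link-local, unique-local, and the 169.254 address avahi hands out) never leave the LAN. The sample listing is constructed; it reuses the two eth0 addresses from the quoted output and adds an invented fd12:... unique-local address to show that case.

```python
import ipaddress
import re
# Constructed sample shaped like the `ip -6 address` output quoted above (fd12 ULA invented).
SAMPLE_IP_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:570:1c07:ff7:d63d:7eff:fe93:e318/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd12:3456:789a:1::5/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a2d3:c1ff:ce24:b122/64 scope link
       valid_lft forever preferred_lft forever
"""
IFACE_RE = re.compile(r"^\d+: (\S+):")
INET6_RE = re.compile(r"^\s+inet6 (\S+)/(\d+) scope (\S+)")

def classify(text):
    """Label an IPv4/IPv6 address (given as text) by where it can be reached from."""
    addr = ipaddress.ip_address(text)
    # ::1, fe80::/10 and 169.254/16 are all 'private' to ipaddress: test them first.
    if addr.is_loopback:
        return "host"           # this machine only
    if addr.is_link_local:      # fe80::/10 or 169.254/16 (what avahi hands out)
        return "link"           # routers never forward these
    if addr.version == 6 and addr in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"   # IPv6 counterpart of 192.168/16: not Internet-routed
    if addr.version == 4 and addr.is_private:
        return "private"        # RFC 1918 space
    if addr.is_global:
        return "global"
    return "other"

def parse_ip6_addresses(text):
    """Return (iface, address, prefixlen, kernel_scope, classification) rows."""
    rows, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if m and iface:
            rows.append((iface, m.group(1), int(m.group(2)), m.group(3), classify(m.group(1))))
    return rows

def reachable_from_outside(text):
    """Truly global addresses only; note the kernel labels ULAs 'scope global' too."""
    return [a for _, a, _, _, cls in parse_ip6_addresses(text) if cls == "global"]
```

The point to notice is that `ip` reports the fd12:... address as "scope global" just like the 2001:570:... one, so the kernel's scope label alone does not tell you whether an address is reachable from the Internet.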