# Would USE=-ipv6 be worthwhile and safe?

## figueroa

My OpenRC desktop profile includes USE=ipv6 by default. That's "default/linux/amd64/17.1/desktop (stable)."

I don't see myself using ipv6 for many years. Would it be safe and worth rebuilding 50 or so packages to add USE=-ipv6 to my /etc/portage/make.conf?

I'm thinking less is better, right? Are there any downsides/tradeoffs?

----------

## pietinger

*figueroa wrote:*

> I don't see myself using ipv6 for many years. Would it be safe and worth rebuilding 50 or so packages to add USE=-ipv6 to my /etc/portage/make.conf?

I did this many years ago and IPv6 is still deactivated on my systems (because I don't need/want it).

*figueroa wrote:*

> I'm thinking less is better, right?

This is true - especially from a security point of view. (see also: https://en.wikipedia.org/wiki/IPv6#Security )

*figueroa wrote:*

> Are there any downsides/tradeoffs?

I haven't had any problems so far. On my systems I also have IPv6 disabled in my kernel configuration. If you don't want to change your kernel configuration, there is another way to disable it: https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters

Disabling IPv6 also has an advantage: your firewall configuration is much easier ;-)

----------

## grknight

Personally, I'd rather recommend adding ipv6.disable=1 to the kernel parameters so the kernel will just say there is no support.

This prevents potential issues in software that just isn't tested very well.

----------

## pjp

Be aware that some programs may require it, even if they install without it. I can't find a reference now, but I was unable to configure postgresql after installing it. My recollection is that it uses IPv6 internally and (inferring) it uses the IPv6 space that encapsulates IPv4 addresses. I wasn't about to reconfigure a kernel with IPv6 support solely for that. I installed mariadb instead.

----------

## figueroa

Thank you for the responses. I think I WILL.

Can I disable IPv6 in the kernel config by just changing CONFIG_IPV6=m (currently) to "not set"?

----------

## pietinger

*figueroa wrote:*

> Can I disable IPv6 in the kernel config by just changing CONFIG_IPV6=m (currently) to "not set"?

Yes (if you do it with "make menuconfig", all dependent modules will be disabled too; take a look at the crypto section before and after you have disabled IPv6 ;-) ).

----------

## pa4wdh

If you somehow need IPv6 enabled in your kernel and still don't want to use it, you can always use nftables or ip6tables to block it completely.

----------

## Perfect Gentleman

It is definitely safe.

----------

## figueroa

*pietinger wrote:*

> *figueroa wrote:* Can I disable IPv6 in the kernel config by just changing CONFIG_IPV6=m (currently) to "not set"?
>
> Yes (if you do it with "make menuconfig", all dependent modules will be disabled too; take a look at the crypto section before and after you have disabled IPv6 ;-) ).

Easier done than said. In the newly stable sys-kernel/gentoo-sources-5.10.93, deselecting IPV6 under Networking Options using menuconfig, as asked above, deselected ALL IPv6-related items in the resulting .config. It's compiling now. I'm concurrently also running a world update implementing USE=-ipv6 globally, affecting 44 installed packages.

----------

## pjp

*figueroa wrote:*

> *pietinger wrote:* *figueroa wrote:* Can I disable IPv6 in the kernel config by just changing CONFIG_IPV6=m (currently) to "not set"?
>
> Yes (if you do it with "make menuconfig", all dependent modules will be disabled too; take a look at the crypto section before and after you have disabled IPv6 ;-) ).
>
> Easier done than said. In the newly stable sys-kernel/gentoo-sources-5.10.93, deselecting IPV6 under Networking Options using menuconfig, as asked above, deselected ALL IPv6-related items in the resulting .config. It's compiling now. I'm concurrently also running a world update implementing USE=-ipv6 globally, affecting 44 installed packages.

What was the before and after difference in the crypto section?

----------

## figueroa

*pjp wrote:*

> ...
>
> What was the before and after difference in the crypto section?

"The crypto section" is ambiguous to me. Let me know if you are looking for a named section in particular. Let me know if the following doesn't answer your question; I'll be happy to answer some other way:

```
$ grep -i ipv6 .config.old
CONFIG_IPV6=m
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_IPV6_ILA is not set
# CONFIG_IPV6_VTI is not set
CONFIG_IPV6_SIT=m
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
# CONFIG_IPV6_TUNNEL is not set
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IPV6_SEG6_LWTUNNEL is not set
# CONFIG_IPV6_SEG6_HMAC is not set
# CONFIG_IPV6_RPL_LWTUNNEL is not set
# IPv6: Netfilter Configuration
# CONFIG_NF_SOCKET_IPV6 is not set
# CONFIG_NF_TPROXY_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
# end of IPv6: Netfilter Configuration
CONFIG_NF_DEFRAG_IPV6=y
```

vs

```
$ grep -i ipv6 .config
# CONFIG_IPV6 is not set
```

----------

## pietinger

*pjp wrote:*

> What was the before and after difference in the crypto section?

With IPv6, IPsec AH and ESP are also enabled by default. These select some modules in the Cryptographic API. After disabling IPv6 completely you will not have these enabled anymore:

```
-*- Cryptographic API  --->
-*-   Cryptographic algorithm manager
-*-   Software async crypto daemon
-*-   Authenc support
-*-   GCM/GMAC support
-*-   Sequence Number IV Generator
-*-   Encrypted Chain IV Generator
-*-   CTR support
-*-   HMAC support
-*-   GHASH hash function
```

----------

## figueroa

*pietinger wrote:*

> *pjp wrote:* What was the before and after difference in the crypto section?
>
> With IPv6, IPsec AH and ESP are also enabled by default. These select some modules in the Cryptographic API. After disabling IPv6 completely you will not have these enabled anymore:
>
> ...

I have none of these before or after with gentoo-sources-5.10.88 or 93.

----------

## sam_

*grknight wrote:*

> Personally, I'd rather recommend adding ipv6.disable=1 to the kernel parameters so the kernel will just say there is no support.
>
> This prevents potential issues in software that just isn't tested very well.

Agreed, this would be my recommendation if you want to disable IPv6.

I commented on this on the gentoo-dev ML too with a bit more detail.

----------
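The posts above describe three ways to end up without IPv6 short of rebuilding the kernel: grknight's and sam_'s ipv6.disable=1 boot parameter, the sysctl route covered by the madaidans guide pietinger linked, and pa4wdh's "block it anyway" firewall rule. The script below is an added example that is not from any post in this thread and not Gentoo or kernel code; it puts the three side by side and adds the check a practitioner wants afterwards: which mechanism is actually in effect on the running box. The file paths under /etc/sysctl.d and /etc/nftables.d, the nftables table name ipv6_drop and all function names are assumptions, not Gentoo defaults.

```shell
#!/bin/sh
# Added example for this thread (not from any post above, not Gentoo or kernel
# code): the non-kernel-config ways to end up without IPv6, plus a check of
# which one is actually in effect on the running box.

# Does a kernel command line carry ipv6.disable=1? Takes the text as an
# argument so it can be exercised on constructed input; pass
# "$(cat /proc/cmdline)" for the live value. The padding spaces make the
# match exact: "ipv6.disable=0" or "foo.ipv6.disable=1" do not count.
ipv6_cmdline_state() {
    case " $1 " in
        *" ipv6.disable=1 "*) echo "cmdline-disabled" ;;
        *)                    echo "cmdline-not-disabled" ;;
    esac
}

# What the running kernel actually does. With ipv6.disable=1 the IPv6
# initialisation bails out before registering anything, so /proc/sys/net/ipv6
# never appears and socket(AF_INET6, ...) fails with EAFNOSUPPORT; a kernel
# built without CONFIG_IPV6 (or with the ipv6 module not loaded) looks the
# same from user space. With the sysctl method the stack is loaded (AF_INET6
# sockets still succeed) but no IPv6 address is configured on any interface.
ipv6_runtime_state() {
    if [ ! -d /proc/sys/net/ipv6 ]; then
        echo "no-ipv6-stack"
    elif [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null)" = "1" ] &&
         [ "$(cat /proc/sys/net/ipv6/conf/default/disable_ipv6 2>/dev/null)" = "1" ]; then
        echo "stack-loaded-sysctl-disabled"
    else
        echo "ipv6-enabled"
    fi
}

# Sysctl fallback for a kernel that was built with CONFIG_IPV6 when you would
# rather not touch the boot loader. The default path is an assumed name under
# /etc/sysctl.d; apply with "sysctl --system" (or reboot).
write_ipv6_sysctl() {
    cat > "${1:-/etc/sysctl.d/40-disable-ipv6.conf}" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
}

# Belt and braces: an nftables ruleset that drops every IPv6 packet on all
# three filter hooks, for the case where the kernel must keep IPv6 but nothing
# should use it. Table name and default path are assumptions; load it with
# "nft -f <file>" and keep the ip6 family separate from your IPv4 rules.
write_ipv6_nft_ruleset() {
    cat > "${1:-/etc/nftables.d/ipv6-drop.nft}" <<'EOF'
table ip6 ipv6_drop {
    chain input   { type filter hook input   priority 0; policy drop; }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy drop; }
}
EOF
}

# Run directly: report the live state (the functions stay reusable).
printf 'cmdline: %s\n' "$(ipv6_cmdline_state "$(cat /proc/cmdline 2>/dev/null)")"
printf 'runtime: %s\n' "$(ipv6_runtime_state)"
```

The two "disabled" states the check distinguishes are exactly the difference grknight is pointing at: under the sysctl method a program that opens an AF_INET6 socket still gets one and simply never sees IPv6 traffic, while under ipv6.disable=1 (or a kernel built without CONFIG_IPV6) that socket() call fails outright and the program has to handle it, which is where poorly tested software shows its cracks. The nftables ruleset is only worth adding when the kernel must keep IPv6 for some other reason; on a kernel that reports no-ipv6-stack there is nothing for it to filter.

----------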

## psycho

I've had

```
# CONFIG_IPV6 is not set
```

for many years now (probably always) and don't recall any problems. I also have -ipv6 in make.conf. What pjp said triggered a vague memory of something requiring ipv6 to function properly (and something weird...not like a network tool but something I wasn't expecting to need it) but it's obviously not an issue now...maybe some unnecessary dependencies on ipv6 have been fixed in some packages. Anyway, my boxes are perfectly happy without any mention of it.

----------

## pjp

*pietinger wrote:*

> *pjp wrote:* What was the before and after difference in the crypto section?
>
> With IPv6, IPsec AH and ESP are also enabled by default. These select some modules in the Cryptographic API. After disabling IPv6 completely you will not have these enabled anymore:
>
> ...

At some point, I disabled IPv6. I do think I remember turning on some crypto options, but I don't recall what. I'm currently still using a 4 series kernel. Are any of the options you list particularly needed for commonly installed software? I'm keeping an eye out for things I "should" do when I upgrade to 5. I'm thinking of starting clean and following the kernel security project / guide (I forget the name) very closely.

----------

## Hu

*pjp wrote:*

> following the kernel security project / guide (I forget the name) very closely.

https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project?

----------

## pietinger

*pjp wrote:*

> Are any of the options you list particularly needed for commonly installed software?

I don't know of any. The most used (besides IPsec) are fscrypt and dmcrypt. When you select fscrypt it enables/selects all needed modules itself. With dmcrypt you have to know what to enable for it (but there are many descriptions). In both cases I would also recommend enabling all the better algorithms for newer CPUs (if you have one), e.g. [*] AES cipher algorithms (AES-NI) - the explanation is in parentheses. Don't be afraid for applications - if any need some crypto or hash modules, they will tell you ;-)

*pjp wrote:*

> I'm thinking of starting clean and following the kernel security project / guide (I forget the name) very closely.

The name is KSPP -> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

For some months now we have had new kernel options in our Gentoo section:

```
Gentoo Linux  --->
[*] Kernel Self Protection Project  --->
[*]   Enable Kernel Self Protection Project Recommendations
[*]     X86_64 KSPP Settings
```

(The last option depends on your system; you will see both only if some options are disabled, therefore I suggest first disabling all the options according to the KSPP page and afterwards enabling them with these Gentoo options; or take a look into /usr/src/linux/distro/Kconfig.)

At the moment it is not quite up to date for 5.15.16. I also enabled these options when I did my update from 5.10.x (the default was "N"o):

```
CONFIG_WERROR=y
CONFIG_SYSFB_SIMPLEFB=y
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
CONFIG_ZERO_CALL_USED_REGS=y
```

I think these two are needed as well, but I'm waiting for more information:

```
# CONFIG_SCHED_CORE is not set
# CONFIG_KFENCE is not set
```

----------

## pjp

*Hu wrote:*

> *pjp wrote:* following the kernel security project / guide (I forget the name) very closely.
>
> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project?

*pietinger wrote:*

> The name is KSPP -> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Yes. I kept thinking of the S as security, but didn't think that was correct. I went through it once before (around Spectre), but it was somewhat of a pain. I only implemented some of it and never made it back to evaluate some of the more strict options. 5 seems like a good time to revisit it. Fortunately 4 isn't going away any time soon.

*pietinger wrote:*

> I don't know of any. The most used (besides IPsec) are fscrypt and dmcrypt. When you select fscrypt it enables/selects all needed modules itself. With dmcrypt you have to know what to enable for it (but there are many descriptions). In both cases I would also recommend enabling all the better algorithms for newer CPUs (if you have one), e.g. [*] AES cipher algorithms (AES-NI) - the explanation is in parentheses. Don't be afraid for applications - if any need some crypto or hash modules, they will tell you ;-)

I thought maybe you recommended checking crypto before and after disabling IPv6 due to something needed being unset. I may just leave IPv6 configured and disable it during boot. Then it's at least there if I'm forced into it somehow. I try to avoid recompiling kernels if I can. The difference between my current version and the latest stable of that release is negligible. If not for working through a better build process, I'd probably not bother with it.

*pietinger wrote:*

> For some months now we have had new kernel options in our Gentoo section:
>
> ```
> Gentoo Linux  --->
> ...
> ```

Interesting. That should make it a lot easier. Although I've also been considering using a vanilla kernel. If nothing else I'd gain a greater appreciation for the Gentoo kernel team.

*pietinger wrote:*

> At the moment it is not quite up to date for 5.15.16. I also enabled these options when I did my update from 5.10.x (the default was "N"o):

Unless there's a newer LTS version by the time I'm ready, I'd be using 5.10. 5.15 EOL in 2023 doesn't seem to qualify as "L"TS.

----------

## Hu

I think the cross connection between cryptography and IPv6 is that enabling IPv6 requires enabling certain kernel cryptographic features that you otherwise could disable.  Thus, by disabling IPv6, you gain the option to also disable those cryptographic features.  If you enable IPv6, you must include those cryptographic features, even if you have no use for them outside IPv6.  If you're looking to minimize the enabled features in your kernel, whether for size concerns or to minimize attack surface, disabling IPv6 would let you disable some cryptographic features, which would be a double win.

----------

## pjp

A good point. Some of them seem commonly used, and I presume that support in the kernel is required for user land tools. I believe I noticed AES not enabled at some point, perhaps after disabling IPv6. Other than for common uses (ssh, tls, gpg, ...) I don't directly use encryption, so "most people should say yes / enabled by default" would be nice :).

----------

## figueroa

A diff of the full .config after disabling ipv6 and before disabling doesn't show anything dramatic or unusual. I only made the one configuration change. All the other changes were automatically included -- or more accurately excluded.

```
$ diff .config .config.old

885a886

> # CONFIG_XFRM_INTERFACE is not set

895a897

> CONFIG_NET_IP_TUNNEL=m

898a901

> # CONFIG_NET_FOU_IP_TUNNELS is not set

901a905

> CONFIG_INET_TUNNEL=m

907c911,928

< # CONFIG_IPV6 is not set

---

> CONFIG_IPV6=m

> # CONFIG_IPV6_ROUTER_PREF is not set

> # CONFIG_IPV6_OPTIMISTIC_DAD is not set

> # CONFIG_INET6_AH is not set

> # CONFIG_INET6_ESP is not set

> # CONFIG_INET6_IPCOMP is not set

> # CONFIG_IPV6_MIP6 is not set

> # CONFIG_IPV6_ILA is not set

> # CONFIG_IPV6_VTI is not set

> CONFIG_IPV6_SIT=m

> # CONFIG_IPV6_SIT_6RD is not set

> CONFIG_IPV6_NDISC_NODETYPE=y

> # CONFIG_IPV6_TUNNEL is not set

> # CONFIG_IPV6_MULTIPLE_TABLES is not set

> # CONFIG_IPV6_MROUTE is not set

> # CONFIG_IPV6_SEG6_LWTUNNEL is not set

> # CONFIG_IPV6_SEG6_HMAC is not set

> # CONFIG_IPV6_RPL_LWTUNNEL is not set

989a1011,1027

> #

> # IPv6: Netfilter Configuration

> #

> # CONFIG_NF_SOCKET_IPV6 is not set

> # CONFIG_NF_TPROXY_IPV6 is not set

> # CONFIG_NF_DUP_IPV6 is not set

> CONFIG_NF_REJECT_IPV6=m

> CONFIG_NF_LOG_IPV6=m

> CONFIG_IP6_NF_IPTABLES=m

> CONFIG_IP6_NF_MATCH_IPV6HEADER=m

> CONFIG_IP6_NF_FILTER=m

> CONFIG_IP6_NF_TARGET_REJECT=m

> CONFIG_IP6_NF_MANGLE=m

> # CONFIG_IP6_NF_RAW is not set

> # end of IPv6: Netfilter Configuration

> 

> CONFIG_NF_DEFRAG_IPV6=y

1007a1046

> # CONFIG_6LOWPAN is not set

1157a1197

> CONFIG_DST_CACHE=y

```

----------

