NetBSD-Users archive


Re: need to disable IPv6



    Date:        Thu, 28 Jun 2012 12:07:06 +0300
    From:        Aleksey Cheusov <cheusov%tut.by@localhost>
    Message-ID:  
<CAK9rGba_mfQTvUeak4xDAiN0wvqsAJj5wAWR-AmFXyHc2pJSLg%mail.gmail.com@localhost>

  | I have not analysed patch by Robert Elz yet, but it is not complete
  | (changes in etc/default/rc.conf and man page are missing).

Of course, that was intended as a quick hack for Anne to test
whether or not it worked (my suspicion is that her problem is
not related to v6 in any way at all, but that the cosmetic
problem you're mentioning is making it appear that v6 is related.)

The /etc/defaults/rc.conf change is trivial, just alter

ip6mode=host                                    # host, autohost or router

to

ip6mode=host                                    # host, autohost, router or off

(providing patches in hacks for comments is beyond what I'd generally
bother with).

On the other hand, if this was ever to be actually made part of the
distribution, then you're absolutely right, it would need documentation.
I could do that, but only if I could work out what doc to update.
At the minute I have no idea where (aside possibly from the installation
guide) any of this stuff might be hiding.

  | If I cannot use it (yet), I don't see reasons to configure
  | it and have a garbage in stderr.

I'm not sure my (hack) patch would necessarily stop the garbage, it just
makes it absolutely certain that no attempt can be actually made to
use IPv6 - it doesn't stop AAAA records coming back in v4 DNS queries,
it doesn't stop ftp from asking for them, it doesn't stop ftp (or
anything else) from making a PF_INET6 socket, nor from attempting to
use it.    So most likely ftp (and some other commands) would still
complain about the IPv6 destination failing.  Fixing that wasn't
the aim (this time).

Avoiding that problem, and even more, the "rogue router" problem someone
else mentioned (though that's not Anne's problem, as nothing was
supplying her system with a prefix) was the objective of our mods
that really disable a whole protocol stack - disable to the extent
that incoming v6 packets are just dropped, as they would be if you compiled
with INET6 missing, rather than causing a TCP reset if sent to an
unconnected port, or an ICMP (ICMPv6) for UDP, etc, and causing
socket(PF_INET6) to give the exact same error it would give if
INET6 wasn't compiled in.   The code to do all that is actually
trivial (just a few lines), there get to be a few more when you
want to allow existing v6 connections, established before you
disabled the protocol, to keep on working, while preventing new ones
(and we decided that might be a good idea, otherwise on server
type systems deciding when is a good time to disable is tricky).
Of course, it doesn't really matter if the only reason for disabling
is "it doesn't work for me", but once the facility exists, people
are going to want to use it for other things as well... (after
all it also allows IPv4 to be disabled in just the same way, not
that that is a sane thing to try with the current state of the system.)

Last, there's almost no-one who can't (couldn't) make IPv6 work if
they really wanted to - I did back in the 80's when there were
almost no implementations, and no-one to connect to.   It won't
necessarily be nearly as reliable or fast as your current v4, but
it can be made to work, anywhere - all it takes is the desire.

(Or if you like, the foresight to realise that preparing & learning now,
before it is essential, is going to be a hell of a lot easier than suddenly
being told "make it work by tomorrow" when someone important finds
that they actually need it.)

kre
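
Added example (not part of the original message, and not NetBSD code): a small probe that separates the two outcomes the message contrasts, a host where socket(PF_INET6) still succeeds versus one where it fails as if INET6 were not compiled in. The names classify_v6 and probe_v6 are hypothetical, and treating EAFNOSUPPORT/EPROTONOSUPPORT as "family absent" and EADDRNOTAVAIL on ::1 as "stack present but unconfigured" are assumptions.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum v6_state {
    V6_FAMILY_ABSENT, /* socket(PF_INET6) refused, as if INET6 were not built in */
    V6_NO_ADDRESS,    /* socket works but ::1 cannot be bound: stack up, unconfigured */
    V6_USABLE,        /* socket and bind to ::1 both succeed */
    V6_UNKNOWN        /* unrelated failure (fd limit, permissions, ...) */
};

/* Pure decision logic, kept separate so it can be checked without a network.
 * Assumption: an absent family reports EAFNOSUPPORT or EPROTONOSUPPORT. */
enum v6_state classify_v6(int sock_errno, int bind_errno)
{
    if (sock_errno == EAFNOSUPPORT || sock_errno == EPROTONOSUPPORT)
        return V6_FAMILY_ABSENT;
    if (sock_errno != 0)
        return V6_UNKNOWN;
    if (bind_errno == EADDRNOTAVAIL)
        return V6_NO_ADDRESS;
    return bind_errno == 0 ? V6_USABLE : V6_UNKNOWN;
}

/* Probe the running host: create a v6 socket, then try to bind it to ::1. */
enum v6_state probe_v6(void)
{
    struct sockaddr_in6 sa;
    int bind_errno = 0;
    int fd = socket(PF_INET6, SOCK_STREAM, 0);

    if (fd < 0)
        return classify_v6(errno, 0);
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_loopback;  /* ::1, port 0 = any free port */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        bind_errno = errno;
    close(fd);
    return classify_v6(0, bind_errno);
}

int main(void)
{
    static const char *names[] = { "family absent", "no address", "usable", "unknown" };
    printf("IPv6: %s\n", names[probe_v6()]);
    return 0;
}
```

Only the "family absent" result corresponds to the full protocol disable described above; any other result means programs can still create PF_INET6 sockets.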

