How to disable ipv6 on Red Hat 6
Over the last few months we have been working on security hardening of Red Hat Enterprise Linux 6. One of the aspects of network security on Red Hat systems is to disable all services and protocols that are not being used.
We tend to use reliable sources as a point of reference for security related aspects. Unfortunately, some of those sources were written for an older version of the operating system, like the one written for Red Hat Enterprise Linux 5.
IP version 6 is integrated with Red Hat 6 to such a degree that removing the module, as suggested by the document above, would cause some immediate problems like the one below related to the bonding driver:
The bonding module, as well as many other modules, relies on ipv6 being present and won't work without the ipv6 module.
Instead of removing the ipv6 module, the safer option is to disable all ipv6 capabilities at the kernel level. This can be achieved by adding the following entry to the /etc/sysctl.conf file:
net.ipv6.conf.all.disable_ipv6 = 1
After a reboot the module is still loaded, but all IP version 6 functionality disappears:
As a result of comprehensive research and testing we have come to the conclusion that disabling ipv6 functionality without removing the module is the best way to disable IP version 6 on Red Hat 6 systems. We don't believe that security is being compromised by keeping the module in memory.
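One way to verify the end state described above, as an added example that is not part of the original article: the functions below check the persistent sysctl.conf entry, the running kernel's flag, whether any IPv6 addresses remain assigned, and whether the ipv6 module is still loaded. The function names and the root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the end state the article describes.
# The argument to each function is a hypothetical root prefix ("" = live
# system), so the same checks can run against a copied or constructed tree.

# 0 if /etc/sysctl.conf persistently sets net.ipv6.conf.all.disable_ipv6 = 1
conf_disables_ipv6() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == "net.ipv6.conf.all.disable_ipv6" { last = v }  # last entry wins
        END { exit (last == "1" ? 0 : 1) }
    ' "$1/etc/sysctl.conf" 2>/dev/null
}

# 0 if the running kernel currently has the flag set
runtime_disables_ipv6() {
    [ "$(cat "$1/proc/sys/net/ipv6/conf/all/disable_ipv6" 2>/dev/null)" = "1" ]
}

# 0 if the ipv6 module is still loaded (bonding depends on it)
ipv6_module_loaded() {
    grep -q '^ipv6 ' "$1/proc/modules" 2>/dev/null
}

# Prints how many IPv6 addresses are still assigned to interfaces
ipv6_address_count() {
    [ -r "$1/proc/net/if_inet6" ] || { echo 0; return 0; }
    awk 'NF { n++ } END { print n + 0 }' "$1/proc/net/if_inet6"
}

# Runs all checks; returns 0 only if IPv6 is disabled now and after reboot
audit_ipv6() {
    root="${1:-}"; rc=0
    conf_disables_ipv6 "$root" ||
        { echo "FAIL: sysctl.conf does not set disable_ipv6 = 1"; rc=1; }
    runtime_disables_ipv6 "$root" ||
        { echo "FAIL: running kernel still has IPv6 enabled"; rc=1; }
    [ "$(ipv6_address_count "$root")" -eq 0 ] ||
        { echo "FAIL: IPv6 addresses are still assigned"; rc=1; }
    ipv6_module_loaded "$root" ||
        echo "NOTE: ipv6 module not loaded; dependent modules may fail"
    return "$rc"
}
```

Source the file and call audit_ipv6 with no argument to check the live host; a non-zero return means the setting is missing from sysctl.conf or has not taken effect.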
If you have any questions or suggestions regarding this article, please send an email to support@proxar.co.uk
Annex 1 (Added by Paul Preston on 29-11-2011): Recent Red Hat Security Advisory RHSA-2011:1465-1 describes several issues with ipv6 and related modules. After examination of bugs CVE-2011-2699 (Important), CVE-2011-4326 (Important) and CVE-2011-3188 (Moderate) we can confirm that the procedure described above doesn't introduce any potential network security threat to the Red Hat Enterprise Linux 6.1 system.
Disabling Red Hat ipv6 Functionality changes - London, UK - Proxar IT Consulting.

