Hello misc,

I am wondering whether the good folks here would be able to share
their insight on configuring the IPv6 gateway address for a machine
which has been assigned a static IPv6 address.

Based on my layman research, there are two options:
1) Link local gateway address - fe80::1%em0 (Preferable)
2) Global unicast gateway address (router's IPv6 address) - xx:....

Which of the above is preferable? The reason I wish to ask is, after
trying to understand IPv6, I have understood that I do not understand
much.

But based on what little I do understand, the switches need to have RA
guards, to protect from rogue RAs. Unfortunately, the baremetal provider
that I am working with has not yet been able to understand my concerns
and queries regarding the mitigations they have put in place for this
impersonation and other vectors. This has led me to use the fully static
configuration approach as outlined by Enno Rey in his APNIC blog post -
https://blog.apnic.net/2017/01/16/ipv6-configuration-approaches-servers/
.

Additionally, I came across net.inet6.ip6.accept_rtadv to disable
accepting router advertisements. However, I could not find it. So,
code searching led me to a commit [1] in sys/netinet6/in6.h which
removed the sysctl and introduced IFXF_AUTOCONF6. Searching for that
led me to inet6 autoconf. So, my current understanding is that
unless autoconf is specified, the router advertisements are not
accepted. Similarly, net.inet6.icmp6.rediraccept seems to have been
removed and is now dependent on IFXF_AUTOCONF6 [2].
Please correct me if I am wrong.

Finally, if there are things an IPv6 rookie should know but tends to
learn after getting burnt, pointers towards the same will be much
appreciated.

Thanks.

Regards,
ab
[1] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.h?rev=1.73&content-type=text/x-cvsweb-markup
[2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/icmp6.c?rev=1.148&content-type=text/x-cvsweb-markup
---------|---------|---------|---------|---------|---------|---------|--
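
Added example, not part of the original message: a check related to the autoconf behaviour discussed above, listing interfaces whose ifconfig flags include AUTOCONF6 so a fully static host can confirm none do. The function names and the sample ifconfig output (documentation addresses, em0/em1) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for interfaces with IPv6 autoconf enabled.
# autoconf6_ifaces reads ifconfig output on stdin and prints the name of
# every interface whose flag list contains AUTOCONF6 (exact match, so a
# flag such as AUTOCONF6TEMP alone does not count).
autoconf6_ifaces() {
    awk '
        # Interface header lines start in column 1: "em0: flags=8843<...>"
        /^[A-Za-z0-9]+: flags=/ {
            name = $1
            sub(/:$/, "", name)
            # Pull out the comma-separated flag names between < and >
            if (match($0, /<[^>]*>/)) {
                list = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(list, f, ",")
                for (i = 1; i <= n; i++)
                    if (f[i] == "AUTOCONF6")
                        print name
            }
        }
    '
}

# Constructed sample in the layout of ifconfig output: em0 is configured
# statically, em1 has autoconf enabled.
sample_ifconfig() {
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet6 ::1 prefixlen 128
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        inet6 fe80::200:5eff:fe00:5301%em0 prefixlen 64 scopeid 0x1
        inet6 2001:db8::10 prefixlen 64
em1: flags=248843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
        lladdr 00:00:5e:00:53:02
EOF
}

# Run against the live system only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    found=$(ifconfig | autoconf6_ifaces)
    if [ -n "$found" ]; then
        echo "autoconf enabled on: $found"
    else
        echo "no interface has AUTOCONF6 set"
    fi
fi
```

On a host meant to be fully static, the `--live` run should report no interfaces; any name it prints is worth tracing back to an `inet6 autoconf` line in the matching hostname.if file.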
