How should I temporarily disable IPv6 for an entire network?

networking ipv6

We have a medium sized network with IPv4 and IPv6 across it, and our upstream provider is making IPv6 go away for two weeks while they do... something. (It's "experimental" and we don't pay for it, but it's been stable for years so we turned it on across the board.)

We have 150ish hosts on our network of at least a dozen different operating systems, plus a wireless network for people's phones and laptops, so disabling IPv6 on all our devices is a non-starter.

I would like to avoid too much of the classical broken IPv6 behaviour with long timeouts before failover to IPv4, and I am wondering what the best way of doing that is.

  • Should I block outgoing IPv6 packets at the border and return an unreachable message, or will that cause hosts to be marked unreachable without falling back to IPv4?
  • Is disabling AAAA resolution through our BIND nameserver feasible (and if so, how), and if so, is it sensible?
  • Alternatively, will turning off RADVD do the job? We do use static configuration on some of our servers, but there's few enough of those to do them by hand.

Solution 1:

I would turn off RAs and manually disable the statically configured hosts. Setting up a tunnel is possible as well, but renumbering twice is going to be more work than temporarily disabling it.

If you advertise IPv6 reachability in DNS (publish AAAA records) then you should temporarily remove those as well. Don't forget those might be cached by users so leave enough time between removing the AAAA records and disabling IPv6.

Solution 2:

The easiest on your clients would be to go the ipv6-tunnel route. If you can update your routing so your subnets go over the tunnel that would be awesome, but you may have to go to a 1:1 NAT method with the subnets given you by the tunnel provider mapping to your existing ones. You'd configure your routing core to send v6 traffic over the v6 tunnels so anything relying on it would continue to work, albeit perhaps a bit slower than before but faster than v4-failback at least. Subnets that are entirely dynamically assigned probably wouldn't need the 1:1 NAT, but anything with static assignments probably would.

Related

Bootrec /FIXBOOT vs Bootrec /FIXMBR
ipsec verify on ubuntu Two or more interfaces found, checking IP forwarding [FAILED]
dcomcnfg - Can't set Launch and Activation Permissions - Windows Server 2012
How to persist resolv.conf options such as rotate, timeout in CentOS?
Why do some mac-addresses repeat so often?
Storage Spaces Direct guidelines
I am able to ping a device on a different subnet without passing through a L3 device. How?
Win10 NFS Client a SAMBA Killer?
How to access LVM partitions on OS X?
Do I need seperate iptables rule for ipv6 address?
Changing DNS serial number to be in the past
How to move directory from one server to other?