Disable IPv6 on Seed hosts

angdraug · angdraug · commit d4cc15a56887 · 2020-12-28T17:24:56.000-08:00
Only containers running edge services (e.g. Envoy or Nginx) should have global IPv6 addresses. Seed host has privileged access to all containers running on it. Access to Seed hosts is a sensitive security surface that should not be unnecessarily exposed to additional attack vectors. A globally routable IPv6 address is not necessary when Seeds are managed from local network. IPv6 also adds up to 5s to network initialization: systemd/systemd#16547 (comment)
diff --git a/network/40-br0.network b/network/40-br0.network
@@ -3,3 +3,5 @@ Name=br0
 
 [Network]
 DHCP=yes
+IPv6AcceptRA=no
+LinkLocalAddressing=ipv4
