Should I deploy an IPv4-only server?

The CIS (Center for Internet Security) Benchmarks recommend disabling IPv6 to reduce the attack surface on our systems. I don't know enough about networking to understand whether this is a good idea if you are trying to serve clients that might include IPv4-only and IPv6-only clients.

Can an IPv4-only server deal with IPv6-only clients?

4 Replies

I don't think that IPv6 is any more or less secure than IPv4… IP is a set of protocols and, as such, only enables inter-network communication. It's the things that are on either end of that communication that are insecure. So, CIS gets a big raspberry from me for making a recommendation like "disabling IPv6 to reduce the attack surface"…they should know better.

I have IPv6 enabled because I use it…so do lots of other people (e.g., US/EU governments & US/EU/NATO militaries). Every piece of a modern Linux kernel is IPv6-aware…and has been for a long time. These days, it's mostly only apps that are not IPv6-aware…

Most of the attacks I see are IPv4. Here's a sample since Saturday, 1/16/2020 @ 00:00 PST (attacks are the Found/Ban pairs):

2021-01-16 07:56:06,953 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 07:56:06
2021-01-16 07:56:07,558 fail2ban.actions [844]: NOTICE [sshd] Ban
2021-01-16 15:07:13,733 fail2ban.actions [844]: NOTICE [dovecot] Unban
2021-01-16 19:56:35,730 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 19:56:35
2021-01-16 19:56:35,731 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 19:56:35
2021-01-16 19:56:35,849 fail2ban.actions [844]: NOTICE [sshd] Ban
2021-01-16 19:56:38,621 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 19:56:38
2021-01-16 19:56:39,058 fail2ban.actions [844]: NOTICE [sshd] already banned
2021-01-16 19:56:42,604 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 19:56:42
2021-01-16 19:56:43,063 fail2ban.actions [844]: NOTICE [sshd] already banned
2021-01-16 19:56:54,922 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 19:56:54
2021-01-16 19:56:55,077 fail2ban.actions [844]: NOTICE [sshd] already banned
2021-01-16 21:50:27,299 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 21:50:27
2021-01-16 21:50:27,342 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 21:50:27
2021-01-16 21:50:27,476 fail2ban.actions [844]: NOTICE [sshd] Ban
2021-01-16 21:50:28,045 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-16 21:50:27
2021-01-17 01:16:36,963 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-17 01:16:36
2021-01-17 01:16:37,017 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-17 01:16:37
2021-01-17 01:16:37,247 fail2ban.actions [844]: NOTICE [sshd] Ban
2021-01-17 14:43:55,527 fail2ban.actions [844]: NOTICE [sshd] Unban
2021-01-18 04:17:55,527 fail2ban.filter [844]: INFO [sshd] Found - 2021-01-18 04:17:55
2021-01-18 04:17:55,847 fail2ban.actions [844]: NOTICE [sshd] Ban

As you can see, 100% of the attacks are via IPv4. From my experience, the attack surface is much greater using IPv4. I can count the number of IPv6 attacks on my Linode since 2013 on one hand.

You write:

Can an IPv4-only server deal with IPv6-only clients?

No. You can set up various (bi-directional) tunneling schemes…usually on your router(s):

However, the recipients of this tunneled traffic have to be able to deal with it…or you have to enable some facility in the network stack to de-tunnel it. You may as well just turn on IPv6 and save yourself a lot of admin pain and on-going maintenance. IMHO, there is no downside to this.

-- sw
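The fail2ban excerpt above has the source addresses stripped, so the IPv4/IPv6 split has to be taken on the poster's word. Fail2ban's own filter and actions lines normally carry the address ("Found <ip> - <timestamp>", "Ban <ip>", "<ip> already banned"), which is enough to do the tally mechanically. The Python below is an added example, not part of the original thread or of fail2ban itself: it parses lines in that format and counts attempts, bans and distinct sources per address family. The log lines embedded in it are constructed with documentation prefixes (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32), not taken from the poster's server.

```python
"""Classify fail2ban log events by IP address family.

Added example, not part of the original thread. The log excerpt embedded
below is constructed with RFC 5737 / RFC 3849 documentation addresses so
it runs offline; feed `summarise` real lines from /var/log/fail2ban.log.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable

# One fail2ban log line. The address follows the verb for Found/Ban/Unban
# ("Found 203.0.113.7 - 2021-01-16 07:56:06", "Ban 203.0.113.7") and
# precedes it for "<ip> already banned".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"fail2ban\.(?P<component>\w+)\s+\[\d+\]:\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+"
    r"(?:(?P<verb>Found|Ban|Unban)\s+(?P<addr>\S+)"
    r"|(?P<addr2>\S+)\s+(?P<verb2>already banned))"
)

# Constructed sample: the shape of the reply's excerpt with addresses kept.
SAMPLE_LOG = """\
2021-01-16 07:56:06,953 fail2ban.filter         [844]: INFO    [sshd] Found 203.0.113.7 - 2021-01-16 07:56:06
2021-01-16 07:56:07,558 fail2ban.actions        [844]: NOTICE  [sshd] Ban 203.0.113.7
2021-01-16 15:07:13,733 fail2ban.actions        [844]: NOTICE  [dovecot] Unban 198.51.100.23
2021-01-16 19:56:35,730 fail2ban.filter         [844]: INFO    [sshd] Found 198.51.100.9 - 2021-01-16 19:56:35
2021-01-16 19:56:35,731 fail2ban.filter         [844]: INFO    [sshd] Found 198.51.100.9 - 2021-01-16 19:56:35
2021-01-16 19:56:35,849 fail2ban.actions        [844]: NOTICE  [sshd] Ban 198.51.100.9
2021-01-16 19:56:38,621 fail2ban.filter         [844]: INFO    [sshd] Found 198.51.100.9 - 2021-01-16 19:56:38
2021-01-16 19:56:39,058 fail2ban.actions        [844]: NOTICE  [sshd] 198.51.100.9 already banned
2021-01-17 01:16:36,963 fail2ban.filter         [844]: INFO    [sshd] Found 2001:db8:4f0::1a - 2021-01-17 01:16:36
2021-01-17 01:16:37,247 fail2ban.actions        [844]: NOTICE  [sshd] Ban 2001:db8:4f0::1a
2021-01-17 09:00:00,000 fail2ban.server         [844]: INFO    Reload all jails
"""


def family(addr: str) -> str:
    """Return 'IPv4', 'IPv6', or 'unknown' for anything ipaddress rejects."""
    try:
        return f"IPv{ipaddress.ip_address(addr).version}"
    except ValueError:
        return "unknown"


def summarise(lines: Iterable[str]) -> Dict[str, object]:
    """Tally Found/Ban/already-banned events per address family."""
    found, bans, repeats = Counter(), Counter(), Counter()
    sources = defaultdict(set)
    unparsed = 0
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            unparsed += 1  # server/jail-management lines, not an error
            continue
        verb = m["verb"] or m["verb2"]
        addr = m["addr"] or m["addr2"]
        fam = family(addr)
        if verb == "Found":
            found[fam] += 1
            sources[fam].add(addr)
        elif verb == "Ban":
            bans[fam] += 1
        elif verb == "already banned":
            repeats[fam] += 1
    return {
        "found": dict(found),
        "bans": dict(bans),
        "repeat_after_ban": dict(repeats),
        "sources": {fam: set(addrs) for fam, addrs in sources.items()},
        "unparsed": unparsed,
    }


def ipv4_share(summary: Dict[str, object]) -> float:
    """Fraction of matched attempts that arrived over IPv4 (0.0 if none)."""
    total = sum(summary["found"].values())
    return summary["found"].get("IPv4", 0) / total if total else 0.0


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    for key in ("found", "bans", "repeat_after_ban"):
        print(f"{key:17} {s[key]}")
    print("distinct sources ", {k: len(v) for k, v in s["sources"].items()})
    print(f"IPv4 share of attempts: {ipv4_share(s):.0%}")
```

Run it over /var/log/fail2ban.log on a dual-stack host to get the breakdown the reply describes; "unparsed" counts the server and jail-management lines the regex deliberately ignores, so a non-zero value is expected. A host that only listens on IPv4 will, of course, report zero IPv6 attempts regardless of what is aimed at it, so the comparison only says something on a machine with a routable IPv6 address.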

Thanks for the thorough answer! I did suspect that IPv6 clients wouldn't be able to interact directly with an IPv4 server. I just haven't seen this explicitly stated anywhere, after a few searches.

I suspect that CIS was trying to recommend against the use of redundant protocols, in case there are as-yet undiscovered vulnerabilities in the relatively immature IPv6 stack.

That might be practical in some controlled settings, but in the context of providing a server to a general internet audience, what you've said makes me think that I have to go dual stack for the foreseeable future.



The first IPv6-related network code was added to the Linux kernel 2.1.8 in November 1996 by Pedro Roque. It was based on the BSD API.


mainline:   5.11-rc4       2021-01-18
stable:     5.10.8         2021-01-17
stable:     5.9.16         [EOL]
longterm:   5.4.90         2021-01-17
longterm:   4.19.168       2021-01-17
longterm:   4.14.216       2021-01-17
longterm:   4.9.252        2021-01-17
longterm:   4.4.252        2021-01-17
linux-next: next-20210118  2021-01-18

All of this is a long way from 1996 (25 years ago)! If the IPv6 implementation in the modern Linux kernel hadn't improved since then, we'd all be using FreeBSD, and, IMHO, enjoying it a lot more ;-)

You write:

I have to go dual stack for the foreseeable future.

That would be more like the rest of your natural life :-)

-- sw

You could probably implement something like DHCPv6 to translate client IPv6 addresses into different IPv6 addresses due to the potential MAC address issue.

But yeah, other than that it's mainly just that it's another vector. Also, it can be handled separately from IPv4. For example, using iptables does nothing against IPv6. You'd want to implement ip6tables rules in that case doing essentially the same stuff as IPv4, since it's no more secure but just as capable as IPv4.

Also, there's a bug in Ubuntu 18.04 LTS. sysctl.conf doesn't seem to disable IPv6.

It can be disabled in /etc/default/grub.

I was using WireGuard with Pi-hole (DNS ad block/malware domain blackhole). Turns out it doesn't block them on Android without disabling IPv6 on the server. And Android security apps don't tend to be so great.

My game server also got hit by an ipv6 ddos attack once lol, but that's due to someone targeting a particular game.
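The point about iptables not touching IPv6 traffic generalises: every INPUT rule needs a counterpart in ip6tables, and a blind copy of a default-DROP IPv4 policy breaks IPv6, because Neighbor Discovery and Path MTU Discovery run over ICMPv6 rather than over ARP and on-path fragmentation. The Python below is an added example, not from the thread or from any of the tools named in it: it renders one small policy for both iptables and ip6tables and audits an ip6tables rule set for services open on v4 but not v6 and for missing ICMPv6 types. The chain layout, the service list (SSH, HTTPS and WireGuard's default UDP port 51820) and the exact rule-string format are assumptions for illustration.

```python
"""Render one INPUT policy for both iptables and ip6tables and audit the
IPv6 side for gaps.

Added example, not from the original thread. The chain layout, the
service list and the rule-string format are assumptions for illustration.
"""
import re
from typing import Dict, Iterable, List, Tuple

Service = Tuple[str, int]  # (protocol, port)

# ICMPv6 types a host must still accept under a default-DROP policy
# (RFC 4890, section 4.4): the error messages Path MTU Discovery depends
# on, and the Neighbor Discovery messages that replace ARP. Numeric types
# avoid depending on ip6tables' name table.
ICMPV6_REQUIRED = {
    1: "destination unreachable",
    2: "packet too big (PMTUD)",
    3: "time exceeded",
    4: "parameter problem",
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbour solicitation",
    136: "neighbour advertisement",
}
ICMPV6_ECHO_REQUEST = 128


def _base_rules(tool: str, services: Iterable[Service]) -> List[str]:
    """Rules identical for both families apart from the tool name."""
    rules = [
        f"{tool} -P INPUT DROP",
        f"{tool} -A INPUT -i lo -j ACCEPT",
        f"{tool} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules += [f"{tool} -A INPUT -p {proto} --dport {port} -j ACCEPT"
              for proto, port in services]
    return rules


def build_policy(services: Iterable[Service],
                 allow_ping: bool = True) -> Dict[str, List[str]]:
    """Same service policy for v4 and v6; only the ICMP handling differs."""
    services = list(services)
    v4 = _base_rules("iptables", services)
    v6 = _base_rules("ip6tables", services)
    if allow_ping:
        v4.append("iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
    for icmp_type in ICMPV6_REQUIRED:  # never optional on IPv6
        v6.append(f"ip6tables -A INPUT -p icmpv6 --icmpv6-type {icmp_type} -j ACCEPT")
    if allow_ping:
        v6.append(f"ip6tables -A INPUT -p icmpv6 --icmpv6-type {ICMPV6_ECHO_REQUEST} -j ACCEPT")
    return {"iptables": v4, "ip6tables": v6}


_SERVICE_RE = re.compile(r"-p (tcp|udp) --dport (\d+) -j ACCEPT")
_ICMPV6_RE = re.compile(r"--icmpv6-type (\d+) -j ACCEPT")


def _services_in(rules: Iterable[str]) -> set:
    """(proto, port) pairs accepted by a rule list."""
    found = set()
    for rule in rules:
        m = _SERVICE_RE.search(rule)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def audit_v6(v4_rules: Iterable[str], v6_rules: Iterable[str]) -> Dict[str, list]:
    """What the ip6tables side lacks: services open on v4 but not on v6,
    and required ICMPv6 types a default-DROP policy would silently eat."""
    v6_rules = list(v6_rules)
    allowed_icmp6 = set()
    for rule in v6_rules:
        m = _ICMPV6_RE.search(rule)
        if m:
            allowed_icmp6.add(int(m.group(1)))
    return {
        "services_missing_in_v6": sorted(_services_in(v4_rules) - _services_in(v6_rules)),
        "icmpv6_missing": sorted(set(ICMPV6_REQUIRED) - allowed_icmp6),
    }


if __name__ == "__main__":
    # Constructed service list: SSH, HTTPS and WireGuard's default UDP port.
    policy = build_policy([("tcp", 22), ("tcp", 443), ("udp", 51820)])
    for tool, rules in policy.items():
        print(f"# {tool}")
        print("\n".join(rules))
    # The mistake the reply warns about: a full v4 policy, v6 an afterthought.
    naive_v6 = ["ip6tables -P INPUT DROP",
                "ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT"]
    print(audit_v6(policy["iptables"], naive_v6))
```

Two practical caveats. First, the audit only recognises numeric `--icmpv6-type` values; if an existing rule set uses ip6tables' symbolic names, normalise it (for example with `ip6tables-save`) before running the check. Second, load a generated policy atomically with `iptables-restore` and `ip6tables-restore`, or set `-P INPUT DROP` last, so a half-applied rule set cannot lock you out of your own SSH session. If you instead take the other route mentioned in the reply and disable IPv6 outright, the sysctl is `net.ipv6.conf.all.disable_ipv6=1` and the kernel command-line form set through /etc/default/grub is `ipv6.disable=1`; the latter removes the IPv6 stack at boot, so ip6tables rules and IPv6 listeners are moot on such a host.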
