
#1 2021-09-27 18:58:51

vorvac
Member
Registered: 2021-05-14
Posts: 44

Determining source of Private IPv6 traffic

I've had a cloud VM (Linode) set up running Arch for a few months. It's running a standard LAMP stack for web hosting.

I recently set up a new VM, same LAMP stack, in order to split some content between the two. However I have noticed in this new instance, I'm seeing a lot more private IPv6 traffic than my previous instance. It's averaging ~400 b/s traffic where my previous VM is < 2 b/s.

I've tried disabling IPv6 (https://wiki.archlinux.org/title/IPv6#Disable_IPv6) but that didn't seem to stop the private traffic.

I've tried iftop, jnettop, and nethogs, and all report traffic between the following:

ff02::1 => fe80::1
fe80::1 => ff02::1 

This was the only IPv6 traffic I could see, but this traffic happens on both VMs, so I'm not sure this is the cause of the ~400 b/s. I'm thinking these aren't the right troubleshooting tools, is there something better I should be using?

I'm only concerned due to my old VM not having such traffic. Is this even something to worry about?

Thank you

Last edited by vorvac (2021-09-27 23:17:36)

Offline

#2 2021-09-27 20:39:07

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: Determining source of Private IPv6 traffic

https://blogs.infoblox.com/ipv6-coe/fe8 … y-address/
Did you check netstat/ss/wireshark to determine the ports and local process responsible for the traffic? (And compare that to the other VM)

I've tried disabling IPv6

Tried "how" and did you succeed?

systool -vm ipv6

Getting IPv6 traffic when the IPv6 stack is claimed disabled would probably concern me

Offline

#3 2021-09-27 23:02:35

vorvac
Member
Registered: 2021-05-14
Posts: 44

Re: Determining source of Private IPv6 traffic

seth wrote:

https://blogs.infoblox.com/ipv6-coe/fe8 … y-address/
Did you check netstat/ss/wireshark to determine the ports and local process responsible for the traffic? (And compare that to the other VM)

Thanks for the tools here. Wireshark showed similar results between the two machines:

# new machine
# tshark -f ip6
1 0.000000000      fe80::1 → ff02::1      ICMPv6 118 Router Advertisement from 00:05:73:a0:0f:ff (only this message, roughly every 5 seconds on repeat)
# old machine
# tshark -f ip6
1 0.000000000      fe80::1 → ff02::1      ICMPv6 118 Router Advertisement from 00:05:73:a0:0f:ff (lots of these messages)
3 0.010847811 fe80::f03c:92ff:fef2:31d6 → ff02::16     ICMPv6 110 Multicast Listener Report Message v2 (lots of these messages)
17 17.587020609 2600:3c00::f03c:92ff:fef2:31d6 → 2601:603:b7f:fec0:0:ba11:ba11:ba11 NTP 110 NTP Version 4, client (few of these)

seth wrote:

I've tried disabling IPv6

Tried "how" and did you succeed?

I added ipv6.disable=1 to the kernel line in /boot/grub/grub.cfg. It looked successful based on the output of # cat /proc/cmdline and also the inet6 addresses no longer appeared for # ip link.

# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-linux root=/dev/sda rw console=ttyS0,19200n8 net.ifnames=0 loglevel=3 ipv6.disable=1

# journalctl -b | grep "IPv6"
Sep 27 21:36:51 vcloud kernel: IPv6: Loaded, but administratively disabled, reboot required to enable

seth wrote:

systool -vm ipv6

Getting IPv6 traffic when the IPv6 stack is claimed disabled would probably concern me

# systool -vm ipv6
Module = "ipv6"

  Attributes:
    uevent              = <store method only>

  Parameters:
    autoconf            = "1"
    disable             = "1"
    disable_ipv6        = "0"

Seeing that "0" under disable_ipv6, I added an additional kernel parameter ipv6.disable_ipv6=1 and gave it a reboot. May have been redundant but just eliminating any possibility it is causing issues.

# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-linux root=/dev/sda rw console=ttyS0,19200n8 net.ifnames=0 loglevel=3 ipv6.disable=1 ipv6.disable_ipv6=1

# journalctl -b | grep "IPv6"
Sep 27 22:33:29 vcloud kernel: IPv6: Loaded, but administratively disabled, reboot required to enable

# systool -vm ipv6
Module = "ipv6"

  Attributes:
    uevent              = <store method only>

  Parameters:
    autoconf            = "1"
    disable             = "1"
    disable_ipv6        = "1"

I apologize for not clarifying a few points in my first post. First, this is IPv6 "Private In" traffic.
This is the graph I am looking at:
[Image: KDDIB3I.png]
After a reboot, traffic is 0 for about 20 minutes.
I am under the assumption that these numbers are accurate, but this is from Linode's web interface, not from Arch.
I'd think something like nethogs should pick up this traffic, but all I see is regular IPv4 traffic:

# nethogs (I edited my Public IP)
NetHogs version 0.8.6

    PID USER     PROGRAM                                                                                                      DEV         SENT      RECEIVED
    297 vorvac   sshd: vorvac@pts/0                                                                                           eth0     0.811       0.053 KB/sec
      ? root     45.33.X.X:53303-89.248.165.110:58499                                                                                  0.000       0.000 KB/sec
      ? root     45.33.X.X:18100-89.248.165.39:42923                                                                                   0.000       0.000 KB/sec
      ? root     45.33.X.X:9100-89.248.165.39:42923                                                                                    0.000       0.000 KB/sec
      ? root     45.33.X.X:5555-190.6.49.23:54700                                                                                      0.000       0.000 KB/sec
      ? root     45.33.X.X:6100-89.248.165.39:42923                                                                                    0.000       0.000 KB/sec
      ? root     45.33.X.X:15100-89.248.165.39:42923                                                                                   0.000       0.000 KB/sec
      ? root     45.33.X.X:1100-89.248.165.39:42923                                                                                    0.000       0.000 KB/sec
      ? root     45.33.X.X:17925-5.188.206.18:46856                                                                                    0.000       0.000 KB/sec
      ? root     unknown TCP                                                                                                           0.000       0.000 KB/sec

  TOTAL                                                                                                                                0.811       0.053 KB/sec

Offline

#4 2021-09-28 13:59:45

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: Determining source of Private IPv6 traffic

So on the "new" system you only have the gateway asking you to please recognize its existence, the "old" system also looks for neighbours and queries NTP.

If the nifty GUI is bits / second and the Router Advertisement comes in every 2.5 seconds @118 bytes, you'd end up w/ 373 b/s inbound on average, but it's inconceivable how the "new" system can show more traffic than the "old" system unless the RA is much more frequent. Private out almost looks like a rounding error ;-)

Offline
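
Added example, not part of the thread: one way to turn tshark summary lines like those in post #3 into a per-flow average bit rate that can be compared with a provider graph. The function names, the 20-second capture window and the sample lines (built in the format of the output above) are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Default tshark summary line: No. Time Source → Destination Protocol Length Info
LINE = re.compile(
    r"^\s*\d+\s+(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)

def scope(addr):
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    return "global/other"

def flow_rates(lines, window_s):
    """Return {(src, dst, proto): (packets, bits_per_second)} for IPv6 lines."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # shell prompts, comments, truncated lines
        try:
            if ipaddress.ip_address(m["src"]).version != 6:
                continue  # IPv4 flow, not what is being measured here
        except ValueError:
            continue  # source column is not an IP address (e.g. a MAC)
        key = (m["src"], m["dst"], m["proto"])
        totals[key][0] += 1
        totals[key][1] += int(m["len"])
    return {k: (n, b * 8 / window_s) for k, (n, b) in totals.items()}

# Constructed sample: a 20-second capture, RA roughly every 5 seconds.
SAMPLE = """\
# tshark -f ip6 -a duration:20
    1 0.000000000      fe80::1 → ff02::1      ICMPv6 118 Router Advertisement from 00:05:73:a0:0f:ff
    2 5.000112000      fe80::1 → ff02::1      ICMPv6 118 Router Advertisement from 00:05:73:a0:0f:ff
    3 7.310000000 fe80::f03c:92ff:fef2:31d6 → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
    4 10.000231000      fe80::1 → ff02::1      ICMPv6 118 Router Advertisement from 00:05:73:a0:0f:ff
    5 15.000340000      fe80::1 → ff02::1      ICMPv6 118 Router Advertisement from 00:05:73:a0:0f:ff
""".splitlines()

if __name__ == "__main__":
    rows = sorted(flow_rates(SAMPLE, 20.0).items(), key=lambda kv: -kv[1][1])
    for (src, dst, proto), (n, bps) in rows:
        print(f"{bps:7.1f} b/s {n:3d} pkts {proto} {src} ({scope(src)}) -> {dst} ({scope(dst)})")
```

The window length must be the real capture duration (for example from `-a duration:N`), not the time between the first and last packet, otherwise sparse periodic traffic is overstated.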
